At a glance.
- Password manager software update compromised.
- Facebook user emails exposed.
- Qlocker's approach to getting paid.
- Cellebrite proof-of-concept prompts calls for Scottish police to abandon the tool.
Passwordstate breach offers keys to the password candy store.
TechCrunch reports that Australian software developer Click Studios, the creator of password manager Passwordstate, emailed 29,000 users on Friday to warn them that the password manager had suffered a cyberattack. Threat actors compromised Passwordstate’s recent software update, installing malware on the users’ machines in order to gain access to all of the passwords stored in the application. The Record by Recorded Future notes that CSIS, the Danish security firm investigating the attack, has published an analysis of the supply chain attack. The attackers forced the targets’ machines to download a ZIP file named “Passwordstate_upgrade.zip”, which contained a DLL file named “moserware.secretsplitter.dll” designed to ping the attackers’ remote server in order to request new commands. In addition to instructing all victims to change all of the passwords they’d stored in Passwordstate, Click Studios also released a hotfix package to assist users in removing the malware. As CyberScoop points out, Passwordstate’s customers include 370,000 IT professionals globally, making this attack particularly troublesome. “This is a real annoying breach,” said William Thomas of UK security firm Cyjax. “Imagine having to change all your passwords for each device on the network, on a Friday.” So much for the weekend.
We received other industry comment on the incident. Tom Garrubba, CISO at Shared Assessments, wrote that this is an example of the growing number of attacks against software distribution:
“Attacks to payload distribution mechanisms are starting to become more commonplace despite the difficulty in executing such an attack (the recent SolarWinds breach is another great example of such an attack). These kinds of threat actors appear much more predatory by showing greater patience in planning, penetrating their target, and then shadowing and studying the target’s internal machinations – in this case, their code promotion to customers. By identifying Click Studios’ flaws then waiting precisely for the right moment to roll out their malicious code, the threat actors ensured maximum distribution.
“Vendors are not only encouraged to continuously evaluate and monitor their networking and systems controls – including those which promote code updates - but also to evaluate the security around their entire code promotion practices up to and including their distribution methods. Outsourcers are strongly encouraged to have a discussion and to even gain evidence that their vendors are practicing good cyber hygiene including code promotion and distribution.”
Demi Ben-Ari, founder and CTO of Panorays, sees the trusted familiarity of password managers as lulling potential enterprise victims into unwariness:
"The reality is that not everyone would even consider a password manager to be a third party. But in fact, a password manager should be treated as a high-risk supplier whose security should be thoroughly assessed and continuously monitored. This unfortunate cyber incident involving Passwordstate serves as a wake-up call to businesses in every industry: It underscores why it’s so crucial for organizations to fully understand the risk posed by all of their third parties--and to continuously assess, monitor and remediate their security posture."
New bug leaks Facebook user emails.
Facebook can’t catch a break. Wired reports a researcher has discovered a tool (with the self-explanatory name Facebook Email Search v1.0) that exploits a front-end Facebook vulnerability in order to link user accounts to their corresponding email addresses. The researcher, who has asked to remain anonymous, says he decided to go public with his findings after Facebook allegedly told him the bug wasn’t important enough to warrant their attention. In a video the researcher sent to technology news source Ars Technica, he demonstrates just how quickly the tool works: “I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts.” Facebook responded, “It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." It’s worth noting that this comes on the heels of last month’s massive breach of Facebook user data, and some say that Facebook’s response to this new bug supports claims that the social media giant has been attempting to downplay the impact of recent security incidents.
Qlocker ransomware scheme offers shortcut to quick payouts.
A lucrative ransomware operation has been discovered in which the cybercriminals have managed to skip the time-consuming step of developing, well, ransomware. Bleeping Computer explains that the threat group Qlocker encrypted the files of QNAP NAS (network-attached storage) users by simply scanning the internet for QNAP devices, exploiting recently disclosed security flaws, and then remotely executing the 7zip file archiver to password-protect the victims’ NAS files. While many ransomware attackers focus on larger businesses so they can make outlandish ransom demands, Qlocker netted $260,000 in just five days by targeting consumers and small-to-medium companies and requesting modest ransoms of just $500 each. The operation is still underway, with more payments rolling in daily. QNAP users have been advised to update their software and secure their NAS devices.
Scottish police urged to drop Cellebrite.
As the CyberWire noted last week, Signal messaging app creator Moxie Marlinspike discovered a massive vulnerability in the software products of Cellebrite, the digital forensics firm that has become a go-to for governments looking to unlock confiscated phones. Now, the Ferret reports, privacy rights groups are urging Police Scotland to stop using Cellebrite technology in their investigations. This type of software has been called into question by Scottish privacy advocates in the past, and this recent discovery could be the last straw. Heather Burns, policy manager at the Open Rights Group and a member of the Scottish Government’s independent advisory group on emerging technologies in policing, stated, “The fact that these technologies are buggy and appear to disregard software licences of other vendors should concern the Police...Police Scotland should therefore not consider extending the use of this software while these issues are unresolved.” Police Scotland stated that they’re investigating the full ramifications of the bugs and how they can be mitigated.