
Security Bytes - Issue 13

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.


Sadly Expected

As reported in a previous Security Bytes, in early August the UK’s NHS was attacked, causing massive service and infrastructure outages, including emergency services and prescription services. After the attack, initial communications stated that no private data was stolen. Investigators reported this week that the LockBit 3.0 malware did in fact exfiltrate data, ushering in communications to those potentially affected.

Article - https://www.theregister.com/2022/10/14/nhs_software_hosting_provider_advanced_ransomware_lockbit/

Original event - https://www.theregister.com/2022/08/05/major_outage_at_it_service/


Yo, What’s Up WhatsApp

Ah, the gift that keeps giving. WhatsApp is one of those apps that everyone uses despite the fact it has, well, let’s say, a turbulent cyber past. This week an attacker dropped a trojan called Triada into a popular WhatsApp mod called YoWhatsApp, leading to the theft of victims’ WhatsApp accounts and their being signed up to paid subscriptions, which presumably the attacker has conveniently set up. The thing is, based on what I can find, the only way to install YoWhatsApp is through an APK and not an app store where such things are tested. Installing unverified APKs is not good, but I digress.

Article - https://www.darkreading.com/mobile/whatsapp-beware-dangerous-mobile-trojan-malicious-mod

Report - https://usa.kaspersky.com/about/press-releases/2022_kaspersky-finds-new-malicious-whatsapp-mod-advertised-in-the-popular-snaptube-app


Password Temperature

Researchers from the University of Glasgow published a study demonstrating that it is possible to accurately and quickly guess passwords with a cheap thermal camera and some deep-learning models. By analyzing the residual heat left by a person’s fingers, they are able to determine which keys were pressed and in what order. This isn’t actually new, but importantly, there are two interesting differences. First is the use of cheap equipment, and second is performing the tests in an open, “realistic” environment. You might be asking, “Um, if I have a camera, why don’t I just record the person typing in the password?” Great question. I’ll give you my $0.02. First, all research is just the tip of the iceberg. Once proven, it’s all about scale, miniaturization, and distance, and in this case it’s worth noting that thermal signatures can travel through materials light cannot (and vice versa, btw). And, of course, heat is governed by physics that in many cases means it dissipates slowly. When combined with hypersensitive thermal devices, it’s trivial to see residual indicators.

Article - https://www.darkreading.com/endpoint/ai-and-residual-finger-heat-could-be-a-password-cracker-s-latest-tools

Research - https://dl.acm.org/doi/pdf/10.1145/3563693


Funny, But Not Really

Researchers at Synopsys CyRC have identified a vulnerability in IKEA’s wireless digital lights product, the Trådfri smart lighting system, that permits attackers to change light settings, such as on/off, brightness, color, and everything in between. Although they found similar issues in late 2021, this one is interesting because the attackers send malformed Zigbee frames, a technique that could conceivably be used against other Zigbee devices, like door locks. Messing with people’s home IoT isn’t new, but imagine the art of the possible when IoT in the home is far more than just pretty lights you can control from your phone.

Article - https://www.darkreading.com/application-security/ikea-smart-light-system-flaw-lets-attackers-turn-bulbs-on-full-blast

Report - https://www.synopsys.com/blogs/software-security/cyrc-advisory-ikea-tradfri-smart-lighting-gateway/

Last year’s report - https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems

About Zigbee - https://en.wikipedia.org/wiki/Zigbee


Crazy Crypto

Crypto is one of the more compelling dynamics of the digital age, IMHO. First, let’s talk about theft. This week we have additional examples of what has become such a regular occurrence it garners virtually no reaction. This week the crypto exchange Binance was taken for $566m. The thief managed to get away with $110m before the validator network could be halted, locking the remaining crypto in the thieves’ wallet. But add to that just this year’s take in crypto thievery from exchanges alone, such as $191m from Nomad, $600m from Ronin, $320m from Wormhole, and many, many smaller attacks… you know, less than $10m (and I’m not counting the $610m from Poly Network because it was reported as returned). By my math that’s more than $2.9b in total theft with roughly $1b recovered, roughly 35%.

Imagine the uproar if that happened to a bank? Oh, but it’s coming. Many of the world’s largest banks have adopted cryptocurrencies, and crypto is now considered a tradable asset, as some countries move completely to a crypto-based monetary system, such as El Salvador, which, now a year after converting, has lost more than it gained. All this in the midst of clear fraud, scams, and crimes of all kinds using, manipulating, or leveraging crypto.

Take this week’s SEC indictment of 11 people running a crypto scam that took $300m, underpinning the SEC’s massive push for a larger crypto enforcement capability. And this week the US Fed fined Bittrex $53m based on OFAC and FinCEN claims (both controls that come into play with ransomware payments, among other things) due to interactions with sanctioned countries, such as Cuba, Iran, Sudan, Syria, and Crimea. Of course, the news-making Kim Kardashian was fined $1.26m earlier this month for being paid $250k to pitch EthereumMax, which is a commodity, to her 331m Instagram followers as an influencer without disclosing she was being paid as, essentially, an advertiser/spokesperson… now made illegal due to a law earlier this year.

And of course, ransomware. You might be surprised to learn that the first generally agreed upon ransomware attack was called the “AIDS Trojan” in 1989. Once infected, and after the user rebooted the computer 90 times, it would encrypt all your files and post a message on the last boot-up screen stating that to unlock your computer you had to send $378 to a PO Box in Panama. This “mail money” continued for years, but the amounts started to drop down to $10 levels because it became trivial to launch an attack, and who doesn’t have 10 rubles (aka WinLock) to spare? With the birth of online payment options, such as PayPal in 1998, hackers were able to leverage banking infrastructure to obtain the money, which is regulated and controlled, so that wasn’t going to last. But then came bitcoin in 2009, and it was thoroughly embraced by cybercriminals. However, it was the events surrounding Petya (and NotPetya) in 2016, combined with the rapid expansion of crypto, that saw ransomware start to take on a more pandemic quality with the birth of RaaS (Ransomware as a Service). Of course, with (Not)Petya using exposed NSA cyberweapons, especially EternalBlue, we have the emergence of the four horsemen of the apocalypse: cryptocurrency, RaaS, ransomware, and malware. Now, with only sheer motivation, anyone could make millions by buying services that use ransomware delivered by weapons-grade malware and get paid instantly with crypto.

As of this writing there are more than 12,000 cryptocurrencies available on the market, an astonishingly huge number when compared to the UN’s calculation of 180 different hard currencies worldwide. It’s important to note I’m not against crypto. It’s all about understanding the true scope of impacts, exposure, and implications – good and bad. I will say that I do find it quite interesting that in a world where we have total chaos in the digital space from a cybersecurity perspective that we would rely on that same system to trust in the most essential aspect of a monetary system – currency. And, I have to end by saying that in just a few years this is all going to get turned upside down with quantum computing.

Binance article - https://tokenist.com/binance-freezes-trading-after-identifying-a-potential-hack-worth-600m/

Bittrex article - https://www.theregister.com/2022/10/11/crypto_exchange_bittrex_settlement/

SEC indicts 11 in crypto scam - https://www.sec.gov/news/press-release/2022-134

SEC Doubles crypto enforcement - https://www.sec.gov/news/press-release/2022-78

NSA vs ShadowBrokers - https://en.wikipedia.org/wiki/The_Shadow_Brokers

Petya/NotPetya - https://en.wikipedia.org/wiki/Petya_and_NotPetya

AIDS Trojan - https://en.wikipedia.org/wiki/AIDS_(Trojan_horse)

El Salvador - https://www.cnbc.com/2022/10/13/el-salvadors-bitcoin-holdings-down-60percent-to-60-million-one-year-later.html

Kardashian - https://www.sec.gov/news/press-release/2022-183