Secure With Celerity Episode 9
DAVID TAYLOR [00:00:49] Hi my friends and family. I’m Dave Taylor and here we’ve got our Lead Cyber Security Analyst. It is Josh. How are you doing, Josh?
JOSHUA READ [00:00:57] Hello, are you all right?
DAVID TAYLOR [00:00:58] Not too bad. It’s nice and warm and it’s about to rain, so bright and ready for the weekend. So we are jumping to our very first story of the week, which is that new ransomware masquerades as a COVID-19 contact tracing app on your Android device. And that is mainly around Canada’s health app that they released, isn’t that right?
JOSHUA READ [00:01:22] Yeah, Canada a couple of weeks ago announced they were gonna be introducing one of these COVID-19 tracing technology apps, and that it would be able to help fight the spread of COVID-19. Obviously, cyber attackers have jumped on the bus and decided that they want to weaponise this announcement. The official application wasn’t due to be released for another month. The cyber attackers were much faster to the grindstone and managed to pump out a set of CryCryptor ransomware, which was targeting Android users in Canada, distributed via two websites under the guise of official COVID-19 tracing apps provided by Health Canada. Once the victim installs it, the CryCryptor ransomware encrypts the device’s common files, so the likes of .doc, .png, which are images, .ppt, all of those file formats were encrypted. There is a decryption tool available, because the ransomware that was built around this was actually open source, and it was released in June, I think it was right at the start of June. So essentially it was COVID-19 weaponised all over again. As we’ve seen across the weeks, it’s a reoccurring topic, and it will constantly be a reoccurring topic. It’s something, you know, people want. I mean, in terms of the press, I’ve not seen a great deal of official communications regarding, you know, the tracking apps in the UK. There hasn’t been a great deal of sort of marketing and push on you should be doing this, you should be doing that, or this is what you download. So, you know, if cyber attackers did want to weaponise the UK environment with this so-called tracking app, then it could quite easily be done without the guidance.
DAVID TAYLOR [00:03:53] So is it because the UK government has been sort of criticised that they haven’t actually taken up similar domains, like the ones used today for the health COVID tracking?
JOSHUA READ [00:04:04] Yeah. You know, this is what amazes me around domain names right now. You could go on to any domain name website and essentially buy whatever you wanted to. Now, if you buy a Microsoft imitation domain, or, you know, an Amazon imitation domain, there is textual analysis which, you know, flags it to the authority saying, you know, this user wants to buy this domain, or they’ve already purchased it, and it looks an awful lot like Microsoft or Amazon, maybe you want to check it. And they’ll communicate with the user, the buyer, and make sure that they’ve got good intentions at heart. I’m not against that, but essentially I don’t see there being any push to protect COVID-19 related domains. It seems to be a priority towards the likes of Zoom, Microsoft, Amazon and all the big large corporations which are commonly phished, and, you know, that’s one of the problems they have. But the CryCryptor ransomware was based on open source code, which was on GitHub. They discovered it using a simple search technique on the app’s package. And the developers of the open source ransomware, who called it CryDroid, put the code up and attempted to disguise it as a research project, which I found quite funny, because why would you provide the general public with a ransomware which is fairly safe? It’s exposing native services to Android and mobile. And why would you weaponize that and make that available to the public as a research project? Well, you know, one of the main things you do is you assess the ethics around what you are doing, and you also have to provide substantial protections around, you know, either the users that are involved, or the techniques and the general public that might be involved. So obviously I don’t actually think this was a research project based on what happened.
DAVID TAYLOR [00:06:21] Now we know that.
JOSHUA READ [00:06:25] Yeah. But then, you know, I think the issue here is that it’s really damaging the reputation of these contact tracing apps. Contact tracing apps have already got a big sort of X next to their name in the eyes of the general public because of their lack of acknowledgement towards privacy aspects. You know, there’s an element of privacy that any one individual has a right to. And obviously everyone wants rid of this COVID-19 situation.
DAVID TAYLOR [00:07:05] We were talking earlier in the week about how, I think on iPhones and possibly sort of on Samsungs as well, if you go into your privacy settings, there’s already a little setting that mentions COVID-19 tracing. It’s not that it’s on; it’s almost just providing the capability so that if someone’s got an app, they can easily integrate with it. But I’ve seen people on Twitter and stuff kind of kicking up a fuss saying Apple put this on my phone. It’s almost like them putting the U2 album on your iTunes again.
JOSHUA READ [00:07:30] Someone classed that as malware. The investigating team wasn’t convinced by the fact that it was a research project. They told GitHub, and I think they have taken it down now, but again, it’s, you know, a public Cloud platform which is accessible by everyone in the world. It’s, you know, using vulnerabilities present in, well, not vulnerabilities, but weaknesses present within Android operating systems that are there for genuine reasons and have been weaponized. So, yes, it was a semi well-built piece of ransomware, but it was nowhere near as potent as it could have been. And also, obviously, the weaknesses in it have resulted in them being able to build a decryption tool for it already. And so, yeah, I think it’s the long line of issues that will crop up ahead for these contact tracing apps. And I’ve advised my opinion on them already and I shall do it again. They are what they are. If the government wants to trace people, they want to trace people. Well, you know, they can’t do it without the user knowing. That’s an invasion of privacy.
DAVID TAYLOR [00:08:50] Yeah. I reckon we’re gonna see similar things happening all around the world once they all get up and running. All right. On to our next story. So this is over 100 new Chrome browser extensions caught spying on users. Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data, as part of what they call a massive global surveillance campaign. This was targeting the oil and gas, finance and health care sectors.
JOSHUA READ [00:09:20] Yeah, these sort of announcements that Google release, it’s almost like they have a random number generator and they just slap the number into an article and say, oh, yeah, we’ve removed 696 different applications from the web store. Every single month there are over 100 different applications that are removed from the store for the various, you know, malicious content that’s involved with them, all stealing your information. I know personally I’ve had experiences with extensions in the past, me just testing them. I know my family members have had them, even stuff around auto-refresh extensions, and my friends have had them as well. The problem here is that Google Chrome will always be a user favourite in the eyes of the general public. It’s a very customisable, very user friendly browser. Much better than IE in my personal opinion.
DAVID TAYLOR [00:10:28] Internet Explorer
JOSHUA READ [00:10:33] And for those that are concerned around privacy, Firefox is your browser. Firefox is my personal browser. Google Chrome, obviously everything works on Google Chrome. A lot of developers push their developer stuff to Google Chrome. It’s, you know, a very good platform, but it’s more around the security of the App Store. It’s not just Google Chrome, it’s also Android, the Android market as well. The app stores and the Android market: I’m seeing more and more reports coming out from the likes of Google and Android and elements like that saying we removed this many apps. Well, essentially, those apps shouldn’t exist on those platforms as they are. As an organisation, they have a sense of responsibility for protecting their user base. And if they are, you know, blindly uploading and not vetting applications and just whacking them up, you know, then there’s a failure in the process, and as a result users have been affected. I mean, these browser extensions I’ve put on the screen now, these were two examples of the browser extensions which were blocked this month. Every man, every woman in the world will want to hide what they are searching on the Internet, especially after what we’ve just spoken about, and especially what I’m about to talk about in the next story. And, you know, the information that is obtainable from a system about a user’s behaviour and a user’s habits is unbelievable. It’s the starting point in any investigation that you want to take, because, you know, essentially that’s where the amount of problems start. So I have here this supposed keep-up browsing and secured search extension. They look legit. There are too many reviews that they have? Apparently one of them had 4 million users using it and had over 1,650 reviews that were rated four stars or above. Now, for me, if I was an end user looking at those reviews:
All right, looks decent, but in terms of, and this goes back to a story we spoke about last week around botnets, you know, an army of bots posting very generic reviews, like the one on the picture here, “the best antivirus software I have ever, ever had ever will do ever.” You know, it doesn’t really make sense. And people have to take it with a pinch of salt. When you read reviews, they have to understand that it is very easy to build an API which can basically just compile tons and tons of reviews on stuff just to make it look better, and it’s a problem. I know I’ve worked with organisations in the past, worked in organisations in the past, which have a “we do not support”, in inverted commas, around Google Chrome and other browsers. Now, that’s all well and good, and yet, you know, if you don’t support it, you need to understand that users will be users. And if users want to use Google Chrome, they will find ways to get Google Chrome. And that’s something that I think in the security space hasn’t been really understood for a long time. You know, the likes of shadow I.T. set ups. This essentially is, as you know, shadow I.T. It’s a bypass of security to get what the user needs: a good Internet browser.
DAVID TAYLOR [00:14:16] It’s so easy to install things like Chrome extensions as well. You know, it’s literally like one click. It’s not technical at all.
JOSHUA READ [00:14:29] And what I will say on this is there are numerous things you can do. Even if your organisation doesn’t support Google Chrome, you should still have a group policy built to encompass Google Chrome in your systems. You know, you can get an ADMX template for your group policy and for Active Directory, and configure it how you want to configure it. You know, there’s hundreds of use cases where, you know, security could possibly be put at risk because of the functionality that Google Chrome provides. One case would be a user syncs their personal account on a work laptop using the Google Chrome sync option. Now, that’s all well and good. They’ve got all the passwords of the personal PC on the work PC, but it also went the other way, so they have all their work passwords synced with their account on that home PC. Now, if that user is furloughed, made redundant, fired, or maybe even that personal account is breached or compromised, that’s, you know, goodbye passwords. If they’ve got admin passwords to all the admin portals, especially like, I know, the AV portal or the SIEM portal, then that can cause a lot of havoc, because they have access to that password. They basically copy and paste it into, you know, a password safe that is managed by that personal account. Now there is stuff you can do around group policy to stop them from syncing their accounts. You know, you can stop them from downloading certain applications. You can also enforce the security, so say they need to have this extension installed, sorry, in order to use Google Chrome. Now, even if you don’t spot it, you should still be doing what you’re doing, or have a tool that will be able to remove Google Chrome if your user base isn’t deemed to be allowed to use Google Chrome. Well, my advice to the general user: just be careful what you download.
Try and see past the reviews. The reviews are consistently botted, and, you know, “this was a great extension” will not suffice as a good review, because someone saying “good extension” doesn’t provide specific information, and, you know, stuff can be faked. And you should also probably look closer into the permissions it’s asking for. You know, if it’s asking for storage or looking at local files on your system, if it doesn’t need them, it shouldn’t ask for them. That’s the least privilege model; that’s how it should be in security. But I think, as I said before, there needs to be more responsibility and accountability held by Google on this side of things. I think there isn’t enough.
DAVID TAYLOR [00:17:32] I mean, I don’t know if there’s a difference in size, but it seems to me that Google’s always getting rid of these apps and these extensions compared to Apple removing stuff. I don’t know if that’s maybe a stricter vetting process on that system, but I don’t think this will be the last time we see these kinds of numbers and, you know, these kinds of extensions and apps being removed by Google, but we’ll keep an eye on it. So on to our next story. It is the story around hackers having leaked 269 GB of US police and fusion center data online. So we were chatting about it earlier and you alluded to it before. This is one story, but it’s almost the tip of an iceberg, isn’t it? A data privacy rabbit hole?
JOSHUA READ [00:18:19] Yeah, some of the stuff that was released in this breach was terrible. I just read it and it was shocking. So essentially, it was a group of activists and transparency advocates, which is a fancy name for activists. They managed to extract 269 gigabytes of data from 200 police departments. Now, in America, they have these things called fusion centres, which are basically data hubs. When, you know, you’ve got your Wisconsin police department and they need information from another state, then they go to one of these fusion centres and request this information. Now, these fusion centres hold a lot of information around all police departments in the US. This was, you know, dubbed BlueLeaks, and it was exposed and leaked by the DDoSecrets group and contains thousands and thousands of sensitive documents from the last 10 years with official and personal information. So it was quite a major breach. I’m actually surprised this hasn’t got a lot of light in the media, and I have my suspicions why. I won’t be voicing those opinions, or suspicions. It’s shocking, some of the stuff that was released. So these are some tweets that went up on Twitter, as obviously this was released on Twitter. It was a tweet that went out by DDoSecrets, and they basically then replied with all this other information. Such as this one on the left: if you wondered if police tracked Facebook events to find protests, then the answer is yes. It’s essentially a document from Heping County Sheriff’s Office, and they basically report on tracking Facebook events and planning where the protests are going to be and who has said that they are going to these Facebook events, and then there’s an action plan as well as to how they’re going to combat this protest. Now, that’s freedom of speech, number one, out the window. And the second one, this one was another interesting one, so they show support on L.A.
tweeted back saying, remember, always hide your tattoos and everything indicating who you are. They are looking closely. Medics are now marked as extremists because they are helping injured protesters. There are basically intelligence reports on medics that have been helping protesters that have been injured while in the process of protesting, and apparently they are now marked as extremists. Which is, yeah… And another one: ever wondered what kind of information Google shares with law enforcement? Well, in this one, Google seems to have supplied email address and IP address, phone number, login times, what video they watched, what they commented on the video. So this is obviously a report on a YouTube video, and the time that they watched it, where they watched it from. And obviously this apparently is in terms of a wider investigation into a supposed user watching YouTube videos. It’s interesting, I wonder if this YouTube video actually related to anything that’s happening at the moment or whether it was just, you know, a Katy Perry video or something like that. Yeah, you’ll never know. And then subsequently, DDoSecrets got taken down. The author of DDoSecrets, also that Twitter account, the Twitter account got taken down now. This I found quite funny, because Twitter supposedly said that they took the Twitter account down because it was leaking personally identifiable information. However, in all the tweets that had been in the thread, all the personally identifiable information had been redacted. So there was no personally identifiable information available, yet they still had supposed grounds to ban the account, which I found quite funny. But essentially in this BlueLeaks attack, there were, I think, U.S. agencies from Alabama, Austin, Boston, Colorado, California, Delaware, and then there were files for an FBI association also included.
Well, I think this all relates back to these Netcenter National Fusion Centre Association servers being part of this security breach, which were basically these fusion centres, these fusion hubs for intelligence sharing.
DAVID TAYLOR [00:23:21] I really couldn’t get hold of whether they were involved in another… someone you’d just be a phishing attack, I think, being as the sentinel company, being the National Fusion Center Association. So there are phishing attacks going out trying to send around ransomware, and that was involved on their web post, web browser as well.
JOSHUA READ [00:23:44] Yeah. Yeah. I think the main thing I’m shocked about with this is mainly around the content of these reports. I personally haven’t looked through the BlueLeaks information, but I got enough from one blog with all the screenshots and the images that were provided. I think the term freedom of speech is quite clearly being tied up in a bag with rocks and thrown in the river. Yeah, it’s a funny old world, let’s just say that. I don’t really want to comment any more on this. It’s quite infuriating.
DAVID TAYLOR [00:24:32] It is a rabbit hole, I think, the whole privacy thing, and there’s a lot going on, probably not just in America; as you can see, there’s clearly stuff going on in other countries. But we’ll leave that story for now and go on to our final one, into another devilish activity. So this is the Lucifer malware that abuses critical vulnerabilities on Windows machines.
JOSHUA READ [00:24:52] Yes. This was a new variant of cryptojacking and DDoS based malware. It exploits very, quite old vulnerabilities, which I found quite odd. It was Palo Alto Networks’ Unit 42 who were the ones that provided the report around this cryptocurrency malware. There’s a whole list of vulnerabilities, and I think the main one is CVE-2019-9081, which is in the Illuminate component of the Laravel framework, and it was at best a remote code execution vulnerability from 2019. And there were remote code execution vulnerabilities present in this attack vector that date back to 2014. So, you know, they’re using very old vulnerabilities, and I think it was how many, one, two, three… Yes, there are 11 vulnerabilities that were found to be exploited by this attack vector. All of them are well over a year old, and there are patches available for every single one of these vulnerabilities. They’ve been available for over a year. So this would only work if deployed on an unpatched system. Now, I think we all know, and I appreciate those folks watching at home, that such systems do sit on networks. That’s, you know, some systems can’t be patched after, you know, they have to rely on legacy set ups. They have to rely on legacy applications to run, which rely on old style registries, you know, old style other applications, to perform their function. So it’s a difficult one. My advice around this one would just be patch. The malware will scan for TCP ports, mainly 135 and 1433, which are the RPC and MSSQL ports. It will find targets and then use brute force credential attacks in order to obtain access. Then the malware infects the targets through IPC, WMI, SMB and FTP. So it is quite, I’d say it’s quite sophisticated malware. But the first attack using Lucifer version 1 was detected on June the 10th, and then a day later they released Lucifer version 2.
So they’re quite quick in developing stuff. And according to the report, it’s wreaked havoc on the target machine. So simply patch your systems, and if you have a vulnerability management tool, you could maybe look for these specific CVEs. Maybe, you know, if you find these specific vulnerabilities on these systems, then patch them or even re-architect the application. It’s always gonna be quite dangerous. I think we’ll post the IOCs in the post for this. For this malware there are a lot of domains and hashes and identifiers for the files, if you want to get them on your AV solution or your SIEM solution, then I guess. But yeah, essentially the answer for this is patching systems. Again, I can’t say it enough, I think especially with everyone working from home at the moment. Obviously patching is quite a difficult process, but I think there’s a lot of companies that have re-thought their patching solution and their patching process, especially around timeframes. And I think it’s the correct thing, you know, that the days of CVSS scores being the only measurement of how vulnerable you are to a vulnerability are outdated. There’s so many other aspects of vulnerabilities that need to be assessed before you start undertaking patching. A CVSS score is a blind way of looking at vulnerabilities. There are more versions of CVSS that you can look up to assess your environment and make it more bespoke to you.
DAVID TAYLOR [00:29:29] And if you’re struggling, I guess you can engage with a managed service provider like Celerity. Shameless plug there: vulnerability management as a service. I’ll just drop that in to keep the bosses happy. So have you got anything more on that? Well, I think that’s all we’ve got time for today.
JOSHUA READ [00:29:47] So that’s all we’ve got from today.
DAVID TAYLOR [00:29:49] Well, I think we’ve actually just clocked it live in 30 minutes, as we do. Thank you for watching, and we’ll catch you next week for another episode of Secure with Celerity. See you then.