North Koreans spotted harassing SMBs with malware
Also: Lawyers told to dissuade clients from paying off ransomware crooks, and more
In brief SMBs, beware: Microsoft said this week it has discovered a North Korean crew targeting small businesses with ransomware since September of last year.
The group, which calls itself H0lyGh0st, appears to be primarily motivated by money, Microsoft Threat Intelligence Center (MSTIC) researchers said. After the gang gets its eponymous malware onto a victim's network, it follows the standard ransomware playbook: encrypt files, and demand a Bitcoin payment to restore the data.
According to MSTIC, H0lyGh0st's targets "were primarily small-to-midsized businesses, including manufacturing organizations, banks, schools and event and meeting planning companies." Microsoft believes most were likely victims of opportunity.
H0lyGh0st claims to be acting "to close the gap between the rich and the poor," as well as claiming to help victims increase their security awareness (for a fee, of course). Microsoft said it can't be sure of H0lyGh0st's intentions, and that it's equally plausible the group is or isn't affiliated with the North Korean government.
What is clear from Microsoft's report is that the group is located in North Korea, and that it's at least in communication with another North Korean cybergang known variously as Andariel, DarkSeoul and PLUTONIUM. That crew is believed to be responsible for prior attacks against the South Korean Ministry of Defense, Sony, and SWIFT banks, as well as being the possible developers of the WannaCry ransomware.
While the two have communicated, operate from the same infrastructure set and use custom-made malware with similar names, the MSTICs say their differences "in operational tempo, targeting and tradecraft suggest [H0lyGh0st] and PLUTONIUM are distinct groups."
MSTIC researchers said Microsoft Defender (antivirus and endpoint) are able to detect H0lyGh0st infections. The team also recommends all organizations follow ransomware best practices, like regular backups and thorough, tested recovery plans.
Lawyers urged to steer clients away from paying cyber-ransoms
The chiefs of two UK watchdogs have gently leaned on lawyers in the country this month, urging the briefs to dissuade clients from giving in to ransomware demands.
John Edwards, head of Britain's Information Commissioner's Office, and Lindy Cameron, CEO at the National Cyber Security Centre, said in a letter [PDF] to the Law Society and Bar Council "that an increase in ransomware attacks and payments is indicative of mistaken beliefs about British law."
"It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case," the pair said.
Beyond the common refrain of "payment incentivises more attacks," Edwards and Cameron give some reasons why organizations should't cough up.
For one, ransomware payments aren't usually illegal, they said, but can be depending on sanctions against countries where attackers are located. Changing sanctions means a payment to an attacker could be riskier than believed.
A central misunderstanding appears to be that paying a ransom mitigates risk, and will therefore reduce fines owed to the ICO if the company is found negligent. "This will not reduce any penalties," they wrote in the letter.
What could cause the ICO to recognize mitigation of risk is if organizations "have taken steps to fully understand what has happened and learn from it," as well as properly reporting the incident to the NCSC and law enforcement.
Edwards and Cameron hope that, by writing to the aforementioned legal profession bodies, their message on ransomware payments and responses will be passed onto to lawyers, who in turn will help clients handle infections more appropriately.
According to a recent report from the Institute for Security and Technology, the US and UK lead the world in the number of ransomware incidents. 2022 has shown signs of a slowdown, which the IST report said could be due to organizations quietly paying off exortionists and keeping it all hush hush. Ransomware slingers have also begun extorting businesses without actually encrypting information – instead just siphoning off data – which could also be contributing to fewer reports without a reduction in attacks.
OrBit Linux malware under the microscope
Infosec outfit Intezer has reverse engineered a strain of x86-64 Linux malware that started off the month largely undetected by virus scanners.
Dubbed OrBit, the newly discovered software nasty is able to hook its way into every running process, copies any read or written data, provides remote access, and can be persistent or volatile, once it's been injected into a compromised system.
Earlier this month, none of the scanners in VirusTotal were aware of it, according to Intezer, though now they are getting it.
OrBit does its damage by stashing a malicious shared object file on the system that hijacks functions in libc, libcap, and PAM, when applications and programs are run.
Function hooking is a common malware methodology, but Intezer notes that it doesn't hook functions in the usual way, by loading a shared library through LD_PRELOAD like Symbiote, which Intezer researchers also discovered.
Instead, OrBit loads its malicious content in one of two ways: either by adding the aforementioned shared object to the system's dynamic linker/loader's configuration file, or by patching the binary of the loader itself so it will load the malicious object.
OrBit also uses XOR encrypted strings to steal passwords, akin to previously discovered Linux backdoors, but Intezer said it differs in how it it extracts the information – by hooking read and write functions – and what it does with it – storing it in a specified location on the infected machine.
It takes less than 30 minutes for cybercriminals to launch a new scam
Cybercriminals don't waste time. They move so fast that a report from Sophos found one Facebook 2FA scam going from registering a domain name to sending phishing messages in just 28 minutes.
The two-factor authentication portion of the scam comes after the fake login, which asks for the six-digit code from Facebook Code Generator. Providing it "theoretically gives the criminals anywhere between 30 seconds and a few minutes to use the one-time code in a fraudulent Facebook login attempt of their own," Sophos researchers said.
To further hide evidence of the scam, the phishing domain sends users back to a legitimate Facebook page at the end of the process.
The key thing cybercriminals are looking for in campaigns like this is people in a hurry. "Fight back against their haste by taking your time," Sophos said. The biz recommends carefully checking URLs to verify they aren't disguising the actual destination, use a password manager that associated accounts with a particular URL (and so won't log in to phishing pages), and consider responding to similar emails on a desktop, where a larger screen can more easily reveal hidden URLs or other elements of a scam.
Vice has acquired code from An0m, an encrypted messaging app that was actually an FBI honeypot, and it appears to be cobbled together from open source apps. The code also shows how the Feds were able to read messages: a "ghost" bot hidden from, but included in, An0m user friend's lists was sent copies of every single message. Operation Trojan Shield, of which An0m was the central part, saw the FBI seize more than $148 million along with drugs, vehicles and weapons.
Bored teens are turning to a new racket to pad their allowances: selling commodity malware on Discord, according to Avast researchers. The minors involved in the activity aren't necessarily learning to become hackers, though: Avast said no-code malware building tools with simple customization options are the gateway for today's junior cybercriminals. Avast warns that such simplicity can be deceptive, and simple mistakes by young people can easily lead to the theft of personal data.
Popular drone RC protocol ExpressLRS prone to hijacking
ExpressLRS, an open-source radio control link commonly used by drones thanks to its low latency and high range, has been found to be easily hijacked.
Using only a standard ExpressLRS-compatible transmitter, researchers at NCC Group were able to hijack control "of any receiver after first observing traffic from a corresponding transmitter."
The problem stems from ExpressLRS' use of a binding phrase hardcoded into transmitter and receiver pairs that only uses MD5 hashing, long considered insecure. According to NCC Group, weak security makes it possible to extract part of the phrase from listening to signals, while a combination of brute force and analysis can be used to determine the rest.
"Once the full identifier is discovered, it is then possible to use an attacker's transmitter to control the craft containing the receiver with no knowledge of the binding phrase," NCC Group said. If a drone in flight were hijacked in such a manner, it's likely to cause a crash, researchers wrote.
NCC Group initially disclosed the problem with the owner of the ExpressLRS GitHub repository in December last year, but ExpressLRS' maintainers have rejected pull requests from NCC Group twice; first due to the size of the request, and second because of "differing opinions between NCC and developers," NCC wrote in its report.
NCC recommended that ExpressLRS stop sending UIDs over the control link as well as not sending data used to generate FHSS sequences over the air. NCC also recommends improving the random number generator, which duplicated some values in the FHSS sequence, part of what enables the hack.
It's unclear if those changes have been made outside of NCC's denied pull requests.
Man accused of scamming the poor with fake ISP
An internet service provider in Ohio has turned out to be nothing but a scam to defraud poor families, the FCC alleges.
Kyle Traxler, owner of supposed ISP Cleo Communications, faces a $220,210 fine by the US regulator for abusing its emergency broadband benefit (EBB) program that provided $50 monthly discounts to households meeting certain criteria.
The EBB has since been rolled into the FCC's Affordable Connectivity Program.
Traxler and Cleo Communications, which the FCC said appear to be legally one and the same entity, are accused of wire fraud for taking payments from eligible households with the promise of receiving service and hardware. The service never materialized, we're told, and complaints to the FCC began pouring in.
"Cleo's schemes to defraud consumers under the pretense of participating in the EBB Program caused severe harm not only in monetary terms to the low-income consumers it preyed upon, but also to the trust and goodwill this or any program needs to achieve its purposes effectively," the FCC said in its complaint.
Traxler never enrolled in the EBB program or took funding from the US government, the FCC said, and instead went directly to folks to operate the apparent scam. The FCC is seeking to impose the maximum possible fine, which it said "reflects the scope, duration, seriousness, and egregiousness of Cleo's apparent violations."
This wouldn't be the first time the FCC has caught companies trying to defraud the EBB program. In November, 2021, the FCC Inspector General issued an advisory warning members of eligible communities that ISP sales representatives were falsifying school enrollment for EBB eligibility. ®