Viry a Červi

Executive summary

The Cybercrime Ecosystem is a series of articles explaining how cybercriminals operate, what drives them, what techniques they use and how we, regular Internet users, are part of that ecosystem. The articles will also cover technical details and up-to-date research on the threat landscape to provide a more realistic understanding of why this is a problem and how we can prevent it.

This article describes current problems with cybercriminals infecting websites with malicious code. It is very common to see cybercriminals exploit vulnerabilities in blogging software such as WordPress and Joomla! for injecting their malicious code. This is very effective, as many blogs are whitelisted, are not detected as suspicious websites by anti-virus software and get a lot of traffic. In my research, I decided to investigate this further and see what the current threat landscape looks like by researching the most visited blogs in Sweden.

In my research, I noticed that the majority of the blogs were running outdated versions of not just the WordPress core, but plugins, too. Their vulnerabilities would allow both authenticated and unauthenticated users to execute system commands, inject malicious code, such as JavaScript, and perform SQL injections to get access to the database. Please note that none of the vulnerabilities have been verified; they are simply based on the publicly available version number identified in the research.

Introduction

Attacking websites and infecting them with malicious code is probably one of the most common types of attacks by cybercriminals. It will allow criminals to perform multiple attacks against visitors to the website. They can basically control all the visitors and redirect their browsers to any website they want, while the visitor may not be aware it is happening. The link to the infected website can be sent by email, in a personal message on a social media platform or any other common way.

By redirecting the visitors to a website under the criminals’ control, they can, for example, exploit vulnerabilities in the browser or other client software such as Java, Flash, Acrobat Reader, VLC, Microsoft Office and tons of others.

They can also redirect the user to scam/spam sites, for example, by tricking users into downloading a fake software update or scaring them to make them pay a ransom. Lately, we have also seen that criminals can utilize the browser itself for cryptocurrency mining, etc. or use it as a zombie in a larger botnet for denial-of-service attacks.

Cybercriminals can hack into blogs by using many different methods, such as exploiting software vulnerabilities or getting access to admin panels, getting remote access (SSH, telnet) with known or leaked passwords, or in some cases, even buying legitimate ads, poisoning these with malicious code, and displaying on the targeted website. This technique is called Malvertising.

I decided to look at the biggest CMS system (WordPress) and the top 50 biggest and most visited blogs in Sweden to see if they were vulnerable against any common and known vulnerabilities. Not all of the top 50 websites where running WordPress; some of them were running custom software or another CMS system. Another obstacle was that it was not possible to ascertain the exploitability of the identified vulnerabilities. I could only base my research on the version of the software/plugin they were running, whereas not all plugins disclose their version numbers, so this report is based only on the version numbers that I have been able to identify.

Tools and techniques used

Determining the version number of a specific plugin or piece of software is straightforward enough: you simply need to look at the source code of the website and follow the links on the website. WordPress provides a few common methods of determining the version number: one of these is to see if the system has RSS (feeds) enabled. By accessing the feed, you also get the version number: it will have a tag.

In addition to this, you can also start enumerating the plugins directory and see if there are any “readme” or installation notes. Most of the plugins have their version number written down in the readme/changelog/installation files or even print the version on the page.

Once the version number has been identified, there is a plenty of public resources you can use to check if that specific plugin is vulnerable to any known attacks. I used mainly two sources, which were www.exploit-db.com and www.wpvulndb.com.

A screenshot from wpvulndb.com

A screenshot from exploit-db.com

To automate this process, I teamed up with the WPscan team who have a tool/API allowing users to scan WordPress sites and automatically query the wpvuldb.com database via a nice API to check if the identified plugins and versions are prone to any known vulnerabilities. I thank WPscan for their support in this project! It would have taken me much longer to do this manually.

Statistics

The results were very interesting: I noticed that the most visited blogs in Sweden where running outdated software. Thirty-seven percent of the top 40 blogs in Sweden where running an outdated version of WordPress, with the oldest version being from 2012, vulnerable to a lot of exploits—even full remote code execution allowing the attacker to compromise not just the WordPress installation, but the server it is running on, too. When checking the server hosting this extremely old WordPress installation, I found that 13 other websites were running on the same server. Most of the outdated WordPress installations where from 2018.

RELEASE DATE VERSION VULNERABILITIES 2012-06-27 3.4.1 41 2013-06-21 3.5.2 19 2016-06-21 4.3.5 19 2018-08-02 4.9.8 11 2018-08-02 4.9.8 11 2018-08-02 4.9.8 11 2018-08-02 4.9.8 11 2018-08-02 4.9.8 11 2018-08-02 4.9.8 11 2018-08-02 4.9.8 11 2018-08-02 4.9.8 11 2019-03-13 5.1.1 1 2019-06-18 5.2.2 8 2019-09-05 5.2.3 6 2019-09-05 5.2.3 6

Source: cvedetails.com and wpvulndb.com

Another interesting fact is that 55% of the researched sites where running the latest version of WordPress, and out of those systems, 50% had a plugin with a history of being vulnerable, but due to the fact that the version number could not be determined, we do not know if they are still vulnerable. Only four out of these 22 systems had vulnerabilities which were verified via the version number.

Spreading the malware

As mentioned before, this is a very common way for cybercriminals to spread malware, but how does it work in real life? After the WordPress site is compromised, the most common technique is to redirect the user to a so-called exploit kit. This is a system which will enumerate the browser, and if a list of requirements is met, deliver the malicious payload to the victim. For example, some of the requirements may be to exploit a certain browser only, if the exploit kit only has exploits for Firefox. In that case, nothing will happen if you visit the website in Chrome or Internet Explorer.

More advanced exploit kits also enumerate certain users from certain countries, possibly even excluding certain IP addresses from known security companies, law enforcement agencies and other people. The exploit kit also keeps track of successfully infected victims, so the cybercriminals can easily perform their operations or sell access to the infected computers.

Exploit kits do not just deliver malware—they can deliver any payload, e.g. by simply redirecting a user to another website or displaying ads. You yourself may have been redirected to a survey or some kind of “amazing” offer. This could have been done using the same techniques as mentioned above.

Examples of recent and large attacks:

• https://www.kaspersky.com/blog/malicious-websites-infect-iphones/28493/
• https://securelist.com/whos-who-in-the-zoo/85394/
• https://securelist.com/largest-website-in-sweden-spreading-malicious-code/58250/
• https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/thousands-compromised-websites-spreading-malware-via-fake-updates/
• https://news.drweb.com/show/?i=13388&lng=en&c=5

Database leaks

One of the biggest motivators for cybercriminals is financial gain, and although that does not apply to everyone—some attackers have political motivation, others just do it for the adrenaline—making money is still a strong incentive. The cybercriminal ecosystem is huge, and cybercriminals benefit from everything they compromise. Simple things, such as email databases, access to compromised systems or infected computers, email and password combinations, and a lot more are all sold on the black market.

Almost exactly one year ago, I wrote about how much stolen data was being sold on the black market.

Blogs are a goldmine for collecting user data, as they get a lot of visitors who, in many cases, maintain an account on the website to be able to comment on posts. Another reason is that it is very easy to perform social engineering attacks against the visitor, display a fake login page and trick the user into logging in to access “hidden” content.

However, cybercriminals can also exploit SQL injection vulnerabilities both in the WordPress core and many plugins that have these. The vulnerability will allow an attacker to query the underlying database, retrieve data from it, and in some cases, even modify and read/write files in the file system.

Fortinet has written a very good article on some of the SQL injection vulnerabilities they found a few months ago.

Are we doomed?

I personally think that this is not a problem we can blame on the technology, because if you look at, say, WordPress, the system is very good at informing you as an administrator that there are updates available. As you can see from the screenshot below, the available updates are shown in two places: Plugins and Dashboard, where WordPress core updates will show up as well.

One reason why the plugins or software is not updated might be that the current theme is not designed to work with the latest version of the plugin and might not function properly if the plugins are updated. Another reason might be that the people administrating the WordPress installation are marketing/PR agencies or web designers, who are only responsible for the layout, not security.

I think that anyone running a website should take a little more responsibility, not just for their brand, but for the systems they use, too. Regardless of whether you are an influencer, personal blogger or e-commerce website, it should be your best interest to ensure that you are not making the life of cybercriminals easy. If you are only a customer using these blogging platforms, please ask your provider what their policy is for making sure that the blog is secure.

As a regular Internet user, you need to make sure that you are securing your device and keeping your digital identity safe. A very good tip is to use protection against malicious code, which will identify and prevent these attacks even if the blog or website is infected.

You also need to ensure that you are not reusing your passwords on every site. One example of how you can create strong and unique passwords for every site, without using any additional software, can be found here.

Even if you do all of these, it is also very important that you make sure your device and any software installed on it is up to date with the latest security patches. Running the latest and secure versions makes a great difference.

I am also very glad that you took the time to read this article. It means that we are actually starting to make a difference, and the effort that we, security nerds, do reaches people such as yourself. Thank you and please share this knowledge with people who you believe might benefit from it. We cannot solve everything with technology, and we need to use our common sense and share knowledge among ourselves. We need your help with doing just that!

Though active for not much longer than a year, GandCrab had been one of the most successful ransomware operations. In a paper presented at VB2019 in London, McAfee researchers John Fokker and Alexandre Mundo looked at the malware code, its evolution and the affiliate scheme behind it. Today we publish both their paper and the recording of their presentation.

Read more

Self-assessment phishing and phone scam alert raised

The UK’s tax authorities have issued an official warning to contractors to watch out for self-assessment scams - and they don’t mean IR35 for a change.…

Fraudster oversaw operation with contraband phone

A convicted fraudster housed in a maximum security prison in Nigeria managed to pull off a $1m (£775,000) online scam from behind bars.…

Rights warriors want governments to actually, y'know, do something – anything

Amnesty International says the "pervasive surveillance" practiced by Facebook and Google represents a threat to human rights, a claim the two companies dispute.…

Twitter wagged its finger at the UK's Conservative party for renaming its press account "factcheckUK" during a live TV debate.

The Coalition Against Stalkerware launched this week, with the aim of offering a centralized location for helping victims of stalkerware, as well as defining what stalkerware is in the first place.

In scope RCE Mozilla bug bounty payouts have also tripled to reach $15,000.

Linux users running the enterprise-search platform Solr are potentially vulnerable to remote code execution attack.

Further details of the flaw, which has recently been patched by Microsoft, were disclosed Tuesday by researchers.

The majority give outside partners, contractors and suppliers administrative access -- without strong security policies in place.

The passwords of more than 2.2 million users of a gaming and cryptocurrency website were dumped online after dual data breaches.

Are you for real? splutters surveyor Sophos

Half of UK public sector IT chiefs think the data they're responsible for protecting is less valuable than private sector information, according to a survey by antivirus firm Sophos.…

A now-patched-hole could have allowed remote code execution that could have exposed files and messages. Update your WhatsApp now.

It was sucking up private profiles by requiring users to hand over their logins, giving it access to whatever accounts they follow.

The bug was fixed at least a month ago so users receiving dynamic email content have one less thing to worry about.

If you've been happily using Adobe Reader 2015 software for the last few years, you're in for a rude awakening.

Lock the front door, you chumps

A British video-editing startup exposed what is claimed to be "thousands" of user-uploaded videos, including family films and home-made pornography, in an unsecured Amazon AWS bucket.…

Nothing is more difficult than making predictions. Rather than trying to gaze into a crystal ball, we will be making educated guesses based on what has happened during the last 12 months, to see where we can see trends that might be exploited in the near future.

This is what we think might happen in the coming months, based on the knowledge of experts in this field and our observation of APT attacks – since APT threat actors have historically been the center of innovation.

The next level of false flag attacks

The use of false flags has become an important element in the playbook of several APT groups. In the past, this has generally involved trying to deflect attention away from those responsible for the attack – for instance, the usage of Russian words in Lazarus group malware, or Romanian words by WildNeutron. In one notable case – the Olympic Destroyer attack – the Hades APT group sought to go further than just clouding the waters of attribution by forging elements of the attack to make it seem like the work of a different threat actor. We believe that this will develop further, with threat actors seeking not only to avoid attribution but to actively lay the blame on someone else.

For instance, this could include the usage of established backdoors by other unrelated APT actors, the theft and re-use of code (the recently published case of Turla reusing code from an unknown Iranian group, outlined by the UK NCSC and NSA comes to mind) or deliberately leaking source code so that other groups adopt it and muddy the waters further.

On top of all that, we should consider how actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult. Mixing a couple of false flags into this equation, where security researchers are hungry for any small clue, might be enough to divert authorship to someone else.

From ransomware to targeted ransomware

In the last two years we’ve seen a decline in numbers of all-purpose widespread ransomware attacks as cybercriminals have become more targeted in their use of this type of malware – focusing on organizations that are likely to make substantial payments in order to recover their data. We are calling this technique ‘targeted ransomware’. Throughout the year, we recorded several cases where attackers used targeted ransomware, and we think that a likely future development will be more aggressive attempts to extort money. A potential twist might be that, instead of making files unrecoverable, threat actors will threaten to publish data that they have stolen from the victim company.

In addition to targeted ransomware, it is inevitable that the cybercriminals will also attempt to diversify their attacks to include other types of devices besides PCs or servers. For instance, ransomware in consumer products, such as smart TVs, smart watches, smart cars/houses/cities. As more devices become connected to the internet, cybercriminals will also be looking for ways to monetize their access to these devices. Ransomware is, unfortunately, the most effective tool for extracting a financial profit from the victims.

New online banking and payments attack vectors

A new potential attack vector for cybercriminals could open up with the new banking regulations that have recently come into full effect across the EU. The PSD2 (Payments Services Directive) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online, including mobile, payments is a key aspect of the legislation. Nevertheless, as banks will be required to open their infrastructure and data to third parties who wish to provide services to bank customers, it is likely that attackers will seek to abuse these new mechanisms with new fraudulent schemes.

More infrastructure attacks and attacks against non-PC targets

Determined threat actors have, for some time, been extending their toolsets beyond Windows, and even beyond PC systems: VPNFilter and Slingshot, for example, targeted networking hardware. The benefit to an attacker, of course, is that once they have compromised such devices, it gives them flexibility. They could opt for a massive botnet-style compromise and use that network in the future for different goals, or they might approach selected targets for more clandestine attacks. In our threat predictions for 2019, we considered the possibility of ‘malware-less’ attacks, where opening a VPN tunnel to mirror or redirect traffic might provide all the necessary information to an attacker. In June, it was revealed that hackers had infiltrated the networks of at least 10 cellular telcos around the world, and had remained hidden for years. In some cases, it seems they had been able to deploy their own VPN services on telco infrastructure. The convergence of real and cyber worlds brought about by the profusion of IoT devices offers growing opportunities for attackers; and it’s evident that threat actors are aware of the potential. This year it was reported that unknown attackers stole 500MB of data from NASA’s Jet Propulsion Laboratory using a Raspberry Pi. In December last year, the UK’s Gatwick airport was brought to a standstill for fear of a possible collision after at least one drone was sighted above one of the runways. While it’s unclear whether this was the result of a hobbyist drone owner or a determined DDoS attacker, the fact remains that part of the country’s critical infrastructure was brought to a standstill because of the use of a drone. The number of such attacks will undoubtedly grow.

In recent years, we have seen a number of high-profile attacks on critical infrastructure facilities and these have typically been aligned to wider geo-political objectives. While most infections in industrial facilities continue to be from ‘mainstream’ malware, this fact itself highlights just how vulnerable these facilities can be. While targeted attacks on critical infrastructure facilities are unlikely ever to become a mainstream criminal activity, we do expect to see the number grow in the future. Geo-political conflicts are now played out in a world where the physical and cyber are increasingly converging; and, as we have observed before, such attacks offer governments a form of retaliation that lies between diplomacy and war.

Increased attacks in regions that lie along the trade routes between Asia and Europe

Clausewitz’s dictum, “War is merely the continuation of politics by other means”, can be extended to include cyberconflict, with cyberattacks reflecting wider real-world tensions and conflicts. We have seen numerous examples. Consider, for example, accusations of Russian interference in US elections and fears about a possible reboot of this in the run-up to the 2020 elections. We’ve seen it in the ‘naming-and-shaming’ of alleged Chinese hackers in US indictments. The widespread use of mobile implants to surveil ‘persons of interest’ is another example.

There are several ways this could play out. They include a growth in political espionage as governments seek to secure their interests at home and abroad. This could mean monitoring the activities of ‘undesirable’ individuals or movements within the country, as well as those of potential opponents abroad. It is likely to extend also to technological espionage in situations of potential or real economic crisis and resulting instability. This could result in new attacks in regions that lie along trade routes between Asia and Europe, including Turkey, East and South Europe and East Africa.

It’s quite possible that we will see changes to legislation and policy, as governments look to define more clearly what is and what isn’t allowed. On the one hand, this could be used as a way to establish plausible deniability and thereby avoid sanctions if the finger of suspicion is pointed at one state by another. On the other hand, it could enable more aggressive use of technology, as several justice departments seem keen to open the door to different kinds of ‘lawful interception’ to collect evidence on computers. One likely response from criminal groups will be greater use of encryption and the Darknet to conceal their operations.

Increasing sophistication of attack methods

It is hard to know exactly how advanced the top-class attackers really are and what kind of resources they have in their pockets. Of course, every year we learn a bit more: for instance, a few years ago we observed an apparent endless supply of zero-days for resourceful attackers who were ready to pay for them. This year we observed several examples, but probably the most interesting is the one involving at least 14 exploits for iOS during the last two years, as exposed by Google in August.

The new isolation methods implemented for Microsoft Word and other software traditionally targeted in spear-phishing campaigns might have a significant impact in malware delivery methods, forcing less sophisticated actors to change the way they spread malware.

We believe it is likely that additional interception capabilities, similar to the Quantum insert attacks described a few years ago, are already being used; and hopefully we will be able to discover some of them.

It also seems likely that attackers will exfiltrate data with non-conventional methods, such as using signaling data or Wi-Fi/4G, especially when using physical implants (something we also believe is probably being overlooked). In a similar vein, we believe more attackers will use DoH (DNS over HTTPS) in the future to conceal their activities and make discovery more difficult. Finally, it is possible that during the coming months we will start discovering more UEFI malware and infections as our ability to see such systems is slowly improving.

Use of supply chains will continue to be one of the most difficult delivery methods to address. It is likely that attackers will continue to expand this method through manipulated software containers, for example, and abuse of packages and libraries.

A change of focus towards mobile attacks

During the last 10 years, an important transition has taken place: the main storage for our digital lives has moved from the PC to mobiles. Some threat actors were quick to notice this and begin focusing on developing attack tools for mobiles. While we have constantly been predicting a huge increase in the number of attacks against mobiles, the observations from the field haven’t always reflected this inferred evolution. However, the lack of observations of a phenomenon doesn’t necessarily imply that it’s not happening.

We have already discussed how an attacker abused at least 14 zero-day vulnerabilities in iOS to target certain minorities in Asia. We also saw recently how Facebook sued the Israeli company NSO for allegedly misusing its servers (to deploy malware to intercept user data). We also saw how Android zero-click, full persistence exploits are now more expensive (according to Zerodium’s price list) than those for the iPhone.

All of this is telling us how much money attackers are investing in developing these technologies. It is clear to all of them how nearly everyone has a phone in his/her pocket and how valuable the information on those devices is. Every year we see new movements in this direction. We also see how complicated it might be for security researchers to obtain more technical details about attacks on such platforms, given the lack of visibility or accessibility.

There are no good reasons to think this will stop any time soon. However, due to the increased attention given to this subject by the security community, we believe the number of attacks being identified and analyzed in detail will also increase.

The abuse of personal information: from deep fakes to DNA leaks

We have previously discussed how data leaks help attackers to craft more convincing social engineering attacks. Not every adversary has a complete profile of potential victims to abuse, which makes the increasing amount of leaked data very valuable. This is also true for ‘less targeted’ attacks like the ransomware cases we have already discussed.

In a world where logged data continues to grow, we can see the danger in what could be considered especially sensitive leaks, for instance when it comes to biometric data. Also, widely discussed deepfakes are providing the technology to make such attacks a possibility, especially when combining this with less obvious attack vectors such as video and audio. We should not forget how this can be automated, and how AI can help with the profiling and creation of such scams.

Yes, all this sounds futuristic, but it is very similar to some of the techniques discussed for driving election advertisements through social media. This technology is already in use and it is just a matter of time before some attackers take advantage of it.

The future holds so many possibilities that there are likely to be things that are not included in our predictions. The extent and complexity of the environments in which attacks play out offer so many possibilities. In addition, no single threat research team has complete visibility of the operations of APT threat actors. We will continue to try and anticipate the activities of APT groups and understand the methods they employ, while providing insights into their campaigns and the impact they have.

 Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020 (PDF, English)

Haven't gotten around to patching since last Spring? Now would be a good time

Thousands of Oracle E-Business Suite customers are vulnerable a security bug that can be exploited for bank fraud.…