Security week 2

Stay safe. We bring you our regular weekly overview of security news.

LastPass uses built-in advertising and analytics trackers

LastPass is a very popular and well-established password manager. It was recently discovered that at least its Android version contains third-party advertising and analytics trackers, which sit uneasily with the sensitive data the application handles. Although the third parties do not receive the users' passwords themselves, they collect information such as IP addresses, screen resolution, time zones, the Google Advertising ID, and metadata about newly generated passwords and their types. This collection takes place in both the free and the paid version of the application. A company spokesperson stated that the functionality can be turned off under Account Settings > Show Advanced Settings > Privacy.

Not all cyber criminals are sophisticated

A short story about how the sale of stolen electronics through eBay can be detected by applying only a basic level of forensic analysis. In this particular case, the thieves sold a stolen laptop through eBay to a digital forensics investigator. 🙂

Security researcher breached the networks of 35 tech companies thanks to a new type of attack

Among the affected companies were prominent names such as Microsoft, Apple, PayPal, Netflix, Tesla, and Uber. The researcher used the popular public package repositories PyPI, npm, and RubyGems for the attack. Almost all projects nowadays have dependencies in the form of external modules, and many solutions are built on open source projects. During development, companies also create their own packages, which are hosted on their own internal servers and maintained by them. When a package manager is configured to consult both the internal and the public repository, it installs or updates to the latest version it can find anywhere; it does not check where a package came from, only which version number is highest. When the researcher discovered the names of specific internal packages that the companies used, he published packages with identical names on the public repositories, “enriched” with additional code and carrying a higher version number. In this way the companies' own build systems replaced their internal packages with the ones he had created.

The affected configurations have been patched, but this opens the door to a whole class of “dependency confusion” attacks in the future.
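To make the resolution rule concrete, here is an added example (not the researcher's tooling and not any affected company's build configuration) that models what a package manager does when it is pointed at an internal index and a public one at the same time, and two mitigations: resolving internally owned names from the internal index only, and hash-pinned requirements. The package name `acme-billing-core`, the index contents and the artifact bytes are all constructed for the illustration.

```python
"""Model of the dependency-confusion resolution step and two mitigations.

Added example, not the researcher's tooling and not any company's build
configuration. Index contents, package names and artifact bytes are constructed.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str       # which index served this candidate
    artifact: bytes  # constructed stand-in for the wheel/sdist contents


def parse_version(v: str) -> tuple:
    """Minimal dotted-version ordering (full PEP 440 ordering is not modelled)."""
    return tuple(int(p) for p in v.split("."))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed indexes. "acme-billing-core" is an internal-only name; the public
# copy is the attacker's look-alike with an inflated version number.
INTERNAL_INDEX = {
    "acme-billing-core": {"1.4.2": b"internal build 1.4.2",
                          "1.5.0": b"internal build 1.5.0"},
}
PUBLIC_INDEX = {
    "acme-billing-core": {"99.0.0": b"attacker payload"},
    "requests": {"2.25.1": b"upstream requests 2.25.1"},
}


def _candidates(name, index, label):
    return [Candidate(name, v, label, a) for v, a in index.get(name, {}).items()]


def resolve_extra_index(name):
    """Mirrors `pip install --extra-index-url <internal>`: every index is
    searched and the highest version wins, whichever index served it."""
    pool = (_candidates(name, INTERNAL_INDEX, "internal")
            + _candidates(name, PUBLIC_INDEX, "public"))
    if not pool:
        raise LookupError(name)
    return max(pool, key=lambda c: parse_version(c.version))


def resolve_with_index_pinning(name, internal_names):
    """Hardened rule: a name owned internally is resolved from the internal
    index only; everything else comes from the public index only."""
    if name in internal_names:
        pool = _candidates(name, INTERNAL_INDEX, "internal")
    else:
        pool = _candidates(name, PUBLIC_INDEX, "public")
    if not pool:
        raise LookupError(name)
    return max(pool, key=lambda c: parse_version(c.version))


def shadowed_internal_names(internal_names):
    """Audit: internal names that already exist on the public index, i.e.
    names an attacker has claimed (or could claim)."""
    return sorted(n for n in internal_names if n in PUBLIC_INDEX)


_REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[0-9.]+)\s+"
    r"--hash=sha256:(?P<digest>[0-9a-f]{64})$")


def verify_pinned_requirement(line, candidate):
    """Hash pinning (`pip install --require-hashes`): even when the wrong index
    answers, an artifact whose sha256 differs from the lock file is rejected."""
    m = _REQ_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    if (candidate.name, candidate.version) != (m["name"], m["version"]):
        return False
    return sha256_hex(candidate.artifact) == m["digest"]


if __name__ == "__main__":
    internal = {"acme-billing-core"}
    hit = resolve_extra_index("acme-billing-core")
    print("extra-index-url picks:", hit.version, "from", hit.index)
    safe = resolve_with_index_pinning("acme-billing-core", internal)
    print("index pinning picks:  ", safe.version, "from", safe.index)
    print("shadowed names:", shadowed_internal_names(internal | {"acme-auth"}))
    lock = ("acme-billing-core==1.5.0 --hash=sha256:"
            + sha256_hex(b"internal build 1.5.0"))
    print("lock accepts attacker build:", verify_pinned_requirement(lock, hit))
```

The practical counterparts of `resolve_with_index_pinning` are a single `--index-url` pointing at a private proxy that mirrors the public index and owns the internal names (pip), and scoped packages whose scope is mapped to the internal registry in `.npmrc` (npm). The `shadowed_internal_names` audit is worth running against the real public registries for every internal package name, since registering those names yourself is the cheapest way to close the gap.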

CSIRT.sk issued a report for 2/2021

In the report (in Slovak) you can find out about new vulnerabilities in MS Windows, MS Office, browsers, Adobe products, Java, .NET, and others.

New tactics used by Chinese APTs: targeting critical infrastructure

RedEcho, a newly discovered group which, according to researchers, has close ties to the Chinese government, has breached the energy sector in India. This is the first time a Chinese APT group has been observed doing so. The attack started in the second half of 2020, at a time when the border dispute between the two countries flared up. Considering the nature of the targets, the chance that this incident can be attributed to industrial espionage seems very low, which leaves an attack on critical infrastructure as the much more likely explanation. It is also likely that this was an attempt to send a clear message to the Indian government. This behaviour of Chinese APTs has not been recorded outside of India; nevertheless, it is important to recognize the shift.

North Korean APT group connected to an espionage campaign in arms industry

Since 2020, the Lazarus group has tried to steal sensitive information from suppliers of defence equipment in 12 countries. The initial phase consisted of spear phishing executed with great precision: the group used Covid-19, job offers, and defence-equipment suppliers themselves as lure topics. It is especially disturbing that the attackers managed to infiltrate even a company network that was divided into segments, with a strict policy forbidding the transfer of information between them.

Firefox stops the tracking of users by means of cookies across various sites

The latest release of Firefox contains a new privacy-protection module, Total Cookie Protection (TCP), which inhibits the tracking of users across sites. TCP confines cookies to the website that created them: a cookie set by a third-party tracker embedded in one site is kept in a separate jar from the cookie the same tracker sets when embedded in another site. Cross-site tracking has been a common method of recording user behaviour. This is one of many steps Mozilla has taken since 2018, when the company committed to improving the privacy of its browser's users.
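The following added example (not Mozilla's code) models the difference between a single shared cookie jar and a jar partitioned by top-level site, which is what makes a third-party tracker's identifier unreadable when the same tracker is embedded on a different site. The hostnames, the tiny stand-in for the public-suffix list and the cookie values are constructed.

```python
"""Model of cookie-jar partitioning by top-level site.

Added example; not Mozilla's code. The public-suffix stand-in, hostnames and
cookie values are constructed for illustration.
"""

# Tiny stand-in for the public-suffix list; real browsers use the full list.
PUBLIC_SUFFIXES = {"com", "co.uk", "example"}


def site_for(host: str) -> str:
    """Return the registrable domain (eTLD+1) that a cookie jar is keyed on."""
    labels = host.lower().split(".")
    for n in (2, 1):  # longest matching public suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


class CookieJar:
    def __init__(self, partitioned: bool):
        self.partitioned = partitioned
        self._store = {}  # (partition_key, cookie_site) -> {name: value}

    def _key(self, top_level_host, cookie_host):
        # Unpartitioned: one jar per cookie site, shared across all top-level sites.
        # Partitioned: the top-level site is part of the key, so the same tracker
        # gets a fresh jar under every site that embeds it.
        partition = site_for(top_level_host) if self.partitioned else None
        return (partition, site_for(cookie_host))

    def set(self, top_level_host, cookie_host, name, value):
        self._store.setdefault(self._key(top_level_host, cookie_host), {})[name] = value

    def get(self, top_level_host, cookie_host, name):
        return self._store.get(self._key(top_level_host, cookie_host), {}).get(name)


def demo(partitioned: bool) -> dict:
    """Simulate a tracker embedded on two unrelated sites and report what it,
    and the first-party site, can read back."""
    jar = CookieJar(partitioned)
    # Visit 1: shop.example embeds cdn.tracker.com, which sets an identifier.
    jar.set("shop.example", "cdn.tracker.com", "uid", "visitor-42")
    # The shop's own session cookie is first-party and unaffected either way.
    jar.set("shop.example", "shop.example", "session", "abc")
    # Visit 2: news.example embeds the same tracker, which tries to read "uid".
    return {
        "tracker_on_news": jar.get("news.example", "cdn.tracker.com", "uid"),
        "tracker_on_shop": jar.get("shop.example", "cdn.tracker.com", "uid"),
        "first_party": jar.get("shop.example", "www.shop.example", "session"),
    }


if __name__ == "__main__":
    print("shared jar:     ", demo(partitioned=False))
    print("partitioned jar:", demo(partitioned=True))
```

With the shared jar the tracker reads `visitor-42` on news.example and can link the two visits; with the partitioned jar it gets nothing there, while its cookie on shop.example and the shop's own first-party cookie keep working.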

The Chinese version of Flash installs adware

Even though Flash has been unsupported since 31.12.2020 and was uninstalled from the majority of devices by the last update, there is an exception for China. The Chinese IT sector (in both the state and private spheres) has relied heavily on Flash, so Adobe granted permission to distribute Flash within China (flash.cn) to Zhong Chang Network as the sole distributor. Since then, the updates have started to behave “strangely”: it was later discovered that, besides the updates themselves, additional adware also gets installed on users' devices.

Bitcoin blockchain is used to maintain control over botnet

The basic requirement for every successful botnet is to keep its C&C servers reachable. One botnet was found to be using an interesting idea for this: it encodes the address of its backup server into the Bitcoin blockchain. The IP address is derived from the last two transactions to the wallet 1Hf2CKoVDyPj7dNn3vgTeFMgDqVvbVNZQq. With this approach the backup server's address cannot be taken down at the point of distribution, and the attackers can change the IP address at will. At the same time, it is very easy for anyone else to change the backup server's IP address as well: it is enough to send one satoshi (the smallest bitcoin unit, 0.00000001 BTC) to the wallet and the result of the whole computation changes. The approach is not completely new. Some botnets have previously used GPS coordinates stored in pictures on publicly available servers (or in comments on Twitter) to distribute their servers' IP addresses.
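The following added example shows the mechanism from both sides: an operator publishing an address as two payments, a bot deriving the address from the two most recent transactions, and what happens when a third party appends a one-satoshi transaction. The encoding used here (the low 16 bits of each transaction amount in satoshi supply two octets) is an assumed scheme chosen for illustration, not the botnet's actual one, and the transaction list is constructed rather than real blockchain data.

```python
"""Deriving a fallback C&C address from the last two transactions of a wallet,
and how a single satoshi payment changes the result.

Added example. The encoding (low 16 bits of each amount in satoshi supply two
octets) is an assumed scheme for illustration, not the botnet's actual one; the
transaction list is constructed, not real blockchain data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    height: int   # block height; higher = more recent
    satoshi: int  # amount received by the wallet in this transaction


def _octets(satoshi: int) -> tuple:
    """Assumed scheme: low 16 bits of the amount, big-endian, give two octets."""
    value = satoshi & 0xFFFF
    return (value >> 8, value & 0xFF)


def decode_fallback_ip(txs) -> str:
    """Bot side: take the two most recent transactions; the older one supplies
    the first two octets, the newer one the last two."""
    if len(txs) < 2:
        raise ValueError("need at least two transactions")
    older, newer = sorted(txs, key=lambda t: t.height)[-2:]
    packed = bytes(_octets(older.satoshi) + _octets(newer.satoshi))
    return str(ipaddress.IPv4Address(packed))


def encode_fallback_ip(ip: str, start_height: int):
    """Operator side: two consecutive payments whose amounts decode to `ip`."""
    a, b, c, d = ipaddress.IPv4Address(ip).packed
    return [Tx(start_height, (a << 8) | b), Tx(start_height + 1, (c << 8) | d)]


def poison(txs, height: int, satoshi: int = 1):
    """Anyone can append a transaction to a public wallet; that alone shifts
    the "last two" window and changes what every bot computes."""
    return list(txs) + [Tx(height, satoshi)]


if __name__ == "__main__":
    # Constructed history: one unrelated dust payment, then the operator's pair.
    history = [Tx(1, 546)] + encode_fallback_ip("203.0.113.10", 100)
    print("bots resolve:      ", decode_fallback_ip(history))
    print("after 1-sat poison:", decode_fallback_ip(poison(history, 102)))
```

For a defender the same decoder is the useful part: watching the wallet and recomputing the address gives the current fallback server to block or sinkhole, and the `poison` step is exactly why a scheme with no authentication of the transaction author is fragile for the operators.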

A malicious extension for Firefox was used to track the Tibetan minority

A Chinese APT group used a specially modified Firefox extension that made it possible to gather information from Gmail (e.g. browsing, reading, deleting, archiving and forwarding emails) and from Firefox itself (access to user data on all sites, displaying notifications, modifying privacy settings). The attack was carried out via spear phishing that redirected users to a site which identified visitors who were signed in to a Gmail account and using Firefox. These users were then told to update Flash in order to view the site's content in full. In addition, malware called ScanBox was installed on their devices, which, among other things, served as a keylogger.

A software bug caused prisoners in Arizona to stay behind bars longer than they should have

In 2019, a law in Arizona was amended to allow prisoners in certain categories (e.g. non-violent drug offences) to shorten their sentences by up to 70% under specific conditions. The problem is that the prison system's software is unable to identify the prisoners who should have been released sooner, and this bug has not been fixed to this day.

NIST framework for interoperability of Smart Grid

The fourth version of the NIST framework, which describes the development of the Smart Grid in the US, contains updates to the Smart Grid conceptual model, introduces new communication-pathway scenarios and a Smart Grid ontology, provides guidance on cybersecurity practices and tools, and develops the concept of interoperability profiles to make testing and certification easier and to improve the interoperability and functionality of the Smart Grid.