Thursday, September 8, 2022

Threat Source newsletter (Sept. 8, 2022) — Why there is no one-stop-shop solution for protecting passwords


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

It seems like there’s at least one major password breach every month — if not more. Most recently, there was an incident at Plex where all users had to reset their passwords.  

Many users pay for a password management service — which is something I’ve talked about a ton for Talos. But even those aren’t a one-size-fits-all solution. LastPass, one of the most popular password management services, recently suffered a breach of their own internal development environment, though as of right now, it doesn’t appear like any users’ primary passwords were compromised. 

This got me curious about how people prefer to manage their passwords, so I threw up a poll on our Twitter asking our readers how they managed their passwords. Paid password management services like LastPass and 1Password were the most popular response, followed by web browser-based managers like the ones Chrome and Safari offer. Several of the replies reminded me that there is another popular option I managed to neglect: open-source, operating system-independent solutions like KeePass. These are an appealing option because they’re free, while many of the other services I’ve mentioned charge a monthly or yearly fee, and they are cloud-based with strong encryption of the passwords they store, which is especially appealing for people jumping between operating systems or machines.  

These aren’t perfect solutions either, though, because many of these open-source solutions rely on unofficial ports to mobile operating systems to run on phones and they are a bit harder to parse for the “everyday” user. I would have more faith in my parents to download an app from 1Password and be able to figure it out than trying to use open-source software in their web browser, and they are the types of users most likely to fall victim to something like a phishing scam looking to break into these password managers.  

Web browser managers also aren’t as secure as other managed options and open the door to some serious consequences if a bad actor is to compromise your Google account login and then steals every other login you have.  

Unless users are ready to go back to the old-fashioned “write everything down in a notebook” solution, which also has its own set of problems, it seems like there is no perfect solution to keeping passwords safe. Instead, we need to learn from the benefits of each of these types of solutions to improve our password hygiene.  

We could all afford to mix up our passwords and use long strings with multiple types of characters like web browsers will encourage users to do. But we also need several layers of authentication to access our primary password like users need to do for paid software services.  

And even then, we still have a long way to go to encourage the “average” user and administrator about secure passwords. I recently learned that the Wi-Fi password at my wife’s health care-based office is a string of numbers so easy to guess I wouldn’t even feel bad for just typing it out here (but I won’t) — so maybe we need to clear that hurdle before we start trying to convert everyone to open-source password managers.  
  

The one big thing 


The Lazarus Group, a well-known state-sponsored threat actor, is adding to its arsenal with a new trojan Talos recently discovered called “MagicRAT.” Lazarus deployed MagicRAT in several instances after the successful exploitation of vulnerabilities in VMWare Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely.  

Why do I care? 

The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide. Lazarus is already a formidable threat actor that’s been incredibly active this year, including major cryptocurrency-related attacks aimed at generating money for the North Korean government and subverting international sanctions. Any new developments from this group are noteworthy for the security community at large. 

So now what? 

In the attacks we observed, Lazarus Group commonly exploited VMware vulnerabilities, so users should update any products they’re using as soon as possible. Additionally, we’ve released new Snort rules and OSqueries to detect any MagicRAT activities and block it before the attackers can get any further.  

 

Top security headlines from the week


The newest version of a well-known banking trojan on the Google Play store is masquerading as legitimate antivirus software and has already been installed on tens of thousands of devices. SharkBot, which was first discovered in February, infects Android users and then tries to initiate unwanted bank transfers by stealing users’ login information and intercepting SMS multi-factor authentication messages. The malware disguises itself as two apps: Mister Phone Cleaner, which has more than 50,000 downloads so far on the Google Play store, according to security researchers, and Kylhavy Mobile Security, which has been downloaded more than 10,000 times. Affected victims are in several different countries, including the U.S., Spain, Australia, Poland, Germany and Austria. (Bleeping Computer, Tech Monitor

Many students are heading back to school across the U.S., which also means an increased risk of cyber attacks for those schools. Threat actors traditionally try to target the education sector during this period when schools are more susceptible to an attack and more likely to pay any ransom payments. The massive, combined school district in Los Angeles, California was hit with a ransomware attack this week, forcing more than 600,000 students and staff to reset their passwords. It’s currently unclear what information if any, was stolen, but students could attend school as planned after the Labor Day weekend. The U.S. federal government even deployed cybersecurity-related agencies to the district to assist with the district’s recovery. (NPR, Washington Post

Local police departments have been using a little-known location-tracking service since 2018 that can allow them to track suspects’ locations without a warrant. The software, called Fog Reveal, allows the customer to use data harvested from others’ smartphones to track the location and other activities of suspects. Law enforcement has already used it to investigate several different types of crimes, including murder investigations and potential crimes surrounding the attempted insurrection on the U.S. Capitol on Jan. 6, 2021. However, the use of the software is rarely mentioned in court documents when used as part of a criminal trial. (Associated Press, Vice Motherboard


Can’t get enough Talos? 

Upcoming events where you can find Talos 



Most prevalent malware files from Talos telemetry over the past week  


MD5: a087b2e6ec57b08c0d0750c60f96a74c    
Typical Filename: AAct.exe    
Claimed Product: N/A      
Detection Name: PUA.Win.Tool.Kmsauto::1201 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 8c69830a50fb85d8a794fa46643493b2 
Typical Filename: AAct.exe 
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

MD5: f1fe671bcefd4630e5ed8b87c9283534 
Typical Filename: KMSAuto Net.exe 
Claimed Product: KMSAuto Net  
Detection Name: PUA.Win.Tool.Hackkms::1201 

MD5: 0e4c49327e3be816022a233f844a5731 
Typical Filename: aact.exe 
Claimed Product: AAct x86 
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos 

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.