Banking Trojan Evades Play Store Controls; User Management Risks; Bot Responsibilities

There is a level of implicit trust given to both Google Play and the Apple app store. Both do a good job vetting applications before placing in their app store. That said, this is the second example in the last few weeks where their vetting processes fell short. Expect cybercriminals to continue to target these app stores, and others, as part of a supply chain attack.

Curtis Dukes

It is far easier for an attacker to gain unauthorized access to victim assets/data through valid user credentials than through ‘hacking’ the network. Ideally, as part of proper account management, user credentials, especially admin privileges, are removed upon employee departure. Organizations should revisit employee departure checklists and reinforce system accounts removal as an immediate action.

Curtis Dukes

A few factors to contemplate over your morning coffee: First, the account wasn't deactivated in a timely fashion. Second, these admin accounts didn't require MFA. Third these accounts also worked for the VPN. Even if you're holding an account for someone returning, that account should be unusable during that gap. At a bare minimum, require MFA for admin (privileged accounts) and remote access. Allowing admin accounts to activate the VPN should raise concerns of separation of duties. Some of you may disagree with me on the last one; if you have the use case, and it's legitimate, make sure that you have sufficient authentication strength, monitoring and risk acceptance.

Lee Neely

It is sad that we are still seeing major breaches implicating reusable credentials.

William Hugh Murray

This lines up with our policy for the use of LLM tools by SANS.edu students: It is ok to use them for some tasks, but you are responsible for the answers if you use them. Just like when search engines like Google started to be used to find answers, one of the real skills has become to figure out which answers to trust. Companies should be held responsible if they use "chatbots" without the necessary safeguards, in particular if the customer is not intentionally abusing bugs in the bot's responses.

Johannes Ullrich

There are many legal rulings to come about corporate liability erroneous and/or malicious use of AI. Odds are pretty high companies will be held liable. Governance (which includes security but many other processes) of AI initiatives will become just as important as good sys admin hygiene on servers has proven to be.

John Pescatore

An interesting defense used by Air Canada – that it can’t be held liable for the actions of a representative [chatbot in this case]. Really? It’s an interactive part of the company’s website, whether it provides correct information or not. Bottom line: Air Canada failed the standard of reasonableness test as determined by the judge.

Curtis Dukes

Good precedent. Both enterprises and individuals are responsible for all the results of their use of AI tools. It is fundamental. Tools cannot be responsible for their use.

William Hugh Murray

These five flaws have CVSS scores from 7.9 to 9.6. The ARM version 2023.2.3 service release appears to address all five. While there is no evidence of exploitation in the wild, keep in mind that even though it's been almost 4 years (March 2020) since their supply chain compromise, SolarWinds is still going to garner extra attention from attackers.

Lee Neely

Having been in the Army Guard for well over 20 years now, I have a decent grasp of bureaucracies and the impediments they can create. I'm thrilled that these international organizations have been able to pull together and have real effects. Congratulations!

Christopher Elgee

Europol released a statement (https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation) this morning with more details on the operation. So far two people have been arrested, over 200 #cryptocurrency accounts seized, and more importantly lots of data gathered from over 42 servers that will hopefully lead to more operations and arrests. The decryption keys for #Lockbit are now also available on the #NoMoreRansom portal (https://www.nomoreransom.org/en/decryption-tools.html) This is one of the most extensive and successful law enforcement operations against cyber criminals. Congratulations to all involved and thank you for making the internet safer.

Brian Honan

International law enforcement has been on a tear these past two months – takedown of botnets, disruption of ransomware gangs, recovery of ransomware keys, etc. In this case, all we know is that the website has been taken over but it’s doubtful that’s the extent of law enforcement action against LockBit.

Curtis Dukes

Not going to lie here, I'm loving these takedowns. Consider the effectiveness of international law enforcement cooperation today versus the challenges outlined by Clifford Stoll in The Cuckoo's Egg. Cooperation involved agencies from 10 countries including the US, UK, Australia, Germany, the Netherlands, Japan, France, and Switzerland. LockBit is responsible for as much as a quarter of all ransomware attacks in some countries. US authorities detected at least 1,700 LockBit attacks in 2023. Apparently, the FBI breached the gang's operations servers using a PHP exploit and their source code, victim information and chats were seized.

Lee Neely

Pentesters, remember: Yes, find and exploit this if it's in your client's environment. BUT the fix here is not only "Patch it." Be sure to give a recommendation about how to adjust their patching process so they can stay ahead of the next one!

Christopher Elgee

This vulnerability, CVE-2024-25600, unauthenticated RCE, CVSS score 9.8. This flaw only works with unauthenticated users. The fix adds both input sanitization and permissions checks to the code. Given that it's WordPress, even if your WAF is blocking this attack, get on updating that theme WordPress is a hot target. In addition to making sure your themes, plugins, and base are configured for auto-update, make sure that you have a threat feed on WordPress security issues.

Lee Neely

While the fix was only released last week, Exchange server flaws, not unlike WordPress flaws, are blood in the water for attackers, and should be near the top of your list for applying fixes. With the impact and occurrence of Exchange flaws, you may want to look again at total cost of ownership vs a hosted option. For those with a hybrid option, because you had a critical function which won't run in the hosted service, revisit that analysis, including the use case to be sure there isn't an alternative.

Lee Neely

Here are two shocking things in the headlines. One: companies numbering in the tens of thousands need to be patching exchange. Two: at least 28,000 on-premises exchange servers are left in the wild. Fascinating.

Moses Frost

It is difficult to comment on this without knowing the denominator. Suffice it to say that there are so many instances of MS Exchange server that is likely that many will not be patched on a timely basis.

William Hugh Murray

The Zeus banking trojan was shut down in 2014, which was followed by a Zeus successor, the SpyEye RAT, which was shut down in 2016 (leaders currently serving a 24-year sentence), and Penchukov joined the IcedID team in 2018. When IcedID, a banking credential stealer, added ransomware to its capabilities, the efforts to take it down escalated, resulting in his arrest. Sentencing for Penchukov is scheduled for March 9th.

Lee Neely

Remarkable transparency here, not only explaining what happened and notifying affected users, but also steps taken to mitigate it. Beyond the topic of third-party risk/impact, it'd be good to discuss having sufficient visibility into an application; this is a good use case of how that can be advantageous.

Lee Neely