by Richard Beck

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Fake "Amazon" crypto token investment scam steals Bitcoin from victims

A new cryptocurrency-related scam is abusing the Amazon brand to dupe would-be investors into handing over Bitcoin (BTC). Even though regulators worldwide are clamping down on fraud – through tax legislation, securities offering registration, tighter rules surrounding cryptocurrency adverts, and by keeping a close eye on initial coin offerings (ICOs) – exit scams, rug pulls and theft are still rampant. Interest in cryptocurrency, and now NFTs, continues to escalate, providing a breeding ground for new scams to appear on a daily basis.

Cybersecurity researchers from Akamai Technologies outlined a new fraudulent campaign that leverages Amazon's name to promote a fake "Amazon to create its own digital token" scheme. The attackers gave visitors roughly 30 seconds to read the fake press release before they were automatically redirected to a domain offering pre-sale tokens. The website in question was fully functional and required signing up, confirming an email address and creating a user profile. At this stage, visitors were then asked to pay for the pre-sale tokens with their own cryptocurrency, including Bitcoin (BTC) and Ethereum (ETH). As the tokens do not exist, these funds ended up in the attackers' wallets. Akamai has reported its findings to Amazon.

Meanwhile, confirmed that 483 users were hit in an attack that saw over $31m in coins withdrawn. Around $14 million in ether, just over $17 million in bitcoin, and $66,200 in other cryptocurrencies were withdrawn during the incident. After issuing hints at final numbers during the week, has made an official statement on the incident that saw it pause its users' ability to withdraw funds.

"In the majority of cases we prevented the unauthorised withdrawal, and in all other cases customers were fully reimbursed," the company said.

The company said it has also added a new policy where the first withdrawal to a whitelisted address must wait 24 hours, as well as a programme to refund users up to $250,000 if unauthorised withdrawals are made and certain terms are met.

Meanwhile, Check Point Research (CPR) said that scammers are now turning their attention to smart contracts, with misconfigurations utilised to launch new crypto tokens, before an inevitable "rug pull" takes place. Rug pulls occur when developers of a crypto or virtual asset project manipulate a token's perceived worth and then abandon the project – taking investor funds with them.

Attackers abusing Microsoft and AWS public cloud services to spread RATs

A malicious campaign has been discovered spreading variants of NetWire, Nanocore and AsyncRAT while using public cloud infrastructure to host them. The campaign has been active since October 2021. Cisco Talos researchers found that the group has been using public cloud services from Microsoft and Amazon to host their malware, and dynamic DNS for their C2 activity.

The spear-phishing attacks mostly targeted entities based in the US, Italy, Singapore and Canada, with some targets also seen in Spain and South Korea. The aim was to steal sensitive information. Such campaigns usually begin with an invoice-themed phishing email carrying a ZIP file attachment. Opening the attachment downloads next-stage payloads hosted on an AWS EC2 instance or Azure server, which leads to the deployment of different RATs, including AsyncRAT, Nanocore and NetWire. The attackers have used complex code and protected the malware with several layers of obfuscation.

The multi-layered obfuscation technique shows the sophistication with which these cybercriminals operate. It also underlines the trend of cybercriminals increasingly looking for, and adopting, innovative ways to hide their malware. The abuse of public cloud services is a recent example of this trend, which is expected to grow further in the near future.

Crypto protocol publicly announces flaw exploited by attackers

The hack against users of Multichain is getting worse, as a cybersecurity researcher calls the incident "the worst way to treat a vulnerability". Earlier this week, Multichain, a platform that allows users to swap tokens between blockchains, publicly announced a flaw that made accounts vulnerable to hackers. The announcement, predictably, prompted several hackers to rush to exploit the vulnerability. One of them stole more than $1.4 million, and on Wednesday another offered, in a message posted to the Ethereum blockchain, to return 80% of the funds they had stolen to their victims, keeping the rest as "tips for me saving your money".

In the official Telegram channel of Multichain, previously known as Anyswap, countless victims are asking whether the company will return their money and complaining that scammers are trying to impersonate the company in an attempt to steal even more money from victims.

Meanwhile, more hackers have joined the heist, with more than $1 million stolen since Wednesday afternoon for a total of roughly $3 million, according to a cybersecurity researcher who has been monitoring the hack. The researcher criticised Multichain for the way it handled the vulnerability, saying that by announcing it publicly before notifying all users, the company tipped the hackers off and prompted them to start stealing money.

Interestingly, a key recommendation of the Bank of Russia's recent crypto consultation paper is to ban local exchanges as just one means of promoting financial stability, national security and consumer protection.

McAfee Agent bug lets hackers run code with Windows SYSTEM privileges

McAfee Enterprise (now rebranded as Trellix) has patched a security vulnerability discovered in the company's McAfee Agent software for Windows, which enabled attackers to escalate privileges and execute arbitrary code with SYSTEM privileges. The company has fixed the high severity local privilege escalation (LPE) flaw tracked as CVE-2022-0166 and discovered by CERT/CC vulnerability analyst Will Dormann, and issued security updates with the release of McAfee Agent 5.7.5 on January 18.

"McAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows," Dormann explained.

Following successful exploitation, threat actors could persistently execute malicious payloads and potentially evade detection during attacks. While only exploitable locally, threat actors commonly exploit this type of security flaw during later stages of their attacks, after infiltrating the target machine to elevate permissions for gaining persistence and further compromising the system.

Japan's Supreme Court rules cryptojacking scripts are not malware

A man found guilty of using the Coinhive cryptojacking script to mine Monero on users' PCs while they browsed the web has been cleared by Japan's Supreme Court on the grounds that crypto mining software is not malware. The Tokyo High Court had earlier ruled against the defendant, 34-year-old Seiya Moroi, on charges of keeping electromagnetic records of an unjust program. That unjust program was Coinhive, a "cryptojacking" script that mines for Monero by pinching some CPU cycles when users visit a web page that includes the code. Moroi ran the code on his website.

Coinhive has been blocked by malware and antivirus vendors because it slows down other processes, increases utility bills and creates wear and tear on the user's device. But in many ways Coinhive's JavaScript code acts no differently to advertisements. Moroi posted to a site promoting his UX and UI design business to offer his side of the story. He argued that he disclosed the presence of Coinhive, so was not acting deceptively. Nor did Moroi intend to profit from his efforts – he just wanted to keep up with tech trends. He also argued that his efforts didn't really make any money; the script yielded less than ¥1,000 ($8.79) – a sum so paltry it was hard to cash out of Monero.

Cisco bug gives remote attackers root privileges via debug mode

Cisco has fixed a critical security flaw discovered in the Cisco Redundancy Configuration Manager (RCM) for Cisco StarOS Software during internal security testing. The vulnerability, tracked as CVE-2022-20649, enables unauthenticated attackers to gain remote code execution (RCE) with root-level privileges on devices running the vulnerable software.

"A vulnerability in Cisco RCM for Cisco StarOS Software could allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container," Cisco said. As the company further explains, the vulnerability exists due to the debug mode being incorrectly enabled for specific services. "An attacker could exploit this vulnerability by connecting to the device and navigating to the service with debug mode enabled. A successful exploit could allow the attacker to execute arbitrary commands as the root user," Cisco added.

However, for unauthenticated access to devices running unpatched software, the attackers would first need to perform detailed reconnaissance to discover the vulnerable services. Cisco's Product Security Incident Response Team (PSIRT) said that the company is not aware of exploitation of this vulnerability in ongoing attacks.

Microsoft Edge adds security mode to thwart malware attacks

A new security feature in the latest beta of the Microsoft Edge browser can help protect web surfers from zero-day attacks. Redmond is positioning Edge's new security mode as an extra layer of protection for Windows, macOS and Linux computers that seeks to mitigate unforeseen attacks based on historical trends. When enabled, the feature improves user security on the Internet with the help of Hardware-enforced Stack Protection, Arbitrary Code Guard (ACG) and Control Flow Guard (CFG), according to a Microsoft document. The company said corporate network administrators can now ensure that end-user desktops are protected against zero-days by enabling a new set of Group Policies.

"These policies also make sure that important sites and line of business applications continue to work as expected. This feature is a huge step forward because it lets us mitigate unforeseen active zero-days," Microsoft said.

The new Group Policies include Enhance Security Mode (to simply enhance the security state in Edge), Enhance Security Mode Bypass List Domains (the improved security mode won’t be enforced on the domains on this list), and Enhance Security Mode Enforce List Domains (the security mode will always be enabled for the domains in this list). The latest Edge beta release also allows users to set a custom primary password they can use to authenticate themselves and have the browser autofill saved passwords in web forms. The feature is meant to prevent unauthorised users from logging into websites using passwords that have been saved to Microsoft Edge.

UK's National Cyber Security Centre publishes new guidance to fight smishing

The UK's National Cyber Security Centre (NCSC) has published new guidance for organisations to follow when communicating with customers via SMS or phone calls. The goal of the new guidelines is to make it harder for scammers to trick the public and lead users to phishing sites. This action comes in response to an alarming rise in scams that spoof popular brands, with fake parcel deliveries being the dominant theme.

The NCSC urges businesses to do their part in protecting consumers and fighting the rising threat of scams, and the main way to achieve this is by making legitimate and fraudulent communications easier to discern. When organisations use SMS to communicate with an audience, the NCSC recommends that they use the following guidelines to assure recipients that a text is legitimate:

  • Use a five-digit number instead of a regular phone number.
  • Use a SenderID that appears in place of the sending number, indicating that the sender is trustworthy.
  • Use the same SenderID consistently across all communications and register it with the MEF.
  • Try not to include web links in SMS, but if it’s absolutely necessary, do not use URL shortening services that obscure the domain.
  • Use as few SMS distribution providers as possible, and audit all messages to validate the content.
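The bullet points above lend themselves to an automated pre-send check. The following Python script is an added example, not NCSC or QA code: it encodes the sender, link and provider rules as a linter that an organisation could run over its outbound SMS templates before they reach a distribution provider. The registered SenderID (`ACMEBANK`), the shortener domain list, the provider threshold and the sample messages are all constructed for the example; the MEF registration rule cannot be checked programmatically and is left as a comment.

```python
"""Audit outbound SMS templates against the NCSC's SMS guidance (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical SenderID the organisation has registered (assumed value; register it with the MEF).
REGISTERED_SENDER_ID = "ACMEBANK"

# Constructed list of common URL-shortener domains; extend for your own environment.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# Matches a schemed or bare hostname with a letters-only TLD, e.g. acmebank.example/verify.
URL_RE = re.compile(r"(?i)\b(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:/\S*)?")


@dataclass(frozen=True)
class Finding:
    rule: str    # short machine-readable rule name
    detail: str  # human-readable explanation for the reviewer


def check_sender(sender: str, registered: str = REGISTERED_SENDER_ID) -> list[Finding]:
    """Accept a five-digit short code or the registered SenderID; flag anything else."""
    if sender.isdigit() and len(sender) == 5:
        return []
    if sender == registered:
        return []
    if sender.lstrip("+").isdigit():
        return [Finding("long-number-sender",
                        f"{sender!r} looks like an ordinary phone number; use a short code or SenderID")]
    return [Finding("sender-id-mismatch", f"SenderID {sender!r} is not the registered {registered!r}")]


def check_body(body: str) -> list[Finding]:
    """Flag every link in the text; shortened links get their own rule because they hide the domain."""
    findings = []
    for match in URL_RE.finditer(body):
        domain = match.group(1).lower()
        if domain in SHORTENER_DOMAINS:
            findings.append(Finding("url-shortener", f"{match.group(0)} hides the destination domain"))
        else:
            findings.append(Finding("link-present", f"link to {domain}; avoid links in SMS where possible"))
    return findings


def audit_sms(sender: str, body: str, registered: str = REGISTERED_SENDER_ID) -> list[Finding]:
    """Run all per-message rules; an empty list means the template passes."""
    return check_sender(sender, registered) + check_body(body)


def audit_campaign(messages, max_providers: int = 1, registered: str = REGISTERED_SENDER_ID) -> dict:
    """messages: iterable of (sender, provider, body) tuples.

    Returns the rule names triggered per message plus campaign-level findings for
    provider sprawl and inconsistent sender identity across the set of messages.
    """
    per_message, providers, senders = [], set(), set()
    for sender, provider, body in messages:
        providers.add(provider)
        senders.add(sender)
        per_message.append([f.rule for f in audit_sms(sender, body, registered)])
    campaign = []
    if len(providers) > max_providers:
        campaign.append("multiple-providers")
    if len(senders) > 1:
        campaign.append("inconsistent-sender")
    return {"messages": per_message, "campaign": campaign}


# Constructed sample templates: (sender, distribution provider, body).
SAMPLE_MESSAGES = [
    ("ACMEBANK", "provider-a",
     "Your Acme Bank card ending 1234 was used for a payment of £12.50. If this was not you, call 0800 000 0000."),
    ("+447700900123", "provider-b",
     "Parcel delivery failed. Reschedule at http://bit.ly/xyz123"),
    ("60123", "provider-a",
     "Your one-time code is 482913. It expires in 10 minutes."),
    ("ACME-BNK", "provider-a",
     "Verify your account at https://acmebank.example/verify"),
]

if __name__ == "__main__":
    for sender, _provider, body in SAMPLE_MESSAGES:
        print(f"{sender}: {[f.detail for f in audit_sms(sender, body)] or 'OK'}")
    print("campaign:", audit_campaign(SAMPLE_MESSAGES)["campaign"])
```

The second sample trips two rules at once (an ordinary long number as the sender and a shortened link), which is exactly the shape of the parcel-delivery smishing the NCSC guidance is aimed at; the fourth shows that a SenderID that merely resembles the registered one is still flagged, since consistency is what lets recipients tell the real brand from an impersonator.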

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.
