Archive for March 19, 2024

Over 50,000 Vulnerabilities Discovered in DoD Systems Through Bug Bounty Program

Posted in Commentary with tags on March 19, 2024 by itnerd

The Department of Defense Cyber Crime Center (DC3) announced that it processed its 50,000th vulnerability since introducing its crowd-sourced ethical hacking vulnerability disclosure program:

Unlike short-duration bug bounties, VDP’s crowd-sourced ethical hackers report vulnerabilities continuously as part of a defense-in-depth approach. Through its function as the focal point for receiving vulnerability reports, DC3 VDP continues to contribute significantly to DoD’s overall security.

Olivier Beg, Co-Founder and Chief Hacking Officer at Hadrian, had this to say:

“The DoD reaching 50,000 processed vulnerabilities through its Vulnerability Disclosure Program is a major milestone! As a security researcher who has submitted to the VDP, I’ve seen firsthand the program’s dedication to continuous improvement. The expansion of scope and focus on automation make it an attractive option for researchers to contribute to national security.

I’m excited about the DoD VDP’s future. With continued emphasis on researcher recognition, transparency around remediation efforts, and greater accessibility for the security community, this program has the potential to become a true benchmark for cybersecurity collaboration.”

Bug bounty programs are great for surfacing all sorts of issues. This is an initiative that I applaud and I hope to see more of going forward.

Appdome Delivers Real-Time Defense To Social Engineering Attacks On Mobile Apps

Posted in Commentary with tags on March 19, 2024 by itnerd

Appdome today unveiled its new Social Engineering Prevention service on the Appdome Platform. The new service enables mobile brands to continuously detect, block and intervene the moment social engineering attacks attempt to exploit user trust or manipulate user behavior. The new service includes several new real-time defenses against voice phishing (vishing), remote desktop control, FaceID bypass, fake applications, and SIM swapping, all of which protect user safety, brand reputation, business continuity, and revenue generation.

Social engineering attacks exploit brand trust by using impersonation and psychological manipulation to cause mobile users to divulge sensitive information, such as passwords, OTP keys, and more, perform actions in a mobile app on behalf of the attacker, or install new apps that give the attacker control over the user’s mobile device. Such mobile app attacks can have far-reaching consequences for consumers, including account takeover, financial loss, identity theft, confusion, and fear. Traditionally, social engineering attacks were only discovered after an attack was successful, leaving mobile brands and users with months of financial, reputational, and emotional harm. Now, brands have the power of the first real-time solution to detect and intervene in social engineering attacks the moment they happen, disrupting the multi-billion-dollar social engineering fraud ecosystem.

Appdome’s Social Engineering Prevention empowers mobile brands to break the cycle of live attacks by detecting and defending in real time the top methods social engineering attackers use to injure brands and users:

  • Voice Phishing (Vishing) Fraud: Uses behavioral analysis to detect when mobile end users’ activity in a mobile app coincides with a potentially malicious phone call, via attacks such as FakeCalls.
  • Remote Desktop Control: Detects third-party applications, such as TeamViewer, used in social engineering attacks to remotely control mobile devices and applications.
  • Biometric (FaceID) Bypass: Detects when an attacker attempts to spoof, fake or bypass biometric (facial) recognition in Android and iOS mobile apps, such as in GoldPickaxe.
  • SIM Swapping: Detects when an attacker uses the mobile application with a replacement SIM card that the attacker controls.
  • Admin-SU Profiles: Detects if the device has an MDM, admin-SU, or similar profile installed on the device, which could spy on or control the user’s application.
  • Trojan Apps: Prevents trojan apps embedded with malware such as FjordPhantom, used to spy on end users and gather data for social engineering attacks.

The new Social Engineering Prevention features can be deployed stand-alone or combined with any or all of Appdome’s 300+ other mobile app security, anti-fraud, anti-malware, geolocation compliance and other defenses. Together, Appdome makes it easy for mobile brands to unify mobile app defenses vs. the cost and complexity of cobbling together several disparate technologies to attempt to achieve a workable defense.

Like all of Appdome’s mobile app defenses, the new social engineering prevention features are available in several enforcement modes – in-app defense, in-app detection, and using Appdome’s Threat-Events™ in-app control framework. Threat-Events allows mobile brands to gather data on each attack, control the user experience and create beautiful on-brand mobile experiences when attacks happen. Mobile brands can use Threat-Events to leverage the power of their brand voice to break the cycle of a social engineering attack by restricting transactions, triggering SMS check-ins or educating users with in-app popups when threats are present. Mobile brands can track and monitor social engineering attacks via Appdome’s ThreatScope™ Mobile XDR, either before or after the deployment of social engineering prevention features.

For more information on Appdome’s Social Engineering Prevention service, visit https://www.appdome.com/mobile-fraud-detection/social-engineering-prevention/.

Here’s The Story Of One Of My Clients Who Just Narrowly Avoided Getting Caught Up In A #Scam

Posted in Commentary with tags on March 19, 2024 by itnerd

Yesterday was a typical Monday for me. Which meant that I was busy, as Mondays and Fridays are my busy days. I had just come back to my home office after seeing a number of clients and found a voice mail with an urgent request for a call back from one of my clients. I could hear the panic in her voice, so I called her back. And what unfolded next was someone who was clearly freaked out by a run-in with a pop up scammer.

Before I get into the weeds of the story, let me quickly explain what a pop up scam is. Pop ups are generated by websites to offer users additional information or guidance (such as how to fill in a form, how to apply a discount code, etc.). So a pop up is typically not harmful. However, scammers have leveraged pop ups to allow them to perpetrate their scams in a variety of ways. Scammers use pop-up scams to make money by preying on concerned users who want to ensure their computer is secure, extorting money from them to fix problems and resolve threats that do not exist. Or they want to get into your computer to collect information to steal your identity or steal your money, or both. In the worst case, these pop-ups can install malware onto your computer which can cause all sorts of damage and issues.

Back to the story. My client saw this pop up on her computer:

She tried to get rid of this screen, but couldn’t do so. More on that later. She then panicked and called the number on the screen. The scammer, who claimed he was a “Level 5 Microsoft Technician” (Fun fact: Microsoft doesn’t have “Level 5 technicians”), then proceeded to execute the scam. He got access to her computer and then blanked her screen so that he could install ConnectWise Screen Connect, which would give him access to her computer anytime he wanted to. The reason that the scammer blanked her screen is that he didn’t want her to see what he was up to, as that would have made her suspicious. He then ran a variety of commands to convince her that her computer had been “hacked”. For example, the scammer ran the “Tree” command inside a command window followed by the “netstat” command to accomplish that. After that he tried to convince her to open her online banking. That’s when she got suspicious and not only ended the call, but also disconnected her Internet entirely. Then she called me.

Now let me stop here and say something. Scammers rely on putting pressure on you so that you suspend your critical thinking, which allows them to do what they want. But my client did not suspend her critical thinking and was able to stop this scam from going further. Or, put another way, her “Spidey Sense” went off and she paid attention to it. That’s good because if something doesn’t seem right, it usually isn’t. And you should run from that situation as quickly as possible. Thus I really applaud this client for listening to her gut and taking action to stop the scam before it went too far.

When I arrived on site, I had a look at her computer. The first thing that I dealt with was the installation of ConnectWise Screen Connect. The scammer had installed it as a service, meaning that it not only would activate every time the computer was on, but the owner of the computer would have difficulty finding it and removing it. But because this wasn’t my first rodeo in terms of dealing with scammers, I found it and killed it quickly. I then examined her computer to see what the threat actors did, and it seemed that they were early in executing the scam. So that meant that they likely didn’t have time to do much of anything. I also found the pop up that she encountered and I noted that the pop up made itself take up the entire screen. That made it difficult to close. However, the pop up was designed to have a close button that was small and not easily noticed, so that the scammer could “fix” the threat that the pop up allegedly created. Other than that, I could find no other problems with the computer. Thus I had her turn the Internet back on.
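As an added example that is not part of the original post, here is a read-only PowerShell triage check for the kind of persistence described above: it lists services and processes whose name, display name or binary path mention ScreenConnect, and the established connections those processes hold. It assumes the installed service and executable carry the string “ScreenConnect”, which is an assumption here rather than something the post states.

```powershell
# Added example, not from the original post. Read-only triage: report services,
# processes and their established connections that mention ScreenConnect.
# Assumption: a ScreenConnect install carries that string in its service or path.
$pattern = 'ScreenConnect'

# Services persist across reboots, which is what made the install hard to spot.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.Name -match $pattern -or
        $_.DisplayName -match $pattern -or
        $_.PathName -match $pattern
    } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# Running processes, matched on image name or full command line.
$processes = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match $pattern -or $_.CommandLine -match $pattern } |
    Select-Object ProcessId, Name, CommandLine

if (-not $services -and -not $processes) {
    Write-Output "No services or processes matching '$pattern' found."
    return
}

Write-Output "Services matching '$pattern':"
$services | Format-List
Write-Output "Processes matching '$pattern':"
$processes | Format-List

# Established TCP connections owned by those processes, so the remote endpoint
# is recorded before anything is stopped or removed.
foreach ($p in $processes) {
    Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
}
```

Run it from an elevated PowerShell session and save the output before removing anything; a match is only a lead, since the same product is also used legitimately by IT support teams.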

That’s the good news. Here’s the bad news. On the computer she had a Microsoft Word document with all her passwords in it. Thus I advised her to change all those passwords immediately, as I could not guarantee that the scammers didn’t steal this document. The second thing that I advised her to do is to get credit monitoring, because the same document had her social insurance number in it, meaning that there was the possibility of identity theft. Finally, I advised her to watch the computer for any unusual activity.

Now let me dissect some key points of the scam so that you don’t fall victim to something like this:

  • If you encounter a pop up like this, it’s guaranteed to be a scam. Your antivirus software will never require you to call a phone number to resolve an issue. Anything that the antivirus software encounters is usually resolved by the software itself.
  • The pop up can usually be closed without too much of a problem. However, if the pop up will not go away by closing it, try restarting the computer. If that doesn’t work, turn off the computer and contact a computer professional for assistance.
  • Microsoft does not provide support for end users and they never have. Any and all support for Windows is provided by whomever you bought the computer from, as in Dell, HP, or Lenovo, for example.

Finally, I handed the phone number from the picture above to the scam baiter community so that they can have “fun” with these scammers. By that I mean that they will get more intel on them and do things to disrupt their scams. Because I know from experience that getting law enforcement involved in these situations is difficult at best. But scam baiters can do a lot of damage to these scumbags and expose their activities. Thus that is the best that I can do to make these scumbags pay for what they did to this woman, as they really freaked her out. And that’s not cool with me.

Hopefully this story was informative and gives you some insight. If you have any questions, please reach out by leaving a comment below.

Tornado Cash used in Lazarus Group’s latest money laundering

Posted in Commentary with tags on March 19, 2024 by itnerd

The thing about cyberattacks is that if the threat actors get paid via, say, ransomware or outright theft, they need to launder the money somehow so that they can spend it. Otherwise it would have been pointless to “acquire” the cash. Well, a new report from The Record shows what the Lazarus Group, based out of North Korea, will do to launder money:

North Korea’s Lazarus hacking group allegedly has turned back to an old service in order to launder $23 million stolen during an attack in November.

Investigators at blockchain research company Elliptic said on Friday that in the last day they had seen the funds — part of the $112.5 million stolen from the HTX cryptocurrency exchange in November — laundered through the Tornado Cash mixing service.

The use of Tornado Cash stood out to Elliptic because the service was sanctioned by U.S. authorities in August 2022, prompting Lazarus actors to turn to another mixing service called Sinbad.io. The U.S. Treasury Department sanctioned Sinbad.io in November.

“Lazarus Group now appear to have returned to using Tornado Cash as a way to launder funds at scale and obfuscate their transaction trail,” Elliptic said, noting that the hackers sent the more than $23 million in about 60 transactions.

“This change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as Sinbad.io and Blender.io,” the company said.

The researchers noted that Tornado Cash has been able to continue operating despite the sanctions because it runs on decentralized blockchains, meaning it “cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been.”

Ken Westin, Field CISO, Panther Labs, had this comment:

The Lazarus threat group from North Korea have been primarily targeting the cryptocurrency, financial services and cybersecurity industries. Their techniques focus primarily on developers through social engineering attacks to gain access to code repositories, devops and cloud infrastructure with the goal of gaining access to crypto wallets and accounts, as well as access to code and secrets. These attacks have proven to be quite lucrative, and stealing cryptocurrency has provided the North Korean regime a method to evade financial sanctions and further fund their military endeavors. This should be a bigger cause for concern for the US government and its allies given the collaboration North Korea has with helping the Russian military, where it recently shipped 7K containers of munitions and other military supplies. Although the US has been cracking down on cryptocurrency mixing services, which are commonly used to launder money through crypto exchanges, North Korea has still been able to take advantage of the rising value of cryptocurrencies and continue to use these services to convert stolen cryptocurrency to fund their military operations.

This illustrates how hard it is to shut down avenues for groups like this one to launder money. That means that nations really have to redouble their efforts to make it harder and harder for groups to launder money. That way it becomes less profitable for these groups.