Threat Source newsletter (July 14, 2022) — Are virtual IDs worth the security risk of saving a few seconds in the TSA line?

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

I’ve started flying again on a somewhat regular basis now that work conferences and out-of-state vacations are becoming a thing again. I took about 18 months or so off flying during the peak of the pandemic, but now I’ve received by second booster shot of the vaccine and am confident in the ability to acquire N95 masks when I need them.

One thing I didn’t miss about flying at all is the airports themselves — lines upon lines, waiting forever just to check a bag, and having to pay $6 for a cup of coffee from a Subway because that’s the only restaurant that happens to be open at 5 a.m.

There’s certainly a temptation to try to streamline the entire airport process by consolidating your personal information into one app. In Maryland, where I live, they recently rolled out the use of state IDs in Apple Wallet and use them at airports. And American Airlines now has its own travel app where users can consolidate their driver’s license, passports, TSA Pre-Check and more in one place to make flying easier. And other states have pledged to work on going digital with their IDs. But I’m hesitant to be willing to take the security risk with these apps in exchange for just not having to fumble around with a physical ID while I’m waiting in the TSA line. During the COVID-19 pandemic, many states rolled out their own tracking apps to alert users if they’ve potentially been exposed, and eventually to log their vaccination status.

It didn’t take long for bad actors to start taking advantage of these apps. North Dakota’s state-run app almost immediately violated its own terms of service by sending users’ location data and personal information to advertisers. And in Pennsylvania, up to 72,000 people may have had their personal information affected as part of a data leak at a third-party contact-tracing service.

And this could be said for pretty much anything in security, but I simply ask — “What could go wrong?”

I have no doubt the people who create these apps have the best intentions in mind. But when you start adding on layers of bureaucracy, plus the blurred lines that come with governments enlisting third parties to create apps on their behalf, and then bad guys looking into every nook and cranny for their next foothold, there are too many unknowns with these plans.

I certainly see the appeal of being able to always keep digital versions of my ID on my phone. It could probably help me avoid some awkward stares from fellow travelers the next time I’m at the airport as I spend the extra 30 seconds fishing out my boarding pass and ID.

But this has got to be another example of consumers sacrificing privacy for the sake of convenience, and I’m not even sure how much of a convenience they are.

**The one big thing **

The Transparent Tribe APT just won’t go away. We’ve been tracking this threat actor for more than a year, and now they’re shifting again by targeting college-aged students in India. This group traditionally goes after government organizations and other government-adjacent companies in the region, likely seeking out sensitive information. The attacks resulted in the deployment of CrimsonRAT, Transparent Tribe’s malware of choice for establishing long-term access into victim networks.

**Why do I care? **Regardless of whether you’re a potential target for this group, it’s clear that everyone in the security space should be following Transparent Tribe. They’ve gone from a relatively unknown group operating on the Indian subcontinent to an actor we’ve continuously followed and has widened their target scope in recent months. Anyone hit with the group’s signature CrimsonRAT malware could have sensitive information stolen, including the attacker being able to take screenshots, log keystrokes and run certain processes on the endpoint. **So now what? **Organizations must always be on the lookout for these types of highly motivated adversaries. In-depth defense strategies based on a risk analysis approach can deliver the best prevention results. However, this should always be complemented by a strong incident response plan that’s been tested with tabletop exercises and reviewed and improved every time it’s put to the test on real engagements. Additionally, there are several Snort rules and ClamAV signatures that protect against this group’s tactics and tools.

Other news of note

A group known as Predatory Sparrow is claiming responsibility for a series of cyber attacks on steel facilities in Iran, one of which caused a fire at a plant. Additionally, they group dumped nearly 20 GBs of documents they claim include information connecting the facilities to Iran’s Revolutionary Guard Corps. Predatory Sparrow also launched a Telegram page, where it posted the message, “These companies are subject to international sanctions and continue their operations despite the restrictions. These cyber-attacks, being carried out carefully to protect innocent individuals." Other attacks from the group came in 2021 when they targeted an Iranian railway system and a state-run gasoline distribution center. (CyberScoop, Yahoo!, BBC)

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) selected four encryption algorithms it says can withstand threats from quantum computing, with a new standard expected to come in about two years. Current encryption methods are not expected to hold up as other countries develop quantum computing technologies that can break those algorithms. Once the new encryption standards are created, companies will be urged, but not necessarily required, to adopt them. It’s recommended that organizations take inventory of applications that use the current public key encryption standards in preparation for the switch. (VentureBeat, DarkReading, Wired)

Apple released a new Lockdown Mode for its major operating systems that can help victims respond to spyware attacks. If enabled, Lockdown Mode turns off certain functions on the devices that may be vulnerable to attack and remote monitoring, including message attachments, shared photo albums and mobile device management. The announcement comes as more instances of governments using spyware have come to light, targeting high-profile journalists, politicians and activists. Apple is offering a $2 million bug bounty to anyone who can discover a vulnerability in Lockdown Mode. (CNET, Apple)

**Can’t get enough Talos? **

• Talos Takes Ep. #103: What we can learn from a recent AvosLocker attack
• Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGPU
• Vulnerability Spotlight: Adobe Acrobat DC use-after-free issues could lead to arbitrary code execution
• Microsoft Patch Tuesday for July 2022 — Snort rules and prominent vulnerabilities
• Threat Roundup for July 1 - 8
• Pakistani Hackers Targeting Indian Students in Latest Malware Campaign

**Upcoming events where you can find Talos **

A New HOPE (July 22 - 24, 2022)
New York City

BlackHat U.S. (Aug. 6 - 11, 2022)
Las Vegas, Nevada

DEF CON U.S. (Aug. 11 - 14, 2022)
Las Vegas, Nevada

**Most prevalent malware files from Talos telemetry over the past week **

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

MD5: aa367b2ef077ffd51bf0597237ef513e

Typical Filename: 1302323352.exe

Claimed Product: N/A

Detection Name: W32.DFC.MalParent

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: LwssPlayer.scr

Claimed Product: 梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

MD5: a7742a6d7d8b39f1a8cdf7f0b50f12bb

Typical Filename: wrsanvs.exe

Claimed Product: N/A

Detection Name: W32.Auto:91e994229a.in03.Talos