
Threat Source newsletter (Sept. 8, 2022) — Why there is no one-stop-shop solution for protecting passwords

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

It seems like there’s at least one major password breach every month — if not more. Most recently, there was an incident at Plex where all users had to reset their passwords.

Many users pay for a password management service — which is something I’ve talked about a ton for Talos. But even those aren’t a one-size-fits-all solution. LastPass, one of the most popular password management services, recently suffered a breach of their own internal development environment, though as of right now, it doesn’t appear like any users’ primary passwords were compromised.

This got me curious about how people prefer to manage their passwords, so I threw up a poll on our Twitter asking our readers how they managed their passwords. Paid password management services like LastPass and 1Password were the most popular response, followed by web browser-based managers like the ones Chrome and Safari offer. Several of the replies reminded me that there is another popular option I managed to neglect: open-source, operating system-independent solutions like KeePass. These are an appealing option because they’re free, while many of the other services I’ve mentioned charge a monthly or yearly fee, and they are cloud-based with strong encryption of the passwords they store, which is especially appealing for people jumping between operating systems or machines.

These aren’t perfect solutions either, though, because many of these open-source solutions rely on unofficial ports to mobile operating systems to run on phones and they are a bit harder to parse for the “everyday” user. I would have more faith in my parents to download an app from 1Password and be able to figure it out than trying to use open-source software in their web browser, and they are the types of users most likely to fall victim to something like a phishing scam looking to break into these password managers.

Web browser managers also aren’t as secure as other managed options and open the door to some serious consequences if a bad actor compromises your Google account login and then steals every other login you have.

Unless users are ready to go back to the old-fashioned “write everything down in a notebook” solution, which also has its own set of problems, it seems like there is no perfect solution to keeping passwords safe. Instead, we need to learn from the benefits of each of these types of solutions to improve our password hygiene.

We could all afford to mix up our passwords and use long strings with multiple types of characters, as web browsers encourage users to do. But we also need several layers of authentication to access our primary password, as users of paid password management services must do.

And even then, we still have a long way to go in educating the “average” user and administrator about secure passwords. I recently learned that the Wi-Fi password at my wife’s health care-based office is a string of numbers so easy to guess I wouldn’t even feel bad for just typing it out here (but I won’t) — so maybe we need to clear that hurdle before we start trying to convert everyone to open-source password managers.

The one big thing

The Lazarus Group, a well-known state-sponsored threat actor, is adding to its arsenal with a new trojan Talos recently discovered called “MagicRAT.” Lazarus deployed MagicRAT in several instances after the successful exploitation of vulnerabilities in VMware Horizon platforms. While a relatively simple RAT in terms of capabilities, it was built using the Qt Framework, with the sole intent of making human analysis harder and automated detection through machine learning and heuristics less likely.

Why do I care? The discovery of MagicRAT in the wild is an indication of Lazarus’ motivation to rapidly build new, bespoke malware to use alongside their previously known malware such as TigerRAT to target organizations worldwide. Lazarus is already a formidable threat actor that’s been incredibly active this year, including major cryptocurrency-related attacks aimed at generating money for the North Korean government and subverting international sanctions. Any new developments from this group are noteworthy for the security community at large. So now what? In the attacks we observed, Lazarus Group commonly exploited VMware vulnerabilities, so users should update any affected products they’re using as soon as possible. Additionally, we’ve released new Snort rules and OSqueries to detect MagicRAT activity and block it before the attackers can get any further.

Top security headlines from the week

The newest version of a well-known banking trojan on the Google Play store is masquerading as legitimate antivirus software and has already been installed on tens of thousands of devices. SharkBot, which was first discovered in February, infects Android users and then tries to initiate unwanted bank transfers by stealing users’ login information and intercepting SMS multi-factor authentication messages. The malware disguises itself as two apps: Mister Phone Cleaner, which has more than 50,000 downloads so far on the Google Play store, according to security researchers, and Kylhavy Mobile Security, which has been downloaded more than 10,000 times. Affected victims are in several different countries, including the U.S., Spain, Australia, Poland, Germany and Austria. (Bleeping Computer, Tech Monitor)

Many students are heading back to school across the U.S., which also means an increased risk of cyber attacks for those schools. Threat actors traditionally try to target the education sector during this period, when schools are more susceptible to an attack and more likely to pay any ransom demands. The massive, combined school district in Los Angeles, California was hit with a ransomware attack this week, forcing more than 600,000 students and staff to reset their passwords. It’s currently unclear what information, if any, was stolen, but students could attend school as planned after the Labor Day weekend. The U.S. federal government even deployed cybersecurity-related agencies to the district to assist with the district’s recovery. (NPR, Washington Post)

Local police departments have been using a little-known location-tracking service since 2018 that can allow them to track suspects’ locations without a warrant. The software, called Fog Reveal, allows the customer to use data harvested from others’ smartphones to track the location and other activities of suspects. Law enforcement has already used it to investigate several different types of crimes, including murder investigations and potential crimes surrounding the attempted insurrection on the U.S. Capitol on Jan. 6, 2021. However, the use of the software is rarely mentioned in court documents when used as part of a criminal trial. (Associated Press, Vice Motherboard)

Can’t get enough Talos?

  • North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns
  • Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues
  • Researcher Spotlight: How Asheer Malhotra looks for ‘instant gratification’ in threat hunting
  • Threat Roundup for Aug. 26 – Sept. 2
  • Talos Takes Ep. #111 (XL Edition): Talos’ update on our work in Ukraine

Upcoming events where you can find Talos

Cisco Security Solution Expert Sessions (Oct. 11 & 13) Virtual

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
MD5: f1fe671bcefd4630e5ed8b87c9283534
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201

SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7
MD5: 0e4c49327e3be816022a233f844a5731
Typical Filename: aact.exe
Claimed Product: AAct x86
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos
