Improper implementations of authentication APIs at a global crypto wallet service provider could have resulted in the loss of account control — and millions of dollars — from personal and business accounts.

A cryptocurrency wallet service provider serving more than 2 million users worldwide and managing about $3 billion worth of Bitcoin was found to contain API vulnerabilities tied to how external authentication logins were implemented. 

The bugs are fixed, but the discovery illustrates the high stakes involved in implementing APIs securely, researchers say — and the difficulties in doing so.  

According to a report shared with Dark Reading from Salt Labs, the research division of Salt Security, a series of vulnerabilities (CVEs were not assigned) could have allowed actors take over a large portion of a user's account in the system.  

This vulnerability would have given a malicious actor full access, along with the ability to perform multiple financial actions on behalf of that user, including the transfer of funds to any location of their choice.

"Once we successfully logged in to a user's accounts, we can potentially use any functionality available to the user, including funds transfer, viewing transactions history, seeing the user's personal data, which might include name, address, bank account number, and other valuable data," Salt researchers note in the report.

The first bug involved the common feature found in mobile apps that allow users to log in using an external service, like Apple ID, Google, Facebook, or Twitter. In this case, the researchers examined the "log in with Google" option — and found that the authentication token mechanism could be manipulated to accept a rogue Google ID as being that of the legitimate user.

The second bug allowed researchers to get around two-factor authentication. A PIN-reset mechanism was found to lack rate-limiting, allowing them to mount an automated attack to uncover the code sent to a user's mobile number or email.

"This endpoint does not contain any sort of rate limiting, user blocking, or temporary account disabling functionality. Basically, we can now run the entire 999,999 PIN options and get the correct PIN within less than 1 minute," according to the researchers.

Each security issue on its own provided limited abilities to the attacker, according to the report. "However, an attacker could chain these issues together to propagate a highly impactful attack, such as transferring the entire account balance to his wallet or private bank account."

Yaniv Balmas, vice president of research at Salt, explains there are two factors that made these vulnerabilities impactful and dangerous.

"First, it is very easily exploitable, and second, a successful exploitation could lead to millions of dollars — or more — being stolen from personal and business accounts," he says.

**Poor API Implementations: An Important Object Lesson**

As noted, the wallet-provider quickly fixed the API implementations in question, but there are important takeaways from the analysis, Balmas explains. After all, as the entire cryptocurrency market is relatively young, most of the services in this domain are heavily dependent on APIs as part of their core technologies.

"I have yet to see any cryptocurrency service that does not publish some sort of API to ease automated interactions with its functionalities," he says. “This reliance on APIs in turn surfaces another problem."

He explains API are designed to be dynamic and rapidly evolving interfaces for core business functionalities, which is obviously very positive from the user perspective.

"However, this same behavior opens the door for many security issues and vulnerabilities that may go unnoticed," he says. "Hence, we see with great frequency in our research efforts a relatively poor state of API security, sometimes with serious business implications."

**API Security Issues a Major Concern as Usage Grows**

As agile development grows in popularity, organizations are turning to APIs, resulting in broader attack surfaces more vulnerable to exploitation by threat actors. A recent analysis by application security firm Imperva and risk-strategy firm Marsh McLennan of breaches involving APIs revealed US companies face a combined $12 billion to $23 billion in losses in 2022.

Meanwhile, a March report from Salt Labs found API attacks increased a whopping 681% in the last year, with API attack traffic growing at more than twice the rate of nonmalicious traffic. Again, much of that could be due to implementation and configuration error: In May, for instance, Shadowserver Foundation researchers discovered that 380,000 Kubernetes API servers were open to the public Internet, representing 84% of all global Kubernetes API instances observable online.

**API Attack Surface Must Be Tracked, Monitored**

Balmas notes another issue with APIs and their nature is that once an API ecosystem gets big, it becomes very hard to have a complete handle on it. With multiple applications and internal services each publishing their own unique sets of APIs, it is very hard for the maintainers sometimes to even know which APIs are published at any given point in time.

"This is why API visibility and consolidation measures are sometimes the very first — and important — step to securing a company's APIs," he says.

Balmas recommends that cryptocurrency platforms, and any other heavy API users, should start paying more attention to the API attack surface that they expose.

"This new attack surface should be carefully tracked and monitored," he adds. "The services behind it should be more carefully reviewed on a periodic basis to make sure no new security issues have been introduced, and behavioral monitoring should be applied on the ongoing traffic to spot anomalies that might be happening in an effort to find and exploit vulnerabilities."

Buggy 'Log in With Google' API Implementation Opens Crypto Wallets to Account Takeover

When examining the modern threat landscape, empowering your security operations and overcoming the limitations inherent with other malware prevention solutions is imperative.

The implementation of defense-in-depth architectures and operating system hardening technologies have altered the threat landscape. Historically, zero-click, singular vulnerabilities were commonly discovered and exploited. The modern-day defensive posture requires attackers to successfully chain together multiple exploit techniques to gain control of a target system. The increased utilization of dynamic analysis systems has driven attackers to evade detection by requiring input or action from the user. Sometimes, the victim must perform several manual steps before the underlying payload is activated. Otherwise, it remains dormant and undetectable through behavioral analysis.

It is well known that client-side attacks are the predominant access vector for most initial access. Web browser and email-based malware campaigns target users through phishing, social engineering, and exploitation. Productivity and business tools from vendors like Adobe and Microsoft are widespread and provide attackers with many options. Combining the lack of security awareness training and well-developed social engineering tactics frequently results in users permitting the execution of malicious embedded logic like weaponized macros or other scripts. Analysis of these common malware carriers is time-consuming and tedious, and it requires expert skills. To adequately prevent, detect, and respond to these threats, an organization must throw everything at the problem and augment this previously human-intensive process.

Deep File Inspection (DFI) is one approach to ease the burden associated with continuous security monitoring. DFI is a static-analysis engine that inspects beyond Layer 7 of the OSI model, essentially automating the work of your typical SOC analyst or security researcher. Regardless of the complexity of evasive techniques a threat actor utilizes, DFI dissects malicious carriers to expose embedded logic, semantic context, and metadata. Coercive graphical lures are extracted and processed through a machine vision layer, adding to the semantic context of the original file. Commonly used obfuscation methods and encoding mechanisms are automatically discovered and deciphered.

A public concern that SOC analysts, IR teams, and security researchers encounter is the limited availability of context for detection analytics. In the case of intrusion prevention systems, resources are limited to microseconds of time and kilobytes of analyzable data. Intrusion detection systems can typically dig deeper, taking additional milliseconds to expose further data.

Regarding the time-analysis trade-off, the next step up is behavioral monitoring or sandboxed execution. This class of solutions detonates samples in a virtualized environment and annotates the system's behavior for threat detection; this process is both compute- and time-intensive, taking minutes to analyze each file. There is a middle ground where a few additional seconds can provide previously unseen detection opportunities.  

**Use Case: Qbot Malware Delivered via Follina and Malspam**

An example of an evasive threat is the recent TA570 campaigns that delivered Qbot malware with thread-hijacked emails. This wave of malspam utilized two different methods to provide the payload. The first method used a shortcut LNK to run a DLL with the hidden attribute. The second method is a Word document using the Follina (CVE-2022-30190) exploit.

    

Figure 2. Recent Qbot threat sequence. Source: InQuest

The attached HTML file contains an antiquated JS function to convert the embedded base64 string into a zip archive and prompt the victim to download. When extracted, the zip file contains a disk image that will be mounted showing either a shortcut or the shortcut and word document. The shortcut will execute the Qbot DLL within the directory with the hidden attribute set. At the same time, the Word file will attempt to exploit the MSDT vulnerability and download the payload from a remote server.

It is challenging for many solutions to carve the zip archive from the encoded HTML, extract the IMG file, and identify the weaponized contents. In this example, multiple threat signatures are seen from ambiguities within the SMTP headers, down to the hidden DLL or Follina document.

    

Figure 3. Variety of signatures alerts. Source: InQuest

Another interesting approach for detection is the concept of retrospective analysis or RetroHunting. While DFI creates a new dimension of data, RetroHunting provides a new dimension of time for analyzing historical events. The appearance of Follina and other zero-day vulnerabilities illustrates the usefulness of this capability by facilitating the detection of previously unseen alerts with emerging threat intelligence and detection logic.

In addition to a library of predeveloped signatures, analysts can develop user-defined YARA rules to combine strings, bytes patterns, and regular expressions via flexible conditional logic.

When confronted with novel attack techniques being encountered in the wild, security leaders must provide an opportunity to empower your detection operations and overcome the limitations inherent with other malware prevention solutions. A free resource to test the efficacy of a mail provider's security controls is the Email Security Assessment.

**About the Author**

    

Josiah Smith has almost a decade of experience in the realm of security. Before becoming a threat engineer, Josiah worked as a cyber operator, overseeing signature management and host-based detection programs. He spent several years in a room without windows, focusing on network detection, threat hunting, and IR investigations. He began his career as a member of the US Air Force, and most of his experience is with the DoD.

Empower Your Security Operations Team to Combat Emerging Threats

It's time to tap the large reservoir of talent with analytical skills to help tackle cybersecurity problems. Train workers in cybersecurity details while using their ability to solve problems.

When I decided to get a degree in criminal justice, cybersecurity wasn't top of mind for me. I just wanted to get justice for folks who had been wronged.

But as I learned more about the criminal justice system in the United States, it wasn't long before I made a pivot. In my junior year in college, while working for a degree in history, I received an unpaid internship to work at a small company in New Hampshire. It was there that I got my introduction to the cybersecurity world — and it led to an epiphany.

I realized that what I learned in college about human behavior extends in the same way to any criminal — whether we're talking about the physical or cyber worlds, a similar logic applies. Since I had always wanted a job where I could develop my analytical skills, cybersecurity was an unexpected fit.

**Tapping an Untapped Talent Pool**

This field can also be an unexpected fit for some of the hundreds of thousands of people who enter the job market each year, even if they graduate with degrees other than computer science. Cybersecurity suffers from a talent shortage and we're making it worse by not tapping this reservoir of potential talent.

There's no one-size-fits-all handbook to guide the battle against cybercriminals. Most often, it requires cybersecurity defenders to fit together different pieces of a human puzzle that will vary depending on a myriad of geographical, political, and cultural influences.

Essentially, this boils down to problem-solving on a global scale. Yet, whether it's cybercrime or physical crime, it's possible to read into the motivations of the threat actors and understand why they're doing the things they do. And then, once we know that, we get closer to predicting their next steps. This is where people with finely honed analytic skills can make excellent cyber sleuths.

Clearly, it's important to possess technical knowledge. But I think you can always teach technical skills to curious minds who enjoy a challenge. The critical thinking aspect is harder to come by. People who possess top-flight problem-solving abilities can make a difference and leverage their skills and fill the cybersecurity ranks with badly needed talent. It's key to have skilled individuals who are capable of training and teaching these individuals.

**Understanding Criminal Motivations**

In terms of adversary detection, there are several variables to consider. But you don’t need to be a veritable Sherlock Holmes to understand the criminal mindset. We need people who can determine what motivates someone to commit a certain act, and subsequently identify the likely next potential actions a threat actor would conduct, whether we’re talking about a distributed denial-of-service (DDoS) attack or a home intrusion.

When it comes to deciphering criminal groups, we repeatedly find similar patterns.

Cybercriminals can often be lazy and tend to choose targets that are designated as "easier," or simply target everyone to see what sticks. Professional cybercriminal groups develop and distribute malware on a global scale, and some groups can be very sophisticated and financially motivated. For example, advanced persistent threat (APT) groups are highly sophisticated professionals that tend to be motivated to carry out the theft of sensitive information, and sometimes, the destruction or prevention of resource access. With Russia-sponsored groups increasingly active since the Ukraine invasion, we can sometimes see both motivations simultaneously. Cyber espionage is solely motivated by information, and threat actors will go to great lengths and show extreme patience to get it. Nation-state groups arguably have the most resources at their disposal, and they can function with different motivation depending on their given objectives.

So, the process of adversary detection comes down to making logical deductions to understand how cybercriminals approach their goals. Once we know what the bad guys tend to do, then it becomes easier to detect their behavior. That's not to dismiss the complexity of the task. Attacker detection is challenging, but not impossible.

It's about getting that full picture of the actor, their motivations, and how they like to operate. Just like Sun Tzu said a long time ago, "If you know the enemy and know yourself, you need not fear the result of a hundred battles."

Cybersecurity Has a Talent Shortage & Non-Technical People Offer a Way Out

With the world potentially less than a decade away from breaking current encryption around critical data, researchers weigh in on planning for the post-quantum world.

The National Institute of Standards and Technology has selected four candidates to form the basis of future data-protection technologies to resist attack by quantum computers, the US science agency said on July 5.

NIST has also advanced four other candidates for additional scrutiny and has called for more proposals for digital signature algorithms by the end of summer.

Security experts have warned that practical quantum computers, which could be less than a decade away, could break many of today's popular encryption algorithms, such as RSA and elliptic curve cryptography — hence the need for post-quantum cryptography (PQC). The selection is part of a long standardization process that will continue, likely resulting in actual standardized algorithms in 2024.

Once the PQC algorithms are turned into a final standard, companies would be advised to use the recommendations, says Dustin Moody, a mathematician in the computer security division at NIST.

"The point of our standardization project was to identify the most promising solutions, and we feel we've done that," he says. "We expect the algorithms we standardize will be widely adopted and implemented by industry and around the world."

**Quantum Looms to Break Encryption**

The selection of the four algorithms marks the latest milestone in the effort to future-proof current data-security measures against what is sometimes known as the "store-and-break threat." The problem is not just whether adversaries have the ability to decrypt a message today, but whether they can develop the ability to decrypt the message in the future. A classified message sent today that needs to be kept secret for the next 30 years could be captured and stored until a computer is created capable of breaking the encryption.

For that reason, experts are looking to the future. In March, for example, the Quantum-Safe Working Group of the Cloud Security Alliance (CSA) set a deadline of April 14, 2030, by which companies should have their post-quantum infrastructure in place. While admittedly arbitrary, technical experts believe that around that time a quantum computer will be able to decrypt current encryption methods using a well-known algorithm invented by mathematician Peter Shor, the CSA stated in March.

While current cryptography is nearly impossible to break with today's classical computers, quantum-computing attacks could be used against many common types of public-key encryption, such as RSA, elliptic curve cryptography, and Diffie-Hellman key exchange.

"Today, data of long-term value encrypted by traditional cryptography is already at risk to quantum," Jim Reavis, co-founder and CEO of the Cloud Security Alliance, said in the March statement. "In the near future, any type of sensitive data will be at risk. There are solutions, and the time is now to prepare for a quantum-safe future."

**4 Promising Post-Quantum Algorithms**

The four NIST-approved algorithms all serve different purposes. The two primary algorithms, CRYSTALS-Kyber and CRYSTALS-Dilithium — in a nod to popular science fiction, named after types of crystals in Star Wars and Star Trek, respectively — are recommended by NIST for use in most applications, with Kyber able to create and establish keys and Dilithium to be used for digital signatures. In addition, two other algorithms — FALCON and SPHINCS+ — also advanced as candidates for digital signatures.

Three of the four algorithms are based on mathematics known as structured lattices, which can be calculated at speeds comparable to current encryption, says NIST's Moody.

"In comparison with current algorithms like RSA or ECC, lattice algorithms are just as fast if not faster when comparing things like key generation, encryption, decryption, digital signing, and verification," he says. "They do have larger public key and ciphertext and signature sizes than the existing algorithms, which may potentially be a challenge when incorporating them into applications and protocols."

The selection of multiple algorithms is a necessity in the post-quantum world, says Duncan Jones, head of cybersecurity for quantum-computing firm Quantinuum.

"Unlike today's algorithms, such as RSA or elliptic curve cryptography (ECC), these new post-quantum algorithms cannot be used for both encryption and data signing," he said in a statement sent to Dark Reading. "Instead, they are used for only one task or another. This means we will be replacing a single algorithm, such as RSA, with a pair of different algorithms."

Until the algorithms pass the final round of the standardization process, estimated to be completed in 2024, organizations should focus on planning their migration and assessing their data-security needs, says NIST's Moody. There is always the chance that the specifications and parameters could change slightly before the standard is finalized, he says.

"To prepare, users can inventory their systems for applications that use public-key cryptography, which will need to be replaced before a cryptographically relevant quantum computers appear," he says. "They can also alert their IT departments and vendors about the upcoming change, and make sure their organization has a plan to deal with the upcoming transition."

Inside NIST's 4 Crypto Algorithms for a Post-Quantum World

Cybersecurity teams continue to emphasize intrusion prevention over incident response, despite US government action.

While few cybersecurity professionals are putting all of their eggs into the intrusion prevention basket, one-third are favoring intrusion prevention over incident response (IR) at a proportion of 80/20 or more.

That's according to a May 2022 Dark Reading report, titled "Breaches Prompt Changes to Enterprise IR Plans and Processes." The 2022 Incident Response Survey polled 188 IT and cybersecurity professionals about their IR capabilities.

A total of 34% of respondents said they prefer to put 80% (21% of respondents), 90% (10% of respondents), or 100% (3% of respondents) of their resources into intrusion prevention over IR. Another 34% also prioritized prevention, with 21% preferring a 70/30 split and 13% dropping to 60/40. Less than a quarter (24% in total) weighted the two approaches evenly or favored IR over prevention, with 13% of that total backing an even split of resources. Eight percent didn't have an opinion.

The numbers from 2021 were very similar, with only a slight shift toward a more even distribution of resources. For example, the 80/20 split was only 18% in 2021, whereas 60/40 and 50/50 both sat three points higher at 16% apiece versus 2022's 13%.

These results back up the overall perception that organizations still put more effort into preventing intrusions than remediating them. For example, a 2021 survey by Wakefield Research, on behalf of Red Canary, Kroll, and VMware, showed that 36% of companies didn't have a detailed incident response plan in place. And last year's Strategic Security Survey by Dark Reading revealed high levels of interest in perimeter defense techniques, with 72% saying that intrusion prevention and detection measures were effective or highly effective.

Pressure from the US government and cyber insurance companies might swing the pendulum toward IR, however. Indeed, in March 2022, US President Joe Biden signed into law the Cyber Incident Reporting Act, which requires critical infrastructure industries to report intrusions quickly and act to remediate them. While that law will apply only to the 16 sectors considered critical, it points the way for other organizations looking to build an IR plan.

For more, download the whole report.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Prevention Takes Priority Over Response

US government warns healthcare and public-health organizations to expect continued attacks involving the manually operated "Maui" ransomware.

The FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department on Wednesday warned about North Korean state-sponsored threat actors targeting organizations in the US healthcare and public-health sectors. The attacks are being carried out with a somewhat unusual, manually operated new ransomware tool called "Maui."

Since May 2021, there have been multiple incidents where threat actors operating the malware have encrypted servers responsible for critical healthcare services, including diagnostic services, electronic health records servers, and imaging servers at organizations in the targeted sectors. In some instances, the Maui attacks disrupted services at the victim organizations for a prolonged period, the three agencies said in an advisory.

"The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” according to the advisory. “Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting \[healthcare and public health\] Sector organizations."

**Designed for Manual Operation**

In a technical analysis on July 6, security firm Stairwell described Maui as ransomware that is notable for lacking features that are commonly present in other ransomware tools. Maui, for instance, does not have the usual embedded ransomware note with information for victims on how to recover their data. It also does not appear to have any built-in functionality for transmitting encryption keys to the hackers in automated fashion.

The malware instead appears designed for manual execution, where a remote attacker interacts with Maui via the command line interface and instructs it to encrypt selected files on the infected machine and exfiltrate the keys back to the attacker. 

Stairwell said its researchers observed Maui encrypting files using a combination of the AES, RSA, and XOR encryption schemes. Each selected file is first encrypted using AES with a unique 16-byte key. Maui then encrypts each resulting AES key with RSA encryption, and then encrypts the RSA public key with XOR. The RSA private key is encoded using a public key embedded in the malware itself.

Silas Cutler, principal reverse engineer at Stairwell, says the design of Maui's file-encryption workflow is fairly consistent with other modern ransomware families. What's really different is the absence of a ransom note. 

"The lack of an embedded ransom note with recovery instructions is a key missing attribute that sets it apart from other ransomware families," Cutler says. "Ransom notes have become calling cards for some of the large ransomware groups \[and are\] sometimes emblazoned with their own branding." He says Stairwell is still investigating how the threat actor is communicating with victims and exactly what demands are being made.

Security researchers say there are several reasons why the threat actor might have decided to go the manual route with Maui. Tim McGuffin, director of adversarial engineering at Lares Consulting, says manually operated malware has a better chance of evading modern endpoint protection tools and canary files compared with automated, systemwide ransomware. 

"By targeting specific files, the attackers get to choose what is sensitive and what to exfiltrate in a much more tactical fashion when compared to a 'spray-and-pray' ransomware," McGuffin says. "This 100% provides a stealth and surgical approach to ransomware, preventing defenders from alerting on automated ransomware, and making it more difficult to use timing or behavior-based approaches to detection or response.”

From a technical standpoint, Maui doesn't utilize any sophisticated means to evade detection, Cutler says. What could make it additionally problematic for detection is its low profile.

"The lack of the common ransomware theatrics — \[such as\] ransom notes \[and\] changing user backgrounds — may result in users not being immediately aware that their files have been encrypted," he says.

**Is Maui a Red Herring?**

Aaron Turner, CTO at Vectra, says the threat actor's use of Maui in a manual and selective manner could be an indication that there are other motives behind the campaign than just financial gain. If North Korea really is sponsoring these attacks, it is conceivable that ransomware is only an afterthought and that the real motives lie elsewhere. 

Specifically, it's most likely a combination of intellectual property theft or industrial espionage combined with opportunistic monetization of attacks with ransomware.

"In my opinion, this use of operator-driven selective encryption is most likely an indicator that the Maui campaign is not just a ransomware activity," Turner says.

The operators of Maui certainly would not be the first by far to use ransomware as cover for IP theft and other activities. The most recent example of another attacker doing the same is China-based Bronze Starlight, which according to Secureworks appears to be using ransomware as cover for extensive government-sponsored IP theft and cyber espionage.

Researchers say that in order to protect themselves, healthcare organizations should invest in a solid backup strategy. The strategy must include frequent, at least monthly, recovery testing to ensure the backups are viable, according to Avishai Avivi, CISO at SafeBreach

"Healthcare organizations should also take all precautions to segment their networks and isolate environments to prevent the lateral spread of ransomware," Avivi notes in an email. "These basic cyber-hygiene steps are a much better route for organizations preparing for a ransomware attack \[than stockpiling Bitcoins to pay a ransom\]. We still see organizations fail to take the basic steps mentioned. … This, unfortunately, means that when (not if) ransomware makes it past their security controls, they will not have a proper backup, and the malicious software will be able to spread laterally through the organization's networks."

Stairwell also has released YARA rules and tools that others can use to develop detections for the Maui ransomware.

North Korean State Actors Deploy Surgical Ransomware in Ongoing Cyberattacks on US Healthcare Orgs

Apple's new Lockdown Mode protects devices targeted by sophisticated state-sponsored mercenary spyware attacks.

Apple today announced a new feature called Lockdown Mode that automatically locks down any system functionality that could be hijacked by even the most sophisticated, state-sponsored mercenary spyware to compromise a user device.

While Apple acknowledged in its statement announcing the initiative that the number of users who might need Lockdown Mode is small, protecting those who face grave cybersecurity threats is worth the effort, the company says.

"While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are," Ivan Krstić, Apple's head of security engineering and architecture, said about the new Lockdown Mode function. "That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world doing critically important work in exposing mercenary companies that create these digital attacks."

Apple's Lockdown Mode will be available this fall with iOS 16, iPadOS 16, and macOS Ventura. When launched, Lockdown Mode will:

*   Block message attachment types other than images, and disable some features like link previews
*   Disable just-in-time JavaScript compilation unless the user specifically excludes a trusted site from restriction
*   Block incoming invitations, service requests, and FaceTime calls unless the user previously contacted the sender
*   Block wired connections with a computer or accessory when the iPhone is locked
*   Block the installation of configuration profiles and the device's enrollment in mobile device management (MDM)

Along with Apple's announcement of the new Lockdown Mode, the company said it would provide a $10 million cybersecurity grant to researchers working on ways to prevent these targeted attacks and offer a $2 million bug bounty for finding flaws in Lockdown Mode's protections.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Debuts Spyware Protection for State-Sponsored Cyberattacks

Here's how I did it and how you can protect your company against such physical/digital hybrid attacks.

Most companies have strategies in place to educate employees about network security. But there has been a lot less awareness and education on how to reduce "phygital" risks — that is, physical devices that launch digital attacks against a company's computer networks.

Another name for these phygital attacks is "warshipping." Essentially, a malicious hacker creates an Internet-enabled device — for example, a miniature computer — and sends it through physical mail in an attempt to compromise a company's computer network. What's more, because so many employees have yet to return to their physical offices post-lockdown, these devices can easily sit for months unattended in unopened mail on desks and in mailrooms, gathering data and exploiting vulnerabilities in a company's network.

It's frighteningly easy and inexpensive to make your own DIY version of a warshipping device. With just three hours, a couple of hundred dollars, and a few YouTube videos, nearly anyone can do it. To show you exactly how easy it is, I'm going to talk about how I built a warshipping device and then discuss what you can do to protect your company against these attacks.

**Building a Warshipping Device**

Prepare yourselves for a bit of a technical jump into hardware and software. We don't have the space here to go into every aspect of building a warshipping device, but the following should give you a harrowing sense of exactly how easy and inexpensive the process can be.

**Building hardware.** The foundation of any warshipping device is as simple as a hobbyist circuit board not much bigger than a credit card, which can operate like a miniature computer. One example is a Raspberry Pi, which is easily found online and arrives with the required software, or at least software that can also be easily found online.

Next you need a Wi-Fi dongle of some kind so your warshipping device can connect to the Internet wirelessly. A USB Wi-Fi adapter and a memory card with at least 32 GBs of storage, along with a SIM card to enable a cellular connection and optional GPS device, will complete the hardware requirements.

**Software prerequisites.** Raspberry Pis have their own Ubuntu-based operating system (OS) called Raspberry Pi OS.

Next you'll need to establish remote access. You need to find your device's IP address so you can connect to it through your computer or another device. To do that, you can run a scan on your local network or use a smartphone app. Next enter the default password for a Raspberry Pi, which is "raspberry." You now have a functional warshipping device.

**Ready for warshipping.** At last you can install your software for warshipping. Your actual warshipping software comes in two parts: your optional GPS software if you want to keep track of your device location and Kismet or a similar network-detecting software.

Kismet acts as a packet sniffer, which finds and captures packets of data from a network to store or forward that information. So Kismet can potentially be used to grab data from your network.

Your device is now ready to cause a world of pain for some poor IT team. All you have to do is send it in the mail, and when it arrives you can access sensitive data or find a vulnerable access point for an attack via the cellular connection. Then you could join the realm of malicious hackers who are costing companies worldwide $2.9 million every minute due to cybercrime.

**Key Takeaways**

So what are some useful takeaways from all of this?

First, you need to realize that this threat isn't going away. These attacks are simply too easy to launch and too hard to address. After all, who has the time to sort through all of that incoming mail as soon as it arrives?

Second, you need to develop phygital security measures as part of your overall cybersecurity efforts. Packages can sit in mailrooms for weeks — or these days, months — before someone processes them. Any of those packages could contain a warshipping device that can use their idle time gathering data from your network. Because warshipping devices can be small enough to fit between two pieces of cardboard, even an opened empty box you're saving in the mailroom to be reused at a later date could be a threat. 

To address the issue, you can start by immediately processing packages that are incorrectly addressed, since these will get returned to the sender. But you should go beyond that to process all unopened mail as quickly as possible and never retain used packaging materials in the mailroom. You can also look into the latest mail-scanning technology, which can detect these devices while avoiding the harmful effects of X-rays.

Third, network discovery software can help you pick up on unusual traffic and detect any new devices the minute they connect to your network. That means you can potentially detect a warshipping device before any damage is done. In addition, the wave of layoffs in the recent Great Resignation, insider threats from individuals who are or formerly were authorized users in your network are just as common and may be harder to detect, since these people may have access to approved credentials and devices.

Fourth, educate your employees. They likely have no idea that packages they left on their desks for a few days while they were working remotely could have a warshipping device inside, so do them and yourselves a favor by alerting them to the possible threat.

If there's one thing you've learned from this article, it should be that the phygital world is a dangerous place. But just knowing about the danger is half the battle. So now you know.

I Built a Cheap 'Warshipping' Device in Just 3 Hours — and So Can You

The hospitality giant said data from 300-400 individuals was compromised by a social-engineering scam targeting the Baltimore airport.

Marriott International has acknowledged yet another data breach, this time impacting between 300 and 400 individuals.

Marriott told Dark Reading that it was a social-engineering scam that was able to trick a single hotel employee into turning over credentials for computer access. Now, the attackers want extortion money. The hotel chain added that it's preparing to notify people who were compromised.

DataBreaches.net was first to report on the latest Marriott compromise after the outlet said the threat actors contacted it to boast about the breach. The report said the Marriott attackers specifically targeted the Marriott at the BWI airport in Baltimore, Md., and were able to exfiltrate 20 GBs of data, including credit card details.

"The threat actor did not gain access to Marriott's core network," a Marriott spokesperson said in a statement to Dark Reading. "Our investigation determined that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property."

The spokesperson added that the company was already aware of the incident and investigating before the attacker contacted Marriott with payment demands. Marriott refused to pay and is working with law enforcement, the person said.

According to the DataBreaches.net report, some of the information exposed included personal identifiable information (PII) for flight crews staying at BWI, including names, flight numbers and times, employment position, room number, and the credit card used for booking.

**Attack Follows Massive Marriott Breach in 2020**

This latest incident pales in comparison to the 2020 Marriott breach that exposed the PII of more than 5.2 million members of the hotel chain's loyalty program. But it illustrates how vulnerable organizations can be to follow-on attacks after an initial compromise, according to Jack Chapman, vice president of threat intelligence at Egress.

"As this latest data breach demonstrates, organizations that are victims of previous attacks are more likely to be targeted in the future," Chapman said in an email to Dark Reading. "Social engineering is a highly effective tool, and cybercriminals know that an organization's people are its biggest vulnerability — which is why they return to this technique again and again."

The results are undeniable: social engineering works.

"A primary mechanism being used by adversaries is social engineering," Saryu Nayyar, CEO and founder of Gurucul, explained via email. "It's simple and effective. And it means that initial compromise is dependent on human behaviors and is therefore impossible to prevent 100% of the time. All it takes is one successful compromise to circumvent most preventive controls."

Finding and securing the organization's most valuable data is a good first step to protecting against these increasingly common social engineering schemes, James McQuiggan, a security awareness advocate at KnowBe4, says.

"Too often, in data breaches, it is discovered that users have access to more data required to do their tasks effectively, and it is only found after the breach when it's on the Dark Web being copied around that the user did not need it," McQuiggan adds. "Any sensitive data, like names, emails, or other personnel data like HR reviews, are to be protected with multifactor authentication to increase the protection and reduce the risk of an attacker having easy access."

Marriott Data Breach Exposes PII, Credit Cards

They may be environmentally friendly, but the surging popularity of electric cars and plug-in hybrids puts the nation's electrical grid at greater risk for malfeasance.

Is the US electrical grid — a 70-year-old behemoth — equipped to handle the load of nearly 607,000 new electric vehicles (EVs) on the roads? As a security guy working in critical national infrastructure (CNI), I wonder. I know the threats facing the US power grid and see it struggling against an already strained capacity. So let's "strength test" this load, see if the grid can handle all those EVs, and discuss what can be done if not. As the one CNI sector that singlehandedly underpins nearly all the others, it matters. 

According to BloombergNEF, there will be nearly 1 million new EVs per month — or one about every three seconds. In the UK, 17% plan to buy an electric vehicle in the next year and nearly 70% would do so if money were no object. It's no surprise, therefore, that BloombergNEF predicts more than 26 million EVs on the road by the end of 2026. An insurance consultancy estimates there will be roughly 4 million in California alone by 2030, and a report by BloombergNEF predicts that by 2040, nearly 60% of global passenger vehicle sales will be electric. From a purely emissions-based standpoint, it's almost too good to be true. But what are the consequences?

**Too Big for the Grid**

The grid also faces the challenge of supporting a fast-growing fleet of EVs and plug-in hybrids (PHEVs) that may overextend its current capacity.

The current grid is something of a marvel, made up of 9,200 generating units, 600,000 miles of transmission lines, and more than 1 million megawatts of generating capacity. However, it was built when the current electrical needs of a household were a few lightbulbs and a toaster back in the '60s. Now, think about an average Thursday night — your kids are home, there are TVs going in every room, you're running a load of wash, nobody remembered to turn the lights off in the bathroom (of course), someone's gaming, someone's streaming, someone's microwaving something, your toddler is talking to Alexa, and you're charging your Tesla. Now add 26 million more Teslas and you see the problem.

Plus, the current grid is built to give, not receive, energy. This becomes an issue with new sustainable sources of energy putting energy back into the system — like wind turbines, solar panels, and (yes) electric vehicles. We're forcing the current grid far beyond its intended use; to do any more, some suggest switching to a smart grid, which unlike the current infrastructure can give _and_ receive power, and its capacity will be much larger than what we have now. Large loads — like EV charging stations, heating and cooling systems, and football stadiums — can crash the grid, bringing the kind of instability we're trying to avoid and generally being bad for business.

Adopting a transactive method like the above can help offset the overall impact of electric vehicles on the power grid and keep things running smoothly. If done right, it will be more energy-efficient, able to load balance, and more stable. If we're to face a future where nearly 60% of all cars will require a charging station, a new grid, or focused improvements to the one we have, it's not only nice but needed.

**Securing the Grid Against EVs**

Besides overload, the biggest challenge EVs bring to the grid is security. They're huge Internet of Things devices with wheels, and the liability couldn't be higher. As of now, the IoT still represents a not-so-distant past where technology would fly off the line with minimal (if any) security controls. Yes, there are laws now, but with cloud connectivity, remote access, and various app integrations that may or may not have the same standards of security, risks are still around. As it stands, Bluetooth hacks can unlock car doors and charging stations are being held for ransom.

And according to Yury Dvorkin, an electrical and computer engineering expert at New York University, charging stations can be entry points for cyberattacks directed at the American energy grid. All it takes is one weak point in the giant, interconnected network of an electric vehicle and soon a hacker can have access to the US energy supply.

As Lear Corp.'s Andre Weimerskirch has pointed out, "An electric vehicle has far more hardware chips and software components than an internal combustion engine. More complexity means we need to be more careful around security in general."

My suggestion to energy providers would be to not wait — shore up your cybersecurity posture against a time when less-than-secure EVs hit the market. I imagine it will be like a second IoT wave (quite literally): hastily added devices released with only secondary thought to security and the onus falling primarily on the user. If you're going to allow EVs — and all the connectivity, technology, and vulnerabilities they bring — anywhere near your power utility, learn the risks and build your cybersecurity strategy around government standards for the energy industry.

Source

DARKReading