Resecurity has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators.
The “In the Box” dark web marketplace is leveraged by cybercriminals to attack over 300 financial institutions (FIs), payment systems, social media platforms and online retailers in 43 countries.
Resecurity, the California-based cybersecurity company protecting major Fortune 500 companies, has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators. The marketplace is known as “InTheBox” and has been available to cybercriminals on the TOR network since at least the start of May 2020. Since then it has transformed from a privately operated cybercriminal service into the largest marketplace known today, measured by the sheer number of unique tools and so-called web-injects offered for sale.
Such malicious scenarios are purposely developed by fraudsters and used for online-banking theft and financial fraud. Web-injects are integrated into mobile malware to intercept credentials for banking, payment systems, social media and email providers, and they also collect other sensitive information such as credit card data, address details, phone numbers and other PII. This trend originates from the “Man-in-the-Browser” (MiTB) attacks and web-injects designed for traditional PC-based malware such as Zeus, Gozi and SpyEye. Later, cybercriminals successfully applied the same approach to mobile devices, because modern digital payments are deeply intertwined with the mobile applications used by consumers.
According to the experts from Resecurity, the identified “In The Box” marketplace may now proudly be called the largest and most significant catalyst for banking theft and fraud involving mobile devices. The significance of the findings is highlighted by the quality, quantity and spectrum of the available malicious arsenal. Currently, cybercriminals are offering over 1,849 malicious scenarios for sale, designed for major financial institutions, e-commerce, payment systems, online retailers, and social media companies from over 45 countries including the U.S., the U.K., Canada, Brazil, Colombia, Mexico, Saudi Arabia, Bahrain, Turkey, and Singapore. Organizations targeted by the injects include Amazon, PayPal, Citi, Bank of America, Wells Fargo, DBS Bank, and others. In November 2022 the actor released a significant update covering close to 144 injects and improved their visual design.
The operators behind the “IntheBox” marketplace are closely connected to developers of major mobile malware families including Alien, Cerberus, Ermac, Hydra, Octopus (aka “Octo”), Poison, and MetaDroid. Cybercriminals rent mobile malware on a subscription basis for fees ranging from $2,500 to $7,000, and in some cases task underground vendors with developing purpose-built injects for particular services or applications to ensure successful credential theft on mobile devices. Such malicious scenarios are designed to look identical to their legitimate counterpart applications but contain fake forms that intercept the victim’s logins and passwords. In addition, the mobile malware enables criminals to intercept 2FA codes sent via SMS by the bank or to redirect an incoming call containing verification details. Over the years the mobile banking malware market has matured considerably; most Dark Web actors have stopped selling such malware outright and instead rent it out or use it privately.
Every year, the amount of mobile-oriented malware increases exponentially. According to independent studies, almost 1 in 5 mobile users may be compromised with mobile malware. The bad actors leverage smart tactics to bypass anti-fraud filters and conduct banking theft, confirming all verification codes without raising suspicion, for example by splitting amounts above transfer limits into several smaller transfers. The amount of a typical banking theft varies between $5,000 and $15,000 per consumer and $50,000 and $250,000 per enterprise, depending on the size and business activity. In total, losses from fraud exceeded $5.6 billion in 2022. Combined with other types of fraud such as business email compromise, money laundering and investment scams, this creates a huge shadow economy with trillions of dollars circulating in the underground.
“The cybercriminals are focusing on mobile devices more than ever, because modern digital payments are impossible without them. Successful disruption of mobile malware networks and associated cybercriminal services is crucial for protecting financial institutions and consumers around the world” – said Christian Lees, Chief Technology Officer (CTO) of Resecurity. “With the rapid growth of fraudulent activity in our post-pandemic world, bad actors continue to upgrade their tooling arsenal to attack customers of major financial institutions (FIs), e-commerce platforms and online marketplaces allowing them to benefit from the upcoming Christmas and New Year’s holidays. According to collected statistics in Q4 2022 by Resecurity®, Digital Forensics & Incident Response (DFIR) engagements conducted on Fortune 500 companies from multiple regions including North America, APAC, LATAM and Middle East & North Africa (MENA). Cybercriminals are especially successful when attacking mobile devices and leveraging gained access for further unauthorized access and financial theft.” – he added.
The catalyst behind mobile banking malware distribution was uncovered by Resecurity’s HUNTER unit, which investigates cybercrime activities by hunting the actors behind them in close collaboration with international law enforcement agencies and industry partners.
The intelligence on the architecture, ecosystem, actor profiles and acquired malicious scenarios has been shared with FS-ISAC and the Google Security Team so that defenders can develop signatures and tactics to properly protect mobile users. The majority of mobile malware supported by “InTheBox” targets devices running Google Android, which is why proactive intelligence sharing with the Google Security Team will facilitate enhanced consumer protection, saving millions of USD ahead of the upcoming Christmas and winter holidays, known as the peak of fraudulent activity because of the increase in online transactions and payments.
A critical stack-based buffer overflow bug, tracked as CVE-2022-23093, in the ping utility could allow attackers to take over FreeBSD systems.
The maintainers of the FreeBSD operating system released updates to address a critical flaw, tracked as CVE-2022-23093, in the ping module that could be potentially exploited to gain remote code execution.
The ping utility tests the reachability of a remote host using ICMP messages. Because it needs raw sockets, it requires elevated privileges, so it is installed with the setuid bit set to make it available to unprivileged users. When ping runs, it creates the raw socket and then revokes its elevated privileges.
“ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.” reads the advisory for this issue. “The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.”
A remote attacker can trigger the vulnerability, causing the ping program to crash and potentially leading to remote code execution in ping.
“The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur.” continues the advisory.
Users are advised to upgrade vulnerable systems to a supported FreeBSD stable or release/security branch (releng) dated after the correction date.
The maintainers of the FreeBSD operating system pointed out that no workaround is available.
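A defender-side illustration of the length check the advisory says pr_pack() lacked, written as an added example and not taken from FreeBSD’s ping source: the IPv4 header length comes from the IHL nibble (20 to 60 bytes, so up to 40 bytes of options), and a parser must size its copy by that value rather than by the fixed header. The same check applies to the inner header of a quoted packet; the sample packet below is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IHL is a 4-bit field counted in 32-bit words: 5 * 4 = 20 bytes minimum,
 * 15 * 4 = 60 bytes maximum, i.e. up to 40 bytes of options after the fixed
 * header. Those 40 bytes are exactly the overrun the advisory describes. */
#define IP_HDR_MIN   20
#define IP_HDR_MAX   60
#define ICMP_HDR_MIN 8

/* Header length in bytes as encoded in the IHL nibble of the first byte. */
static size_t ip_header_len(const uint8_t *pkt) {
    return (size_t)(pkt[0] & 0x0f) * 4;
}

/* Bytes of IP options following the fixed header (0 for a plain header).
 * Returns -1 if the packet is too short or the IHL value is invalid. */
int ip_options_len(const uint8_t *pkt, size_t pktlen) {
    if (pktlen < IP_HDR_MIN) return -1;
    size_t hlen = ip_header_len(pkt);
    if (hlen < IP_HDR_MIN || hlen > IP_HDR_MAX || hlen > pktlen) return -1;
    return (int)(hlen - IP_HDR_MIN);
}

/* Safe header reconstruction: copy the variable-length IP header into a
 * destination sized for the maximum (iphdr must hold IP_HDR_MAX bytes) and
 * only then read the ICMP header that follows it. Returns the offset of the
 * ICMP header within pkt, or -1 when the packet must be dropped. */
int extract_headers(const uint8_t *pkt, size_t pktlen,
                    uint8_t *iphdr, uint8_t *icmphdr) {
    int optlen = ip_options_len(pkt, pktlen);
    if (optlen < 0) return -1;
    size_t hlen = IP_HDR_MIN + (size_t)optlen;
    if (pktlen < hlen + ICMP_HDR_MIN) return -1;  /* no room for an ICMP header */
    memcpy(iphdr, pkt, hlen);                      /* bounded by IP_HDR_MAX */
    memcpy(icmphdr, pkt + hlen, ICMP_HDR_MIN);
    return (int)hlen;
}

/* Constructed sample: an echo reply whose IP header carries 4 bytes of
 * options (IHL = 6). A fixed 20-byte destination would be overrun by them. */
static const uint8_t sample_with_options[] = {
    0x46, 0x00, 0x00, 0x20,  /* version 4, IHL 6 (24 bytes), total length 32 */
    0x00, 0x01, 0x00, 0x00,  /* id 1, no flags/fragment offset */
    0x40, 0x01, 0x00, 0x00,  /* TTL 64, protocol 1 (ICMP), checksum not computed */
    0x0a, 0x00, 0x00, 0x01,  /* src 10.0.0.1 */
    0x0a, 0x00, 0x00, 0x02,  /* dst 10.0.0.2 */
    0x01, 0x01, 0x01, 0x00,  /* options: NOP, NOP, NOP, EOL */
    0x00, 0x00, 0x00, 0x00,  /* ICMP echo reply: type 0, code 0, checksum */
    0x00, 0x01, 0x00, 0x01   /* identifier 1, sequence 1 */
};
#define SAMPLE_WITH_OPTIONS_LEN (sizeof sample_with_options)
```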
The North Korea-linked Lazarus APT spreads fake cryptocurrency apps under the fake brand BloxHolder to install the AppleJeus malware.
Volexity researchers warn of a new malware campaign conducted by the North Korea-linked Lazarus APT against cryptocurrency users. The threat actors were observed spreading fake cryptocurrency apps under the fake brand BloxHolder to deliver the AppleJeus malware for initial access to networks and steal crypto assets.
The APT group has employed the AppleJeus malware since at least 2018 to steal cryptocurrencies from its victims.
In the new campaign observed by Volexity, which started in June 2022, the APT group registered the domain name bloxholder[.]com and then set up a website related to automated cryptocurrency trading.
The new campaign attributed to Lazarus started in June 2022 and was active until at least October 2022.
In this campaign, the threat actors used the “bloxholder[.]com” domain, a clone of the HaasOnline automated cryptocurrency trading platform.
The website is a clone of the legitimate HaasOnline website (haasonline[.]com).
The attackers used the website to distribute a Windows MSI installer masquerading as the BloxHolder app, which was used to install AppleJeus malware along with the QTBitcoinTrader app.
“This discovered file, the “BloxHolder application”, is actually another case of AppleJeus being installed alongside the open-source cryptocurrency trading application QTBitcoinTrader that is available on GitHub. This same legitimate application has previously been used by the Lazarus Group, as documented in this report from CISA.” reads the report published by Volexity. “The MSI file is used to install both the malicious and legitimate applications at the same time.”
In October 2022, the researchers observed the Lazarus Group installing AppleJeus using a weaponized Microsoft Office document, named ‘OKX Binance & Huobi VIP fee comparision.xls,’ instead of an MSI installer.
The document contains a macro split into two parts: the first decodes a base64 blob containing a second OLE object, which in turn holds a second macro. The initial document also stores several base64-encoded variables that define where the malware will be deployed on the infected system.
The last stage payload is downloaded from a public file-sharing service, OpenDrive.
Volexity experts were not able to retrieve the final payload employed since October, but they noticed that its DLL sideloading mechanism is similar to the one used in the attacks relying on the MSI installer.
“While the file was no longer available at the time of analysis, based on public sandbox results for the file in question, the downloaded payload, “Background.png”, embeds the following three files:
“Logagent.exe” – a legitimate file (md5: eb1e19613a6a260ddd0ae9224178355b)
“wsock32.dll” – a side-loaded library internally named HijackingLib.dll (md5: e66bc1e91f1a214d098cf44ddb1ae91a)
“56762eb9-411c-4842-9530-9922c46ba2da” – an encoded payload decoded by “wsock32.dll”
” continues the analysis. “The three files are dropped on disk using hardcoded offsets that can be found in the second macro.”
Experts speculate Lazarus used DLL sideloading to hinder malware analysis; the researchers also noticed that recent AppleJeus samples obfuscate strings and API calls using a custom algorithm.
“The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to elude detection, they have decided to use chained DLL side-loading to load their payload. Additionally, Volexity has not previously noted the use of Microsoft Office documents to deploy AppleJeus variants.” concludes Volexity. “Despite these changes, their targets remain the same, with the cryptocurrency industry being a focus as a means for the DPRK to bolster their finances.”
Law enforcement agencies can extract data from the infotainment systems of thousands of different car models.
Data managed by the infotainment systems of modern vehicles is a valuable source of information for law enforcement investigations.
Modern vehicles come with sophisticated infotainment systems that are connected online and that could represent an entry point for attackers, as demonstrated by many security experts over the years.
Law enforcement and intelligence worldwide are buying technologies that exploit weaknesses in vehicle systems.
Recently the security researcher Sam Curry warned of vulnerabilities in mobile apps that exposed Hyundai and Genesis car models built after 2012 to remote attacks. An attacker could exploit these flaws to unlock and start the vehicles.
The experts also exploited similar flaws in attacks targeting the SiriusXM “smart vehicle” platform used by several car makers, including Toyota, Honda, FCA, Nissan, Acura, and Infiniti.
An attacker only needs to know the car’s identifying number, known as a VIN, to launch the attack against a target vehicle.
Vulnerabilities in infotainment systems can generally be exploited by remote attackers to lock or unlock a vehicle, interact with several of its features (including the drivers’ connected devices), and locate it.
According to a report published by Forbes, federal law enforcement agencies, including immigration and border authorities, are using technologies that exploit similar weaknesses to extract data from 10,000 different car models.
“The ability to gather piles of evidence on a potential crime from an automobile—sometimes more than can be obtained from a smartphone and often less well secured—is something that immigration and border cops have increasingly latched on to in 2022.” Forbes reports. “Court documents and government contracting records show the agencies tasked with monitoring the Mexican border have spent record sums on car hacking tools, while talking up the extraordinary amount of valuable evidence that can be reaped from onboard computers.”
Privacy advocates are raising the alarm over law enforcement surveillance based on data collected from the connected systems of modern cars.
“New cars are surveillance on wheels, sending sensitive passenger data to carmakers and police. Cars also store enormous amounts of passenger data onboard, where police can extract it using specialized tools. We estimate that law enforcement agencies could have accessed car data hundreds of thousands of times in 2020.” warned a report published by Surveillance Technology Oversight Project (S.T.O.P.). “Constitutional loopholes allow access to most data on cars without a warrant. Police can access information from car-connected phones and online accounts without the warrant typically required.”
Forbes reported the case of a recent search of a 2019 Dodge Charger, “used to facilitate the transportation or movement of noncitizens without legal status into and throughout the United States” near the Mexican border. Police were able to access the infotainment system of the vehicle to obtain a broad range of information, including the suspect’s location, user passwords, email addresses, IP addresses and phone numbers.
Forbes also reports another case related to an investigation conducted by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) in Missouri in October. In that case, the law enforcement body used the car hacking technology to gather information from a 2022 Ford F-150.
The ATF investigator pointed out that connected systems in modern vehicles can be targeted to recover a vast amount of data and also spy on a phone connected to the car without access to the phone itself.
ATF confirmed that these digital forensics technologies can be used on over 10,000 different vehicle models.
“There are over 10,000 supported vehicles by BMW, Buick, Cadillac, Chevrolet, Chrysler, Dodge, Fiat, Ford, GMC, Hummer, Jeep, Lincoln, Maserati, Mercedes, Mercury, Pontiac, Ram, Saturn, Toyota and Volkswagen,” ATF wrote.
Forbes reported that Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) have this year spent record sums on car forensics technologies provided by the vehicle forensics firm Berla.
The company provides a collection of tools named iVe that supports investigators throughout the entire vehicle forensics process; it includes a mobile application for identifying vehicles, a hardware kit for acquiring systems, and forensic software for analyzing data.
“According to government contract records, in August CBP spent over $380,000 on iVe, nearly eight times its previous single biggest purchase of $50,000 from 2020. ICE, which has been buying Berla’s tools and trainings since 2010, spent $500,000 on iVe in September, well over twice its previous record of $200,000. In a May 2022 contract, CBP specifically asked for “vehicle infotainment forensic extraction tools, licenses, and training” from Berla.” continues Forbes.
US DHS Cyber Safety Review Board will review attacks linked to the Lapsus$ extortion gang that hit multiple high-profile companies.
The Department of Homeland Security (DHS) Cyber Safety Review Board announced that it will review cyberattacks linked to the extortion gang Lapsus$; the gang has breached multiple high-profile companies in recent years.
“Today, the U.S. Department of Homeland Security (DHS) announced that the Cyber Safety Review Board (CSRB) will review the recent attacks associated with Lapsus$, a global extortion-focused hacker group. Lapsus$ has reportedly employed techniques to bypass a range of commonly-used security controls and has successfully infiltrated a number of companies across industries and geographic areas.” reads the CSRB announcement.
The review aims at developing a set of actionable recommendations for how organizations can improve their resilience to these types of attacks. The final report will be transmitted to President Biden through Secretary of Homeland Security Alejandro N. Mayorkas and CISA Director Jen Easterly.
“The Cyber Safety Review Board has quickly established itself as an innovative and enduring institution in the cybersecurity ecosystem,” said Secretary Alejandro N. Mayorkas. “With its review into Lapsus$, the Board will build on the lessons learned from its first review and share actionable recommendations to help the private and public sectors strengthen their cyber resilience.”
As directed by President Biden through Executive Order 14028 Improving the Nation’s Cybersecurity, Secretary Mayorkas established t
The CSRB was established in February 2022 under the direct order of President Biden through Executive Order 14028, with the intent of improving the Nation’s cybersecurity.
The group of experts is tasked with reviewing and assessing significant cybersecurity events to allow public and private organizations to better protect US networks and infrastructure.
“The CSRB is composed of highly esteemed cybersecurity leaders from the federal government and the private sector. The CSRB does not have regulatory powers and is not an enforcement authority. Instead, its purpose is to identify and share lessons learned to enable advances in national cybersecurity. Robert Silvers, DHS Under Secretary for Policy, serves as Chair and Heather Adkins, Google’s Vice President for Security Engineering, serves as Deputy Chair.” continues the announcement.
In October, the Federal Police of Brazil announced the arrest of an individual suspected of being linked to the LAPSUS$ extortionist gang. The authorities did not disclose information about the individual; it seems that the suspect is a teenager.
The arrest is the result of an international police operation codenamed Operation Dark Cloud that was launched in August 2022.
The Brazilian police, the Polícia Federal, launched its investigation in December 2021 after the website of Brazil’s Ministry of Health suffered a data breach. Threat actors stole 50TB of data and deleted COVID-19 vaccination data of millions of Brazilian citizens.
The Lapsus$ gang claimed responsibility for the attack, the group also hit other federal government websites, including the Ministry of Economy, Comptroller General of the Union, and the Federal Highway Police.
In September, the City of London Police arrested a 17-year-old on suspicion of hacking; experts believe the arrest could be linked to the recent security breaches suffered by Uber and Rockstar Games.
Uber revealed that the threat actor behind its intrusion is affiliated with the LAPSUS$ hacking group.
The threat actor behind the Uber hack, who goes online by the moniker Tea Pot (aka teapotuberhacker), also claimed to have hacked Rockstar Games, the gaming firm behind GTA 6.
The arrest is the result of a joint investigation conducted by City of London Police with the U.K. National Crime Agency’s cybercrime unit.
Experts spotted a new data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian mayor’s offices and courts.
Researchers from Kaspersky discovered a previously unknown data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian mayor’s offices and courts.
The malware masquerades as ransomware, but the analysis of the code demonstrates that it does not actually encrypt, but only destroys data in the infected system.
According to Kaspersky, the wiper was first spotted in the fall of 2022 when it was employed in an attack against an organization’s network in the Russian Federation.
“After examining a sample of malware, we found out that this Trojan, although it masquerades as a ransomware and extorts money from the victim for “decrypting” data, does not actually encrypt, but purposefully destroys data in the affected system.” reads the report published by Kaspersky. “Moreover, an analysis of the Trojan’s program code showed that this was not a developer’s mistake, but his original intention.”
The CryWiper sample analyzed by the researchers is a Windows 64-bit executable written in C++ and compiled using the MinGW-w64 toolkit and the GCC compiler. The experts pointed out that this toolchain is unusual for C/C++ malware targeting Windows.
The experts believe the malware was specifically designed to target Windows systems because it uses many calls to WinAPI functions.
Once executed, CryWiper uses the Task Scheduler and the schtasks create command to create a task to run its file every 5 minutes.
The wiper contacts the command and control server using an HTTP GET request and passes the name of the infected system as a parameter.
The C2 in turn responds with either a “run” or “do not run” command, which determines whether the malware should start.
In some cases, the researchers observed execution delays of 4 days (345,600 seconds) to hide the logic behind the infection.
Upon receiving a run response, CryWiper uses the taskkill command to stop processes related to MySQL and MS SQL database servers, the MS Exchange mail server and MS Active Directory web services. Stopping these services releases the files they hold open so that the wiper can overwrite them.
The wiper also deletes shadow copies on the compromised machine to prevent victims from restoring the wiped files.
The malware also changes the HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections registry setting to prevent RDP connections to the infected system.
In order to destroy user files, the wiper generates a sequence of data using the pseudo-random number generator “Mersenne Vortex” (Mersenne Twister) and overwrites the original file content with it.
The malware appends the .CRY extension to the files it has corrupted and drops ransom notes (‘README.txt’) demanding 0.5 Bitcoin for decryption.
“CryWiper positions itself as a ransomware program, that is, it claims that the victim’s files are encrypted and, if a ransom is paid, they can be restored. However, this is a hoax: in fact, the data has been destroyed and cannot be returned. The activity of CryWiper once again shows that the payment of the ransom does not guarantee the recovery of files.” concludes the report.
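The behaviours described above (a 5-minute scheduled task, taskkill against database and mail servers, shadow copy deletion, and the fDenyTSConnections change) lend themselves to correlation on process-creation telemetry. The following is an added detection example, not code from Kaspersky’s report: it scores constructed command lines against those four behaviours and flags a host when at least three co-occur. The vssadmin pattern is an assumption, since the report says shadow copies are deleted but not by which command.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* The four behaviours the report attributes to CryWiper. */
enum { B_SCHED_TASK, B_KILL_SERVERS, B_SHADOW_DELETE, B_BLOCK_RDP, B_COUNT };

static const char *const BEHAVIOUR_NAMES[B_COUNT] = {
    "scheduled task re-running the binary every 5 minutes",
    "taskkill against database/mail server processes",
    "deletion of volume shadow copies (vssadmin pattern is an assumption)",
    "fDenyTSConnections set to block RDP",
};

const char *behaviour_name(int b) {
    return (b >= 0 && b < B_COUNT) ? BEHAVIOUR_NAMES[b] : "unknown";
}

/* Each indicator needs both substrings on one command line (case-insensitive),
 * so a routine "schtasks /create" or "vssadmin list shadows" does not match. */
struct indicator { int behaviour; const char *needle1; const char *needle2; };

static const struct indicator INDICATORS[] = {
    { B_SCHED_TASK,    "schtasks",           "/mo 5"          },
    { B_KILL_SERVERS,  "taskkill",           "sqlservr"       },
    { B_KILL_SERVERS,  "taskkill",           "mysqld"         },
    { B_KILL_SERVERS,  "taskkill",           "msexchange"     },
    { B_SHADOW_DELETE, "vssadmin",           "delete shadows" },
    { B_BLOCK_RDP,     "fdenytsconnections", "/d 1"           },
};

/* Case-insensitive substring search (strcasestr is not portable C). */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Bitmask of distinct behaviours seen across all command lines of one host. */
unsigned behaviour_mask(const char *const *lines, size_t n) {
    unsigned mask = 0;
    for (size_t l = 0; l < n; l++)
        for (size_t k = 0; k < sizeof INDICATORS / sizeof INDICATORS[0]; k++)
            if (contains_ci(lines[l], INDICATORS[k].needle1) &&
                contains_ci(lines[l], INDICATORS[k].needle2))
                mask |= 1u << INDICATORS[k].behaviour;
    return mask;
}

/* Number of distinct behaviours observed. */
int count_behaviours(const char *const *lines, size_t n) {
    unsigned mask = behaviour_mask(lines, n);
    int c = 0;
    for (int b = 0; b < B_COUNT; b++) c += (int)((mask >> b) & 1u);
    return c;
}

/* Flag a host when at least three of the four behaviours co-occur; any single
 * one (an admin's own vssadmin call, say) is too noisy to alert on alone. */
int host_flagged(const char *const *lines, size_t n) {
    return count_behaviours(lines, n) >= 3;
}

/* Constructed sample process-creation command lines, not real telemetry. */
static const char *const SAMPLE_LOG[] = {
    "schtasks /create /tn Updater /tr C:\\Users\\Public\\update.exe /sc minute /mo 5 /f",
    "taskkill /f /im sqlservr.exe /im mysqld.exe /im MSExchangeIS.exe",
    "vssadmin delete shadows /all /quiet",
    "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" "
        "/v fDenyTSConnections /t REG_DWORD /d 1 /f",
};
#define SAMPLE_LOG_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])
```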
Google released security updates to address a new Chrome zero-day flaw, tracked as CVE-2022-4262, actively exploited in the wild.
Google rolled out an emergency security update for the Chrome web browser to address a new zero-day vulnerability, tracked as CVE-2022-4262, that is actively exploited.
The vulnerability was reported by Clement Lecigne of Google’s Threat Analysis Group on November 29, 2022.
“CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google’s Threat Analysis Group on 2022-11-29” reads the advisory published by Google. “Google is aware that an exploit for CVE-2022-4262 exists in the wild.”
As usual, Google did not share technical details about the vulnerability, in order to give users time to update their Chrome installations. Nonetheless, threat actors can exploit the flaw to potentially achieve arbitrary code execution.
Google fixed the zero-day with the release of 108.0.5359.94 for Mac and Linux and 108.0.5359.94/.95 for Windows, which the company plans to roll out over the coming days and weeks.
CVE-2022-4262 is the ninth actively exploited Chrome zero-day addressed by Google this year; below is the list of the other zero-days fixed by the tech giant:
Qualys researchers demonstrated how to chain a new Linux flaw with two other issues to gain full root privileges on an impacted system.
Researchers at the Qualys’ Threat Research Unit demonstrated how to chain a new Linux vulnerability, tracked as CVE-2022-3328, with two other flaws to gain full root privileges on an affected system.
The vulnerability resides in snap-confine, a SUID-root program installed by default on Ubuntu.
snap-confine is used internally by snapd to construct the execution environment for snap applications, i.e. it is the tool that confines snap applications.
CVE-2022-3328 is a race condition in snapd that can lead to local privilege escalation and arbitrary code execution.
“In February 2022, Qualys Threat Research Unit (TRU) published CVE-2021-44731 in our “Lemmings” advisory. The vulnerability (CVE-2022-3328) was introduced in February 2022 by the patch for CVE-2021-44731.” reads the post published by Qualys.
“The Qualys Threat Research Unit (TRU) exploited this bug in Ubuntu Server by combining it with two vulnerabilities in multipathd called Leeloo Multipath (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973), to obtain full root privileges.”
The experts chained the CVE-2022-3328 flaw with two recently discovered flaws in multipathd, a daemon in charge of checking for failed paths.
Multipathd runs as root in the default installation of several distributions, including Ubuntu.
The two vulnerabilities in the Multipathd are:
CVE-2022-41974 (CVSS 7.8) – The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.
CVE-2022-41973 (CVSS 7.0) – The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
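The bug class behind CVE-2022-41974 (a repeated keyword mishandled because flags are accumulated with arithmetic ADD instead of bitwise OR) is easiest to see on a toy parser. The following is an added illustration, not multipathd’s code; the keywords and flag values are hypothetical. It shows why the fix matters: OR is idempotent, so repeating a keyword changes nothing, whereas ADD lets repeats carry into a neighbouring bit.

```c
#include <string.h>

/* Hypothetical flag bits for a socket-command parser (not multipathd's real
 * keywords or values). KW_ADMIN is the privileged bit a plain client must
 * never be able to set. */
enum {
    KW_RELOAD  = 1 << 0,   /* permitted for any client */
    KW_VERBOSE = 1 << 1,
    KW_ADMIN   = 1 << 2    /* privileged */
};

static int keyword_bit(const char *kw) {
    if (strcmp(kw, "reload") == 0)  return KW_RELOAD;
    if (strcmp(kw, "verbose") == 0) return KW_VERBOSE;
    if (strcmp(kw, "admin") == 0)   return KW_ADMIN;
    return 0;                        /* unknown keywords contribute nothing */
}

/* Tokenise a space-separated command and accumulate keyword flags.
 * use_or selects the corrected (bitwise OR) or the flawed (ADD) behaviour. */
static int parse_flags(const char *cmd, int use_or) {
    char buf[128];
    int flags = 0;
    strncpy(buf, cmd, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        int bit = keyword_bit(tok);
        if (use_or) flags |= bit;    /* idempotent: repeats change nothing   */
        else        flags += bit;    /* flawed: four "reload"s sum to KW_ADMIN */
    }
    return flags;
}

int flags_flawed(const char *cmd) { return parse_flags(cmd, 0); }
int flags_fixed(const char *cmd)  { return parse_flags(cmd, 1); }

/* Authorization check applied to a non-admin client's parsed command:
 * the command is allowed only if no privileged bit ended up set. */
int non_admin_allowed(int flags) { return (flags & KW_ADMIN) == 0; }
```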
“Successful exploitation of the three vulnerabilities lets any unprivileged user gain root privileges on the vulnerable device. Qualys security researchers have verified the vulnerability, developed an exploit and obtained full root privileges on default installations of Ubuntu.” Qualys added.
The FAQ section included in the advisory confirms that the vulnerability is not remotely exploitable.
Once a niche technology, drones are about to explode in terms of market growth and enterprise adoption. Naturally, threat actors follow the trend and exploit the technology for surveillance, payload delivery, kinetic operations, and even diversion.
There exists a class of tiny and highly maneuverable devices that introduce a variety of cybersecurity risks you probably haven’t considered before.
Drones currently occupy a unique legal position as they are classified as both aircraft and networked computing devices. From a malicious drone operator perspective, this inherently grants a high level of advantageous legal ambiguity and protection to criminals operating drones as counter-attacking efforts taken by victims may violate protective regulations or laws applicable to aircraft, but also anti-hacking laws meant to provide protections to personal computers, their data, and networks.
This article is going to explore cybersecurity considerations surrounding drone platforms through an initial review of drone market trends, popular drone hacking tools, and general drone hacking techniques that may be used to compromise enterprise drone platforms, including how drone platforms themselves may be used as malicious hacking platforms.
A secondary outcome of this article is to help spur awareness around a once niche space of technology that is about to explode in terms of market growth and enterprise adoption.
According to research firm Statista, the global retail drone market is expected to reach $90 billion by 2030, with defense, enterprise, and logistics being the primary industries driving growth. Within the United States alone, nearly 300,000 commercial pilot licenses have been issued as of 2022, compared to nearly 1 million individual drones registered with the Federal Aviation Administration (FAA) under its weight and commercial compliance rules.
This number does not account for drones operated by amateur pilots or hobbyists, who do not require professional licensure, or for aircraft below the weight thresholds (typically 250 grams) that would otherwise require registration with local or federal authorities.
In China, the retail drone market reached $15 billion in 2021, with projections to exceed $22 billion by 2024. Drone pilot licenses issued throughout China exceed the United States, with over 780,000 registered pilots and close to 850,000 registered drones.
These numbers suggest that a once uncluttered skyline may soon be teeming with millions of drone aircraft, and questions begin to arise regarding enterprise security, privacy, and potential cybersecurity threats originating from the sky.
Departing from the general market statistics concerning drones, it is prudent to better understand how a flying laptop poses a threat to enterprise operations. From a cybercriminal perspective, drones are an ideal tool to carry out malicious attacks because they generally provide a greater layer of separation between the bad actor, the aircraft itself, and the actions executed by the physical drone platform.
Laptops or workstations physically operate in two dimensions and are more easily associated with an end user, whereas a flying, computerized aircraft with a range of 10 km can be harder to trace to a specific individual or geographical area. Drones also offer cybercriminals a great degree of flexibility because they are affordable and highly modifiable, and they can operate across a greater range of weather conditions, flight distances, and altitudes than the semi-stationary workstations hackers traditionally operate from.
Let’s dive into some examples of how enterprises must account for external drones entering their airspace and cyber threats to drones operated by the enterprise.
An external drone not owned or operated by the enterprise can achieve many objectives useful to cyber criminals wishing to attack an organization. These objectives include but are not limited to site surveillance, photographic reconnaissance, physical or electronic payload delivery, kinetic operations (flying a drone into something for a specific purpose), and as a diversionary tactic.
A prime example is using a drone to fly over a potential target to visually map out physical security barriers prior to a robbery, identifying security guard patrol locations and schedules, or determining if anyone even responds to the aircraft while it is present. Drone platforms are also commonly used globally to smuggle contraband such as drugs, cellphones, or weapons into prisons with an alarming success rate.
Enterprises with sound counter drone programs in place may still be limited in how they respond to external drone threats as it is commonly unlawful to simply shoot them down or capture them. Within the United States for example, operating a drone within Class G, uncontrolled airspace over another entity’s property without advanced notice is legally allowed. Some state and local laws allow property owners and businesses to file trespass claims against operators but the difficulty is often associating the drone platform to its operator and serving them written notice.
Similar laws allowing some degree of aerial trespass exist throughout other international jurisdictions including Australia, Singapore and the United Kingdom, with certain limitations. Enterprises are at a further disadvantage as malicious drone platforms cost anywhere from a few hundred to a thousand dollars, while Counter Unmanned Aircraft Systems (CUAS) can cost well into the millions of dollars per annum just for the software subscription, not counting the personnel to operate it.
From a risk management perspective, drone mitigation using detective controls such as CUAS are simply non-sustainable for many enterprises as the costs will typically far exceed the inherent risks.
Attacks against enterprise-owned drones
Cyberattacks against drones that an enterprise owns and operates are an entirely different animal. Further considerations must be taken to secure the onboard storage of the drone, ensure the routes drones travel are relatively safe (i.e., free from obstacles, sparsely populated, etc.), and ensure that the Wi-Fi or Radio Frequency (RF) signals used by drone platforms are properly encrypted against eavesdropping or manipulation.
Most drone platforms provide an onboard mini or micro SD card port for local storage. Common attacks against enterprise drones include platform takeover, where an attacker uses RF, Wi-Fi or a subscription service like Aerial Armor to detect flight paths of a drone in a geographical area, performs de-authentication attacks, takes over control of the drone, and lands the stolen drone in a location of their choosing.
From here, the attacker can physically remove onboard storage and pilfer the contents, depending on the storage configuration or potentially introduce malware via the SD card port, then leave the drone for the owner to find. Cybercriminals may also attempt to poison the geolocation instructions or Return To Home (RTH) coordinates of the drone to intentionally damage the aircraft or use it for other nefarious purposes causing the enterprise monetary damages in lost drone equipment, legal trouble, and reputational harm.
Let’s overview common tools or platforms built specifically to hack drones and see how some of these may assist cybersecurity applications in real world scenarios.
The first tool previewed in this article is Dronesploit, a Command Line Interface (CLI) solution which directly resembles and is similarly structured to the Metasploit Framework. Dronesploit seeks to combine various tools useful for penetration testing specific to drone platforms.
Dronesploit is dependent on Aircrack-ng being installed and fully functional in addition to having an appropriate wireless network adapter capable of sniffing wireless networks and performing packet injection. The first step before launching Dronesploit is to put an available wireless network interface into monitor mode using the “Airmon-ng start wlan0” command. Monitor mode status can be verified before proceeding by issuing the “iwconfig” command.
Once the wireless network interface is placed into Monitor mode, Dronesploit should be launched from a secondary command window while allowing the monitored interface to remain active. Dronesploit is ready to use once all warning messages stop prompting the user to take specific action (such as starting an interface in ‘Monitor’ mode).
Dronesploit is ideal for assessing Wi-fi based drones like DJI Tello or Hobbico drone platforms but has some general-purpose auxiliary modules that are effective across many drone models.
Some of the broadly useful commands reside in Dronesploit’s auxiliary family of modules. Metasploit users will be happy to see that Dronesploit leverages familiar command-lets to select modules, set various options and execute drone attacks.
Below is an example of the “wifi/find_ssids” command, outlining the monitored interface being used and the timeout values. Dronesploit can also directly call various elements of aircrack-ng to capture and attempt to crack WPA2 wireless handshakes, making it a highly versatile tool.
Danger Drone platform
The next tool the article will preview is the Danger Drone platform, as developed and discussed by penetration testing provider Bishop Fox. Dangerdrone is an affordable, mobile drone platform, leveraging a 3D printed airframe, with a Raspberry Pi small single-board computer.
It is optimized to carry a Wi-Fi pineapple for wireless network auditing and several other USB peripherals like Alfa wireless network interfaces to support aerial penetration testing efforts from a flying drone. Imagine a drone flying onto private property unnoticed, landing on the roof of a building, and performing wireless network attacks against the computers underneath or around it. Scary stuff…
The article will conclude with some more pointed drone pentesting examples using Aircrack-ng itself. Using the monitored interface from the Dronesploit example, aspects of Aircrack-ng can be used to perform several useful drone security tests, including identification of wireless drone networks, de-authentication of connected devices like a drone controller, or cracking of the WEP/WPA keys.
The below example shows how the “Airodump-ng wlan0” command is useful for identifying nearby drone wi-fi signals, including the MAC address of the broadcasting device, the network encryption scheme, and the wireless authentication standard used by the drone. In the example below, a hobbyist-level drone from Sanrock using Open Wi-Fi and a DJI drone with enhanced Wi-Fi security protections are identified.
Drones will establish a private Wi-Fi network to allow user interaction between the controller and mobile application for drone operations. The Sanrock drone has an open Wi-fi network standard that doesn’t require authentication, such as use of a Pre-shared key, to connect to it. A quick way to find the IP address of the drone Wi-Fi network in question is to try connecting to the broadcasting SSID from either Kali Linux or another system, like a mobile phone and once connected, running “ipconfig /all” to compare the IP address information to the connection properties of the drone network. Vulnerability scans and various other tools can be directed at this address to uncover other targets and start assessing them for points of entry.
Switching back to Aircrack-ng, a de-authentication attack can be accomplished using airodump-ng in conjunction with aireplay-ng. These attacks are useful for either drone takeover or obtaining the wireless network key for offline cracking. Attackers can successfully sabotage Return to Home (RTH) instructions using geolocation poisoning, where the communications between pilots and the drone platform are interrupted, initiating internal drone safety routines that automatically instruct the drone to navigate to and land in a pre-configured location, allowing physical theft of the platform.
The below command highlights how Airodump-ng is used to first discover a connected station (or client like a mobile device), and send de-authentication frames that disconnect the client. In this case, the Sanrock drone has no Wi-fi authentication mechanism like a WPA pre-shared key to capture, but tests did result in mobile application disconnection and drone takeover.
The second command “airodump-ng -c 1 --bssid 98:C9:7C: -w capture19 wlan0” is used to start a live capture file which is used primarily to capture WEP/WPA pre-shared keys and other useful details. The capture file can be sent to aircrack-ng later to attempt brute force cracking of the pre-shared key but is outside the scope of this article. With the capture running, the “aireplay-ng -0 100 -a 98:C9:7C13:8B:34 -c 3C:2E:FF:BE:9F:03 wlan0” command can be issued which results in de-authentication of the connected client. Notice a high degree of lost ethernet frames, indicating an interrupted connection. Assessments could continue using tools like Nmap and its scripting engine to locate open ports or OpenVAS to perform vulnerability scanning. With this in mind, a common trend begins to emerge showing how similar drone platforms are to mobile computing devices like laptops, and enterprises should consider assessing drone risk in a similar context.
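The de-authentication sequence above is what a defender sees from the other side: a sudden burst of 802.11 deauthentication (subtype 12) or disassociation (subtype 10) frames addressed to a drone's controller. The following is an added example, not code from the article or from the Aircrack-ng or Dronesploit projects, showing a sliding-window detector of the kind an enterprise could run over frames collected by its own monitor-mode sensor. The frame records, MAC addresses (locally administered placeholders) and the threshold of 20 frames in 2 seconds are all constructed assumptions; the management-frame subtype values are from the 802.11 standard.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes (frame-control field); a legitimate
# client or AP sends these rarely, a flood sends them every few milliseconds.
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC


def build_sample_frames():
    """Constructed sample capture (not real traffic). Each record is
    (timestamp_s, subtype, transmitter, receiver). The MACs are placeholders
    in the locally administered range, not addresses from the article."""
    ap = "02:00:00:00:00:01"      # placeholder drone access point
    client = "02:00:00:00:00:02"  # placeholder controller phone
    frames = []
    # one legitimate deauth as the client leaves the network
    frames.append((0.0, SUBTYPE_DEAUTH, ap, client))
    # ordinary data frames afterwards (subtype 0x0 stands in for "not management")
    for i in range(50):
        frames.append((5.0 + i * 0.1, 0x0, client, ap))
    # a burst of 100 spoofed deauth frames 10 ms apart, the shape of a flood
    for i in range(100):
        frames.append((12.0 + i * 0.01, SUBTYPE_DEAUTH, ap, client))
    return frames


def detect_deauth_floods(frames, window_s=2.0, threshold=20):
    """Count deauth/disassoc frames per (transmitter, receiver) pair inside a
    sliding window of window_s seconds. Returns {(tx, rx): peak_count} for
    every pair whose count within one window reached threshold; an empty
    dict means no flood was seen."""
    windows = defaultdict(deque)
    peaks = {}
    for ts, subtype, tx, rx in sorted(frames, key=lambda f: f[0]):
        if subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = windows[(tx, rx)]
        q.append(ts)
        # drop timestamps that fell out of the window
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            peaks[(tx, rx)] = max(peaks.get((tx, rx), 0), len(q))
    return peaks


if __name__ == "__main__":
    for (tx, rx), count in detect_deauth_floods(build_sample_frames()).items():
        print(f"deauth flood: {tx} -> {rx}, peak {count} frames in window")
```

The single legitimate deauth at the start never trips the detector; the burst does, because the window holds all 100 frames at once. In a real deployment the transmitter address would be compared against the enterprise's known drone BSSIDs, since a flood that spoofs the drone's own AP address is the pattern that precedes the takeover described above.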
This article doesn’t encourage unauthorized assessment of drone platforms not owned by the reader, nor does it educate the reader on in-depth hacking techniques against such platforms. The article simply demonstrates very basic approaches that may be used to assess enterprise drone security and assist enterprises in formulating defensive strategies based on their risk profile.
The article briefly showcased short-term drone market projections, which reflect the likelihood of drone presence globally. The article covered common malicious use cases enacted by bad actors, such as reconnaissance, some of the tools and platforms available to cybercriminals, and live examples of how these tools may be used maliciously.
Enterprises are accustomed to contending with cyber threats, which operate on the same ground-based playing field as they do. Now, they must be more vigilant than ever, as they must account for cyberattacks sourcing from the sky. It is vital that enterprises understand their position on drone-based risks and ensure appropriate policies, procedures, and that personnel are positioned to respond to these threats accordingly.
About the author: Adam Kohnke, contributor at CyberNews
Cuba ransomware gang received more than $60 million in ransom payments related to attacks against 100 entities worldwide as of August 2022.
The threat actors behind the Cuba ransomware (aka COLDDRAW, Tropical Scorpius) have demanded over 145 million U.S. Dollars (USD) and received more than $60 million in ransom payments from over 100 victims worldwide as of August 2022, the US government states.
Like other ransomware gangs, Cuba used ‘double extortion’ techniques which means that it exfiltrates data from the target systems before encrypting them and demanding a ransom payment, threatening to publicly release it if payment is not made.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory that provides technical details about the gang’s operations, including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware.
“FBI has identified a sharp increase in both the number of compromised U.S. entities and the ransom amounts demanded by Cuba actors.” reads the report. “Since spring 2022, Cuba ransomware actors have expanded their TTPs. Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.”
Since December 2021, Cuba operators have continued to target U.S. entities in the Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology sectors.
The Cuba gang has leveraged multiple techniques to gain initial access into victims’ networks, including the exploitation of known vulnerabilities in commercial software [T1190], phishing campaigns [T1566], compromised credentials [T1078], and legitimate remote desktop protocol (RDP) tools [T1563.002].
Once initial access was gained, the attackers distributed Cuba ransomware on compromised systems using the Hancitor loader.
Below are the vulnerabilities exploited by the group in its attacks:
CVE-2022-24521 – elevation of privilege flaw in Windows Common Log File System (CLFS) Driver
CVE-2020-1472 – elevation of privilege flaw in Netlogon remote protocol (aka ZeroLogon)
In May, MalwareHunterTeam found evidence that links Cuba and the Industrial Spy crew.
Since spring 2022, multiple reports also linked RomCom RAT actors to the Cuba gang.
Experts found multiple flaws in three Android Keyboard apps that can be exploited by remote attackers to compromise a mobile phone.
Researchers at the Synopsys Cybersecurity Research Center (CyRC) warn of three Android keyboard apps with cumulatively two million installs that are affected by multiple flaws (CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483) that can be exploited by attackers to compromise a mobile phone.
Keyboard and mouse apps connect to a server on a desktop or laptop computer and transmit mouse and keyboard events to a remote server.
These three Android apps (Lazy Mouse, PC Keyboard, and Telepad) are available on the official Google Play Store and are used as a remote keyboard and mouse.
CyRC experts warn of weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps.
“An exploit of the authentication and authorization vulnerabilities could allow remote unauthenticated attackers to execute arbitrary commands. Similarly, an exploit of the insecure communication vulnerability exposes the user’s keystrokes, including sensitive information such as usernames and passwords.” reads the analysis published by CyRC.
“Mouse and keyboard applications use a variety of network protocols to exchange mouse and keystroke instructions. Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different. The CyRC found vulnerabilities that enable authentication bypasses and remote code execution in the three applications, but did not find a single method of exploitation that applies to all three.”
The impacted software versions are:
Telepad versions 1.0.7 and prior
PC Keyboard versions 30 and prior
Lazy Mouse versions 2.0.1 and prior
Below are the details of the critical vulnerabilities:
CVE-2022-45477 Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.
CVE-2022-45479 PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.
CVE-2022-45481 The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.
CVE-2022-45482 The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.
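All four critical findings reduce to the same server-side mistake: the component that turns a network message into a keystroke or shell command trusts the message without checking who sent it, and where a PIN exists it is optional, weak, and unlimited in attempts. The following is an added illustration, not code from Telepad, PC Keyboard, Lazy Mouse or the CyRC advisory: a minimal Python model of a remote-input server in the unauthenticated form the advisory describes, next to a hardened form that makes the PIN mandatory, enforces a minimum length, stores it salted and hashed, compares it in constant time, and locks a peer out after repeated failures. The class names, PIN policy (6 characters, 5 failures, 60 second lockout) and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time


class InsecureInputServer:
    """Models the pattern in the advisory: every caller's command is
    executed with no authentication or authorization step at all."""

    def __init__(self):
        self.executed = []

    def handle(self, message):
        self.executed.append(message["cmd"])
        return "ok"


class HardenedInputServer:
    """A PIN is required at construction time (no password-less default),
    must meet a minimum length, is stored as a salted PBKDF2 hash, is
    checked in constant time, and failed attempts are rate limited with a
    per-peer lockout. Commands need a session token from a successful login."""

    MIN_PIN_LEN = 6          # assumed policy for the example
    MAX_FAILURES = 5
    LOCKOUT_S = 60.0
    PBKDF2_ROUNDS = 50_000

    def __init__(self, pin, clock=time.monotonic):
        if not pin or len(pin) < self.MIN_PIN_LEN:
            raise ValueError("a PIN of at least %d characters is required" % self.MIN_PIN_LEN)
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)
        self.clock = clock            # injectable so lockout expiry can be tested
        self.failures = {}            # peer -> (failure_count, locked_until)
        self.sessions = set()
        self.executed = []

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.PBKDF2_ROUNDS)

    def authenticate(self, peer, pin):
        """Returns (True, session_token) on success, or (False, reason)."""
        count, locked_until = self.failures.get(peer, (0, 0.0))
        now = self.clock()
        if now < locked_until:
            return (False, "locked")
        if hmac.compare_digest(self._hash(pin), self.pin_hash):
            self.failures.pop(peer, None)
            token = os.urandom(16).hex()
            self.sessions.add(token)
            return (True, token)
        count += 1
        if count >= self.MAX_FAILURES:
            # lock the peer out and reset the counter for the next window
            self.failures[peer] = (0, now + self.LOCKOUT_S)
        else:
            self.failures[peer] = (count, 0.0)
        return (False, "denied")

    def handle(self, message):
        """Only messages carrying a live session token are executed."""
        if message.get("token") not in self.sessions:
            return "unauthorized"
        self.executed.append(message["cmd"])
        return "ok"


if __name__ == "__main__":
    srv = HardenedInputServer("correct-horse")
    print(srv.handle({"cmd": "type hello"}))            # unauthorized
    ok, token = srv.authenticate("10.0.0.5", "correct-horse")
    print(srv.handle({"cmd": "type hello", "token": token}))  # ok
```

The lockout is what removes the brute-force path the fourth finding describes: five guesses per minute per peer turns even a numeric PIN into a multi-day search, and the constant-time comparison closes the timing side channel that a plain string equality would expose. The insecure communication finding is outside this model and would be fixed separately by wrapping the channel in TLS.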
The vulnerabilities were initially disclosed on August 13, 2022, and CyRC published the advisory because it has yet to receive a response from the development teams behind these apps.
This is the timeline for these vulnerabilities:
August 13, 2022: Initial disclosure
August 18, 2022: Follow-up communication
October 12, 2022: Final follow-up communication
November 30, 2022: Advisory published by Synopsys
“The CyRC reached out to the developers multiple times but has not received a response within the 90 day timeline dictated by our responsible disclosure policy. These three applications are widely used but they are neither maintained nor supported, and evidently, security was not a factor when these applications were developed.” concludes the report. “The CyRC recommends removing the applications immediately.”