Garmin global outage caused by ransomware attack, sources say

An ongoing global outage at sport and fitness tech giant Garmin was caused by a ransomware attack, according to two sources with direct knowledge of the incident.

The incident began late Wednesday and continued through the weekend, causing disruption to the company’s online services for millions of users, including Garmin Connect, which syncs user activity and data to the cloud and other devices. The attack also took down flyGarmin, its aviation navigation and route-planning service.

Portions of Garmin’s website were also offline at the time of writing.

Garmin has said little about the incident so far. A banner on its website reads: “We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”

The two sources, who spoke on the condition of anonymity as they are not authorized to speak to the press, told TechCrunch that Garmin was trying to bring its network back online after the ransomware attack. One of the sources confirmed that the WastedLocker ransomware was to blame for the outage.

One other news outlet appeared to confirm that the outage was caused by WastedLocker.

Garmin’s online services have been down for days. The cause is believed to be ransomware, according to two sources with direct knowledge of the incident. (Screenshot: TechCrunch)

WastedLocker is a new kind of ransomware, detailed by security researchers at Malwarebytes in May, operated by a hacker group known as Evil Corp. Like other file-encrypting malware, WastedLocker infects computers and encrypts the user’s files, demanding a ransom, typically in cryptocurrency, to unlock them.

Malwarebytes said that WastedLocker does not yet appear to have the capability to steal or exfiltrate data before encrypting the victim’s files, unlike other, newer ransomware strains. That means companies with backups may be able to escape paying the ransom. But companies without backups have faced ransom demands as much as $10 million.

The FBI has also long discouraged victims from paying ransoms related to malware attacks.

Evil Corp has a long history of malware and ransomware attacks. The group, allegedly led by a Russian national Maksim Yakubets, is known to have used Dridex, a powerful password-stealing malware that was used to steal more than $100 million from hundreds of banks over the past decade. Later, Dridex was also used as a way to deliver ransomware.

Yakubets, who remains at large, was indicted by the Justice Department last year for his alleged part in the group’s “unimaginable” amount of cybercrime during the past decade, according to U.S. prosecutors.

The Treasury also imposed sanctions on Evil Corp, including Yakubets and two other alleged members, for their involvement in the decade-long hacking campaign.

Because of those sanctions, it’s near-impossible for U.S.-based companies to pay the ransom — even if they wanted to — as U.S. nationals are “generally prohibited from engaging in transactions with them,” per a Treasury statement.

Brett Callow, a threat analyst and ransomware expert at security firm Emsisoft, said those sanctions make it “especially complicated” for U.S.-based companies dealing with WastedLocker infections.

“WastedLocker has been attributed by some security companies to Evil Corp, and the known members of Evil Corp — which purportedly has loose connections to the Russian government — have been sanctioned by the U.S. Treasury,” said Callow. “As a result of those sanctions, U.S. persons are generally prohibited from transacting with those known members. This would seem to create a legal minefield for any company which may be considering paying a WastedLocker ransom,” he said.

Efforts to contact the alleged hackers were unsuccessful. The group uses different email addresses in each ransom note. We sent an email to two known email addresses associated with a previous WastedLocker incident, but did not hear back.

A Garmin spokesperson could not be reached for comment by phone or email on Saturday. (Garmin’s email servers have been down since the start of the incident.) Messages sent over Twitter were also not returned. We’ll update if we hear back.

Meet EventBot, a new Android malware that steals banking passwords and two-factor codes

Security researchers are sounding the alarm over a newly discovered Android malware that targets banking apps and cryptocurrency wallets.

The malware, which researchers at security firm Cybereason recently discovered and called EventBot, masquerades as a legitimate Android app — like Adobe Flash or Microsoft Word for Android — which abuses Android’s in-built accessibility features to obtain deep access to the device’s operating system.

Once installed — either by an unsuspecting user or by a malicious person with access to a victim’s phone — the EventBot-infected fake app quietly siphons off passwords for more than 200 banking and cryptocurrency apps — including PayPal, Coinbase, CapitalOne and HSBC — and intercepts two-factor authentication text message codes.

With a victim’s password and two-factor code, the hackers can break into bank accounts, apps and wallets, and steal a victim’s funds.

“The developer behind EventBot has invested a lot of time and resources into creating the code, and the level of sophistication and capabilities is really high,” Assaf Dahan, head of threat research at Cybereason, told TechCrunch.

The malware quietly records every tap and key press, and can read notifications from other installed apps, giving the hackers a window into what’s happening on a victim’s device.

Over time, the malware siphons off banking and cryptocurrency app passwords back to the hackers’ server.

The researchers said that EventBot remains a work in progress. Over a period of several weeks since its discovery in March, the researchers saw the malware iteratively update every few days to include new malicious features. At one point the malware’s creators improved the encryption scheme it uses to communicate with the hackers’ server, and included a new feature that can grab a user’s device lock code, likely so the malware can grant itself higher privileges on the victim’s device, such as access to payments and system settings.

But while the researchers are stumped as to who is behind the campaign, their research suggests the malware is brand new.

“Thus far, we haven’t observed clear cases of copy-paste or code reuse from other malware and it seems to have been written from scratch,” said Dahan.

Android malware is not new, but it’s on the rise. Hackers and malware operators have increasingly targeted mobile users because many device owners have their banking apps, social media, and other sensitive services on their device. Google has improved Android security in recent years by screening apps in its app store and proactively blocking third-party apps to cut down on malware — with mixed results. Many malicious apps have evaded Google’s detection.

Cybereason said it has not yet seen EventBot on Android’s app store or in active use in malware campaigns, limiting the exposure to potential victims — for now.

But the researchers said users should avoid untrusted apps from third-party sites and stores, many of which don’t screen their apps for malware.

Ex-NSA hacker drops new zero-day doom for Zoom

Zoom’s troubled year just got worse.

Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.

The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

Wardle’s first bug piggybacks off a previous finding. Zoom uses a “shady” technique — one that’s also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as “root.”

Those root-level user privileges mean the attacker can access parts of the underlying macOS operating system that are typically off-limits to most users, making it easier to run malware or spyware without the user noticing.

The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will “automatically inherit” any or all of Zoom’s access rights, he said — and that includes Zoom’s access to the webcam and microphone.

“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.

Because Wardle dropped details of the vulnerabilities on his blog, Zoom has not yet provided a fix. Zoom also did not respond to TechCrunch’s request for comment.

In the meantime, Wardle said, “if you care about your security and privacy, perhaps stop using Zoom.”

Google’s Advanced Protection program for high-risk users now includes malware protection

Google is expanding the feature set for its Advanced Protection Program, a security offering that helps safeguard Google Accounts of those at risk for targeted attacks — like politicians, journalists, activists, business leaders, and others. The program already provides an increased level of protection for these accounts by limiting access to data, blocking fraudulent account access, supporting the use of physical security keys, and more. Today, Google is adding new malware protections to the program, as well.

For starters, those enrolled in the Advanced Protection Program will have Google Play Protect automatically enabled. This is Google’s built-in malware protection for Android that’s currently used to scan and verify 100 billion apps per day, Google notes. The system uses machine learning to automatically scan users’ devices and apps to check for harmful behavior and potential security issues. Now, this will be enabled for Advanced Protection Program members and cannot be turned off.

The program will also now limit users’ ability to install apps from outside the Play Store, where apps are now scanned for malware before approval. Those from outside the store can present a greater risk. Google will now prevent the download of non-Play Store apps on any devices enrolled in the Advanced Protection Program, with a few exceptions. Users will be able to install non-Play Store apps through other third-party app stores that may have shipped on their device from the device manufacturer. Others can be installed through the developer tool Android Debug Bridge. However, Google says non-Play Store apps that have already been installed won’t be removed and can continue to be updated.

Google launched its Advanced Protection Program in fall 2017, as an opt-in option for those who believe they’re at increased risk of online attacks. The program focuses on defending against phishing, locking down malicious apps, and fending off hackers. The trade-off is reduced convenience as there are additional steps to take during authentication and more limitations on what can be done. But the result is a safer, and free, way to increase the security of your account and device.

The new added protections will roll out gradually to accounts enrolled in the Advanced Protection Program on Android devices, and will be followed later this year by new malware protections for Chrome, Google says. However, G Suite users won’t get these new protections now — instead, they’re offered through endpoint management, which helps secure devices belonging to mobile workforces.

Hackers hit NutriBullet website with credit card-stealing malware

Magecart hackers have struck again, this time targeting the NutriBullet website.

According to new research by security firm RiskIQ, hackers broke into the blender maker’s website several times over the past two months, injected malicious credit card-skimming malware on its payment pages and siphoned off the credit card numbers and other personal data — like names, billing addresses, expiry dates and card verification values — of unsuspecting blender buyers.

The data was scraped and sent to a third-party server, operated by the attackers. The stolen credit card data is then sold to buyers on dark web marketplaces.

NutriBullet fought back by removing the malicious code each time. But RiskIQ said that the hackers still have access to the company’s infrastructure, with the hackers targeting NutriBullet’s website as recently as last week.

RiskIQ head of threat research Yonathan Klijnsma warned against using the site until the company “acknowledges our outreach and performs a cleanup.”

NutriBullet’s chief information officer Peter Huh confirmed the intrusions and said the company had “launched forensic investigations” into the incident, and claimed it will “work closely with outside cybersecurity specialists to prevent further incursions,” but did not name the outside firm.

Huh and a spokesperson declined to answer our questions, specifically if customers would be notified of the security incident.

It’s the latest attack by Magecart, a group of groups rather than a single entity of hackers, all of which have different motivations and targets but all of which use largely the same tactics and techniques. There are eight known Magecart groups focused on stealing credit card numbers for profit, according to Klijnsma.

Hackers associated with Magecart tactics have in the past few years hit Ticketmaster, British Airways, the American Cancer Society and consumer electronics giant Newegg.

With the help of security outfits AbuseCH and Shadowserver, RiskIQ began efforts to take down the malicious domain that the hackers were using to send stolen credit card numbers. But Klijnsma acknowledged that the group, still with access to NutriBullet’s infrastructure, can keep spinning up new malicious domains and re-infecting the site with credit card-scraping malware.

“They’re learning from past attacks to stay one step ahead,” said Klijnsma. “It’s on the security community to do the same.”

Microsoft and NSA say a security bug affects millions of Windows 10 computers

Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.

The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software — like ransomware — on a vulnerable computer.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.

CERT-CC, the vulnerability disclosure center at Carnegie Mellon University, said in its advisory that the bug can also be used to intercept and modify HTTPS (or TLS) communications.

Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and classified the bug as “important.”

Independent security journalist Brian Krebs first reported details of the bug.

The National Security Agency confirmed in a call with reporters that it found the vulnerability and turned over the details to Microsoft, allowing the company to build and ready a fix.

Only two years ago the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The agency used the vulnerability to create an exploit, known as EternalBlue, as a way to secretly backdoor vulnerable computers. But the exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.

Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch that once the vulnerability was discovered, it went through the vulnerabilities equities process, a decision-making process used by the government to determine if it should retain control of the flaw for use in offensive security operations or if it should be disclosed to the vendor. It’s not known if the NSA used the bug for offensive operations before it was reported to Microsoft.

Neuberger confirmed Microsoft’s findings that NSA had not seen attackers actively exploiting the bug.

Jake Williams, a former NSA hacker and founder of Rendition Infosec, told TechCrunch that it was “encouraging” that the flaw was turned over “rather than weaponized.”

“This one is a bug that would likely be easier for governments to use than the common hacker,” he said. “This would have been an ideal exploit to couple with man in the middle network access.”

Microsoft is said to have released patches for Windows 10 and Windows Server 2016, which is also affected, to the U.S. government, military and other high-profile companies ahead of Tuesday’s release to the wider public, amid fears that the bug would be abused and vulnerable computers could come under active attack.

The software giant kept a tight circle around the details of the vulnerabilities, with few at the company fully aware of their existence, sources told TechCrunch. Only a few outside the company and the NSA — such as the government’s cybersecurity advisory unit Cybersecurity and Infrastructure Security Agency — were briefed.

CISA also issued a directive, compelling federal agencies to patch the vulnerabilities.

Williams told TechCrunch that this now-patched flaw is like “a skeleton key for bypassing any number of endpoint security controls.”

Skilled attackers have long tried to pass off their malware as legitimate software, in some cases by obtaining and stealing certificates. Last year, attackers stole a certificate belonging to computer maker Asus to sign a backdoored version of its software update tool. Because the tool was pushed through the company’s own servers, “hundreds of thousands” of Asus customers were compromised as a result.

When certificates are lost or stolen, they can be used to impersonate the app maker, allowing attackers to sign malicious software and make it look like it came from the original developer.

Dmitri Alperovitch, co-founder and chief technology officer at security firm CrowdStrike, said in a tweet that the NSA-discovered bug was a “critical issue.”

“Everyone should patch. Do not wait,” he said.

Mozilla says a new Firefox security bug is under active attack

Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in “targeted attacks” against users.

The vulnerability, discovered by Chinese security company Qihoo 360, lies in Firefox’s just-in-time compiler. The compiler is tasked with speeding up performance of JavaScript to make websites load faster. But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer.

In practical terms, that means an attacker can quietly break into a victim’s computer by tricking the victim into accessing a website running malicious JavaScript code.

But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.

Browser vulnerabilities are a hot commodity in security circles as they can be used to infect vulnerable computers — often silently and without the user noticing — and be used to deliver malware or ransomware. Browsers are also a target for nation states and governments and their use of surveillance tools, known as network investigative techniques — or NITs. These vulnerability-exploiting tools have been used by federal agents to spy on and catch criminals. But these tools have drawn ire from the security community because the feds’ failure to disclose the bugs to the software makers could result in bad actors exploiting the same vulnerabilities for malicious purposes.

Mozilla issued the security advisory for Firefox 72, which had only been out for two days before the vulnerability was found.

Homeland Security’s cyber advisory unit, the Cybersecurity and Infrastructure Security Agency, also issued a security warning, advising users to update to Firefox 72.0.1, which fixes the vulnerability. Little information was given about the bug, only that it could be used to “take control of an affected system.”

Firefox users can update their browser from the settings.

Travelex suspends services after malware attack

Travelex, a major international foreign currency exchange, has confirmed it suspended some services after it was hit by malware on December 31.

The London-based company, which operates more than 1,500 stores globally, said it took systems offline “as a precautionary measure in order to protect data” and to stop the spread of the malware.

Its U.K. website is currently offline, displaying a “server error” page. Its corporate site said the site was offline while it makes “upgrades.” According to a tweet, Travelex said staff are “unable to perform transactions on the website or through the app.” Some stores are said to be manually processing customer requests.

Other companies, like Tesco Bank, which rely on Travelex for some services, have also struggled during the outage.

Travelex’s U.K. website is currently offline. (Screenshot: TechCrunch)

The company said no customer data has been compromised “to date,” but did not elaborate or provide evidence for the claim.

It’s also unclear why the company took two days to disclose the security incident.

The company declined to identify the kind of malware used in the attack, citing an ongoing forensic investigation. In the past year, several high-profile companies have been increasingly targeted by ransomware, a data-encrypting malware which only unscrambles the data once a ransom has been paid. Aluminum manufacturing giant Norsk Hydro and the U.K. Police Federation were both hit in March, then Arizona Beverages and Aebi Schmidt in April, and shipping company Pitney Bowes in October.

Several local and state governments have also been attacked by ransomware. New Orleans declared a state of emergency last month after its systems were hit by ransomware.

A Travelex spokesperson would not comment beyond the statement.

No, Spotify, you shouldn’t have sent mysterious USB drives to journalists

Last week, Spotify sent out a number of USB drives to reporters with a note: “Play me.”

It’s not uncommon for reporters to receive USB drives in the post. Companies distribute USB drives all the time, including at tech conferences, often containing promotional materials or large files, such as videos that would otherwise be difficult to get into as many hands as possible.

But anyone with basic security training under their belt — which here at TechCrunch we do — will know to never plug in a USB drive without taking some precautions first.

Concerned but undeterred, we safely examined the contents of the drive using a disposable version of Ubuntu Linux (using a live CD) on a spare computer. We examined the drive and found it was benign.

On the drive was a single audio file. “This is Alex Goldman, and you’ve just been hacked,” the file played.

The drive was just a promotion for a new Spotify podcast. Because of course it was.

The USB drive that Spotify sent journalists. (Image: TechCrunch)

Jake Williams, a former NSA hacker and founder of Rendition Infosec, called the move “amazingly tone deaf” to encourage reporters into plugging in the drives to their computers.

USB drives are not inherently malicious, but are known to be used in hacking campaigns against targets — like power plants and nuclear enrichment plants — which are typically not connected to the internet. USB drives can harbor malware that can open and install backdoors on a victim’s computer, Williams said.

“The files on the USB itself may contain active content,” he said, which when opened can exploit a bug on an affected device.

A spokesperson for Spotify did not comment. Instead, it passed our request to Sunshine Sachs, a public relations firm that works for Spotify, which would not comment on the record beyond that “all reporters received an email stating this was on the way.”

Plugging in random USB drives is a bigger problem than you might think. Elie Bursztein, a Google security researcher, found in his own research that about half of all people will plug random USB drives into their computer.

John Deere earlier this year caused a ruckus after it distributed a promotional drive that actively hijacked the computer’s keyboard. The drive contained code which, when plugged in, ran a script, opened the browser, and automatically typed in the company’s website. Even though the drive was not inherently malicious, the move was highly criticized, as malware often acts in an automated, scripted way.

Given the threats that USB drives can pose, Homeland Security’s cybersecurity division CISA last month updated its guidance about USB drive security. Journalists are among those frequently targeted by some governments, including with targeted cyberattacks.

Remember: always take precautions when handling USB drives. And never plug one in unless you trust it.

New Orleans declares state of emergency following ransomware attack

New Orleans declared a state of emergency and shut down its computers after a cyber security event, the latest in a string of city and state governments to be attacked by hackers.

Suspicious activity was spotted around 5 a.m. Friday morning. By 8 a.m., there was an uptick in that activity, which included evidence of phishing attempts and ransomware, Kim LaGrue, the city’s head of IT, said in a press conference. Once the city confirmed it was under attack, servers and computers were shut down.

While ransomware was detected, there are no requests made to the city of New Orleans at this time, but that is very much a part of our investigation, New Orleans Mayor LaToya Cantrell said during a press conference.

Numerous local and state governments have been plagued by ransomware, a file-encrypting malware that demands money for the decryption key. Pensacola, Florida and Jackson County, Georgia are just a few examples of the near-constant stream of ransomware attacks over the past year. Louisiana state government was attacked in November, prompting officials to deactivate government websites and other digital services and causing the governor to declare a state of emergency. It was the state’s second declaration related to a ransomware attack in less than six months.

Governments and local authorities are particularly vulnerable as they’re often underfunded and unresourced, and unable to protect their systems from some of the major threats.

New Orleans, it appears, was somewhat prepared, which officials said was the result of training and its ability to operate without internet. The investigation is in its early stages, but for now it appears that city employees didn’t interact with or provide credentials or any information to possible attackers, according to officials.

“If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking,” said Collin Arnold, director of Homeland Security, adding that they’ve gone back to pen and paper for now.

Police, fire and EMS are prepared to work outside of the city’s internet network. Emergency communications are not affected by the cybersecurity incident, according to city officials. However, other services such as scheduling building inspections are being handled manually.

New Orleans’s Real-Time Crime Center does work off the city network; however, the cameras throughout the city record independently, so right now all of those cameras are still recording regardless of connectivity to the city’s network, Arnold added.

Federal, state and local officials are now involved in an investigation into the security incident.