Microsoft and NSA say a security bug affects millions of Windows 10 computers

Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.

The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software — like ransomware — on a vulnerable computer.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.

CERT-CC, the the vulnerability disclosure center at Carnegie Mellon University, said in its advisory that the bug can also be used to intercept and modify HTTPS (or TLS) communications.

Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and classified the bug as “important.”

Independent security journalist Brian Krebs first reported details of the bug.

The National Security Agency confirmed in a call with reporters that it found the vulnerability and turned over the details to Microsoft, allowing the company to build and ready a fix.

Only two years ago the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The agency used the vulnerability to create an exploit, known as EternalBlue, as a way to secretly backdoor vulnerable computers. But the exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.

Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch that once the vulnerability was discovered, it went through the vulnerabilities equities process, a decision-making process used by the government to determine if it should retain control of the flaw for use in offensive security operations or if it should be disclosed to the vendor. It’s not known if the NSA used the bug for offensive operations before it was reported to Microsoft.

“It’s encouraging to see such a critical vulnerability turned over to vendors rather than weaponized.”

Neuberger confirmed Microsoft’s findings that NSA had not seen attackers actively exploiting the bug.

Jake Williams, a former NSA hacker and founder of Rendition Infosec, told TechCrunch that it was “encouraging” that the flaw was turned over “rather than weaponized.”

“This one is a bug that would likely be easier for governments to use than the common hacker,” he said. “This would have been an ideal exploit to couple with man in the middle network access.”

Microsoft is said to have released patches for Windows 10 and Windows Server 2016, which is also affected, to the U.S. government, military and other high-profile companies ahead of Tuesday’s release to the wider public, amid fears that the bug would be abused and vulnerable computers could come under active attack.

The software giant kept a tight circle around the details of the vulnerabilities, with few at the company fully aware of their existence, sources told TechCrunch. Only a few outside the company and the NSA — such as the government’s cybersecurity advisory unit Cybersecurity and Infrastructure Security Agency — were briefed.

CISA also issued a directive, compelling federal agencies to patch the vulnerabilities.

Williams said this now-patched flaw is like “a skeleton key for bypassing any number of endpoint security controls,” he told TechCrunch.

Skilled attackers have long tried to pass off their malware as legitimate software, in some cases by obtaining and stealing certificates. Last year, attackers stole a certificate belonging to computer maker Asus to sign a backdoored version of its software update tool. By pushing the tool to the company’s own servers, “hundreds of thousands” of Asus customers were compromised as a result.

When certificates are lost or stolen, they can be used to impersonate the app maker, allowing them to sign malicious software and make it look like it came from the original developer.

Dmitri Alperovitch, co-founder and chief technology officer at security firm CrowdStrike, said in a tweet that the NSA-discovered bug was a “critical issue.”

“Everyone should patch. Do not wait,” he said.

Mozilla says a new Firefox security bug is under active attack

Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in “targeted attacks” against users.

The vulnerability, found by Chinese security company Qihoo 360, was found in Firefox’s just-in-time compiler. The compiler is tasked with speeding up performance of JavaScript to make websites load faster. But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer.

In practical terms, that means an attacker can quietly break into a victim’s computer by tricking the victim into accessing a website running malicious JavaScript code.

But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.

Browser vulnerabilities are a hot commodity in security circles as they can be used to infect vulnerable computers — often silently and without the user noticing — and be used to deliver malware or ransomware. Browsers are also a target for nation states and governments and their use of surveillance tools, known as network investigative techniques — or NITs. These vulnerability-exploiting tools have been used by federal agents to spy on and catch criminals. But these tools have drawn ire from the security community because the feds’ failure to disclose the bugs to the software makers could result in bad actors exploiting the same vulnerabilities for malicious purposes.

Mozilla issued the security advisory for Firefox 72, which had only been out for two days before the vulnerability was found.

Homeland Security’s cyber advisory unit, the Cybersecurity and Infrastructure Security Agency, also issued a security warning, advising users to update to Firefox 72.0.1, which fixes the vulnerability. Little information was given about the bug, only that it could be used to “take control of an affected system.”

Firefox users can update their browser from the settings.

Travelex suspends services after malware attack

Travelex, a major international foreign currency exchange, has confirmed its suspended some services after it was hit by malware on December 31.

The London-based company, which operates more than 1,500 stores globally, said it took systems offline to “as a precautionary measure in order to protect data” and to stop the spread of the malware.

Its U.K. website is currently offline, displaying a “server error” page. Its corporate site said the site was offline while it makes “upgrades.”  According to a tweet, Travelex said staff are “unable to perform transactions on the website or through the app.” Some stores are said to be manually processing customer requests.

Other companies, like Tesco Bank, which rely on Travelex for some services, have also struggled during the outage.

Travelex’s U.K. website is currently offline. (Screenshot: TechCrunch)

The company said no customer data has been compromised “to date,” but did not elaborate or provide evidence for the claim.

It’s also unclear why the company took two days to disclose the security incident.

The company declined to identify the kind of malware used in the attack, citing an ongoing forensic investigation. In the past year, several high-profile companies have been increasingly targeted by ransomware, a data encrypting malware, which only unscrambles the data once a ransom has been paid. Aluminum manufacturing giant Norsk Hydro and the U.K. Police Federation were both hit in March, then Arizona Beverages and Aebi Schmidt in April, and shipping company Pitney Bowes in October.

Several local and state governments have also been attacked by ransomware. New Orleans declared a state of emergency last month after its systems were hit by ransomware.

A Travelex spokesperson would not comment beyond the statement.

No, Spotify, you shouldn’t have sent mysterious USB drives to journalists

Last week, Spotify sent out a number of USB drives to reporters with a note: “Play me.”

It’s not uncommon for reporters to to receive USB drives in the post. Companies distribute USB drives all the time, including at tech conferences, often containing promotional materials or large files, such as videos that would otherwise be difficult to get into as many hands as possible.

But anyone with basic security training under their hat — which here at TechCrunch we do — will know to never plug in a USB drive without taking some precautions first.

Concerned but undeterred, we safely examined the contents of the drive using a disposable version of Ubuntu Linux (using a live CD) on a spare computer. We examined the drive and found it was benign.

On the drive was a single audio file. “This is Alex Goldman, and you’ve just been hacked,” the file played.

The drive was just a promotion for a new Spotify podcast. Because of course it was.

The USB drive that Spotify sent journalists. (Image: TechCrunch)

Jake Williams, a former NSA hacker and founder of Rendition Infosec, called the move “amazingly tone deaf” to encourage reporters into plugging in the drives to their computers.

USB drives are not inherently malicious, but are known to be used in hacking campaigns — like power plants and nuclear enrichment plants — which are typically not connected to the internet. USB drives can harbor malware that can open and install backdoors on a victim’s computer, Williams said.

“The files on the USB itself may contain active content,” he said, which when opened can exploit a bug on an affected device.

A spokesperson for Spotify did not comment. Instead, it passed our request to Sunshine Sachs, a public relations firm that works for Spotify, which would not comment on the record beyond that “all reporters received an email stating this was on the way.”

Plugging in random USB drives is a bigger problem than you might think. Elie Bursztein, a Google security researcher, found in his own research that about half of all people will plug in random USB drives into their computer.

John Deere earlier this year caused a ruckus after it distributed a promotion drive that actively hijacked the computer’s keyboard. The drive contained code which when plugged in ran a script, opened the browser, and automatically typed in the company’s website. Even though the drive was not inherently malicious, the move was highly criticized as malware often acts in an automated, scripted way.

Given the threats that USB drives can pose, Homeland Security’s cybersecurity division CISA last month updated its guidance about USB drive security. Journalists are among those who are frequent targets by some governments, including targeted cyberattacks.

Remember: always take precautions when handling USB drives. And never plug one in unless you trust it.

New Orleans declares state of emergency following ransomware attack

New Orleans declared a state of emergency and shut down its computers after a cyber security event, the latest in a string of city and state governments to be attacked by hackers.

Suspicious activity was spotted around 5 a.m. Friday morning. By 8 a.m., there was an uptick in that activity, which included evidence of phishing attempts and ransomware, Kim LaGrue, the city’s head of IT said in a press conference. Once the city confirmed it was under attack, servers and computers were shut down.

While ransomware was detected there are no requests made to the city of New Orleans at this time, but that is very much a part of our investigation, New Orleans Mayor LaToya Cantrell said during a press conference.

Numerous local and state governments have been plagued by ransomware, a file-encrypting malware that demands money for the decryption key. Pensacola, Florida and Jackson County, Georgia are just a few examples of the near-constant stream of ransomeware attacks over the past year. Louisiana state government was attacked in November, prompting officials to deactivate government websites and other digital services and causing the governor to declare a state of emergency. It was the state’s second declaration related to a ransomware attack in less than six months.

Governments and local authorities are particularly vulnerable as they’re often underfunded and unresourced, and unable to protect their systems from some of the major threats.

New Orleans, it appears was somewhat prepared, which officials said was the result of training and its ability to operate without internet. The investigation is in its early stages, but for now it appears that city employees didn’t interact with or provide credentials or any information to possible attackers, according to officials.

“If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking,” said Collin Arnold, director of Homeland Security, adding that they’ve gone back to pen and paper for now.

Police, fire and EMS are prepared to work outside of the city’s internet network. Emergency communications are not affected by the cybersecurity incident, according to city officials. However, other services such as scheduling building inspections are being handled manually.

New Orleans’s Real-Time Crime Center does work off the city network, however the cameras throughout the city record independently, so right now all of those cameras are still recording regardless of connectivity to the city’s network, Arnold added. 

Federal, state and local officials are now involved in an investigation into the security incident.

 

Justice Dept. charges Russian hacker behind the Dridex malware

U.S. prosecutors have brought computer hacking and fraud charges against a Russian citizen, Maksim Yakubets, who is accused of developing and distributing Dridex, a notorious banking malware used to allegedly steal more than $100 million from hundreds of banks over a multi-year operation.

Per the unsealed 10-count indictment, Yakubets is accused of leading and overseeing Evil Corp, a Russian-based cybercriminal network that oversaw the creation of Dridex. The malware is often spread by email and infects computers, silently siphoning off banking logins. The malware has also been known to be used as a delivery mechanism for ransomware, as was the case with the April cyberattack on drinks giant Arizona Beverages.

The Russian hacker is also alleged to have used the Zeus malware to successfully steal more than $70 million from victims’ bank accounts. Prosecutors said the Zeus scheme was “one of the most outrageous cybercrimes in history.”

Yakubets’ wanted poster. (Image: FBI/supplied)

Justice Department officials, speaking in Washington DC with their international partners from the U.K.’s National Crime Agency, said Yakubets also provided “direct assistance” to the Russian government in his role working for the FSB (formerly KGB) from 2017 to work on projects involving the theft of confidential documents through cyberattacks.

Prosecutors said Evil Corp was to blame for an “unimaginable” amount of cybercrime during the past decade, with a primary focus on attacking financial organizations in the U.S. and the U.K.

“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” said Brian Benczkowski, assistant attorney general in the Justice Department’s criminal division, in remarks.

The State Department announced a $5 million reward for information related to the capture of Yakubets, who remains at large.

In a separate statement, Treasury secretary Steven Mnuchin said the department issued sanctions against Evil Corp for the group’s role in international cyber crime, including two other hackers associated with the group — Igor Turashev and Denis Gusev — as well as seven Russian companies with connections to Evil Corp..

“This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group,” said Mnuchin.

Read more:

LA warns of ‘juice-jacking’ malware, but admits it has no cases

Los Angeles’ district attorney is warning travelers to avoid public USB charging points because “they may contain dangerous malware.”

Reading the advisory, you might be forgiven for thinking that every USB outlet you see is just waiting for you to plug in your phone so it can steal your data. This so-called “juice-jacking” attack involves criminals loading malware “on charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users,” it reads. “The malware may lock the device or export data and passwords directly to the scammer.”

But the county’s chief prosecutor’s office told TechCrunch said that it has “no cases” of juice-jacking on its books, though it said there are known cases on the east coast.When asked where those cases were, the spokesperson did not know. And when asked what prompted the alert to begin with, the spokesperson said it was part of “an ongoing fraud education campaign.”

Which begs the question — why?

Security researcher Kevin Beaumont tweeted that he hasn’t seen “any evidence of malware being used in the wild on these things.” In fact, ask around and you’ll find very little out there. Several security researchers have dropped me messages saying they’ve seen proof-of-concepts, but nothing actively malicious.

Juice-jacking is a real threat, but it’s an incredibly complicated and imperfect way to attack someone when there are far easier ways.

The idea, though — that you can plug in your phone and have your secrets stolen — is not entirely farfetched. Over the years there have been numerous efforts to demonstrate that it’s possible. As ZDNet points out in its coverage of the juice-jacking warning, the FBI sent out a nationwide alert about the threat after security researcher Samy Kamkar developed an Ardunio-based implant designed to look like a USB charger to wirelessly sniff the air for leaky key strokes. And just earlier this year, a security researcher developed an iPhone charger cable clone that let a nearby hacker run commands on the vulnerable computer.

LA recommend using an AC power outlet and not a charging station, and to take your cables with you. That’s sound advice, but it’s just one of many things you need to do to keep your devices and data safe.

American Cancer Society’s online store infected with credit card stealing malware

The American Cancer Society’s online store has become the latest victim of credit card stealing malware.

Security researcher Willem de Groot found the malware on the organization’s store website, buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page, like similar attacks targeting British Airways, Ticketmaster, AeroGarden, and Newegg.

The attackers, known as Magecart, use their stolen credit card numbers to sell on the dark web or use the numbers for committing fraud.

de Groot said in a blog post explaining the breach, shared exclusively with TechCrunch, that the code was designed to send collected credit card numbers to a third-party server, operated by the attacker. The code was malformed, leading to it being inserted twice. When the malicious code was decoded, it revealed the web address of the the hacker’s third-party server.

acs magecart

The card skimming malware on the American Cancer Society’s store’s website. (Image: TechCrunch)

Trend Micro said the domain is known to be used by Magecart. The domain is registered in Moscow, but the website itself loads nothing more than a decoy page.

The code was injected into the online store at some point late last week. de Groot informed the organization of the incident as soon as he found the code on Thursday by calling its anti-fraud hotline, but the code was not immediately removed. After we reached out Friday, the code was no longer present.

American Cancer Society spokesperson Kathi Dinicola did not return requests for comment.

It’s not known how many users were affected, but anyone who entered information through the American Cancer Society late last week should contact their payments provider.

Police hijack a botnet and remotely kill 850,000 malware infections

In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers.

The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer.

Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America.

According to a blog post announcing the bust, security firm Avast confirmed the operation was successful.

The security firm got involved after it discovered a design flaw in the malware’s command and control server. That flaw, if properly exploited, would have “allowed us to remove the malware from its victims’ computers” without pushing any code to victims’ computers, the researchers said.

The exploit would have dismantled the operation, but the researchers lacked the legal authority to push ahead. Because most of the malware’s infrastructure was located in France, Avast contacted French police. After receiving the go-ahead from prosecutors in July, the police went ahead with the operation to take control of the server and disinfect affected computers.

The French police called the botnet “one of the largest networks” of hijacked computers in the world.

The operation worked by secretly obtaining a snapshot of the malware’s command and control server with cooperation from its web host. The researchers said they had to work carefully as to not be noticed by the malware operators, fearing the malware operators could retaliate.

“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”

With a copy of the malicious command and control server in hand, the researchers built their own replica, which disinfected victim computers instead of causing infections.

“[The police] replaced the malicious [command and control] server with a prepared disinfection server that made connected instances of Retadup self-destruct,” said Avast in a blog post. “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw.”

In doing so, the company was able to stop the malware from operating and remove the malicious code to over 850,000 infected computers.

Jean-Dominique Nollet, head of the French police’s cyber unit, said the malware operators generated several million euros worth of cryptocurrency.

Remotely shutting down a malware botnet is a rare achievement — but difficult to carry out.

Several years ago the U.S. government revoked Rule 41, which now allows judges to issue search and seizure warrants outside of their jurisdiction. Many saw the move as an effort by the FBI to conduct remote hacking operations without being hindered by the locality of a judge’s jurisdiction. Critics argued it would set a dangerous precedent to hack into countless number of computers on a single warrant from a friendly judge.

Since then the amended rule has been used to dismantle at least one major malware operation, the so-called Joanap botnet, linked to hackers working for the North Korean regime.

US Cyber Command has publicly posted malware linked to a North Korea hacking group

U.S. Cyber Command, the sister division of the National Security Agency focused on offensive hacking and security operations, has released a set of new samples of malware linked to North Korean hackers.

The military unit tweeted Wednesday that it had uploaded the malware to VirusTotal, a widely used database for malware and security research.

It’s not the first time the unit has uploaded malware to the server — it has its own Twitter account to tell followers which malware it uploads. On one hand the disclosure helps security teams fight threats from nation states, but it also gives a rare glimpse inside the nation state-backed hacking groups on which Cyber Command is focused.

The uploaded malware sample is named Electric Fish by the U.S. government. Electric Fish is a tunneling tool designed to exfiltrate data from one system to another over the internet once a backdoor has been placed.

Electric Fish is linked to the APT36 hacking group.

FireEye says APT36 has distinctly different motivations from other North Korean-backed hacking groups like Lazarus, which was blamed for the Sony hack in 2016 and the WannaCry ransomware attack in 2017. APT36 is focused on financial crimes, such as stealing millions of dollars from banks across the world, the cybersecurity firm said.

Electric Fish was first discovered in May, according to Homeland Security’s cybersecurity division CISA, but APT36 has been active for several years.

A recently leaked United Nations report said the North Korean regime has stolen more than $2 billion through dozens of cyberattacks to fund its various weapons programs.

APT36 has amassed more than $100 million in stolen funds since its inception.