Risky Biz News: Half of 2022's zero-days are variants of older vulnerabilities

In other news: APT40 hires students to translate hacked data; Walmart denies ransomware attack; and cyber-insurance rates are stabilizing.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

If you lurk around enough security people and if you read enough infosec write-ups, at one point or another, you are going to run across the phrase "make 0-day hard."

If that sounds familiar, it's because the phrase is the unofficial motto of Project Zero, which is Google's most (in)famous security team, tasked with finding, tracking, and studying software vulnerabilities.

While Project Zero researchers have a broad range of responsibilities, one of their initial undertakings was to track the use of zero-days (previously unknown software vulnerabilities) in attacks that take place in the real world, studying their root cause, and then trying to spot if certain attacks can be prevented by working with vendors on fixing a particular bug class.

Since 2019, this job has primarily fallen under the task of Maddie Stone, a San Francisco-based security engineer who joined Project Zero from Android's security team. Her name is on most root cause analysis (RCA) reports published by the P0 team over the past few years, and you'll regularly find Stone presenting her and Project Zero's work at security conferences every few months.

Stone and Project Zero's work on putting together highly-detailed RCA reports have greatly contributed to making vendors and other security researchers aware of the fact that, in many cases, software vendors take the easy way out and release patches that address a particular attacker's exploit code, but do not fix the underlying issue in the software's code and how the software was designed to work.

This has led to situations where threat actors study the vendor's patch, find a new way to exploit the underlying issue, and launch new attacks with a new variant of the same zero-day.

While Stone slightly touched on this issue in the past, in a report published in April that analyzed the zero-days deployed in the wild throughout 2021 and in another report about the zero-days exploited in 2020, she now has new numbers to paint a new picture of this old problem.

In a new report published on Thursday, Stone said that 9 of the 18 zero-day vulnerabilities that were detected being used in the wild in the first half of 2022 have been variants of older vulnerabilities.

"At least half of the 0-days we've seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests," Stone said.

"On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug."

Stone argues that vendors should do more root cause analysis of their own. First, because it helps the security industry; second, because it helps the company's own developers too; but third, and most important, because it makes an attacker's job harder and may delay future attacks.

When 0-day exploits are detected in-the-wild, it's the failure case for an attacker. It's a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can't be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they're forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes.

Breaches and hacks

OpenSea malicious insider: OpenSea, today's largest NFT marketplace, has suffered a malicious insider incident. The company said that an employee of Customer.io, its email delivery vendor, misused their access to download the email addresses of OpenSea users who signed up for the marketplace's newsletter.

Walmart denies ransomware attack: US retail giant Walmart has denied getting hit by a ransomware attack. The company's name had been recently listed on the leak site of the Yanluowang ransomware gang, with the group claiming to have encrypted between 40,000 and 50,000 of the retailer's systems.

Harmony hack linked to North Korea: Experts from blockchain tracking company Elliptic have linked the $100 million hack of the Harmony inter-blockchain bridge to North Korean state-sponsored hackers. The finding is terrible news for the platform's customers, as it is now highly unlikely that the attackers would return any of the stolen funds. According to blockchain security firm PeckShield, the attackers have already laundered roughly $36 million of the stolen funds already. In the meantime, Harmony has increased its bounty on any information on the attackers from $1 million to $10 million, a sum they are also willing to offer to the attackers to return the stolen funds. Fat chance, though!

DDoS attacks hit Norway: The Norwegian National Security Authority blamed a series of large DDoS attacks against Norwegian companies on Tuesday on "a pro-Russian criminal group."

Geographic Solutions incident: A cyberattack has disrupted the activities of Geographic Solutions, a Florida-based company that provides unemployment claims and job placement for several US state governments. NBC News reports that the incident has impacted the services provided by departments of labor and related agencies in at least nine states, as well as the DC area.

Macmillan ransomware incident: Macmillan, one of the Big Five publishers of English language content, has been hit by ransomware, according to a report from Publishers Weekly. The incident appears to have taken place over the weekend, and the company said that some systems might be affected while they work to restore systems.

General tech and privacy

Google goes after YouTube scams: Google said on Thursday that it plans to remove the option for YouTube channel owners to hide their subscriber counts as a measure to fight spam on the platform. The measure is meant to fight a recent trend where threat actors are creating accounts mimicking legitimate ones and running various scams to defraud users. The idea is to show subscriber numbers at all times, which would allow regular users to differentiate between a legitimately popular account and a scammy one with almost no followers. [Read the full report in TechCrunch]

Chrome Password Manager updates: Google has rolled out a series of updates to the Chrome Password Manager. New features include grouping passwords for the same sites and apps together, the possibility of adding a home screen shortcut for the password manager utility, the ability to easily fix weak or compromised passwords, the possibility to manually add passwords to the manager, and a unified user interface across all platforms.

Coordinated action against Google: Ten consumer groups, under the coordination of the European Consumer Organisation (BEUC), have filed complaints with data protection agencies in their countries against Google for using misleading language and design choices that funnel users towards its "surveillance systems." BEUC said complaints had been filed in France, the Czech Republic, Norway, Greece, and Slovenia.

Government, politics, and policy

Israel warned US about power grid attacks: The Commander of Israel's vaunted IDF Unit 8200, the country's SIGINT agency, told Israeli media this week that his team warned the US of attempts from Iranian hackers to attack US power plants. Col. U., as he is identified, said they discovered the plot while investigating attacks on its water facilities last year.

RCMP admits to using spyware: Officials from Canada's Royal Canadian Mounted Police admitted for the first time that they used spyware in past investigations. The tools were used by the RCMP's CAIT (Covert Access and Intercept Team) in 10 past operations, dating as far back as 2018, according to a document shared by the agency with the Canadian Parliament last week. Officials said they resorted to intrusive spyware because targets switched to encrypted communication channels and wiretaps became ineffective.

NATO to create cyber rapid response force: At the recent NATO members conference in Madrid, Spain, the Alliance announced plans to create a rapid response cyber force team so members can respond faster to "significant malicious cyber activities." [Additional coverage in Cyberscoop]

UK removes Chinese-made cameras: The UK Department of Work and Pensions has banned the use and purchase of Chinese-made security cameras. Current cameras will be replaced over the next three years. The UK DWP now becomes the second UK government agency to ban Chinese-made cameras after the UK Department of Health and Social Care, according to the SCMP.

Cybercrime and threat intel

Uber CISO case: A US judge expanded the legal case against Joseph Sullivan, the former Uber CISO, to also include wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed the personal information of 57 million passengers and drivers, Reuters reported.

Ukraine phishing gang arrest: Ukraine's Cyber Police detained this week nine suspects that were part of a cybercrime group that ran more than 400 phishing sites. Most of the phishing sites mimicked EU websites offering financial assistance to Ukrainians. Officials said the gang stole an estimated 100 million hryvnias from their victims, worth around $3.4 million.

8220 gang: Microsoft has a Twitter thread on the recent activities of the 8220 Gang, a cryptocurrency-mining group active since early 2021. Microsoft says the group has been recently seen exploiting vulnerabilities like CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access against Linux systems, confirming similar observations from Check Point earlier this month.

Threat actor unmasked: A Romanian security researcher has delved into the workings of a recent phishing campaign mimicking the Romanian ANAF (National Agency for Fiscal Administration) and linked it to a threat actor based in Brazil.

Hacker-for-hire scene, international outlook: Google's TAG team has published an overview of the hacker-for-hire scenes in India (Appin and Belltrox), Russia (Void Balaur), and UAE. According to Google, the UAE group is particularly interesting because they are linked to the original developers of H-Worm, a malware strain also known as njRAT, and some of their campaigns have been documented as far back as 2018. As part of its report, Google also added more than 30 domains used by these companies to its Safe Browsing API, so users receiving emails or navigating to the sites will now receive security alerts.

Hacker-for-hire scene, Indian scene: Reuters investigative reporters Raphael Satter and Christopher Bing have published an in-depth piece on the activities of several India-based hacker-for-hire companies—such as Appin, BellTroX, and CyberRoot—that have breached lawyers & litigants on behalf of Western private eye firms.

Malware technical reports

YTStealer: Intezer's Joakim Kennedy took a deep dive into YTStealer, a new infostealer that has been specifically designed to steal YouTube account authentication cookies and has been used solely in targeted attacks against YouTube account owners. One of the malware's most innovative features is that YTStealer also navigates to a YouTube account owner's Studio page, from where it grabs information about the user's channels, such as channel name, how many subscribers it has, how old the channel is, if it is monetized, an official artist channel, and if the name has been verified.

MedusaLocker: CISA, the FBI, FinCEN, and the US Treasury have released a security advisory on the MedusaLocker ransomware. The agencies said the ransomware gang behind MedusaLocker has been active as recently as May 2022, and the gang has heavily relied on vulnerabilities in the Windows RDP service for initial access to victims' networks.

SessionManager IIS backdoor: Security researchers from Kaspersky have discovered a new IIS backdoor trojan that they named SessionManager. Researchers said SessionManager has been used against NGOs, government, military, and industrial organizations in Africa, South America, Asia, Europe, Russia, and the Middle East, starting from at least March 2021. Kaspersky said the malware appears to be a variant of the older OwlProxy backdoor and is most likely the work of the Gelsemium threat actor.

Toll fraud malware: Microsoft has a report out on what it calls "toll fraud malware," also known as WAP billing or premium number schemes.

New stealer detected: Broadcom's security team said it discovered a new infostealer named RecordStealer being used in the wild. An AhnLab report also has some details about this new malware strain.

Black Basta: A Trend Micro report details new tactics employed by Black Basta affiliates, who are now using the QakBot trojan for initial access into corporate networks and the PrintNightmare to expand their access.

FluBot trojan: Fox-IT researchers have published a technical report on the history and evolution of the FluBot Android banking trojan, a botnet that has been recently seized with the help of Europol. The researchers found that FluBot heavily relied on servers located in the Netherlands and that they do not rule out a FluBot comeback if they move future infrastructure to "safer" hosting companies.

APTs and cyber-espionage

Cryptocurrency crash: Blockchain tracking companies like Chainalysis and TRM Labs have told Reuters that the recent and sudden crash in cryptocurrency values has wiped out tens of millions from North Korea's caches of stolen cryptocurrency. For example, a North Korean cache of stolen funds lost about 80-85% of its value from last year and is now worth less than $10 million.

Chinese espionage: A Financial Times investigation found that members of the APT40 cyber-espionage group have lured Chinese students who spoke good English into working as translators for a front company that secretly and unbeknownst to them had them translate hacked documents or material needed for target reconnaissance. The FT said APT40 employed more than 140 students in this scheme, which operated out of the island of Hainan, where the Department of Justice and Intrusion Truth previously linked APT40's base of operation.

Vulnerabilities and bug bounty

XSS bug can steak your browser credentials: Researchers from GoSecure have found that the autofill feature in browsers like Chrome, Edge, Firefox, Opera, and Internet Explorer can be abused to steal user credentials from certain sites; if the same sites are also vulnerable to some sort of cross-site scripting (XSS) bugs.

Zoho ManageEngine vulnerability report: Horizon3 researchers have published a report on CVE-2022-28219, an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory. The vulnerability allows attackers to take over ManageEngine systems and then the local network by compromising domain admin accounts.

Unrar vulnerability in Zimbra: SonarSource researchers have discovered a vulnerability in the Unrar tool, part of the Zimbra CMS, which could be exploited to take over Zimbra instances.

Jenkins plugin vulnerabilities: The Jenkins project has published a security advisory warning about vulnerabilities in 25 plugins.

Call stack spoofing: F-Secure's William Burgess has published a technical write-up on a technique named call stack spoofing that can be used to confuse EDR products and hide malicious operations.

Infosec industry

New tool: eCrimeLabs has released and open-sourced a new tool called the MISP Purge Events tool. The name is self-explanatory.

Cyber insurance state: After a series of costly cyber-attacks have led to a spike in cyber-insurance rates, insurance broker Marsh said in a report released this week that rates are now stabilized again. [More on The Record]