Security Weekly News Episode #49 - July 14, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. News - SAP NetWeaver Vuln, More TikTok Wars, & TrickBot - 02:00 PM-02:30 PM
This week: even more TikTok wars, MGM Grand data for sale, Karens, an SAP vulnerability, Mirai returns with 9 new exploits, and the Secret Service! Jason Wood joins us for Expert Commentary on how a TrickBot sample accidentally warns victims they're infected!
Doug White's Content:
- SAP vulnerability rated 10 found in NetWeaver.
- 142 million credentials from the MGM Grand hotels reported.
- New Mirai Variant targets 9 vulnerabilities and focuses on IoT.
- US Secret Service creates new CyberFinancialFraud Task Force, the CFTF.
- US President confirms a cyberattack was conducted in 2018 on the IRA.
- Amazon bans TikTok and then backs off with no explanation.
- US says "strong action" coming on banning TikTok.
- FBI warns of increasing activity against K-12 school systems.
- So many Karens, so little time.
Jason Wood's Content:
Even criminal operations make mistakes sometimes.
If you've worked on developing or deploying software, you know something about the constant push to meet aggressive release deadlines. Apparently, this doesn't change if the software you are releasing is malware. TrickBot just slipped up and warned victims that they were infected instead of silently carrying out its operations. If you aren't familiar with this bit of malware, TrickBot is a recurring pain in the butt for organizations and security folks. It is primarily a banking trojan that will also download secondary payloads for execution. The malware is under very active development, both to add new features and to try to evade defenses. It's something that seems to come in waves via malicious emails.
The Threatpost article for this story indicates that a new version of the malware was released, but this time it had an issue. A new credential stealer for browsers was added to the malware, but instead of staying quiet, it pops up a warning that says, "You see this message because the program named grabber gathered some information from your browser. If you do not know what is happening it is the time to start be worrying. Please, ask your system administrator for details." Not exactly what the folks managing TrickBot would want.
TrickBot has the ability to add new modules fairly readily and, as I said earlier, is under constant development. It has added functionality like credential harvesting, backdoors, and reconnaissance commands. The blog post also mentions it has a new DLL named socksbot.dll, so a SOCKS5 proxy may be coming soon. To keep all this working as security defenses adapt to detect and block TrickBot, they have to change these modules up fairly regularly. In this case, something got released to live campaigns that shouldn't have been.
Vitali Kremez provided the research into this new version of the malware and posed a worrying hypothesis for how TrickBot’s development works. He said, “based on our assessment, it is hypothesized [that] if developed by an outsider coder, this test module possibly reveals the nature of the TrickBot operations as…hiring coders under the ruse of legitimate anti-malware activity development.” So the author of this module may not have even been aware that they were writing code for a criminal operation. Or at least they may be telling themselves that it’s legitimate research and ignoring red flags that indicate it might be something else. They wouldn’t be the first to fall prey to this type of duplicity.
Back in 2018, three members of the FIN7 group were arrested for their operations in stealing credit card information. As part of the indictment against the individuals, it was revealed that FIN7 used a front company to recruit and employ people who may not have been aware that they were participating in the activity. The company supposedly offered penetration testing and other offensive security services. They could then hire people to conduct portions of the assessment, who may have thought they were working for a legitimate security firm. Or at least it provided the feeling that they were, as long as they didn't look into things too closely. Marcus Hutchins shared a similar experience of working on something that may or may not have been legit. Then when his contact demanded work that he knew was only for illegal operations, he essentially felt blackmailed into carrying it out. Definitely a crappy position to be in.
Anyway, the story about TrickBot's misstep is a bit amusing and worth your time to read. It doesn't make much of it, but there is also a warning here to anyone who has a nagging suspicion that their financial backer might not be legit. It is entirely possible that these folks have been recruited into a criminal operation and aren't being told what is actually going on. If it is at all possible, I'd highly recommend getting out of it and finding another job that is clearly legit. Even in the time of plague, there's opportunity and legal security work out there.