All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly reviewing the news for interesting stories and developments in the cybersecurity world. Here’s what stood out to us during the week of September 27, 2021. We’ve also included the comments from a few folks here at Tripwire VERT.
REvil Ransomware Group Goes Offline
Back in July 2021, CyberNews reported that the REvil ransomware group’s website and infrastructure had gone offline. It was just a few weeks later when the security community witnessed the emergence of BlackMatter. This ransomware project “incorporated in itself the best features of DarkSide, REvil, and LockBit,” per The Record. Whatever that means, it didn’t stop REvil from re-emerging later in the year, as reported by Bleeping Computer.
John Wenning | Security analyst at Tripwire
Nearly all varieties of ransomware simply leave your computer alone if you have a Russian keyboard installed. KrebsonSecurity also had an article on this topic titled, “Try This One Weird Trick Russian Hackers Hate.” This article says, “The fact that there is a malware whitelist (i.e., do not operate) on computers with Russian keyboard layouts doesn’t necessarily mean it comes out of Russia.” That may be true, but I think the important takeaway isn't where the malware originated from but the fact that there is a “simple trick” that can provide a good degree of protection just by installing a keyboard.
To add a Russian keyboard:
- Windows Key + "X"
- Go To Settings
- Time and Language
- Language
- Add a Language and then select “Russia” Language and you are done.
If you have inadvertently switched to the Russian keyboard layout, you can toggle back by using the Windows Key and the space bar.
Script Helps Facilitate Windows 11 Installs on Incompatible Hardware
At the end of September, Bleeping Computer covered the emergence of a script that allows users to bypass Microsoft’s requirements for installing Windows 11. It does this by allowing people to install the new operating system (OS) on devices that might lack TPM 2.0, Secure Boot, and other hardware. Those who use the script run certain risks, however. Microsoft said that users who install Windows 11 on incompatible hardware might not get security updates, thus leaving them potentially more vulnerable to digital threats.
Ed Bull | Security researcher for Tripwire
Microsoft has said that unsupported systems might not get security updates. Learn more here.
Attackers Can Abuse Apple AirTag to Phish Users’ iCloud Accounts
The Apple AirTag is designed to help forgetful users keep track of their belongings. All they need to do is attach an AirTag device to their keys or their bike, and they can then use the Find My app to locate it. Notwithstanding the benefits of such a device, KrebsonSecurity wrote that malicious actors can use AirTag to launch iCloud phishing attempts.
Tyler Reguly | Manager of software development at Tripwire
I find this very interesting. AirTags seem like a great idea to me. I was a Tile user, but I found they were rather limited in their functionality. AirTags eliminate a lot of the shortcomings that I felt existed within the Tile offering. However, their popularity makes attacks like this a real risk.
I was recently made aware of parents in, as my sister put it, "Facebook mommy groups" discussing putting AirTags in bracelets purchased off Amazon and using them to track their children. This use case makes it even more likely that an unsuspecting parent at a park may be inclined to pick up a lost AirTag and scan it. Combining a tag with one of these bracelets in a setting popular with children may even increase the likelihood that someone will attempt to return it. As for Apple's responsiveness, I have heard this before, so I'm not surprised by that.
Women, Minorities Singled Out for Cybercrime Attempts
Threatpost covered a survey in which researchers discovered that certain demographic groups are more likely to encounter digital threats than others. For instance, 79% of women said that they receive text messages from unknown numbers carrying malicious links. That’s compared to 73% of men. Similarly, 45% of BIPOC people said that someone has attacked their social media accounts. Only 40% of white people said the same.
Darlene Hibbs | Engineer of software development at Tripwire
Most of the findings in this article seem pretty predictable. Lower income people being more likely to be victimized by cybercrime is likely due to wanting to believe scams that promise to solve some of their financial issues. Older people having their credit card information stolen more often could be due to less familiarity with technology in general. Women being more likely to have their social media accounts hacked can be explained by women having more social media accounts and being more active on them.
What did stand out as interesting to me is that high-level income people can lose more money online while still feeling safer. But I have to wonder about the average numbers given in the survey since the higher value for high-level income would have come from a smaller sample size, as well. It can make sense that they would still feel safer online since losing money would probably have a smaller impact on their overall well-being than a smaller amount of money could have on a lower income person.
Microsoft: Basic Authentication to Be Disabled in October 2022
On September 26, Bleeping Computer shared Microsoft’s announcement that it would begin permanently disabling Basic Authentication for all protocols starting on October 1, 2022. Basic Authentication is an HTTP-based scheme that simplifies the authentication process. However, it makes it easy for attackers to steal credential theft and more difficult for admins to implement multi-factor authentication (MFA).
Andrew Swoboda | Engineer of software development at Tripwire
Basic authentication is finally being disabled on October 1st in Microsoft Exchange. Forcing users to modern authentication methods will definitely improve security for their users. Basic authentication should have been retired a long time ago.
Mirai Variant Using New Router Zero-Day for Distribution
Network Security Research Lab at 360 observed Mirai_ptea_Rimasuta, a variant of the Mirai botnet, abusing a zero-day flaw in RUIJIE routers to spread. Its analysts also witnessed the malware using a new built-in mechanism to determine whether it was running in a sandbox.
Craig Young | Principal security researcher with Tripwire VERT
It's really interesting to see how Mirai has evolved in the five years since the source was released. I've spent some time analyzing and reversing Mirai samples before, and the XOR "encryption" is totally laughable, so it is unsurprising that someone would have replaced this.
What is more interesting is that attack groups are still finding it useful to target unmaintained devices with default password attacks. The fact that attackers are still targeting these systems indicates that there is still an abundance of low-hanging fruit vulnerabilities plaguing the Internet of Things. It begs the question of whether we need ISPs and governments to step in by cleaning up “vulnerability debt” on the Internet.
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next news roundup comes out? Subscribe to our newsletter here.