IDG Contributor Network: Can you hack me now?

“Can you hear me now?”

With well over 200,000 cell towers up and running in the United States (and counting), the question posed by Verizon in a wildly successful 2011 ad campaign has been answered in the affirmative for the overwhelming majority of the country. But in the wake of a new, super-connected wireless world, some other questions have emerged:

Partnerstroka: Large tech support scam operation features latest browser locker

Tech support scams continue to be one of the top consumer threats in 2018, despite actions from security vendors and law enforcement. Scammers are constantly looking for new ways to reel in more victims, going beyond cold calls impersonating Microsoft to rogue tech support ads using the good name of legitimate brands, and of course, malicious pop-ups.

We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser locker (browlock) pages. While it is common for crooks in this industry to reuse design templates, we were still able to isolate incidents pertaining to this group, which we have been tracking under the name Partnerstroka.

However, we caught up with the same campaign again recently and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome. In this blog post, we share some of our findings on this group and their latest techniques.

Identification

The browser locker is typical of those we normally see, but the crooks have ensured that most browsers and operating systems are covered with their own landing page. The page served is determined by inspecting the user-agent string when the client requests the page from the malicious server. It is further customized via JavaScript functions that perform the “locking” part of the scam.

Different templates for the same browlock domain

The name we track this campaign under is inspired by the string “stroka” found within the HTML source code. That same string (and similar code) was also present in previous JavaScript-based “Police Browlocks” that required users to pay a fine with vouchers. However, because code reuse is common among scammers, it is likely to be an entirely different group.

Campaign identification via redirects, TLD and registrar

The threat actors use dozens of Gmail accounts following a somewhat predictable pattern.

Registrant emails tied to the Partnerstroka campaign

Each email address is tied to anywhere from a few to several hundred .club (gTLD) browlock domains abusing the GoDaddy registrar/hosting platform, with whom we have shared our investigation.

A view of the domains belonging to one email address

We were able to extract over 16,000 malicious domains during a period of several months, but we believe the actual number is much higher. Indeed, our visibility into the depth of this campaign was partly tied to the email addresses we had cataloged and unfortunately, the new privacy laws around whois records hindered our research.

Traffic distribution

We observed different techniques to redirect unsuspecting users to the browlock pages, although malvertising was almost always an element in the chain. The likelihood of getting redirected to one of these browlocks is higher when visiting websites that have less than optimal advertising practices.

BlackTDS

BlackTDS is a Traffic Distribution System (TDS) used by crooks to deliver web threats and avoid unwanted traffic (i.e. not real humans). The kind of traffic that comes out of it ranges from social engineering attacks to infections via exploit kits.

The Partnerstroka group used various ad networks to drive visitors to the browlock page, sometimes directly but often via the intermediary of an .info gate.

BlackTDS traffic, malvertising, .info gate, and .club browlock

Decoy sites

Another technique the threat actors leveraged was redirects via decoy portals performing what we call “cloaking,” a trick used to serve malicious content only to certain kinds of users and redirect others (non-targets) to a benign-looking page instead.

Traffic from decoy sites leading to .club browlock

Blogspot redirects

We also came across a number of blogs hosted on Blogger (now owned by Google). These were either empty or only showed limited content, and again, their purpose was to perform redirects to the browlock pages.

Rogue Blogspot pages used for redirects

Studying their redirection chain more closely, we found something interesting in how the browlock domain was being called. They used a marketing tracker in between that would respond with the latest registered browlock domain:

Redirect from Blogspot to the browlock

Malvertising via injected sites

The majority of activity we are observing lately comes from websites that have been injected with ad code. While some website owners do this purposely to monetize their traffic, it becomes a lot more suspicious when we find matching ad campaign identifiers across domains that have seemingly nothing in common.

Browser locker for Edge on Windows 10 from a malvertising chain

The evil cursor

There are many different documented techniques that can be used to prevent users from closing a tab or browser window, and often those are specific to each browser. For instance, Edge and Firefox users will often get the authentication required prompt in a loop, while Chrome users are served nastier tricks, such as actual attempts to freeze the browser or trigger thousands of downloads.

In early September, we came across the Partnerstroka group again and noticed that they had incorporated a browser locker technique that worked against the latest version of Google Chrome (69.0.3497.81). Like other such tricks, it effectively prevented users from closing the offending page, because the mouse cursor had been hijacked.

As can be seen in the animation above, the red dot represents what the user actually clicks on, even though the cursor itself seems to be way off. The code responsible for this unwanted behavior can be found within the HTML body tag:

A few lines of code to alter the mouse cursor

The Base64 blurb decodes to a simple image of a low-resolution mouse cursor, but the important bit is the 128×128 transparent pixel, which essentially turns your cursor into a large box. We reported this issue via the Chromium bug tracker portal, and the first person who replied showed what that custom “evil” cursor looks like:

The new cursor showing an actual (invisible) square

This is one example of many such tricks that can be used against modern browsers. Often, features that are either well-documented or more obscure turn into attack vectors used to further fool end users, causing them to dial up the scammers for assistance. Indeed, the sound of an alert and a browser that appears to be completely locked up triggers panic for many people. These are essentially the same scare tactics that have been used for ages and still work well.
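The trick above works because the cursor image is far larger than a real cursor, so the visible pointer and the actual click hotspot no longer line up. The following is an added example, not code from the Malwarebytes write-up or from the scam pages themselves: a small Node.js check that takes page HTML and flags CSS custom cursors defined inline as base64 PNG data URIs whose image exceeds a normal cursor size. The 32 px threshold, the PNG-header-only sample images and the sample page are assumptions constructed for this example.

```javascript
// Added example, not code from the Malwarebytes write-up: a static check that
// scans HTML for CSS custom cursors built from inline base64 data: URIs and
// flags ones whose image is larger than a normal cursor. The size threshold
// (32 px, the traditional cursor size) and the sample page are assumptions.

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Read width/height from a PNG's IHDR chunk (the first chunk after the signature).
// Returns null if the bytes do not start like a PNG.
function parsePngSize(bytes) {
  if (bytes.length < 24 || !bytes.subarray(0, 8).equals(PNG_SIGNATURE)) return null;
  if (bytes.toString('ascii', 12, 16) !== 'IHDR') return null;
  return { width: bytes.readUInt32BE(16), height: bytes.readUInt32BE(20) };
}

// Find every `cursor: url(data:<mime>;base64,<payload>)` declaration in the
// markup (inline style attributes or <style> blocks) and report oversized or
// unverifiable cursor images.
function findSuspiciousCursors(html, maxDim = 32) {
  const cursorRe = /cursor\s*:\s*url\(\s*['"]?data:([^;,'"]+);base64,([A-Za-z0-9+/=]+)['"]?\s*\)/gi;
  const findings = [];
  let m;
  while ((m = cursorRe.exec(html)) !== null) {
    const [, mime, b64] = m;
    const size = mime === 'image/png' ? parsePngSize(Buffer.from(b64, 'base64')) : null;
    let reason = null;
    if (size === null) {
      reason = `cursor image is ${mime}, dimensions could not be verified`;
    } else if (size.width > maxDim || size.height > maxDim) {
      reason = `cursor image ${size.width}x${size.height} exceeds ${maxDim}x${maxDim}`;
    }
    if (reason !== null) findings.push({ offset: m.index, mime, size, reason });
  }
  return findings;
}

// Constructed test input: a PNG signature plus IHDR header only (enough for the
// size check above; not a complete, renderable PNG).
function fakePngDataUri(width, height) {
  const buf = Buffer.alloc(24);
  PNG_SIGNATURE.copy(buf, 0);
  buf.writeUInt32BE(13, 8);        // IHDR data length
  buf.write('IHDR', 12, 'ascii');  // chunk type
  buf.writeUInt32BE(width, 16);
  buf.writeUInt32BE(height, 20);
  return `data:image/png;base64,${buf.toString('base64')}`;
}

// Constructed sample page: one ordinary 16x16 cursor and one 128x128 cursor of
// the kind described above.
const SAMPLE_HTML = `<html><body style="cursor: url(${fakePngDataUri(128, 128)}), auto;">
<a style="cursor: url('${fakePngDataUri(16, 16)}'), pointer;">link</a>
</body></html>`;

for (const f of findSuspiciousCursors(SAMPLE_HTML)) {
  console.log(`offset ${f.offset}: ${f.reason}`);
}
```

The check only reads the PNG header, so it is cheap enough to run over crawled landing pages or proxy-captured HTML; cursors in non-PNG formats are reported as unverified rather than silently passed, which is the conservative choice for a triage tool.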

Similar campaigns

We have noted an increase in tech support scams abusing the NameCheap registrar. While we cannot positively identify that this is also the Partnerstroka group (landing page reuse among scammers is a thing), they definitely share some common traits.

Domain Name: ukxhdp[.]club
Registrar URL: http://www.namecheap.com
Creation Date: 2018-08-21T15:06:23Z

Planning Doesn’t Have to Be the Enemy of Agile

Executive Summary

Planning was one of the cornerstones of management, but it’s now fallen out of fashion. It seems rigid, bureaucratic, and ill-suited to a volatile, unpredictable world. However, organizations still need some form of planning. And so, universally valuable, but desperately unfashionable, planning waits like a spinster in a Jane Austen novel for someone to recognize her worth. The answer is agile planning, a process that can coordinate and align with today’s agile-based teams. Agile planning also helps to resolve the tension between traditional planning’s focus on hard numbers, and the need for “soft data,” or human judgment.

Leveraging Segmentation to Secure IoT

The rapid deployment of IoT devices has had a significant and lasting impact on the security of today’s evolving network. BYOD, the first significant infusion of IoT devices, which began over a decade ago, was focused mainly on user-owned devices such as mobile phones and laptops. Even then, as system administrators began to wrestle with ways to integrate unsecured and unprotected devices into primarily closed networks, cybercriminals quickly began exploiting this new attack vector.

Evaluating the Threatscape One Year After NotPetya Ransomware Attack

The NotPetya cyber-attack occurred a little over a month after WannaCry, targeting Ukrainian organisations.

The attack was initiated using a corrupted update for accounting and tax software that was used almost universally by organisations, private and public, across the country. The malware employed the same SMB exploit that WannaCry leveraged to propagate inside networks, which was effective because many organisations had still not applied the patch released in early 2017. Even organisations that had applied the patch for this Microsoft vulnerability were susceptible to infection by NotPetya, because it also employed a credential harvesting tool called “Mimikatz”, which automates the collection of credentials on Windows systems. This allowed the malware to spread within networks even where the “EternalBlue” SMB exploit had been fixed. Because of this dual propagation technique, the malware could also infect organisations outside Ukraine that had an office or branch in the country.

Over 60 Vulnerabilities Patched In Microsoft September Updates

Tripwire’s Vulnerability and Exposure Research Team (VERT) has uncovered and investigated many of the vulnerabilities found within the Microsoft September 2018 Security Updates. Tripwire identified three vulnerabilities as critical, with exploitation more likely. One of these is CVE-2018-8440, which takes advantage of a flaw in the Task Scheduler’s ALPC (Advanced Local Procedure Call) interface to escalate privileges.

What is Vulnerability Management Anyway?

Vulnerability management (VM) programs are the meat and potatoes of every comprehensive information security program. They are not optional anymore. In fact, many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program.

If you don’t have vulnerability management tools, or if your VM program is ad hoc, there’s no time like the present. In fact, the Center for Internet Security’s Critical Security Control #3 calls out continuous vulnerability assessment and remediation as an integral part of risk and governance programs.

If you’re still thinking of a vulnerability management policy as a tactical operations tool to use occasionally, there are a lot of good reasons to reconsider. It should be one of the cornerstones of your security program.

A Quick Vulnerability Management Definition

Let’s start by making sure we’re all talking about the same thing. The vulnerability management process is a continuous information security risk undertaking that requires management oversight. There are four high-level processes that encompass vulnerability management: discovery, reporting, prioritization and response. In a strong vulnerability management framework, each process and the sub-processes within it need to be part of a continuous cycle focused on improving security and reducing the risk profile of network assets.

Vulnerability Management Best Practices

Managing vulnerabilities with discovery and rediscovery

Discovery is the process by which network assets are found, categorized and assessed. Information about assets should be categorized into data classes such as vulnerability, configuration, patch state, compliance state or just inventory. The discovery phase should find every computing asset (yes, every single one) on your network and build a database of knowledge other VM processes can use. Since your network is in a constant state of change, the information about your assets needs to be continually refreshed.

Reports, reports, reports

Reporting of the data found during discovery generally provides a number of different outcomes appropriate for different audiences. Reports should create a prioritization matrix that feeds into vulnerability management processes. After all, the raw data on every vulnerability in an enterprise isn’t terribly useful. Ideally, these reports can also be used for tactical operations tasks and, at a higher level, to provide visibility and business-oriented risk metrics to upper management.

In VM, Priorities Are (Almost) Everything

Prioritization is a critical vulnerability management process that ranks known risks according to a predefined set of characteristics. For example, prioritization should spark a thought process something like this: given the current state of the asset from the discovery process, the value of that specific asset and any known threats, how important is it that we spend resources to remediate or mitigate these risks? Alternately, are the known risks on this specific asset at this time acceptable to our business?

The goal of prioritization is to use a vulnerability management tool to create a customized list of what to tackle first, second, third and so on. Ideally, this prioritized list of actions is used to feed ticketing systems for IT ops and drive specific tasks for system operators.

Risk Response

Risk response is the second half of the vulnerability prioritization process. Essentially, risk response is the approach an organization chooses to address the known risks (note: ignoring risk is not a response). Addressing risk falls into three categories: remediate, mitigate or accept.

Remediation can be thought of as the act of correcting a discovered flaw. For example, if a vulnerability is caused by a missing patch, one option is to remediate the problem by installing the patch.

On the other hand, mitigation is the act of reducing risk by taking some other action, generally outside the immediate realm of the affected system. For example, instead of fixing a discovered web application flaw on your system, you could choose to install a web application firewall. The vulnerability is still there, but with the web application firewall in place, the risk is diminished.

Risk acceptance is making a choice to accept the risk without remediation or mitigation. As an example, the security operations team may recommend that lab equipment run antivirus software. However, business stakeholders agree not to use AV software because it would affect engineering test cases. In this case, the business has chosen to accept the known risk.

In Scope, Out of Scope

Now that we all agree on the importance of vulnerability management and what it includes, we should also discuss things that it doesn’t include, because it seems like a lot of people are confused about this.

Pen testing not included in vulnerability management

Vulnerability management is not a penetration test. Just because a product scans your systems doesn’t mean you have a pen test tool. In fact, the reality is quite the opposite. A vulnerability management scanner is often checking for the presence or absence of a specific condition, such as the installation of a specific patch. A pen test tool, on the other hand, will actually attempt to break into the system using predefined exploits. While both types of tests might ultimately deliver the same recommendation, the methods used to arrive at these conclusions are wildly different. If you’re looking for a good pen test, odds are good that you need more than a tool. A pen test should be exhaustive and include physical testing and in-person interviews as well as many other things.

Configure this

While many vulnerability management systems work in conjunction with configuration management systems, there is an important distinction between the two. In fact, CIS has a lot to say about this. Vulnerability management may uncover problems related to system configuration and flag them as risks. However, the operation and management of system configurations are distinctly part of the configuration management program.

Define Continuous VM

Your vulnerability management data is only as good as the last time it was updated. Just like an audit, the data reported is only relevant to the last time an asset was assessed. The key to creating the most relevant data set is to run your vulnerability management program frequently. For some companies, this means daily or weekly. I don’t think you can call your program continuous if you update it once a quarter, and let’s not even talk about annual assessments, because we all know the rate of change on networks means annual data is pretty useless eleven months of the year.

The Alpha and the Omega (NOT)

Vulnerability management is only one piece of a security program. It’s not going to solve the entire risk management challenge. Vulnerability management is the foundation of a security program. You have to start with a comprehensive understanding of what’s on your network. If you don’t know it’s there, there’s no way you can protect it. You also have to understand the risks for every asset on your network in order to effectively prioritize and remediate.

In future articles, we will dig deeper into the parameters of a good vulnerability management program, including prioritization, coverage and agent vs. agentless.

Find out more about Tripwire’s vulnerability management solutions by downloading the Vulnerability Management Buyer’s Guide today.
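As an added illustration, not code from the Tripwire article or from any Tripwire product, the following Node.js script runs the four processes the article names (discovery, reporting, prioritization, response) over a constructed inventory. It ranks each finding by severity times asset value with a bump for known exploits, picks remediate, mitigate or accept for each one with acceptance only ever coming from an explicit risk register entry, and flags assets whose discovery data is older than the program's freshness window. The weights, the seven-day window, the sample assets and the CVE-EXAMPLE identifiers are all assumptions made for this example.

```javascript
// Added example, not code from the Tripwire article: a toy pass over
// constructed discovery data that follows the four processes named above
// (discovery -> reporting -> prioritization -> response). The scoring weights,
// the staleness window, the sample inventory and the CVE-EXAMPLE ids are all
// assumptions; a real program would pull these from a scanner and a risk register.

const STALE_AFTER_DAYS = 7; // assumption: "continuous" means assessed at least weekly

// Constructed output of a discovery run: assets with a business value (1-5),
// the date they were last assessed, and the findings the scanner reported.
const DISCOVERY = [
  { id: 'web-01', value: 5, lastAssessed: '2018-09-10', findings: [
      { id: 'CVE-EXAMPLE-0001', cvss: 9.8, exploitKnown: true, patchAvailable: true },
      { id: 'CVE-EXAMPLE-0002', cvss: 5.3, exploitKnown: false, patchAvailable: true } ] },
  { id: 'lab-07', value: 1, lastAssessed: '2018-06-01', findings: [
      { id: 'CVE-EXAMPLE-0003', cvss: 7.5, exploitKnown: true, patchAvailable: false } ] },
  { id: 'db-02', value: 5, lastAssessed: '2018-09-11', findings: [] },
];

function daysBetween(fromIso, toIso) {
  return Math.round((Date.parse(toIso) - Date.parse(fromIso)) / 86400000);
}

// Prioritization: rank every (asset, finding) pair by severity x asset value,
// doubled when an exploit is known. Findings from stale data are kept but flagged.
function prioritize(assets, asOfIso) {
  const rows = [];
  for (const asset of assets) {
    const stale = daysBetween(asset.lastAssessed, asOfIso) > STALE_AFTER_DAYS;
    for (const f of asset.findings) {
      const raw = f.cvss * asset.value * (f.exploitKnown ? 2 : 1);
      rows.push({ asset: asset.id, assetValue: asset.value, finding: f, stale,
                  score: Number(raw.toFixed(1)) });
    }
  }
  return rows.sort((a, b) => b.score - a.score);
}

// Response: remediate when a fix exists, otherwise mitigate, unless the business
// has explicitly accepted this exact risk. Ignoring a finding is never an option.
function chooseResponse(row, acceptedRisks) {
  if (acceptedRisks.has(`${row.asset}:${row.finding.id}`)) return 'accept';
  if (row.finding.patchAvailable) return 'remediate';
  return 'mitigate';
}

// Reporting: the ranked action list for operators plus the assets whose data is
// too old to trust, for management visibility.
function buildReport(assets, asOfIso, acceptedRisks) {
  const ranked = prioritize(assets, asOfIso).map((row) => ({
    asset: row.asset, finding: row.finding.id, score: row.score, stale: row.stale,
    response: chooseResponse(row, acceptedRisks),
  }));
  const staleAssets = assets
    .filter((a) => daysBetween(a.lastAssessed, asOfIso) > STALE_AFTER_DAYS)
    .map((a) => a.id);
  return { ranked, staleAssets };
}

// Constructed risk register entry, in the spirit of the article's lab-equipment
// example: the business has signed off on leaving this lab finding as-is.
const ACCEPTED = new Set(['lab-07:CVE-EXAMPLE-0003']);

const report = buildReport(DISCOVERY, '2018-09-12', ACCEPTED);
for (const r of report.ranked) {
  console.log(`${String(r.score).padStart(5)}  ${r.asset}  ${r.finding}  ${r.response}${r.stale ? '  (stale data)' : ''}`);
}
console.log('assets needing rediscovery:', report.staleAssets.join(', ') || 'none');
```

The ranked list is what would feed a ticketing system; the stale-asset list is the "continuous" check, since a finding that was last confirmed months ago says little about the asset today and should trigger rediscovery before anyone acts on it.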