Threat Source newsletter (Oct. 6, 2022) — Continuing down the Privacy Policy rabbit hole

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

As I wrote about last week, I’ve been diving a lot into apps’ privacy policies recently. And I was recently made aware of a new type of app I never knew existed — family trackers.

There are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. As an anxious soon-to-be-parent, this sounds intriguing to me — it’d be a supped-up version of Find my Friends on Apple devices so I’d never have to ask my teenager (granted, I’m many years away from being at that stage of my life) when they were coming home or where they were.

Just as with all other types of mobile apps, there are pitfalls, though.

Life360, one of the most popular of these types of apps and even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be selling precise location data on its users, potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get a hold of it. Even if Life360 doesn’t intend to let adversaries see this information, they don’t have direct control over how those third parties handle the information once it’s sold off.

The app’s current and updated privacy policy states that it "may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes.” However, users do have the ability to opt out of this inside the app.

There is hardware that offers this same type of tracking. Jealous, angry or paranoid spouses and parents have used Apple’s AirTags in the past to unknowingly track people, eventually to the point that Apple had to address the issue directly and provide several updates to AirTags’ security and precise location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings.

This is truthfully just an area of concern I had never considered before. Many parents would do anything for their children’s safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we’ve said before, no one truly has “nothing to hide,” especially when it comes to minors or vulnerable populations. I’m not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.

The one big thing

Microsoft warned last week of the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.

Why do I care?
Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.
So now what?

While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. While Microsoft continues to update their mitigations, some security researchers posit they can be bypassed. Talos has released several Snort rules to detect the exploitation of these vulnerabilities and associate malware families used in these attacks.

Top security headlines from the week

More than 2 million Australians’ personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification, along with other personal data, according to an update from the company’s CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver’s license, only to later backtrack to say that would not be the case for everyone affected. Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. (ABC News, Nine News)

The Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the unified Los Angeles School District after the district refused to pay a requested extortion payment after a ransomware attack several weeks ago. Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware attacks as the school year started and their networks were particularly vulnerable. (Axios, Los Angeles Times)

The infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and Dell hardware to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and injecting malicious updates for that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and high-profile journalist in Belgium. Lazarus Group is known for operating with North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. (Bleeping Computer, Security Affairs)

Can’t get enough Talos?

Upcoming events where you can find Talos

Cisco Security Solution Expert Sessions (Oct. 11 & 13)

Virtual

GovWare 2022 (Oct. 18 - 20)

Sands Expo & Convention Centre, Singapore

Conference On Applied Machine Learning For Information Security (Oct. 20 - 21)

Sands Capital Management, Arlington, Virginia

Most prevalent malware files from Talos telemetry over the past week

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

MD5: f1fe671bcefd4630e5ed8b87c9283534

Typical Filename: KMSAuto Net.exe

Claimed Product: KMSAuto Net

Detection Name: PUA.Win.Tool.Hackkms::1201

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: 63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f

MD5: a779d230c944ef200bce074407d2b8ff