20. Not Just Phishing for the Halibut
Coming up this week on Breaking Badness. Today we discuss: More Doom and Zoom for the Video Conferencing Industry, Holy Mackerel Amazon Accounts No Longer in Their Prime After Targeted Phishing Kit, and The Karma Initiative.
Here are a few highlights from each article we discussed:
- While this vulnerability didn’t sit around for TOO long before being addressed, there are still some frustratingly long durations in this timeline considering the implications of the issue. So Jonathan responsibly disclosed this issue to Zoom on March 26 of this year, though he had actually requested, via Twitter, to get a hold of someone at Zoom a couple of weeks earlier.
- Importantly, in his report, he also described a quick fix that he suggested Zoom could implement to mitigate the problem.
- Unfortunately the process of getting to an eventual fix was slow. In April there were a couple of back-and-forths with folks at Zoom as well as with the security teams at Chromium and Mozilla (who had some of their own suggestions for Zoom).
- The next significant milestone was a meeting to decide how to deal with this, and that was on June 11, and for those of you who aren’t Rain Man, that is at the T-18 days mark for the 90 day responsible disclosure window. At any rate, finally on June 21, Zoom reported the vulnerability was fixed.
- The thing that makes this a big deal is that there were NOT any obvious red flags for the average user, or for that matter even for relatively tech-savvy and security conscious users. You basically had to do some digging around in the command line in order to see whether you had this shadow web server running on your machine—which is an easy enough check to do, but you have to know what to look for before you start looking for it.
- Zoom’s response wasn’t encouraging, especially in the beginning. For example, one of the first suggestions Jonathan made was that they stop giving a meeting host the control of whether the participants had audio and video enabled when joining. They were resistant to that, even in the face of this huge vulnerability. They did end up changing that, but only after the vulnerability had been in the wild for an unacceptably long time.
- As of July 9, they promised to have a full patch out by the next day. It appears that they did in fact release it. And Apple took a slightly more straightforward approach—they rolled out a silent update, also around the 9th or 10th or so of July as far as I can tell, that uninstalled the undocumented Zoom web server. That was only a partial fix without the fix from Zoom, however.
- Unfortunately, this story lays bare an uncomfortable truth about security and commercial convenience products: you’re at the mercy of implementation choices made by others, and sometimes they’re going to make poor choices. The most conservative stance an organization can take is to allow only a standard suite of applications that have passed rigorous security review. But the reality for most orgs is they don’t have the ability to do that. And this is a fairly well-known video conferencing tool used by lots of completely legit organizations and users. It’s not like it appeared to be some sketchy thing that would sideload while you were busy torrenting movies or something. So even “patch now” seems like kind of lame advice here. Good web filtering potentially would have reduced the risk of this one to some extent, but certainly not eliminated it, since a lot of web filters would not catch the line or two of code that enabled this exploit.
- 16Shop is a phishing kit – which is a collection of tools for easily launching a phishing page. A lot of phishing kits can be purchased by less tech savvy individuals who only need to tie it to their domain of choice (purchased or hijacked) to have a (usually) nice looking phishing page up and ready to grab credentials.
- 16Shop made noise starting late last year by spoofing the Apple login page. Victims are primarily located in the US and Japan, and receive phishing emails with PDFs that contain links to phishing sites. Along with their Apple credentials, the 16Shop kit is also designed to steal credit card and other personal information.
- In May, McAfee researchers noticed a new slew of Amazon phishing pages that looked to be closely related to the old 16Shop Apple activity. A Facebook group belonging to the likely actors behind 16Shop changed their profile picture to be reminiscent of Amazon’s logo, further suggesting that Amazon is their next target after Apple.
- The kit originated in Indonesia, made by a hacker who goes by the handle “DevilScreaM”.
- Handles multiple languages including English, Japanese, Spanish, and German.
- The kit emails stolen credentials to the threat actor, but also stores a local copy of them in plain text.
- The kit includes a local blocklist of IPs, including security companies. This is not new or unique to this phishing kit. A lot of kits and malware do this to try to avoid detection, but it’s not super effective (obviously). But it does show that the author of 16Shop has at least put a smidgen of thought into making his kit more effective and persistent by avoiding detection by security companies.
- The new version released in May of this year includes a backdoor that sends all data to the kit author via Telegram. (McAfee suspects that was added by a second actor, not the original author).
- Interestingly, the actual author of the malware has been identified, but no justice has come his way. Tweet thread here.
- Qulab was built to steal information from the browser (history, credentials, cookies) and from other programs (FileZilla, Discord, Steam).
- It is coded in AutoIt, an automation language with BASIC-like syntax that runs only on Microsoft Windows. In this case, it’s downloading from malicious links on YouTube videos claiming to have “cracked” free copies of this app. Seems a fitting punishment, imo, if not harsh enough.
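On the Zoom point above that you had to dig around in the command line to see whether a shadow web server was running: the check is simply to look for services bound to the loopback interface that you did not expect. The script below is an added example written for these notes, not something from the podcast or from Zoom; it assumes `ss -ltnp` style output (on macOS, `lsof -nP -iTCP -sTCP:LISTEN` gives similar information), and the `exampleopener` process name and port `31337` in the sample are constructed placeholders, not Zoom's real values.

```shell
#!/bin/sh
# Flag services listening only on the loopback interface that are not on an
# allowlist of expected ports. Feed it `ss -ltnp` output, e.g.:
#   ss -ltnp | flag_loopback_listeners 631 5432
# Arguments are allowlisted ports; every other 127.0.0.1 / [::1] listener is reported.
flag_loopback_listeners() {
    allow=" $* "
    # Field 4 of `ss -ltnp` is the local "address:port"; the port follows the last ':'.
    awk -v allow="$allow" '
        NR == 1 && $1 == "State" { next }   # skip the header line
        {
            addr = $4
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[^:]*$/, "", host)
            if ((host == "127.0.0.1" || host == "[::1]") && index(allow, " " port " ") == 0)
                print "loopback listener on port " port ": " $0
        }'
}

# Constructed sample in `ss -ltnp` shape (not real system output). The
# "exampleopener" process and port 31337 are placeholders, not Zoom's actual values.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=812,fd=6))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      128    127.0.0.1:31337     0.0.0.0:*         users:(("exampleopener",pid=2210,fd=4))'

# Run the check over the constructed sample and return how many listeners were flagged.
count_flagged() {
    printf '%s\n' "$SAMPLE" | flag_loopback_listeners "$@" | awk 'END { print NR }'
}

# Stand-alone run: with only the CUPS port allowlisted, the placeholder opener is reported.
printf '%s\n' "$SAMPLE" | flag_loopback_listeners 631
```

The sshd line is ignored because it is bound to all interfaces, which is the normal case for a service you meant to expose; the point of the check is the localhost-only listener that a browser on the same machine can reach but a network scan never shows you.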
This Week’s Hoodie Scale
More Doom and Zoom for the Video Conferencing Industry
[Emily]: 6/10 Hoodies
[Tim]: 6/10 Hoodies
Holy Mackerel Amazon Accounts No Longer in Their Prime After Targeted Phishing Kit
[Emily]: 2/10 Hoodies
[Tim]: 2/10 Hoodies
The Karma Initiative
[Emily]: 0/10 Hoodies
[Tim]: 500 millihoodies/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!