Ongoing SolarWinds breach / PayPal smishing / Babuk Locker

The massive SolarWinds breach still stirs discussion and controversy. Now it turns out that Microsoft source code was exposed. In the first article, we ask what that means for users and organizations. What else? Babuk Locker – new year, new ransomware – PayPal smishing, and a new victim-identification technique.

SolarWinds breach: Microsoft source code exposed. What does it mean for users and organizations?

Microsoft confirmed last week that attackers were able to view some of its source code. There may be no direct increase in security risk, but access to source code could make some steps easier for attackers.

During the investigation Microsoft has not found evidence of access to production services or customer data, nor has it discovered that its systems were used to attack other companies. It did find, however, that an internal account had been used to view source code in a number of code repositories – the affected account didn’t have permissions to change any code or engineering systems.

Microsoft’s software is among the most widely deployed in the world, so it is an appealing target, particularly for advanced attackers like those behind the SolarWinds incident.

While it’s certainly concerning, and we don’t know the full extent of what the attackers could see, Microsoft’s threat-modelling strategy assumes attackers already have some knowledge of its source code. Microsoft made a big push for secure software development in Windows Vista. It didn’t decide to open-source the code, but it designed the code on the assumption that this could happen someday. Source code is viewable within Microsoft, and viewing the source code isn’t tied to heightened security risk.

This practice isn’t common. However, Microsoft is a big enough target, with people regularly reverse-engineering its code, that it makes sense.

While attackers were only able to view the source code, and not edit or change it, this level of access could prove helpful with some things – for example, writing rootkits.

There is still much we don’t know regarding this intrusion. What have the attackers already seen? Where was the affected code? Were the attackers able to access an account that allowed them to alter source code? For now, we must leave these questions unanswered. In the meantime, security specialists advise organizations to continue applying security patches as usual and stick with the infosec basics.


Don’t get caught! The newest PayPal phishing texts state your account is ‘limited’

A new SMS text phishing (smishing) campaign pretends to be from PayPal, stating that your account has been permanently limited unless you verify it by clicking on a link.

PayPal smishing

When PayPal detects suspicious or fraudulent activity on an account, the account will have its status set to “limited,” which will put temporary restrictions on withdrawing, sending, or receiving money.

But this time, clicking on the enclosed link will bring you to a phishing page. It prompts you to log in to your account, as shown below. If you log in, the entered PayPal credentials will be sent to the threat actors. The phishing page then goes a step further as it will try to collect further details from you, including your name, date of birth, address, bank details, and more.

Smishing scams are becoming increasingly popular, so it is always important to treat any text messages containing links as suspicious. If a target falls for any of these ruses, the combination of information could be used for identity theft, bank fraud, or fraudulent purchases. The data could just as well be compiled into lists that are then sold to other scammers on dark web marketplaces. If the victim also recycles their login credentials across multiple accounts, black hats could infiltrate other accounts, including banking, social media, and email accounts.


New Year, New Ransomware: Babuk Locker Targets Large Corporations

It’s a new year, and it comes with new ransomware called Babuk Locker that targets corporate victims in human-operated attacks.

Babuk Locker is a new ransomware operation that launched at the beginning of 2021 and has since amassed a small list of victims from around the world. Demands range from $60,000 to $85,000 in Bitcoin.

Babuk Locker’s code looks amateurish. However, it uses sound encryption (ChaCha8 and elliptic-curve Diffie–Hellman), which prevents victims from recovering their files for free.

At launch, the operators can pass a command-line argument that controls whether the ransomware encrypts network shares and whether it does so before the local file system. The command-line arguments that control this behavior are:

  • lanfirst
  • lansecond
  • nolan

Once launched, the ransomware will terminate various Windows services and processes known to keep files open and prevent encryption. The terminated programs include database servers, mail servers, backup software, mail clients, and web browsers.

When encrypting files, Babuk Locker uses the hardcoded extension .__NIST_K571__ and appends it to each encrypted file. A ransom note named How To Restore Your Files.txt is created in each folder. One of the notes seen contains the victim’s name and links to images proving that the threat actors stole unencrypted files during the attack. The Babuk Locker Tor site is nothing fancy and simply contains a chat screen where the victim can talk to the threat actors and negotiate a ransom.
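A defender-side triage script, added here and not part of the original article: it walks a directory tree for the two on-disk artefacts named above (the .__NIST_K571__ extension and the How To Restore Your Files.txt note) and checks a process command line for the three share-handling switches. The sample tree, the command lines, and the handling of a leading '-' or '/' before a switch are assumptions made for the demo.

```python
import os
import tempfile
from collections import Counter

# Indicators from the write-up above; every other value here is constructed.
BABUK_EXTENSION = ".__NIST_K571__"
RANSOM_NOTE = "How To Restore Your Files.txt"
BABUK_SWITCHES = {"lanfirst", "lansecond", "nolan"}

def scan_tree(root):
    """Walk `root`; report encrypted files, note folders, and encrypted folders lacking a note."""
    encrypted_by_dir = Counter()
    note_dirs = set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.add(dirpath)
            elif name.endswith(BABUK_EXTENSION):
                encrypted_by_dir[dirpath] += 1
    return {
        "encrypted_files": sum(encrypted_by_dir.values()),
        "note_dirs": note_dirs,
        "dirs_missing_note": set(encrypted_by_dir) - note_dirs,  # encryption interrupted?
        "infected": bool(encrypted_by_dir or note_dirs),
    }

def babuk_switches(cmdline):
    """Share-handling switches in a command line; '-'/'/' stripped since exact syntax is unknown."""
    return {tok.lower().lstrip("-/") for tok in cmdline.split()} & BABUK_SWITCHES

def build_sample_tree():
    """Construct a fake post-encryption share for the demo (all files empty)."""
    root = tempfile.mkdtemp(prefix="babuk_demo_")
    layout = {
        "finance": ["Q4.xlsx" + BABUK_EXTENSION, "budget.docx" + BABUK_EXTENSION, RANSOM_NOTE],
        "hr": ["payroll.csv" + BABUK_EXTENSION],  # encrypted, note not yet dropped
        "public": ["readme.txt"],                 # untouched folder
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()
    return root

def scan_sample():
    return scan_tree(build_sample_tree())

if __name__ == "__main__":
    print(scan_sample())
    print(babuk_switches("locker.exe -nolan"))  # constructed command line
```

A folder that holds encrypted files but no note is worth a second look: the note is written per folder, so its absence can mark where encryption was interrupted.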

Babuk Locker’s authors are planning to create a dedicated leak site, following the double-extortion trend. So far, they have used a hacker forum to leak stolen data.


New malware uses WiFi BSSID for victim identification

Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim’s IP address and check it against an IP-to-geo database like MaxMind’s GeoIP to get a victim’s approximate geographical location. However, IP-to-geo databases are known for their wildly inaccurate results, as telcos and data centers tend to acquire or rent IP address blocks on the free market.

Still, this method is widely used today, but from time to time some attackers layer the BSSID technique on top of it.

A new malware strain – discovered by Xavier Mertens, a security researcher at the SANS Internet Storm Center – is using the WiFi AP MAC address to get that information. The BSSID (Basic Service Set Identifier) is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi. You can see the BSSID on Windows systems by running the command:

netsh wlan show interfaces | find "BSSID"

Back to the malware…

Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov. This database is a collection of known BSSIDs and the last geographical location they’ve been spotted at.

These types of databases are quite common these days and are usually used by mobile app operators as alternative ways to track users when they can’t get access to a phone’s location data directly.

Checking the BSSID against Mylnikov’s database would allow the malware to determine the physical location of the WiFi access point the victim was using to access the internet, which is a far more accurate way of discovering a victim’s geographical position.

Using both methods together lets malware operators confirm the initial IP-based geolocation result with the BSSID lookup. In other words, they can double-check a victim’s geographical location and get more or less 100 percent accurate results.
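A detection heuristic, added here and not from the article or the researcher’s analysis: it runs over constructed Sysmon-style process-creation events and flags the `netsh wlan show interfaces` query quoted above when its parent process is not one of an assumed set of interactive shells, or when that shell binary lives in a user-writable folder. The event records, parent list and folder list are all assumptions for the demo.

```python
import re

# Constructed process-creation records (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh wlan show interfaces | find "BSSID"'},
    {"parent": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh wlan show interfaces"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]

# The command quoted in the article, allowing for netsh.exe and odd spacing.
WLAN_QUERY = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+interfaces\b", re.IGNORECASE)
# Assumed baseline: parents from which people run netsh by hand.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
# Assumed: a "shell" living in a user-writable folder is not the real shell.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """None if the event is not a wlan interface query, else 'benign' or 'suspicious'."""
    if not WLAN_QUERY.search(event["cmdline"]):
        return None
    parent = event["parent"]
    if basename(parent) in INTERACTIVE_PARENTS and not USER_WRITABLE.search(parent):
        return "benign"
    return "suspicious"

def triage(events):
    """Group wlan queries by verdict; each entry keeps the parent image for follow-up."""
    verdicts = {"benign": [], "suspicious": []}
    for event in events:
        verdict = classify(event)
        if verdict:
            verdicts[verdict].append(event["parent"])
    return verdicts

if __name__ == "__main__":
    for verdict, parents in triage(SAMPLE_EVENTS).items():
        print(verdict, parents)
```

The query itself is legitimate administration, so the signal is the parent process, not the command; tune the interactive-parent list to your own baseline before alerting on it.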


Do you have a thirst for knowledge? Here are ten more cybersecurity stories

  1. FBI warns of Egregor ransomware extorting businesses worldwide (Bleeping Computer)
  2. Researcher Breaks reCAPTCHA With Google’s Speech-to-Text API (Threat Post)
  3. SolarWinds breach: The more we learn, the worse it looks (ZDNet)
  4. Nissan Source Code Leaked via Misconfigured Git Server (Dark Reading)
  5. Nvidia Warns Windows Gamers of High-Severity Graphics Driver Flaws (Threat Post)
  6. Bugs in Firefox, Chrome, Edge Allow Remote System Hijacking (Threat Post)
  7. WhatsApp will share your data with Facebook and its companies (Security Affairs)
  8. It’s Not the Trump Sex Tape, It’s a RAT (Threat Post)
  9. Google fixed a critical Remote Code Execution flaw in Android (Security Affairs)
  10. This new phishing attack uses an odd lure to deliver Windows trojan malware (ZDNet)