Mise à jour de la base de données, veuillez patienter...

Microsoft Corp. today released updates to plug more than 100 security holes in its various Windows operating systems and associated software. If you (ab)use Windows, please take a moment to read this post, backup your system(s), and patch your PCs.

All told, this patch batch addresses at least 115 security flaws. Twenty-six of those earned Microsoft’s most-dire “critical” rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.

Given the sheer number of fixes, mercifully there are no zero-day bugs to address, nor were any of them detailed publicly prior to today. Also, there were no security patches released by Adobe today. But there are a few eyebrow-raising Windows vulnerabilities worthy of attention.

Recorded Future warns exploit code is now available for one of the critical bugs Redmond patched last month in Microsoft Exchange (CVE-2020-0688), and that nation state actors have been observed abusing the exploit for targeted attacks.

One flaw fixed this month in Microsoft Word (CVE-2020-0852) could be exploited to execute malicious code on a Windows system just by getting the user to load an email containing a booby-trapped document in the Microsoft Outlook preview pane. CVE-2020-0852 is one just four remote execution flaws Microsoft patched this month in versions of Word.

One somewhat ironic weakness fixed today (CVE-2020-0872) resides in a new component Microsoft debuted this year called Application Inspector, a source code analyzer designed to help Windows developers identify “interesting” or risky features in open source software (such as the use of cryptography, connections made to a remote entity, etc).

Microsoft said this flaw can be exploited if a user runs Application Inspector on a hacked or booby-trapped program. Whoops. Animesh Jain from security vendor Qualys says this patch should be prioritized, despite being labeled as less severe (“important” versus “critical”) by Microsoft.

For enterprises, Qualys recommends prioritizing the patching of desktop endpoints over servers this month, noting that most of the other critical bugs patched today are prevalent on workstation-type devices. Those include a number of flaws that can be exploited simply by convincing a Windows user to browse to a malicious or hacked Web site.

While many of the vulnerabilities fixed in today’s patch batch affect Windows 7 operating systems, this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

Update, 7:50 p.m.: Microsoft has released an advisory about a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. Critical SMB (Windows file-sharing) flaws are dangerous because they are typically “wormable,” in that they can spread rapidly to vulnerable systems across an internal network with little to no human interaction.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,” Microsoft warned. “To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

Microsoft’s advisory says the flaw is neither publicly disclosed nor exploited at the moment. It includes a workaround to mitigate the flaw in file-sharing servers, but says the workaround does not prevent the exploitation of clients.

FBI officials last week arrested a Russian computer security researcher on suspicion of operating deer.io, a vast marketplace for buying and selling stolen account credentials for thousands of popular online services and stores.

Kirill V. Firsov was arrested Mar. 7 after arriving at New York’s John F. Kennedy Airport, according to court documents unsealed Monday. Prosecutors with the U.S. District Court for the Southern District of California allege Firsov was the administrator of deer.io, an online platform that hosted more than 24,000 shops for selling stolen and/or hacked usernames and passwords for a variety of top online destinations.

The indictment against Firsov says deer.io was responsible for $17 million worth of stolen credential sales since its inception in 2013.

“The FBI’s review of approximately 250 DEER.IO storefronts reveals thousands of compromised accounts posted for sale via this platform and its customers’ storefronts, including videogame accounts (gamer accounts) and PII files containing user names, passwords, U.S. Social Security Numbers, dates of birth, and victim addresses,” the indictment states.

In addition to facilitating the sale of hacked accounts at video streaming services like Netflix and Hulu and social media platforms like Facebook, Twitter and Vkontakte (the Russian equivalent of Facebook), deer.io also is a favored marketplace for people involved in selling phony social media accounts.

For example, one early adopter of deer.io was a now-defunct shop called “Dedushka” (“grandpa” in transliterated Russian), a service offering aged, fake Vkontakte accounts that was quite popular among crooks involved in various online dating scams.

The indictment doesn’t specify how prosecutors pegged Firsov as the mastermind behind deer.io, but there are certainly plenty of clues that suggest such a connection. 

Firsov’s identity on Twitter says he is a security researcher and developer who currently lives in Moscow. Previous tweets from that account indicate Firsov made a name for himself after discovering a number of serious security flaws in Telegram, a popular cross-platform messaging application.

Firsov also tweeted about competing in and winning several “capture the flag” hacking competitions, including the 2016 and 2017 CTF challenges at Positive Hack Days (PHDays), an annual security conference in Moscow.

Deer.io was originally advertised on the public Russian-language hacking forum Antichat by a venerated user in that community who goes by the alias “Isis.” A Google Translate version of that advertisement is here (PDF).

In 2016, Isis would post to Antichat a detailed writeup on how he was able to win a PHDays hacking competition (translated thread here). In one section of the writeup Isis claims authorship of a specific file-dumping tool, and links to a Github directory under the username “Firsov.”

In another thread from June 2019, an Antichat user asks if anyone has heard from Isis recently, and Isis pops up a day later to inquire what he wants. The user asks why Isis’s site — a video and music search site called vpleer[.]ru — wasn’t working at the time. Isis responds that he hasn’t owned the site for 10 years.

According to historic WHOIS records maintained by DomainTools.com (an advertiser on this site), vpleer was originally registered in 2008 to someone using the email address hm@mail.ru.

That same email address was used to register the account “Isis” at several other top Russian-language cybercrime forums, including Damagelab, Zloy, Evilzone and Priv-8. It also was used in 2007 to register xeka[.]ru, a cybercrime forum in its own right that called itself “The Antichat Mafia.”

More importantly, that same hm@mail.ru email address was used to register accounts at Facebook, Foursquare, Skype and Twitter in the name of Kirill Firsov.

Russian hacking forums have taken note of Firsov’s arrest, as they do whenever an alleged cybercriminal in their midst gets apprehended by authorities; typically such a user’s accounts are then removed from the forum as a security precaution. An administrator of one popular crime forum posted today that Firsov is a 28-year-old from Krasnodar, Russia who studied at the Moscow Border Institute, a division of the Russian Federal Security Service (FSB).

Firsov is slated to be arraigned later this week, when he will face two felony counts, specifically aiding and abetting the unauthorized solicitation of access devices, and aiding and abetting trafficking in “false authentication features.” A copy of the indictment is available here (PDF).

The federal agency in charge of issuing .gov domain names is enacting new requirements for validating the identity of people requesting them. The additional measures come less than four months after KrebsOnSecurity published research suggesting it was relatively easy for just about anyone to get their very own .gov domain.

In November’s piece It’s Way Too Easy to Get a .gov Domain Name, an anonymous source detailed how he obtained one by impersonating an official at a small town in Rhode Island that didn’t already have its own .gov.

“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source said. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

While what my source did was technically wire fraud (obtaining something of value via the Internet through false pretenses), cybercriminals bent on using fake .gov domains to hoodwink Americans likely would not be deterred by such concerns.

“I never said it was legal, just that it was easy,” the source told KrebsOnSecurity. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”

Now, Uncle Sam says in a few days all new .gov domain applications will include an additional authorization step.

“Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain,” reads a notice published March 5 by the U.S. General Services Administration, which overseas the .gov space.

“This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain,” the statement continues. “This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations.”

The GSA didn’t say whether it was putting in place any other safeguards, such as more manual verification of .gov domain applications. It certainly hadn’t followed up on the fraudulent application from my source before granting him the .gov domain name he sought (exeterri[.]gov). The GSA only did that four days after I asked them for comment, and approximately 10 days after they’d already granted the phony domain request.

“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls,” the agency said in a written statement at the time, without elaborating on what those additional controls might be.

But I’m left to wonder: If I’m a bad guy who’s willing to forge someone’s signature and letterhead in a fraudulent application for a .gov domain, why wouldn’t I also be willing to fake a notarization? Especially when there are plenty of services in the cybercrime underground that specialize in spoofing these phony attestations for a small fee.

“This is a classic case of ‘we must do something’ and this is certainly something,” said John Levine, a domain name expert, consultant and author of the book The Internet for Dummies.

Levine said it would not be terribly difficult for the GSA to do a slightly more thorough job of validating .gov domain requests, but that some manual verification probably would be required. Still, he said, it’s not clear how big a threat fake .gov domains really are.

“As far as we know, only one person tried to fake a .gov,” Levine said. “Maybe this is good enough?”

The Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security, has argued that more needs to be done to secure the .gov domain space, and is making a play to wrest control over the process from the GSA.

The DOTGOV bill, introduced in October 2019, would “ensure that only authorized users obtain a .gov domain, and proactively validate existing .gov holders,” according to a statement CISA shared with this author last year.

Last week, KrebsOnSecurity reported to health insurance provider Blue Shield of California that its Web site was flagged by multiple security products as serving malicious content. Blue Shield quickly removed the unauthorized code. An investigation determined it was injected by a browser extension installed on the computer of a Blue Shield employee who’d edited the Web site in the past month.

The incident is a reminder that browser extensions — however useful or fun they may seem when you install them — typically have a great deal of power and can effectively read and/or write all data in your browsing sessions. And as we’ll see, it’s not uncommon for extension makers to sell or lease their user base to shady advertising firms, or in some cases abandon them to outright cybercriminals.

The health insurance site was compromised after an employee at the company edited content on the site while using a Web browser equipped with a once-benign but now-compromised extension which quietly injected code into the page.

The extension in question was Page Ruler, a Chrome addition with some 400,000 downloads. Page Ruler lets users measure the inch/pixel width of images and other objects on a Web page. But the extension was sold by the original developer a few years back, and for some reason it’s still available from the Google Chrome store despite multiple recent reports from people blaming it for spreading malicious code.

How did a browser extension lead to a malicious link being added to the health insurance company Web site? This compromised extension tries to determine if the person using it is typing content into specific Web forms, such as a blog post editing system like WordPress or Joomla.

In that case, the extension silently adds a request for a javascript link to the end of whatever the user types and saves on the page. When that altered HTML content is saved and published to the Web, the hidden javascript code causes a visitor’s browser to display ads under certain conditions.

Who exactly gets paid when those ads are shown or clicked is not clear, but there are a few clues about who’s facilitating this. The malicious link that set off antivirus alarm bells when people tried to visit Blue Shield California downloaded javascript content from a domain called linkojager[.]org.

The file it attempted to download — 212b3d4039ab5319ec.js — appears to be named after an affiliate identification number designating a specific account that should get credited for serving advertisements. A simple Internet search shows this same javascript code is present on hundreds of other Web sites, no doubt inadvertently published by site owners who happened to be editing their sites with this Page Ruler extension installed.

If we download a copy of that javascript file and view it in a text editor, we can see the following message toward the end of the file:

[NAME OF EXTENSION HERE]’s development is supported by advertisements that are added to some of the websites you visit. During the development of this extension, I’ve put in thousands of hours adding features, fixing bugs and making things better, not mentioning the support of all the users who ask for help.

Ads support most of the internet we all use and love; without them, the internet we have today would simply not exist. Similarly, without revenue, this extension (and the upcoming new ones) would not be possible.

You can disable these ads now or later in the settings page. You can also minimize the ads appearance by clicking on partial support button. Both of these options are available by clicking \’x\’ button in the corner of each ad. In both cases, your choice will remain in effect unless you reinstall or reset the extension.

This appears to be boilerplate text used by one or more affiliate programs that pay developers to add a few lines of code to their extensions. The opt-out feature referenced in the text above doesn’t actually work because it points to a domain that no longer resolves — thisadsfor[.]us. But that domain is still useful for getting a better idea of what we’re dealing with here.

Registration records maintained by DomainTools [an advertiser on this site] say it was originally registered to someone using the email address frankomedison1020@gmail.com. A reverse WHOIS search on that unusual name turns up several other interesting domains, including icontent[.]us.

icontent[.]us is currently not resolving either, but a cached version of it at Archive.org shows it once belonged to an advertising network called Metrext, which marketed itself as an analytics platform that let extension makers track users in real time.

“Three lines into your product and it’s in live,” iContent enthused. “High revenue per user.”

Another domain tied to Frank Medison is cdnpps[.]us, which currently redirects to the domain “monetizus[.]com.” Like its competitors, Monetizus’ site is full of grammar and spelling errors: “Use Monetizus Solutions to bring an extra value to your toolbars, addons and extensions, without loosing an audience,” the company says in a banner at the top of its site.

Contacted by KrebsOnSecurity, Page Ruler’s original developer Peter Newnham confirmed he sold his extension to MonetizUs in 2017.

“They didn’t say what they were going to do with it but I assumed they were going to try to monetize it somehow, probably with the scripts their website mentions,” Newnham said.

“I could have probably made a lot more running ad code myself but I didn’t want the hassle of managing all of that and Google seemed to be making noises at the time about cracking down on that kind of behaviour so the one off payment suited me fine,” Newnham said. “Especially as I hadn’t updated the extension for about 3 years and work and family life meant I was unlikely to do anything with it in the future as well.”

Monetizus did not respond to requests for comment.

Newnham declined to say how much he was paid for surrendering his extension. But it’s not difficult to see why developers might sell or lease their creation to a marketing company: Many of these entities offer the promise of a hefty payday for extensions with decent followings. For example, one competing extension monetization platform called AddonJet claims it can offer revenues of up to $2,500 per day for every 100,000 user in the United States (see screenshot below).

I hope it’s obvious by this point, but readers should be extremely cautious about installing extensions — sticking mainly to those that are actively supported and respond to user concerns. Personally, I do not make much use of browser extensions. In almost every case I’ve considered installing one I’ve been sufficiently spooked by the permissions requested that I ultimately decided it wasn’t worth the risk.

If you’re the type of person who uses multiple extensions, it may be wise to adopt a risk-based approach going forward. Given the high stakes that typically come with installing an extension, consider carefully whether having the extension is truly worth it. This applies equally to plug-ins designed for Web site content management systems like WordPress and Joomla.

Do not agree to update an extension if it suddenly requests more permissions than a previous version. This should be a giant red flag that something is not right. If this happens with an extension you trust, you’d be well advised to remove it entirely.

Also, never download and install an extension just because some Web site says you need it to view some type of content. Doing otherwise is almost always a high-risk proposition. Here, Rule #1 from KrebsOnSecurity’s Three Rules of Online Safety comes into play: “If you didn’t go looking for it, don’t install it.” Finally, in the event you do wish to install something, make sure you’re getting it directly from the entity that produced the software.

Google Chrome users can see any extensions they have installed by clicking the three dots to the right of the address bar, selecting “More tools” in the resulting drop-down menu, then “Extensions.” In Firefox, click the three horizontal bars next to the address bar and select “Add-ons,” then click the “Extensions” link on the resulting page to view any installed extensions.

A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned. An individual thought to be involved has earned accolades from the likes of Apple, Dell, and Microsoft for helping to find and fix security vulnerabilities in their products.

In 2018, security intelligence firm HYAS discovered a malware network communicating with systems inside of a French national power company. The malware was identified as a version of the remote access trojan (RAT) known as njRAT, which has been used against millions of targets globally with a focus on victims in the Middle East.

Further investigation revealed the electricity provider was just one of many French critical infrastructure firms that had systems beaconing home to the malware network’s control center.

Other victims included one of France’s largest hospital systems; a French automobile manufacturer; a major French bank; companies that work with or manage networks for French postal and transportation systems; a domestic firm that operates a number of airports in France; a state-owned railway company; and multiple nuclear research facilities.

HYAS said it quickly notified the French national computer emergency team and the FBI about its findings, which pointed to a dynamic domain name system (DNS) provider on which the purveyors of this attack campaign relied for their various malware servers.

When it didn’t hear from French authorities after almost a week, HYAS asked the dynamic DNS provider to “sinkhole” the malware network’s control servers. Sinkholing is a practice by which researchers assume control over a malware network’s domains, redirecting any traffic flowing to those systems to a server the researchers control.

While sinkholing doesn’t clean up infected systems, it can prevent the attackers from continuing to harvest data from infected PCs or sending them new commands and malware updates. HYAS found that despite its notifications to the French authorities, some of the apparently infected systems were still attempting to contact the sinkholed control networks up until late 2019.

“Due to our remote visibility it is impossible for us to determine if the malware infections have been contained within the [affected] organizations,” HYAS wrote in a report summarizing their findings. “It is possible that an infected computer is beaconing, but is unable to egress to the command and control due to outbound firewall restrictions.”

HYAS said given the entities compromised — and that only a handful of known compromises occurred outside of France — there’s a strong possibility this was the result of an orchestrated phishing campaign targeting French infrastructure firms. It also concluded the domains associated with this campaign were very likely controlled by a group of adversaries based in Morocco.

“What caught our attention was the nature of the victims and the fact that there were no other observed compromises outside of France,” said Sasha Angus, vice president of intelligence for HYAS. “With the exception of water management, when looking at the organizations involved, each fell within one of the verticals in France’s critical infrastructure strategic plan. While we couldn’t rule out financial crime as the actor’s potential motive, it didn’t appear that the actor leveraged any normal financial crime tools.”

‘FATAL’ ERROR

HYAS said the dynamic DNS provider shared information showing that one of the email addresses used to register a key DNS server for the malware network was tied to a domain for a legitimate business based in Morocco.

According to historic records maintained by Domaintools.com [an advertiser on this site], that email address — ing.equipepro@gmail.com — was used in 2016 to register the Web site talainine.com, a now-defunct business that offered recreational vehicle-based camping excursions just outside of a city in southern Morocco called Guelmim.

Archived copies of talainine.com indicate the business was managed by two individuals, including someone named Yassine Algangaf. A Google search for that name reveals a similarly named individual has been credited by a number of major software companies — including Apple, Dell and Microsoft — with reporting security vulnerabilities in their products.

A search on this name at Facebook turned up a page for another now-defunct business called Yamosoft.com that lists Algangaf as an owner. A cached copy of Yamosoft.com at archive.org says it was a Moroccan computer security service that specialized in security audits, computer hacking investigations, penetration testing and source code review.

A search on the ing.equipepro@gmail.com address at 4iq.com — a service that indexes account details like usernames and passwords exposed in Web site data breaches — shows this email address was used to register an account at the computer hacking forum cracked[.]to for a user named “fatal.001.”

A LinkedIn profile for a Yassine Algangaf says he’s a penetration tester from the Guelmim province of Morocco. Yet another LinkedIn profile under the same name and location says he is a freelance programmer and penetration tester. Both profiles include the phrase “attack prevention mechanisms researcher security tools proof of concepts developer” in the description of the user’s job experience.

Searching for this phrase in Google turns up another Facebook page, this time for a “Yassine Majidi,” under the profile name “FatalW01.” A review of Majidi’s Facebook profile shows that phrase as his tag line, and that he has signed several of his posts over the years as “Fatal.001.”

There are also two different Skype accounts registered to the ing.equipepro.com email address, one for Yassine Majidi and another for Yassine Algangaf. There is a third Skype account nicknamed “Fatal.001” that is tied to the same phone number included on talainine.com as a contact number for Yassine Algangaf (+212611604438). A video on Majidi’s Facebook page shows him logged in to the “Fatal.001” Skype account.

On his Facebook profile, Majidi includes screen shots of several emails from software companies thanking him for reporting vulnerabilities in their products. Fatal.001 was an active member on dev-point[.]com, an Arabic-language computer hacking forum. Throughout multiple posts, Fatal.001 discusses his work in developing spam tools and RAT malware.

In this two-hour Arabic language YouTube tutorial from 2014, Fatal.001 explains how to use a RAT he developed called “Little Boy” to steal credit card numbers and passwords from victims. The main control screen for the Little Boy botnet interface includes a map of Morocco.

Reached via LinkedIn, Algangaf confirmed he used the pseudonyms Majidi and Fatal.001 for his security research and bug hunting. But he denied ever participating in illegal hacking activities. He acknowledged that ing.equipepro@gmail.com is his email address, but claims the email account was hacked at some point in 2017.

“It has already been hacked and recovered after a certain period,” Algangaf said. “Since I am a security researcher, I publish from time to time a set of blogs aimed at raising awareness of potential security risks.”

As for the notion that he has somehow been developing hacking programs for years, Algangaf says this, also, is untrue. He said he never sold any copies of the Little Boy botnet, and that this was one of several tools he created for raising awareness.

“In 2013, I developed a platform for security research through which penetration test can be done for phones and computers,” Algangaf said. “It contained concepts that could benefit from a controlled domain. As for the fact that unlawful attacks were carried out on others, it is impossible because I simply have no interest in blackhat [activities].”