Perpetual IT

Naked Security has written and talked about Sebastien Vachon-Desjardins before, in both article and podcast form.

Vachon-Desjardins had been a federal government worker in the Canadian Capital Region (he comes from Gatineau in Quebec, directly across the river from the federal capital Ottawa in Ontario)…

…but he seems to have decided that joining the cybercrime underworld would be much more lucrative than his government job, and it seems that did indeed rack up a small fortune in illegal earnings.

He was tracked down, arrested, and convicted in his native Canada, and sentenced to nearly seven years in a Canadian prison.

Not long after starting his sentence, however, the Canadians released him from prison specifically so he could be extradited to Tampa, Florida, to face federal charges in the US.

As Chester Wisniewski put it in our March 2022 podcast on the topic:

Sebastien is temporarily “on loan” to the Americans, so they can punish him, but when he comes back, he still has to face his sentence here in Canada.

LEARN MORE ABOUT RECENT MALWARE BUSTS (FIRST SECTION)

Conviction and sentencing

Back in July 2022, Vachon-Desjardins decided to plead guilty in the US, with his plea document noting:

On or about January 27 and 28, 2021, the Royal Canadian Mounted Police executed search warrants at Vachon-Desjardins’ home and on safe deposit boxes held by Vachon-Desjardins at National Bank, Gatineau, Quebec.

During these searches, law enforcement seized, among other assets , all bitcoin contained in the defendant’s BTC Wallet 3Pxki6pFFKC12YSn8JtDs3ZrEg3pFTHnHd.

This seized bitcoin was derived primarily from ransom funds paid by victims of NetWalker Ransomware attacks.

The amount seized was just under BTC 720, worth about US$23 million in early 2021, and still worth about US$14 million today.

There was plenty more criminality to which Vachon-Desjardins admitted, however, with the court document going on to say:

Law enforcement identified and seized copies of the server that operated as the backend, or internal-facing, server of the NetWalker Tor Panel and the NetWalker Blog. This server contained detailed transactional information as to the NetWalker developers and affiliates. The transactional records revealed that during the course of the conspiracy, approximately 100 affiliates had been active, and victims had paid approximately 5058 bitcoin in ransoms (an approximate total of US$40 million based on the value of bitcoin at the time of each transaction).

These records also tied Vachon-Desjardins to the successful extortion of approximately 1864 bitcoin in ransoms (an approximate total of US$21.5 million based on the value of bitcoin at the time of each transaction) from dozens of victim companies across the world, including [a victim in Tampa, Florida].

This apparently identifies Vachon-Desjardins as a very significant NetWalker affiliate, responsible for more than 35% of ransom money extorted overall, and thus presumably also being responsible for about one-third of the group’s attacks.

He’s now been sentenced, with the Tampa Bay Times reporting that he’ll spend 20 years in a US prison.

According to the Tampa Bay Times, the judge in the case noted:

You have one of the worst cases I’ve ever seen. This is Jesse James meets the 21st century. [… This] is bad stuff. If you had gone to trial [i.e. had not pleaded guilty], I would have given you life.

When he’s finished his US prison sentence, Vachon-Desjardins will be returned north of the border to to finish his 7-stretch in Canada.

LEARN MORE ABOUT THE NETWALKER RANSOMWARE

Elvis, you might say, has left the building, but only to be transported from court to federal prison.

In this case, we’re referring to Elvis Eghosa Ogiekpolor, jailed for 25 years in Atlanta, Georgia for running a cybercrime group that scammed close to $10,000,000 in uunder two years from individuals and business caught up in so-called romance and BEC scams.

Five other co-conspirators who seem to have “worked for” Ogiekpolor have already pleaded guilty in this case; as far as we know, they haven’t been sentenced yet.

BEC is short for business email compromise, an umbrella term for a form of online scam in which the attackers acquire login access to email accounts inside a company, so that the fraudulent emails they send don’t just seem to come from the company they’re attacking, but actually do come from there.

This sort of scam is also commonly, if somewhat confusingly, known as CEO fraud or CFO fraud, because BEC criminals aim to get access to the email of the most influential employees they can.

Those names don’t denote that the CEO or CFO is carrying out the fraud, but rather that their names and email accounts have been taken over to issue fake payment instructions to staff, suppliers and customers, thus diverting incoming and outgoing payments to rogue bank accounts.

As you can imagine, crooks with access to an employee’s real mailbox can pull off all sorts of low-tech but effective scamming tricks, including:

• Learning when large payments are due, and which suppliers or customers are involved.
• Replying positively to emails from worried colleagues asking, “Is this for real?”
• Telling colleagues who are suspicious not to contact IT or SecOps.
• Deleting fake emails from the Sent folder so the genuine user never sees them.
• Matching the style of the genuine user by copying-and-pasting common phrases.
• Persuading the other party to treat the request as commercially confidential.
• Defrauding customers of the company, not merely the company itself.

Businesses can end up defrauded of millions of dollars by BEC criminals who have the social engineering “skills” to misdirect well-meaning employees:

In Ogiekpolor’s case, the US Department of Justice (DOJ) reported:

At trial, the jury heard from several businesses – representing just a small sample of the total number of companies defrauded – who had been victimized by spoof emails. In each case, the victim-business believed it was making a payment, often several hundreds of thousands of dollars, to a long-standing vendor only to subsequently learn that they had been tricked into sending the money to an account controlled by Ogiekpolor and thereby defrauded.

Crimes against the person

Romance scams, sadly, are targeted against individuals, rather than companies, but they can be very lucrative for the criminals, and destructively life-changing for their victims.

These scams often play out on legitimate dating sites, where the scammers typically take the profile details and photo of someone they think the victim might actually quite like…

…after which the scammers court the victim, often over an extended period of time, by pretending to be their perfect match.

The victim and their new “romantic partner” will never meet in real life, so the scammer can make claims about themselves, their appearance and their background that will never directly be put to the test:

Only when the victim has fallen for the scammer, and thinks that they can be trusted, will the scammer introduce money into the equation.

The amounts may start small, but vulnerable victims may ultimately be conned out of their life savings, as the DOJ reports:

[O]ne romance fraud victim was convinced to wire $32,000 to one of the accounts Ogiekpolor controlled because her “boyfriend” (one of the men online) claimed a part of his oil rig needed to be replaced but that his bank account was frozen. This victim borrowed against her retirement and savings to provide the funds, which ultimately required her to refinance her home to pay back the loan. Another victim testified that she was convinced to send nearly $70,000 because the man she met on eHarmony claimed to need money to promptly make payment on several invoices due to a frozen bank account.

What to do?

>TO PROTECT YOUR BUSINESS FROM BEC

• Create a central email account for staff to report suspicious emails. Get your SecOps team (or your MDR team if you have partnered with a third-party service) to examine suspected scam emails, because they know what to look for. Even if an unusual email comes from the internal account of a colleague, not from an outsider, replying to the sender to ask if it’s genuine or not will give you a false sense of security. If the email account was not hacked, you will get a legitimate answer saying, “Yes, it’s genuine.” But if the account was hacked, you will get exactly the same response, claiming to “confirm” the truthfulness of the original message, but the “confirmation” will be a lie.
• If in doubt, check with the sender of the email directly. Don’t use email if you suspect that their email may be compromised. Call them up (if you know their voice), pop into their office (if you can), or use a separate way of communicating with them if your goal is to raise suspicions that their email has been hacked. As explained above, BEC scammers typically trim both the Inbox and the Sent folders of victim’s accounts so that even if they review their recent email correspondence carefully, fake messages sent in their name will not show up.
• Require secondary authorisation for changes in account payment details. Don’t make it easy for crooks to trick your business into paying funds into the wrong account by leaving it to a single person to amend the relevant database entry. Get a second pair of eyes on the request (and see point 2 above about how to confirm that the original request was genuine) before allowing it to go through and you could save yourself hundreds of thousands of dollars.

TO PROTECT YOURSELF, FRIENDS AND FAMILY FROM ROMANCE SCAMS

• Slow down when dating talk turns from friendship, love or romance to money. It’s Cybersecurity Awareness Month right now, and one of the catch phrases of #cybermonth is: Stop. Think. Connect. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you. That needn’t be down to serendipity or because you have found a genuine match. The other person could simply have read your various online profiles carefully in advance.
• Listen openly to your friends and family if they try to warn you. Criminals who use romance or dating as a lure think nothing of deliberately setting you against your family as part of their scams. They may even “counsel” you not to let your friends and family in on your new “relationship”, pitching their romantic interest as something that your conservative, hidebound friends and family will simply never understand. Don’t let the scammers drive a wedge between you and your family as well as between you and your money.
• Watch the video below for encouragement and advice . You can also read a full transcript of the video if you prefer written articles to the spoken word. Click on the cog below to speed up playback or turn on captions:

[embedded content]

Scam calls are a nuisance at best, because they’re intrusive, and a social and financial evil at worst, because they prey on those who are vulnerable.

You probably get dozens or hundreds of them a year, often in waves of several a day, where the caller claims to be from Amazon (about a credit card charge charge that doesn’t exist), from Microsoft (about a computer virus that isn’t there), from the police (about a copyright infringement you haven’t committed), from your bank (about suspicious transactions that haven’t actually happened), from the tax office (about penalty charges you don’t owe)…

…or from any of a number of sources that fraudulently put you under pressure to agree to do something you later regret, such as transfer money from your bank account, hand over personal information such as passwords or payment card details, or install malicious software that lets the scammers remotely rummage through your computer.

Scammers of this sort are typically based in high-pressure criminal call centres outside your country, but they make use of internet-based calling services that costs pennies a minute to make calls anywhere in the world, yet show up on your phone with a local number to give them an air of legitimacy and traceability.

Not quite a scam

Sometimes, however, the callers aren’t quite scammers, and they really are based in your country, working for a registered company, calling from a number that really is local.

They might be promoting a legitimate service, such as something environmental to do with green energy, roof insulation or double-glazed windows, but they may very well call you against your will, even calling you repeatedly after you ask them to stop doing so, use high-pressure sales tactics, and make disinguenous or even dishonest claims to legitimise their calls.

We receive a lot of unwanted calls, and although outright scammers (those who have nothing real to sell and nothing even vaguely legitimate to offer) outnumber the “chancers”, we nevertheless still get plenty of calls that genuinely do originate locally, and represent local registered businesses claiming to be operating lawfully in this country.

We’re on our local equivalent of the national Do Not Call list (known in the UK by the very bland and neutral name TPS, short for Telephone Preference Service, as though anyone would ever prefer to opt into this stuff), so none of these callers, whether they’re outright cybercriminals or just local telesales chancers, are supposed to be calling at all.

And that raises two related questions:

• Is it worth reporting the outright scammers? They’re almost certainly outside the jurisdiction of your own authorities, and even if they get kicked off their current internet phone service, they’ll soon be back via another one. The names of the callers are fake and they don’t work for the companies or organisations they claim anyway. Why report them if nothing is ever likely to come of it?
• Is it worth reporting the local chancers? Given that they know they can be traced, and aren’t really trying to hide, it often feels as though they must have some sort of regulatory cushion. Certainly they sometimes couch their calls as though they’re part of an official government programme, to give the impression that they’re entitled (or even required) to call you. Why bother to report them if they’ve got an apparently valid cover story?

Report rogues if you can

The answer to both the questions above is, “Yes, it is.”

To be clear, we’re not suggesting that it’s your civic duty to report every scammy or dubious call you get, because even in countries where call reporting has been made very efficient, it does require you to record the caller’s number, write down as many details as you can remember, and then go to a website to input all the offending information.

Doing that every single time you get an unwanted call is an undertaking most people simply don’t have time for.

But if no one ever says anything, then something you can be sure of is that the regulator in your country will be able to do nothing.

On the other hand, if enough people do take the trouble to submit reports, then regulators will sometimes be in a strong position legal position to do something, even if it feels rather modest compared to the scale and efforontery of the operators they’re acting against.

For example, the Information Commissioner’s Office (ICO) opened its account for this year’s Cybersecurity Awareness Month with enforcement actions against four British peddlers of allegedly environment-friendly products and services: Posh Windows UK (fined £150,000 for calling nearly half-a-million “do not call” telephone subscribers), Green Logic UK (fined £40,000), Eco Spray Insulations (fined £100,000), and Euroseal Windows (fined £80,000).

These fines (or, more precisely, monetary penalties) may seem very modest, typically clocking in at well under £1 for every person who was illegally called, but they do at least make a point that companies who don’t play by the rules will be punished.

We also suspect, or at least hope, as more and more fines of this sort are issued and publicised, that the excuse that a company “didn’t knowingly set out to violate privacy regulations by making unlawful calls”, or words to that effect, will carry less and less water…

…and that more and more victims of this sort of call will be willing to provide evidence to the regulator to follow up on complaints.

For example, in one of the cases linked to above, the ICO’s rebuttal of the company’s claim that it had acquired consent via in-person house visits was greatly helped by a complainant who reported:

[The claim that I gave my details to a canvasser who called at the house] is totally fictional as I always send door to door salesmen packing, especially double glazing salesmen. I am not sure where they have had my land line number from. I asked them several times to remove my details from their database. They continued to phone me on several occasions and every time I asked them where they had got my details from…

Likewise, even if there is little that your regulator can do directly to prosecute pure-play scam callers from other countries, regularly reporting offenders does at least draw attention to the internet telephony companies who are happy to provide services to these scammers.

Ultimately, this may occasionally turn up enough evidence about the clients of the service provider to persuade the authorities in the country where the scammers are based to investigate at their end, and to tackle the scammers in their home jurisdiction.

What to do?

Here are links for reporting rogue calls in a selection of countries:

Report in the US: https://www.usa.gov/telemarketing#item-37207
Get on the US “do not call” list: https://www.donotcall.gov/

Report in Canada (English): https://lnnte-dncl.gc.ca/en/Consumer/Complaint/#!/
Get on the Canadian “do not call” list: https://lnnte-dncl.gc.ca

Report in the UK: https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/
Get on the UK “do not call” list: https://www.tpsonline.org.uk/

Report in Australia: https://www.donotcall.gov.au/consumers/lodge-a-complaint/
Get on the Australian “do not call” list: https://www.donotcall.gov.au/

Get on the blocklist and report in France: https://www.bloctel.gouv.fr/

DON’T PANIC… BUT BE READY TO ACT

With Paul Ducklin and Chester Wisniewski

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.

READ THE TRANSCRIPT

Just when you hoped the week would quieten down and yield you some SecOps downtime over the weekend…

…and along comes a brand new zero-day hole in Microsoft Exchange!

More precisely, two zero-days that can apparently be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution (RCE) on the Exchange server itself.

Microsoft quickly published official guidance about these vulnerabilities, summarising the situation as follows:

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.

At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

As far as we can see, there are two silver linings here:

• The bugs can’t be triggered by just anyone. Sure, any remote user who has already logged into to their email account over the internet, and whose computer is infected by malware, could in theory have their account subverted to launch an attack that exploits these bugs. But just having your Exchange server accessible to email users over the internet is not enough on its own to expose you to attack, because so-called unauthenticated invocation of these bugs is not possible.
• Blocking PowerShell Remoting can limit attacks. According to Microsoft, blocking TCP ports 5985 and 5986 on your Exchange server will limit (if not actually prevent) attackers from chaining from the first vulnerability to the second. Although attacks might be possible without relying on triggering PowerShell commands, intrusion reports so far seem to suggest that PowerShell execution was a necessary part of the attack.

Memories of ProxyShell

If this attack reminds you of the ProxyShell vulnerability from about a year ago, you’re not alone in thinking that.

According to GTSC, the Vietnamese cybersecurity company that first researched and reported these new holes, researchers “detected exploit requests in IIS logs with the same format as [the] ProxyShell vulnerability”.

Notably, the sort of threat-hunting query that we recommended for ProxyShell exploit spelunking back in 2021 seems to work for detecting abuse of these new zero-days, too:

SELECT grep.*
FROM file
CROSS JOIN grep ON (grep.path = file.path)
WHERE
file.path LIKE 'C:\inetpub\logs\LogFiles\W3SVC%\u_ex210[89]%'
AND grep.pattern = 'autodiscover.json'

Microsoft, too, notes that “[the detection we] created in response to ProxyShell can be used for queries as there are similarities in function with this threat.”

Of course, we don’t yet know whether the new attack can be pulled off without leaving this specific tell-tale sign in your logs.

In other words, if you find trigger signs similar to those left behind by PowerShell exploits, you definitely have evidence of an attack, but absence of these signs is not evidence of absence.

According to GTSC, in attacks they’ve investigated so far, the cybercriminals used their unauthorised RCE powers to implant and run a variety of follow-on malware, including:

• Webshells implanted to open a web-based backdoor for later. Webshells typically allow follow-on attacks to embed arbitrary system commands, with arbirary command arguments, into regular looking HTTP requests. The webshell then directly executes the desired command with the privileges of the web server itself.
• Credential dumping malware. Credential stealers typically snoop around on disk and in memory (if they have sufficient privilege) looking for plaintext passwords, session cookies and authentication tokens that could allow what’s known as lateral movement to other computers on the network.
• Zombie malware in the form of DLLs loaded into legitimate-looking processes. One DLL sample their researchers analysed could be remotely fed with encrypted instructions to dump system information, run arbitrary commands, launch C# modules, and modify files and folders on the infected system.

We will update this article as we learn more, including reporting when Microsoft gets patches out to close these holes.

Threat hunting advice

For threat hunting advice from GTSC, who discovered and reported the bugs, from Microsoft, and from Sophos, please see:

▶ https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

▶ https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

▶ https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/

What to do?

Mitigations include:

• Block PowerShell Remoting to reduce the risk of RCE. As mentioned above, blocking TCP ports 5985 and 5986 will limit attacks on your Exchange server, according to Microsoft.
• Use a URL Rewrite Rule to block known attack triggers. GTSC and Microsoft have explanations of how to use IIS Server URL rewriting rules to detect and neutralise common forms of this attack.
• Ensure behavioural endpoint threat detection is enabled, even on servers. As mentioned above, GTSC reports that attacks seen so far include the implanting of webshells and malware DLLs to run arbitrary commands, manipulate files and extract system information. This gives you numerous potention detection-and-response indicators to get on top of a successful attack.
• Consider deauthenticating logged-in email users. If you can perform some sort of endpoint security assessment on each user’s device before allowing them to reauthenticate, you will reduce (albeit not eliminate) the risk of already-compromised devices being co-opted into launching attacks. You will also remove from what’s kwown as your overall attack surface any users who don’t need to be logged on, or who don’t even remember they logged on in the first place.
• Apply any patches as soon as they are available. So far, only limited attacks have been reported, mostly in South East Asia, and GTSC is deliberately witholding details of the vulnerabilities until patches are out. But remember that once patches are published, cybecriminals will immediately start working backwards towards working exploits in the hope of catching out those who are tardy at applying updates.

So far [2022-09-30T13:30Z], it looks as though the most important things to bear in mind are: [a] the tips and techniques you learned for hunting down ProxyShell attacks are almost certainly going to be helpful here, albeit not the only tools you may need; [b] despite the similarities (and notwithstanding anything you may have seen online), this isn’t ProxyShell, so your your ProxyShell patches won’t protect you from it; and [c] when patches do arrive, assume that they will be reverse engineered back into working exploits very quickly, so don’t delay in applying them.

LEARN MORE ABOUT WEBSHELLS AND HOW TO PREVENT THEM