News Wrap: Valentine’s Day Scams and Emotet’s Wi-Fi Hack


Top stories of this week include a new Emotet Wi-Fi hack and Robbinhood ransomware operators using a “bring your own bug” technique.

Threatpost editors Tara Seals and Lindsey O’Donnell-Welch break down the top stories for this week, ended Feb. 14, including:


Below find a lightly edited transcript of this podcast.

Lindsey O’Donnell-Welch: Welcome to the Threatpost news wrap. It’s the week ended February 14, which is Valentine’s Day and you’ve got Lindsey O’Donnell-Welch here today with Tara Seals to talk about the biggest news stories from this week. Tara, how’s it going?

Tara Seals: Pretty good. How are you doing Lindsey?

LO: I’m good. Good. Hopefully you haven’t received any Valentine’s Day themed phishing emails this week. I know that that’s a big theme I’m sure for bad actors.

TS: Yeah, definitely. I have been rather immune to it, which is good. So but then I’m not signed up for dating apps and that type of thing. You know, I’ve been married for 22 years.

LO: True, true. Yeah. So there was actually, you know, there is kind of some of this topical research out there today, just on the topic of Valentine’s Day. I know Bitdefender had a post about kind of a new phishing scam that is luring iPhone owners with a kind of romance-themed hook. And I know you were looking at that. Is that kind of the run-of-the-mill type of Valentine’s Day phishing story? Or is there any interesting or unique twist there?

TS: Yeah, well, it’s kind of interesting because this particular phishing scam starts off with, basically, if you’re a user of this dating app, then you’ll get a spam message that comes through. And then if you click on that, it takes you to a phishing page that you can’t really do anything with; it is kind of like a static image, other than the links that are inside, so you’re confined to this page. And you can’t do anything with it other than click the links or exit out of it. So if you’re the curious type, and you’re like “what is going on with this?” and you start kind of clicking around the screen, you know, why the screen is static and acting strangely, then you end up, you know, basically being taken to all kinds of different malicious pages for ad fraud and some other things. Or it might bring up a, you know, secondary thing that says slot machine scam, which is kind of interesting. So, you click on one of the links, and then it comes up, and it says that you can become a millionaire today, you’re today’s lucky winner, you know, click here to play the slot machine game, and that basically just creates a vortex of different malicious activities. So it’s kind of ingenious, really.

LO: Yeah, I think it’s interesting just in terms of using romance as a hook. Obviously, these romance scams work obviously, but you know, whenever I see these types of messages in my Twitter inbox or even just on Facebook, because I see them a lot on social media. I just immediately discount it as a scam but it is interesting that it does work and a lot of people do fall for this and I wonder if it being Valentine’s Day if there’s like kind of heightened emotions around wanting to be with someone or something like that, that are making people fall for these scams even more. It’s always interesting, the emotional aspect that goes into that.

TS: Yeah, for sure. It’s social engineering at its finest, and it, you know, never ceases to amaze me actually how good cyber criminals are at sort of taking the pulse of what’s going on out there… And definitely things like Valentine’s Day where, you know, people are going to be feeling a little vulnerable maybe, or maybe they’re, you know, elated because they’re in a new relationship or something and they’re not paying as much attention as they should be. And it’s really similar too, because the coronavirus that we’ve seen is starting to really ramp up the past week or so. I think we were talking earlier, you had like three reports of phishing scams related to coronavirus coming through.

LO: It’s either playing kind of on those themes of love or, I guess, fear, because those are the two that really seem to work in these romance scams. But then also, like you said, Tara, there’s an article you wrote about this last week, there have been tons of malicious scams and malspam campaigns around coronavirus. And a lot of bad actors are tapping into that. And I think that’s kind of what we see a lot with phishing schemes in general. I know and it seems to be working too. I know that, I think the FBI this week came out with their annual cyber crime report where they talked about, like, the number of incidents that have been reported to the FBI and, like, how much victims have lost, and, you know, these numbers are always pretty staggering, but they said that overall businesses and victims had lost $3.5 billion to cyber criminals over the last year and reported more incidents of cybercrime to the FBI than ever. But they were saying that email account compromise and BEC and internet types of scams, like phishing, cost people, you know, a large chunk of this figure in terms of losses, and I know BEC scams alone cost people, I think it was $1.7 billion in 2019. So I think that that is reflective of how bad actors are really kind of digging into these trends and really taking it to the next level and playing on victims’ emotions. And just this week also, there were reports that a phishing scam had actually hit the Puerto Rico government; an agency had actually paid out $2.6 million due to one of these scams. So it’s not just like kind of a one-off in terms of targeting one victim and they fall for it. It’s really prevalent and hitting, like, these large-scale businesses and corporations and even government agencies. I think that’s just really interesting.

TS: It really is interesting. And I mean that Puerto Rico story was, you know, not only completely tragic, but, you know, it again, as you say, it just illustrates the fact that no one is immune to these. At a very fundamental level, I mean, these are pretty basic criminal approaches that they’re taking, right? You know, these are tried and true tactics. I mean, people know about these things, and that they circulate, and we would certainly think that, you know, someone, you know, on a governmental level would be sort of aware of this type of thing. But, you know, the criminals go back to that well, because it works and they continue to do well with it.

LO: There was a phishing campaign that I reported on earlier this week that I think was targeting PayPal users, and as part of that campaign, you know, it started with them asking for the victim’s PayPal credentials, and then, once they put that in, it would go and ask for their payment card data. And then, you know, it kept going and going until it was asking for social security numbers and uploaded photos of their credit cards and their passports. And I think that just goes to show that, you know, cyber criminals are really trying to take what they can get at this point, especially if victims are falling for it. So that’s definitely going to continue as a trend, unfortunately, and even though phishing isn’t necessarily a sexy topic, I think it’s one of the biggest issues in security and it’s not going away anytime soon. But beyond kind of all the phishing that we’re seeing, the phishing attacks, there was some really interesting news about Emotet this week that I thought we should talk about. Basically, researchers found a new Emotet malware sample that had the ability to spread to insecure Wi-Fi networks that were located nearby the device that had been infected, and, you know, Emotet is malware that’s been prevalent since it returned, I think back in September 2019. And it continues to take on new evasion and social engineering techniques for stealing credentials and, you know, spreading Trojans and whatnot. And so it definitely has popped up a bunch in the past few months. But I do think that this tactic really stands out as one that can kind of bring Emotet to the next level. And the researchers who discovered this agreed, and that’s because if the malware can spread to nearby Wi-Fi networks, it can then infect the devices connected to them, and essentially rapidly escalate Emotet’s spread. So I think that’s particularly bad because, you know, say someone’s device gets infected, hackers could potentially jump to their office network if it’s not secured properly, or to other networks that are nearby. And I think it’s not good for enterprises in particular.

TS: Yeah, it’s pretty interesting actually. I mean, as you pointed out, Emotet continues to evolve and add to its bag of tricks and is consistently getting more and more sophisticated and switching up tactics and all of those kinds of things. But this actually is a really new wrinkle because it makes it more wormable, essentially. So it can just self-propagate through the use of Wi-Fi networks, and being able to sort of take to the air is really, you know, it was really interesting, and definitely stood out to me, you know, in terms of malware evolution. I mean, that’s very creative and innovative, I think, on the part of Emotet’s operators.

LO: I think that Emotet and the way that they did it too is interesting. Basically, the Emotet sample will first infect an initial system with a self-extracting file, and that contains the binaries that are used for the Wi-Fi spreading, and what those binaries will do is they’ll first search for and profile the nearby wireless networks. So they’ll look at their SSID, their signal and encryption and their network authentication method, and then they’ll use brute-force loops where they plug in passwords from an internal password list until they find the correct one. And it wasn’t clear whether that internal password list was from an already compromised list or what, but that was something I reached out to researchers for further information on because I thought that was kind of interesting. And then after that, the binary begins to enumerate and attempt to brute-force passwords for the devices that are on this newly infected network. And that includes administrator accounts, which of course opens up a whole new bag of malicious activities there. And then once successful, the binary will install on victim devices and pretend to be a service called Windows Defender System Service and then continue this process, so, as you can imagine, this would just rapidly spread Emotet. So I think what researchers were suggesting was, in this case, obviously look out for malspam types of messages. But the bigger issue here is that potential victims should use strong passwords to secure their wireless networks to prevent something like this from happening, which obviously they should be doing anyway, but this just kind of expounds on why they should be doing that.

TS: Yeah, no, for sure. I mean, the fact that that can all happen with no user interaction whatsoever, and then, like, bam, an entire corporate LAN could potentially be infected is pretty interesting. But as you say, the failsafe mechanism here would be strong passwords. So once again, you know, it goes back to basic security, you know, let’s make sure that we have a strong password or, you know, a better authentication system for corporate assets. And, you know, obviously this goes for consumers as well.

LO: I thought that was an interesting new method. But there was another interesting method too that you actually wrote about this week that researchers discovered, and that was, as you termed it, “bring your own bug,” a tactic that was discovered being used by the operators behind the Robbinhood ransomware in a recent cyberattack. Can you talk a little bit more about what that was?

TS: Yeah, sure. So this was research from Sophos. And actually I can’t take credit for “BYO Bug,” I really liked it though, so sorry. But they were actually the ones that, like, coined that. So basically, the perpetrators behind this Robbinhood ransomware attack basically infected a computer with an insecure driver that contains a vulnerability, so they were able to update a target computer, update the firmware using a peripheral hardware driver that Windows computers would actually see as being legitimate because it’s a validly signed certificate that it’s using. And so a Windows computer would be able to accept that as being legit; it essentially updates the firmware, and then once that’s done and that driver is installed on that computer, well, it’s insecure, it contains a vulnerability. So then the criminals can go back and exploit that vulnerability to attack the Windows kernel.

LO: Yeah, that’s a really interesting technique. And I know, in this case it was used by the Robbinhood ransomware, which, as you mentioned in your article, is best known for being behind that encryption attack on the city of Baltimore in 2019. Did the researchers mention whether this was a technique that either had been used or was being used by other bad actors? I know that they did say this was something that would definitely increase in the future. But is this something that is only being used at this point by Robbinhood?

TS: Yeah, so this was a novel technique that, you know, these researchers anyway, had not seen before. And in particular, it’s using a vulnerable driver, the driver from Gigabyte, which makes motherboards for computers, and so Gigabyte actually has deprecated this particular driver. So it’s not out there for new model computers, but it’s still floating around, the code is floating around, and the certificate has not been revoked on it. So, you know, it’s obviously a nice tool. And so now … the researchers were speculating that it’s very likely that we’ll see that replicated in other campaigns using other malware, and also using other vulnerable drivers, because they play up that the Gigabyte driver is not the only one that could be employed in this manner, because there are plenty of others that have been, you know, deprecated because they’re vulnerable, but, you know, still have valid certificates that go along with them. Stay tuned, basically.

LO: The Gigabyte driver was deprecated, too. I feel like that’s only helpful for bad actors, and especially in terms of this attack.

TS: Yeah, well, and one of the questions that I had actually was, so Verisign is the one that issued the certificate for the driver. So I would think that the fix here would just be to revoke the certificate. And I’m not sure; I did send an email to Sophos to find out if they reached out to Verisign requesting that, or what the remediation would be going forward. But yeah, I mean, clearly, you know, revoking certificates for drivers that have been deprecated and are no longer in use would seem to be a best practice. I mean, I realize that, you know, it’s a lot to keep up with if you’re a certificate authority, but it still, you know, seems as though that’s an easily exploitable hole.

LO: Yeah, I think, you know, that was another really big story this week, and also this week was Patch Tuesday craziness.

TS: Everyone loves it.

LO: But yeah, there were a couple. I know, Tara, you covered Microsoft’s massive Patch Tuesday. I think they had 99 patches for this week. And then I had covered some of the vulnerabilities addressed by Adobe and Intel. And then also the Firefox 73 update by Mozilla to their browser, fixing some security bugs. Were there any bugs from your standpoint, just before we wrap up this week, that really stood out to you for Microsoft?

TS: Yeah. So as you mentioned, there were 99 patches. So, you know, take one down, pass it around. Most notably though, there were five of those bugs that had already been disclosed, including one that was a zero day announced at the end of January, a memory corruption vulnerability that, you know, was listed as critical for most Internet Explorer versions, basically allowing remote code execution. So Microsoft had warned about this and said that there was a patch that was going to be forthcoming. And lo and behold, here it is on Patch Tuesday. So that should be prioritized, according to researchers, for any admin, along with the four other publicly disclosed bugs, because obviously attackers would have a leg up on exploiting those because they’ve known about them pre-patch. So that was kind of notable. And the other thing too is that, you know, there were only 12 critical vulnerabilities out of all 99, so that’s seen as the good news. Some of them were kind of interesting – one that really leapt out at me was actually an LNK remote code execution vulnerability, which is really similar to a bug that was exploited by the Stuxnet malware back in 2012. Which, if listeners remember, that’s the malware that was pioneered by the U.S. and Israel to take out the Iranian nuclear uranium enrichment facility; it is kind of a big deal. And it made use of an exploit for an LNK vulnerability that was very, very similar to this one. And that attack got around some air-gap defenses, and so it’s the same situation here. Dustin Childs at Trend Micro’s Zero Day Initiative said that this particular bug can also be exploited around air-gap defenses as well. So that’s, you know, kind of disturbing just for the implications for industrial environments and critical infrastructure.

LO: Yeah, Microsoft’s February update was, I think, probably one of the biggest that we’ve seen in a while. I’m not sure about the previous ones in terms of how many bugs were patched, if they were close to this, or if this was the biggest one that has been, you know, offered up, but Microsoft also this month isn’t going to be updating Windows 7. That’s kind of an interesting twist in it, too.

TS: Yeah, definitely. So that, you know, obviously presents some overhead for administrators as well. Also, researchers told us that, you know, even though it’s a lot of vulnerabilities, and to answer your question, the previous, I think, was back in August with 93 vulnerabilities, and I think, prior to that, I mean, for, you know, months if not years, it had not been anywhere close to this number. So, you know, it’s notable for the size for sure. Researchers did say that a lot of patches can be knocked out just with the standard action process. So, you know, if you update Windows, then that takes care of about 50 of the bugs right there, which is good. And then Office updates will resolve a lot of the other ones. But you do have a couple of outliers that you’re going to have to manually go in and kind of schedule and take care of. And so, you know, hopefully, it’s not too much to do some of the risk. And for administrators, they will have a little bit of work.

LO: You know, for all our listeners, it’s obviously important to patch and make sure that all your systems are up to date. So, Tara, thanks for coming on to the Threatpost podcast today and talking about some of the really interesting stories that we wrote about over the past week.

TS: Yeah, thanks for having me and Happy Valentine’s Day. I hope you have some champagne or something in your future.

LO: Definitely. For our listeners, catch us next week on the Threatpost podcast.

