The Good, the Bad and the Ugly in Cybersecurity – Week 26

The Good

This week saw good news as cops in Europe busted a gang said to be behind several million euros' worth of fraud. In a joint operation run by Belgian and Dutch police, an organised crime group involved in phishing, fraud, scams and money laundering was dismantled.

As a result of the operation, police made nine arrests and seized electronic devices, designer jewelry, firearms, cryptocurrency and tens of thousands of euros in cash. The arrested individuals were men between the ages of 25 and 36 and a 25-year-old woman.


The gang’s MO involved sending victims phishing links via email, text messages and chat apps including WhatsApp. The links led to fake banking websites, where victims were lured into entering their banking credentials, which the gang subsequently harvested.

It is believed the gang stole several million euros and used money mules to cash out the proceeds. Investigators believe that the group may also have been involved in drugs and firearms trafficking.

While the victims appear to have largely been located in Belgium, the suspects were all arrested in the Netherlands. This is another good example of how important collaboration between different law enforcement agencies is in tackling the cross-border nature of cyber crime.

The Bad

Last month we reported on a new zero-click remote code execution vulnerability affecting the Microsoft Windows Support Diagnostic Tool (ms-msdt), popularly known as Follina and more formally tracked as CVE-2022-30190. This week, Ukrainian cyber defense outfit CERT-UA spotted exploitation of Follina via a lure document titled “Nuclear Terrorism A Very Real Threat.rtf”.

It seems that the Russian GRU-linked threat actor APT28 is using fear of nuclear war to distribute malware via a poisoned Word document.


According to other researchers, the document is weaponized with Follina and downloads and executes a .NET executable that steals cookies and saved passwords from the Chrome, Edge and Firefox browsers. The stolen data is then exfiltrated via email to an attacker-controlled email account.

Several other attacks leveraging CVE-2022-30190 have been attributed to various APTs since Follina was first discovered four weeks ago, including Chinese-linked hackers and another Russian APT threat actor widely known as Sandworm. APT28 is just the latest jumping on the bandwagon.

While browser credential theft isn’t the most heinous of cyber crimes that organizations have to worry about, it’s worth remembering that credentials stored in browsers can provide threat actors with the kind of initial access they crave for long-tail hacks that are difficult to attribute or trace. It’s also a timely reminder for organizations to revisit their coverage for the Follina vulnerability. Microsoft finally got around to patching the flaw in its June 14th update, and security teams are urged to ensure they take appropriate mitigation measures.
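One way to check a Windows host's Follina coverage, as an added example that is not from the original article or from Microsoft: the script below reports whether the ms-msdt URL protocol handler that CVE-2022-30190 abuses is still registered and, when run with -Apply, backs up and deletes the HKEY_CLASSES_ROOT\ms-msdt key, which is the workaround Microsoft published for the flaw. The -Apply switch, the backup path and the assumption of an elevated session are this example's own; the workaround complements the June 14th update rather than replacing it.

```powershell
# Added example (not from the original article): report whether the ms-msdt URL protocol
# handler abused by CVE-2022-30190 is registered, and optionally apply Microsoft's published
# workaround (back up, then delete HKEY_CLASSES_ROOT\ms-msdt).
# Assumption: run in an elevated PowerShell session on the Windows host being assessed.
param(
    [switch]$Apply,
    [string]$BackupPath = "$env:TEMP\ms-msdt-backup.reg"   # assumed backup location
)

$keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

if (-not (Test-Path $keyPath)) {
    Write-Output 'ms-msdt protocol handler is not registered: the workaround is in place (or the handler was never present).'
    return
}

# Record which binary the handler points at, so the assessment shows what is actually wired up.
$command = (Get-ItemProperty -Path "$keyPath\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
Write-Output 'ms-msdt protocol handler is registered.'
if ($command) { Write-Output "Handler command: $command" }

if ($Apply) {
    # Export before deleting, so the handler can be restored once the June 2022 update is confirmed.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; not deleting the key." }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    Write-Output "Handler removed; backup written to $BackupPath."
} else {
    Write-Output 'Re-run with -Apply to back up and remove the handler (the published workaround).'
}
```

Once the June 14th update is confirmed installed on the host, the handler can be restored from the exported file with `reg.exe import`; the report-only mode is safe to run from an endpoint management tool across a fleet to find machines where neither the patch nor the workaround has landed.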

The Ugly

240 million users of cloud storage service MEGA received unwelcome news this week when researchers showed the company’s privacy claims fell somewhat short of the truth. MEGA advertises itself as offering “secure cloud storage and communication privacy by design”, boasting that “MEGA has a robust cryptographic process…no one will ever be able to access your data on MEGA. Even in the exceptionally improbable event MEGA’s entire infrastructure is seized!”


Unfortunately, it turns out that it is precisely the “robust cryptographic process” that is insecure. The research says that MEGA (or some entity with control over MEGA’s infrastructure) can decrypt user data, and that a malicious service provider could insert files into a user’s cloud storage.

In an advisory, MEGA admitted that the research identified flaws that could be exploited “either by MEGA acting maliciously or by an external party acting similarly”. Presumably, that includes MEGA complying with any confidential law enforcement or government order it might be served with.

The problem lies in the way MEGA “rolled its own” cryptographic architecture, a double whammy: the company has patched the initial attack vector used by the researchers, but the complexity of its own design means the underlying weaknesses remain unresolved. The company did reward the research team from ETH Zurich with a “significant payment”, but whether MEGA users will be satisfied that their data remains unreadable by the company, law enforcement, or “bad actors” remains to be seen.