The Good, the Bad and the Ugly in Cybersecurity – Week 42

The Good

It has been a rather busy week for the good guys in cyber-land. In addition to the whittling of Trickbot’s infrastructure, this week a coordinated effort between Europol and several countries dealt a harsh blow to a well-established money laundering operation. Multiple members of the QQAAZZ group were charged in connection to their long-running “cash-out” service (aka money laundering).

This group advertised their services in high-traffic crime forums. They provided a critical service to operators of large botnets as well as those running cryptocurrency theft operations. Among their clients were many of the most prolific and high profile malware families, including actors behind Trickbot and Dridex.

The indictment against the QQAAZZ group outlines their activities. It is estimated that since 2016, the group facilitated the laundering of tens of millions of dollars in illicit funds. The group was extremely well distributed, leveraging “hundreds of corporate and personal bank accounts at financial institutions throughout the world”. These accounts were all used as repositories for funds extorted, or harvested, from victims of associated malware attacks. The QQAAZZ group members, spread all across the globe, would then filter or tunnel the funds, take a small ‘cut’ for their services, and then provide the newly-obfuscated monies to their clients…often in the form of cryptocurrency.

So called “cash out” or “bank drop” services are a dime a dozen in the cybercrime landscape; however, this group’s ties to top-tier malware operations put them in a unique and dangerous position. These legal victories are critical in the ongoing battle against sophisticated cybercriminals. Hopefully the momentum will increase as the law synchronizes more with the current state of cybercrime. Any effort that makes it more difficult for the bad guys to profit is a good thing!

The Bad

This week included the 2nd Tuesday of the month. Of course we all know what that means: Patch Tuesday! There are several critical flaws covered in this months’ release from Microsoft. While none of the newly-documented flaws are quite as severe as Zerologon, there are some vulnerabilities that definitely need to be reviewed and mitigated.

One in particular, CVE-2020-16898, seems to be getting a large portion of attention. This flaw affects the Windows TCP/IP stack and can potentially lead to a DoS (denial-of-service) or remote code execution. The issue specifically relates to the improper handling of ICMPv6 Router Advertisement (RA) packets. Exploitation of the vulnerability requires that an attacker send specially-crafted ICMPv6 RA packets to an exposed remote host. Due to the relative simplicity of exploitation, some are referring to this as a new variation on the ‘Ping of Death’.

As of this writing (October 15th), we have not yet observed true, in-the-wild, exploitation of this vulnerability. There are, however, multiple proof-of-concept exploits available, which suggests that it is only a matter of time before we see the arrival of in-the-wild attacks leveraging this flaw.

Microsoft’s October security release cycle addresses CVE–2020-16898, but there are also a few workarounds that may be helpful for interim mitigation. ICMPv6 RDNSS can be disabled, thus removing exposure to the flaw. For Windows 1709 and above, the following PowerShell command can be issued to disable ICMPcv6 RDNSS:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

It is also important to note that the vulnerability is not publically routable. Exploit-laden packets can only be transmitted via the local subnet. We recommend that organizations review the details around CVE-2020-16898, as well as all the other releases in this month’s update and take necessary action to mitigate risk and/or reduce exposure to this potentially dangerous flaw.

The Ugly

The debate over encryption “backdoors”, or whether governments and law enforcement should be able to circumvent encryption for their own needs is volatile and divisive. It is difficult to even discuss without taking, or appearing to take, a side. For today’s purposes, we do not wish to engage in, or add sparks to, that fiery debate. However, it is important to be aware of current events and developments pertaining to this issue. Recently, the Five Eyes intelligence-sharing collective along with government representation from multiple countries met to discuss this very topic. Specifically, the talks were focused on enabling governments, as well as law enforcement, to have special abilities to access otherwise-hardened end-to-end encrypted communications.

These talks, which included delegates from India and Japan, resulted in a statement urging large technology companies to cooperate with a solution that meets these needs. Part of the statement reads:

“…while encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online.”

The signatories to the statement, which include the UK’s Home Secretary Priti Patel and US AG William Barr, go on to state that:

“we challenge the assertion that public safety cannot be protected without compromising privacy or cyber security. We strongly believe that approaches protecting each of these important values are possible…”

Given the nature of this topic, most relevant technology companies are hesitant to entertain these requests. Adding further complexity to the debate, the current statement pertains not only to standard encrypted messaging but also more robust encrypted systems including “device encryption, custom encrypted applications, and encryption across integrated platforms”.

Regardless of where you may stand on this issue, we encourage you to review the newly-released press release, and stay abreast of the efforts of various governments and organizations as they relate to the ongoing safety, security and privacy of all global citizens.