Maximum PC - USA (2022-03)



>> Once a machine is compromised, a netcat process is spawned
to create an encrypted channel that can receive commands from
other peers. And if an infected machine is rebooted, it doesn’t
matter, as FritzFrog thoughtfully adds its own SSH key to the
machine, creating a persistent backdoor. It’s a fileless malware
too, so peers send ‘proto-files’ to one another by arranging in-memory
blobs, which are reconstructed and decrypted at the
other side, leaving no trace.
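The persistence trick above is an extra line in `authorized_keys`, so the defender's check is to fingerprint every key in that file and compare it with the keys that were actually provisioned. The following is an added example, not code from the article or from any vendor tool; the key material, comments and `from=` address are constructed sample data.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of known keys."""
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Return (options, keytype, blob, comment) for each key line in the file."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # Lines may carry options such as from="..." before the key type.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # skip malformed lines
        entries.append((" ".join(fields[:idx]), fields[idx], fields[idx + 1],
                        " ".join(fields[idx + 2:])))
    return entries

def unknown_keys(text: str, allowed: set) -> list:
    """Entries whose fingerprint is not on the allowlist: candidates for removal."""
    return [e for e in parse_authorized_keys(text) if fingerprint(e[2]) not in allowed]

def ed25519_blob(raw_pubkey: bytes) -> str:
    """Build an ssh-ed25519 wire blob (constructed test data, not a real key)."""
    body = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + raw_pubkey
    return base64.b64encode(body).decode()

# Constructed sample: one provisioned admin key plus one nobody added on purpose.
ADMIN_KEY = ed25519_blob(b"\x01" * 32)
ROGUE_KEY = ed25519_blob(b"\x02" * 32)
SAMPLE_FILE = f"""# keys provisioned by configuration management
from="192.0.2.10" ssh-ed25519 {ADMIN_KEY} admin@workstation
ssh-ed25519 {ROGUE_KEY} root@unknown-host
"""
ALLOWED = {fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for options, keytype, blob, comment in unknown_keys(SAMPLE_FILE, ALLOWED):
        print("unknown key:", keytype, fingerprint(blob), comment)
```

On a real host the allowlist would come from whatever provisions the keys (configuration management, a bastion inventory), and the check is worth running on a schedule rather than once.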
>> All this might sound like only server operators need worry,
but is a desktop not just a server with a screen and fewer
services? We should probably not get complacent. Many readers
will have devices on their home networks that are reachable by
SSH, web, or any number of other interfaces. Raspberry Pis,
Kodi instances, and NAS boxes can easily be identified (such as
by using the shodan.io scanning engine) and, if they still have the
default passwords, they are as good as owned.
>> Many readers will be running VPSes or cloud instances, and
it’s really important to keep the software on these up to date.
One of the most popular (and useful) uses for these is running
Nextcloud—and no one wants their Nextcloud data to be lost or
held to ransom.
>> If you’re running Nextcloud, do yourself a favor and hit up
the security scan at https://scan.nextcloud.com. It will give your
security a grade, rating it from A+ to F, and offer you helpful
advice on how to get a better grade. This covers simple things
like upgrading to a supported version (Nextcloud 22 is out,
hooray!) as well as more complex things, such as configuring a
Content Security Policy (CSP) on your web server.
>> Good ‘old-fashioned’ spam never really went out of fashion
(and poisoned email attachments are a popular way to spread
ransomware), so anyone running a mail server should take extra
care. Email server hosting software Mail-in-a-box (MAIB) makes
this easy, but despite the complications in setting up your own
mail server (we still don’t understand Glue Records), it’s actually
trivially easy for malware to set one up in the blink of an eye.
>> This apparent paradox comes from the fact that malware
really just wants to send lots and lots of mail. Of course, it
doesn’t care about receiving it, and it doesn’t even care if most
relays reject the vast amounts of spam it spews forth.

>> It has been estimated that takings from the
ransomware industry are running to over $20 billion per
year and that there is one ransomware attack every 11
seconds. Despite REvil shutting up shop (or having their
shop otherwise shut down), there’s no indication that
these attacks are slowing down or becoming in any way
less lucrative.
>> However, law enforcement and the tech industry
are fighting back. In October 2021, Ukrainian Yaroslav
Vasinskyi was arrested in Poland, having been indicted
in the US in August. Vasinskyi, alongside Yevgeniy
Polyanin, who was arrested in Russia in January this
year, is alleged to have been involved with REvil. The US
Government has stated that it is willing to offer a reward
of up to $10 million for information on REvil’s leadership,
and $5 million for information on anyone planning to
launch an attack with its software.

It’s worth remembering that a determined and resourceful
adversary could probably hack a regular desktop user if
they wanted to, regardless of your choice of OS. But that
doesn’t mean we should give up, switch off our firewalls and
scream “it’s PASSWORD1” into the bleak night.
Recycled passwords are a common cause of attack and
there’s no reason not to be using a password manager
today. We recommend the open-source KeePassXC
(https://keepassxc.org/), which can be run on Windows
or Linux, but there are all kinds of other FOSS offerings as
well as cloud solutions. If you prefer things text-based, on
Linux there’s the pass program that can manage a clean
password hierarchy via GPG and (optionally) Git.
Protecting your important accounts with Two Factor
Authentication (2FA) should be a given now. And using your
phone as a second factor isn’t infallible. Many applications
and services now support time- or HMAC-based One-Time
Passwords, and you don’t have to use Google Authenticator
to use them. Even Google’s own services allow you to use
an alternative application. Authy by Twilio is popular, but
for optimal open-source goodness, we wouldn’t hesitate
to recommend Aegis. You’ll find it on the F-Droid app store,
alongside everything you need for a Google-free phone.
If the worst happens and you do get hit by a cyber-attack,
there are agencies that can help. In the US, we have the
Cybersecurity and Infrastructure Security Agency (https://www.cisa.gov),
while in the UK, there is the National Cyber Security Centre
(https://www.ncsc.gov.uk).

FINAL THOUGHTS

>> Cybercowboys want your 1990s PCs and they won’t rest
until they have your cyberdollars or other digital tokens.
