Cybersecurity Week in Review: 2/15/21
Posted by: GuidePoint Security
This week we report on claims of a $20 million ransomware attack against a major US car brand and its parent company, the failure of a major app developer to fix known vulnerabilities in a mobile app for Android devices, and problems with a zero-day bug in WebKit-based browsers that enables criminal malvertisers to redirect iOS users to websites containing malicious advertising campaigns.
Apparent $20M ransomware attack targets major US car company
After a major US car brand and its parent company experienced a nationwide IT outage early last week, news sources started reporting that the automotive company had been targeted with a DoppelPaymer ransomware attack—a claim that the car company has denied.
The car company’s problems began on or around February 14, with a nationwide “outage” that affected mobile vehicle control apps, phone services, owner portals, internal dealership sites, and payment systems. In particular, the non-functioning mobile vehicle control app caused significant consternation among this brand’s car owners, since it provided remote start, charging, locking and unlocking of the vehicle, and control of the car’s climate control systems. With dangerous cold weather and storms hitting the country, and with massive power outages in places like Texas, customers took to social media to describe their frustration, with many stating that they had quite literally found themselves ‘out in the cold’ with limited ability to get into their cars and get warm.
On February 16, Bleeping Computer reported the outage and suggested the possibility of a ransomware attack based on information coming from individual dealerships. The next day, security researchers at Bleeping Computer appeared to confirm this suspicion by obtaining a copy of the ransom note created during the attack. The ransom note—released by Bleeping Computer—uses the double extortion method, demanding $20 million for the decryptor and the promise not to release stolen data. The ransom note also specifically names the car brand and its parent company.
In addition to the ransom note, Bleeping Computer also published images of the victim page on the DoppelPaymer Tor payment site. The page claimed that a “huge amount” of data was stolen from this motor company and would be released in 2 – 3 weeks should the company refuse to negotiate with the criminals.
Yet, in spite of strong evidence that both the car brand and parent company were victims of the DoppelPaymer ransomware, five full days later both companies were claiming they were simply experiencing an extended system outage and there was no evidence of a ransomware attack. Hmm.
DoppelPaymer
The DoppelPaymer ransomware is believed to be based on the BitPaymer ransomware that originated in 2017, although there are some differences. DoppelPaymer initiates its criminal activities by first infiltrating systems via spam emails containing spear-phishing links or malicious attachments. Once the malicious code is activated, it downloads additional, more advanced capabilities. Once inside the network, the criminals do not immediately encrypt devices. Instead, they move laterally to find high-value information to steal. Only after the high-value data has been exfiltrated is the encryption payload executed. DoppelPaymer also changes user passwords before forcing a system restart into safe mode, locking legitimate users out of the system.
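As an added illustration of the pre-encryption behaviour described above (example code, not part of the original post): a small detector that flags a host where a burst of account password resets is followed, within a short window, by a boot-configuration change that forces safe mode. The JSON field names, the use of Windows Security event 4724 and Sysmon event 1 as the record shapes, the thresholds, and the sample records are all assumptions of this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Event 4724 is the Windows
# Security "password reset attempted" event; event 1 is Sysmon process creation.
# The field names are this example's own simplification of those records.
SAMPLE_EVENTS = [
    '{"ts": "2021-02-14T01:10:00", "host": "srv-01", "event_id": 4724, "target": "alice"}',
    '{"ts": "2021-02-14T01:10:05", "host": "srv-01", "event_id": 4724, "target": "bob"}',
    '{"ts": "2021-02-14T01:10:09", "host": "srv-01", "event_id": 4724, "target": "svc-backup"}',
    '{"ts": "2021-02-14T01:12:30", "host": "srv-01", "event_id": 1, "cmdline": "bcdedit /set {default} safeboot minimal"}',
    '{"ts": "2021-02-14T09:00:00", "host": "ws-07", "event_id": 4724, "target": "carol"}',
    '{"ts": "2021-02-14T09:30:00", "host": "ws-07", "event_id": 1, "cmdline": "cmd.exe /c dir"}',
]

WINDOW = timedelta(minutes=30)   # how far back to look for password resets
MIN_RESETS = 3                   # a single help-desk reset should not alert


def parse(lines):
    """Decode one JSON record per line and return them in time order."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_safe_mode_staging(lines):
    """Return one alert per host where >= MIN_RESETS password resets precede,
    within WINDOW, a command that configures the next boot into safe mode."""
    resets = defaultdict(list)
    alerts = []
    for e in parse(lines):
        if e["event_id"] == 4724:
            resets[e["host"]].append(e["ts"])
        elif e["event_id"] == 1 and "safeboot" in e.get("cmdline", "").lower():
            recent = [t for t in resets[e["host"]] if e["ts"] - t <= WINDOW]
            if len(recent) >= MIN_RESETS:
                alerts.append({"host": e["host"], "resets": len(recent),
                               "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_safe_mode_staging(SAMPLE_EVENTS):
        print("possible ransomware staging:", alert)
```

The point of pairing the two signals is that either one alone is noisy; together they describe the lock-out-then-reboot step that, per the write-up above, precedes encryption.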
In addition to the coverage by Bleeping Computer, details on this massive and alleged ransomware attack can also be found here and here.
App creator ignoring requests to patch bugs in Android app with almost two billion downloads
Despite three months of warnings about unpatched vulnerabilities in the SHAREit app, the application’s developers still have not responded.
SHAREit is an Android mobile app—downloaded 1.8 billion times—that allows users to share files between people and devices. According to security experts, malicious code installed on a victim’s Android device can hijack the SHAREit app’s legitimate features to run custom code, overwrite files, and install additional third-party apps. The SHAREit app is also highly susceptible to a “man-in-the-disk” attack, in which sensitive app resources can be deleted, edited, or replaced.
Security researchers discovered the app’s problems three months ago and immediately alerted the app vendor. However, when no response was forthcoming, the security researchers decided to disclose their research publicly.
This isn’t the first time vulnerabilities have been discovered with SHAREit. The bevy of ongoing problems has resulted in the app being banned in at least one country due to concerns about national security.
Multiple news sources have reached out to the app vendor but have not received any response as of this posting.
You can read more on this story here and here.
Malvertising group redirecting web users to websites with fake gift card scams
Security researchers reported last week that the ‘ScamClub’ malvertising group had exploited a zero-day vulnerability in WebKit-based browsers to inject malicious code and redirect unsuspecting users to fake websites touting gift card scams. The malicious ad impressions spiked as high as 16 million in a one-day period.
The attacks leveraged a bug (CVE-2021-1801) that enabled the ScamClub criminals to run malicious code by bypassing the HTML Inline Frame element (iframe) sandboxing policy in the Safari and Google Chrome browser applications for iOS.
ScamClub is infamous for malvertising attacks that involve inundating the advertising ecosystem with massive volumes of malicious ads, on the premise that even if most of the ads are blocked, enough will get through undetected to generate impressions. ScamClub is known for targeting iOS users in particular.
In this malicious ad campaign, researchers found that the ScamClub criminals had delivered over 50 million malicious impressions over a 90-day period.
The vulnerabilities were reported to both the Apple WebKit and Google teams in June, with patches for Chrome released in December 2020 and patches for Safari in early February 2021.
You can learn more about the ScamClub and this particular attack here, here, and here.
Final Words
One of the themes that emerged in this week’s articles is the difference in how organizations respond to a security problem. Some companies acknowledge the problem and get to work fixing what they can, while other companies either ignore the security concern or issue confusing statements suggesting alternative facts about the source of the problem.
When it comes to cybercrime, it is essential to remember that most individual states and U.S. territories do have legislation requiring notification of security breaches involving personal information. Depending on the type of information involved in the breach, other laws or regulations may apply, such as the HIPAA Breach Notification Rule.
If your organization is notified of a vulnerability or you experience a breach, it pays to take some time to understand your obligation when it comes to your response.
Information and recommendations on responding to a cyberattack can be found at these sources:
- Federal Trade Commission—Data Breach Response: A Guide for Business
- NIST—Responding to a Cyber Incident
- NIST—How to Respond to a Cyber Attack
- FBI—Cyber Crime
- Department of Homeland Security, Cybersecurity & Infrastructure Security Agency—Cyber Incident Response