Cybersecurity Week in Review: 10/19
Posted by: GuidePoint Security
Two themes are predominant in this edition of Week in Review:
#1—Cybercriminals are always watching and looking for specific information on you or vulnerabilities in your systems; and
#2—Criminals (either independent or those sponsored by nation-states) will take the easiest and most efficient way to hack your system.
This week we summarize the problems with unencrypted location data and tracking used by mobile applications, a new Remote Access Trojan (RAT) that uses a popular messenger application on mobile devices for command and control, and a recent National Security Agency (NSA) cybersecurity advisory on current Common Vulnerabilities and Exposures (CVEs) leveraged by Chinese state-sponsored attackers.
Who’s Watching Who?
While location data and tracking have countless legitimate uses, the extent to which apps are potentially revealing users’ location data to criminal elements is concerning.
An independent, non-profit watchdog agency focused on improving digital accountability recently reported on several popular apps exposing their users’ location data. These apps had been downloaded almost 10 million times.
The problem centers on an open-source SDK called MoPub, which lets app developers monetize their apps through targeted advertising. MoPub collects precise GPS location data so that apps can serve location-relevant ads. In 2018, cybersecurity firms discovered that MoPub transmitted this highly detailed location data unencrypted. The MoPub SDK has since been updated, but the fix only reaches users when each app ships a build containing the newer SDK, and several popular apps still ship older, unpatched versions.
Location tracking by apps is a standard, heavily used tool in countless industries, including advertising and retail, to identify audience trends. In most cases the data is encrypted in transit, available only through legitimate purchase, and used to identify patterns rather than individuals. However, a 2018 New York Times investigation examined location tracking in depth and found that although the companies doing the tracking claim to “anonymize” the data, so much of it is available that it is relatively easy to connect the dots and identify individuals (for example, by looking up who lives at the address where a particular smartphone spends every night). Unencrypted transmission makes this worse: the coordinates can be read not only by whoever compromises the app or its ad backend, but by anyone on the network path, such as another user on the same public Wi-Fi. In either case, cybercriminals, terrorist organizations or governments could use the data to stalk and target individuals.
You can read more on this SDK and the dangers of unencrypted data in this article.
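To make the two risks concrete, here is an added example (not code from the original article or from the watchdog report it cites). It scans a constructed egress log for GPS coordinates sent over plain HTTP, and then shows how pseudonymous location pings resolve to a home address: the cell a device reports most often at night is almost always where its owner sleeps. The log lines, device IDs, hostnames, coordinates and address table are all constructed for this example; a real investigation would use a property-records or reverse-geocoding lookup in place of the table.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of outbound requests as an egress proxy might log them:
# timestamp, pseudonymous device id, URL. Hosts, ids and coordinates are made up.
SAMPLE_LOG = """\
2020-10-12T02:14:07 dev-7a1f http://ads.example-sdk.net/v1/ad?lat=40.74844&lon=-73.98565&idfa=7a1f
2020-10-12T08:31:55 dev-7a1f https://ads.example-sdk.net/v1/ad?lat=40.75800&lon=-73.98550&idfa=7a1f
2020-10-12T23:02:11 dev-7a1f http://ads.example-sdk.net/v1/ad?lat=40.74845&lon=-73.98566&idfa=7a1f
2020-10-13T01:45:30 dev-7a1f http://ads.example-sdk.net/v1/ad?lat=40.74846&lon=-73.98564&idfa=7a1f
2020-10-12T03:10:00 dev-c9e2 https://ads.example-sdk.net/v1/ad?lat=41.88183&lon=-87.62328&idfa=c9e2
2020-10-12T12:00:00 dev-c9e2 https://ads.example-sdk.net/v1/ad?lat=41.87800&lon=-87.62900&idfa=c9e2
2020-10-12T23:30:00 dev-c9e2 https://ads.example-sdk.net/v1/ad?lat=41.88184&lon=-87.62327&idfa=c9e2
"""

# Constructed reverse-geocoding table standing in for a property-records lookup.
# Keys are coordinates rounded to 3 decimals (roughly a 100 m cell).
ADDRESS_TABLE = {
    (40.748, -73.986): "12 Example St, Anytown (constructed)",
    (41.882, -87.623): "98 Sample Ave, Othertown (constructed)",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
COORD_RE = re.compile(r"[?&](?:lat|latitude)=(-?\d+\.\d+)&(?:lon|lng|longitude)=(-?\d+\.\d+)")


def parse_log(text):
    """Yield (timestamp, device, url, lat, lon) for every line that carries coordinates."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, dev, url = m.groups()
        c = COORD_RE.search(url)
        if c:
            yield datetime.fromisoformat(ts), dev, url, float(c.group(1)), float(c.group(2))


def cleartext_location_leaks(text):
    """Devices whose coordinates left the phone over plain HTTP.
    Anyone on the network path (shared Wi-Fi, an ISP, a proxy) can read these."""
    return sorted({dev for _, dev, url, _, _ in parse_log(text) if url.startswith("http://")})


def infer_home(text, night=(22, 6)):
    """For each pseudonymous device, the cell it reports most often between
    22:00 and 06:00. Repeated night-time presence at one place is what turns
    'anonymized' pings back into a person."""
    start, end = night
    cells = defaultdict(Counter)
    for ts, dev, _, lat, lon in parse_log(text):
        if ts.hour >= start or ts.hour < end:
            cells[dev][(round(lat, 3), round(lon, 3))] += 1
    return {dev: c.most_common(1)[0][0] for dev, c in cells.items()}


def reidentify(text):
    """Map pseudonymous device ids to a street address via the inferred home cell."""
    return {dev: ADDRESS_TABLE.get(cell, "unknown") for dev, cell in infer_home(text).items()}


if __name__ == "__main__":
    print("cleartext GPS leaks from:", cleartext_location_leaks(SAMPLE_LOG))
    for dev, addr in reidentify(SAMPLE_LOG).items():
        print(f"{dev} -> {addr}")
```

Note that the re-identification step works just as well on data that was encrypted in transit and bought legitimately; encryption only removes the network eavesdropper, not the linkability of the data itself.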
RAT Malware Controls Go Mobile
A new Remote Access Trojan (RAT) makes administering and controlling the malware a lot easier for criminals, and it is sold as “malware as a service” (MaaS) for only $45 a pop.
RATs have always been an attractive weapon in a cybercriminal’s arsenal. Once a RAT infects a system it opens a backdoor that gives the attacker unrestricted access to that computer and, from there, to the network behind it. RATs are used for covert surveillance of computing systems and to change settings, reach connected systems, browse and steal files, or monitor user behavior on PCs and servers.
The operational constraint with RATs is that the criminal has to run the command-and-control side, which historically meant a network protocol of their own, a server to host it, and a laptop or desktop to operate it from.
Enter T-RAT 2.0, a new Remote Access Trojan currently promoted on Russian-speaking hacking forums. For only $45, criminals can infect a system and control it from their mobile device through Telegram channels. The Trojan’s author claims this gives buyers quicker and simpler access to infected computers from any location, on any device (including mobile devices), and the ability to trigger data-stealing or control features as soon as infection occurs, before the RAT is discovered and disabled. From a defender’s point of view, the choice of channel matters: the victim machine talks HTTPS to a widely used, legitimate service, so the traffic blends in, and the attacker needs no infrastructure of their own that could be taken down.
According to reports, T-RAT can do plenty to mess with a computer system, including:
- Log keystrokes
- Control the webcam
- Steal cookies and passwords
- Grant full access to file systems
- Record audio
- Disable the Taskbar
- Take screenshots
- Disable the Task Manager
- Execute CMD & PowerShell commands
- Restrict access to websites or cloud services
- Force quit processes
Notably, the T-RAT promoters also advertise that the malware’s “Stealer” component works against most Chromium-based browsers and supports several communication platforms, including Steam, Telegram, Skype, NordVPN and Discord.
This is not the first time criminals have leveraged the Telegram app for RAT command and control purposes. Previous Telegram-based RATs have included Telegram-RAT, HeroRAT, TeleRAT and RATAttack.
More information on T-RAT 2.0, including screenshots of the malware’s advertising is available in this article.
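Because the control channel is a public messaging service, the detection opportunity is the shape of the traffic rather than a suspicious destination. The following added example (not code from the article, from T-RAT, or from any product) scores proxy-log clients on two behaviours a Telegram-controlled RAT cannot avoid: repeatedly polling the Bot API for operator commands, and calling a send method to push data out. The Bot API URL layout (https://api.telegram.org/bot<id>:<secret>/<method>) is real; the log lines, client addresses and token are constructed, and the script assumes the proxy does TLS inspection (or that URLs come from a host-based agent), since otherwise only the hostname is visible.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, client, HTTP method, URL. The bot token
# is made up. Telegram desktop and mobile clients use their own protocol to
# Telegram's data centres, so Bot API calls from an endpoint are already unusual.
SAMPLE_PROXY_LOG = """\
2020-10-14T09:00:01 10.0.5.23 GET https://api.telegram.org/bot1234567890:AAHxConstructedTokenValue/getUpdates?offset=101&timeout=30
2020-10-14T09:00:32 10.0.5.23 GET https://api.telegram.org/bot1234567890:AAHxConstructedTokenValue/getUpdates?offset=102&timeout=30
2020-10-14T09:01:03 10.0.5.23 GET https://api.telegram.org/bot1234567890:AAHxConstructedTokenValue/getUpdates?offset=103&timeout=30
2020-10-14T09:01:10 10.0.5.23 POST https://api.telegram.org/bot1234567890:AAHxConstructedTokenValue/sendDocument
2020-10-14T09:01:34 10.0.5.23 GET https://api.telegram.org/bot1234567890:AAHxConstructedTokenValue/getUpdates?offset=104&timeout=30
2020-10-14T09:02:00 10.0.7.41 GET https://web.telegram.org/
2020-10-14T09:02:15 10.0.9.8 GET https://www.example.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# Bot API path: /bot<numeric bot id>:<secret>/<method>
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")

# Methods a RAT needs: polling for operator commands and pushing data out.
COMMAND_POLL = {"getUpdates"}
EXFIL = {"sendDocument", "sendPhoto", "sendMessage", "sendVideo", "sendAudio"}


def parse_bot_api_calls(text):
    """Yield (timestamp, client, bot_id, method) for Bot API requests in the log.
    The token secret is deliberately dropped: it grants full control of the bot
    and does not belong in a ticket or a SIEM alert."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _, url = m.groups()
        b = BOT_API_RE.match(url)
        if b:
            yield datetime.fromisoformat(ts), client, b.group(1), b.group(3)


def score_clients(text, poll_threshold=3):
    """Flag clients that poll getUpdates repeatedly (waiting for commands) or
    call a send* method (exfiltration). Also report the polling cadence, which
    for malware tends to be a fixed sleep rather than user-driven."""
    per_client = defaultdict(lambda: {"polls": [], "exfil": set(), "bot_ids": set()})
    for ts, client, bot_id, method in parse_bot_api_calls(text):
        rec = per_client[client]
        rec["bot_ids"].add(bot_id)
        if method in COMMAND_POLL:
            rec["polls"].append(ts)
        elif method in EXFIL:
            rec["exfil"].add(method)

    findings = {}
    for client, rec in per_client.items():
        polls = sorted(rec["polls"])
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        findings[client] = {
            "polls": len(polls),
            "poll_interval_s": round(sum(gaps) / len(gaps)) if gaps else None,
            "exfil": sorted(rec["exfil"]),
            "bot_ids": sorted(rec["bot_ids"]),
            "suspicious": len(polls) >= poll_threshold or bool(rec["exfil"]),
        }
    return findings


if __name__ == "__main__":
    for client, f in score_clients(SAMPLE_PROXY_LOG).items():
        print(client, f)
```

The bot id is worth keeping: it is stable across victims of the same campaign, so it can be pivoted on in other logs. The client at 10.0.7.41 is not flagged because web.telegram.org is a normal user-facing endpoint, not the Bot API; whether ordinary Telegram use is acceptable on a given host is a policy question this script leaves alone.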
Patch Early, Patch Often
Last week the United States National Security Agency (NSA) released an advisory listing the 25 Common Vulnerabilities and Exposures (CVEs) most often targeted by Chinese state-sponsored attackers. The list spans many products and services, most of them Internet-facing.
According to the NSA, state-sponsored cyber attacks are “one of the greatest threats” to US national security, defense systems, organizations, and industrial bases. The type of information attractive to state-sponsored attacks can include “sensitive intellectual property, economic, political, and military information.”
A key component of protecting US national security and defense infrastructure is constant attention to patching. No software is written perfectly, and vulnerabilities will inevitably be found in its code. Cybercriminals often find and exploit those weaknesses, but vulnerabilities are just as often found by the software vendor itself or by independent researchers participating in “bug bounty” programs; the CVE advisory exists precisely because the fixes are already public and waiting to be applied.
State-sponsored attackers typically follow the same process as other cybercriminals to exploit software and systems: identify a target, gather information, identify vulnerabilities, develop an exploit (or reuse an existing one), and then run the exploitation operation. Publicly known CVEs short-circuit the most expensive step, since a working exploit is often already available.
While some of the NSA-listed CVEs have specific additional mitigations, the NSA also recommends the following general mitigation steps:
- Keep systems and products updated and patched as soon as possible after patches are released.
- Expect that patching does not undo what happened before the patch: credentials, accounts, and software that were stolen or modified while the device was vulnerable remain compromised, so change passwords and review accounts as well.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in device configurations.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
- Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.
It is also important to note that the NSA advises organizations that the list of 25 vulnerabilities “…is non-exhaustive of what is available or perhaps used by Chinese state-sponsored cyber actors but is a list of those being operationalized by China.” In other words, even after you fix these vulnerabilities, expect Chinese state-sponsored attacks to continue as other vulnerabilities become known.
For more information, visit this official NSA Cybersecurity Advisory on the “Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities.” You can also read this article on the 25 most attacked vulnerabilities by Chinese hackers.
Final Words
When it comes to threat awareness, detection and protection, one of the biggest mistakes any individual or corporation can make is assuming cybercriminals or nation-state attackers are without creativity, ingenuity or business sense. In particular, I am drawn to the resourcefulness behind the development of the T-RAT malware, which leverages the mobile messenger app “Telegram” for RAT command and control.
In this case, cybercriminals recognized that time is of the essence when it comes to accessing a targeted computer system, because the minute the victim becomes aware they are being targeted, access will likely be cut off. Criminals and attackers understand they cannot be chained to a command-and-control console on a laptop or desktop 24/7. So, why not use a mobile device instead?
I’ve always argued that cybercriminals are good business people. To run a business, it is necessary to create efficiencies that maximize overall product/service effectiveness and profits. This is why it pays never to underestimate cybercriminals or state-sponsored attackers. The vast majority of the time, big money is riding on their endeavors, making them highly driven to find creative ways to achieve their goals successfully.
Staying one step ahead of criminals takes time, patience and commitment. While we may never fully achieve complete protection from cybercrime, it helps to be as creative, ingenious and dedicated as the criminals themselves.
As always, security is an action. We get out what we put into it.