Backdoor Found in Codecov 💻, Telegram Used to Control Malware 💬, REvil Targets Apple 🍏

CyberLite Apr 27, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

📰 News

Catching you up on everything important that happened this week…

🛠 Backdoor in Codecov

Codecov is a tool that helps developers test their code by showing which parts of it are being successfully tested and which are being missed. This week Codecov found that a backdoor had been present in one of their tools for four months. The affected tool (Bash Uploader) was used by developers to upload their testing reports to Codecov for analysis. The backdoor allowed attackers to export authentication keys and tokens used by the application being tested. At the moment it's unclear who installed the backdoor. Codecov claims to have 29,000 customers including Procter & Gamble, web hosting firm GoDaddy and software company Atlassian. Link.
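The Bash Uploader story is the classic "download a script and run it" supply-chain problem: a tool that is fetched fresh on every CI run can change underneath you without anyone noticing. One defensive habit is to pin the hash of the script you expect and refuse to execute anything else. The snippet below is an added example written for this issue, not Codecov's own code or its recommended procedure; the pinned hash is assumed to come from a trusted out-of-band source (a release note, a signed manifest), and the demo uses a constructed file whose SHA-256 is public knowledge.

```shell
#!/bin/sh
# Added example (not Codecov's code): pin the SHA-256 of a downloaded
# uploader/installer script and refuse to run it when the digest differs.

# Portable SHA-256 of a file: GNU coreutils on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch.
verify_sha256() {
  actual=$(sha256_of "$1") || return 1
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "hash mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# run_verified FILE EXPECTED_HEX -> executes the script only if it matches
# the pinned digest. Replace "sh" with "bash" if the script requires it.
run_verified() {
  verify_sha256 "$1" "$2" || return 1
  sh "$1"
}

# Demo on a constructed file. The digest below is SHA-256("hello") with no
# trailing newline, a well-known value, standing in for a pinned release hash.
demo() {
  tmp=$(mktemp)
  printf '%s' 'hello' > "$tmp"
  verify_sha256 "$tmp" 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 \
    && echo "pinned hash matches, safe to run"
  rm -f "$tmp"
}

demo
```

In a pipeline you would call `run_verified ./uploader.sh "$PINNED_SHA256"` instead of piping the download straight into bash; a mismatch then fails the build loudly rather than silently running whatever the CDN served that day. Pinning means you must update the hash when you deliberately upgrade the tool, which is exactly the review step a tampered release is supposed to fail.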

🦊 Telegram Used to Control Malware

Security Researchers at Check Point Software have been analysing a remote access trojan (RAT) known as ToxicEye that's often used to install ransomware. They found that the attackers were using an unorthodox method to control the malware - they'd built Telegram into ToxicEye and were using it to send commands in the form of Telegram messages.

The suspected reason for this is really interesting, Idan Sharabi, Research Manager at Check Point said “We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber attacks, which can bypass security restrictions”. Telegram talks a good talk when it comes to security, so it's not surprising that many organisations allow it on their network. Link.

🔐 Ransomware Gang REvil Targets Apple

The REvil ransomware gang launched a ransomware attack against Quanta, a Taiwanese electronics manufacturer that counts Apple as one of its customers. This enabled REvil to get their hands on the design schematics for lots of Apple products, including the new iMacs and iPads that were announced this week.

Just hours before the iMac/iPad announcement REvil leaked the details about all the products being unveiled. To really stick it in, they've now demanded $50 million from Apple to return all the other stolen files. Link.

📧 Passwordstate Password Manager Update Added Backdoor

Attackers were able to compromise the update mechanism for the enterprise password manager Passwordstate, developed by Click Studios. They added malware that attempted to harvest passwords stored in Passwordstate.

Everyone in security will bang on and on about why you should be using a password manager, but do your research and pick a good one. Link.

💸 Attackers Hiding External Sender Warnings on Emails

Many organisations use email security products that add a warning to emails that come from "external sources", that is, anyone outside of your organisation. This is a common tactic that's used to protect employees from phishing attacks, as external emails are more likely to be malicious. These products add the warnings by inserting HTML and CSS into the email before showing it to a user. However, researchers have found that an attacker can add their own CSS instructions to the email that ensure any warning that's inserted isn't shown to the user.

In an ideal world these warnings are built into the email client (e.g. Outlook) itself so that the warnings will be unaffected by any code an attacker has added to the email. Link.
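Until the client renders the banner itself, a gateway can at least look for stylesheets in the incoming message that target its own banner and neutralise the message. The code below is an added example for this issue, not from the article or from any email security product: it assumes a banner inserted as an element with a known class (here `.ext-warning`, an assumption), pulls every `<style>` block out of the HTML, and reports rules that both target that class and contain a declaration that would hide it. The sample email is constructed for the demo.

```javascript
// Added example (not the article's or any vendor's code): find CSS rules in an
// email body that would hide an injected "external sender" banner.
// The banner class name ".ext-warning" is an assumption for this demo.

// Return the contents of every <style> block in an HTML string.
function extractStyleBlocks(html) {
  const blocks = [];
  const re = /<style[^>]*>([\s\S]*?)<\/style>/gi;
  let m;
  while ((m = re.exec(html)) !== null) blocks.push(m[1]);
  return blocks;
}

// Split a stylesheet into { selector, declarations } records. Comments are
// stripped first; rules nested inside @media blocks are still picked up
// because the regex only matches innermost {...} groups.
function parseRules(css) {
  const rules = [];
  const noComments = css.replace(/\/\*[\s\S]*?\*\//g, '');
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(noComments)) !== null) {
    rules.push({ selector: m[1].trim(), declarations: m[2].trim() });
  }
  return rules;
}

// Declarations that make an element invisible or its text unreadable.
const HIDING_PATTERNS = [
  /display\s*:\s*none/i,
  /visibility\s*:\s*hidden/i,
  /opacity\s*:\s*0+(?:\.0+)?(?![.\d])/i,
  /(?:max-)?height\s*:\s*0(?:px|em|%)?(?![.\d])/i,
  /font-size\s*:\s*0(?:px|em|%)?(?![.\d])/i,
  /color\s*:\s*transparent/i,
];

// Return every rule whose selector mentions one of the banner's selectors and
// whose declarations would hide the banner. An empty result means no direct
// attempt to suppress the banner was found in the message's own styles.
function findBannerHidingRules(html, bannerSelectors) {
  const hits = [];
  for (const css of extractStyleBlocks(html)) {
    for (const rule of parseRules(css)) {
      const targetsBanner = bannerSelectors.some((s) => rule.selector.includes(s));
      const hides = HIDING_PATTERNS.some((p) => p.test(rule.declarations));
      if (targetsBanner && hides) hits.push(rule);
    }
  }
  return hits;
}

// Constructed sample: the gateway's own banner style plus a second style
// block that overrides it. Neither reflects a real product's markup.
const SAMPLE_EMAIL = `
<html><head>
<style>
  /* style the (hypothetical) gateway inserts alongside its banner */
  .ext-warning { background: #ffe; color: #900; padding: 6px; }
</style>
<style>
  /* block present in the message body that overrides the banner style */
  .ext-warning { display: none !important; }
</style>
</head><body>
<div class="ext-warning">CAUTION: This email originated from outside the organisation.</div>
<p>Hi, please review the attached invoice.</p>
</body></html>`;

const suspicious = findBannerHidingRules(SAMPLE_EMAIL, ['.ext-warning']);
console.log(`${suspicious.length} banner-hiding rule(s) found`, suspicious);
```

This is a detector, not a fix: a message could still hide a banner with a broad selector (`div { display: none }`), an inline `style=` attribute or a stylesheet loaded remotely, which is why the article's point stands that the banner belongs in the client rather than in the message body. A gateway that finds hits here should strip the offending `<style>` blocks or raise the message's risk score, and should treat a generic selector with a hiding declaration as worth a look too.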

🤔 Parler Returns to the App Store

Apple has approved the return of Parler, one of the apps removed from the store in January for failing to remove content that may have incited violence during the Capitol riots.

Apple says that Parler's content moderation changes are acceptable and it can be allowed back on the App Store. It's good to see Apple reviewing and amending its decision here given how complex content moderation is; Parler won't be the last app to find itself struggling with it. But we'll have to wait and see if everything Parler's said actually pans out in reality. Link.

🛢 NitroRansomware Asks for Discord Gift Codes

NitroRansomware is a ransomware strain with a pretty unusual method for getting victims to pay their ransom. It asks users to purchase a Discord Nitro gift code and then input it into the malware to decrypt their files.

Discord is a communication platform frequented by gamers that provides voice, video and text chat. Normally it's free to use, but you can purchase a premium subscription known as Nitro for $9.99 a month. Conveniently for these attackers you can also purchase gift codes which can be redeemed for one month of Nitro.

So why do this? Gift codes have been used before in ransomware attacks because the criminal infrastructure already exists for reselling gift cards and they can be used for money laundering. Although Discord Nitro is certainly a strange choice - surely an Amazon or iTunes gift card would be easier for attackers. Link.

🛠 Cellebrite Reverse Engineering

Cellebrite is a company that specialises in breaking into locked phones and extracting data; their devices are used by law enforcement across the globe. They recently announced that they had added support for the encrypted messaging platform Signal, which Signal's founder Moxie Marlinspike wasn't particularly keen on. So Moxie got his hands on a Cellebrite device and carried out his own security analysis.

In a surprise to nobody, despite the device's purpose being to exploit vulnerabilities, the security of the device itself was very poor. By placing a specially crafted file on a phone and plugging it into the Cellebrite machine, Moxie was able to execute any code that he wanted. So he created a file that alters any data that a Cellebrite machine extracts from a smartphone, making everything extracted from the phone useless. But the file doesn't stop there: it also goes through all the data that the device has extracted from other phones and alters that as well.

Moxie closed off the blog post by hinting that an upcoming Signal update would install this anti-Cellebrite file on a number of users' devices. He did offer to disclose all of the vulnerabilities he found in Cellebrite's software, but only if they disclosed all the vulnerabilities that they use to break into locked iPhones; given that's the crux of Cellebrite's business, it's not likely. Link.

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

A vulnerability in Pulse Secure VPN is being actively exploited; it's a zero-day authentication bypass and as of writing no patch has been made available. Link.

An interesting vulnerability was discovered this week in Homebrew, a popular software package manager for Linux and macOS. The vulnerability would allow attackers to add malicious code into Homebrew repositories without it being approved by the repository's owners. Link.

Two vulnerabilities in QNAP applications have been patched. QNAP produce network attached storage (NAS) devices and software that accompanies them. The vulnerabilities were an SQL injection and an authentication bypass. Link.

Google released an update on Tuesday for Chrome that fixed seven vulnerabilities, one of which was being actively exploited. Link.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

Back in 2016 Apple was asked to unlock the iPhone of the San Bernardino terrorist; when they refused, law enforcement turned to security companies, who happily obliged. The Washington Post has published a long story that covers all the details we didn't hear about. Link.

During the pandemic we've been using QR codes much more, whether that be to sign in to venues or to fill out what feels like thousands of pandemic-related forms. But they do present an incredibly easy way for an attacker to get people to visit a website that they assume is trustworthy. Link.

The latest macOS version allows you to edit push notifications, so the obvious next step for the internet was to build Flappy Bird inside of a notification. Link.

I've heard of quantum computers, but the idea of a quantum internet was completely new to me. Here's an article about a recent breakthrough. Link.

With Jeff Bezos leaving Amazon it was time for his final shareholder letter. The biggest takeaway was that he saw Amazon winning the vote to prevent unionisation as a signal that they have to do better. Hopefully this will lead to some changes for the 1 million people who now count themselves as Amazon employees. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do, please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.
