This Week in Security: a New 'Type' of Breach Leaks, and a Galaxy Falls

Andromeda Purged From the Criminal Universe

The week began with a rather significant announcement out of Europol. The Andromeda botnet (and associated economy) was taken down via a joint effort from international law enforcement agencies. The FBI, EC3[1], J-CAT[2], Eurojust, and several private sector entities cooperated to bring down Andromeda and related operations.

The Andromeda botnet has been in operation since 2011. The Andromeda malware was sold heavily, in a variety of configurations, in numerous crime forums and markets. One of the design's strengths was its modularity, which allowed for easy expansion of functionality (e.g., additional keyloggers, form-grabbers, and other similar plug-ins). Like many other ‘kits’ of days past (DNA, Dark Comet, Pony Loader), it was very easy to use, expand and manage. Also similar to kits of that ilk, it was common for less-sophisticated criminals to gain access to ‘cracked’ or otherwise ‘free’ versions of the kit.

Because of the built-in modularity, Andromeda functioned very well as both a multi-function Remote Access Trojan (RAT) and as a vehicle to spread and maintain other/additional malware. According to a press release out of Europol:

“Andromeda’s main goal was to distribute other malware families. Andromeda was associated with 80 malware families and, in the last six months, it was detected or blocked on an average of over 1 million machines every month. Andromeda was also used in the infamous Avalanche network, which was dismantled in a huge international cyber operation in 2016.”

The story becomes even more interesting, from an OPSEC perspective, when we learn how the author was identified via his ICQ number, which had been tied to him since at least 2005. This ICQ number was tied to his criminal operations (often under the alias ‘Ar3s’) as well as his personal communications, thereby removing any doubt that ‘Ar3s’ and Sergey Jaretz were indeed the same person/entity.

Jaretz/Ar3s is tied to other well-known tools, one example being SMTP Bruter.

It’s always nice to see these types of successful takedowns occur. That being said, for every one that is taken down, there is a seemingly infinite supply of other threats/kits/bots out there to fill its place. Continuing to embrace strong computer-user hygiene and employing powerful prevention controls is paramount to staying safe and threat-free.

Virtual Keyboard Vendor Leaks Real Information

There was no shortage of breach and leak news this week. One of the more disturbing examples came by way of A.I.Type. According to recent reports, approximately 31 million people were affected by a poorly configured MongoDB database, which was exposed to the universe. Close to 577 GB of user data was stored in a manner for all to see.

The real issue here (beyond the database security issue) is the ‘robustness’ of the user data. In addition to basic name and email address data, the company was also storing device information (make, model, IMEI and IMSI numbers, screen resolution and stats, and more). On top of this, it was reported that even more ‘personal’ data was leaked, including trended location data along with network and associated identification information. 

As always, one must ask a) how much do these third-party apps really need access to in order to perform their core function (in this case, a custom keyboard), and b) how much are we willing to give up in order to use/enjoy these apps? It always boils down to a risk management decision, and the real power is in the hands (literally) of the device users.

Even more concerning, in this particular case, is that this is not the first time A.I.Type has fallen under scrutiny around privacy issues. In 2011 they were called out for transmitting and storing keystrokes in *plain text*. Again, the real power is in our existing choice to stay educated and decide how much we want to risk by installing and using any piece of additional code on our devices. Staying hyper-aware and approaching app installs as a risk-based decision can go a long way to preventing your data from being left out for all to see.

Data Breach Disclosure Bill Introduced

On the subject of breaches, a new bill introduced in the Senate could impose actual jail time upon executives for failure to properly disclose a data breach. The Data Security and Breach Notification Act would absolutely require that affected companies report data breaches within 30 days.

Penalties of at most 5 years in prison, and/or fines, could result if it is determined that executives concealed or failed to report a breach. This comes hot on the heels of catastrophic announcements from the likes of Equifax, Uber, and others.

The legislation was introduced by Bill Nelson (Florida), Richard Blumenthal (Connecticut) and Tammy Baldwin (Wisconsin). While it varies by state, there are ‘breach notification’ laws in 48 states.

[1] Europol’s European Cybercrime Centre
[2] Joint Cybercrime Action Task Force