
Ongoing SolarWinds breach / PayPal smishing / Babuk Locker

The massive SolarWinds breach still arouses discussion and controversy. Now it turns out that Microsoft source code was exposed. In the first article, we ask what this means for users and organizations. What more? Babuk Locker – new year, new ransomware; PayPal smishing; and a new victim identification technique.

SolarWinds breach: Microsoft source code exposed. What does it mean for users and organizations?

Microsoft confirmed last week that attackers were able to view some of its source code. Maybe there is no increase in security risk. However, access to source code could make some steps easier for attackers.

During the investigation Microsoft has not found evidence of access to production services or customer data, nor has it discovered that its systems were used to attack other companies. It did find, however, that an internal account had been used to view source code in a number of code repositories – the affected account didn’t have permissions to change any code or engineering systems.

Microsoft’s software is among the most widely deployed in the world, which makes it an appealing target, in particular for advanced attackers like those behind the SolarWinds incident.

While it’s certainly concerning, and we don’t know the full extent of what attackers could see, Microsoft’s threat-modelling strategy assumes attackers already have some knowledge of its source code. Microsoft made a big push for secure software development in Windows Vista. It didn’t make the decision to open-source the code but designed it with the assumption that could possibly happen someday. Source code is viewable within Microsoft, and viewing the source code isn’t tied to heightened security risk.

Microsoft’s practice isn’t common. However, Microsoft is a big enough target, with people regularly reverse engineering its code, that it makes sense.

While attackers were only able to view the source code, and not edit or change it, this level of access could prove helpful with some things – for example, writing rootkits.

There is still much we don’t know regarding this intrusion. What have the attackers already seen? Where was the affected code? Were the attackers able to access an account that allowed them to alter source code? For now, we must leave these questions unanswered. In the meantime, security specialists advise organizations to continue applying security patches as usual and stick with the infosec basics.


Don’t get caught! The newest PayPal phishing texts state your account is ‘limited’

A new SMS text phishing (smishing) campaign pretends to be from PayPal, stating that your account has been permanently limited unless you verify your account by clicking on a link.

PayPal smishing

When PayPal detects suspicious or fraudulent activity on an account, the account will have its status set to “limited,” which will put temporary restrictions on withdrawing, sending, or receiving money.

But this time, clicking on the enclosed link will bring you to a phishing page. It prompts you to log in to your account, as shown below. If you log in, the entered PayPal credentials will be sent to the threat actors. The phishing page then goes a step further as it will try to collect further details from you, including your name, date of birth, address, bank details, and more.

Smishing scams are becoming increasingly popular, so it is always important to treat any text messages containing links as suspicious. If a target falls for any of these ruses, the combination of information could be used for identity theft, bank fraud, or fraudulent purchases. The data could just as well be compiled into lists that are then sold to other scammers on dark web marketplaces. If the victim also recycles their login credentials across multiple accounts, black hats could infiltrate other accounts, including banking, social media, and email accounts.


New Year, New Ransomware: Babuk Locker Targets Large Corporations

It’s a new year, and it comes with new ransomware called Babuk Locker that targets corporate victims in human-operated attacks.

Babuk Locker is a new ransomware operation that launched at the beginning of 2021 and has since amassed a small list of victims from around the world. Demands range from $60,000 to $85,000 in Bitcoin.

Babuk Locker’s coding seems amateurish. However, it includes secure encryption (ChaCha8 and Elliptic-curve Diffie–Hellman) that prevents victims from recovering their files for free.

At launch, the attackers can pass a command-line argument that controls whether the ransomware encrypts network shares and whether it does so before the local file system. The command-line arguments that control this behavior are:

  • lanfirst
  • lansecond
  • nolan

Once launched, the ransomware will terminate various Windows services and processes known to keep files open and prevent encryption. The terminated programs include database servers, mail servers, backup software, mail clients, and web browsers.

When encrypting files, Babuk Locker uses the hardcoded extension .__NIST_K571__ and appends it to each encrypted file. A ransom note named How To Restore Your Files.txt is created in each folder. One of the notes seen contains the victim’s name and links to images proving that the threat actors stole unencrypted files during the attack. The Babuk Locker Tor site is nothing fancy and simply contains a chat screen where the victim can talk to the threat actors and negotiate a ransom.

The Babuk Locker authors are planning to create a dedicated leak site, following the double-extortion trend. So far, they are using a hacker forum to leak their stolen data.
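The behaviours above (the lanfirst/lansecond/nolan switches, the .__NIST_K571__ extension and the ransom note name) are concrete enough to triage from endpoint telemetry. The script below is an added example written for this post, not code from the original article or from any vendor tool; the event format and the sample events are constructed for illustration and would be replaced by real EDR or Sysmon exports.

```python
from pathlib import PureWindowsPath

# Indicators quoted in the write-up above
BABUK_SWITCHES = {"lanfirst", "lansecond", "nolan"}
BABUK_EXTENSION = ".__NIST_K571__"
BABUK_NOTE = "How To Restore Your Files.txt"

# Constructed sample events (not a real EDR export): "proc|image|command line" or "file|path"
SAMPLE_EVENTS = [
    "proc|C:\\Users\\alice\\Downloads\\update.exe|update.exe lanfirst",
    "proc|C:\\Windows\\System32\\ping.exe|ping.exe -n 4 10.0.0.1",
    "proc|C:\\Program Files\\Tool\\tool.exe|tool.exe --mode nolan-compatible",
    "file|C:\\Finance\\Q4\\budget.xlsx.__NIST_K571__",
    "file|C:\\Finance\\Q4\\How To Restore Your Files.txt",
    "file|C:\\Users\\bob\\notes.txt",
]


def check_process(cmdline):
    """Return the Babuk switches present as whole arguments ('nolan-compatible' does not count)."""
    args = cmdline.lower().split()[1:]
    return sorted(BABUK_SWITCHES.intersection(args))


def check_file(path):
    """Return the reasons a file path looks like Babuk output."""
    name = PureWindowsPath(path).name
    reasons = []
    if name.endswith(BABUK_EXTENSION):
        reasons.append("encrypted-extension")
    if name.lower() == BABUK_NOTE.lower():
        reasons.append("ransom-note")
    return reasons


def triage(events):
    """Map each event line to (kind, subject, reason) findings."""
    findings = []
    for line in events:
        kind, *fields = line.split("|")
        if kind == "proc":
            image, cmdline = fields
            hits = check_process(cmdline)
            if hits:
                findings.append(("proc", image, "switch:" + ",".join(hits)))
        elif kind == "file":
            for reason in check_file(fields[0]):
                findings.append(("file", fields[0], reason))
    return findings
```

A single switch hit on an unknown binary is worth an alert on its own; the file indicators mostly help scope which folders were touched once encryption has already started.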


New malware uses WiFi BSSID for victim identification

Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim’s IP address and check it against an IP-to-geo database like MaxMind’s GeoIP to get a victim’s approximate geographical location. However, IP-to-geo databases are known for their wildly inaccurate results, as telcos and data centers tend to acquire or rent IP address blocks on the free market.

Still, this method is widely adopted today. But from time to time, some hackers use the BSSID technique on top of the first.

A new malware strain – discovered by Xavier Mertens, a security researcher at the SANS Internet Storm Center – is using the WiFi AP MAC address to get that information. The BSSID (Basic Service Set Identifier) is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi. You can see the BSSID on Windows systems by running the command:

netsh wlan show interfaces | find "BSSID"

Back to the malware…

Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov. This database is a collection of known BSSIDs and the last geographical location they’ve been spotted at.

These types of databases are quite common these days and are usually used by mobile app operators as alternative ways to track users when they can’t get access to a phone’s location data directly.

Checking the BSSID against Mylnikov’s database would allow the malware to effectively determine the physical geographical location of the WiFi access point the victim was using to access the internet, which is a far more accurate way of discovering a victim’s geographical position.

But using both methods together could allow malware operators to confirm the initial IP-based geolocation query with the second, BSSID-based method. In other words, this way they could double-check a victim’s geographical location – and get more or less 100 percent accurate results.
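Because the technique relies on running the netsh command quoted above, the process-creation log is the natural place to spot it: the command is legitimate when an administrator types it into a shell, and suspicious when a freshly dropped binary spawns it. The script below is an added example written for this post, not code from the original article or from the SANS ISC analysis; the event format, the sample events and the allow-list of interactive parent processes are constructed assumptions to be tuned per environment.

```python
import re

# The command quoted above, matched loosely (netsh or netsh.exe, any spacing/case)
NETSH_WLAN = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+interfaces?", re.IGNORECASE)

# Parents from which a person would normally run netsh by hand.
# Assumption: tune this allow-list to the environment.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe", "explorer.exe"}

# Constructed sample process-creation events: parent_image;image;command_line
SAMPLE_EVENTS = [
    "C:\\Windows\\explorer.exe;C:\\Windows\\System32\\cmd.exe;cmd.exe",
    "C:\\Windows\\System32\\cmd.exe;C:\\Windows\\System32\\netsh.exe;netsh wlan show interfaces",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe;C:\\Windows\\System32\\cmd.exe;"
    "cmd.exe /c netsh  wlan show interfaces | find \"BSSID\"",
    "C:\\Windows\\System32\\svchost.exe;C:\\Windows\\System32\\netsh.exe;netsh advfirewall show allprofiles",
]


def parse_event(line):
    parent, image, cmdline = line.split(";", 2)   # the command line may itself contain ';'
    return {"parent": parent, "image": image, "cmdline": cmdline}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """None if unrelated; 'low' for an interactive parent, 'high' otherwise."""
    if not NETSH_WLAN.search(event["cmdline"]):
        return None
    return "low" if basename(event["parent"]) in INTERACTIVE_PARENTS else "high"


def scan(lines):
    """Return (severity, parent basename, command line) for every matching event."""
    results = []
    for event in map(parse_event, lines):
        severity = classify(event)
        if severity:
            results.append((severity, basename(event["parent"]), event["cmdline"]))
    return results
```

The "low" hits are still worth keeping as context, since an attacker with an interactive shell would produce exactly that pattern.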


About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.

About Xopero
Xopero began in 2009, founded as a company serving primarily SMB users. Our goal was to create a more accessible and affordable secure data protection solution for any business. In 2015, Xopero started cooperation with QNAP Inc. – one of the key global NAS providers. This addition expanded our portfolio to include a true backup appliance. In 2017, Xopero fully extended into the global market thanks to cooperation with ESET. Our company took the place previously occupied by StorageCraft in the ESET Technology Alliance.