Researchers have uncovered new malware that targets Telegram, the end-to-end encrypted instant messaging service.
Cisco Talos researchers noticed the first version of this malware -- dubbed the Telegrab malware -- on April 4, and a variant of it on April 10. The first version, they said, stole browser credentials, cookies and text files from the system. The second version, however, was also able to collect Telegram's desktop cache and encryption key files, and login data for the Steam website.
According to Vitor Ventura and Azim Khodjibaev, security researchers at Talos, the Telegrab malware doesn't break or exploit any vulnerability in Telegram. Instead, "it affects the desktop version of Telegram, which does not support Secret Chats and has weak default settings," they wrote in a blog post. "The malware abuses the lack of Secret Chats which is a feature, not a bug. Telegram desktop by default doesn't have the auto-logout feature active. These two elements together are what allows the malware to hijack the session and consequently the conversations."
Ventura and Khodjibaev discovered a series of YouTube videos that provide guidance on how to access and use Telegram cache data to hijack Telegram sessions. They believe with "high confidence" that the author of the videos is also the author of the Telegrab malware.
The author, they said, goes by the names Racoon (sic) Hacker, Eyenot -- an anglicized version of the Russian Енот -- and Racoon (sic) Pogoromist (sic).
"The cursory analysis of the video indicates that Racoon (sic) Hacker is a native Russian speaker and has an advanced understanding of the Python programming language," Ventura and Khodjibaev explained, noting that many of the videos posted by the same author mention similar techniques to those used in the variants of the Telegrab malware.
The Talos researchers said Telegrab primarily targets Russian-speaking victims and intentionally avoids IP addresses connected to anonymizer services.
"When compared with the large bot networks used by large criminal enterprises, this threat can be considered almost insignificant. However, this shows how a small operation can fly under the radar and compromise thousands of credentials in less than a month, having a significant impact on the victim's privacy," wrote Ventura and Khodjibaev, adding that the credentials and cookies enable the malware author to access victim information on websites like gmail.com and google.com.
"The malware samples analyzed are not particularly sophisticated, but they are efficient."
In other news
- The former CSO at Uber, Joe Sullivan, announced this week that he is joining Cloudflare to head its security team. Sullivan was accused of covering up a data breach at Uber that affected over 57 million riders and drivers by paying hackers $100,000 to delete the stolen data. He later denied those claims, but was still fired from Uber in November 2017 for his role in the breach. Prior to Uber, Sullivan worked as the CSO at Facebook and held positions in the legal departments of PayPal and eBay. In a blog post announcing his new position as CSO of Cloudflare, Sullivan said he felt he found a company that matches his "passion for securing the whole internet."
- Security researchers at Imperva published a proof of concept (PoC) for an attack method that uses a Universal Plug and Play (UPnP) protocol exploit to launch distributed denial-of-service attacks. The PoC "proves that UPnP devices can be used to obfuscate the source port data of amplification payloads," Imperva researchers explained in a blog post detailing the attack. Imperva's research detailed a PoC for DNS amplification attacks, but the team said that the technique would also work for amplification attacks using Simple Service Discovery Protocol and Network Time Protocol, as well as any other kind of amplification vectors. "This adds up to a major paradigm shift in the way amplification attacks are mitigated today," the researchers said. "With source IP and port information no longer serving as reliable filtering factors, the most likely answer is to perform deep packet inspection (DPI) to identify amplification payloads -- a more resource-intensive process, which is challenging to perform at an inline rate without access to dedicated mitigation equipment."
- The U.S. Department of Homeland Security (DHS) released its new cybersecurity strategy this week. The 35-page document outlines DHS's plan to "keep pace with the evolving cyber risk landscape" for the next five years by "reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient." DHS expects more than 20 billion devices will be connected to the internet by 2020, and notes that the threats to security come from everywhere. "Motivations include espionage, political and ideological interests, and financial gain," the document states. "Nation-states continue to present a considerable cyber threat. But non-state actors are emerging with capabilities that match those of sophisticated nation-states." Stressing the severity of the risk, DHS also said that the number of cyber incidents reported to DHS between 2006 and 2015 increased "more than ten-fold (sic)." The department's plan revolves around five pillars: risk identification; vulnerability reduction; threat reduction; consequence mitigation; and enabling cybersecurity outcomes.