How to make your Google Drive or Microsoft OneDrive private - Manila Bulletin

Posted: 26 Jul 2020 06:18 PM PDT

Written by Prof. Rom Feria

For most users, cloud storage is provided by either Google or Microsoft, or both. Google Drive and Microsoft OneDrive are familiar to educators and students because of their institutions' subscriptions. In addition, you get free storage from either company when you sign up for a free Gmail or Office 365 account. Whilst both companies secure your data, your data are not guaranteed to be private — yes, the data is encrypted at rest, but the encryption keys are managed by them, not you. What does this mean? Well, they can always decrypt it, right? It is always a good idea to control and manage your own encryption, and not to give these companies access to the keys/passwords.

I know of two (2) ways of keeping your data private using open source software, whilst hosting it on Google Drive or Microsoft OneDrive. One is Cryptomator (https://cryptomator.org). This, in my opinion, is the easiest route to encrypting data on your cloud storage. It supports Windows, macOS, Linux, Android and iOS. The desktop versions of the software are free (but if you want dark mode, you need to donate a minimum of US$15). The iOS and Android versions are not free, however, with the iOS version going for PhP249 and the Android version at PhP289. To create your encrypted vault on Google Drive or Microsoft OneDrive, you will need to have their respective applications, at least on the desktop, installed and configured. Since I refuse to install either of these two applications, I did not continue with Cryptomator. I did not consider paying for the mobile version either, so I did not test it.

Instead of Cryptomator, I opted for rclone. I wrote about rclone before, but this time, I will expound further on how I have it configured. I have installed rclone on my Raspberry Pi 4 at home (which also serves as my Pi-hole, file server, and WireGuard VPN server). 

Using "rclone config", I have created a connection between my Raspberry Pi (RPi) and my Google Drive, and named it gdrive. This specific connection is not encrypted. It simply allows me to access everything stored on my Google Drive. However, this is not what I want — I want an encrypted storage. So invoking "rclone config" again, I created an encrypted subdirectory off of gdrive (it will ask you for a password, and another optional password — I used both), and called it gdsecret. Now, every subdirectory created on gdsecret will be obfuscated, and any file stored in it will be encrypted. 

Storing and retrieving files via gdsecret requires that you always use the rclone application. Whilst this should not be a big deal, I decided that, to allow scripts and applications access and to be able to access it from my iPhone and iPad Pro, I needed to get my favorite SFTP iOS/iPadOS application, ShellFish (PhP449 in-app purchase), to support it (unfortunately, baking rclone into the ShellFish application is not on the developer's radar at this point). So to do this, I created a mount point "/mnt/gdsecret" on my RPi and issued the "rclone mount" command on gdsecret to make the encrypted remote appear as ordinary remote storage. Now, when I use the iOS/iPadOS Files app with ShellFish, gdsecret appears just like an ordinary drive, but with the added encryption support. Files retrieved are automatically decrypted, too. The same goes for scripts and applications that I run on the RPi. Nice, eh?
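As an added example (not part of the article), this is what the two "rclone config" runs described above leave behind in rclone.conf, a check that the crypt remote really encrypts both file and directory names before you trust it, and the mount command for "/mnt/gdsecret". The remote names gdrive and gdsecret and the mount point come from the article; the "secret" subfolder and the password values are constructed placeholders.

```shell
# Added example, not from the article: the rclone.conf that the two
# "rclone config" runs produce (a plain drive remote plus a crypt remote
# layered on it), a check that the crypt remote encrypts file and
# directory names, and the mount command for /mnt/gdsecret.
# Remote names gdrive/gdsecret and the mount point come from the article;
# the "secret" subfolder and the password values are constructed placeholders.
# Constructed config; a real file holds rclone-obscured passwords, never plaintext.
RCLONE_CONF='[gdrive]
type = drive

[gdsecret]
type = crypt
remote = gdrive:secret
filename_encryption = standard
directory_name_encryption = true
password = OBSCURED_PASSWORD_PLACEHOLDER
password2 = OBSCURED_SALT_PLACEHOLDER
'

# Print the value of KEY in [SECTION] of the config read from stdin.
conf_get() {  # usage: printf '%s\n' "$CONF" | conf_get SECTION KEY
    awk -v sect="[$1]" -v key="$2" '
        $0 == sect { in_s = 1; next }
        /^\[/      { in_s = 0 }
        in_s && $1 == key { print $3; exit }'
}

# Succeed only if SECTION is a crypt remote with both passwords set and
# both file and directory names encrypted; otherwise names leak to the provider.
check_crypt_remote() {  # usage: printf '%s\n' "$CONF" | check_crypt_remote SECTION
    conf=$(cat)
    for kv in "type=crypt" "filename_encryption=standard" \
              "directory_name_encryption=true"; do
        want=${kv#*=}; key=${kv%%=*}
        [ "$(printf '%s\n' "$conf" | conf_get "$1" "$key")" = "$want" ] || return 1
    done
    for key in password password2; do
        [ -n "$(printf '%s\n' "$conf" | conf_get "$1" "$key")" ] || return 1
    done
}

# Expose the decrypted view to SFTP/Samba users and local scripts.
# --allow-other lets users other than the mounting one read the FUSE mount
# (needs user_allow_other in /etc/fuse.conf); the VFS write cache makes
# uploads through the mount behave like a normal filesystem.
mount_gdsecret() {
    sudo mkdir -p /mnt/gdsecret
    rclone mount gdsecret: /mnt/gdsecret --allow-other --vfs-cache-mode writes --daemon
}
```

Run the check against your own ~/.config/rclone/rclone.conf before mounting; a crypt remote with filename_encryption set to off still encrypts file contents but exposes every file and folder name to the provider.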

On the desktop, you can simply use Samba to mount "/mnt/gdsecret", but this requires that you configure Samba on the server (the RPi, in my case), which I decided not to do, since I'd rather use SFTP.

Whilst I can easily connect to the RPi from outside of my home network, thanks to WireGuard, I decided to create a US$5/mo instance on Linode to serve as an alternative WireGuard VPN server for me, and also as another rclone node, with the same configuration as my home RPi. So now I have two points of entry to my encrypted Google Drive storage.

Using rclone now allows me to take advantage of the free Google Drive space, whilst keeping everything encrypted and away from Google's eyes. I can do the same for Microsoft OneDrive, too, but at the moment I don't have any compelling reason to do so.


Obtaining a decryption key? Third-party risk. Ensiko PHP webshell described. Update on alleged Cloudflare breach. - The CyberWire

Posted: 28 Jul 2020 06:52 PM PDT

Garmin confirmed, ABC News reports, that it sustained a cyberattack last Thursday. While its online services were disrupted and some files encrypted, Garmin has concluded that no customer data were compromised. Despite saying that files were encrypted, Garmin did not characterize the incident as a ransomware attack. WIRED calls it (as have others) an attack by Evil Corp using WastedLocker ransomware. 

Sky News reported that Garmin had obtained a decryption key that enabled file recovery, but said the company "did not directly make a payment to the hackers." This has prompted speculation that payment might have been made through a third party. As Decrypt notes, that wouldn't necessarily protect Garmin from exposure to US sanctions enforcement.

Another ransomware attack has moved from a third-party vendor to its intended target. The Wall Street Journal reports that customer data were taken from SEI Investments when M.J. Brunner, developer of an investment dashboard used by SEI, was compromised and the information was lost. SEI says its own systems weren't hacked.

FrontRush, a provider of athletic recruiting and amateur athletic management software, disclosed that one of its AWS S3 buckets was left exposed to the Internet. It contained personally identifiable information.

Trend Micro describes Ensiko, a PHP webshell the researchers say has ransomware capabilities among other functionalities. It's also likely to be resistant to the vigilantism that's recently hobbled Emotet.

SiliconAngle reports that Cloudflare says the breach Ukrainian authorities disclosed over the weekend had nothing to do with Cloudflare, that the company was not breached.

New ThiefQuest ransomware discovered targeting macOS users - ZDNet

Posted: 30 Jun 2020 12:00 AM PDT

Security researchers have discovered this week a new ransomware strain targeting macOS users.

Named OSX.ThiefQuest (or EvilQuest), this ransomware is different from previous macOS ransomware threats because besides encrypting the victim's files, ThiefQuest also installs a keylogger, a reverse shell, and steals cryptocurrency wallet-related files from infected hosts.

"Armed with these capabilities, the attacker can maintain full control over an infected host," said Patrick Wardle, Principal Security Researcher at Jamf. This means that even if victims paid, the attacker would still have access to their computer and continue to steal files and keyboard strokes.

Wardle is currently one of the many macOS security researchers who are analyzing this new threat.

Others who are also investigating EvilQuest include Thomas Reed, Director of Mac & Mobile at Malwarebytes, and Phil Stokes, macOS security researcher at SentinelOne.

Reed and Stokes are currently looking for a weakness or bug in the ransomware's encryption scheme that could be exploited to create a decryptor and help infected victims recover their files without paying the ransom.

ThiefQuest is distributed via pirated software

But the researcher who first spotted the new ThiefQuest ransomware is K7 Lab security researcher Dinesh Devadoss.

Devadoss tweeted about his finding yesterday, June 29. However, new evidence surfaced in the meantime has revealed that EvilQuest has been, in reality, distributed in the wild since the start of June 2020.

Reed told ZDNet in a phone call today that Malwarebytes found ThiefQuest hidden inside pirated macOS software uploaded on torrent portals and online forums, such as a pirated version of music production app Ableton, DJ mixing software Mixed In Key, and security tool Little Snitch.

[Image: Russian forum spreading pirated macOS app infected with OSX.EvilQuest. Image: ZDNet via Malwarebytes]

However, Reed told us he believes the ransomware is most likely more broadly distributed, leveraging many more other apps, and not just these three.

Wardle, who published an in-depth technical analysis of ThiefQuest earlier today, said the malware is pretty straightforward, as it moves to encrypt the user's files as soon as it's executed.

Once the file encryption scheme ends, a popup is shown to the user, letting the victim know they've been infected and their files encrypted.

[Image: the ThiefQuest infection popup. Image: Dinesh Devadoss]

The victim is directed to open a ransom note in the form of a text file that has been placed on their desktop, which looks like the one below:

[Image: the ThiefQuest ransom note. Image: Patrick Wardle]

Stokes told ZDNet the ransomware will encrypt any files with the following file extensions:

.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat

After the encryption process ends, the ransomware installs a keylogger to record all the user's keystrokes, a reverse shell so the attacker can connect to the infected host and run custom commands, and will also look to steal the following types of files, usually employed by cryptocurrency wallet applications.

  • "wallet.pdf"
  • "wallet.png"
  • "key.png"
  • "*.p12"

In his own analysis of ThiefQuest, Reed also noted that the ransomware attempts to modify files specific to Google Chrome's update mechanism and use those files as a form of persistence on infected hosts.

"These [Chrome update] files had the content of the patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed," Reed said. "However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it's unclear what the purpose here is."

Furthermore, researchers also noted that ThiefQuest doesn't include a method through which victims could contact the ransomware authors, or a method through which the malware authors could track payments. This means that any victims who pay are unlikely to receive a decryption key to recover their files, as there is no way for the ThiefQuest group to tell who paid and who didn't.

All victims infected by this point should consider their data lost forever, unless researchers find a way to break the encryption and recover their files.

At the time of writing, security researchers couldn't say for sure if ThiefQuest was created as ransomware from the get-go, or if the ransomware module was added later, on top of an existing remote access trojan. One theory that is becoming more popular as researchers keep analyzing the code is that ThiefQuest started out as a regular infostealer, but was later expanded into ransomware with a low-quality file-encryption module that ended up destroying user files.

Wardle, who has created several open-source macOS security tools, said that a tool he released in 2016, named RansomWhere, can detect and stop EvilQuest from running. Reed also said that Malwarebytes for Mac was also updated to detect and stop this ransomware before it does any damage.

ThiefQuest is the third ransomware strain that has exclusively targeted macOS users after KeRanger and Patcher. Another macOS ransomware strain called Mabouia only existed at a theoretical level and was never released in the real world.

Article updated on July 2 after security researchers renamed the ransomware from EvilQuest to ThiefQuest, as the previous name was also used by Chaosoft Games for one of their Steam games and the game maker requested researchers change it to avoid confusion.
