Techie Feeds

Ransomware: Why do backups fail when you need them most?

Malwarebytes - Fri, 10/22/2021 - 14:11

It’s widely known, and endlessly repeated, that the last, best line of defence against the potentially devastating effects of a ransomware attack is your backups.

So why do we keep hearing things like this:

We’re also feeling relatively confident, we have a very good backup system … and then we find out at about four or five hours after the [ransomware] attack that our backup system is completely gone.

Ski Kacoroski, System administrator, Northshore School District

The quote above comes from a recent Malwarebytes podcast, racing against a real life ransomware attack, in which host David Ruiz interviewed sysadmin Ski Kacoroski about a ransomware attack on the Northshore School District in Washington State.

Kacoroski’s alarming discovery—that the backups he was relying on to restore the school district’s damaged systems were unusable—is not unusual in the aftermath of a ransomware attack. The glib and depressingly common response from some in the IT community is to assume that those involved were idiots, and to blame them for their misfortune, observing with hindsight that they should have known they needed to spend more on this, run that, patch this, check that, etc.

A more realistic, more useful, perspective assumes that system administrators and security folk like Kacoroski are competent, intelligent people who are doing their best to meet multiple requirements in complex environments with limited resources. Starting there, the obvious conclusion from experiences like Kacoroski’s is that backups are hard to get right.

Why do backups fail?

Following the interview with Kacoroski, we set out to find out why getting backups right is so difficult. To help us we approached backup expert Matt Crape, a technical account manager at VMWare, and put exactly that question to him in a follow-up podcast episode, Why backups aren’t a “silver bullet” against ransomware.

This is what we learned from Crape:

Backups are difficult

Crape observed that people often imagine backups are easy, because their only experience of performing backups is doing them at home, where it is easy: You just plug a USB hard drive into your laptop every night and press a button.

But add a few hundred computers and you’re living in a different world.

Step one, says Crape, is figuring out what you’re trying to achieve. To do that you have to work though a series of important but difficult questions, including:

Are you backing up just your data, or your data and your applications? Are you archiving medical information or personally identifiable information that comes with regulatory requirements that dictate where, how, and for how long you can store it? How many copies of the data and applications will you make and where will you keep them? How long will you store each type of data? Do you need versioning? How often are you going to back everything up? Are you going to run the same schedule for all your data, no matter how important it is or how often it changes, or are you going to run different schedules for different things? And how will the scheduling, and the amount of data travlling over the network at different times, affect performance?

A backup archived to tape or the Cloud is only half the story too. It can only be considered a success if you can restore a working system from it, and there are a few things that can derail that.

SQL databases typically have to be stopped before you can take a back up that will usefully restore, for example. Many applications also depend on the existence of other services too (such as DNS, email or authentication) and you’ll need to understand and record those relationships, and have a plan for restoring systems in the right order if you want it all to come back to life.

You also need a process for reviewing those decisions regularly. Businesses evolve and change, and your backups have to keep up.

And finally, having done all that, you’ll need to do something far more difficult—convince someone it’s all worth paying for.

Backups are expensive

According to Crape “That money conversation was always the hardest part”. The problem with backups, he says, is that 99% of the time you don’t need them, so they can seem like money down the drain.

Ransomware changes the calculation considerably. Aside from their day-to-day uses, organisations have historically seen backups as a way to cope with natural disasters and other severe but infrequent events. It is easy to understand why they might put off dealing with that problem until tomorrow in favour of more immediate concerns.

But a ransomware attack isn’t a lightening strike or a once-in-one-hundred-year flood. According to IDC, “more than one third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months”. Other organisations might give you slightly different figures, but there’s no doubt that ransomware attacks are frighteningly common.

Crape suggests that the best way to make the argument for properly staffed and funded backups is to make the conversation about the cost of losing key systems: “How much downtime can we afford for this specific server?What’s the cost of that vs the cost of storing backups for three years?”

Backups are targets

“Had the Empire had better physical security for their backup archives, the Star Wars franchise would be markedly different”.

Matt Crape, Technical Account Manager, VMWare

Backups contain all the information that makes a company tick, which makes them targets for both theft and sabotage. For a modern fable on the menace of insider threats and the importance of physical security for backups, just watch Rogue One: A Star Wars Story, says Crape. “The Death Star blew up because of a backup.”

Ransomware gangs understand that your backups could deprive them of a multimillion dollar payday and will seek them out and delete them if they can. It’s also not unusual for criminal hackers to spend days, weeks, or even months inside the networks of organisations they’ve breached. They use that time to perform reconnaissance and elevate their privileges, so they can reach all parts of the network, including its backups (even Cloud backups). If they can find them, they will destroy them before running their ransomware.

When it is finally run, many kinds of ransomware will also look for and disable or delete shadow copies—a form of local backups—on the machines they infect, cutting off the possibility of restoring those machines with a quick rollback.

If your ransomware recovery plan relies on backups, you will need copies of your data that are offline and off-site, where they are permanently beyond the reach of an attacker who may be resident in your network for months.

Everyone assumes they’re working

According to Crape, another reason that backups let us down when we need them most is that people simply assume they are running correctly. “It’s not uncommon to hear about folks who just don’t check the status, ever”, he told Ruiz. “They’ll check it the first couple of days and then it gets old so they stop paying attention to it, or they turn off notifications because it’s just been running fine. You go to do a restore and you find out, oh, this thing hasn’t run in six months.”

It’s not enough to monitor that the application ran without failing, says Crape. A backup job can run without failing, but that doesn’t mean it did anything; and just because the job ran properly, that doesn’t mean the tape isn’t blank; and having something on tape doesn’t mean you have something that will usefully restore.

If you want to know if your backups are working, you have to test them. And that means doing a full restore into another environment.

Listen to the podcast

To learn more about why backups fail and how you can use them to effectively combat ransomware, listen to the full podcast below, or in your favourite podcast player from AppleSpotify, or Google.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

The post Ransomware: Why do backups fail when you need them most? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

We dig into the Game Players Code

Malwarebytes - Fri, 10/22/2021 - 14:00

Gaming security is getting a lot of attention at the moment. Rightly so; it’s a huge target for scammers and malware authors. Malicious ads, fake games, survey scams, phishing attacks…whatever you can think of, it’s in use. Some target kids and steal their accounts, selling them on. Others go after parents, who have their payment details tied to various platforms and consoles. Whatever the scammer is into, rich pickings can be theirs for the taking.

As we’ve shown previously, you don’t even have to be on a gaming platform to be at risk from shenanigans. You can run into something bad and gaming-related purely from hanging out somewhere else. These attacks, these tactics, are pervasive.

Some organisations are trying to turn the tide, however.

Step up to the plate, Game Players Code

Banks are noticing just how much time is spent dealing with gaming theft issues. No doubt their support calls tell a grim tale of cancelled cards and reverse charges. Tip: some gaming platforms will actually ban/cancel a gaming account by default should you ever reverse a dubious charge. Never do this if you can help it.

LLoyds Bank, in response to the never-ending glut of financial gaming fraud, has come up with something called “Shield against scams”. This is designed to give younger gamers a helping hand to avoid video game fakery. They’ve also got some well known gamer influencers on board which can only help get the message in front of gamers. Shall we take a look at each tip and see what else we can add to the discussion?

Chat screening and anonymity

SCREEN any chats from strangers, as well as unexpected gifts and special edition or time-limited offers. Never transfer money to someone you haven’t met in person.

HIDE personal information from others at all times, concealing your personal details where possible to avoid them being leaked.

This is a good start. Concealing player information is also helpful. Gaming forums, databases, and websites are often targeted by compromise and data theft. When the hammer falls, it’s probably best to have as few visible bits of personal information as possible. Always check the privacy specifics of whatever platform you’re using.

Some enable settings like real ID (your actual real name) by default, making it visible to whoever has the correct level of permissions. This could be a friend you’ve added, or random players looking at your profile. Other platforms won’t display real names or locations without you physically typing them into your profile. Consoles are a particular concern here because they have so many different settings across multiple menus. Many of them will have a privacy component to them, but you’ll have to dig around and make those connections yourself. It could be a slow process, so set some time aside for that.

Chat, whether in game or via a client, is an inroad to bad messages. You may even run into bogus messages in chat/VoIP land. The “I accidentally reported you” scam is hitting saturation point at the moment. Last but not least, beware of Real Money Trading if you play massively multiplayer online games.

Be cautious with payments

INVESTIGATE any gaming-related purchases before handing over money, such as checking whether the website is blacklisted on https://sitechecker.pro/blacklist-checker/ and only making card payments that offer greater consumer protections.

Another decent tip. Much of the gaming fraud we see at the moment is related to in-game purchases or DLC. Most commonly weapons, skins, outfits and the like. Some gaming platforms like Steam allow gamers to trade items. Fake trade phishes have been around for years and are very popular.

Evaluating the download risk

EVALUATE whether gaming-related downloads are being made from established trusted sources and whether they are safe by checking for malware via https://www.virustotal.com/

Generally speaking, all gaming downloads should be coming from the source (the platform you’re using) directly. Want to play Diablo 3? You’ll be using the Battle.net client on PC. Steam games? You’ll use the big download button inside the Steam client. Uplay? Origin? Epic store? The same rule applies. On a games console, it’s even more locked in. You can’t exactly go wandering off to a rogue download on a PS4.

As far as these files go, in theory you shouldn’t need to scan them (indeed, it isn’t possible to scan them if they’re on a games console). Sometimes things can go wrong with files from an official source, but this is pretty rare. Apply your own better judgment on this one.

Should you stray outside your walled client garden, that’s the time to be suspicious. Messages about free games, dubious offers/adverts, or random uploads to YouTube promising free cracked copies of the latest titles should be given a wide berth. You can certainly use VirusTotal for a quick check, but you should also read up on what it does. We would always recommend using your dedicated security tools in addition to any web-based scan.

Locking down

LOCK your gaming network by using password managers, two-factor authentication within platforms and anti-virus software.

Good tips. There are many gaming platforms. Some of them have titles exclusive to them, or deals which are better than anywhere else. Even if you decide to stick with Steam, certain games will insist on you also using their creator’s gaming platform. So you could fire up a Far Cry game on Steam, but you may need to launch the Uplay client…via Steam…and the game launches from there.

This may have changed, it’s been a few years since I tried it myself. But this is not an uncommon thing to happen.

Before you know it, you don’t just need a secure email tied to your gaming platform. You need logins for Steam, Uplay, Epic, Blizzard, multiple logins for MMORPG launchers, passwords in consoles, passwords everywhere. A password manager is exactly the kind of solution to this headache.

Two-factor authentication was rather uncommon in most gaming circles years ago, but it’s pretty much the default now. You can have it on your PC gaming clients, your consoles, your email. There’s Google Auth, or dedicated apps depending on the game publisher. Whatever your gaming network of choice, this is almost certainly something you can make use of.

Card safety concerns

DELINK your bank details from gaming and online browser accounts. Having two-factor authentication set up on bank transactions and using prepaid cards will also help to keep your money protected.

Payment information on accounts is a risk, but having payment information on any account can be a risk. The question is what can you put in place to lessen this, and how much damage can someone do if they get that information?

Many gaming clients allow you to store details, or delete them as appropriate. For example, you can tell Steam whether or not to remember payment info. You can also load up an account with funds via the Steam wallet, or put certain amounts of money onto the account with gift cards. Yes, someone can still steal an account and if it has £100 sitting on it, that’s bad. Some may argue that’s actually worse than stored card details.

If payment info is stored in Steam, you still have to enter the verification code on the back of the card for any transaction as this isn’t retained. While an account with details stored on it will still be valuable to someone out there, most people can’t simply start spending. They don’t have the code. However, an account with £100 or £300 sitting on it is an instant spend-festival.

As a result, a good tip is to only load up the account with smaller amounts of cash. It’s still bad if it gets stolen, but not £300 bad.

In conclusion…

Any attempt to make gaming realms more secure is a good thing. While you may have to add a bit more context to the tips as they stand, the basics are in place and that’s what we need to encourage young gamers with. Any positive change in habits, whether from the kids or the parents helping behind the scenes, can only be beneficial for everyone.

The post We dig into the Game Players Code appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A bug is about to confuse a lot of computers by turning back time 20 years

Malwarebytes - Fri, 10/22/2021 - 12:16

For those of you that remember the fuss about the Y2K bug, this story may sound familiar.

The Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning to Critical Infrastructure (CI) owners and operators, and other users who get the time from GPS, about a GPS Daemon (GPSD) bug in GPSD versions 3.20 through 3.22.

Y2K

If you don’t remember the Y2K bug, let me remind you quickly. Before the year 2000, lots of computer programs kept track of the year by remembering the last two digits instead of all four. Programs coded this way would work correctly until the first day of the new millennium, when they would assume they’d been transported back in time 100 years to 1900.

Some computer programs don’t care what time it is, but others do, and there were genuine fears that getting the date wrong by -100 years might cause the the lights to go out, or for planes to fall from the sky.

In the end, those big problems didn’t materialize, because everyone received a warning or two, or twenty, way in advance, and there was enough time to take action and fix the broken code.

What’s the bug now?

Alongside telling you where in space you are, the Global Positioning System (GPS) can also tell you where in time you are. To do this, it keeps a count of the number of weeks since January 5, 1980. The main civil GPS signal broadcasts the GPS week number using a 10-bit code with a maximum value of 1,023 weeks. This means every 19.7 years, the GPS week number in the code rolls over to zero.

GPSD is a GPS service daemon for Linux, OpenBSD, Mac OS X, and Windows. It collects data from GPS receivers and makes that data accessible to computers, which can query it on TCP port 2947. It can be found on Android phones, drones, robot submarines, driverless cars, manned military equipment, and all manner of other embedded systems.

Unfortunately, in an echo of the Y2K bug, a flaw in some versions of GPSD could cause time to roll back after October 23, 2021. The buggy versions of the code reportedly subtract 1024 from the week number on October 24, 2021. This would mean Network Time Protocol (NTP) servers using the broken GPSD versions would think it’s March 2002 instead of October 2021.

How bad is it?

For computer systems that have no other time reference, being thrown back in time can cause several security issues. From the perspective of incident handling and incident response, well-synchronized time across systems facilitates log analysis, forensic activities and correlation of events. Losing track of what happened when, can lead to missed incidents.

Even worse is getting shut out. NTP servers using the bugged GPSD version would get thrown back almost 20 years. The Network Time Protocol (NTP) is responsible in many cases to ensure that time is accurately kept. Various businesses and organizations rely on these systems. Authentication mechanisms such as Time-based One-Time Password (TOTP) and Kerberos also rely heavily on time. As such, should there be a severe mismatch in time, users would not be able to authenticate and gain access to systems.

The same would happen in cases where authentication relies on cookies. Websites and services relying on expiring cookies do not respond favorably to cookies from two decades in the future.

And speaking from experience, the last GPS week number reset to zero occurred on April 6, 2019. Many GPS-enabled devices that were not properly designed to account for the rollover event exhibited problems on that date. Other equipment became faulty several months before or after that date, requiring software or firmware patches to restore their function.

Mitigation

Since the affected versions of GPSD are versions 3.20 through 3.22 users should upgrade to version 3.23.1. Going back to older versions such as 3.19 and 3.20 is not recommended since they are unsupported and had bugs. For organizations that are using GPS appliances or rely on GPSD, it is recommended to check if GPSD is being utilized anywhere in the infrastructure and check its corresponding version. It is likely that an upgrade to GPSD will be required if no recent upgrades were performed.

It is also good for system administrators to make a mental note of the date October 24, 2021. If systems that had been authenticating normally start to have authentication issues after the weekend, it could be due to a mismatched date and time.

If you would like to be spared of this roll-back problem completely, the GPS modernization program is adding new civilian signals to the GPS system.

Personal note

Should your system go back to 2002, can you instruct it to tell me to invest in Bitcoin, please?

The post A bug is about to confuse a lot of computers by turning back time 20 years appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Update now! Chrome fixes more security issues

Malwarebytes - Thu, 10/21/2021 - 13:31

For the third time in a month Google has issued an update to patch for several security issues. This time the update patches 19 vulnerabilities, of which 5 are classified as “high” risk vulnerabilities.

In an update announcement for Chrome 95.0.4638.54, Google specifies the 16 vulnerabilities that were found by external researchers.

The CVEs

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

Below are the CVEs attributed to external researchers that got rated as high risk:

  • CVE-2021-37981 (High CVSS 7.7) : Heap buffer overflow in Skia. The vulnerability exists due to a boundary error when processing untrusted HTML content in Skia. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
  • CVE-2021-37982 (High CVSS 7.7): Use after free in Incognito. The vulnerability exists due to a use-after-free error within the Incognito component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
  • CVE-2021-37983 (High CVSS 7.7): Use after free in Dev Tools. The vulnerability exists due to a use-after-free error within the Dev Tools component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
  • CVE-2021-37984 (High CVSS 7.7): Heap buffer overflow in PDFium. The vulnerability exists due to a boundary error when processing untrusted HTML content in PDFium. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
  • CVE-2021-37985 (High CVSS 7.7) : Use after free in V8. The vulnerability exists due to a use-after-free error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Heap buffer overflow

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. So, by creating a specially crafted input, attackers could use this vulnerability to write code into a memory location where they normally wouldn’t have access.

Use after free

Use after free (UAF) is a vulnerability caused by the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Skia

Skia was developed as an open-source graphics library, written in C++ which abstracts away platform-specific graphics API. After Google acquired it in 2005, Chrome uses Skia for nearly all graphics operations, including text rendering.

Incognito

Incognito mode in Google Chrome – and other browsers—is essentially a setting on your web browser to disallow the storing of local data relating to the websites you surf. When surfing the web in this mode, your browsing history will not be recorded.

Dev Tools

Chrome DevTools is a set of web developer tools built directly into the Google Chrome browser. The Chrome DevTools are a set of web authoring and debugging tools that web developers can use to iterate, debug and profile their site.

V8

V8 is Google’s open source JavaScript and WebAssembly engine. Basically, it’s the engine that reads JavaScript V8 and translates the JavaScript code directly into machine code so that computers can actually understand it. This way the code can be run while browsing. WebAssembly is a binary format that allows you to run code from programming languages other than JavaScript on the web efficiently and securely. This format is handled by V8 as well.

PDFium

Pdfium.Net SDK is the leading .Net library for generating, manipulating and viewing files in the portable document format. It is used in Chrome for displaying PDFs and print preview. It’s also used in Android for PDF rendering.

How to protect yourself

If you’re a Chrome user, you should update to version 95.0.4638.54 as soon as possible. Users of other Chromium browsers should be on the lookout for updates that fix the vulnerabilities they will have in common.

The easiest way to update Chrome is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the working exploits. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Stay safe, everyone!

The post Update now! Chrome fixes more security issues appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Chrome targeted by Magnitude exploit kit

Malwarebytes - Thu, 10/21/2021 - 12:47

Exploit kits (EK) are not as widespread as they used to be. One of the reasons is likely that most exploit kits targeted software that is hardly ever used anymore. Internet Explorer, Silverlight, and Flash Player to name a few, have been deprecated, replaced, and quickly lost their user-base.

So, just when you start thinking there is one less threat to worry much about, researchers have found an exploit kit with a keen interest in Chrome. Which, from a business point of view, makes a lot of sense, since Chrome is close to becoming not just a market leader, but almost a monopolist in the browser market.

Chrome has, at the time of writing, a market share of around 65%. The only other browser that reaches a market share that is over 10% is Safari. So if you are in the business of compromising browsers that visit your website or watch your advertisement, having Chrome users on your target list is a big plus.

Or, as Malwarebytes’ Director of Threat Intelligence, Jérôme Segura, put it:

“The future of exploit kits is via Chrome exploits. This could either be an anomaly or the beginning of a new era with big implications for the years to come.”

Magnitude EK

Enter the Magnitude exploit kit. Researchers have found that the Magnitude EK is actively using two vulnerabilities to exploit Chromium-based browsers. Magnitude is used in malvertising attacks to infect victims who visit compromised websites and its payload of choice is the Magniber ransomware.

The vulnerabilities

CVE-2021-21224 is described as a type confusion in V8 in Google Chrome prior to 90.0.4430.85 which allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. V8 is Google’s open source high-performance JavaScript and WebAssembly engine. This vulnerability was patched in April.

CVE-2021-31956 is a Windows NTFS Elevation of Privilege (EoP) vulnerability. This vulnerability can be used in combination with CVE-2021-21224 to escape the Chromium sandbox. This vulnerability was patched in June.

PuzzleMaker

Practically the same combination of vulnerabilities was described in June when Microsoft fixed seven zero-days, including the CVE-2021-131956 we mentioned earlier. Back then, the attacker using these vulnerabilities was dubbed PuzzleMaker. At the time it was unknown which Chrome vulnerability was used by the attacker, but it’s highly likely that it was the same as Magnitude has been found leveraging now.

Payload

There is no malicious payload attached to the Magnitude exploits yet, the attack just exfiltrates the victim’s Windows build number. But reportedly, this is Magnitude EK’s standard procedure to test out new exploits, so this could change quickly if they start to see positive results.

How to protect yourself

It is only on rare occasions that we write about vulnerabilities and then tell you there isn’t much to worry about. But in this case, the only people that have anything to worry about are Windows users that browse the web using Chrome or Chromium based browsers (like Edge), but have disabled its automatic updates and haven’t updated since April. You would also have to run on a non-updated Windows system since June, or run Chrome with the –no-sandbox switch (not recommended). And even then all that would happen if you ran across the Magnitude EK (which usually focuses on South Korea) is getting fingerprinted.

But you do understand that you should update your OS and browser nonetheless, right?

Enable automatic updates

If you want to save yourself the trouble of manually installing updates, there are a few things you can do. For Google Chrome (under Windows) you can choose this page as one of the tabs that opens when you run the browser: chrome://settings/help. If there has been an update since the last time you closed your browser, this page will alert you and initiate a download of the update.

In Windows 10 you can select the Start button, then select Settings > Update & security > Windows Update. Select Advanced options, and then under Choose how updates are installed, select Automatic (recommended).

Stay safe, everyone!

The post Chrome targeted by Magnitude exploit kit appeared first on Malwarebytes Labs.

Categories: Techie Feeds

High school student rickrolls entire school district, and gets praised

Malwarebytes - Wed, 10/20/2021 - 16:04

A student at a high school in Cook County successfully hacked into the Internet-of-Things (IoT) devices of one of the largest school districts in Illinois, and gave everyone a surprise.

Minh (aka @WhiteHoodHacker on Twitter) who attends Elk Grove—a name that curiously resembles the home town of legendary anti-hero, Ash Williams—rickrolled the entire Township High School District 214.

In case you don’t know, rickrolling is an internet meme and a type of bait and switch prank wherein people are expecting one thing (clicking a link, for example) but instead are shown a clip of the 1987 song “Never Gonna Give You Up” by Rick Astley instead.

The end-result of Minh’s work, captured by Minh’s brother

“This story isn’t one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls,” Minh writes in his personal blog, “I did it by hijacking every networked display in every school to broadcast ‘Never Gonna Give You Up’ in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!”

In the post, Minh further revealed that everything started during his freshman year, a time he admitted was “the beginning of my script kiddie phase”. With the help of friends, he was able to scan and find more than 8 million IPs in the internal district network. With that many IPs, he was bound to find devices that were exposed—and he certainly did.

Here’s young Minh, staring back at himself from a security camera he was able to access remotely from his iPad. When informed about this, the district placed camera access behind an access control list (ACL).

Security cameras weren’t the only devices exposed to the student network. Minh was also able to have complete access to the district’s Internet Protocol Television (IPTV) system, a system that delivers multimedia content over IP-based networks. However, he wasn’t able to pull off the school prank he’d been planning until three years later.

Minh called his rickrolling operation “The Big Rick”. Here’s the timeline of events that fateful day. Note that, after the end of the operation, he sent a pentest report to the district’s technical supervisors.

Thanks to scheduling changes schools had to introduce in response to COVID-19 restrictions, Minh and his crew were able to pull off their scheme while avoiding disrupting classes and—yikes!—significant tests. Minh also said that they were prepared to abort the operation if they found that tests were taking place.

Once Minh had finished his prank, he sent a pentest report to the district’s technical supervisors.

“A few days after sending the report through the anonymous email account, we received an email response from D214’s Director of Technology,” Minh continued in his blog, “The director stated that because of our guidelines and documentation, the district would not be pursuing discipline. In fact, he thanked us for our findings and wanted us to present a debrief to the tech team! Later, he revealed the superintendents themselves reviewed and were impressed by our report!”

This is not a typical response from an organization when someone steps forward to show them their technological vulnerabilities. Many in the cybersecurity and tech industries know someone—or have themselves experienced—getting burned by groups or individuals for simply letting them know about what’s wrong with their systems and what they can do better. Let us not forget those two physical penetration testers getting arrested and jailed for doing a job they were hired to do.

Of course, something like this could happen even when there’s support for a bug bounty program. Take, for example, the case of drone-maker, DJI, who offered a bug bounty program but then decided to modify the terms of its scope and attack the security researcher who found major flaws in its product.

It’s no surprise, then, to see Minh’s peers expressed distrust against the D214 administration, even though the latter was open to the possibility of working with him and his crew to remediate and audit the problems.

“We decided I would reveal myself to present our debrief slides with the others remaining anonymous in the Zoom meeting,” Minh continues, “I had planned on announcing my involvement from the beginning since I wanted to publish this blog post. (I was also pretty much the prime suspect anyways.) But, just in case, I scheduled the debrief to take place after I graduated.”

At the end of the day, everything went “extremely well” for everyone involved. Suffice to say, Minh and his crew were one of the lucky ones to belong to a district that is objective enough to see past the prank and focus on the underlying technological vulnerabilities that made it possible to begin with.

The district has also displayed a stance that potentially opens great cybersecurity opportunities not only to Minh and his crew but also to those who aspire to do what they have done in the name of vulnerability disclosure (sans the pranks, of course). This is something that the industry welcomes and what is urgently needed.

“This has been one of the most remarkable experiences I ever had in high school and I thank everyone who helped support me,” Minh concluded.

Let us be the first to say that this fine lady is not the only one doing the happy dance.

(Video by nitw_t on YouTube)

* Image header is taken by Tom Tran

The post High school student rickrolls entire school district, and gets praised appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to delete your Snapchat account

Malwarebytes - Wed, 10/20/2021 - 14:12

Snapchat is an instant messaging app popular with youngsters that allows users to send pictures and videos that are only viewable for short periods.

But while hundreds of millions of daily active users consume and create content with Snapchat, not everyone is pleased with the mobile app.

One of the most significant concerns with Snapchat is that a recipient can record snaps without a creator’s knowledge or consent. And although Snapchat does notify a sender when a recipient takes a screenshot or records a video through proprietary software, some apps allow recipients to circumvent these checks.

If you no longer want to keep your Snapchat account, you can choose to delete it.

How to deactivate your Snapchat account

You may want to deactivate your Snapchat if you just want a break from the app. Currently, there’s no direct way to disable your account temporarily. The only way to deactivate Snapchat is to delete it.

After you delete your Snapchat, the platform gives you 30 days to change your mind before deleting your account permanently. So, to temporarily deactivate your Snapchat, you could cancel the deletion process before the 30-day period ends.

What happens if you delete your Snapchat account?

The instant you complete the Snapchat deletion process, an invisible 30-day timer starts. You now have just over four weeks to change your mind. After 30 days, Snapchat deletes the following data from its database:

  • Account
  • Account settings
  • Friends
  • Snaps
  • Chats
  • Story
  • Device data
  • Location data

According to Snapchat, some of your personal information may remain in the database for “certain legal, security and business needs.”

How to reactivate your Snapchat account

Reactivating your Snapchat account is pretty simple as long as you are still within the 30-day deletion window. Start your Snapchat app and log back in with your credentials. It may take up to 24 hours to reactivate your account.

How to download your Snapchat data

Your Snapchat data carries your login history, account information, profiles, snap and chat history, memories, friends, search history, Bitmoji, and more. You can download your Snapchat data before you delete your account to preserve the information.

  1. Go to accounts.snapchat.com
  2. Log into your account.
  3. Click My Data and then click Submit Request.
  4. You’ll receive a download link to your verified Snapchat email address.
  5. Use the link to download your data.
How to delete your Snapchat account
  1. Go to accounts.snapchat.com
  2. Log into your account.
  3. Scroll down until you see Delete My Account on the Manage My Account page.
  4. Click Delete My Account.
  5. Enter your username and password to confirm.
  6. Click Continue to start the process.
  7. Don’t log into the app again.
  8. Your Snapchat account will be deleted permanently in 30 days.
Can you reactivate your Snapchat account after 30 days?

You won’t be able to log back into your account 30 days after starting the deletion process. However, you can create a new Snapchat account after your old one has expired.

How to protect yourself on social media

Maybe deleting Snapchat is one step too far for you at the moment. If that’s the case, there are steps you can take to help protect yourself while using Snapchat, and any other social media platforms.

Follow our selfie security measures to help prevent your sensitive media from getting into an abuser’s hands. Also avoid these six social media safety sins to help stay secure.

Setting a strong password is also advisable, and make sure each online account you have has a different password. Familiarise yourself with phishing attempts on mobile phones, to lessen the likelihood of you falling for a scam. Lastly, use security for your Android or iOS device to protect against stalkerware and online stalking incidents.

The post How to delete your Snapchat account appeared first on Malwarebytes Labs.

Categories: Techie Feeds

q-logger skimmer keeps Magecart attacks going

Malwarebytes - Tue, 10/19/2021 - 20:59

This blog post was authored by Jérôme Segura

Although global e-commerce is continuing to grow rapidly, it seems as though Magecart attacks via digital skimmers have not followed the same trend. This is certainly true if we only look at recent newsworthy attacks; indeed when a victim is a large business or popular brand we typically are more likely to remember it.

From a research standpoint, we have observed certain shifts in the scope of attacks. For instance, the different threat actors are continuing to expand and diversify their methods and infrastructure. In a blog post about Magecart Group 8, we documented some of the various web properties used to serve skimmers and exfiltrate stolen data.

But at the end of the day, we only know about attacks that we can see, that is until we discover more. Case in point, one particular skimmer identified as q-logger, has been active for several months. But it wasn’t until we started digging further that we realized how much bigger it was.

Q-logger origins

This skimmer was originally flagged by Eric Brandel as q-logger. Depending on how much you enjoy parsing JavaScript you may have a love/hate relationship with it. The code is dense and using an obfuscator that is as generic as can be, making identification using signatures challenging.

Thanks to some data from @sansecio I've come across a new(?) digital skimmer/#magecart I call "q-logger". It has a variety of features, the most peculiar may be the secondary keylogger it uses to try and defend against inspection. 1/16 pic.twitter.com/ME80KMrNg5

— Eric Brandel (@AffableKraut) April 22, 2021

This skimmer can be found loaded directly into compromised e-commerce sites. However, in the majority of cases we found it loaded externally.

The loader

The loader is also an encoded piece of JavaScript that is somewhat obscure. It is injected inline within the DOM right before the text/x-magento-init tag or separated by copious amounts of white space.

One way to understand what the code does is by using a debugger and setting a breakpoint at a particular spot. It is best to either use an already compromised site or bypass the check for the address bar (onestepcheckout).

We can now see the purpose of this script: it is to load the proper skimmer.

The skimmer

As mentioned previously, the skimmer is quite opaque and makes debugging effort difficult and lengthy.

To cut to the chase, the skimmer exfiltrates data via a POST request to the same domain name where the JavaScript is loaded from.

POST https://filltobill5.casa/ HTTP/1.1
Host: filltobill5.casa
[obfuscated data] Threat actor and victims

We were able to collect a few indicators from the threat actor behind this campaign. One was the use of netmail.tk, also observed by Luke Leal, for registering skimmer domains.

Although there are clusters of domains from the same registrant, we see that they are trying to compartmentalize their infrastructure and hide the hosting provider’s true IP address. They also register domains en masse, which allows them to defeat traditional blocklists.

We don’t have a good estimate of how prevalent this campaign is, but we certainly run into it regularly while monitoring e-commerce sites for malicious code. The victims are various small businesses with an online shop running Magento.

Conclusion

The large number of e-commerce sites that are running outdated versions of their CMS is a low hanging fruit for threat actors interested in stealing credit card data. In a sense, there is always a baseline of potential victims that can be harvested.

And every now and again, some opportunities appear. They could be as simple as a zero-day in a plugin or CMS, or maybe an entry point into more valuable targets via a supply-chain attack.

Threat actors are always ready to pounce on those and may well have established their infrastructure ahead of time, waiting for such opportunities.

Malwarebytes customers are protected against this skimmer.

Indicators of Compromise

Email addresses (registrant)

  • wxugvvvu@netmail[.]tk
  • isgskpys@netmail[.]tk
  • zulhqmnr@netmail[.]tk
  • yzzljjkmc@emlhub[.]com
  • foyiy11183@macosnine[.]com

Skimmer domains

adminet[.]site
adminet[.]space
amasterweb[.]site
analistcloud[.]space
analistnet[.]site
analistnet[.]space
analistsite[.]site
analistsite[.]space
analisttab[.]site
analisttab[.]space
analistweb[.]site
analistweb[.]space
analitic-tab[.]site
analitic-tab[.]space
analiticnet[.]site
analitics-tab[.]site
analiticsnet[.]site
analiticstab[.]site
analiticstab[.]space
analitictab[.]site
analitictab[.]space
analiticweb[.]site
analizeport[.]site
analizerete[.]site
analylicweb[.]site
analystclick[.]site
analysttraffic[.]site
analystview[.]site
analystweb[.]site
analyticlick[.]site
analyticmanager[.]site
analyticview[.]site
aneweb[.]site
bublegum[.]xyz
cdnetworker[.]site
cleanerjs[.]site
clickanalyst[.]site
clickanalytic[.]site
cloudtester[.]site
cocolatest[.]sbs
commenter[.]site
connectweb[.]space
domainclean[.]site
domainet[.]site
domainet[.]space
fastester[.]site
fastjspage[.]site
fastupload[.]site
filltobill5[.]casa
foosq[.]one
foundanalyst[.]site
foundanalytic[.]site
fullka[.]online
goos1[.]store
gudini[.]cam
hardtester[.]site
hostcontrol[.]space
httpanel[.]site
indokitel[.]xyz
interage[.]site
ipcounter[.]space
itoltuico[.]cyou

itsector[.]date
jscleaner[.]site
lanetester[.]site
lanlocker[.]site
linkerange[.]site
linkerange[.]space
listmanager[.]space
loockerweb[.]site
magengine[.]site
managerage[.]site
managerage[.]space
managertraffic[.]site
mariaschool[.]xyz
masterlinker[.]site
masternet[.]space
masterport[.]site
mediaconservative[.]xyz
minanalize[.]site
minimazerjs[.]site
netanalist[.]site
netanalist[.]space
netanalisttest[.]space
netanalitic[.]site
netanalitic[.]space
netanalitics[.]site
netcontrol[.]site
netpanel[.]site
netstart[.]space
nettingpanel[.]site
nettingtest[.]site
nettraffic[.]site
ollaholla[.]cyou
onehitech[.]casa
ownerpage[.]site
pagecleaner[.]site
pagegine[.]site
pageloader[.]site
pagenator[.]site
pagestater[.]site
pagesupport[.]site
panelake[.]site
panelake[.]space
panelan[.]site
panelblock[.]site
panelnetting[.]site
panelocker[.]site
pinokio[.]online
planetspeed[.]site
producteditor[.]site
retenetweb[.]site
rokki[.]club
saverplanel[.]site
sectimer[.]site
securefield[.]site
seeweb[.]space
sentech[.]cyou
showproduct[.]site
siteanalist[.]site
siteanalist[.]space
siteanalitic[.]site
siteanalitics[.]site
siteanalyst[.]site

siteanalytic[.]site
sitengine[.]site
sitesecure[.]space
sitetraffic[.]site
slickclean[.]site
slotmanager[.]site
slotshower[.]site
smallka[.]cam
smalltrch[.]cc
soorkis[.]one
spaceclean[.]site
spacecom[.]site
speedstress[.]site
speedtester[.]site
speedtester[.]space
sslmanager[.]site
starnetting[.]site
statetraffic[.]site
statsclick[.]site
storepanel[.]site
suporter[.]site
tab-analitic[.]site
tab-analitic[.]space
tab-analitics[.]site
tab-analitics[.]space
tabanalist[.]site
tabanalist[.]space
tabanalitic[.]site
tabanalitic[.]space
tabanalitics[.]site
tabanalitics[.]space
targetag[.]space
telanet[.]site
telanet[.]space
trafficanalyst[.]site
trafficanalytics[.]site
trafficcloud[.]site
trafficsanalist[.]site
trafficsee[.]site
trafficweb[.]site
truetech[.]cam
unpkgtraffic[.]site
veeneetech[.]world
versionhtml[.]site
viewanalyst[.]site
viewanalytic[.]site
webanalist[.]site
webanalist[.]space
webanalitic[.]site
webanalitics[.]site
webanalylic[.]site
webanalyst[.]site
webmode[.]site
webmoder[.]space
welltech[.]bar
welltech[.]monster
welltech[.]rest

Skimmer URLs

filltobill5[.]casa/state-3.9.min.js
welltech[.]bar/state-5.0.7.js
veeneetech[.]world/tag-2.7.js
goos1[.]store/openapi-3.3.min.js
goos1[.]store/animate-1.6.9.min.js
mariaschool[.]xyz/openapi.min.js
pagecleaner[.]site/state.min.js
foosq[.]one/mobile.js
pinokio[.]online/slick-3.4.min.js
truetech[.]cam/screen-4.6.min.js
onehitech[.]casa/tags-3.0.7.js
rokki[.]club/mobile-1.3.min.js
bublegum[.]xyz/libs.min.js
fastjspage[.]site/utils.js
fastester[.]site/waypoints.min.js
versionhtml[.]site/openapi-4.1.js
itoltuico[.]cyou/library-3.6.js

adminet[.]site/utils.js
ollaholla[.]cyou/common-4.1.js
indokitel[.]xyz/current.min.js
panelake[.]site/tag.js
gudini[.]cam/libs-2.0.js
fullka[.]online/dropdowns-1.6.min.js
welltech[.]monster/mobile-2.3.min.js
welltech[.]rest/widget.min.js
sentech[.]cyou/widget.min.js
smalltrch[.]cc/plugin-1.9.7.js
soorkis[.]one/widget-3.6.7.js
analistcloud[.]space/common.js
smallka[.]cam/plugin-1.1.3.js
loockerweb[.]site/common.js
mediaconservative[.]xyz/script.js
itsector[.]date/waypoints.min.js

YARA rules

rule qlogger_loader_WebSkimmer : Magecart WebSkimmer {     meta:         author = "Malwarebytes"         description = "Magecart (q-logger loader)"       source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/"         date = "2021-10-19"   strings:         $regex = /"load",function\(\)\{\(function\(\)\{/         $regex2 = /while\(!!\[\]\)\{try{var/         $regex3 = /\(\w\['shift'\]\(\)\);\}\}\}/   condition:         all of them } rule qlogger_skimmer_WebSkimmer : Magecart WebSkimmer { meta: author = "Malwarebytes" description = "Magecart (q-logger skimmer)" source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/" date = "2021-10-19" strings: $regex = /return\(!!window\[\w{2}\(/ $regex2 = /\w\(\)&&console\[/ condition: all of them }

The post q-logger skimmer keeps Magecart attacks going appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Protect yourself from BlackMatter ransomware: Advice issued

Malwarebytes - Tue, 10/19/2021 - 16:33

Despite promises made by the BlackMatter ransomware gang about which organizations and business types they would avoid, multiple US critical infrastructure entities have been targeted. Now, the Federal Bureau of Investigation (FBI), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) have issued a warning on BlackMatter ransomware, and tips on how to avoid it.

BlackMatter ransomware

BlackMatter is a ransomware-as-a-service (RaaS) that allows the developers to profit from cybercriminal affiliates who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, and has some similarities to REvil. According to its own site:

 “The project has incorporated in itself the best features of DarkSide, REvil and LockBit”

Promises, promises

On their own leak site, the BlackMatter gang claim not to attack companies belonging to the following six industries, with the caveat that if or when any companies in these industries do get hit, such victims should simply ask for a free decryption:

  • Hospitals
  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)
  • Oil and gas industry (pipelines, oil refineries)
  • Defense industry
  • Non-profit companies
  • Government sector

A recent high-profile victim of BlackMatter was Japan-headquartered manufacturer Olympus which, among others, produces medical equipment. BlackMatter is also named as the likely culprit behind the cybersecurity incident affecting US farmers’ cooperative NEW Cooperative.

All in all, the BlackMatter group have performed attacks against several US-based organizations and demanded ransoms ranging from 80 thousand to 15 million US dollars in Bitcoin and Monero.

How to avoid BlackMatter ransomware

CISA alert lists technical details in the form of Tactics, Techniques, and Procedures (TTPs) based on the MITRE ATT&CK for Enterprise framework, detection signatures, and mitigations.

Most of the mitigation strategies will look very familiar to our regular readers, but it’s always worth repeating them. And you may spot some new ones.

  • Use strong and unique passwords. Passwords shouldn’t be reused across multiple accounts or stored on a system where an adversary may gain access. Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
  • Implement and require Multi-Factor Authentication (MFA) where possible and especially for webmail, virtual private networks, and accounts that access critical systems.
  • Patch and update. Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Limit access to resources over the network. Remove unnecessary access to administrative shares, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity. Use a host-based firewall to only allow connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines.
  • Implement network segmentation and traversal monitoring. This will hinder an adversary from learning the organization’s enterprise environment. Many attackers use system and network discovery techniques for network and system mapping.
  • Implement time-based access for accounts set at the admin-level and higher. BlackMatter operatives have been noticed to use compromised credentials during non-business hours, which allows them to go undetected for longer periods.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line.
  • Implement and enforce backup and restoration policies and procedures. Doing backups right is not as easy as some may think. Make sure they are recent, cannot be altered or deleted, and cover the entire organization’s data infrastructure.

Furthermore, CISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise:

  • Disable the storage of clear text passwords in LSASS memory.
  • Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
  • Implement Credential Guard for Windows 10 and Server 2016.
  • Minimize the Active Directory (AD) attack surface to reduce malicious ticket-granting activity. Ticket Granting services can be used to obtain hashed credentials that attackers attempt to crack or use in pass-the-hash methods.
Bad things happen

If, despite your best efforts, a ransomware incident occurs at your organization, CISA, the FBI, and NSA say US-based organizations should:

Stay safe, everyone!

The post Protect yourself from BlackMatter ransomware: Advice issued appeared first on Malwarebytes Labs.

Categories: Techie Feeds

REvil ransomware disappears after Tor services hijacked

Malwarebytes - Tue, 10/19/2021 - 13:42

With some pests you hope they never recover from a blow. It’s almost too good to be true, but one can hope. This is one of them. The REvil ransomware group has shut down their operation for the second time this year after losing control over their Tor-based domains.

Shutdown number 1

REvil’s first shutdown was in July 2021, after the gang successfully pulled off a supply chain attack against Managed Service Provider Kaseya. Shortly after this widespread incident all online traces of the gang weirdly seemed to vanish from the internet. In particular, the payment sites and data leak site were taken offline, along with the infrastructure for victims to make Bitcoin payments and get the decryption tools.

A lot of speculation ensued but there were no definite answers. Some said the group had joined forces with the DarkSide group to come back stronger under the name BlackMatter. Others claimed a victory for the good guys, hoping, almost against the odds, that some of the countermeasures taken by governments across the globe were starting to produce results. The Kaseya attack certainly had such an impact worldwide that it brought the full attention of international law enforcement to the group.

The group’s own story is that one of the group’s leaders took down the servers and disappeared with the group’s money, which left them unable to pay many of their affiliates.

The comeback

Unfortunately, a few months later, the REvil ransomware gang made a comeback, attacking new victims and publishing stolen files on a data leak site. The Tor payment and negotiation sites suddenly turned back on as well, with the timers for all prior victims reset to the day the infrastructure went offline.

Shutdown number 2

This time the shutdown looks to be a result of a hostile take-over. This week, the gang’s Tor payment portal and data leak blog were allegedly hijacked, and a spokesperson for the group said the server was compromised. The threat actor’s post on an underground forum said the group’s Tor services were hijacked and replaced to point to a different location.

And again speculation comes into play.

Allegedly, many affiliates were still waiting to be compensated for the losses they suffered when the group last disappeared. On top of that there are rumors that the developers of the ransomware hid a backdoor in their code, so that they can forego their affiliates and provide decryption keys directly to victims.

This doesn’t really make sense, in my view. But it is possible that a key exists that can decrypt the files of multiple, or maybe even all, victims. It wouldn’t be the first time.

Either way, cybercriminals that operate under covert identities rely on a strong base of trust if they want to continue to work together. And that trust in REvil seems to be at a low level, and may be totally gone depending on how this disappearing act turns out.

torcc file

In all the reports about the server takeover there is a mention of the torcc file. This is a text file that holds the configuration details for a Tor instance. The spokesperson for REvil claimed that the path to their hidden service was deleted and the attacker raised their own, hoping that they would go there. Basically, the hidden service in the torcc file is what points visitors of an .onion site to the correct webserver. Being able to alter that file requires a high level of access.

So, who do you think is responsible? Let us know in the comments. I have prepared a few choices, but obviously you can add your own options.

Option 1: An angry affiliate that has had enough.

Option 2: It was an inside job and yet another admin fled the scene with the money.

Option 3: Law enforcement shut down the operation and is now after the people behind it.

Option 4: A white hat hacker that wishes to remain anonymous for safety’s sake.

Option 5: It was just a glitch and they will be back next week, maybe under another name.

Option 6: It was the former group’s leader who was not amused to learn about the comeback.

Wink if you are not guessing, but know for a fact.

The post REvil ransomware disappears after Tor services hijacked appeared first on Malwarebytes Labs.

Categories: Techie Feeds

“Killware”: Is it just as bad as it sounds?

Malwarebytes - Mon, 10/18/2021 - 15:51

On October 12, after interviewing US Secretary of Homeland Security Alejandro Mayorkas, USA TODAY’s editorial board warned its readers about a dangerous new form of cyberattack under this eye-catching headline:

The next big cyberthreat isn’t ransomware. It’s killware. And it’s just as bad as it sounds.”

But while “killware” sounds scary, the term itself is unhelpful when describing the many types of cyberattacks that, like USA TODAY wrote, “can literally end lives,” and that’s because nearly any type of hack, no matter the intention, can result in death. Complicating this is the fact that the known cyberattacks that have allegedly led to deaths already have a category: ransomware. Further, the term “killware” can confuse antivirus customers seeking reassurance that their own vendor is protecting them from this threat, but antivirus vendors do not stop attacks based on intent, they stop attacks based on method.

As an example, Malwarebytes Director of Threat Intelligence Jerome Segura said that Malwarebytes does not have any specific Indicators of Compromise (IOCs) for “killware” and that, instead, “we continue to protect our customers with our different layers of protection.”

“Many of our layers are ‘payload indifferent’ meaning we block the attack regardless of what it is meant to do (it could be to ransom, it could be to destroy MBRs, or anything in between). We don’t focus on that end payload so much as blocking how an attacker might get there.”

Think of it like this: Locksmiths don’t develop one set of locks to prevent robberies and another set of locks to prevent assault—they develop locks to primarily prevent break-ins, no matter what an invader has planned.

“Killware” is too loose a term to be useful

In February, an employee for a water treatment facility in Oldsmar, Florida, saw the mouse on his computer screen moving around without his involvement. The employee, according to Wired, thought this was somewhat normal, as his workplace used a tool that allowed for remote employees and supervisors to take control of computers at the plant itself. But when the employee saw the cursor move around a second time in the same day, he reportedly saw an attempt by an intruder to maliciously increase the chemical levels at the water treatment facility, upping the amount of sodium hydroxide—which can be corrosive in high quantities—to dangerous levels.

In USA TODAY’s article about “killware,” Secretary Mayorkas pointed directly to this cyberattack. It was different than other cyberattacks, Mayorkas said, because it “was not for financial gain but rather purely to do harm.”

But if the attack was truly meant to harm or even kill people—which it very well may have—what good does it do to associate it with this new “killware” category? “Killware,” after all, still has the “ware” suffix in it, meaning that it should have at least some relationship to a piece of software, or a program, or perhaps many lines of code.

The breach at the Oldsmar water plant, however, may have involved no malware at all. No spear-phishing attack against an executive’s personal device. No surreptitious implantation of spyware to collect admin credentials. No initial breach and lateral movement. Instead, there’s a frustratingly simpler theory: Reused passwords across the entire water treatment plant for a crucial, remote access tool.

Following the attack at the Oldsmar facility, the state of Massachusetts issued a cybersecurity advisory notice to public water suppliers, detailing a few basic cybersecurity flaws that may have played a role in the attack. As the state said in its advisory:

“The unidentified actors accessed the water treatment plant’s [supervisory control and data data acquisition (SCADA)] controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”

Further, in testifying about the attack to the House Committee on Homeland Security, former Cybersecurity and Infrastructure Security Agency Director Chris Krebs said that the attack was “very likely” caused by “a disgruntled employee,” wrote Washington Post report Ellen Nakashima.

Florida water hack was "very likely" the work of "a disgruntled employee" @C_C_Krebs says at a House Homeland Security hearing

— Ellen Nakashima (@nakashimae) February 10, 2021

So, the attack may have come from a former employee, who may already have possessed the remote access credentials, which were already the same credentials for every user at the water treatment facility, which also lacked firewall protections.

What part of this attack chain, then, should be labeled “killware”?

Truthfully, none, and that’s because labeling anything as “killware” ignores the basic facts about cybersecurity defenses. Cybersecurity vendors do not categorize or identify attacks based on their final intentions. A reused password is a bad idea, but it isn’t a bad idea that can only be used to harm people. Lacking firewalls protections, similarly, are poor practice, but they aren’t poor practice that can only be used to threaten people’s lives.

In fact, even if cybersecurity vendors wanted to categorize attacks by intention, how could they?

Earlier this year, a bereaved mother filed a lawsuit against a hospital in Alabama that, she claims, failed to provide adequate care to her baby because the hospital was hamstrung by a ransomware attack. The hospital’s inability to properly care for her baby, the lawsuit said, eventually led to her child’s death. Nearly a year prior, a patient’s death during a ransomware attack on a German hospital brought similar allegations—though no lawsuits—but those allegations fell apart in the months following the attack, as the chief public prosecutor tasked with investigating the attack concluded that, even without the treatment delays caused by the ransomware attack, the patient likely would have died.

Neither of these situations involved hackers whose end goal was purely to harm or kill people. The intent, as is clear in almost every single ransomware attack, is to get paid. Ransomware attacks on hospitals, specifically, may use the threat of death as leverage for their end goal, but even the threat of death does not alter the end goal, which is to get paid potentially millions of dollars. If we even tried to use the “killware” term on these attacks, they wouldn’t fit, despite the end result.

Finally, labeling attacks as “killware” does a disservice to both cybersecurity vendors and the public because, if “killware” is a term that requires understanding an attacker’s intent, then “killware” must be applied after an attack has already happened. Good cybersecurity tools don’t just clean up an attack after it’s happened, they actually prevent attacks from happening in the first place. How then, possibly, could a cybersecurity provider prevent an attack that, by its definitional nature, cannot be determined until it’s already happened?

Remember the human

“Killware,” as a term, helps no one and it only increases panic. It conjures up images of hackers gone amok and dark-web-trained serial killers who work with nothing but a laptop—images that might actually be a better fit for over-dramatized procedural cop dramas on TV.

Importantly, “killware” fails to recognize that, already, attacks on computers, machines, devices, and networks have a dramatic impact on the people who use them. Ransomware attacks already cause tremendous emotional and mental harm to the people tasked with cleaning them up. Online scams already ruin people’s lives by emptying their bank accounts.

We do not need a new term that focuses even more on the attacker in cyberthreats. What we need is to remember that cyberattacks, already, are attacks against people, no matter their intent.

The post “Killware”: Is it just as bad as it sounds? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Multiple vulnerabilities in popular WordPress plugin WP Fastest Cache

Malwarebytes - Mon, 10/18/2021 - 13:37

Multiple vulnerabilities have been found in the popular WordPress plugin WP Fastest Cache during an internal audit by the Jetpack Scan team.

Jetpack reports that it found an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.

WP Fastest Cache

WP Fastest cache is a plugin that is most useful for WordPress-based sites that attract a lot of visitors. To save the RAM and CPU time needed to render a page, the plugin creates caches of static html files, so that the pages do not need to be rendered for every visit separately.

This results in a speed improvement which in turn improves the visitor experience and the SEO ranking of the site. WP Fastest Cache is open source software and comes in free and paid versions.

WP Fastest Cache currently has more than a million active installations according to its WordPress description page.

Authenticated SQL Injection vulnerability

This particular vulnerability can only be exploited on sites where the Classic Editor plugin is both installed and activated.  Classic Editor is an official plugin maintained by the WordPress team that restores the previous (“classic”) WordPress editor and the “Edit Post” screen.

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database, and has become a common issue with database-driven web sites. This bug could grant attackers access to privileged information from the affected site’s database, such as usernames and (hashed) passwords.

Stored XSS issue

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one is listed as CVE-2021-24869 and received a CVSS score of 9.6 out of 10.

Cross-site request forgery (CSRF), also known as one-click attack or session riding, is a type of exploit of a website where unauthorized commands are submitted from a user that the web application trusts. A CSRF attack forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering, an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is an administrative account, CSRF can compromise the entire web application.

Cross-Site Scripting (XSS) is a vulnerability that exploits the client environment within the browser, allowing an attacker to inject arbitrary code onto the target’s instance and environment. Basically the application does not process received information as intended. An attacker can use such a vulnerability to create input that allows them to inject additional code into a website.

In this case it was possible due to a lack of validation during user privilege checks. The plugin allowed a potential attacker to perform any desired action on the target website. Hence, an adversary could even store malicious JavaScript code on the site. Which in case of an online shop could be a web skimmer designed to retrieve customer payment information.

Mitigation

Website owners should download and install the latest version of the WP Fastest Cache plugin (version 0.9.5) in which these vulnerabilities have been fixed. Jetpack recommends users update as soon as possible, as both vulnerabilities have a high technical impact if exploited. At the time of writing 650,000 instances were still on a vulnerable version.

For more general tips on how to secure you CMS, we recommend reading our article on How to secure your content management system.

Stay safe, everyone!

The post Multiple vulnerabilities in popular WordPress plugin WP Fastest Cache appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Oct 11 – Oct 17)

Malwarebytes - Mon, 10/18/2021 - 12:21
Last week on Malwarebytes Labs Other cybersecurity news

Stay safe, everyone!

The post A week in security (Oct 11 – Oct 17) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What is an .exe file? Is it the same as an executable?

Malwarebytes - Fri, 10/15/2021 - 10:49

You may often see .exe files but you may not know what they are. Is it the same as an executable file? The short answer is no. So what’s the difference?

What is an .exe file?

Exe in this context is a file extension denoting an executable file for Microsoft Windows. Windows file names have two parts. The file’s name, followed by a period followed by the extension (suffix). The extension is a three- or four-letter abbreviation that signifies the file type.

I hear some advanced users moaning in the back of the class, because there are many exceptions. But as a general rule, everything behind the last period in the filename is the extension. For example, because Windows default settings don’t always show the extension of a file, some malware authors name their files really_trustworthy.doc.exe, hoping that the user’s Windows settings cause it to hide the .exe part and have the user believe this is a document they can safely open.

By using this trick in filenames like YourTickets.pdf.exe, malware like Cryptolocker was mailed to millions of potential victims. The icon was the same as legitimate pdf files so it was hard for some receivers to spot the difference. Usually the mails pretend to be from a worldwide courier service, but they also mask themselves as a travel agency.

Wait, what? Is a .exe file a virus?

An .exe file can be a virus, but that is certainly not true for all of them. In fact, the majority are safe to use or even necessary for your Windows system to run. It all depends on what is in an .exe file. Basically .exe files are programs that have been translated into machine code (compiled). So, whether an .exe file is malicious or not depends on the code that went into it.

Most of the normal .exe file will adhere to the Portable Executable (PE) file format. The name “Portable Executable” refers to the fact that the format is not architecture specific, meaning they can be used in 32-bit and 64-bit versions of Windows operating systems. By this standard format the actual code can be found in the .text section(s) of an executable.

How do I open an .exe file?

This is an ambiguous question that deserves two answers.

To use an .exe file you can usually just double click it. You may get a security prompt before it actually runs, but technically you will have initiated running the program inside the .exe file.

If you want to look what is inside an .exe file then that is a much more complicated question. It depends why you want to look inside. Examining files without running them is called static analysis, whereas dynamic analysis is done by executing the program you want to study. As mentioned before, .exe files have been compiled by machine code, so you need special programs to do static analysis. The most well-known program to do this is IDA Pro, which translates machine code back to assembly code. This makes an .exe more understandable, but it still takes a special skillset to make the step from reading assembly code to understanding what a program does.

Difference to an executable

The definition of an executable file is: “A computer file that contains an encoded sequence of instructions that the system can execute directly when the user clicks the file icon. Executable files commonly have an .exe file extension, but there are hundreds of other executable file formats.

So, every true .exe file is an executable but not every executable file has the .exe extension. We mentioned before that .exe files are commonly intended for use on systems running on a Windows OS . That doesn’t mean you can’t open an .exe file on, say, your Android device, but you will need an emulator or something similar to make that happen. The same is true if you are wondering how to open an .exe file on a system running macOS.

Are .exe files safe to open?

It’s not safe to open any .exe file you encounter.. Just like any other file, it depends on the source of the file as to whether you can trust it or not. If you receive an .exe file from an untrusted source, you should use your anti-malware scanner to scan the file and find out whether it is malicious or not. If you’re still in doubt, get a second opinion by uploading it to VirusTotal to check if any of the participating vendors detects the file.

Can an .exe file run itself?

Any executable file needs a trigger to run. A trigger can be a user double-clicking the file, but it can also be done from the Windows registry, for example when Windows starts up. So the closest an .exe file can come to running itself is by creating a copy in a certain location and then point a startup registry key to that location. Or by dropping the copy or a shortcut in the Startup folder, since all the files in that folder get run when Windows starts.

But there are other triggers. For example, there are Autoplay and Autorun options in Windows that get executed at the connection of, for example, USB devices. Malware can be hidden in the firmware of devices that get executed once the device is connected, etc. Which is one reason not to trust USB sticks you find in a parking lot or that get handed out as swag.  You do not want to be responsible for the next cyber incident in your organization, right?

Other executable files

All the potentially bad stuff I have written about .exe files is just as true for almost all other executable files, so it’s not true that .exe files are bad by nature or that they should be trusted the least. The same dangers can be associated with other executable files. Unfortunately, other operating systems have their own viruses which use their own executable files, but that’s for another day.

Stay safe, everyone!

The post What is an .exe file? Is it the same as an executable? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adblocker promises to blocks ads, injects them instead

Malwarebytes - Thu, 10/14/2021 - 21:40

Researchers at Imperva uncovered a new ad injection campaign based on an adblocker named AllBlock. The AllBlock extension was available at the time of writing for Chrome and Opera in the respective web stores.

While disguising your adware as an adblocker may seem counterintuitive, it is actually a smart thing to do. But let’s have a look at what they did and how, first.

AllBlock

As we mentioned, AllBlock is advertised as an adblocker on its site. It promises to block advertisements on YouTube and Facebook, among others.

When you’re installing the Chrome extension, the permissions it asks for make sense for an adblocker.

Even though that may seem like a lot to allow, and it is almost a carte blanche, any adblocker that you expect to work effectively will need a full set of permissions to at least “read and change all your data on all websites.”

What Imperva found is that the extension replaces all the URLs on the site a user is visiting with URLs that lead to an affiliate. This ad injection technique means that when the user clicks on any of the modified links on the webpage, they will be redirected to an affiliate link. Via this affiliate fraud, the attacker earns money when specific actions like registration or sale of the product take place.

Ad injection

Ad injection is the name for a set of techniques by which ads are inserted in webpages without getting the permission of site owners or paying them. Some of the most commonly seen tactics are:

  • Replacing existing ads with ads provided by the attacker
  • Adding ads to sites that normally have none
  • Adding or changing affiliate codes so the attacker gets paid instead of the affiliate that had permission to advertise on a site

To pull this off, malicious browser extensions, malware, and stored cross-site scripting (XSS) are the most commonly found techniques.

In this case it was a malicious extension that used some interesting methods.

To make the extension look legitimate, the developers actually implemented ad blocking functionality. Further, the code was not obfuscated and nothing immediately screams malware.

All the URLs that are present in a visited website are sent to a remote server. This server replies with a set of URLs to replace them with. The reading and replacing of the URLs is done by the extension which was given permissions to do so.

To avoid detection, the threat actor has taken a few more measures besides looking harmless. The malicious javascript file detects debugging, it clears the debug console every 100 ms, and major search engines (with a special focus on Russian engines) are excluded.

A part of the code in the bg.js script that is part of the extension makes an HTTP request to allblock.net/api/stat/?id=nfofcmcpljmjdningbllljenopcmdhjf and receives a JSON response with two base64 encoded properties “data” and “urls”. The “data” part is the code that gets injected on every site the affected browser opens, and the “urls” part looks like this:

{"youtubeInput":["*:\/\/*.youtube.com\/get_video_info*adunit*","*:\/\/*.g.doubleclick.net\/pagead*","*:\/\/*.youtube.com\/pagead*","*:\/\/*.googlesyndication.com\/pagead*","*:\/\/*.google.com\/pagead*","*:\/\/*.youtube.com\/youtube*ad_break*"],"vkInput":["https:\/\/vk.com\/al_video.php?act=ad_event*","https:\/\/vk.com\/al_video.php?act=ads_stat*","https:\/\/vk.com\/ads_rotate*","https:\/\/ad.mail.ru\/*","https:\/\/ads.adfox.ru\/*"]} Conclusion

The extension the Imperva team found actually blocks ads, but it also runs a background script that injects a snippet of JavaScript code into every new tab that a user opens in the affected browser. The end goal is to make money by replacing legitimate URLs on the website with URLs of their own. These URLs include affiliate codes, so they get paid if you click on one of those links and benefit from any sales that may come out of these clicks.

Ad blockers that are able to block advertisements on popular social media like YouTube and Facebook may seem like the holy grail to some users. To those that are interested in ad blocking and haven’t found the right program yet, please read “How to block ads like a pro.”

And as we have mentioned before, it makes sense to give ad blockers the permissions that they need to do their job. So we feel the need to emphasize that you should only give those permission to extensions that you actually trust, not just because you think “it” needs them.

Ad blocker campaigns

The Imperva team writes on their blog that they believe that there is a larger campaign taking place that may utilize different delivery methods and more extensions.

In our own Malwarebytes’ research we have found a series of adblockers that were pushed out through websites showing fake alerts like this one.


If you keep stumbling over these and when you click on one of them, you might even welcome the offer of an adblocker, right?

We could not find anything wrong with these extensions, and we also found that they were all using the publicly available Adguard blocklist. So we didn’t really follow up on them because, same as the one described above, they looked legitimate. The only thing that really made them look suspicious was that they were promoted through these “fake alert” sites.

For now it is hard to tell whether we have been tracking the same or similar campaigns. Since I haven’t seen the bg.js script before they may be completely different, but I will try and contact the Imperva team and compare notes. If anything interesting comes out of that, we will let you know.

Stay safe, everyone!

The post Adblocker promises to blocks ads, injects them instead appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Inside Apple: How Apple’s attitude impacts security

Malwarebytes - Thu, 10/14/2021 - 12:51

Last week saw the fourth occurrence of the Objective by the Sea (OBTS) security conference, which is the only security conference to focus exclusively on Apple’s ecosystem. As such, it draws many of the top minds in the field. This year, those minds, having been starved of a good security conference for so long, were primed and ready to share all kinds of good information.

Because of the control it exerts over its ecosystem, understanding Apple’s attitude to security—and it’s willingness to act as a security “dance partner”—are crucial to securing Apple systems, and developing Apple security software.

I was at OBTS, and this is what I learned about Apple’s current attitude to privacy, security, and communication.

Apple’s not great at working with security researchers

It’s no great surprise to anyone that Apple has a rocky relationship with many security researchers. Years ago, well-known researcher and co-author of the book “The Mac Hacker’s Handbook”, Charlie Miller, figured out how to get a “malicious” proof-of-concept app into the App Store, and reported this to Apple after having achieved it. His reward? A lifetime ban from Apple’s developer program.

This says a lot about Apple’s relationship with third-party security researchers. Unfortunately, things haven’t changed much over the years, and this is a constant cause of strains in the relationship between Apple and the people trying to tell it about security issues. During the conference, Apple got booed several times by the audience following reports from OBTS speakers of mismanaged bug reports and patches.

What is it that Apple has been accused of doing? There have been multiple offenses, unfortunately. First, a number of security researchers have reported getting significantly lower bug bounties from Apple’s bug bounty program than they should have earned. For example, Cedric Owens (@cedowens) discovered a bug in macOS that would allow an attacker to access sensitive information. Apple’s bug bounty program states that such bugs are worth up to $100,000. They paid Cedric $5,000, quibbling over the definition of “sensitive data.” (For the record: Cedric’s bug absolutely gave access to what any security researcher or IT admin would consider sensitive data… more on this later.)

Other researchers have reported similar issues, with significantly reduced payments for bugs that should have qualified for more. Further, there is often a significant wait for the bounties to be paid, after the bugs have been fixed—sometimes six months or more. Apple also had a tendency to “go silent,” not responding to researchers appropriately during the process of handling bug reports, and has repeatedly failed to properly credit researchers, or even mention important bugs, in its release notes.

All this leaves a sour taste in many researchers’ mouths, and some have decided to either publicly release their vulnerabilities—as in the case of David Tokarev, who published three vulnerabilities after Apple failed to act on them for many months—or to sell those vulnerabilities on the “gray market,” where they can earn more money.

Screenshot of David Tokarev’s blog, disclosing three 0-day vulnerabilities

Keep in mind here that Apple is one of the richest companies in the world. Paying out the highest prices for security bugs would be pennies compared to Apple’s yearly profits.

A patching myth busted

It has long been a rule of thumb that Apple supports the current system, plus the previous two, with security-related patches. Currently, that would mean macOS 11 (Big Sur), plus macOS 10.15 (Catalina) and macOS 10.14 (Mojave).

However, this is not something Apple has ever stated. I honestly couldn’t tell you where this idea came from, but I’ve heard it echoed around the Mac community for nearly two decades. Although researchers and some IT admins have questioned for years whether this “conventional wisdom” is actually true, many believe it. Josh Long (@theJoshMeister) did a lot of research into this, and presented his findings at the conference.

There have been many bugs in the last year that were fixed for only some of the “current three” systems. This was known to a degree, but Josh’s data was eye-opening as to the extent to which it was happening. Folks who were aware of some of these discrepancies theorized that some of these bugs may not have affected all three systems, and that may explain why patches were never released for them.

However, Josh was able to track down security researchers who had found these bugs, and confirmed that, in at least one case, Mojave was affected by a bug that had been patched in Catalina and Big Sur only. Thus, we know now that this rule of thumb is false. This confirmed many people’s suspicions, but there are many others who have continued to believe in the myth. It’s echoing around Apple’s own forums, among other places.

The fact that this speculation persisted for years, and that research was even necessary to prove it false, is a major failing on the part of Apple. Microsoft tells its users whether a system is still supported or not. Why can’t Apple do the same? Staying silent, and allowing people to believe the myth of the “three supported systems,” means that some machines are left vulnerable to attack.

At this point, you should assume that only the most current system—Big Sur at the moment, but soon to be Monterey—is the most secure system, and that there may be known vulnerabilities left unpatched in all others. This means you should feel a bigger sense of urgency at upgrading when a new system like Monterey comes out, rather than waiting for months to upgrade.

Apple loves privacy, but you can still be tracked

Apple is well-known for its strong stance on privacy. (I say that as if Apple isn’t well-known otherwise, and you might say, “What’s the name of that company that really likes privacy?”) However, we heard plenty of talk about data access and tracking despite this. (Or maybe because of Apple’s views on privacy, it’s more interesting when we learn how to violate it?)

Eva Galperin (@evacide) talked about how stalkers can track you on iOS, despite Apple’s protections. From a technical perspective, spyware—defined as software running on the device that surveils and tracks you—is not much of a thing, because of Apple’s restrictions on what apps can do, plus the fact that you can’t hide an app on iOS.

However, Eva showed how spyware companies are nonetheless capable of enabling you to creep on your ex. Many of these companies provide web portals where you enter your stalking victim’s Apple ID and password, which enables tracking via iCloud’s features. iCloud email can be read, as well as notes, reminders, files on iCloud Drive, and more. Find My can provide the victim’s location. Photos synced up to iCloud can be viewed. And so on.

You might say, “But wait! This requires me to know my victim’s Apple ID password, and have access to their two-factor authentication! Therefore, this is a non-issue.”

However, keep in mind that in many domestic abuse situations, the attacker has exactly this kind of information. Further, Apple ID credentials can easily be found in data breaches, for potential victims who have used the same password for Apple ID that they’ve used elsewhere, and there are techniques attackers can use to capture two-factor authentication codes.

Plus, let’s all remember the situation a few years back where someone was able to trick Apple support into helping them gain access to celebrity accounts, in order to steal their nude photos from iCloud.

On a different topic, Sarah Edwards (@iamevltwin) talked about the Apple Wallet. As a forensics expert, Sarah has a deep understanding of data and how to access it, and demonstrated the kind of data that could be obtained with access to iPhone backups. If an attacker could gain access to those backups, there’s a wealth of information about your daily activities, places that you frequent, and many other things to be harvested.

Apple has gone bananas… and who is Keith?

The most amusing part of the conference came during Sarah Edwards’ talk, when she discussed the data found in a particular database for Apple Wallet. This database contained hundreds of tables, and most of them were named after fruit. Yes, you heard me correctly—bananas, oranges, lemons, …durians! These are all the names of tables in a database relating to your wallet.

On first glance, this is quite puzzling. But it does make a certain amount of sense. If you’re trying to extract some data from this database, you’re going to have to put in a lot of work to figure out how to find it. The table names are not going to help you at all. That’s a pretty good thing, although I don’t envy the developers who have to keep all those databases straight. (“Where did we put the data on library cards again? Oh, yeah, in ‘kiwis!'”)

Although many of those tables are still a mystery, Sarah had been able to determine the purpose of some of them, through experimentation and observation. Still, many tables contained only things like identification numbers and timestamps, which by themselves are meaningless.

(As an aside, if the “durians” table doesn’t contain information relating to pay toilet transactions, I’ll be extremely disappointed!)

All privacy-related discussions aside, these table names remind me of Apple’s fun and playful side, which we so rarely get to see these days. Everyone knows Apple’s secretive facade, and security researchers often experience Apple’s sharp edges.

However, long-time Apple users know and love the “fun Apple.” This is the Apple that inscribed the signatures of all the engineers on the inside of the early one-piece Mac cases, where only a few would ever see them. Or the Apple that included a calendar file containing a history of Tolkien’s Middle Earth hidden in every copy of macOS. Or the Apple that used to Rickroll you on their Apple Watch support page!

Especially amusing was the discovery that, buried in the midst of all the fruit, there was a database simply named “keith.” Who is this Keith, and why is he in the wallet? Inquiring minds want to know!

For all of Apple’s flaws that we love to complain about, the discovery of this database brought back memories of the Apple that I love, and reminded me that it’s not just a faceless corporation, but is also a company full of people who also know and love the same Apple that I do.

The post Inside Apple: How Apple’s attitude impacts security appeared first on Malwarebytes Labs.

Categories: Techie Feeds

“Free Steam game” scams on TikTok are Among Us

Malwarebytes - Wed, 10/13/2021 - 16:04

TikTok has long since evolved beyond being thought of as “just” dance clips, also becoming a home for educational and informative content presented in a fun and casual way. There are accounts themed around pretty much any interest you can think of, and one of the biggest is gaming.

It’s not all entirely innocent, however. Sometimes we observe new twists on old scams, or slick videos designed to obscure some sleight of hand. Shall we take a look?

Free Steam game accounts: be careful what you wish for

Games are expensive. Even without the costs of downloadable content (DLC), you also have things like season passes, in-game currency frequently purchased with real money, lootboxes, and more. FOMO (fear of missing out) is a big driver for timed exclusives and must have items, and all of these constant pressures drive gamers to want a bit of a discount. Where it tends to go wrong is with the promise of everything being free. If it’s too good to be true, and so on.

What we sometimes see on TikTok is gaming-themed accounts making many of the same promises you see on other platforms. Free games, free items, free stuff. Everything is definitely free with no strings attached. Would RandomAccountGuy3856 lie to you?

The answer is, of course, “Yes, RandomAccountGuy3856 absolutely would lie to you”.

Taking a walk through free game town


This is a typical free game account which you’ll find on TikTok:

As you can see, it’s pretty minimal and is simply a stack of the same video uploaded repeatedly. The site claims to offer free games and keys.

The site itself appears to have recently been taken offline. Thanks to the magic of cached content, we can still piece things together and figure out the process.

 The front page splash at the start of last month looked as follows:

They’re claiming to offer up free versions of the incredibly popular Among Us game. However, they also claim to have special hacked versions up for grabs. These versions let the player cheat in various ways. There’s also the reassurance you won’t get banned, which is used as further encouragement to download the altered editions.

This process involves selecting which edition you want, and then hitting the download button. They claim to offer Android, PC, and iOS flavours.

No matter what button you hit, you see the below pop-up. You may well be familiar with these from years of surfing:

The text reads as follows:

Before downloading, we need to make sure you are a real user, and not an automated bot. This helps us keep making these kind of hacks and keep them on Google for a long time

Hitting the verify now button opens a new tab, with a new destination. Unfortunately, it’s not a very good one. As our detection page states, we have that particular URL blocked because it is associated with malvertising.

Running down the timer on TikTok fakeouts

These are old tricks, essentially given a fresh lick of paint and an enticing video to go with it. There’s just something a bit more personal about having what looks like real people telling you genuine-sounding things in a short video clip. It all feels very informal and casual, and that’s exactly the kind of ambience a scammer would look to hit you with alongside their dubious websites and offers.

Even when accounts like the above aren’t purged by TikTok, the sites they link to are often here today, gone tomorrow. Everything is purely geared towards driving as much ad/malvertising traffic as possible.

As tempting as the promise of free gaming is, please be on your guard. There are risky games, and then there are risky games.

The post “Free Steam game” scams on TikTok are Among Us appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Patch now! Microsoft fixes 71 Windows vulnerabilities in October Patch Tuesday

Malwarebytes - Wed, 10/13/2021 - 15:41

Yesterday we told you about Apple’s latest patches. Today we turn to Microsoft and its Patch Tuesday.

Microsoft tends to provide a lot of information around its patches and, so, there’s a lot to digest and piece together to give you an overview of the most important ones. In total, Microsoft has fixed 71 Windows vulnerabilities, 81 if you include those for Microsoft Edge.

One of the vulnerabilities immediately jumps out since it was used in the wild as part of the MysterySnail attacks, attributed by the researchers that discovered it to a Chinese speaking APT group called IronHusky.

MysterySnail

Earlier this month, researchers discovered that a zero-day exploit was used in widespread espionage campaigns against IT companies, military contractors, and diplomatic entities. The payload of these MysterySnail attacks is a Remote Access Trojan (RAT). The actively exploited vulnerability allows malware or an attacker to gain elevated privileges on a Windows device. So far, the MysterySnail RAT has only been spotted on Windows Servers, but the vulnerability can also be used against non-server Windows Operating Systems.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one is listed as CVE-2021-40449, a Win32k Elevation of Privilege (EoP) vulnerability, which means the vulnerability allows a user to raise their permissions.

PrintNightmare

I scared you by mentioning PrintNightmare, right? Well, that may not be completely in vain. The same researchers that discovered the PrintNightmare vulnerability have found yet another vulnerability in Microsoft’s Windows Print Spooler. This one is listed as CVE-2021-36970, a Windows Print Spooler spoofing vulnerability. The exploitation is known to be easy, and the attack may be initiated remotely. No form of authentication is needed for a successful exploitation, but it does require some action by the intended target. We may be hearing more about this one.

Exchange again

An Exchange bug that gets a CVSS score of 9.0 out of 10 is enough to make my hair stand on end. Listed as CVE-2021-26427, this one is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. The exploitation appears to be easy and the attack can be initiated remotely. A single authentication is required for exploitation, so the attacker will need to have some kind of access to exploit this one, which may be why Microsoft listed it as “exploitation less likely.” Exchange Servers are an attractive target and so we have seen a lot of attacks. One worrying flaw reveals users’ passwords and might provide attackers with the credentials they need to use this vulnerability.

Critical Microsoft Word vulnerability

One of the three vulnerabilities classified as critical is an RCE vulnerability in Word, listed as CVE-2021-40486. The vulnerability could allow a remote attacker to trick a victim into opening a specially crafted file, executing arbitrary code on their system.

The other two critical vulnerabilities are RCE flaws in Windows Hyper-V, the virtualization component built into Windows. These vulnerabilities are listed as CVE-2021-38672 and CVE-2021-40461.

Windows DNS Server RCE

The last one is only of interest if you are running a server that is configured to act as a DNS server. Listed as CVE-2021-40469, a Windows DNS Server Remote Code Execution vulnerability. The exploitation is known to be easy. The attack may be launched remotely, but the exploitation requires an enhanced level of successful authentication. The vulnerability was disclosed in the form of a Proof-of-Concept (PoC). While it may not be up to you to maintain or patch a DNS server, it’s good to know that this vulnerability exists in case we see weird connection issues as a result of a DNS hijack or denial-of-service.

While many details are still unknown, we have tried to list the ones we can expect to surface as real world problems if they are not patched as soon as possible.

Stay safe, everyone!

The post Patch now! Microsoft fixes 71 Windows vulnerabilities in October Patch Tuesday appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Ransom Disclosure Act would mandate ransomware payment reporting

Malwarebytes - Tue, 10/12/2021 - 20:13

In an effort to better understand and clamp down on the ransomware economy and its related use of cryptocurrencies, US Senator and past presidential hopeful Elizabeth Warren and US House Representative Deborah Ross introduced a new bill last week that would require companies and organizations to report any paid ransomware demands to the Secretary of the Department of Homeland Security.

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren in a prepared release. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises—and help us go after them.”

If passed, the “Ransom Disclosure Act” would require a broad set of companies, local governments, and nonprofits that actually pay off ransomware demands to report those payments to the government. Companies would need to report this information within 48 hours of paying a ransom.

Specifically, those affected by the bill would need to tell the Secretary of the Department of Homeland Security:

  • The date on which such ransom was demanded
  • The date on which such ransom was paid
  • The amount of such ransom demanded
  • The amount of such ransom paid

Companies would also need to disclose what currency they paid the ransom in, including whether the payment was made with any cryptocurrency. Companies would also have to offer “any known information regarding the identity of the actor demanding such ransom.”

The bill’s focus on cryptocurrencies acknowledges the technology’s core role in ransomware today, as likely not a single big ransomware payment has been made for years in anything other than crypto. But this reliance on cryptocurrency seems to finally be catching up to ransomware criminals, as cryptocurrency, while providing somewhat decent pseudonymity, instead provides incredible records. And international police are now excelling at following those records.  

In June, the US Department of Justice announced that, after following a series of cryptocurrency transactions across cyberspace, it eventually retrieved much of the ransomware payment that Colonial Pipeline paid to recover from its own ransomware attack in May. And earlier in October, Europol said it provided “crypto-tracing support” when the FBI, the French National Gendarmerie, and the Ukrainian National Police seized $375,000 in cash and another $1.3 million in cryptocurrencies during related arrests against “two prolific ransomware operators known for their extortionate ransom demands (between €5 to €70 million).”

This work, while encouraging in the fight against ransomware, largely happens in the dark, though, as ransomware payments made by companies are still kept considerably private. The Ransom Disclosure Act, then, seeks to shine a light on that darkness to better aid the fight. Said US House Representative Ross:

“Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions.”

The Ransom Disclosure Act would also require the Secretary of Homeland Security to develop penalties for non-compliance and to, one year after the passage of the bill, publish a database on a public website that includes ransom payments made in the year prior. That database must be accessible to the public, and it must include the “total dollar amount of ransoms paid” by companies, but the companies’ identifying information must be removed. The information gleaned from the incoming reports must also be packaged into a study by the Secretary of Homeland Security that specifically explores “the extent to which cryptocurrency has facilitated the kinds of attacks that resulted in the payment of ransoms by covered entities,” and the Secretary of Homeland Security must also then present the findings of that study to Congress.

Finally, according to the bill, individuals who make ransomware payments after personally being hit with ransomware must also have a way to voluntarily report their information to the government if they so choose.

The post Ransom Disclosure Act would mandate ransomware payment reporting appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Update now! Apple patches another privilege escalation bug in iOS and iPadOS

Malwarebytes - Tue, 10/12/2021 - 16:07

Apple has released a security update for iOS and iPad that addresses a critical vulnerability reportedly being exploited in the wild.

The update has been made available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one is listed as CVE-2021-30883 and allows an application to execute arbitrary code with kernel privileges. Kernel privileges can be achieved by using a memory corruption issue in the “IOMobileFrameBuffer” component.

Kernel privileges are a serious matter as they offer an attacker more than administrator privileges. In kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system.

Researchers have already found that this vulnerability is exploitable from the browser, which makes it extra worrying.

We can confirm that the recently patched iOS 15.0.2 vulnerability, CVE-2021-30883, is also accessible from the browser: perfect for 1-click & water-holing mobile attacks. This vulnerability is exploited in the wild. Update as soon as possible. https://t.co/dhogxTM6pT

— ZecOps (@ZecOps) October 12, 2021

Watering holes are used as a highly targeted attack strategy. The attacker infects a website where they knows the intended victim(s) visits regularly. Depending on the nature of the infection, the attacker can single out their intended target(s) or just infect anyone that visits the site unprotected.

IOMobileFrameBuffer

IOMobileFramebuffer is a kernel extension for managing the screen framebuffer. An earlier vulnerability in this extension, listed as CVE-2021-30807 was tied to the Pegasus spyware. This vulnerability also allowed an application to execute arbitrary code with kernel privileges. Coincidence? Or did someone take the entire IOMobileFramebuffer extension apart and save up the vulnerabilities for a rainy day?

Another iPhone exploit called FORCEDENTRY was found to be used against Bahraini activists to launch the Pegasus spyware. Researchers at Citizen Lab disclosed this vulnerability and code to Apple, and it was listed as CVE-2021-30860.

Undisclosed

As is usual for Apple, both the researcher that found the vulnerability and the circumstances under which the vulnerability used in the wild are kept secret. Apple didn’t respond to a query about whether the previously found bug was being exploited by NSO Group’s Pegasus surveillance software.

Zero-days for days

Over the last months Apple has had to close quite a few zero-days in iOS, iPadOS,and macOS. Seventeen if I have counted correctly.

  • CVE-2021-1782 – iOS-kernel: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-1870 – WebKit: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-1871 – WebKit: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-1879 – WebKit: Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-30657 – Gatekeeper: A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-30661 – WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-30663 – WebKit: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2021-30665 – WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-30666 – WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-30713 – TCC: A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-30761 – WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-30762 – WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-30807 – IOMobileFrameBuffer: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Tied to Pegasus (see above).
  • CVE-2021-30858 – WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-30860 – CoreGraphics: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. This is FORCEDENTRY (see above).
  • CVE-2021-30869 – XNU: A malicious application may be able to execute arbitrary code with kernel privileges. Reportedly being actively exploited by attackers in conjunction with a previously known WebKit vulnerability.

And last but not least, the latest addition—CVE-2021-30883—which means that of the 17 zero-days that were fixed over the course of a handful of months, at least 16 were found to be actively exploited.

Update

Apple advises users to update to iOS 15.0.2 and iPadOS 15.0.2 which can be done through the automatic update function or iTunes.

Stay safe, everyone!

The post Update now! Apple patches another privilege escalation bug in iOS and iPadOS appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds