Feed aggregator

Apple holds the keys to nearly all recent Mac software. This is a story of those keys, and how a Hewlett Packard (HP) error caused problems for a lot of people.

Code signing and certificates

First, it’s important to understand that when I say “keys,” what I really mean is “certificates.” These certificates are similar to the ones that are the basis for secure communication between a web server and your browser. With web traffic, these certificates are used to encrypt the data, but they support more than just encryption.

Certificates also allow for validation. For example, when you try to connect to your bank site, the site’s certificate will verify that the site really does belong to your bank. Not many people actually look at these certificates, of course, but doing so is a sure-fire way to avoid a phishing site.

How does this relate to Apple and HP, you ask? Good question. For quite a few years now, Apple has supported what is called “code signing” on macOS. Code signing involves using a certificate to cryptographically sign a piece of software. This allows the system, and the user, to verify which developer created the software, and check that it hasn’t been modified since it was created.

In recent years, Apple has done more than just support code signing… it’s come as close as is reasonably possible to requiring code signing. As a developer, if you don’t sign your Mac software, your users will have trouble running it, and you (or your support staff) will get countless help inquiries. Your software will also probably just get deleted by many people.

This obviously applies to apps you download from the Internet or the App Store, but it also applies to more prosaic software, such as print drivers. HP makes printers, and thus makes print drivers, and of course those drivers are signed, as they should be.

The certificates used to sign software on macOS (and iOS, for that matter) are provided and managed by Apple. The certificates used by HP are no exception.

So, what happened?

Last Thursday evening (October 22), we started seeing an influx of support requests from people complaining about some new malware that we weren’t detecting. At least, that’s what they were saying. As we dug into the issue, however, we saw that there was a pattern in the screenshots we were seeing.

The “malware” was being reported by the built-in anti-malware features in macOS, and there were a dozen or more different processes that macOS claimed “will damage your computer,” with a check box reading “Report malware to Apple to protect other users.” Sounds pretty scary, right?

However, we noticed that this “malware” was all (mostly*) related to HP printing drivers. The messages generally appeared when people were trying to print to their HP printers. Samples of the software that we obtained appeared to be legitimate, with no signs of malicious behavior.

Why did macOS think it was malicious?

Initially, there was a lot of finger pointing at a recent XProtect update. (XProtect is a basic form of anti-malware protection built into macOS, which aims to prevent malicious software from running.) The thought was that this was a false positive; in other words, XProtect was erroneously detecting legitimate files as malicious.

However, the timing of the last XProtect update didn’t line up with the very sudden and widespread emergence of the issue. With some digging, we found that the source of the issue was that the developer certificate used to sign these HP drivers had been revoked.

Revoking a certificate is usually done by Apple when a piece of malware is discovered to be signed using that certificate. It was initially assumed that Apple had erroneously revoked the certificate. However, it turned out, according to a statement from HP given to The Register, that HP itself had erroneously requested that the certificate be revoked.

We unintentionally revoked credentials on some older versions of Mac drivers. This caused a temporary disruption for those customers and we are working with Apple to restore the drivers. In the meantime, we recommend users experiencing this problem to uninstall the HP driver and use the native AirPrint driver to print to their printer.

Apple was able to reinstate the revoked certificate, which fixed the problem for some people, but not everyone. We’re still seeing new cases reported days later.

The impact of false positives

This isn’t the first time that certificates have been revoked in error. As an example, there was a case back in August where a developer named Charlie Monroe reported that his entire Apple developer account was deleted, and his code signing certificate was revoked. All his apps suffered the same issue as HP’s print drivers.

With any security software, false positives are always a potential problem. Mistakes happen, and Apple isn’t always to blame in cases like this. However, when there’s a certificate issue with a piece of Mac software, it affects everyone, everywhere, who is using that software.

The fallout of these events can hit the developers hard. I don’t know how Charlie Monroe is doing, but I suspect that a significant number of people who were using his software probably deleted it, and may never trust his software again.

At companies like Malwarebytes, these events have the potential to result in hundreds or thousands of support tickets from customers asking why we didn’t detect this “malware,” or even why we’re blocking something legitimate (on the mistaken belief that this message is being shown by Malwarebytes). Some folks may never have contacted our support teams, and simply uninstalled our software, thinking they’d gotten infected while under our protection.

Perfect conditions for scams

One of the most unfortunate aspects of events like these is that they provide incredibly fertile ground for scams. There has been an explosion in scam videos and web pages claiming to help you “remove” this “malware.” These scams work by taking advantage of common things people are searching for that they think are malware.

For example, if you search for “will damage your computer” on Google right now, you will get a number of results offering to help you “remove will damage your computer” (yes, in exactly that nonsensical language). Within hours on Friday, some of these sites – and fake YouTube videos referring to those sites – were already taking advantage of this chaos.

The goal of these sites is to trick you into thinking you’re infected, so that you will download the software they recommend to remove the “virus.” In reality, there often is no actual malware, and the site gets paid an affiliate fee for every referral to the software in question. Often, the software being recommended itself is a scam.

It’s very important to be skeptical in your use of Google (and other search engines). Don’t automatically believe that something is malware just because you Googled it and found sites calling it malware.

How to fix the Mac/HP printer issue

If you are among those who are still having the problem, here are some possible fixes that have worked for our customers:

1) Restart your computer, ensuring it’s on the network when it restarts

2) Check for HP software updates via the Software Update pane in System Preferences

3) Remove the HP printer from System Preferences -> Printers & Scanners, then try adding it again.

4) Check for newer HP software for your printer on the HP support site:

https://support.hp.com

5) If all else fails, contact HP via its support site for assistance.

*Addendum

Earlier, we said that the issue was mostly related to HP printer drivers. There was another issue with a couple Amazon apps – Amazon Music and Amazon Workspaces – where users were seeing the same behavior. This led to a lot of speculation and finger pointing at Apple (in which yours truly regretfully participated), but this appears to have been an unrelated and coincidentally timed issue. Apple was not to blame, as was initially thought, and actually acted quite quickly to help HP rectify the error.

The post HP printer issue on Mac: What happened? appeared first on Malwarebytes Labs.

Emotet, one of cybersecurity’s most-feared malware threats, got a superficial facelift this week, hiding itself within a fake Microsoft Office request that asks users to update Microsoft Word so that they can take advantage of new features.

This revamped presentation could point to internal efforts by threat actors to increase Emotet’s hit rate—a possibility supported by Malwarebytes telemetry measured in the last few months.

Emotet spikes amid downward trend

Since August 1, Malwarebytes has detected repeated weekly spikes in Emotet detections, with an August peak of roughly 1,800 detections in just one day. Those frequent spikes betray the malware’s broader activity though—a slow and steady trend downwards, from an average of about 800 detections in early August to an average of about 600 detections by mid-October.

Recent detection activity for Emotet from early August to mid-October

Caught by Malwarebytes on October 19, Emotet’s new delivery method attempts to trick victims into thinking that they’ve received an update to Microsoft Word. The new template, shown below, includes the following text:

“Upgrade your edition of Microsoft Word

Upgrading your edition will add new features to Microsoft Word.

Please, click Enable Editing and then click Enable Content.”

If users follow these dangerous instructions, they will actually enable the malicious macros that are embedded into the “update request” itself, which will then be used as the primary vector to infect the machine with Emotet.

Emotet’s latest delivery mechanism is a fraudulent Microsoft Word update request

Malwarebytes protects users from Emotet and its latest trick, as shown below.

Malwarebytes recognizes and protects users from Emotet

For those without cybersecurity protection, this new delivery method may appear frightening, and in a way, yes, it is. But when compared to Emotet’s stealthy developments in recent years, this latest switch-up is rather ordinary.

In 2018, the cybersecurity industry spotted Emotet being spread through enormous volumes of email spam, in which potential victims received malicious email attachments supposedly containing information about “outstanding payments” and other invoices. In 2019, we spotted a botnet coming back to life to push out Emotet, this time utilizing refined spearphishing techniques. Just weeks later, we found that threat actors were luring victims through the release of former NSA defense contractor Edward Snowden’s book. And this year, Bleeping Computer reported that threat actors had managed to train the Emotet botnet to steal legitimate email attachments and to then include those attachments amongst other, malicious attachments as a way to legitimize them.

Threat actors have gone to such great lengths to deliver Emotet because of its destructive capabilities. Though the malware began as a simple banking Trojan to steal sensitive and private information, today it is often used in tandem to deliver other banking Trojans, like TrickBot, that can steal financial information and banking logins. This attack chain doesn’t stop here, though, as threat actors also use Emotet and Trickbot to deliver the ransomware Ryuk.

Compounding the danger to an organization is Emotet’s ability to spread itself through a network. Once this malware has taken root inside a network, it has derailed countless consumers, businesses, and even entire cities. In fact, according to the US Cybersecurity and Infrastructure Security Agency, governments have paid up to $1 million to remediate an Emotet attack.

How to protect your business from Emotet

Our advice to protect against Emotet remains the same. Users should look out for phishing emails, spam emails, and anything that includes attachments—even emails that appear to come from known contacts or colleagues.

For users who do make that risky click, the best defense is a cybersecurity solution that you’ve already got running. Remember, the best defense to an Emotet infection is to make sure it never happens in the first place. That requires constant protection, not just after-the-fact response.

The post New Emotet delivery method spotted during downward detection trend appeared first on Malwarebytes Labs.

This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

Figure 1: The phishing document targeting UBC staff

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

Figure 2: Template injection and a view of the macro

When the macro is executed, it does the following:

• Gets the %APPDATA% directory
• Creates the Byxor directory in %APPDATA%
• Downloads a file from the following url and writes it as Polisen.exe
• notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
• Downloads a file from the following url and writes it as Killar.exe
• notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
• Calls shell function to execute killar.exe
• Checks the output of shell function and whether it was successful (return value would be task Id of executed application)
  • If successful, it sends a GET http request to:
    canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
  • If it isn’t successful, it sends a GET http request to:
    canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

Figure 3: Code repository containing ransomware payloads

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.

This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

Figure 4: Ransom note

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir main_ELDBJORT -> main_encryptFile main_SPRINGA -> main_encryptAndRename main_FOLOJVAG -> main_runCommands main_DUVETVAD -> main_dropFile main_HIDDENBERRIES -> main_xteaDecryptAndWriteToFile

A full list of the functions, along with their RVAs can be found here.

Figure 5: File enumeration

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk.

Figure 6: Callback function to encrypt and rename

Files are encrypted with AES-256 (32 byte long key) in GCM mode.

Figure 7: AES-256 cipher

The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

Figure 8: Encryption routine

The content of the output file (with .VAGGEN extension) contains:

• the 12 bytes long nonce
• the encrypted content
• the 16 byte long GCM Tag

Figure 9: Highlighted part contains encrypted content

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

Figure 10: Encryption key found inside the code

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Figure 11: Bitcoin address showing no payment Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

Figure 12: Phishing document blocked by Malwarebytes Endpoint Protection IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm:
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a

The post Fake COVID-19 survey hides ransomware in Canadian university attack appeared first on Malwarebytes Labs.

It can be a very convincing trick…

“You can check the number in your display online sir. You’ll see I’m really calling from your bank.”

That is, of course, if you are unaware that phone numbers can be spoofed. Then again, they wouldn’t be successful scammers if they weren’t convincing. If you suggest calling them back, they’ll tell you it’s impossible to call their extension directly and you would have to go through the operator in the head office. Which could take a while and because of the urgency that is not really an option now, is it?

What is spoofing?

The definition of spoofing is: to display characteristics that do not belong to you, in order to assume a false identity. We’ve talked about email spoofing in the past, but in this case we’re talking about caller ID spoofing. Caller ID spoofing is when someone calling your phone deliberately falsifies the information transmitted to your caller ID display to disguise their identity.

Normally your display indicates the phone number and name associated with the line used to call you. But there are services that allow you to display any spoofed caller ID. Some Voice over IP (VoIP) providers simply allow the user to configure their displayed number as part of the configuration page on the provider’s web interface.

How does this scam pan out?

The scammer calls the victim while spoofing a phone number that belongs to the bank. And the scammer comes prepared with enough knowledge about the victim’s bank account to take away the last shreds of doubt. They tell the victim that they have noticed unusual activity on the victim’s bank account and urgently advise them to put their money in a different account.

If the victim indicates that they only have the one account, the scammer offers them a so-called “vault account” of the bank. The scammer explains that such an account is a safe place for their funds. Their money may be unavailable in such an account for a few days, but that is better than getting robbed blind isn’t it? If the victim starts asking a lot of questions, the scammer will say that there is no time to waste because of the danger of losing everything to an unknown entity. Of course, the “vault account” belongs to the scammer and the whole theatrics are designed to get the victim to transfer their belongings into that account.

Extra information from phishing

What makes this extra successful is that the scammers really come to the call prepared. They can tell you how much you have in your account and who received your latest payments. There are a few theories about how the scammers can obtain that information. Some even go as far to claim that they must have someone on the inside. This would explain a lot, but some victims admitted having received a phishing mail not too far before the call.

If the victims have clicked the link in that mail and have logged in to the phisher’s fake bank website, this not only explains how the scammers obtained the information, it also adds credibility to the story of the scammer on the phone. After all, the phishing attempt could have resulted in unauthorized access. What gives the “insider” scenario some extra credibility is the fact that some victims had recently raised their transaction limits because they needed to make some large payments.

Phishing sites mirror the bank site, and the phisher can follow the input of the victim into the real bank site. This allows them to have a look at the account details after getting logged in and equips them with the information they can use during the phone call.

Banking security measures

If the information the scammer has about the victim’s account stems from a phishing attempt and the bank uses a 2FA login method, then the login information will grow stale rather quickly. A successful phish allows the scammer to log in, but usually only once. They can look around and gather intel to prepare their call. Any subsequent action like making a payment or changing the 2FA settings would have to be authorized separately, and such a request would likely make the victim suspicious.

What investigators from a Dutch consumer television show found out is that some banks are more likely than others to be targeted. The investigators suspect that customers of banks that use a card reader to scan QR codes to authorize logins and payments are less vulnerable than those that send text messages. This could be because it is more difficult to mimic the QR codes on the bank phishing site than it is to create an input field for the verification code.

Another fail-safe that the scammer will try to circumvent, if necessary, are the transaction limits that are in place by default for some banks. These are often limited to rather small amounts and customers will have to raise the limit if they want to make larger payments. When the bank asks you to raise this limit instead of the other way around that should be a red flag. Remember that they can do it for you in case of a real emergency.

The aftermath of a spoofing attack

The scammers will try and make sure that the victim will not immediately realize that they have been had, so the scammers can make the money disappear from the target account in order to stop the payments being reversed.

With some banks you will have insurance against banking fraud, but other banks will say the victim transferred the funds themselves and will accept no responsibility for the loss. In most countries you are protected by law against fraudulent payments under certain conditions. One of these conditions can generally be described as “the customer should not be careless”, and a customer could be seen as careless if they gave away their login credentials. Whether entering those credentials on a bank phishing site that looks exactly like the one that belongs to the bank is a careless act is up for debate it seems.

So, in a worst case scenario you would not only feel embarrassed because you fell for the scam, you could also be labelled careless and lose the money in your account.

The future of caller ID spoofing

Caller ID spoofing has been causing problems since 2004 when a service was opened to allow spoofed calls to be placed from a web interface. In 2018, we mentioned one method of caller ID spoofing called “neighbor spoofing”. Neighbor spoofing was a popular method among cold callers using the same area code and telephone prefix of the person being called. Caller ID spoofing is generally legal in the United States unless done “with the intent to defraud, cause harm, or wrongfully obtain anything of value”. In 2019 the TRACED Act, the first federal law designed to curb unwanted robocalls was signed.

SEC. 7. PROTECTIONS FROM SPOOFED CALLS.

IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, and consistent with the call authentication frameworks under section 4, the Com15 mission shall initiate a rulemaking to help protect a subscriber from receiving unwanted calls or text messages from a caller using an unauthenticated number.

Stirred, not shaken

One helpful tool in setting up such protection is the STIR/SHAKEN framework which is a caller ID authentication and verification measure. STIR and SHAKEN are acronyms for the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards. STIR/SHAKEN digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is in fact from the number displayed on Caller ID. The Federal Communications Commission (FCC) is leading the push for industry adoption of these standards to help consumers as quickly as possible.

If and when other countries decide to do more than just make caller ID spoofing illegal, preferably by implementing and adhering to the STIR/SHAKEN framework, this will make consumers around the world just that bit safer and make the scam we discussed a lot harder to pull off.

In the meanwhile, stay safe everyone!

The post Scammers are spoofing bank phone numbers to rob victims appeared first on Malwarebytes Labs.

 Deep in the post apocalyptic wastelands are wonders that defy rational explanation that heroes and adventurers run across. Some of these can alter lives, heal the sick or perform miracles that call down 'divine explanations'; some of these objects, locations, items, and more demand worship of those who live nearby. Here are a few of those weird and strange pieces of the landscape that demand theNeedleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

A ransomware gang has made headlines for donating a big chunk of stolen funds to two charities. Two separate donations given to Children International and The Water Project rang tills to the tune of $10,000 each. Their reason was that they’re targeting “only large profitable corporations, we think it’s fair that some of the money they’ve paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.”

This has raised several questions outside the usual “Is it morally right to pay a ransom” debate. It’s a whole new world of “Is it morally acceptable for ransomware authors to donate ill-gotten gains to charities, Robin Hood style?”

“Steals from the rich, gives to the poor?”

In theory it sounds sort of nice. As the malware slingers suggest, some good is coming from it somewhere along the line.

However, the reality outside the theory is rather different. Replace “stolen funds donated from ransomware authors” with “stolen funds donated from criminal gangs”. It suddenly sounds a lot less abstract and cyberpunk and a lot more like somebody is going to jail.

This isn’t “just” a risk to charities, either – any organisation could get into trouble from similar dealings. If malware authors are splashing the cash, it’s a danger to everyone. People and organisations drop links to their Venmo accounts, or their tip jars, all the time. With so many ways to donate, it’s never been more difficult to ensure your funding is legit. Phone, text, online, money in an envelope. Perhaps from your own country, or international donations, a speedy online processor, or even Bitcoin. The possibilities are endless.

When the Robin Hood mindset spreads…

Are the ransomware authors genuine in their desire to help people less fortunate than themselves? Or is it a bad cover story to justify breaking into servers and make off with some cash? It doesn’t help the recipients at all. We’re talking serious ramifications for the charity trustees with potential criminal charges waiting in the wings. The charity itself could suddenly discover it sits on very perilous ground indeed.

There are few things more damaging to a business than losing trust from the general public. That’s especially the case where your business model is asking them for money.

If stolen cash donations to assuage guilt takes hold, we could find ransomware authors passing cash outside the charity realm. Is your business an SME with no chance of going head to head with the big players? No worries, your friendly neighbourhood ransomware author is here to help. Perhaps they start playing favourites. Suddenly, the boss of that struggling firm is now asking the ransomware authors for a cut.

In a few short steps, we’re moving from “Giving some money to charities is okay even if it’s stolen because they need it” to “Oh no, Uncle Paul’s set up a money laundering syndicate and he’s supposed to be selling fax machines”.

Many pieces of advice for UK charities are good suggestions for businesses generally. To steer clear of dubious payments, you could stand to pick up a few tips from their selection of guidance. By showing how regulated funds are in the charity industry, you’ll see how serious it is everywhere else as well.

Charitable basics

In the UK, the Charity Commision is a non-ministerial Government department. Those departments typically make things work by regulation, theoretically free of politicisation. Government with a small “g”, perhaps.

They regulate charities in England and Wales, advise on scams, provide a list of registered charities, and much more. They also provide a significant volume of advice on ensuring charity activities are above board. There’s lots of ways your charity (and, by extension, unrelated business) can get into trouble where bogus donations are concerned.

Remember what I said about ransomware Robin Hood donations spreading from charities to lots of other donation/tipping mechanisms? It’s time to take a trip to the cleaners, because money laundering is the big threat here. It means little whether it’s done via traditional means or malware shenanigans.

Laundering for fun and profit

“Laundering” cash means taking unclean, dirty money and rinsing the badness out. If I turn up at the bank with a mysterious haul of one million dollars, it’s going to look odd. If I scatter it across multiple banks, it looks much better. Coming up with ways to ensure the banks can’t spot all the bills came from heist X or Y, evading whatever technology/system is in place, is where we’re cooking with gas.

There are all sorts of laundering techniques, and all businesses need to be careful. Charities are particularly at risk, because they’re essentially a large bowl with a “please deposit money” sign above it. If you’re an individual with a Gofundme, do you know where all your donations are coming from? That everyone donating is legit? Of course you don’t. Now consider that you’re a large, international organisation with many ways to donate. Consider your daily transaction volumes. Your own business almost certainly has the same problems facing it, even if you haven’t considered until now in terms quite so stark. Scary, right?

Ransomware authors are potentially doing the charities a favour by being vocal. Otherwise, they’d have ten grand rattling around in their coffers sourced from an unwilling company struck by a criminal attack.

“That’s not laundering though, is it?”

Not yet, but giving the money to a charity could be the first step. Money doesn’t have to go to banks. It can be dropped into shell organisations, thrown into the gambling area, placed into businesses known as “fronts”. You could also give it to a legitimate charity, who receives large donations regularly, and then try to reclaim the cash. Perhaps the fraudsters begin a phishing campaign for financial details and the cycle begins again.

Maybe they have someone working on the inside at their chosen charity, or (worse) perhaps the charity itself is bogus. They could even claim they’d donated too much money, or the entire donation was an accident and would like their money back.

However you stack it up, this should be a major concern for any organisation. Normalising the movement of stolen money can only end poorly.

Freedom fighter or terrorist?

Even without the laundering aspect, simply receiving money from a malware group with ties to terrorism will likely end up being disastrous. To stress how serious this is [PDF], involvement in laundering in the UK is an offence prohibited under various Acts of Parliament and terrorism is also a massive no-no [PDF, Page 15]:

• Proceeds of Crime Act 2002
• Terrorism act 2000
• Anti-Terrorist crime and security act 2001
• Counter-Terrorism Act 2008

You don’t need to be a charity to want to avoid getting caught up in one of those potential headaches.

Strategies for dealing with fraud and financial crime

The previously mentioned Charity Commision documents for dealing with monetary fraud [PDF] are, as has been mentioned, very good [PDF] and almost certainly usable at your current organisation. In no particular order, here are some of the best. Regular readers will note many of these are staple pieces of advice on the Labs Blog, and there are many more on the linked documents. Not all of them will be applicable to your business, but they’re good things to keep in mind.

1. Design appropriate internal financial controls, ensuring funds are properly accounted for, based on risks related to type, size, and activities.
2. Perform regular audits of security protocols, make multiple people responsible for various stages of fund transfers/authorisation, and deploy 2FA for online components.
3. Keep financial records for receipt/use of funds, check and verify both domestic and international transactions.
4. Never pre-sign blank cheques, it’s a clear in-road to fraud.
5. Consider what level of due diligence, monitoring, and verification of use of funds if required to meet your legal duties regarding safe flow of funds.

There’s also guidance on moving/receiving funds internationally [PDF] with useful information on types of banking, transfer, how to report incidents, and a checklist of potential concerns [PDF] when receiving money from overseas. Given the likelihood of ransomware authors donating from a country outside of your own, these are useful things to be aware of. Many online payment processors will flag potential fraud without you having to do anything, and it’s worth digging into the nitty-gritty before signing up to a merchant system.

A deal you’ll want no part of

As you may have gathered, one of the biggest issues here is that of the insider threat. Whether you’re a charity or a seller of hardware and software, the danger inside your walls can be fatal. Security is a multi-layered entity. Checks and balances required at digital, financial, and real-world levels keep things running smoothly. That’s why we have to do things like lock down printers, or restrict access to papers used for money transfers, or secure fax machines behind ID accessed security doors.

There’s always another problem to consider and then address, and securing your real world assets is just as crucial as your online security. When ransomware authors shift parts of their model from online to off, so too do we need to think about more ways to keep ourselves out of harm’s way.

In my opinion, there’s nothing helpful about handing stolen money to charities or anyone else. The moral arguments which exist are eclipsed by the legal ramifications. Malware authors are better served “helping” organisations by keeping their profits far, far away from legitimate businesses.

The post Keeping ransomware cash away from your business appeared first on Malwarebytes Labs.

 I sat down with an old VHS horror classic with Jeffery Combs ! Not the Reanimator series but the seldom mentioned but often rented Necronomicon. Its one of those films that came out in the Nineties.  H.P. Lovecraft's: Necronomicon, always seems to have been out at the back alley hole in the wall video rental place I worked in. Its a weird beastie of an anthology film with an 'R' rating meaning Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

 'The process of delving into the black abyss is to me the keenest form of fascination.'H. P. LovecraftThere are ruins that travel between dimensions and planes, sliding between in  places, time, &  space. Those who encounter such places are sure they are haunted and the lives of many adventurers have been changed over a visit to one of these places.                                               Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

 So on Sunday it was get together with friends over beer & discussing our  varsious campaigns over one of my player's houses. Things have been pretty chaotic in Connecticut with the Pandemic & the rise in cases. But not so much that we didn't get together but half our players were missing so it was a beer night. And things turned as they do to past games & one of which was TPK romp through Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

***ANNOUNCEMENT***
Parents! Please have a conversation with your students on the importance of following provincial guidelines at youth group! We’re doing our best to encourage our group to obide by the rules, but we still need your help! Let’s tag-team to make our events as safe as they can be!

This week!

Halloween Crowd Charades
October 30th – Friday 7:11 – 10 pm**
With a fresh batch of candy prizes we are ready to play Crowd Charades – where the crowd tells you the word on the screen! We will be finishing our Squad Up series.
**YOU CAN ZOOM INTO THIS MEETING! CLICK HERE!**

PLEASE SIGN UP IF YOU PLAN TO COME IN PERSON BY…
CLICKING HERE!

The week after that…

Mars Dash Tournament!
From 7:30pm – 10:00pm
November 6th Friday
We’ve found a way to get this fun game on the Big Screen! We’ll play to see who is the best! Bring your smart phones! Download the app Bunch!
**YOU CAN ZOOM INTO THIS MEETING! CLICK HERE!**

PLEASE SIGN UP IF YOU PLAN TO COME IN PERSON BY…
CLICKING HERE!

Questions? Email Mathew back!

MONTHLY CALENDAR

 
Click here for the church calendar

The post High School Ministry – Oct 30th – Halloween Crowd Charades! appeared first on Church of The Rock.

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Jamie Court, president of the non-profit advocacy group Consumer Watchdog, about the consumer value in Cybersecurity Awareness Month.

Launched initially as a joint effort between government and industry, this once-a-year awareness campaign is meant to give the American public simple tips to stay cybersecure, almost like a modern version of telling folks to replace the batteries in their smoke alarms.

Over time, participation in Cybersecurity Awareness Month has grown. Every October, employers now roll out renewed cybersecurity trainings for employees. Maybe, this month, your employer has deployed a phishing email test. Maybe they’ve developed a training session on two factor authentication. Or maybe you’ve gone through exercises about creating strong passwords.

But what about all the consumers out there who don’t work for an employer that takes Cybersecurity Awareness Month seriously? Where is the value in this month for them?

Tune in to hear about the consumer value of Cybersecurity Awareness Month, including who is going to bat for the consumer, what kind of information gets released every year, and what consumers should know about, specifically, smart cars on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

• Brute force attacks, the many ways of doing it, and how users can protect themselves from it.
• Tech support scammers (TSS) were found exploiting cross-site scripting (XSS) vulnerabilities to make their targets believe they’re legitimate until a browser locker is triggered.
• MSPs and the importance of cybersecurity integration.

Other cybersecurity news:

• US intelligence officials have pinned Iran as the culprit behind threatening emails sent to voters. (Source: AP News)
• Pharmaceutical giant Pfizer has suffered a huge data breach after exposing client data in unprotected Google Cloud bucket. (Source: Threatpost)
• CrowdStrike claims that China is behind attacks against COVID-19 vaccine laboratories in Japan. (Source: Emergency Live)
• Security researchers from Sensity found a “deepfake ecosystem” within the Telegram messaging app network where bots generate fake nudes upon request. (Source: The Verge)
• The NSA has publicized a list of 25 vulnerabilities that hackers in China are looking to exploit. (Source: ZDNet)

Stay safe, everyone!

The post Lock and Code S1Ep18: Finding consumer value in Cybersecurity Awareness Month with Jamie Court appeared first on Malwarebytes Labs.

***ANNOUNCEMENT***
Parents! Please have a conversation with your students on the importance of following provincial guidelines at youth group! We’re doing our best to encourage our group to obide by the rules, but we still need your help! Let’s tag-team to make our events as safe as they can be!

This week!

Halloween Crowd Charades
October 21st – Wednesday 7-9 pm**
With a fresh batch of candy prizes we are ready to play Crowd Charades – where the crowd tells you the word on the screen! We will be finishing our Squad Up Series!
To join our Zoom service CLICK HERE.
PLEASE SIGN UP IF YOU PLAN TO COME IN PERSON BY…
CLICKING HERE!

Next week!

Catch Phrase!
November 4th – Wednesday 7-9 pm**
This is one of our favourite games to play and this time it will be no exception. Get your friend to say the word on the screen before the buzzer goes off! We will be starting our Greater Passion Series!
To join our Zoom service CLICK HERE.
PLEASE SIGN UP IF YOU PLAN TO COME IN PERSON BY…
CLICKING HERE!

 MONTHLY CALENDAR

  Click here for this month’s calendar

The post Threshold Jr – Oct 28th – Halloween Crowd Charades! appeared first on Church of The Rock.

Our Lord’s walking on water in the middle of a storm was one of the miracles he performed while he lived among us in human form. The miracle spoke to his disciples of his power, and it says the same to us today when we are beset and besieged by life’s storms.

Before this event, Jesus had taken his disciples to a solitary place to rest from a time of strenuous ministry. But the eager multitudes followed them.

As the day drew toward evening, Jesus miraculously fed five thousand men by multiplying five loaves and two fish to provide more than enough to satisfy the hunger of the throng (Mark 6:35-44).

He then immediately directed his disciples to board their boat and leave for the other side of the lake. At the same time, he left them and went up on a mountainside to pray.

As darkness settled, the disciples were already three or more miles from shore (John 6:19). A fierce wind suddenly buffeted them, forcing them to pull at full strength on the oars. They were in disaster mode, and they understood the risk of death on this lake whenever the winds whipped it with a sudden fury.

Mark tells us that, from his place of prayer, Jesus saw the disciples straining at their oars. It appears that he let them struggle for a time, because not until about three in the morning did he go out to them walking on the water.

When they saw him walking through the thrashing waves and spray he appeared to them to be a ghost. They cried out in fear.

Jesus called out to calm their fears. “Take courage,” he said. “It is I. Do not be afraid” (Mark 6: 50b). Then he climbed into the boat and the wind died down.

There are things about this story that could be baffling. We gain some insight by comparing the report of this same miracle in three of the four Gospel accounts.

For example, Mark tells us that while they were on land together after the feeding of the five thousand, immediately Jesus made his disciples get into the boat (Mark 6:45). This was not a suggestion, but a command. We wonder, therefore, if Jesus intended them to experience this dangerous windstorm.

The Apostle John may provide the answer. He notes that the miraculous feeding had prompted the crowds to say: “Surely this is the Prophet who is to come into the world” (John 6:14). And subsequently, he tells us: “Jesus, knowing that [the throng] intended to come and make him king by force, withdrew again to a mountain by himself” (6:15).

It was apparently a dangerous moment for the disciples. They had on occasion revealed their carnal desire to be officials in an earthly kingdom. If the idea the people were pondering should succeed — to make Jesus their king — this might bring about the destruction of Israel by Roman rulers. And it didn’t fit with Jesus’ plan to lay down his life for humankind. Could it be that their peril in a storm was safer than their safety on dry land?

One wonders if there are times when, in his sovereign wisdom, God sees we would be safer facing a tempest than being in an unthreatening, comfortable place where strong temptations might overcome us.

When it comes to our Lord’s watching over us there may be a lesson in all this for every committed believer. Caught on the stormy seas of life, we are under his watchful care even when we are not aware of it.

We might say, “Our Lord always has the ability to see us, whatever the circumstance. Neither darkness, nor storm, nor passing of time, nor even the passing of two thousand years, have done anything to reduce his power.”

Jesus has told us as much in his own words: “Surely,” he says to his followers down through the ages, “I am with you always, even to the very end of the age” (Matthew 28:20b).

What greater assurance do we need than that?

Photo credit: Ben Salter (via flickr.com)

Episode 2 (part 2): "THE CLARITY OF CRYSTAL"Player Characters: The Crew of the USS Endeavour, NCC-1895, Constitution Class Starship (refit):
Andrea as Lt. Ona Greer, Chief Engineer Officer and Lt. Taryn Loy, Geologist
Bob as Capt. Robert Locke
Gina as Cmdr. Isabella Hale, Helm Chief
Eric As Lt.Cmdr. Tavek, Science Officer
Tug as Dr. Azala Vex, Trill Chief Medical Officer
Synposis: The mystery of the Erebus III research station and its alien crystals becomes clear after Tavek attempts a dangerous mind meld with a mentally unbalanced Vulcan.
Commentary: This is the continuation of the STA adaptation of an adventure I wrote for a Star Trek Starships & Spacemen game back in 2013. 
It ended with a firefight at in the Crystal Colonnade, one the PCs were at a disadvantage at due to a lack of weapons and the absence of their security chief.
We (both the players and myself) probably still are taking advantage of the STA combat options. There is probably a bit too much "stand and deliver" D&D style play, which leads to essentially a battle of attrition.

Google has recently released Chrome version 86.0.4240.111 to patch several holes. One is for a zero-day flaw – that means a vulnerability that is being actively exploited in the wild.

The flaw, which is officially designated as CVE-2020-15999, occurs in the way FreeType handles PNG images embedded in fonts using the Load_SBit_Png function. FreeType is a popular text rendering library that Chrome uses. According to the bug report filed by Sergei Glazunov, a security researcher from Google’s very own Project Zero team, the function has the following tasks:

1) Obtains the image width and height from the header as 32-bit integers.
2) Truncates the obtained values to 16 bit and stores them in a ‘TT_SBit_Metrics’ structure.
3) Uses the truncated values to calculate the bitmap size.
4) Allocates the backing store of that size. 5) Passes ‘png_struct’ and the backing store to a libpng function.

Glazunov further explains that since the libpng function uses 32-bit values instead of the truncated 16-bit values, a heap buffer overflow in FreeType could occur if the PNG’s width and/or height exceeds 65535, the highest possible allocated buffer or memory for this type of data. This would result in certain pieces of data being overwritten or corrupted and, overall, the program behaving differently. So, anyone who successfully exploits this bug could either allow remote execution of malicious code in the context of the browser or a complete compromise of the affected system.

Google didn’t further elaborate on how CVE-2020-15999 is being exploited to target its users, or who is possibly behind the exploitation.

Update your Chrome now

Chrome users are advised to update to the current browser version, 86.0.4240.111, to protect themselves from getting exploited. Development teams who use the same FreeType libraries should update to FreeType 2.10.4.

The post Google patches actively exploited zero-day bug that affects Chrome users appeared first on Malwarebytes Labs.

Join us as we worship together!

Elevate Worship Night
Sunday, October 625
Youth Room
7:00 PM

There’s nothing better than being able to join together as a community to worship our Lord. This is our first Elevate of the new season and our worship band and tech team have been working hard to prepare. We also have one of our very own young adult leaders share a message on community and how being a part of a community has been impacted by COVID – yet it’s so important!

We can’t wait to see you tonight!

The post Elevate Worship Night appeared first on Church of The Rock.

 Drawing by Rodolfo Nogueira. - http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0097138The swamps and waterways along the coast of  the former country of Lemuria hide some of the most dangerous of monsters. Lemuria is a now cracked,broken seething serpent men haunted shell of itself. Dark occult forces haunt the waterways and moss haunted forests. But adventurers and outlaws ofNeedleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

Hi Parents,

You can use the below activities to engage in fun and conversation with your kids over the week.

Preschool
Elementary
Salvation Guide
Kidz Rock Spotify

Check out our ongoing resources for each age group:

• Preschool
• Elementary 
• Collide 
• Parents

The post Parent Cue Cards – October 25th appeared first on Church of The Rock.

ACTIVITIES FOR THIS LESSON

Worship Video

 

Check out our ongoing resources for each age group:

• Preschool
• Elementary 
• Collide 
• Parents

And don’t forget to follow Kidz Rock on Facebook and Instagram!

   

The post Elementary – October 25th appeared first on Church of The Rock.

ACTIVITY PAGES TO DOWNLOAD
SPOTIFY PLAYLIST

Worship Video

 

Check out our ongoing resources for each age group:

• Preschool
• Elementary 
• Collide 
• Parents

And don’t forget to follow Kidz Rock on Facebook and Instagram!

   

The post Preschool – October 25th appeared first on Church of The Rock.