Techie Feeds

[updated] You can update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one

Malwarebytes - Wed, 01/12/2022 - 17:02

How time flies sometimes. Microsoft yesterday released the first patch Tuesday security updates of the year 2022. The update includes fixes for six zero-day vulnerabilities and a total of 97 bugs. This includes two Remote Code Execution (RCE) vulnerabilities affecting open source libraries. None of the zero-day flaws are known to have been exploited in the wild, but one of the other vulnerabilities is feared to be a wormable one.

A severe word of warning for those running a network with a domain controller: the side effects this month are extreme, and the advice is to hold off on the patch. Microsoft has a technology called Active Directory that allows workstations to authenticate with a “domain controller.” This month’s updates are causing such drastic issues with domain controllers that they can become stuck in a boot loop.

Patches that can cause problems include the following:

It’s unclear if Server 2022 is similarly impacted.

Along with the update comes an announcement of a new security update guide notification system.

Let’s start by taking a closer look at the zero-days. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The first two listed below were previously fixed by a third party and are now being incorporated into Microsoft products.

Open Source Curl RCE vulnerability

CVE-2021-22947 concerns a vulnerability in the curl open source library, which is used by Windows. The January 2022 Windows Security Updates include the most recent version of this library, which addresses this vulnerability and others. The listed one can lead to a STARTTLS protocol injection via a Man-In-The-Middle attack.

The software, when processing trusted data, accepts any untrusted data that is included alongside it, treating the untrusted data as if it were trusted. More specifically, when curl connects to an IMAP, POP3, SMTP or FTP server and uses STARTTLS to upgrade the connection to TLS, the server can still respond and send back multiple responses before the TLS upgrade. Such pipelined responses are cached by curl. curl would then upgrade to TLS but not flush its queue of cached responses, and would instead use and trust the responses it received before the TLS handshake as if they were authenticated.
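To make the flaw concrete, here is an added toy example (not curl’s code) of an IMAP-style STARTTLS client that caches pipelined lines. With `flush_on_upgrade=False` it behaves like the pre-fix curl described above and hands the caller a forged, plaintext-era `A002 OK` line after the TLS handshake; with `flush_on_upgrade=True` it discards everything read before the handshake and sees the genuine reply over TLS. The wire transcript, tags and class names are all constructed for the illustration.

```python
from collections import deque
from dataclasses import dataclass

# Constructed wire transcript: what the toy client reads from the socket,
# chunk by chunk.  Chunk 0 arrives in plaintext and holds the reply to
# STARTTLS plus extra lines a man-in-the-middle pipelined behind it before
# the handshake.  Chunk 1 arrives over TLS and is the real server's reply.
PLAINTEXT_CHUNK = (
    b"A001 OK Begin TLS negotiation now\r\n"
    b"* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"   # injected, unauthenticated
    b"A002 OK LOGIN completed\r\n"              # injected, forges a later reply
)
TLS_CHUNK = b"A002 NO LOGIN failed\r\n"         # genuine reply, sent over TLS


@dataclass
class Line:
    text: str
    over_tls: bool   # True if the bytes arrived after the TLS handshake


class ToyStartTlsClient:
    """Minimal STARTTLS client that caches pipelined responses.

    flush_on_upgrade=False reproduces the pre-fix behaviour described in the
    article; flush_on_upgrade=True models the fix (drop the plaintext queue).
    """

    def __init__(self, chunks, flush_on_upgrade):
        self._chunks = deque(chunks)   # stand-in for socket reads
        self._cache = deque()          # parsed but not yet consumed lines
        self._tls = False
        self._flush = flush_on_upgrade

    def _fill_cache(self):
        # Read one socket chunk, split it into lines and tag each line with
        # the connection's security state at the moment it arrived.
        if not self._chunks:
            raise ConnectionError("connection closed")
        chunk = self._chunks.popleft()
        for raw in chunk.split(b"\r\n"):
            if raw:
                self._cache.append(Line(raw.decode(), self._tls))

    def response_for(self, tag):
        # Pop cached lines until the tagged reply for `tag` turns up.
        # Untagged '*' lines are skipped here (a real client records them).
        while True:
            if not self._cache:
                self._fill_cache()
            line = self._cache.popleft()
            if line.text.startswith(tag + " "):
                return line

    def starttls(self):
        reply = self.response_for("A001")
        if not reply.text.startswith("A001 OK"):
            raise RuntimeError("server refused STARTTLS")
        # The TLS handshake would happen here; from now on reads are protected.
        self._tls = True
        if self._flush:
            # The fix: anything read before the handshake is unauthenticated
            # and must not be consumed as if it came over TLS.
            self._cache.clear()

    def login(self):
        # LOGIN is sent over TLS, so its reply must also come over TLS.
        return self.response_for("A002")


def run(flush_on_upgrade):
    """Drive the toy client through STARTTLS and LOGIN; return the LOGIN reply."""
    client = ToyStartTlsClient([PLAINTEXT_CHUNK, TLS_CHUNK], flush_on_upgrade)
    client.starttls()
    return client.login()


if __name__ == "__main__":
    for flush in (False, True):
        reply = run(flush)
        print(f"flush_on_upgrade={flush}: {reply.text!r} over_tls={reply.over_tls}")
```

The vulnerable run accepts a "LOGIN completed" line that never travelled over TLS; the fixed run only ever returns lines tagged `over_tls=True`.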

Libarchive RCE vulnerability

CVE-2021-36976 concerns a vulnerability in the libarchive open source library, which is used by Windows. The January 2022 Windows Security Updates include the most recent version of this library, which addresses this vulnerability and others. The vulnerability is described as: “libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).”

Windows Certificate Spoofing vulnerability

CVE-2022-21836 allows an attacker to bypass a security feature. A successful attacker could bypass the Windows Platform Binary Table (WPBT) verification by using a small number of compromised certificates. Microsoft has added those certificates to the Windows kernel driver block list, driver.stl. The Windows Platform Binary Table is a fixed firmware ACPI (Advanced Configuration and Power Interface) table. It was introduced by Microsoft to allow its vendors to execute programs every time a device boots. Certificates on the driver.stl will be blocked even if present in the WPBT.

Windows Event Tracing Discretionary Access Control List Denial of Service vulnerability

CVE-2022-21839 comes with few details. It affects some unspecified processing in the Event Tracing Discretionary Access Control List component. Exploitation is said to be easy and possible remotely, but it requires authentication. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or resource, making it inaccessible to its intended users.

Windows Security Center API RCE vulnerability

CVE-2022-21874 is a publicly disclosed RCE vulnerability in the Windows Security Center API that received a CVSS score of 7.8. This vulnerability requires user interaction to exploit, and the attack vector is local.

Windows User Profile Service Elevation of Privilege (EoP) vulnerability

CVE-2022-21919 is a publicly disclosed EoP vulnerability in the Windows User Profile Service API that received a CVSS score of 7.0. Exploitation is known to be difficult, but the attack may be initiated remotely and requires only simple authentication.

HTTP Protocol Stack RCE vulnerability

CVE-2022-21907 is not one of the zero-days, but it stands out because it is a critical vulnerability that could allow an unauthenticated attacker to send a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets. While this vulnerability would mostly affect servers, the fact that it requires no user interaction and no privileges, and targets an elevated service, makes experts believe it is wormable. There are also some questions among experts about which Windows versions are vulnerable.

The new security update guide notification system

Notifications are sent when information is added or changed in the Security Update Guide. Based on feedback, Microsoft has been working to make signing up for and receiving Security Update Guide notifications easier. Starting today, you can sign up with any email address that you want and receive notifications at that email address. There is no longer a requirement that the email be a Live ID.

To start off, you will need to create a Security Update Guide profile by clicking “Sign in” at the top right corner of the Security Update Guide. You can use any email and password here. If this is your first time signing in, a validation email will be sent with steps to verify that you have entered a valid email address.

Other security updates

Don’t forget to look at other security updates that you may need. We have seen updates from:

Update January 18

Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2021 Patch Tuesday. For those that were experiencing problems or holding off on the updates, this update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.

Stay safe, everyone!

The post [updated] You can update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Software engineer hacked webcams to spy on girls—Here’s how to protect yourself

Malwarebytes - Wed, 01/12/2022 - 16:47

A 32-year-old software engineer has been sentenced to two years and two months in prison for remotely accessing chat logs, photos, videos, and webcams of his female victims.

For nine years, between 2010 and 2019, Robert Davies used malware to infiltrate his targets’ devices and access their data without them knowing. In one incident Davies accessed a schoolgirl’s webcam and secretly filmed her undressing and showering.

Davies is not only a voyeur but also a catfish. He is said to have created multiple accounts on Skype to get close to his targets with the end goal of eventually tricking them into performing sex acts for him. While using one of his Skype personas, he befriended an 11-year-old girl and built a relationship with her over the course of two years. He eventually gained access to her computer and switched on her webcam without her realizing.

Andrew Shorrock of the UK’s National Crime Agency (NCA) is quoted saying: “Davies has amassed what can only be described as a cybercriminal’s toolkit. Not only was he using these tools to break in to people’s devices, he was using them to spy on his unsuspecting victims and to steal naked images of them for his own sexual gratification.”

All in all, Davies victimized 25 individuals.

Davies pleaded guilty to all 25 counts of “causing a computer belonging to another to perform a function with intent to secure unauthorized access”, one count of voyeurism, four counts of making sexual photos of children, and one count of owning extreme pornographic media.

“The extent of the damage you have caused is immeasurable and constitutes a total violation of their privacy,” said Judge Julie Warburton of Nottingham Crown Court as she handed down the sentence.

How to protect yourself from voyeurs and catfishers

Technology has made it possible for anyone with the right know-how and ill intent to access someone else’s device and spy on them. Thankfully, incidents of voyeurism and catfishing can be avoided. Here are some tips:

  • If you use a laptop, make sure you put something over the webcam. A simple piece of tape will do, or you can use a specially made webcam protector.
  • If you have a webcam that’s not built into your computer, then get into the habit of manually disconnecting your webcam when you’re not using it.
  • If your webcam has a password, change it from the default to a long and complicated one.

Instant messengers (IMs) and voice-over-IP (VoIP) apps

  • Treat your IM or VoIP app chat of choice as you would your online social media account: lock down your security and privacy settings, and make sure your ID/handle is not searchable just by anyone (if at all), which means random strangers cannot just add you as a contact.
  • Keep chats and video sessions clean as much as possible. It may be fun for you to try something risqué every now and then, but remember that the threats of sextortion, revenge porn, and blackmail are real.

General tips

  • It goes without saying that you should make sure you have good security software installed on your device and keep it up to date.
  • And talking of updates, make sure you’re applying them as soon as they’re available, whether that’s your phone, your computer’s OS or your browser. Cybercriminals use known flaws to exploit systems so keeping your system up to date is one way of making things harder for them.

If there is one final takeaway we can get from the Davies case, it’s that cybercriminals can be very patient. And sometimes, all it takes is one person to choose to take advantage of our trust. One can never be too careful, especially online.

Stay safe!

The post Software engineer hacked webcams to spy on girls—Here’s how to protect yourself appeared first on Malwarebytes Labs.


FIFA 22 phishers tackle customer support with social engineering

Malwarebytes - Wed, 01/12/2022 - 16:23

Players of smash hit gaming title FIFA 22 have become the target of a wave of attacks focused on account compromise. Up to 50 “high profile” accounts were hijacked by what may have been the same group.

FIFA games are, traditionally, a big draw for scammers and phishers. Many sports titles offer in-game digital items and benefits, paid for with real money. Sometimes you buy specific items via purchases called microtransactions. Other times, it might be a form of lucky dip, where you spend money on boxes which contain random items. They can be worthless, or incredibly valuable, and you don’t know what you’ll receive till you buy the so-called lootboxes. Games like FIFA frequently draw ire for it, and players who buy a lot of lootboxes are popular targets for phishers. Wherever you have players investing large sums of money, you’ll find the sharks circling in the water.

Someone decided to make a big splash with this particular attack. This isn’t supposed to be a stealthy compromise and a slow burn of stolen and plundered accounts, the attackers took over some of the biggest names in the FIFA game space and fired half a dozen flare guns at the same time. As Bleeping Computer notes, targets included actual players, currency traders, and streamers. Someone wanted attention, and they went about it in a way which guaranteed it.

Setting the scene

The problem was so visible that EA published a statement on the attacks. One may have assumed the first point of entry would be phishing gamers with fake logins and stealing their accounts. This is where additional security measures such as 2FA come in. If the attackers gain login details via bogus websites, they still need to log in to the real site as the victim. If 2FA (or similar) is active, they won’t be able to do it without the 2FA code.

This potentially gives victims enough time to realise something isn’t right, and change their login details leaving the phisher with nothing.

However, even with 2FA enabled, things can go wrong. Typically this approach again focuses on the victim. A fake login site will ask for username and password, but then also ask the victim to enter their 2FA code on the phishing site. This code will then be automatically entered onto the real thing, or punched in manually (and with haste!) by the attacker. Sometimes they even ask victims to upload files designed to keep attackers from logging in.

However, on this occasion, they set EA customer support agents in their sights instead.

Going head to head with customer support

The statement reads as follows:

Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques. Utilizing threats and other “social engineering” methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts. 

Attacking victims via customer support isn’t a new technique, but it was used to spectacular effect here. It’s not clear from the statement exactly how this played out. However, phishers often steal logins via fake sites first, then go to customer support pretending to be the victim who is “locked out” or has forgotten their details. They use pieces of the already stolen data to convince customer support they’re the real deal, and then take info from customer support to complete the attack.

The other approach is to talk to customer support with no action taken beforehand, and “simply” social engineer their way into full account control. Tricky, but not impossible, and a lot of it comes down to staff training.

Damage done, and further steps

Here’s the next part of the statement:

At this time, we estimate that less than 50 accounts have been taken over using this method…our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account.

Whether pre-armed with pilfered data or not, the scam involved altering the registered email addresses associated with accounts. More training definitely seems to be key here, as they go on to say:

All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.

We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.

Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.

All good moves by EA.

A wide world of 2FA protection

A caveat: phishers bypassing you completely and leapfrogging customer support means your 2FA may not help in that situation. On the other hand, keeping accounts locked down with tools like 2FA may contribute to them having to dream up scams like this in the first place. Making them work harder, and going the extra mile, naturally puts up a bit of a fatigue barrier. Many will also simply move on and target less secure accounts.

I can’t think of many gaming platforms or title specific services involving passwords which don’t also offer 2FA. Playstation has it, Xbox has it, as does Steam and Epic. Many platforms and titles offer bonuses for enabling additional security measures.

All of these forms of protection differ, with varying degrees of security. Some are SMS based, which are better than nothing, but ripe for exploitation via SIM swap. Phishers will come up with inventive ways to bypass apps, especially where some crossover to the desktop exists.

The best combination, if available, is probably a password manager and a hardware security key. Some password managers, for example LastPass, will prefill login details for you, but only if you’re on the genuine website. If you’re sent to a bogus site, nothing will happen and you’ll know you’re in the wrong place.

Meanwhile, the physical security key deals with authentication – no text messages or apps required. There are a few examples of successful attacks on physical sticks, but they’re pretty rare. Again: this won’t help if the attackers haul themselves over the finish line through customer support. That’s out of your hands. Even so, you’ve locked things down at your end and that can only possibly be a benefit to you and a hindrance to those that matter.

The post FIFA 22 phishers tackle customer support with social engineering appeared first on Malwarebytes Labs.


Ransomware targets Edge users

Malwarebytes - Wed, 01/12/2022 - 11:20

Unless you’ve been hiding under a rock for the last twenty years, you’ve probably heard the one about “keeping your software up to date”. Applying software updates promptly is arguably the single most useful thing you can do to keep yourself secure online, and vendors, experts, pundits, and blogs like ours, never let users forget it!

And because it’s good advice that’s easy to follow, cybercriminals like to use fake software updates to con users.

Fake software updates have been a go-to tactic for getting users to download malware for many years. A convincingly-branded message that tells users they need to update their out of date software taps into all the good security messaging users have soaked up, it gives them a reason to install strange software from the Internet, and it carries exactly the right mixture of implied threat and urgency that social engineers like.

For years, fake Flash updates were a fixture of web-based malware campaigns. Flash provided just the right kind of patsy: It was famous for its security holes, and new updates were released almost every month. But with Adobe’s media player a year into its long overdue retirement, criminals have had to look elsewhere for a convincing cover story, and where better than perhaps the most frequently updated software of them all, the web browser? Browsers have an almost frenetic update schedule, and many users understand that installing regular updates is a normal and important part of their everyday use.

Last week, Malwarebytes’ Threat Intelligence worked with nao_sec researchers to investigate a recently-discovered update to the Magnitude Exploit Kit that was duping users with a fake Microsoft Edge browser update.

The Magnitude exploit kit offers users ransomware dressed up as Microsoft Edge

The Magnitude exploit kit uses a grab-bag of social engineering lures and exploits to attack web users and install ransomware on their computers. Although Magnitude has been used to target different geographies and deliver different kinds of ransomware in the past, these days it is strictly focussed on installing Magniber ransomware on targets in South Korea.

The fake Edge update attack flows like this:

  1. A user visits an ad-heavy website and encounters a malicious ad.
  2. The malicious advert redirects them to a “gate”, known as Magnigate.
  3. Magnigate runs IP address and browser checks to determine if the user will be attacked.
  4. If the user fits the attackers’ criteria, Magnigate redirects them to the Magnitude exploit kit landing page.
  5. Based on information from Magnigate, the exploit kit chooses an attack from its collection.
  6. In this case, the exploit determines the best attack is a fake Microsoft Edge update.
  7. The “update” is actually a malicious Windows Application package (.appx) file.
  8. The .appx file downloads Magniber ransomware from the Internet.
  9. Magniber encrypts the user’s files and demands a ransom.

A Magniber ransom demand

Magnitude is regularly updated with fresh attacks, and the fake Edge update appears to have been added in the last few weeks. In the past, Magnitude has made extensive use of Flash and Internet Explorer vulnerabilities, but as the software landscape has changed it has had to adapt. In late 2021, it was seen targeting a sandbox escape vulnerability in the Chrome browser family, for example. That should be no surprise: Chrome is the most popular web browser by far, and it suffered from an unprecedented glut of zero-days in 2021.

The number of problems affecting Chrome’s V8 JavaScript engine suggests there may be underlying problems in that part of the browser, and we fully expect that the near-term future of exploit kits will be Chrome exploits. However, that won’t stop exploit kits from taking advantage of other tactics, like fake updates, where they’re more likely to succeed.

Although Edge is based on the same browser as Chrome, uses the same V8 JavaScript engine, and is vulnerable to the same exploits, those exploits will only work on browsers that are out of date. And since browsers are pretty good at installing updates, Magnitude also needs attacks that work against fully updated browsers.

The irony is that the users most likely to run into an attack telling them they need to update their browser are the ones who already have.

If you want to know what version of Edge you’re running and if there are updates available, we suggest you follow the official guidance from Microsoft:

  1. Open Edge, select Settings and more, and then select Settings.
  2. Scroll down and select About Microsoft Edge.

Malwarebytes blocks Magniber ransomware.

Malwarebytes blocks a Magniber ransomware download

The post Ransomware targets Edge users appeared first on Malwarebytes Labs.


Intimate photo hacker spared from jail, said he “liked the detective work”

Malwarebytes - Wed, 01/12/2022 - 11:00

Michael Grime, a British games programmer, has escaped jail after using stolen credentials to access several women’s personal email accounts and social media accounts in order to steal their private and intimate photos.

Grime was caught by the National Crime Agency (NCA) as part of an operation involving several agencies and the FBI. The agencies were able to link his email address to an account in WeLeakInfo[dot]com, a website that sells leaked credentials. Grime is said to have been paying $2 USD a day to access this site before it was taken down by law enforcement in early 2020.

WeLeakInfo[dot]com is marketed as a site that offers access to 12 billion user records collected from more than 10,000 data breaches. These records contain user names, email addresses, IP addresses, passwords, and phone numbers.

This is what WeLeakInfo used to look like, courtesy of the Wayback Machine.

This appeared on the WeLeakInfo website from as early as January 2020, courtesy of the Wayback Machine.

In November 2020, law enforcement officers raided Grime’s home and seized a PC tower, three external hard drives, and his mobile phone. Thousands of photos and videos of women either topless or nude were found on his devices, many of which were images that had never been shared publicly.

The NCA primarily identified 11 women in the UK, most of whom went to school with Grime or had known him since childhood. It isn’t specified how many women Grime victimized outside of the UK. Some of his victims are popular figures on YouTube and Only Fans.

During a Preston Crown Court hearing, Grime admitted to having access to “around 50 accounts”. In one incident, Grime, who was described as “geeky, loner, and odd”, hacked the account of one of the women’s boyfriends to access private photos shared between the couple.

Lisa Worsley, prosecuting, told the court that his victims “felt betrayed and sad. One woman’s first response was to delete all her social media which she found upsetting.”

“Another said her Snapchat has been unstable and would log her out three or four times a day.” That’s a red flag there.

On the defending side, the lawyer, whom outlets name only as “Mr. Forbes”, told the court that Grime is “socially awkward” and may be on the autistic spectrum, although Grime has never had an official diagnosis. Forbes also said that his client became obsessed with hacking and “liked the detective work”.

“Many cybercriminals rely on the fact that lots of people use the same password on multiple sites and data breaches create the opportunity for fraudsters to exploit this,” said Detective Inspector Chris McClellan from the North West Regional Organised Crime Unit, who carried out the warrant at Grime’s home address in November.

“He knew it was wrong,” Forbes is quoted saying, “He stopped on occasions but [sic] and deleted material and would start again. This was something over which he felt he had little to no control over.” Forbes said Grime’s arrest was a “relief” for the young programmer as Grime didn’t have to rely on his weak will to stop himself from hacking accounts and downloading photos.

Although he wasn’t imprisoned, Michael Grime was given a community order, which orders him to do unpaid community work for 80 hours over two years. He was also ordered to undergo rehabilitation for 30 days and pay £500 as compensation for each of his 11 victims.

DI McClellan advised internet users to check if their credentials and personal data have been part of a data breach by using legitimate websites like If users find one or more of their accounts have been compromised due to breaches, they should make new strong passwords for each account.

“Do not reuse passwords and where possible apply Two Factor Authentication (2FA). This will help you prove you are who you say you are when you are logging into your account. Do not share the 2FA code with anyone.”

Sage words.

The post Intimate photo hacker spared from jail, said he “liked the detective work” appeared first on Malwarebytes Labs.


Attackers are mailing USB sticks to drop ransomware on victims’ computers

Malwarebytes - Tue, 01/11/2022 - 11:43

Physical objects as security threats are in the news at the moment. The oft-touched upon tale of rogue USB sticks is a common one. Being wary of random devices found on the floor, or handed out at events is a smart move. You simply don’t know what’s lurking, and it’s hard to find out safely without the right tools available. Even then, something can slip by and cause no end of trouble on your desktop or network.

Sticky situations

Back in 2015, we covered the Dead Drops art project. This involved people hiding their USB stick in public places, and others finding them to join an “anonymous file-sharing network” and see what lurks. Security wise, this is an absolutely terrible idea for most folks.

On the other hand: people absolutely do plug in USB sticks found in the street, and they also happily use freebies at events. Most won’t concern themselves with security worries, but they should. However, it’s one thing to voluntarily grab USB sticks yourself. It’s quite another to be potentially disarmed by someone sending you said device instead.

Postal peril

The FBI has warned that a malware group is sending out infected USB sticks to specific targets. The group is behind major attacks such as the notorious Colonial Pipeline ransomware incident. Make no mistake, these are heavy hitters (and have been here before, and that time they included gifts such as cuddly toys).

The bogus sticks have been winging their way to potential victims through the post for a number of months. There are elements of social engineering involved, too. It isn’t just a random stick in an unlabelled baggy; there’s a variety of packaging depending on who the sticks have been sent to. It’s perhaps not quite as visually impressive as rogue teddy bears, but it still gets the job done.

Social engineering their way to USB victory

The attackers use a couple of different postal services to send the USBs into the wide blue yonder: United Parcel Service, and United States Postal Service. The sticks have been sent to “US businesses in the transportation, insurance, and defence industries”. The packages are designed to resemble Amazon gifts, and Covid alerts from the US Department of Health, which are likely to carry a strong pull factor for the unwary.

If the USB stick is inserted into a PC, it launches a BadUSB attack and the malware auto-registers as a keyboard. From there, it uses keystrokes to place malware on the system and, potentially, deposit and fire up additional rogue files. Bleeping Computer notes that the end goal is to deploy ransomware on the compromised network.

Tips for keeping USB access points safe

  • It’s not realistic to suggest disabling all USB ports on workplace machines, considering how many USB devices we use on a daily basis. However, you can ensure that only the ones in use are functional. You can also buy physical locks which block use of ports with no software required to do it. Similarly, you can buy devices which lock wires into ports and reveal evidence of tampering if one is somehow pulled out.
  • Dedicated workstations running virtual machines, or a non-Windows OS, can be set up for any “stray” USB sticks.
  • Disabling autorun is also helpful should such a thing already be enabled.
  • Restricting access to any and all USB sticks to a handful of trained staff may be thought of as time-intensive, but realistically you likely don’t run into dozens of mysterious USB sticks on a daily basis.

We don’t know how many organisations have been affected, nor do we know how successful this campaign has been. Organisations should be cautious if they’re in one of the sectors targeted by this attack. In fact, we should all be cautious where rogue USB sticks are concerned. Get ahead of the curve and ponder this issue now, instead of waiting to find out if your area of business is on the next FBI release a few months down the line.

The post Attackers are mailing USB sticks to drop ransomware on victims’ computers appeared first on Malwarebytes Labs.


Ransomware attacks Finalsite, renders 8,000 school sites unreachable for days

Malwarebytes - Fri, 01/07/2022 - 22:28

Finalsite, a popular platform for creating school websites, appears to have recovered significant functionality after being attacked by a still-unknown ransomware on Tuesday, January 4, 2022. At least 8,000 schools are said to have been affected by the resulting outage.

An important message from Finalsite:

— Finalsite (@Finalsite) January 6, 2022

According to an open letter published on its Twitter account:

On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment.

In the time since the incident, our security, infrastructure, and engineering teams have been working around the clock to restore full backup systems and bring our network back to full performance, in a safe and secure manner.

Internet users who are directly or indirectly affected by this ransomware incident took to Reddit to raise some concerns. User /u/flunky_the_majestic writes: “Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol. The impact of this outage is far greater than the attention it has received.” [1]

Some Reddit users also used this thread to complain about K12 schools continuing to use old technology, and about the challenges that explain why it has remained this way. This is a notable one from someone who works in K12:

The first good news is the company says it has found no evidence of data theft.

The second good news is, as of Finalsite’s status entry hours ago, “the vast majority of front-facing websites are online.” As a caveat, it added that some of these sites still lack some functionality and content, such as admin log-in, calendar events, and the directory of constituent groups, which the team is working to restore. While the CMS company continues to restore from backups, the investigation is still ongoing as of this writing.

The third and final bit of good news is related to the second: Finalsite got it so right by making and keeping backups of all their most important data. Remember that it’s not a matter of “if” but “when” ransomware—or another cyberthreat—strikes. Sometimes, companies who deem themselves secure can still get hit. And when (not if) they do, organizations need a recovery plan and the right kind of backups.

Companies restoring from backup just a few days after an attack, rather than paying the ransom, is by far the least bad outcome. It is also quite difficult to pull off, because there are so many questions to consider before doing anything. On top of that, there are instances where backups can fail us. Malwarebytes Labs’s podcast, Lock and Code, has covered this very dilemma. Listen to the full podcast below:


Finalsite also kept it simple and honest, which we greatly applaud. Some (if not most) organizations leave it at “sophisticated cyberattack”—perhaps for fear of ridicule or criticism over “not doing enough”. While this is understandable, Finalsite admitting they have been ransomware victims but are actually doing something about it is somewhat refreshing to see. We can only hope that other organizations, regardless of size, follow their example.


Patchwork APT caught in its own web

Malwarebytes - Fri, 01/07/2022 - 18:14

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign from late November to early December 2021, Patchwork has used malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT).

What is interesting among the victims of this latest campaign is that the actor has, for the first time, targeted several faculty members whose research focus is on molecular medicine and biological science.

Instead of focusing entirely on victimology, we decided to shed some light on this APT. Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines.


We identified what we believe is a new variant of the BADNEWS RAT called Ragnatela being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT.

Figure 1: Patchwork’s Ragnatela panel

Ragnatela RAT was built sometime in late November as seen in its Program Database (PDB) path “E:\new_ops\jlitest __change_ops -29no – Copy\Release\jlitest.pdb”. It features the following capabilities:

  • Executing commands via cmd
  • Capturing screenshots
  • Logging keystrokes
  • Collecting a list of all the files on the victim’s machine
  • Collecting a list of the applications running on the victim’s machine at specific time periods
  • Downloading additional payloads
  • Uploading files

Figure 2: Ragnatela commands

In order to distribute the RAT onto victims, Patchwork lures them with documents impersonating Pakistani authorities. For example, a document called EOIForm.rtf was uploaded by the threat actor onto their own server at karachidha[.]org/docs/.

Figure 3: Threat actor is logged into their web control panel

That file contains an exploit (Microsoft Equation Editor) which is meant to compromise the victim’s computer and execute the final payload (RAT).

Figure 4: Malicious document triggers exploit

That payload is stored within the RTF document as an OLE object. We can deduce the file was created on December 9, 2021 based on the source path information.

Figure 5: OLE object containing RAT

Ragnatela RAT communicates with the attacker’s infrastructure via a server located at bgre.kozow[.]com. Prior to launching this campaign (in late November), the threat actor tested that their server was up and running properly.

Figure 6: Log of threat actor typing a ping command

The RAT (jli.dll) was also tested in late November before its final compilation on 2021-12-09, along with MicroScMgmt.exe used to side-load it.

Figure 7: DLL for the RAT being compiled

Also in late November, we can see the threat actor testing the side-loading on a typical victim machine.

Figure 8: Threat actor tests RAT

Victims and victim

We were able to gain visibility on the victims that were successfully compromised:

  • Ministry of Defense- Government of Pakistan
  • National Defense University of Islamabad
  • Faculty of Bio-Science, UVAS University, Lahore, Pakistan
  • International center for chemical and biological sciences
  • HEJ Research institute of chemistry, International center for chemical and biological sciences, University of Karachi
  • SHU University, Molecular medicine

Another – unintentional – victim is the threat actor himself, who appears to have infected his own development machine with the RAT. We can see them running both VirtualBox and VMware to do web development and testing. Their main host has dual keyboard layouts (English and Indian).

Figure 9: Virtual machine running on top of threat actor’s main computer

Other information that can be obtained is that the weather at the time was cloudy at 19 degrees, and that they haven’t updated their Java yet. On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address.

Figure 10: Threat actor uses VPN-S

Under the VPN they log into their victim’s email and other accounts stolen by the RAT.

Figure 11: Threat actor logs into his victim’s email using CyberGhost VPN

Conclusion

This blog gave an overview of the latest campaign from the Patchwork APT. While they continue to use the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers.

Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding of who sits behind the keyboard. The group makes use of virtual machines and VPNs to develop, push updates, and check on their victims. Patchwork, like some other East Asian APTs, is not as sophisticated as its Russian and North Korean counterparts.

Indicators of Compromise


Sophisticated phishing scheme spent years robbing authors of their unpublished work

Malwarebytes - Fri, 01/07/2022 - 17:23

Three years ago on Quora, someone asked what writers do to keep their manuscripts from being stolen. One of the top answers reads as follows:

You’re joking, right? It’s hard enough to get people to read your novel once it’s out on Amazon, much less reading it before it’s finished…unless you’re George RR Martin, nobody is trying to get your unpublished, unedited manuscript.

That optimistic piece of advice doesn’t really hold true anymore, if it ever did. In a scheme reminiscent of some sort of comic book supervillain, Filippo Bernardini was arrested at JFK International Airport on Wednesday. The reason? He stands accused of impersonating publishing professionals to obtain unpublished manuscripts. Charges include “wire fraud and aggravated identity theft”. The wire fraud aspect alone carries a potential maximum sentence of 20 years.

Throwing the book at crime

From the FBI indictment:

…an indictment charging FILIPPO BERNARDINI with wire fraud and aggravated identity theft, in connection with a multi-year scheme to impersonate individuals involved in the publishing industry in order to fraudulently obtain hundreds of prepublication manuscripts of novels and other forthcoming books.

This particular scheme had been rumbling along since “at least” 2016, and the accused individual worked in the publishing industry.

According to the FBI, multiple fake email accounts were created, impersonating real people in the publishing space. Not only that, but also publishing houses and talent agencies. Alongside this were “more than 160 internet domains”. The domains copied real entities, with deliberate use of slight typos in email addresses to further replicate the genuine article. These are common phishing tactics used by regular phishers, but here we can see it being deployed in a more targeted fashion.

Nice award. Can I have your next book, please?

There’s at least one example given of a Pulitzer prize-winning author tricked into sending a forthcoming manuscript to an imitation of a real well-known editor and publisher.

“Hundreds” of distinct people were impersonated in order to obtain manuscripts the phisher had no business accessing.

There’s also mention of gaining access to a New York literary scouting company, via bogus mails to employees and a fake domain for them to log into. Once they logged in, credentials were forwarded on to add another string in the “massive scam” bow.

This was all happening up until or around July 2021. It remains to be seen how the case will pan out for the accused, but it doesn’t sound great for him so far. It seems likely that this in-depth account of authors being contacted by fictitious publishers from August of last year is related to the above. If it isn’t, well, I guess we have two separate fake literary agent saboteurs to contend with.

What can writers do to keep their work safe?

A lot of the security issues in this story boil down to phishing, and phishing countermeasures. Most of the tips for authors for keeping their manuscripts safe tend to focus on backing up files. While some do mention security compromise, a few of the tips make me a little nervous. With that in mind:

  • The Nathan Bransford article I’ve linked to above invites the “technically disinclined” to email themselves a copy of their manuscript, but I’d be wary of emailing documents to myself or others in plain text. I also appreciate that there are some situations where you may be left with “email or nothing”. In those situations, you should make use of a tool which can encrypt your files before you attach them, such as WinZip. Be aware though that some forms of encryption are more secure than others.
  • It also suggests placing documents in cloud storage. This puts a copy of your work in a different geography than your laptop, which is good if there’s a fire, or you’re hit with ransomware, but it also means there’s another place your work can be stolen from. If someone manages to guess your cloud login, and you don’t have 2FA enabled, they have your documents. To prevent this, I suggest you enable two-factor authentication on your cloud accounts, and consider encrypting your files before uploading them.
  • If you really don’t like the idea of leaving documents on your desktop, store them on an external drive. The usual caveats apply: Encrypt, encrypt, encrypt. On the very remote chance someone breaks in and steals it, or more likely, you lose it somewhere, it’ll help keep the files safe from prying eyes.

Again, these tips are really for everyone and all kinds of files. They’re not specific to budding or even professional writers. However, they can still make full use of them. And you don’t even have to be George R.R. Martin to do it.


Google and Facebook fined $240 million for making cookies hard to refuse

Malwarebytes - Fri, 01/07/2022 - 16:10

French privacy watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL), has hit Google with a 150 million euro fine and Facebook with a 60 million euro fine, because their websites don’t make refusing cookies as easy as accepting them.

The CNIL carried out an online investigation after receiving complaints from users about the way cookies were handled on these sites. It found that while the sites offered buttons for allowing immediate acceptance of cookies, the sites didn’t implement an equivalent solution to let users refuse them. Several clicks were required to refuse all cookies, against a single one to accept them.

In addition to the fines, the companies have been given three months to provide Internet users in France with a way to refuse cookies that’s as simple as accepting them. If they don’t, the companies will have to pay a penalty of 100,000 euros for each day they delay.


EU data protection regulators’ powers have increased significantly since the General Data Protection Regulation (GDPR) took effect in May 2018. This EU law allows watchdogs to levy penalties of as much as 4% of a company’s annual global sales.

The restricted committee, the body in charge of sanctions, considered that the process regarding cookies affects the freedom of consent of Internet users and constitutes an infringement of the French Data Protection Act, which demands that it should be as easy to refuse cookies as to accept them.

Since March 31, 2021, when the deadline set for websites and mobile applications to comply with the new rules on cookies expired, the CNIL has adopted nearly 100 corrective measures (orders and sanctions) related to non-compliance with the legislation on cookies.


Google said in a statement that “people trust us to respect their right to privacy and keep them safe” and that the company understands its “responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision”.

Facebook said it’s reviewing the authority’s decision. Here it may be important to note that the CNIL fined Facebook Ireland Limited, rather than Facebook France, since the head office in Ireland presents itself as the data controller of the Facebook service in the European region.

The procedure

As an example we’ll follow the cookie management procedure for YouTube, which was one of the sites the CNIL objected to.

A first time visitor (or more precisely, someone without any cookies from a previous visit) is presented with this consent form:

YouTube’s cookie consent popup

The user’s options are to either accept all the cookies by clicking “I AGREE”, or to click “CUSTOMIZE”, which results in a multitude of choices to be made about search customization, YouTube History, ad personalization, managing cookies in your browser, and managing data Google Analytics collects on sites you visit.

The first three entries are simple On/Off settings.

The first three options in YouTube’s cookie customization screen

The last parts, however, point to instructions or link to other sites, which in general come down to “You can change your browser settings to reject some or all cookies.”

YouTube’s instructions on managing cookies and data

This explains why the French watchdog objects to the skewed balance between accepting or rejecting cookies from these sites—the path to privacy is long and difficult.

The everlasting battle

Internet giants like Meta (Facebook) and Alphabet (Google) depend on advertising. Advertising represented 98% of Facebook’s $86 billion revenue in 2020, and more than 80% of Alphabet’s revenue comes from Google ads, which generated $147 billion in 2020.

Advertisers can bid on specific words and phrases, and target specific demographics, geographies or interests, and this ensures ads show up to relevant users at relevant times, or so the theory goes. To find out who the “relevant users” are, ad companies gather massive amounts of information about users, and that is where our privacy comes into play.

The information is stored in giant databases about us, and the link between us and our database entries is the cookies in our browser. The cookie acts like an ID badge: you show it every time you hit a Google or Facebook page, or any time you hit a page that includes a like button, some Google Analytics code, or anything else loaded from a Google or Facebook domain.

Sometimes that’s useful. Logging in to a website would be impossible without a cookie “ID badge”—you’d have to provide your password on each and every page instead. But sometimes the ID badge is doing something that’s useful to somebody else rather than you, such as allowing them to silently build a personal profile about you.

Luckily, sites rarely use one cookie for everything and typically use different cookies for different features. This is why YouTube customization options are so convoluted, and why adblockers and privacy plugins work at all. With a decent tool it’s possible to block or refuse the cookies you don’t like and keep the ones you do.

If you want to clear out everything and start again, take a look at our quick guide, How to clear cookies.

Dark patterns

YouTube’s choice between “I agree” and “Customize” rather than “I agree” and “I don’t agree” is an example of a dark pattern, a design that subtly and deliberately nudges you in the direction of a choice that benefits the designer. They are everywhere on the web, and they’re a problem.

In June 2021, Malwarebytes Labs’ David Ruiz spoke to dark patterns expert Carey Parker on the Lock and Code podcast. To learn more about dark patterns and how to spot them, listen below.



New iPhone malware spies via camera when device appears off

Malwarebytes - Thu, 01/06/2022 - 16:51

When removing malware from an iOS device, it is said that users need to restart the device to clear the malware from memory.

That is no longer the case.

Security researchers from ZecOps have created a new proof-of-concept (PoC) iPhone Trojan capable of doing “fun” things. Not only can it fake a device shutting down, it can also let attackers snoop via the device’s built-in microphone and camera, and receive potentially sensitive data due to it still being connected to a live network connection.

Stopping users from manually restarting an infected device by making them believe they have successfully done so is a notable malware persistence technique. On top of that, human deception is involved: just when you think it’s gone, it’s still very much there.

The researchers dubbed this overall attack “NoReboot,” and it does not exploit any flaws on the iOS platform. This means Apple cannot patch for it.

How they did it

So how does the malware stop the actual device shutdown from happening while making it look like it did to users? In a nutshell, the researchers hijack the shutdown event on an iOS device. This involves injecting new code to three daemons—programs that run in the background that have their own unique functions: InCallService, SpringBoard, and Backboardd.

The three inherent iOS daemons that the malware has to modify in order to pull off a successful fake-out. (Source: ZecOps)

InCallService is responsible for sending the “shutdown” signal to SpringBoard when a user manually turns off the iOS device. The researchers were able to hijack this signal using a hooking process. So instead of InCallService sending the signal to SpringBoard as it’s supposed to, it instead signals SpringBoard and Backboardd to execute the code injected into them.

The code in SpringBoard tells it to exit, not launch again, and only respond to a long button press. Since SpringBoard responds to user interaction and behavior, the daemon being unresponsive gives the impression that the device is off when, in fact, it’s not.

The code in BackBoardd, on the other hand, tells it to hide the spinning wheel animation, which pops up when SpringBoard ceases to work.

Screenshot of code snippets that are injected into SpringBoard and BackBoardd. (Source: ZecOps)

At this point, the iOS device looks and feels like a brick. But note that it’s still pretty much on, still connected to the internet, and still has functional features readily available for remote exploitation. Note that once an iOS device is infected with NoReboot, it starts its snooping via the camera.

Just as the device shutdown is simulated, NoReboot can also simulate a device startup, and the BackBoardd daemon plays a huge role in this. Since SpringBoard is no longer functioning, Backboardd takes control of the screen and responds to user inputs, including long button presses. Backboardd is told to show the Apple logo, a known indicator that the iOS device has indeed been turned off, which makes users let go of the button and stops them from truly rebooting the device. Then SpringBoard is relaunched so Backboardd can give back its privilege to control the screen.

You can read more about how NoReboot works in detail in ZecOps’s post here.

Video demonstration of NoReboot. (Source: ZecOps)

“Is this thing on?”

Since Apple introduced a feature that allows device owners to track their phones even when they’re turned off, things have never been the same. “On” remains on, while “off” is not-quite-off anymore. And this only gives attackers an opportunity to let their malware persist on affected devices.

NoReboot is a mere PoC at this point, but its code is already public. It’s only a matter of time before iOS attackers start incorporating this into their malware kits. That said, let’s arm ourselves with what we can do as users at this point.

If you suspect that your device is compromised by a NoReboot-like malware, you can keep pressing the force reboot buttons after the Apple logo appears. Remember that this is a simulated reboot, and keeping the restart buttons depressed would force the infected device to truly reboot. iOS device owners can also use Apple Configurator, which you can download for free.

Stay vigilant!

(Kudos to Thomas Reed for additional helpful insights)


Hackers take over 1.1 million accounts by trying reused passwords

Malwarebytes - Thu, 01/06/2022 - 14:54

The New York State Office of the Attorney General has warned 17 companies that roughly 1.1 million customers have had their user accounts compromised in credential stuffing attacks.

Credential stuffing is the automated injection of stolen username and password pairs into website login forms, in order to fraudulently gain access to user accounts. Many users reuse the same password and username/email, so if those credentials are stolen from one site—say, in a data breach or phishing attack—attackers can use the same credentials to compromise accounts on other services.

While credential stuffing may seem like a tiresome and long-winded game for attackers, it has proven to be very effective. And unlike many other types of cyberattacks, credential stuffing attacks often require little technical knowledge.

The consequences

When attackers gain access to an account, they have several options to monetize it, such as:

  • Draining stolen shopping accounts of stored value, or making purchases.
  • Accessing more sensitive information such as credit card numbers, private messages, pictures, or documents which can ultimately lead to identity theft.
  • Using a forum or social media account to send phishing messages or spam.
  • Selling the known-valid credentials to other attackers on underground forums.

Needless to say, avoiding becoming a victim is worth the trouble.

What can users do?

Besides listening to us telling you that you should not reuse passwords across multiple platforms, there are some other things you can do.

Start using a password manager. They can help you create strong passwords and remember them for you. Some password managers can be tricky at first, but once you get the hang of them you will wonder how you ever managed without one.

Then find out which credentials are at risk. You can check for compromised accounts on the website Have I been pwned? You can find information on how to use that site in our article “Have I been pwnd?”– What is it and what to do when you *are* pwned. The credentials shown as pwned there are the first ones you need to change the password for.

When it comes to which steps to take if you suspect there might be identity theft at play, we recommend you read this post we wrote after the Equifax breach some years ago.

What should organizations do?

Something that would make all of our lives easier is if organizations made it impossible, or harder at least, to credential stuff their sites and services.

One effective safeguard is to implement and enforce multi-factor authentication (MFA). However, this puts a big part of the burden on the customers, since they will have to take extra steps before they are logged in. Another method to protect customers is to prevent them from using compromised credentials. This functionality typically relies on third-party vendors that compile credentials from known data breaches.

Other more user-friendly solutions are bot detection methods and application firewalls.

Bot detection methods can distinguish between human and bot traffic even when the bot traffic has been disguised. Bot detection can be event-based and identifies bots using network characteristics, device characteristics, and behavior characteristics. More complex bot detection methods use behavioral analysis and artificial intelligence to detect login attempts that are seen as abnormal. A less complex method to distinguish between bots and humans is the well-known CAPTCHA challenge.

Web Application Firewalls (WAF) are often the first line of defense against malicious traffic. They can block or throttle multiple attempts from the same source or at the same account. They can also use blocklists based on known IP addresses that have recently engaged in attacks. Sophisticated credential stuffing attacks, however, are often able to circumvent most WAF security measures.
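As an added example (not Malwarebytes’ code or any vendor’s WAF), here is a small sliding-window detector that applies the heuristics from the two paragraphs above to constructed login log lines: throttling a source that makes too many attempts, flagging a source that sprays many different usernames, flagging an account hit from many sources, and treating a success from a spraying source as a likely takeover. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
# Format: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-01-06T10:00:00 203.0.113.7 alice FAIL
2022-01-06T10:00:30 203.0.113.7 alice OK
2022-01-06T10:01:00 198.51.100.23 u01 FAIL
2022-01-06T10:01:03 198.51.100.23 u02 FAIL
2022-01-06T10:01:06 198.51.100.23 u03 FAIL
2022-01-06T10:01:09 198.51.100.23 u04 FAIL
2022-01-06T10:01:12 198.51.100.23 u05 FAIL
2022-01-06T10:01:15 198.51.100.23 u06 FAIL
2022-01-06T10:01:18 198.51.100.23 u07 FAIL
2022-01-06T10:01:21 198.51.100.23 u08 FAIL
2022-01-06T10:01:24 198.51.100.23 u09 OK
2022-01-06T10:02:00 203.0.113.11 bob FAIL
2022-01-06T10:02:10 203.0.113.12 bob FAIL
2022-01-06T10:02:20 203.0.113.13 bob FAIL
2022-01-06T10:30:00 198.51.100.23 zed FAIL
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, username, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


class StuffingDetector:
    """Sliding-window counters keyed by source IP and by account (assumed thresholds)."""

    def __init__(self, window=timedelta(minutes=5), max_attempts_per_ip=8,
                 max_users_per_ip=5, max_sources_per_user=3):
        self.window = window
        self.max_attempts_per_ip = max_attempts_per_ip
        self.max_users_per_ip = max_users_per_ip
        self.max_sources_per_user = max_sources_per_user
        self.by_ip = defaultdict(deque)    # ip -> deque of (ts, user)
        self.by_user = defaultdict(deque)  # user -> deque of (ts, ip)

    def _evict(self, queue, now):
        """Drop entries that have fallen out of the sliding window."""
        while queue and now - queue[0][0] > self.window:
            queue.popleft()

    def attempts_in_window(self, ip):
        """Number of attempts from `ip` still inside the window at its last event."""
        return len(self.by_ip[ip])

    def observe(self, event):
        """Feed one login event; return the alerts it triggers (possibly none)."""
        ts, ip, user, ok = event
        ip_q, user_q = self.by_ip[ip], self.by_user[user]
        self._evict(ip_q, ts)
        self._evict(user_q, ts)
        ip_q.append((ts, user))
        user_q.append((ts, ip))

        alerts = []
        distinct_users = len({u for _, u in ip_q})
        distinct_sources = len({i for _, i in user_q})

        # Alert exactly when a threshold is crossed, so each burst alerts once
        # rather than on every further attempt.
        if distinct_users == self.max_users_per_ip:
            alerts.append(("stuffing_source", ip, distinct_users))   # one IP, many usernames
        if len(ip_q) == self.max_attempts_per_ip:
            alerts.append(("throttle_source", ip, len(ip_q)))        # plain volume from one IP
        if distinct_sources == self.max_sources_per_user:
            alerts.append(("account_targeted", user, distinct_sources))  # one account, many IPs
        # A success from a source already spraying usernames is the reused-password
        # hit that credential stuffing is after; it deserves its own alert.
        if ok and distinct_users >= self.max_users_per_ip:
            alerts.append(("likely_takeover", user, ip))
        return alerts


def analyze(log_text, detector=None):
    """Run every non-empty line of `log_text` through the detector; return all alerts."""
    detector = detector or StuffingDetector()
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(detector.observe(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The final `zed` attempt from the spraying source at 10:30 raises nothing because the earlier burst has slid out of the five-minute window, which is the behaviour a throttle needs so that a source is not blocked forever.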

No more passwords

Recently, we’ve seen initiatives that strive towards more password-less authentication. On this site we have discussed alternatives to get rid of passwords for good, along with the possible downside of the bold move Microsoft made towards a password-less future.

As with most things in security, switching to a password-less authentication will have pros and cons. It’s likely to have a different outcome for different organizations, but it seems something that is at least worth thinking through.

Stay safe, everyone!


Intercepting 2FA: Over 1200 man-in-the-middle phishing toolkits detected

Malwarebytes - Thu, 01/06/2022 - 13:27

Two-factor authentication (2FA) has been around for a while now, and for the majority of tech users in the US and UK it has become a security staple. Indeed, wake-up calls brought about by data breaches have stirred others out of their comfort zones into finally adopting 2FA and making it part of their online lives.

But online criminals, quick as they are with anything these days, are already one (if not several) steps ahead.

As early as 2017, cybercriminals were incorporating capabilities to defeat 2FA into their kits. With 2FA becoming much more commonplace, such kits are increasing in popularity and are in high demand in the underground market.

Academics from Stony Brook University and Palo Alto Networks—namely Brian Kondracki, Babak Amin Azad, Nick Nikiforakis, and Oleksii Starov—have found at least 1,200 phishing kits online capable of capturing or intercepting 2FA security codes. This, of course, would enable them to bypass any 2FA procedures their target victims have already set up.

According to their report, entitled “Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits”, cybercriminals are using Man-in-The-Middle (MiTM) phishing kits which mirror live content to users while at the same time extracting credentials and session cookies in transit.

These kits make it easy for the cybercriminals, because the harvesting of 2FA authentication session tokens is automatic. And because victims can browse within the phishing page as if it’s the real thing after they authenticate, users are less likely to notice they’ve been phished.

Illustration of what a MiTM phishing would look like. (Source: Kondracki, et al)

MiTM phishing attacks are perfect for scenarios where cybercriminals don’t want to use malware to steal credentials, and the attack itself doesn’t need human involvement in the process. Perhaps this is why email accounts, social media accounts, and some gaming accounts (as opposed to banking sites) are likely targets of MiTM phishers. These services have a more relaxed approach on how they log in users and keep them logged in until they manually log out.

Some of these services also create authentication sessions that can remain valid for years. Such session tokens can be used to abuse the account on a long-term basis without the user knowing.

There are currently three widely known MiTM toolkits in popular hacking forums and code repositories: Evilginx, Muraena, and Modlishka. Among these, Modlishka (the Polish word for “mantis”) is the most familiar, and we covered it back in 2019.

A hacking forum post where someone is looking for Evilginx and Modlishka specialists for his phishing campaign. (Source: The Record by Recorded Future)

Using machine learning, the academics created a fingerprinting tool they called PHOCA (Latin word for “seal”, the sea mammal). Per the report, PHOCA “can detect previously-hidden MITM phishing toolkits using features inherent to their nature, as opposed to visual cues.” All one needs to do is feed the tool with a URL or domain name, and then the tool determines if its web server is a MiTM phishing toolkit by using its trained classifier.

Criminals using a 2FA bypass is inevitable. PHOCA seems to be the only tool that can successfully pinpoint and help users thwart MiTM phishing websites. Aside from PHOCA, the academics propose client-side fingerprinting and TLS fingerprinting as detection methods that would greatly help thwart this type of attack.

Seemingly invisible threats like MiTM phishing are real. And we hope that we can protect against them sooner rather than later.


Purple Fox rootkit now bundled with Telegram installer

Malwarebytes - Tue, 01/04/2022 - 14:02

The Purple Fox rootkit is being spread as an installer for the popular Telegram instant messaging app for Windows, according to researchers.

It’s not clear how the installer in this case was distributed, although it seems like at least some were delivered via email. Common distribution methods for this type of installer are phishing campaigns, forum spam, YouTube posts and comments, as well as untrustworthy software download sites. We’ve also seen the same malicious downloader in combination with a WhatsApp for Windows installer.

But what makes the newly found Telegram installer special is the fact that the malicious part of the install is done separately in several small files. This makes the malware harder to detect and makes it easier for the malware authors to replace parts that have a high detection rate.

It starts with an installer called “Telegram Desktop.exe”, which is an AutoIT script that drops a legitimate Telegram installer and a malicious downloader called “TextInputh.exe”. The legitimate Telegram installer is not executed, but the malicious downloader is immediately run to fetch the next stage of the attack.

It downloads and executes more files, which get deleted after they have done their work. Then User Account Control (UAC) is disabled, specific antivirus products are blocked from starting, and information about security tools on the affected system is gathered and sent to a hardcoded command and control (C2) address.

The malware checks specifically for the presence of 360 AV software and will shut it down and block it from starting again.

The final stage of the infection requires a reboot for the new registry settings to take effect, including the disabled UAC. The disabled UAC setting allows the malware to download and deploy the Purple Fox rootkit.

Purple Fox background

Purple Fox is the name given to a malware family that has been in constant development ever since it was discovered in 2018. Back then it was a relatively simple Trojan that relied on exploit kits and phishing emails to spread. By the end of 2020, however, Purple Fox was using brute force attacks over Server Message Block (SMB), a network protocol that allows Windows computers to share files.

Then, in March 2021, researchers discovered that the Purple Fox malware included a rootkit and was wormable. A rootkit allows the attackers to hide the malware on a machine and make it difficult to detect and remove. Wormable malware is capable of spreading from one vulnerable computer to another automatically.

The Purple Fox infrastructure consists mostly of exploited servers that are used to host payloads, act as C2 servers, or serve as worm nodes. This makes it harder to track down the threat actors, but it also makes the infrastructure vulnerable if key servers get cleaned up by their rightful owners.

In September 2021, researchers found a new backdoor written in .NET which is believed to be associated with PurpleFox. This backdoor leverages WebSocket to communicate with its C2 servers, resulting in a more robust and secure means of communication. WebSocket is a communication protocol that allows streams of data to be exchanged between a client and server over a single TCP connection.


The most important advice to avoid this kind of infection is to download software only from trusted sources. Sometimes easier said than done, but trust me, it pays off.

Malwarebytes protects against and detects the malicious downloader by using the Artificial Intelligence module of its real-time protection.

Malwarebytes blocks Purple Fox IOCs

A full list of IOCs can be found on the Minerva blog, but we have listed the most important ones below:

  • Telegram Desktop.exe
  • 360.tct (which gets renamed to 360.dll)
Stay safe, everyone!

The post Purple Fox rootkit now bundled with Telegram installer appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What angered us most about cybersecurity in 2021: Lock and Code S03E01

Malwarebytes - Mon, 01/03/2022 - 08:09

We are just three days into 2022, so what better time for a 2021 retrospective? But rather than looking at the biggest cyberattacks of last year—which we already did—or the most surprising—like we did a couple of years ago—we wanted to offer something different for readers and listeners.

On today’s episode of Lock and Code, with host David Ruiz, we spoke with Malwarebytes Labs’ editor-in-chief Anna Brading and Labs’ writer Mark Stockley about what upset them the most about cybersecurity in 2021. These two have seen it all in the past year, helping to assign, write, edit, and publish every single blog that went onto Malwarebytes. That means every ransomware attack, every inadequate backup, every VPN blunder, and every industry-shifting vulnerability has been reviewed, read, and understood by our guests. And for everything covered on Lock and Code in 2021? Well, host David Ruiz joins the conversation this time, equipped with the information he gleaned about cybersecurity basics, critical infrastructure, and much more.

Interestingly, when you get a trio of news writers into the same (Zoom) room to talk about a certain industry, they also, invariably, begin talking about how that industry was reported on. Like Mark Stockley said in today’s episode, his top complaint about cybersecurity in 2021 wasn’t even about the industry’s failings, but about the way that newspapers and outlets write about the industry.

I think that there’s a sort of dispassionate view of the world that comes through in a lot of cybersecurity news that’s kind of calling balls and strikes, as if computer security is a thing that happens to computers.

Mark Stockley

Tune in to hear all this and more on this week’s Lock and Code podcast—the first episode in our third season—by Malwarebytes Labs.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post What angered us most about cybersecurity in 2021: Lock and Code S03E01 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What is IP sniffing?

Malwarebytes - Thu, 12/30/2021 - 17:12

IP sniffers, also known as packet sniffers, network analyzers, or protocol analyzers, are tools which play an essential role in the monitoring of networks, and in troubleshooting network-related issues. In essence, IP sniffing is monitoring traffic over a TCP/IP network.

IP sniffers intercept the traffic flowing in a digital network and log the data, which is then presented in a human-readable form for analysis. Network administrators and hackers of all stripes can use them to understand the state of a network at any time, find network vulnerabilities, and measure network performance.

What is packet sniffing?

When a distinction is made between IP sniffing and packet sniffing, a packet sniffer is a tool that analyzes all the inbound and outbound packets of a network. In addition, it looks at the path taken by each packet and interprets the logs to give users more visibility into their network. Some of these tools can also be used to monitor routers, switches, server traffic, network hardware, and even networks as a whole.

What is a Wi-Fi sniffer?

A Wi-Fi sniffer is a specific type of network analyzer or packet sniffer that is designed to work with wireless networks. Wi-Fi sniffing can be accomplished with a dedicated piece of electronic equipment or a software application.

What is meant by “sniffing attack”?

A sniffing attack involves the illegal extraction of unencrypted data by capturing network traffic through packet sniffers. They are used by cybercriminals to steal customer data and compromise network security. Sniffing attacks, which pose a significant security risk, enable common network threat types such as man-in-the-middle attacks, insider threats, etc.

By placing a hardware or software packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. There are two types of sniffing attacks:

  • Active sniffing

Sniffing on a switched network is called active sniffing. A switch is a point-to-point network device. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each port, which helps it pass data only to its intended target. In order to capture the traffic between targets, a sniffer has to actively inject traffic into the LAN to enable sniffing of the traffic.

  • Passive sniffing

Any traffic that is passing through the non-switched or unbridged network segment can be seen by all machines on that segment. Passive sniffers operate at the data link layer of the network. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. This is called “passive” since sniffers placed by the attackers wait for the data to be sent to them and don’t inject any additional network traffic.

IP sniffing vs IP spoofing

Spoofing and sniffing are two very different things. IP spoofing means creating IP packets with a false source IP address. To carry out IP spoofing, attackers need the following:

  • A trusted IP address that the receiving device would permit to enter the network. There are numerous ways to find device IPs. One way is Shodan, a searchable database of IP address-to-device mappings.
  • The ability to intercept the packet and swap out the real IP header for the fraudulent one. A network sniffing tool or an Address Resolution Protocol (ARP) scan can be used to intercept packets on a network and gather IP addresses to spoof.

Is IP sniffing legal?

Port sniffing is a process of reading and interpreting data that is transferred on a specific network communication port. Security analysts typically rely on port sniffing programs to determine software vulnerabilities. These analysts must inspect software applications for proper encryption and unwanted data exposure.

Whether IP sniffing is legal or not depends on a few circumstances.

  • Location and applicable laws

There are almost as many different laws as there are legislators. In the US, several federal laws prohibit or restrict network monitoring and the sharing of records of network activity. These laws were drawn up to protect online privacy.

  • Who is doing the monitoring

Ownership of the data is a key differentiator. Certain types of network monitoring and data access are prohibited. People who violate the prohibitions may be sued by the people whose privacy they invade.

  • What they do with the gathered data

Again, if sharing gathered information results in a breach of privacy, it could result in legal consequences.

As a rule of thumb, you are allowed to monitor traffic in a private network that falls under your responsibility for troubleshooting purposes, and as long as you don’t share the gathered data with anyone else.

The post What is IP sniffing? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The three most significant cyberattacks of 2021

Malwarebytes - Wed, 12/29/2021 - 17:12

People that predict tomorrow’s weather by looking at today’s are often right. Cloudy today? It’ll probably be cloudy tomorrow. The same is often true for cybersecurity threats. Looking back at 2021 it looks a lot like 2020: A lot of ransomware attacks.

So, when I was asked to write about the three most significant cyberattacks of 2021, it was no real surprise that my thoughts turned to ransomware attacks.

But what made these three stand out from the other attacks this year, and from many we’ve seen before, were not the direct consequences for the targeted systems, or even the people in the organizations that were attacked, but the consequences for people far beyond those organizations.

The three I’ve chosen are:

  • The Conti ransomware attack on Ireland’s Health Service Executive
  • The REvil ransomware attack on Kaseya VSA
  • The Darkside ransomware attack on the USA’s Colonial Pipeline

Let me explain why I chose these three from the multitude of ransomware attacks we went through in 2021.

The human cost of a ransomware attack

On May 14, Ireland’s Health Service Executive (HSE) was paralyzed by a cyberattack which turned out to be Conti ransomware. The attack forced the organization to shut down more than 80,000 affected endpoints and plunged it back into the age of pen and paper.

Our colleague, Mark Stockley interviewed a doctor working in one of the affected hospitals.

Because of the ransomware attack, the doctor had to put in hours of extra effort after his day’s work just to determine which of the next day’s appointments he would have to cancel for lack of information. And then he could expect to deal with those anguished, sometimes angry patients, when he told them their appointment cannot go ahead.

“Imagine the scenario,” he said. “Patients will wait literally two years to see us. After two years they get a call saying ‘I’m sorry I can’t see you and I have to reschedule you and I can’t say when, because of the ransomware’. They know it’s not my fault but they are upset and very annoyed.” The doctor’s understatement kicks in. “They teach us ways to speak to angry patients, but it’s not nice.”

Asked what he would say to the attackers if he could speak to them, he responded with:

“If your loved one was sick. Would you do this? If you had somebody you cared about, would you do this to them. That’s what I’d ask them.”

“I think they lost their humanity.”

Four months later, after drafting in the army to help restore its systems, and after cancelling tens of thousands of appointments, HSE was still not fully recovered.

The ultimate supply-chain attack

On July 2, a severe ransomware attack against the popular remote monitoring and management software tool Kaseya VSA forced Kaseya into offering this urgent advice to its customers: Shutdown VSA servers immediately.

Members of the REvil ransomware gang had managed to push out a malicious Kaseya VSA update that encrypted machines and networks running the highly privileged software. The impact of the attack was enormous. Kaseya VSA is one of the more popular remote monitoring and management tools used by Managed Service Providers (MSPs) to administer their customers’ systems. The MSPs that were hit by the attack saw not only their own systems encrypted, but also the systems of their customers too.

An attack on one organization quickly became an attack on thousands.

The attack hit at a painful point in time for the Dutch Institute for Vulnerability Disclosure (DIVD), a volunteer-run organization that found a remote code execution flaw in Kaseya VSA on April 1, 2021. It was working with Kaseya to patch the VSA vulnerabilities for months prior to the attack. It took Kaseya quite a lot of effort and time, and more and more expertise to get the right patch out—to get it tested, to get it through quality assurance. And then, disaster struck just before the patches went out.

Only rarely do companies allow us a look inside their organization while they are recovering from a ransomware attack. Many find it more convenient to keep a low profile or to be secretive. We went over the work that had to be done by a Dutch MSP to repair the damage done by this attack. Doing this provided us with some valuable insights.

And our colleague David Ruiz talked to Victor Gevers, chair of the DIVD, on an episode of Malwarebytes’ Lock and Code podcast, about the ransomware attack that his organization was racing to prevent.

Gevers’ damning verdict on the current state of software: “The quality of products that are online and are exposed to the Internet are not up to par for the current situation that we are in and this is going to screw us over in the long term.”

Vital infrastructure is called vital for a reason

On May 10 the FBI confirmed that the Colonial Pipeline had been attacked by Darkside ransomware. The pipeline exists to supply gasoline and other products across the southern and eastern United States. It is the largest of its kind in the US, reportedly transporting almost half of the fuel consumed by the east coast. The US government declared an emergency and brought in emergency powers to ensure people would still be supplied with fuel.

The attack spurred new rules for critical infrastructure that represent a tidal shift in how the Transportation Security Administration (TSA) has protected pipeline security in the country for more than a decade. But it also made clear that the federal government is no longer satisfied with private industry’s lagging cybersecurity protections. President Joe Biden signed an Executive Order to place new restrictions on software companies that sell their products to the federal government.

A spokeswoman for the National Security Council explained at the time the importance of a requirement that contractors would only gain access to federal systems on a “need-to-know” basis. Further, contractors would also have to notify government customers of any breach, bringing new transparency to the government about ongoing and increasingly frequent cybercrimes.

One other remarkable aspect of this attack, which led to an 11-day shutdown and gas shortages in the eastern US, is that the US Department of Justice recovered much of the ransomware payment.

Ransom payments are the fuel that propels the digital extortion engine, and the recovery of the payment marked something of a turning point in the year. Ransomware attacks continued, but life became more uncomfortable for the gangs involved.

In August, we welcomed Lesley Carhart to the Lock and Code podcast to talk about critical infrastructure cybersecurity. Surprisingly, she managed to reassure us that while there are improvements to be made to critical infrastructure security, it’s not nearly as bad as some people think.

Have a safe 2022, everyone!

The post The three most significant cyberattacks of 2021 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Dridex affiliate dresses up as Scrooge

Malwarebytes - Thu, 12/23/2021 - 23:36

Threat actors are hoping to catch a few more victims before they leave work for the Christmas holidays. The recent malicious spam campaigns (malspam) we and others have observed appear to have been created by someone who wants to play Scrooge and add onto people’s already heightened state of anxiety.

The lures are particularly mean, playing on people’s fears for job security and Covid infections. Unsuspecting users will open those attachments and get infected with Dridex, a multi-purpose loader that can drop additional payloads, including ransomware.

Dark lures

An email captured by TheAnalyst shows fake termination letters being sent out by a Dridex affiliate. What kind of employer would terminate someone on Christmas eve?

We’ve also seen similar morbid subjects using the latest Covid variant, Omicron, likely from the same threat actor.

The email claims that 80% of the company’s employees have tested positive for Omicron and that you were a close contact. Opening the so-called test results in the attached document delivers the malware.

Maldoc leads to Dridex

The Excel document is password protected in order to prevent sandboxes from analyzing and flagging it as malicious. It also requires user interaction, clicking on a pop-up dialog, in order to run the macro.

It drops a .rtf file into %programdata% and executes it via mshta.exe:

This is used to download the actual payload, hosted on a Discord server.

This binary belongs to the Dridex malware family:

Malwarebytes customers are protected against this attack thanks to our Anti-Exploit layer which automatically closes the malicious attachment before it can deliver its payload.

As always, we recommend users to stay particularly vigilant when opening emails, especially if those sound urgent and require immediate attention. When in doubt, it is best to contact your IT or HR department to ask for more information and confirm whether the email is legitimate.
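As an added defender-side example, not code from the article or from Malwarebytes, the following Python matcher flags two behaviours described on this page: mshta.exe executing a file dropped under %programdata% (the Dridex maldoc chain above) and the Purple Fox installer chain from the earlier post (the TextInputh.exe downloader launched by the fake Telegram Desktop.exe, then UAC switched off). The event fields, the use of the EnableLUA policy value to represent “UAC disabled”, and the parent-process relationships are assumptions; all events are constructed.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events, loosely modelled on Sysmon-style process-creation
# and registry-value fields (assumption); not real telemetry from either campaign.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Users\bob\Downloads\Telegram Desktop.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\TextInputh.exe",
     "parent": r"C:\Users\bob\Downloads\Telegram Desktop.exe", "cmdline": ""},
    {"type": "registry", "image": r"C:\Users\bob\AppData\Local\Temp\TextInputh.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "value": "0"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"mshta.exe C:\ProgramData\invoice.rtf"},
    # Benign-looking control case: mshta on a vendor file outside ProgramData.
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\helper.hta"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# EnableLUA=0 under this policy key turns UAC off (Windows fact, not from the article).
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua"
PROGRAMDATA_RE = re.compile(r"(?i)(?:%programdata%|[a-z]:\\programdata)\\")

Hit = Optional[Tuple[str, str]]  # (severity, reason)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_mshta(ev: Dict[str, str]) -> Hit:
    """Dridex chain: mshta.exe executing a file that lives under %programdata%."""
    if ev["type"] != "process" or basename(ev["image"]) != "mshta.exe":
        return None
    if not PROGRAMDATA_RE.search(ev["cmdline"]):
        return None
    # An Office parent matches the macro-driven delivery described in the post.
    sev = "high" if basename(ev["parent"]) in OFFICE_APPS else "medium"
    return (sev, "mshta.exe run against a file under ProgramData")


def check_uac_disable(ev: Dict[str, str]) -> Hit:
    """Purple Fox chain: UAC switched off via the EnableLUA policy value."""
    if ev["type"] != "registry" or ev["key"].lower() != UAC_KEY:
        return None
    if ev["value"] != "0":
        return None
    return ("high", f"EnableLUA set to 0 by {basename(ev['image'])}")


def check_dropper(ev: Dict[str, str]) -> Hit:
    """Purple Fox chain: the named downloader spawned by the fake installer."""
    if ev["type"] != "process" or basename(ev["image"]) != "textinputh.exe":
        return None
    sev = "high" if basename(ev["parent"]) == "telegram desktop.exe" else "medium"
    return (sev, "TextInputh.exe downloader launched")


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every check over every event; returns (severity, reason, image)."""
    hits = []
    for ev in events:
        for check in (check_mshta, check_uac_disable, check_dropper):
            hit = check(ev)
            if hit:
                hits.append((hit[0], hit[1], basename(ev["image"])))
    return hits


if __name__ == "__main__":
    for sev, why, img in triage(EVENTS):
        print(f"[{sev}] {img}: {why}")
```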

Indicators of compromise

Malicious documents

Dridex payloads

Network IOCs
The post Dridex affiliate dresses up as Scrooge appeared first on Malwarebytes Labs.

Categories: Techie Feeds

