Techie Feeds

A week in security (December 28 – January 3)

Malwarebytes - Mon, 01/04/2021 - 15:52

First off we would like to wish all our readers a happy and secure 2021!

Last week on Malwarebytes Labs we presented an overview of developments in the SearchDimension hijackers, we looked at the most enticing cyberattacks of 2020, and we also looked back at the strangest cybersecurity events of 2020.

Other cybersecurity news:
  • Google patched a bug in its feedback tool that could be exploited by an attacker to potentially steal screenshots of sensitive Google Docs documents. (Source: The Hacker News)
  • Section 230: The social media law that is clogging up stimulus talks. (Source: CNet)
  • Apple has lost its copyright battle against iOS virtualization startup Corellium. (Source: TechSpot)
  • Microsoft confirmed that the suspected Russian hackers behind the SolarWinds security breach also viewed some of the company’s source code. (Source: CNN)
  • Over 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to connected devices. (Source: ZDNet)
  • A data breach broker is selling allegedly stolen user records for 26 companies on a hacker forum. (Source: BleepingComputer)
  • Hackers have livestreamed police raids on innocent households after hijacking their victims’ smart home devices and making a hoax call to the authorities. (Source: BBC News)
  • The US Department of Homeland Security (DHS) has published a guide to the risks that businesses run if they use tech created in China. (Source: The Register)

Stay safe, everyone!

The post A week in security (December 28 – January 3) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The strangest cybersecurity events of 2020: a look back

Malwarebytes - Thu, 12/31/2020 - 16:00

This year is finally coming to an end, and it only took us about eight consecutive months of March to get here. There is a ton to talk about, and that’s without even discussing the literal global pandemic.

You see, 2020’s news stories were the pressure-cooker product of mania, chaos, and the downright absurd. “Murder hornets” made the journey to the US. Mystery seeds from China arrived in US mailboxes. The Pentagon officially released three videos of “unidentified aerial phenomena”—which many interpreted as three videos of alien spacecraft.

Also, a star vanished. Yes. Brighter than our sun, nestled into the same distant galaxy that cradles the constellation of Aquarius, and glinting a pale, cornflower blue onto its neighbors, the massive star simply disappeared one day. No supernova. No stellar collapse. No black hole.

Honestly? Bravo, star.

So, in a year unbridled in strangeness, it only fits that the cybersecurity events we witnessed produced equally head-scratching responses. The cybersecurity events of 2020 we’ve collected here are not the most destructive, the most shocking, or the most enticing (we covered those earlier this week). They are, instead, the mysteries, the embarrassments, and the face-palms.

They are the events that made us collectively say: “Wait… seriously?”

A digital vaccine for a physical illness

We hate to start our jovial list with coronavirus news, but this one was too absurd to pass up.

In late March, we found threat actors trying to convince unsuspecting victims to install an alleged digital antivirus tool that would protect them from the physical coronavirus. In the scheme, scam artists built a malicious website that advertised “Corona Antivirus -World’s best protection.”

The website also claimed:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

What threat actors were hiding behind the website was an attempt to install the BlackNET Remote Access Trojan, which can deploy DDoS attacks, take screenshots, execute scripts, implement a keylogger, and steal Firefox cookies, passwords, and Bitcoin wallets.

TikTok: an on-again, off-again relationship

Back in December of 2019, the US Army banned its members from downloading the massively popular video sharing app TikTok on government-issued devices. At the time, Army spokesperson Lieutenant Colonel Robin Ochoa described the app to the outlet as “a cyberthreat.”

Fast forward several months to the start of summer, when TikTok then received the worst kind of attention that any up-and-coming app can receive: that from a devoted Reddit user. The Reddit user claimed to have “reverse-engineered the app,” and said that TikTok was nothing more than “a data collection service that is thinly-veiled as a social network.” The app allegedly collected tons of data about users’ phones, the other apps they’ve installed, their network, and some GPS info.

The negative attention piled onto TikTok until, in August, President Donald Trump said he would ban the app from the US market.

With deadlines pressing, TikTok entered a flurry of sales talks, meeting with Microsoft, Oracle, and even Wal-Mart. A deal was initially struck with Oracle and Wal-Mart, with the President granting partial sign-off in September. But the deal at the time still needed approval from a committee here in the US called the Committee on Foreign Investment in the United States, or CFIUS.

The way TikTok tells the story, that committee ghosted the company for months. As the company told the outlet The Verge:

“In the nearly two months since the President gave his preliminary approval to our proposal to satisfy those concerns, we have offered detailed solutions to finalize that agreement – but have received no substantive feedback on our extensive data privacy and security framework.”

So, did the administration claim a national security threat and then just… forget about it?

Data leakers suffer leaked data

In January, the FBI seized the domain of the WeLeakData website, which claimed to have more than 12 billion records containing personal information pilfered from more than 10,000 data breaches. The website offered a “subscription” service, letting users buy access to the database for months at a time.

It was a pretty nefarious service, and after the FBI seized the domain, the saga actually continued in May.

You see, an older database of WeLeakData itself leaked online, including information belonging to countless users who had bought WeLeakData’s subscription services. Now the tables had turned—login names, email addresses, hashed passwords, IP addresses, and even private messages between users were being sold and purchased online.

Shade ransomware operators turn to the light

In April, a group that claimed to have developed the Troldesh ransomware—also known as the Shade ransomware—publicly published all of its remaining decryption keys for anyone still suffering from an earlier attack.

Posting on GitHub, the group said:

“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”

The decryption keys were real, and were even used by Kaspersky to help develop a decryption tool, which, in time, would be used by the No More Ransom initiative which helps victims of ransomware retrieve encrypted data without having to pay a ransom.

So, what changed these threat actors into threat solvers? A sudden clarity of the conscience? Or was it that Troldesh wasn’t really paying out anymore, so it wasn’t worth the trouble of keeping it running?

We don’t know, but we’re happy either way.

One password to ruin them all

Earlier this month, Florida police raided the home of former government data scientist Rebekah Jones who, after being fired in May, had continued to post statistics about the state’s COVID-19 cases and deaths. The police said they investigated Jones because she had allegedly gained unauthorized access into the state’s emergency-responder system to send a wide alert to government employees.

But, according to Jones, that’s not true. Jones told CNN that she did not access the state’s emergency-responder system, and that she did not author the widely sent message.

When The Tampa Bay Times followed up with the Florida police to ask what measures they had implemented to safeguard the system, the police were tight-lipped.

According to Ars Technica, that stonewalling might be because the actual truth was far too embarrassing: Every single employee who logs into the system uses the same username and password, both of which are available to the public online.

Source: Ars Technica

Where’s the face-palm emoji?

Of printers and problems

This fall, we started getting reports about a new type of malware that we were allegedly not detecting, but which was instead being reported by the built-in anti-malware features on macOS.

When we investigated further, though, we found that most of these “malware” reports were related to Hewlett-Packard (HP) printing drivers, and that many of the messages that users received generally popped up whenever those users had tried to print something on their HP printers. Curious, no?

The problem, we found, lay with certificates. What’s that? Allow us to explain.

Certificates help keep the Internet running. They are a way to verify that the server you connect to is really owned and operated by the business you’re trying to communicate with, like, say, your online bank. But for years now, Apple has increasingly pushed software developers into using certificates to cryptographically sign and verify their own software. Without developer signoff, software users will have a ton of trouble using that software on Apple devices.

Back to the HP printer problem. It turns out that an HP certificate that was used to sign HP drivers had been revoked. By whom, you ask?

By HP! Seriously. As the company told The Register:

“We unintentionally revoked credentials on some older versions of Mac drivers. This caused a temporary disruption for those customers and we are working with Apple to restore the drivers.”

Unfortunately, we’re still getting reports of these problems today, and threat actors are jumping on the opportunities, setting up malicious websites that promise to fix the problem.

Dead eye

This is more of a digital surveillance story than a straight cybersecurity tale, but it deserved a place on our list as an honorable mention. This year, Motherboard revealed that a secretive company had been selling stealthy surveillance products to cops.

The products? Cameras hidden within vacuum cleaners, baby car seats, and gravestones.

Source: Motherboard

To a new year

We’re almost in 2021, but a new day doesn’t magically bring new, improved cybersecurity across the globe. Instead, read the news, install antivirus, and protect yourself online. It’s the most clear-headed advice out there.

The most enticing cyberattacks of 2020

Malwarebytes - Wed, 12/30/2020 - 16:00

In 2020, we experienced a major shift. Much of the world pitched in to limit the spread of the coronavirus, with people changing their daily routines to include a mixture of working from home, standing in socially-distanced lines, and awaiting local rules about what they could and could not do with members of different households.

It was a stressful and confusing time, and during it, cybercriminals adapted—sometimes a little too well.  

Today, we’re going to talk about some of the most nefarious and shameful tricks we saw online in 2020. What we’re sharing is not a list of the most destructive attacks or the most serious—as that list would certainly be topped by the recent SolarWinds attack. Instead, this is a list of the cyberattacks and cyberattack techniques that surprised us, whether because of their near-imperceptibility, or because of their severe harshness.

These are the most enticing—or the most impossible-to-ignore—cyberattack lures and cyberattack capabilities of 2020.

Coronavirus, coronavirus, coronavirus

Beginning in February, Malwarebytes and many other cybersecurity researchers had already recorded a significant uptick in coronavirus lures being used to trick people into opening malicious emails and visiting dangerous websites.

First up, we found cybercriminals who impersonated the World Health Organization to distribute a fake coronavirus e-book. That attack vector must have worked, because in the same month, cybercriminals again impersonated the World Health Organization to spread the invasive keylogger Agent Tesla.

Other, similar efforts included impersonations of a nondescript “Department of Health” with pleas for donations, and reported Pakistani state-sponsored threat actors spreading a Remote Administration Tool through a coronavirus-themed spearphishing campaign. In fact, even the operators of the most-wanted cyberthreats Emotet and TrickBot switched up their lure language to focus on coronavirus.

One of the many impersonations found online immediately following the pandemic

We see this story during every major crisis: A panicked and confused public looks for answers anywhere, including their inboxes. By taking advantage of this fear, threat actors are able to swindle countless victims who only wanted some guidance and clarity in their lives.

Tupperware credit card skimmer just one of many similar attacks

In the earliest days of responding to the coronavirus pandemic, local and state governments across the world began shutting down non-essential storefronts in an effort to limit the spread of COVID-19. While grocery stores and pharmacies remained open, other retail stores were sometimes forced to shift to an entirely online business model, since foot traffic became non-existent. This meant more stores selling more items online, and more people making their purchases on the Internet.

But where online shopping increased, so did attempts to steal online credit card data.

In March, Malwarebytes uncovered an active cyberattack against the food storage product-maker Tupperware. In the attack, threat actors managed to compromise Tupperware’s primary website by inserting malicious code into an image file that would trigger a fraudulent payment form during the checkout process.

To unsuspecting users, the cyberheist was nearly undetectable. Upon trying to check out from Tupperware’s online store, victims would first be shown a fraudulent, convincing payment form that asked for their credit card number, expiration date, and three-digit security code.

The rogue payment form that greeted victims of the attack on Tupperware

After victims confirmed their credit card details, they then received a warning notice that the website had timed out, and that they had to enter their credit card details a second time. Though this second payment form was actually legitimate, it was too late—the cyberthieves already had what they wanted.

The Tupperware attack was just one of many similar attacks in 2020. In fact, in March alone, we recorded a 26 percent increase in credit card skimming attacks compared to the month earlier. And February itself wasn’t a quiet month, as we also found threat actors hiding a credit card skimmer within a fake content delivery network.

Emotet blends into the crowd (of email attachments)

In 2020, one of the most devastating cyberthreats seriously improved its camouflage.

For more than two years, a dangerous malware called Emotet has proved to be one of the biggest threats facing businesses across the world. That’s because Emotet, which began as a banking Trojan, has evolved into a sophisticated threat that often serves as a first step into broader and longer-lasting cyber damage.

For most businesses today, an Emotet attack is no longer just an Emotet attack. Instead, a successful Emotet attack can go undetected for days or even weeks. In the meantime, threat actors can use Emotet to download a separate banking Trojan called TrickBot, and then the Ryuk ransomware.

Making matters worse is that, over the years, Emotet has become increasingly hard to spot on first read. The banking Trojan is primarily spread through malspam: malicious emails that contain dangerous attachments such as macro-enabled documents, or malicious links. While similar malspam efforts are easy to detect, like the one-off billing invoice from a never-seen email address, Emotet is different.

In roughly one year, Emotet found a way to not only insert itself into active email threads, but to also copy and re-send legitimate email attachments so as to hide its own malicious payload amongst a set of documents that an email user may already recognize.

In tandem with implementing these new techniques, Emotet also came roaring back in the summer. Months later, it also received a superficial facelift, lurking within a fake Microsoft Office update request.

We don’t know when we’ll finally be rid of Emotet, but we know that day can’t come soon enough.

Ransomware grows fond of extortion  

In November of last year, a security staffing firm based in Pennsylvania faced an impossible deadline. They had just been hit with a ransomware attack, and, in one of the first documented cases at the time, they were given an option: pay the ransom, or your confidential files get leaked online for everyone to see.

This was the work of the so-called “Maze Crew,” operators behind the Maze ransomware.

In Pennsylvania, the clock was ticking, and the Maze Crew began to signal that it wasn’t playing around. Using an email address connected to Maze ransomware attacks, someone from the Maze Crew emailed a reporter at Bleeping Computer and basically bragged about their attack. In their email, they wrote:

“I am writing to you because we have breached Allied Universal security firm (, downloaded data and executed Maze ransomware in their network.

They were asked to pay ransom in order to get decryptor and be safe from data leakage, we have also told them that we would write to you about this situation if they dont pay us, because it is a shame for the security firm to get breached and ransomwared.

We gave them time to think until this day, but it seems they abandoned payment process.”

The security firm refused to pay Maze Crew’s ransom, and, true to its word, Maze Crew released 700 MB of data and stolen files from the attack.

Interestingly, the operators behind Maze ransomware claimed in November that they were retiring. Whether or not they’re to be believed, the damage they’ve done is everlasting. Following the extortion stint they pulled last year, other threat actors followed suit. In fact, according to one report in August, 30 percent of all ransomware attacks now involve extortion threats. In 22 percent of attacks, threat actors actually take the first step in fulfilling those threats, having exfiltrated data from their targets.

If only threat actors didn’t look to other threat actors for inspiration.

Release the Kraken

In October, our threat intelligence team published its findings on a cyberthreat that is as elusive and as slippery as its name: Kraken.

The attack first came through a malicious document, likely spread through spearphishing campaigns, that promised information about obtaining workers’ compensation. Opening the document and enabling its content connects to “yourrighttocompensation[.]com” and downloads a separate image. Inside, a malicious macro starts a chain of events that loads and executes a payload from memory.

The payload is a .NET DLL that injects embedded shellcode into the Windows Error Reporting service process, WerFault.exe. But before the attack actually triggers, the DLL performs a few sly tricks to avoid detection. First, it checks for the presence of a debugger by measuring the time it takes to complete a certain set of instructions. Then it checks for the presence of VMware or VirtualBox. It then checks for a processor feature, and the shellcode also checks for a debugger. After one final debugger check, it creates its final shellcode in a new thread.

After all that work, the final shellcode makes an HTTP request to download a malicious payload.
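As an added example (not Malwarebytes code), the following Python script shows detection logic for the injection chain just described, run over a few constructed process, remote-thread and network events modelled loosely on Sysmon telemetry; the field names, the Office-parent heuristic and the sample values are assumptions.

```python
"""Detection logic for the WerFault.exe injection chain described above.

Added example, not Malwarebytes code. Events are constructed and loosely
modelled on Sysmon event types (process create, network connect,
CreateRemoteThread); the field names are an assumption, not a real schema.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

WERFAULT = r"C:\Windows\System32\WerFault.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample telemetry: a document-borne loader starts WerFault.exe,
# injects a thread into it, and the injected shellcode then calls out over HTTP.
SAMPLE_EVENTS: List[Dict] = [
    {"event": "process_create", "pid": 4120, "image": WERFAULT,
     "parent_pid": 3300, "parent_image": WINWORD},
    {"event": "remote_thread", "source_pid": 3300, "source_image": WINWORD,
     "target_pid": 4120, "target_image": WERFAULT},
    {"event": "network", "pid": 4120, "image": WERFAULT,
     "dest": "203.0.113.10", "dest_port": 80},
    # Benign noise: a crash handler started by the WER service host, with no
    # injection and no network activity.
    {"event": "process_create", "pid": 5001, "image": WERFAULT,
     "parent_pid": 900, "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"event": "network", "pid": 2200,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "198.51.100.5", "dest_port": 443},
]

# Heuristic (assumption): the crash reporter has no business being a child of
# an Office application.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

Finding = Tuple[str, int, str]  # (rule name, WerFault PID, detail)


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_werfault(path: str) -> bool:
    return basename(path) == "werfault.exe"


def detect_werfault_abuse(events: List[Dict]) -> List[Finding]:
    """Flag WerFault.exe processes that look like injection targets.

    Three per-event rules, plus one correlation rule that fires when the
    same WerFault PID both received a remote thread and made a network
    connection, which is the behaviour described for this payload.
    """
    injected: Dict[int, str] = {}            # WerFault pid -> injecting image
    connections: Dict[int, List[str]] = defaultdict(list)
    findings: List[Finding] = []

    for e in events:
        kind = e["event"]
        if kind == "process_create" and is_werfault(e["image"]):
            if basename(e["parent_image"]) in OFFICE_PARENTS:
                findings.append(("werfault_spawned_by_office", e["pid"], e["parent_image"]))
        elif kind == "remote_thread" and is_werfault(e["target_image"]):
            # WerFault creating threads in itself is normal; anything else is not.
            if not is_werfault(e["source_image"]):
                injected[e["target_pid"]] = e["source_image"]
                findings.append(("remote_thread_into_werfault", e["target_pid"], e["source_image"]))
        elif kind == "network" and is_werfault(e["image"]):
            dest = f'{e["dest"]}:{e["dest_port"]}'
            connections[e["pid"]].append(dest)
            findings.append(("werfault_network_connection", e["pid"], dest))

    # Correlation: injected WerFault that then talks to the network.
    for pid, source in injected.items():
        if pid in connections:
            findings.append(("injected_werfault_beaconing", pid,
                             f"{source} -> {', '.join(connections[pid])}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect_werfault_abuse(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```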

There is a bit of good news here, though. On further investigation, we found that this sneaky threat was not tied to any active APT group, but instead was the work of red team activities testing security.

Imposter syndrome

In April, our team discovered that a group of threat actors had built a malicious website meant to serve as a gate to the Fallout exploit kit, which can distribute the Raccoon information stealer.

The method itself is nothing new, and threat actors build malicious websites all the time for just these types of attacks. What did surprise us, though, is the organization that the threat actors tried to impersonate: It was us, Malwarebytes.

The malicious domain, at malwarebytes-free[.]com, presented users with much of the same information on our own homepage, as that information was simply swiped and reposted.

Scammers created a convincing copy of our site because they copied everything we wrote

The domain was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and was, at the time, hosted in Russia at 173.192.139[.]27. When we looked closer, we found a short piece of JavaScript on the copycat site that checked a user’s web browser. If the user was visiting the site on Internet Explorer, they would be led to a malicious URL which belonged to the Fallout exploit kit.

If these cyberthieves were trying to flatter us, it didn’t work.

A very long year

In 2020, not only did the coronavirus prove to be one of the most long-running lures to trick people into having their machines infected, but the capabilities of malware increased dramatically.

It isn’t all doom and gloom this year, though. Malwarebytes has done an enormous amount of work to keep you safe, and we’re constantly tracking what goes bump in the night to make sure you’re safe throughout the day.

Also, we shouldn’t get ahead of ourselves and judge all cyberthreats this year by the most alluring ones. In fact, tomorrow, we’re going to take a look at the strangest cyber events of 2020, and, spoiler alert, sometimes threat actors mess up hard.  

SearchDimension search hijackers: An overview of developments

Malwarebytes - Tue, 12/29/2020 - 16:05

Background information on SearchDimension

SearchDimension is the name of a family of browser hijackers that makes money from ad clicks and search engine revenues. The family was named after the domain that popped up in 2017, and they still sometimes use the letter combo SD in the names of their browser extensions.

Recent developments in the SearchDimension family

Over the last year we have seen this family evolve and expand into the world of PUPs and adware. Below are some of the latest additions to their arsenal.

  • Web push notifications: together with Adware.Adposhel, SearchDimension was among the first families to make full use of the potential provided by web push notifications for advertising.
  • Your browser is managed: the SearchDimension developers created an installer that not only installed their search hijacking extension but also made the “Remove” button disappear on the extension listing, telling frustrated users their browser was not their own to manage.
  • One of their most recent additions is a Chromium-based browser that replaces your default browser when you install it. This new default browser then behaves the same as a normal Chrome browser with one of the search hijacker extensions installed.
  • Another new trick comes with extensions that read your browser history to grab the search term the user looked for. The extension then closes the original search tab and opens a new tab with their own search engine looking for that search term. Basically, this comes down to lying about the permissions so users will not notice that the extension is a search hijacker.

How can you recognize SearchDimension hijackers?

There are many subfamilies and different versions within those families, but there are some tell-tale signs of the SearchDimension family. First and foremost, they use a few website templates that are very typical. These are the six most common ones.

Depending on the referring websites, you may be asked to accept notifications from the search hijacker’s domain. Every domain I have seen from them recently has this option but the referring URL does not always trigger this behavior. So, anyone directly visiting such a domain will not see the notifications prompt.

Then there is one page that comes up very often after you have installed one of the extensions. It looks like this:

The name of the extension and the “sponsors” will vary but the blue and white fields with the circular logo are very typical for the “Thank you for installing … “ page.

The wording in the entry in the list of installed Chrome extensions also comes from a rather limited set, and will usually have one of these formats:

  • Search by {extension name}. The best way to search. This one is by far the most common.
  • This extension configures your Default Search in Chrome browser to provide these features. Which features remain unsaid.
  • {extension name} is an extension that replaces your default search to Yahoo to provide more features. This one seems very specific for the PUP.Optional.SearchDimension subfamily.
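As an added example (not the article’s or Malwarebytes’ code), this Python script turns the tell-tale signs above into a triage check over a few constructed manifest.json files: the three description templates, the SD letter combo in the name, and the default-search override combined with the history and tabs permissions that the tab-swap trick needs. The verdict rule and the sample extensions are assumptions.

```python
"""Triage Chrome extension manifests for the SearchDimension tell-tale signs
described above.

Added example, not Malwarebytes code. The manifests are constructed and the
verdict rule is an assumption.
"""
import json
import re
from typing import Dict, List

# The description templates quoted in the article, as regular expressions.
DESCRIPTION_TEMPLATES = [
    re.compile(r"^Search by .+\. The best way to search\.?$", re.I),
    re.compile(r"configures your Default Search in Chrome browser to provide these features", re.I),
    re.compile(r"replaces your default search to Yahoo to provide more features", re.I),
]
# "SD" as a stand-alone token in the extension name.
SD_IN_NAME = re.compile(r"(?<![A-Za-z])SD(?![a-z])")


def triage_manifest(manifest: Dict) -> Dict:
    """Return the signals found and a verdict for one parsed manifest.json.

    Verdict rule (assumption): a template description alone is enough; otherwise
    a default-search override combined with history+tabs permissions is needed.
    """
    name = manifest.get("name", "")
    description = manifest.get("description", "").strip()
    permissions = set(manifest.get("permissions", []))
    overrides = manifest.get("chrome_settings_overrides", {})

    signals: List[str] = []
    template_hit = any(p.search(description) for p in DESCRIPTION_TEMPLATES)
    if template_hit:
        signals.append("description matches a SearchDimension template")
    if SD_IN_NAME.search(name):
        signals.append("'SD' letter combo in extension name")
    sets_search = "search_provider" in overrides
    if sets_search:
        signals.append("overrides the default search provider")
    reads_history = {"history", "tabs"} <= permissions
    if reads_history:
        signals.append("history + tabs permissions (tab-swap hijack prerequisites)")

    suspicious = template_hit or (sets_search and reads_history)
    return {"name": name, "suspicious": suspicious, "signals": signals}


def triage_all(manifest_texts: List[str]) -> List[str]:
    """Parse raw manifest.json strings and return the names judged suspicious."""
    verdicts = [triage_manifest(json.loads(text)) for text in manifest_texts]
    return [v["name"] for v in verdicts if v["suspicious"]]


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [
    json.dumps({
        "name": "SD Quick Search",
        "description": "Search by SD Quick Search. The best way to search.",
        "permissions": ["tabs", "storage"],
        "chrome_settings_overrides": {"search_provider": {
            "name": "SD Quick Search", "keyword": "sd", "encoding": "UTF-8",
            "search_url": "https://search.example.invalid/?q={searchTerms}",
            "is_default": True}},
    }),
    json.dumps({
        # Promises privacy protection, actually rewires search and reads history.
        "name": "Privacy Shield",
        "description": "Protects your privacy while you browse.",
        "permissions": ["history", "tabs", "webRequest"],
        "chrome_settings_overrides": {"search_provider": {
            "name": "Shield Search", "keyword": "shield", "encoding": "UTF-8",
            "search_url": "https://shield.example.invalid/?q={searchTerms}",
            "is_default": True}},
    }),
    json.dumps({
        # Legitimate use of history+tabs without a search override: not flagged.
        "name": "Tab Tidy",
        "description": "Group and clean up your open tabs.",
        "permissions": ["history", "tabs"],
    }),
    json.dumps({
        "name": "Weather Now",
        "description": "Shows the local forecast in the toolbar.",
        "permissions": ["storage"],
    }),
]

if __name__ == "__main__":
    for text in SAMPLE_MANIFESTS:
        print(triage_manifest(json.loads(text)))
```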

Another weak spot in the development process for new variants seems to be the icon. Although they have come up with a lot of them, there is one that is repeated a lot.

The “A” in a blue field is often used for variants that have a short life span. These variants are often only around for a few days before they get removed from the Webstore.

Some variants, including the WebNavigator browsers, add a table of graphics representing Search Recommendations to the search results. This will look like this:

Different subfamilies of SearchDimension

One could divide this family up into subfamilies based on their behavior, and at Malwarebytes we detect these subfamilies under different names. Below you will find a short description of the methods these subfamilies use and the Malwarebytes detection name for each subfamily.

  • The web push notifications are a part of all the subfamilies. If the user has accepted web push notifications, Malwarebytes will detect them as PUP.Optional.PushNotifications.Generic.
  • The subfamily that only uses the trick to close and open a new search tab will be detected by Malwarebytes as PUP.Optional.SearchEngineHijack.Generic.
  • The variants that change the default search engine and the ones that show “Search Recommendations” will be detected by Malwarebytes as Adware.SearchEngineHijack.Generic.
  • The subfamily that consists of Chromium-based browsers that replace your default browser is detected by Malwarebytes as PUP.Optional.WebNavigator.

Unfortunately, because some of these subfamilies use more than one method of browser hijacking, detection names do not always follow this pattern exactly: the name depends on which behavior(s) our engine detects. The big advantage of these generic detections, however, is that they pick up new variants on their first appearance.

Advice on search hijackers and other adware

Changing your default search provider or installing adware should only be done with user consent, which is something these search hijackers often forget. They try to get installed by making promises they do not intend to keep and “forget to mention” what they are actually up to. We have seen search hijackers promising to be ad blockers, privacy protectors, and even ones that promise to provide antivirus protection. At best, they replaced existing advertisements with their own.

Installing a browser extension just to change your default search provider is something I would advise against. It’s easy enough to change the default search engine in the browser settings, and if the one of your choice is not listed there, I would recommend you only install an extension with a proven track record and one that really adds some value.

It’s an error to think that these search hijackers only bother Windows users. Most of the prevalent search hijackers aim at Chrome/Chromium browsers and sometimes Firefox. As a consequence, most of them can also be installed on macOS systems.

Recommended reading

For those interested in this subject, I have gathered some related links.

Removal methods:

How to remove adware from your PC

Browser push notifications: a feature asking to be abused

Adware the series, part 1

Mac adware is more sophisticated and dangerous than traditional Mac malware

Three million users installed 28 malicious Chrome or Edge extensions

Stay safe, everyone!

A week in security (December 21 – December 27)

Malwarebytes - Mon, 12/28/2020 - 17:04

Last week on Malwarebytes Labs we warned our readers about not-so-festive social media scams, looked at how Emotet returned just in time for Christmas, tried out some free online games your kids are playing (and here’s what happened), and our VideoBytes episode talked about what penetration testing tools malware gangs love to use and why they are better than what you can get on the black market.

Other cybersecurity news:
  • Cybercriminals issued a fake mobile version of Cyberpunk 2077 that’s actually ransomware. (Source: TechSpot)
  • The Trump administration is pushing to make major adjustments to the Pentagon organizations charged with cybersecurity and intelligence. (Source: CNN)
  • An international takedown of a virtual private network (VPN), dubbed Operation Nova, ended an organization engaged in bulletproof hosting. (Source: US DoJ)
  • Europol and the European Commission are launching a new decryption platform to help law enforcement agencies decrypt data that have been obtained as part of a criminal investigation. (Source: GovInfoSecurity)
  • Hacker publishes stolen email and mailing addresses of 270,000 Ledger cryptocurrency wallet users. (Source: Hot for Security)
  • The group behind the SolarWinds hack also tried to compromise security firm CrowdStrike. (Source: engadget)
  • China used stolen data to track CIA operatives in Africa and Europe since around 2013. (Source: Fox Business)
  • Apple, Google, Microsoft, and Mozilla unite to ban Kazakhstan’s citizen-tracking certificate. (Source: TechSpot)
  • A large scale phishing scam is underway that pretends to be a security notice from Chase stating that fraudulent activity has been detected and caused the recipient’s account to be blocked. (Source: BleepingComputer)
  • SolarWinds releases known attack timeline, new data suggests hackers may have done a dummy run last year. (Source: The Register)

Stay safe, everyone!

VideoBytes: Offensive security tools and the bad guys that use them

Malwarebytes - Thu, 12/24/2020 - 16:30

Hello Folks! In this Videobyte, we’re talking about what penetration testing tools malware gangs love to use and why they are better than what you can get on the black market.

This article describes the VirusBulletin talk of a security researcher from Intezer Labs, Paul Litvak, in which he discusses his effort to identify how often offensive security tools (like Mimikatz) are used by criminal threat actors.

His findings showed an alarming trend, and his observations boiled down to a theory that criminals are reducing their overhead by utilizing (sometimes freely available) offensive security tools, meant to identify weaknesses for network penetration testers, to do much of the heavy lifting they need to infiltrate networks.

For example, in many cases the tools used for lateral movement, initial infection and remote access were all created by security researchers. By contrast, information-gathering tools, an area in which black-hat groups’ tooling is much better than what penetration testers use, tended to be custom-built by the criminals themselves.

Another interesting observation was that the more technically complex a tool was to use, the less often attackers used it. This suggests that adding complexity to the use of these tools may act as a deterrent for some criminals.

In addition, developers of these tools could embed unique identifiers (symbols, characters, data chunks in the code) to make them easier for scanners to identify.

Either way, the debate over whether offensive security tools help or hurt more will continue, but this study certainly scores a point for those who would prefer these tools be better protected.

The post VideoBytes: Offensive security tools and the bad guys that use them appeared first on Malwarebytes Labs.

Categories: Techie Feeds

I played the free online games your kids are playing and here’s what happened

Malwarebytes - Wed, 12/23/2020 - 15:11

“Throat kill! Throat kill!”

“I need a dad.”

These are just some of the things I heard a six-year-old boy shout at his iPad while I was babysitting one evening. I was disturbed, yet compelled to learn more.

Babysitting is always a puzzling experience for me. Why are their hands always sticky? Who eats a dry hamburger (literally just meat and bun)? Most puzzling, as it pertains to this story, what weird video games are children playing and are these games safe?

I asked my young ward for a list of his favorite games and played them all for a week. These games were Among Us, Roblox, and Fortnite. All three games are free, but there are some hidden costs to be aware of, which I’ll go over later. Chances are your kids (tweens and younger) are also playing Minecraft, Overwatch, and maybe even Grand Theft Auto Online. For this piece, I tried to focus on the games you might download for your kids just to get them out of your hair for an hour. Besides being free, each game is available on a handheld device and features a kid-friendly learning curve.

The experiment

To give myself the best chance of experiencing the kinds of dangers your kids might face, I tried to make decisions as a six-year-old would. Typically this meant putting absolute trust in my fellow players and spending money as if it were a limitless resource.

For the record, this reporter has no kids. I was an avid gamer through my twenties and I still play one or two marquee games a year, though I hadn’t played any of the games reported on in this story beforehand. I’m currently playing Cyberpunk 2077 (on Google Stadia).

So, after a week of playing video games, here’s what I found.

Kill animation from Among Us.

Among Us

YouTube videos featuring the sci-fi online multiplayer game Among Us were watched four billion times in September. US representatives Alexandria Ocasio-Cortez and Ilhan Omar both played the game with popular streamers on Twitch in the lead up to the 2020 elections. It’s safe to say Among Us is having a cultural moment—and no wonder. It’s free (on iOS and Android), it’s addictive, and it’s all about banding together with your fellow humans to vote out a deranged monster.

In the game, players are randomly assigned the role of either a crewmate or a shapeshifting alien creature posing as a crewmate (the impostor). As an impostor, your goal is to kill all the crewmates. As a crewmate, your objective is to identify all the impostors on the ship and eject them into space by way of a plurality vote.

When an impostor kills a crewmate, a short animation plays showing how the impostor performed the kill. The animations are bloodless and cute, as far as killing goes. One of the kill animations features the impostor producing a fencing sword from its throat and stabbing the victim. My young ward declared the “throat kill” as the “best type of kill” in Among Us and I agreed nervously as a single bead of sweat formed on my brow.

During my time with the game, I found it to be safe overall. There are built-in filters that stop players from swearing and any player can vote to kick another player out of the game for inappropriate behavior.

The game offers in-app purchases for cosmetics that can be used to dress up your player. These cosmetics cost real-life money. If your kids are playing on your personal phone or tablet, be sure to adjust your settings and require a password for every purchase to prevent them from going wild with your credit card.

Roblox

I stared into the abyss, and the abyss stared back. That about sums up my experience with Roblox.

Roblox isn’t so much a game as it is a massive platform for users to create their own games. As it stands, there are over 40 million games on Roblox. Most of them are terrible. Many are weird. Regardless of what game your kids are playing within the world of Roblox, they’ll need Robux, which is the in-game currency used to purchase clothing, items, upgrades, etc. Unless your enterprising little ones are creating and selling content in the game, they’ll need you to spend real-life money to get Robux for them. Payments are drawn from your Google, Microsoft, or Apple account. Whatever restrictions you have in place for in-app purchases will apply.

A typical Robux Generator scam site.

Robux scams

We’ve written about Robux Generator scams before, but here’s a quick rundown. A Google search for “free Robux” produces any number of suspect Robux generator sites. On these sites, you’ll be asked to enter your username and the amount of Robux you want. After some handwaving designed to suggest things are happening in the background, you’ll be redirected to a sketchy survey site. I tried several of these sites and I didn’t get any Robux.

There are Robux scams within Roblox itself. I found countless games advertising free Robux. Most of these were just bad, boring games that did nothing. One game asked me to buy a special shirt that would somehow allow me to earn more Robux. I bought the shirt and, no surprise, it did nothing. Another game asked me to click a box on-screen 100 times to win Robux. After a few dozen clicks, the box was discreetly replaced with another box. Clicking this second box bought me another worthless shirt.

Fortunately, avoiding Robux scams like these is easy. Educate your kids. Let them know not to share their username and password with anyone. You should also turn on multi-factor authentication (MFA) within Roblox. Doing so will make it a lot more difficult for a hacker to access your child’s account, even if they have the password.

Settings in Adopt Me! can be used to protect your children from getting scammed in-game.

Adopt Me!

Wandering around the cartoonish world of Adopt Me!, I was accosted by dozens of tiny little street urchins asking me to be their dad or offering me sketchy deals on exotic pets. And this is the most popular game on Roblox in a nutshell. Players choose to be either a baby or a parent. If you’re a parent, your job is to take care of a baby. If you’re a baby, then you need a parent to take care of you. Most players, however, focus their efforts on acquiring and trading pets. This is where I ran into trouble and your kids may too.

Adopt Me! has a built-in trading system that protects players from getting ripped off. Both players have to put an item into the trade window and accept the trade. As I found out, there are ways to get around these protective measures. I spent a little Robux to quickly acquire a rare and desirable pet to see if I could bait someone into scamming me. Another player offered to trade me a legendary pet, but the catch was that it had to be a surprise. This is called a “trust trade.” I put my pet in the window and accepted the trade. The other player walked away without giving me anything in return.

I was able to report the player and that’s about it. For its part, Roblox says it cannot reverse or return lost items or currency.

I didn’t experience any other scams while playing Adopt Me! There are accounts of sexual predators using Roblox to target children, though I never saw anyone say anything untoward during my time with the game. Roblox uses a chat moderation system to filter out offensive, adult, or otherwise inappropriate content. Regardless, you should warn kids not to share personal information and not to use third-party chat apps outside of Roblox. Parents can also turn off online chat, but that does take a lot of the fun out of the game. And if you’re worried about your kid’s Legendary Unicorn being stolen by some tween grifter, you can use the game’s settings to limit who they can trade with.

Jailbreak

Think of Jailbreak as Grand Theft Auto for kids. Players can choose to be a criminal and earn money zooming around town robbing banks. Alternately, players can choose to be a cop and earn bounties by arresting criminals. There are Game Passes that your child can purchase to unlock items within the game. Again, they’ll need Robux, which you’ll have to buy for them using real-life money. Players can sell or trade items to other players. Your little ones should proceed with caution whenever trading online with players they don’t know.

The Jailbreak crowd appears to skew older than Adopt Me! While playing Jailbreak, I saw players gently teasing other players and players with vaguely inappropriate usernames. Other than that, Jailbreak is a fun, safe game I wouldn’t mind playing if I had nothing better to do.

Fortnite

Epic Games, the studio behind Fortnite, has been making headlines lately over its legal wrangling with Apple. The complaint stems from Apple’s 30% cut of all in-game purchases—no small sum when you consider Fortnite pulled in $1.8 billion in revenue in 2019. While the game is free to play, you’re really only getting half the game if you don’t spend some of the in-game currency called V-Bucks.

Players have the option to buy a Battle Pass using V-Bucks. Battle Passes, in turn, allow players to unlock items and cosmetics (aka skins) by completing tasks within the game. With the Battle Pass system, players and parents know exactly what loot they’ll be getting for their money. Like all the other games featured in this story, V-Bucks are purchased using real-life money. If you have reservations about sharing your credit card info, you can buy V-Bucks gift cards at brick-and-mortar stores, including Target, Walmart, and GameStop.

My time with Fortnite was quite safe. Combat is cartoonish and non-violent with defeated players disappearing into the ether in a flashy show of lights. There was some crap talk, but players can report other players if things get out of hand. Accounts with desirable skins and weapons can be the target of hackers who turn around and sell stolen goods. Warn kids not to share their username and password or any personal information with anyone online.

Play with your kids

We’re at an interesting confluence of events right now. First, many of us are under shelter in place or stay at home orders. Second, kids are bored out of their minds. It’s all too easy to hand kids the Nintendo Switch or the smartphone and let them have at it. While the games covered in this story are relatively harmless, there are still some scams to watch out for. The best way to keep an eye on your kids is to play with them. My young ward and I had a great time playing on the same team in Fortnite. If video games aren’t your thing, at least check your account settings and make sure your kids need permission to make any purchases.

The post I played the free online games your kids are playing and here’s what happened appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Emotet returns just in time for Christmas

Malwarebytes - Tue, 12/22/2020 - 19:02

Emotet is a threat we have been tracking very closely throughout the year thanks to its large email distribution campaigns. Once again, and for about two months, the botnet stopped its malspam activity only to return days before Christmas.

In typical Emotet fashion, the threat actors continue to alternate between different phishing lures in order to social engineer users into enabling macros. However, in this latest iteration the Emotet gang is loading its payload as a DLL along with a fake error message.

Some of the malicious emails we collected used COVID-19 as a lure. This tactic was already seen in the spring but is still being leveraged, perhaps due to the massive second wave observed in the US as well as news about the vaccine rollout.

Christmas campaign repeat?

Emotet is most feared for its alliances with other criminals, especially those in the ransomware business. The Emotet – TrickBot – Ryuk triad wreaked havoc around Christmas time in 2018.

While some threat actors observe holidays, it is also a golden opportunity to launch new attacks when many companies have limited staff available. This year is even more critical in light of the pandemic and the recent SolarWinds debacle.

We urge organizations to be particularly vigilant and continue to take steps to secure their networks, especially around security policies and access control.

Malwarebytes users were already protected against Emotet thanks to our signature-less Anti-Exploit protection.

Indicators of Compromise

You can download indicators of compromise related to Emotet’s infrastructure on our GitHub page.

The post Emotet returns just in time for Christmas appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Beware: not so festive social media scams

Malwarebytes - Tue, 12/22/2020 - 14:04

We’re now into the most crucial stage of Christmas festivities, where money and gifts are on the march…and social media is a conduit for both good and bad tidings. This is the absolute best time for social media scammers to make their move. A little confidence trick here, the promise of good cheer there, and someone is going to be out of pocket.

Here’s a roundup of some of the most prevalent social media scams doing the rounds. Please let any friends and family know about these if you think they may be at risk from them.

Likes and shares for chocolate hampers

Got a sweet tooth? People up to no good hope so. Facebook, WhatsApp, and possibly other platforms are currently seeing fake Cadburys messages offering up non-existent goodies. Some of the missives are generic; others claim to be from specific managers at certain factory locations. Either way, people are asked to visit URLs to “Click and get yours” or to complete a form, depending on the message.

These fakeouts have been doing the rounds since 2018, and possibly earlier. There’s no real need to come up with anything particularly sophisticated over the holiday season. People like cool free stuff, and fakers want to (not) give it to them. Sadly, all people will get here are surveys asking them to hand over information to marketers. Don’t waste your time.

Rare tickets for even rarer events

I can’t imagine there are many events taking place now, given the COVID-19 situation. However, that hasn’t prevented scammers from trying to take advantage. Messages on Facebook claim there’s been an accident, or death in the family, and they can’t make it to an event. They offer the tickets for sale on social media portals. The problem: the relatives don’t exist, neither do the tickets, and the event has been cancelled. Despite being offered at a discounted price, it’ll all be for nothing—quite literally—should you pay.

While “going fast, buy now to avoid disappointment” deals are spur of the moment purchases, this is one you’ll want to pass up. It might sound obvious to suggest checking the event is going ahead, but in the real world that isn’t how things pan out up against the clock. So fight the urge to score a last-minute bargain, and at least make sure the thing you’re booking is still actually happening.

Social media based sextortion

A bit of an odd one, as this is more typically the realm of IM/voice and video comms. Scammers encourage people to perform sexual acts on camera, then use the footage to blackmail money from those individuals. The linked article cites social media but doesn’t go into specifics. It’s possible the scammers pick their marks on social media platforms, before moving to IM/video elsewhere. Definitely worth a mention, just in case.

Steer clear of these fake brand ambassador roles

If you’re out there using your skills to promote products and brands on social media, watch out. Companies, bogus or otherwise, are offering fake products and services if you agree to promote their wares. Potential victims are typically offered “free” items, so long as they pay for shipping. As the linked article states, you’re better off avoiding anything where someone wants you to pay upfront for “free” items. Get networking with other influencers and don’t be afraid to ask others if a business doing outreach seems too good to be true.

Social media, down to the wire

With so many people keeping in touch during the pandemic via social media, it’s a veritable playground for scammers. The sheer weight of numbers means potential victims are never far away.

It’s entirely possible to have a good time and remain cautious, and unfortunately there are just too many bad people out there to give us an alternative. They don’t care about ruining festivities, lives, bank accounts, or anything else, so it’s up to us to make sure confidence tricksters don’t gatecrash our party this Christmas.

The post Beware: not so festive social media scams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (December 14 – December 20)

Malwarebytes - Mon, 12/21/2020 - 11:52

Last week on Malwarebytes Labs we kept you updated on the SolarWinds attack, we warned about the special dangers that come with the Christmas season, published a threat profile for the Egregor ransomware, warned how a lead generation scam was targeting potential Malwarebytes MSP partners, and talked about smart toy security. We also posted a follow-up about the many ways you can be scammed on Facebook.

A VideoBytes episode spoke about the increase in brute force attacks due to more open RDP ports.

SolarWinds related cybersecurity news:

Several publications dealt with different angles and consequences of the SolarWinds attack:

  • Researchers at Prevasio explained how reverse engineering the Domain Generation Algorithm (DGA) revealed the list of victims. (Source: Prevasio blog)
  • Experts have begun pointing to concerns about potentially substandard security protocols, like an update server that was accessible with a simple password. (Source: NewsWeek)
  • Microsoft confirmed it found compromised SolarWinds code in its systems, but denied that its own software was compromised in a supply-chain attack to infect customers. (Source: Engadget)

Other cybersecurity news:
  • The CEO of decentralized finance (DeFi) insurer Nexus Mutual has lost the equivalent of over $8 million in a targeted attack. (Source: Coindesk)
  • Researchers found more than 45 million medical imaging files, including X-rays and CT scans, freely accessible on unprotected servers. (Source: betanews)
  • The Irish Data Protection Commissioner has announced a €450,000 fine on Twitter for data breaches under GDPR. (Source:
  • A threat actor is distributing fake Windows and Android installers for the Cyberpunk 2077 game, which install a ransomware calling itself CoderWare. (Source: BleepingComputer)
  • Five human rights defenders that were victims of NSO Group’s WhatsApp hacking have stepped forward to tell their stories. (Source: AccessNow)
  • Researchers have called for a determined path to cybersecurity because issues surrounding governance and a sense of responsibility are preventing mission success. (Source: SecureList)
  • A company called Capella Space launched a satellite capable of taking clear radar images of anywhere in the world, even through the walls of some buildings. (Source: Futurism)

Stay safe, everyone!

The post A week in security (December 14 – December 20) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The many ways you can be scammed on Facebook, part II

Malwarebytes - Sat, 12/19/2020 - 00:10

In part 1 of this article series, we looked at data mining schemes, scam ad campaigns, concert ticket scams, and PayPal fund transfer scams. Today, we continue to list the other scams you might encounter on Facebook.

Bitcoin trading scam

Who would have thought that a “simple” phishing scheme would be a front to a global Bitcoin trading scam?

Researchers from vpnMentor uncovered a scam operation with “many complex layers” not so long ago. According to their blog post, it starts off as an attempt to harvest Facebook credentials.

How do the fraudsters get users to hand over their credentials? They lure them in with the promise of revealing details on who has visited their profile.

One of the many phishing pages designed to nudge Facebook users to give away their credentials. (Above and below screenshots courtesy of vpnMentor)

After a Facebook user keys in their username and password, they are shown a purported number of people—32 of them—and a list of who has viewed their profile. Or not, as some users report.

Complaints about this Facebook app “not working” (Courtesy of vpnMentor)

Fraudsters then use the stolen Facebook credentials to hijack victim accounts and spam comments to their network. The spam contains a link to another batch of scam websites, intended to funnel people to a fraudulent Bitcoin scheme.

Not all spammy posts contain a link to the fake Bitcoin sites, though. At times, users are deliberately directed to fake and even legitimate news sites, according to vpnMentor researchers. This is to confuse Facebook’s algorithm and so prevent hijacked accounts from getting blocked. However, the fake sites eventually lead to fake Bitcoin sites, too.

Facebook users who arrive at this point are encouraged to sign up for a free Bitcoin trading account and deposit 250 Euros so they can start trading.

Facebook grant scams

COVID-19-related scams appear to be the scam du jour. And since Facebook began its grants program to small businesses heavily affected by the pandemic, scammers have angled their phishing campaigns to make it sound like Zuck is doling out money to all Facebook users affected by COVID-19.

Kaspersky has reported on one variant of this phishing scam, which started off with a fake CNBC report about Facebook giving grants to users hit by the pandemic and a link to where they can apply for one.

CNBC did cover the Facebook grants story, but this is not it. Also, fbgrantapplication[dot]ga, and probably other URLs, doesn’t really seem legit, does it? (Courtesy of Kaspersky)

Users who visit the URL are taken to a site that resembles the official site of Mercy Corps, an organization offering humanitarian aid, where they are asked for their Facebook username and password. The site also asks for more personally identifiable information (PII), such as physical address, SSN, and even an ID scan, to “verify” the Facebook account, which the fake site claims is needed to accept a grant application.

At this point, users have not only granted fraudsters access to their Facebook account, but also fed them enough information to pose as the victim and attempt to access their other accounts.

The Federal Trade Commission (FTC) has also reported not just on grant scams but also other pandemic-driven money offers, such as food support coupons and giveaways, purportedly being spread by accounts using big-name brands like Target, Walmart, Pepsi, and Whole Foods.

In addition, Facebook users may have received messages on Messenger and WhatsApp, in English or Spanish, from a friend, family member, or contact asking them to click a link where they can claim “free money”. This campaign, the FTC has noted, would lead users to a survey scam phishing page asking for personal information.

Like the PayPal fund transfer scam in part I, fraudsters pose as someone their victim knows in the hope they will let their guard down and freely talk in confidence. Letting the conversation take place in a private space benefits the bad guys because oblivious owners of hacked or mimicked accounts won’t be able to warn anyone about their hacked account or accounts impersonating them.

“Secret sister gift exchange” scam

This is probably one of the most common pyramid schemes seen on Facebook.

Malwarebytes reported on this holiday-specific scam a couple of years ago, but the Secret Sister scam has been going on and off Facebook since 2015. That said, it shouldn’t surprise anyone to see it rear its ugly head once more.

In this scam, a Facebook user tags some contacts in a post with a message along these lines: buy an item worth $10 from a shop, send it to someone, and expect a 6-to-36-fold return in items from others who participate.

This is what some samples of the “Secret Sister Gift Exchange” scam look like this year. The screenshot below shows how one “rebrands” the scheme as “20/21 Winter Wishes”.

This may seem harmless, and one may feel this has merit considering what a terribly difficult year 2020 has been to a lot of us. After all, who doesn’t want to receive gifts from all your friends and family, or random strangers?

But while exchanging gifts among school friends, family, or even colleagues is encouraged and very much allowed, gift chains like the secret sister gift exchange are not. Participating in one is considered gambling and, thus, you’re actually breaking the US Postal Inspection Service’s gambling and pyramid scheme laws.

As we’ve also pointed out, taking part in the secret sister gift exchange—along with its other variants—could potentially result in data harvesting, especially if the prerequisite to participate is handing over your personal information along with the personal information of friends or family.

Like-farming

Like-farming is an oldie-but-goodie practice that both legitimate commercial parties and scammers use to raise the popularity of a post via likes and shares.

Liked and shared posts are generally benign. But they suddenly become dangerous when, after accumulating a target amount of likes and shares, scammers edit the original posts to include links to a malicious file download or a phishing website, or to promote spammy products. Facebook pages that have garnered a huge following can also be sold on the underground market, either to be used by other scammers for their campaigns or to harvest follower data that Facebook, by default, provides them.

In June, the Better Business Bureau (BBB) put out an article warning people about a Facebook post advertising a free RV and using the pandemic to lure people in. The post goes like this:

“With a lot of people out of work and Covid-19 keeping them out of work we know money is tighter more now than ever! So by 4 PM Monday someone who shares and also comments will be the new owner of this 2020 Jayco Greyhawk RV, paid off and ready to drive away, keys in hand – Jayco.”

This is reportedly the content of the Facebook post on the fake Jayco RV campaign that made the rounds in June.

The company the scammers were impersonating, Jayco, reported the page to Facebook.

How to stay safe on Facebook
  • Report dubious social media posts. It’s good that Facebook has a feature that enables their users to easily report posts they deem are suspicious, scammy, illegal, or downright harmful to other Facebook users’ wellbeing. You can find this feature by clicking in the upper-righthand corner of the Facebook post in question and picking either “Report post” or “Report photo”.
  • Never give out details about you and others. Don’t let yourself or any of your Facebook contacts become targets of scams or identity theft. Be wary of anyone or anything that asks for personal information.
  • Like and Share wisely. If a supposed giveaway sounds too good to be true, it probably is. So, hold off liking or sharing that post, and report it instead.
  • Always look for the blue checkmark on pages of popular brands and public personalities. Verifying their legitimacy is an amazingly simple yet often neglected practice. So if you want to like or share something that is legitimate and safe for your contacts to like and share, too, make sure that post is from a verified account.
  • Update your browser regularly. This doesn’t only keep new vulnerabilities at bay, it’s another layer of protection you can depend on.
  • Scrutinize URLs closely. Not every scammy campaign is sophisticated or difficult to spot. Start with the URL – if it’s obviously not for the website in question then step away.
  • Reach out to friends and family outside of Facebook or Instagram. If you’re not sure if a message is from the person it says it’s from, give them a call or send them a text message to check they really did send it.
  • Be wary of “free”. Yes, free things are nice—but it shouldn’t cost you anything, and that includes your personal details or a small amount of money that you must pay first. If you see a supposed government grant doing the rounds on Facebook, go to that agency’s official webpage to verify it or give them a call.
  • Change your login credentials immediately. No one is immune from being sucked into a fraud. If it does happen to you, contact your bank, report it, and consider credit monitoring, too. And if you used the same password on other sites, change them and remind yourself that reusing passwords is always a wrong move.

Facebook scams will always be around, so make sure you stay up to date, keep your eyes open, and lend a helping hand to your friends and family who use Facebook too. Remember that helping one contact stay safe on Facebook also helps you secure your account and others’, too.

Stay safe!

The post The many ways you can be scammed on Facebook, part II appeared first on Malwarebytes Labs.

Categories: Techie Feeds

VideoBytes: Brute force attacks increase due to more open RDP ports

Malwarebytes - Thu, 12/17/2020 - 20:28

Hello Folks! In this Videobyte, we’re talking about why brute force attacks are increasing and why that is a problem for everyone.

The number of RDP ports exposed to the Internet grew from about three million in January 2020 to over four and a half million in March. The reason for this increase is likely the shift to working from home by many organizations during the pandemic.

Attackers have taken notice of this trend and as a result we’ve seen an increase in criminals targeting vulnerable RDP ports to infiltrate a system or network and manually launch malware. This method of intrusion is less common than the automated approach of sending phishing emails.

This video talks about reasons why we are seeing an increase in RDP port attacks and it also provides tips on how to protect yourself.

An increase in RDP attacks means an increase in manual attacks, where criminals are actively pushing their way onto a network. Using this approach, attackers could disable security controls, allowing additional threats such as ransomware or information-stealing trojans to run on the network.
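As an added illustration of how this trend shows up on the defender’s side (example code added here, not from the video or from Malwarebytes): the script below reads a constructed, simplified rendering of Windows failed-logon events (event 4625 with its logon type and source address fields) and flags any source address that racks up many failures inside a sliding time window, which is the footprint password guessing leaves against an exposed RDP port. The log format, the threshold and window values, and the IP addresses are assumptions made for the sample.

```python
"""Sliding-window detector for RDP password guessing.

Example added to this post (not Malwarebytes code). The input is a
constructed, simplified rendering of Windows Security event 4625 (failed
logon): real exports are XML/EVTX with many more fields, so adapt parse_line
to whatever your log pipeline emits.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_EVENT = "4625"
# Logon types that represent a remote desktop attempt:
#   10 = RemoteInteractive (classic RDP)
#    3 = Network, which is how RDP with Network Level Authentication records
#        the credential check before any session exists.
RDP_LOGON_TYPES = {"3", "10"}

# Constructed sample, one event per line:
#   timestamp  event_id  logon_type  account  source_ip
# 203.0.113.7 cycles through common account names for about a minute;
# 198.51.100.4 is a user who mistypes twice, then succeeds (event 4624);
# the logon-type-2 line is a local console failure and is not RDP at all.
SAMPLE_LOG = """\
2020-12-17T08:00:01 4625 10 administrator 203.0.113.7
2020-12-17T08:00:04 4625 10 admin 203.0.113.7
2020-12-17T08:00:08 4625 10 administrator 203.0.113.7
2020-12-17T08:00:12 4625 3 test 203.0.113.7
2020-12-17T08:00:15 4625 10 user 203.0.113.7
2020-12-17T08:00:19 4625 10 administrator 203.0.113.7
2020-12-17T08:00:22 4625 10 guest 203.0.113.7
2020-12-17T08:00:26 4625 10 admin 203.0.113.7
2020-12-17T08:00:30 4625 10 administrator 203.0.113.7
2020-12-17T08:00:33 4625 10 backup 203.0.113.7
2020-12-17T08:00:35 4625 2 jsmith 127.0.0.1
2020-12-17T08:00:37 4625 10 administrator 203.0.113.7
2020-12-17T08:00:41 4625 10 admin 203.0.113.7
2020-12-17T08:02:10 4625 10 jsmith 198.51.100.4
2020-12-17T08:02:40 4625 10 jsmith 198.51.100.4
2020-12-17T08:03:05 4624 10 jsmith 198.51.100.4
"""


def parse_line(line):
    """Parse one sample line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    stamp, event_id, logon_type, account, source = parts
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        return None
    return {"time": when, "event_id": event_id, "logon_type": logon_type,
            "account": account, "source": source}


def detect_rdp_bruteforce(log_text, threshold=10, window_seconds=60):
    """Return {source_ip: alert} for every source that produced at least
    `threshold` failed RDP logons within any `window_seconds` span.

    The threshold and window are assumptions for the sample; tune them to
    the normal failure rate of your own environment.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source -> failure timestamps inside the window
    accounts = defaultdict(set)   # source -> distinct account names tried
    alerts = {}

    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != FAILED_LOGON_EVENT or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src = ev["source"]
        queue = recent[src]
        queue.append(ev["time"])
        accounts[src].add(ev["account"])
        # Drop failures that have aged out of the sliding window.
        while queue and ev["time"] - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold and src not in alerts:
            alerts[src] = {
                "first_seen": queue[0],
                "triggered_at": ev["time"],
                "failures_in_window": len(queue),
            }

    # Many distinct account names from one source is the password-spraying
    # signature; record it for every alerted source.
    for src, alert in alerts.items():
        alert["accounts_tried"] = sorted(accounts[src])
    return alerts


def main():
    for src, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {alert['failures_in_window']} failed RDP logons between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['triggered_at']:%H:%M:%S}, "
              f"accounts tried: {', '.join(alert['accounts_tried'])}")


if __name__ == "__main__":
    main()
```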


The post VideoBytes: Brute force attacks increase due to more open RDP ports appeared first on Malwarebytes Labs.


Smart toy security: How to keep your kids safe this Christmas

Malwarebytes - Thu, 12/17/2020 - 13:14

Christmas is coming, and so are the smart toys. The ever-present pandemic has meant a lot more staying at home this year. Videogame playing has increased considerably, because why not? Screentime for kids has gone up, because again, it’s bound to. It hasn’t brought about the end of civilisation and the kids are still alright.

You’d expect a big surge in smart/IoT toys all over the place given the current mood. However, there seem to be very few toys like this in the various “top Xmas toy gift” lists currently. I’ve yet to find an internet connected Baby Yoda, or a big brand doll acting as a Wi-Fi hotspot. Having said that, similar toys do exist, will be bought, and at least a few random gifts will be in the news next year for all the wrong reasons.

With this in mind, here’s how to keep smart toy security top of your Christmas list, and keep your kids safe from harm.

How to improve your smart toy security this Christmas
  1. Read product descriptions thoroughly. If they link to EULAs, read them. If they mention internet connectivity, find out what specifically the toy needs it for.
  2. Consider these questions. Does it plug into a database, and if so, for what purpose? Does it do facial recognition, and is it storing your child’s image outside of the device? Is it saving data like name, address, age? Where is the data stored, and is it secure? Does the company purge everything on a regular basis, or does it hang onto it for a while? How long? If the answer is “indefinitely”, is there some sort of data protection law it falls under which allows you to request deletion yourself?
  3. Watch out for “faux” connectivity. There are a lot of toys which imply internet features, but merely present that as a kind of façade for the kids. Cameras/recorders exist which present themselves as kids making their own social media styled clips, but everything stays on the device and associated USB cards. It’s just the kids having fun, maaan. If in doubt then, as above, have a dig around for EULAs or additional product information. Worst case scenario: if it has connectivity, you’ll still need to go dig out internet options, punch in your router code, and so on. This is probably beyond your toddler, though mileage will vary depending on how many years’ use you expect to get from the device.
  4. Security may be an afterthought. We’ve probably all heard the horror stories about cheap devices, knocked out with no security functionality whatsoever. Even with privacy policies and safety assurances, you may wish to limit how much data is exposed either way.
  5. Advertisements and data collection are probably more of a gaming/tablet concern than a concern with random physical toys. This is almost certainly somewhere at the bottom of the “Things I should be concerned about” list. You may well take a totally different approach if said ads and tracking are tied to digital games, of course.
  6. What websites/portals are tied to the toy? Often, we see non-smart toys promoted with cool rewards and gifts should you sign up to their official website. Treat those sites with caution. There may be questions over what data they’re collecting, how they store it (similar to data beamed to servers by smart toys), whether or not the website uses SSL/TLS, and so on. Kids’ sites could be hot targets for scammers in December, so ensure you visit with your full complement of security software in full operation.
  7. Your smart toy may need software updates, especially to ward off potential security threats. If it gets them, that’s great! However, keep in mind that support for most devices is limited. Even major software is eventually put out to pasture by the biggest corporations. Your child’s cuddly talking robo-toy won’t be supported forever. Once that happens it could be vulnerable to future attacks or old exploits which were missed the first time around.

Have fun but be sensible

There is absolutely a risk from smart/IoT toys, and IoT products generally sell well over the holiday period. They’re a big deal. Having said that, there’s no need to panic. If you’re in the market for some fun smart toy action, do your usual fact finding before the purchase. Scour reviews, see what the toy does, check for any server-based antics, and make an informed decision.

Keeping your kids safe from products which spend all their time in their room has to be a priority above everything else.

We wish you a safe and entirely pleasant toy time this Christmas.

The post Smart toy security: How to keep your kids safe this Christmas appeared first on Malwarebytes Labs.


Likely lead generation scam targets potential Malwarebytes MSP partners

Malwarebytes - Wed, 12/16/2020 - 19:42

Recently, Malwarebytes discovered a potential lead generation scam targeting companies that are interested in our Malwarebytes Managed Service Provider (MSP) Program.

In the scam, an individual who used the name “Jenny” aggressively contacted potential MSP partners claiming to represent Malwarebytes. In one instance in New Zealand, “Jenny” repeatedly called an MSP from the following phone number:

(628) 239-0412

According to one Malwarebytes customer who dealt with this rude scammer, “Jenny” repeatedly called their offices “10 to 20” times a day, each time asking to “speak to executives in our business.”

A quick Google search of the phone number shows that this is far from an isolated incident.

Dating back to last year, multiple individuals have reported difficult run-ins with the aggressive users behind this phone number. According to multiple forum posts of users reporting potential scam behavior from unknown phone numbers, the calls from this number are almost always the same.

The person making the call initially asks to speak to someone at the company—sometimes by name, sometimes by title—and only vaguely mentions the reason for the call. Several calls may take place in the span of one hour, and when asked to identify themselves by name, the caller sometimes gets angry and hangs up, or offers a “garbled” last name. Many forum posters also reported seeing the same caller ID when receiving the call:


Despite the many similarities, the company that the callers claim to represent almost always changes. Forum posters said that the callers have claimed to be from cybersecurity company Proofpoint, IT management and MSP software company ConnectWise, and even Intel.

As of last week, the callers added “Malwarebytes” to their faked personas.  

Let’s be immediately clear. These calls are not coming from Malwarebytes, and our company will not engage with customers or potential customers in such scam-like, suspicious ways.

So, what’s actually going on here?

This is likely what’s called a “lead generation scam.” The first thing to understand about these scams is “lead generation” is a routine part of almost every single company’s marketing and sales operations. Companies often ask visitors to their website to fill out their contact information if they are interested in a certain product or program. As those visitors engage with the company and show a continued interest in a product, they become a “lead.”

A “lead generation scam” is when companies obtain leads through clandestine, untoward methods.

Last year, the US Federal Trade Commission sued a company for allegedly engaging in just this type of behavior. According to a lawsuit announced in April 2019, the company Day Pacer LLC had obtained individuals’ phone numbers from websites that allegedly offered assistance in finding jobs, securing unemployment benefits, gaining healthcare, or signing up for other types of assistance. Once Day Pacer had the information in hand, though, it used it to make “millions of illegal, unsolicited calls about educational programs,” the FTC said.

As for the current scam at hand, we think it’s similar, with an added twist.

While we cannot be sure whether the scammers themselves have already obtained a list of contact information from another resource online, there is a possibility that they are working for themselves to turn a profit. By repeatedly calling multiple businesses, these scammers might be trying to do some low-level corporate intelligence gathering. Once the scammers have called enough times and built up a list of internal leads from one company, they could take that information and try to sell it to that company’s competitors for a high price.

That motivation could also explain the rude, aggressive tactics. The callers don’t care if they strike out 100 times in a row, so long as they get enough people to divulge just enough basic information that they can turn around and try to sell it at a high price.

Be on the lookout for these types of scams, and stay safe out there, everyone.

The post Likely lead generation scam targets potential Malwarebytes MSP partners appeared first on Malwarebytes Labs.


Threat profile: Egregor ransomware is making a name for itself

Malwarebytes - Tue, 12/15/2020 - 13:58
What is Egregor?

Egregor ransomware is a relatively new ransomware (first spotted in September 2020) that seems intent on making its way to the top right now. Egregor is considered a variant of Ransom.Sekhmet based on similarities in obfuscation, API-calls, and the ransom note.

As we’ve reported in the past, affiliates that were using Maze ransomware started moving over to Egregor even before the Maze gang officially announced they were calling it quits. Egregor has already targeted some well-known victims like Barnes & Noble, Kmart and Ubisoft.

How does Egregor spread?

The primary distribution method for Egregor is Cobalt Strike. Targeted environments are initially compromised through various means (RDP probing, phishing) and once the Cobalt Strike beacon payload is established and persistent, it is then used to deliver and launch the Egregor payloads.

First part of the Egregor ransom note

But since Egregor is a ransomware-as-a-service (RaaS) operation with multiple affiliates, the delivery and weaponization tactics can vary. We’ve also seen it being spread via phishing emails recently. The attack typically unfolds in two steps: initial compromise with email lure that drops Qakbot, followed by the actual Egregor ransomware. The latter is deployed manually by the attackers who have previously gained access as a result of the initial compromise.

There have also been some reports of Egregor utilizing CVE-2020-0688 (a remote code execution flaw in Microsoft Exchange). Some sources also report the possible exploitation of CVE-2018-8174 (VBScript Engine), CVE-2018-4878 (Adobe Flash Player), and CVE-2018-15982 (Adobe Flash Player).

The most common attack method seems to entail an initial spray-and-pray tactic, after which the threat actors make a selection of the available openings. They will obviously go for the easiest and most profitable ones based on primary reconnaissance data from the first stage of the attack. They will then try to enlarge their foothold on the breached network and look for the data and servers that are most critical for the victim. This will give the attackers extra leverage and a bigger chance to cash in their ransom demand.

Egregor does not seem to have a geographical preference, even though Sekhmet has seemed to focus on the US in the past 7 weeks.

Sekhmet attacks in the last 7 weeks per country

Egregor threatens to leak exfiltrated data

According to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, the attackers will announce the breach through mass media so the company’s partners and clients will know that the company was victimized.

Part 2 of the Egregor ransom note

In all three of the cases we mentioned earlier, the attackers published information on a leak site showing that they had accessed files during the attack, but didn’t necessarily reveal source code or anything particularly sensitive.

Announcements of leaked data on the Egregor website

Education by the hands-on experts

A very typical trait of the Egregor ransomware is that the attackers offer to educate their victims in order to help them escape future attacks.

Part 3 of the Egregor ransom note

Cybersecurity advice is promised to those victims that pay the ransom as an extra bonus. What these recommendations look like is unknown at the time of writing. A truthful explanation about how the victim in question was infected, infiltrated, and how data was exfiltrated would certainly help in a forensic investigation of the incident.

Egregor victim Randstad

One of the latest victims seems to be Netherlands-based Randstad, one of the largest recruitment- and head-hunting agencies in the world. In its press release, Randstad specifically calls out Egregor as the attacker.

“We believe the incident started with a phishing email that initiated malicious software to be installed,” a Randstad spokesperson said in an email.

The listing on the Egregor site confirms the attack

The press release confirms the stolen data but is unclear about the exact content.

“To date, our investigation has revealed that the Egregor group obtained unauthorized and unlawful access to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France. They have now published what is claimed to be a subset of that data.”

Depending on the stolen data, and given the line of business, the content could be very sensitive and confidential. According to Randstad, the company was able to limit the impact, and the stolen data are in particular related to their operations in the US, Poland, Italy and France.

Third party cybersecurity and forensic experts were engaged to assist with the investigation and remediation of the incident.


Tor Onion URLs:


SHA256 hashes:

  • 4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321
  • aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7

Ransom note:

RECOVER-FILES.txt (some parts of the ransom note can be seen in the article)
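A simple way to put the indicators above to work is a file-system sweep. The script below is an added example, not Malwarebytes code: it walks a directory tree, compares every file’s SHA-256 with the two hashes listed in this post, and reports any RECOVER-FILES.txt ransom notes it finds. The demo tree it builds is constructed here; because no real sample is available, the demo’s harmless “payload” is matched by adding its own hash to the hunt set for the demo run only.

```python
"""Sweep a directory tree for the Egregor indicators listed in the article.

Added example, not Malwarebytes code. It checks each file's SHA-256 against
the two hashes from the post and looks for the RECOVER-FILES.txt ransom
note. The demo tree is constructed here; its 'payload' is a harmless text
file whose hash is added to the hunt set only for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# The two SHA-256 values from the article's indicator list.
EGREGOR_SHA256 = {
    "4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321",
    "aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7",
}
RANSOM_NOTE_NAME = "RECOVER-FILES.txt"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hunt(root, hashes=EGREGOR_SHA256, note_name=RANSOM_NOTE_NAME):
    """Walk root and return {'hash_hits': [...], 'ransom_notes': [...]}.

    Paths come back as sorted strings. Files that cannot be read (locked,
    vanished, permission denied) are skipped so one error does not abort
    the whole sweep.
    """
    hits = {"hash_hits": [], "ransom_notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == note_name.lower():
                hits["ransom_notes"].append(str(path))
            try:
                if sha256_file(path) in hashes:
                    hits["hash_hits"].append(str(path))
            except OSError:
                continue
    for key in hits:
        hits[key].sort()
    return hits


def build_demo_tree():
    """Create a constructed tree for the demo: two folders, each holding a
    ransom note (placeholder text, not the real note) next to a normal
    document, plus one fake 'payload'. Returns (root, payload_sha256)."""
    root = Path(tempfile.mkdtemp(prefix="egregor_demo_"))
    for sub in ("Documents", "Finance"):
        folder = root / sub
        folder.mkdir()
        (folder / "report.docx").write_bytes(b"normal file content")
        (folder / RANSOM_NOTE_NAME).write_text("constructed placeholder note\n")
    payload = root / "Finance" / "x.dll"
    payload.write_bytes(b"constructed fake payload, harmless text")
    return root, sha256_file(payload)


if __name__ == "__main__":
    root, demo_hash = build_demo_tree()
    # Page hashes only: the notes are found, nothing matches by hash.
    print(hunt(root))
    # Page hashes plus the demo hash: the fake payload is matched as well.
    print(hunt(root, EGREGOR_SHA256 | {demo_hash}))
```

Hash matching only catches the exact samples listed; the ransom-note check is the cheaper signal that survives repacked payloads, so keep both in a sweep.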

The post Threat profile: Egregor ransomware is making a name for itself appeared first on Malwarebytes Labs.


NCSC: Be Cyber Aware, especially during the Christmas season

Malwarebytes - Tue, 12/15/2020 - 13:23

In early December, the National Cyber Security Centre, a UK-based cybersecurity body and a part of GCHQ, kicked off the next chapter of its Cyber Aware campaign initiative, focusing on online shopping threats during the Christmas season.

Cyber Aware is the UK government’s “national campaign on cybersecurity” aimed at helping the public and businesses of all sizes understand how they can stay safe online.

According to the National Fraud Intelligence Bureau (NFIB), a police unit that gathers and analyzes intelligence regarding financially motivated cybercrime, 13.5M GBP was lost to shopping fraud between November 2019 and January 2020. That’s an average loss of 775 GBP per reported incident.

“This year we have spent more time online than ever before. Whether it be working or shopping online, criminals and others often see the internet as another means to cause harm,” says Penny Mordaunt, Paymaster General in the Cabinet Office of the United Kingdom. “As we approach the Christmas season, we should all be on our guard and take the practical Cyber Aware actions to keep us safe as we work, shop and socialise online.”

With more and more internet users expected to shop online this festive season, thanks to the current pandemic, it is more important than ever for shoppers to be on the lookout for potentially fraudulent activity and practice the necessary behaviors to protect themselves against it. Cyber Aware has listed six such behaviors, as follows:

  • Use a strong and separate password for your email
  • Create strong passwords using 3 random words
  • Save your passwords in your browser
  • Turn on two-factor authentication (2FA)
  • Update your devices and apps
  • Back up your data

You can read and learn more about these points in depth by visiting this page.

“If you are shopping online this year, spend the time you would have spent wrapping up warm to head out to the shops on checking your online security,” says Sian John, Microsoft UK’s Chief Security Advisor, “Let’s make sure the gifts we give this Christmas go to the people we love, not to the fraudsters who just want to steal your money.”

The announcement of this new Cyber Aware campaign came on the heels of the release of the NCSC’s fourth Annual Review Report [PDF]. In it, the NCSC covers its activities and achievements from September 2019 to August 2020.

Highlights include the launch of its Suspicious Email Reporting Services, wherein 2.3 million reports were submitted by the British public; the publication of multiple guidelines on relevant cybersecurity topics, such as the secure usage of smart security cameras, safe ways to work from home during the coronavirus pandemic, the proper procurement of mobile devices of the workplace, and things to consider before buying cyber insurance; and partnering with other organizations to advocate a cause, such as helping increase female representation in cybersecurity.

Stay safe!

The post NCSC: Be Cyber Aware, especially during the Christmas season appeared first on Malwarebytes Labs.


SolarWinds advanced cyberattack: What happened and what to do now

Malwarebytes - Mon, 12/14/2020 - 19:45

We learned more about the sophisticated attack first disclosed on December 8 when security firm FireEye reported it had been the victim of a state-sponsored adversary that stole Red Team assessment tools.

On December 13 there was a new development when IT company SolarWinds announced it had been hacked and that its compromised software channel was used to push out malicious updates onto 18,000 of its Orion platform customers.

This scenario, referred to as a supply-chain attack, is perhaps the most devious and difficult to detect as it relies on software that has already been trusted and that can be widely distributed at once. Among the victims who received the malicious update are FireEye, Microsoft and the US Treasury and Commerce departments, making this one of the biggest cyber incidents we have witnessed in years.

The Department of Homeland Security has issued an emergency directive to order all federal agencies to take immediate steps in putting affected SolarWinds Orion products offline and reporting back any incident by Monday.

We do know that the threat actors were in for a much bigger prize than the offensive tools stolen from security firm FireEye, although this incident helped to uncover a very advanced operation with deep ramifications. As this story is still unfolding we will keep our customers informed of any newer developments.

Call to action
  • Immediately isolate any systems running the Orion platform versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
  • Scan your premises using Malwarebytes and look for any detection, and in particular Backdoor.Sunburst and Backdoor.WebShell.
  • Use the Indicators of Compromise at the end of this blog to hunt within your logs, telemetry and other SIEM data to give a timeline perspective to any potential intrusion.
  • Perform a comprehensive security sweep to review and harden your physical and cloud infrastructure.
  • Upgrade to Orion Platform version 2020.2.1 HF 2 and restore systems once you feel confident with the previous steps.
Indicators of Compromise (IOCs)

This list has been put together from several sources. Kudos to FireEye and Microsoft for sharing IOCs and TTPs so quickly.
The post SolarWinds advanced cyberattack: What happened and what to do now appeared first on Malwarebytes Labs.


A week in security (December 7 – December 13)

Malwarebytes - Mon, 12/14/2020 - 16:54

Last week on Malwarebytes podcast we talked to Doug Levin, founder of the K12 cybersecurity resource center and advisor to the K12 Security Information Exchange, about how schools can plan for a cybersecure 2021.

We also released a Malwarebytes Labs report revealing that 50 percent of schools did not prepare for secure distance learning.

In our blogs we discussed defending against tax scams, the dangers of buying COVID-19 vaccines from the Dark Web, a VideoByte edition talked about why hospitals are being targeted by the Ryuk ransomware, and we reassured our customers that Malwarebytes detects the leaked tools from the FireEye breach.

Other cybersecurity news:
  • A Florida COVID-19 data manager was investigated and raided for allegedly sending a mass text using a shared password. (Source: ArsTechnica)
  • The European Medicines Agency (EMA) responsible for approving medicines like the COVID-19 vaccine has been the subject of a cyberattack. (Source: EMA website)
  • US cybersecurity firm FireEye disclosed a breach and subsequent theft of hacking tools. (Source: Yahoo! Finance)
  • A team of researchers in Belgium has uncovered one of the world’s largest known online disinformation networks, dubbed Indian Chronicles, which has existed for 15 years. (Source: Intelnews)
  • US agencies have warned K-12 educational institutions are being targeted by malicious actors for extortion, data theft, and general disruption of normal activity. (Source: BleepingComputer)
  • A web skimmer gang has been hiding its malicious code inside websites’ CSS files. (Source: ZDNet)
  • Microsoft warned that there’s an ongoing Adrozek campaign to distribute malware that modifies web browsers. (Source: The Register)
  • Engineers at Cloudflare and Apple say they’ve developed a new internet protocol that will shore up one of the biggest holes in internet privacy. (Source: TechCrunch)
  • Researchers discovered a sharp rise in gift card scams as cybercriminals launch tactics to take advantage of the giving season. (Source: Bolster)
  • The Federal Trade Commission sued Facebook for illegally maintaining its personal social networking monopoly. (Source: FTC website)

Stay safe, everyone!

The post A week in security (December 7 – December 13) appeared first on Malwarebytes Labs.


Malwarebytes detects leaked tools from FireEye breach

Malwarebytes - Thu, 12/10/2020 - 21:37

Hello folks! If you have not heard yet, the security firm FireEye has had a breach of many red team assessment tools used for identification of vulnerabilities to help protect customers.

While it is not known exactly who was behind this attack, a big concern is the sharing and use of these stolen red team tools by both sophisticated and non-sophisticated actors, similar to what we saw in 2017 with the ShadowBrokers group breach of the NSA’s Equation Group.

As soon as we at Malwarebytes found out, we started investigating. However, FireEye has been incredibly transparent and released detection rules and code for the stolen tools, so that vendors across the world can protect their customers from these tools.

FireEye red team tool detection rules

So, thanks to the diligence of our own threat research team, as well as the transparency and assistance of FireEye, we’ve been able to incorporate these tools into our detection databases so if they show up on your endpoints, we’ll stop them.

Malwarebytes detects these vulnerabilities

Security firms are a huge target for cyber criminals, from FireEye to even us at Malwarebytes. Often our software is the first, or last, line of defense against sophisticated cybercriminal efforts and even state-sponsored attacks. Being able to compromise one of these organizations has great value for both nation states and commercial cybercriminals.

To that end we commend FireEye for their efforts at quickly recovering and reducing the fallout from this breach, and we support them in protecting both their internal data and their customers moving forward. At the end of the day, we are on the same side and have to deal with the same threats.

Thanks for reading, safe surfing.

The post Malwarebytes detects leaked tools from FireEye breach appeared first on Malwarebytes Labs.


Buying COVID-19 vaccines from the Dark Web? No thanks!

Malwarebytes - Thu, 12/10/2020 - 13:02

Even though we hope that this is an unnecessary warning, we do want to put it out there. As soon as there was talk about a vaccine being available against the COVID-19 virus there were vendors on the Dark Web offering Russian and Chinese COVID-19 vaccines for sale. Now that the UK has started its inoculation program, we’ve seen the first offers of “tested COVID-19 vaccines” appearing online.

Granted, it didn’t take the genius of Shakespeare to come up with that plot.

In a single day, 645 COVID-19 listings were discovered across 12 dark web markets, a study from the Australian National University found.

One example

Below is a screenshot of a Dark Web vendor selling a “Corona virus vaccine” (sic) developed in Israel. The vendor states it will be ready in a few days, most likely to extend the period before they start getting complaints that could drive other potential buyers away. As you can see, they envisioned a vaccine far before anyone thought it was even feasible.

Image courtesy of CloudSEK

Will you receive a real COVID-19 vaccine?

As I see it, there are a few possible scenarios that might play out should you decide to order a “tested COVID-19 vaccine” on the dark web:

  1. You will receive nothing at all. You should be happy, all you lost is some money.
  2. Possibly a shipment will be sent to your address, but it will not be a real vaccine. With any luck it will be a harmless placebo.
  3. The shipment contains a vaccine, but it isn’t the coveted coronavirus vaccine. You have no idea what it really is. Let’s hope you are not allergic to it.
  4. In the very unlikely case you receive an actual COVID-19 vaccine, there’s a good chance that it’s not an FDA approved vaccine. The only approved vaccine to date has to be stored and transported at -94°F (-70°C). Will our Dark Web vendor use the cold chain distribution method?

Seriously, there is a huge demand for the real vaccines, and worldwide logistics experts are working out plans to get these vaccines to those that need them the most, in the safest and fastest way.


At Malwarebytes Labs we have warned in the past against buying illegal drugs on the internet. You can heed the same warnings for medicines.

A researcher at CloudSEK contacted one of these vendors and requested proof of what they were selling. In response they sent a stock image. You can read their back and forth here.

A warning was issued after ‘Pfizer COVID-19 vaccine’ was found for sale on the Dark Web – at around £1,000 a dose. As we pointed out earlier, given the controlled temperature required for this vaccine’s storage and transport, these are highly unlikely claims.

Europol warned in April about the potential harm of offline and online scams offering alleged versions of the COVID-19 vaccine. Then, in October, it discovered a Mexico-based operation pushing fake influenza vaccines on the cybercrime underground. It’s likely that the same actors will see another opportunity with the rollout of a COVID-19 vaccine, Europol said.

It’s a golden opportunity for cybercriminals, who can use fake vaccine offers as bait. Europol said high demand for the vaccine and potential shortages will likely drive consumers online looking for alternatives.

“Some dark web markets feature advertisements for fake COVID-19 vaccines. The number of offers is limited at this stage but will likely increase once a legitimate vaccine becomes available. Criminals advertise their fake vaccines using the brands of genuine pharmaceutical companies that are already in the final stages of testing.”

The Food and Drug Administration said the first Covid-19 vaccine being considered for US distribution “met the prescribed success criteria” in a clinical study, paving the way for the agency to green-light distribution as early as this weekend. It’s likely this will increase the number of fraudulent offers.

Stolen vaccine data

Documents related to the development of one COVID-19 vaccine have been unlawfully accessed in a cyberattack on the European Medicines Agency (EMA), which is the EU version of the Food and Drug Administration (FDA).

You can expect scammers to use this information to give extra credibility to their lures. For example, by claiming they have fabricated a COVID-19 vaccine using the information that was in the stolen documents. Again, this concerns the vaccine that needs to be handled under cold chain conditions, so any vaccine based on those specifications will require the same treatment.

Don’t let panic control your actions

While we understand the reasons why some people may want to get the vaccine before their government decides it’s their turn, panic – and greed – are always bad advisors. They are the exact basic instincts that scammers thrive on.

Don’t add an unfortunate accident with an unlikely vaccine sold by a shady Dark Web vendor to the list of things that went wrong in 2020.

Stay safe, everyone!

The post Buying COVID-19 vaccines from the Dark Web? No thanks! appeared first on Malwarebytes Labs.
