Malwarebytes

Subscribe to Malwarebytes feed
The Security Blog From Malwarebytes
Updated: 2 weeks 3 days ago

Don’t post it! Six social media safety sins to say goodbye to

Fri, 03/26/2021 - 13:50

If you or anyone you know is committing the below social media sins, it’s time to change that habit of an online lifetime. Even the most innocuous of things can cause trouble down the line, because everyone’s threat model is different. Unfortunately, people tend to realise what their threat model is when it’s already too late.

With this handy list, you’ll hopefully avoid the most common mistakes which are served up to social media with a dash of eternal regret.

Don’t post: credit card information

Yes, people do this. Someone is issued a new credit card. Perhaps it’s their first and they’re really excited. They want to tell the world…and they do it by posting up un-redacted shots of the front and back of the card. If they’re really unlucky, they’ve left bits and pieces of personal information on the same profile or elsewhere. I’m not sure why, but these posts often stay online long after hundreds of people have replied with “Delete this!”

It’s a mystery we may never get to the bottom of.

Don’t post: medical information

This is quite a timely one. Various forms of medical data are very popular on social media right now, especially due to the pandemic. Got a nice health and wellbeing story? Off it goes into Twitter or Facebook. This can bring problems, however. Back in 2017 we looked at the trend of posting X-Rays to social media. Even where people thought they’d redacted everything, some details still slipped through the net.

Wind forward to 2021, and we have people posting vaccination selfies. Those are fine. However, close ups of the sheets / slips detailing patient info in relation to their vaccine are not. There’s plenty of folks posting these images up from all over the world, which is to be expected. We beg you to ask yourself if you really need to post it and, if you do, please redact most if not all the information on these cards. You really don’t need it online.

Don’t post: visas and passport photos

Many immigration advice firms post to social media whenever they manage to obtain visas for their clients. That’s great! Well done. What’s not so great? Posting images of the client’s passport to social media, usually along with the visa, or other entry document.

Occasionally they’ll redact some of the data…but not all of the time. And even when name / address / D.O.B. is obscured, other elements are left visible. That could be their biometric residence permit number, or something else specific to their identity in their new country of residence. Given these are Government issued documents, it’s best not to post any of it online at all. There’s often steep fees for replacement documents, and I’m not sure if it’s any better if they need replacing due to negligence as opposed loss.

Let’s say “It’s probably worse” and resolve to never do it again.

If you’re a customer of organisations helping arrange visas and you know they have social media accounts? Feel free to keep an eye on their feeds, especially if you see they already do this. You’ll probably find yourself posted online at some point, and even with redactions applied this feels like a very uncomfortable practice.

Don’t post: personal information in customer service chats

Interacting with customer service reps on Twitter is something people do 24/7. It’s often one of the fastest ways to resolve an issue, but trouble beckons when people post the inner workings of their problem. Something wrong with an order? Missing screws for your DIY table? Milk expired 3 weeks ago?

Okay, but you don’t need to post everything to go with it. Order numbers tied to public accounts, screenshots of your order summary complete with home address listed, telephone numbers, we’ve seen them all down the years.

Is your delivery driver disputing that someone was in when they rang the doorbell? It happens, but you don’t need to post up a shot of the GPS indicator from their website showing exactly where you live.

All of this information is usable to some degree by people up to no good. It could be phishing, it could be doxxing, it might be stalking. Bottom line: start from a position of total redaction and only show what you absolutely need to.

If you’re taking the conversation to direct messages? Don’t post anything sensitive in there either, and that includes things like passwords.

Don’t post: vacations in real-time

Given it’s an age since anyone likely went on holiday, it’s worth dusting off one more golden oldie. If and when we’re all able to go on vacation, remember to control your travel experience ruthlessly.

We strongly suggest you post about your trip after you get back home. It may be appealing to get everything online as it takes place, but “I’m hundreds of miles away from my empty home” seems a bit dangerous to us.

This is especially the case if any of your profiles make use of geolocation, or you happily tag your home address in any geolocation service. You may as well hire someone to fly a plane over your house with a big banner that says “We’re empty for 14 days, come on in”. This isn’t a very catchy marketing slogan, but people up for a bit of burglary will love it.

Don’t post: the TMI selfie

This probably isn’t what you’re expecting it to be. However.

Something we regularly see on social media is the TMI selfie. This is an entirely boring and normal photo, with one major exception lurking. That pic of your nice new sofa in the front room? There’s a letter on the shelf with your bank statement on it. The Instagram-worthy snap of your meal? You can see a reflection of confidential work information on your laptop in the mirror. Finally received that delivery you’ve been waiting on and Tweeted it out? You left the label with your address on the box.

We let out guard down in places we trust. This often proves disastrous for people who prefer to remain a little bit anonymous on social media. The TMI selfie is usually brought to light by helpful followers of whoever happens to post it. Interestingly, unlike the credit card snaps, these usually get deleted swiftly. That’s definitely a good thing.

Keeping it safe on social

These are the social media sins which frequently have a negative impact on people’s lives when they least expect it. By avoiding them, you’re encouraging solid security and safety practices in all aspects of your life both offline and on. If you can think of others, we’d love for you to add some of your own in the comments.

The post Don’t post it! Six social media safety sins to say goodbye to appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Perkiler malware turns to SMB brute force to spread

Thu, 03/25/2021 - 20:52

Researchers at Guardicore have identified a new infection vector being used by the Perkiler malware where internet-facing Windows machines are breached through SMB password brute force.

Perkiler is a complex Windows malware with rootkit components that is dropped by the Purple Fox exploit kit (EK) and was spread by phishing campaigns.

What is SMB?

Server Message Block (SMB), aka Common Internet File System (CIFS), is the network-protocol that enables file exchanges between Microsoft Windows computers. You will find it wherever Windows computers are sharing printers, files, and sometimes remote control. By default, SMB is configured to use the ports 139 and 445.

SMB vulnerability history

SMB has a history of being used by malware (coupled with a history of being enabled by mistake and exposed to the Internet by accident). The most famous example of SMB-exploiting malware is WannaCry. This worm-like outbreak spread via an operation that hunted down vulnerable public facing SMB ports and then used the EternalBlue exploit to get on the network, chained with the DoublePulsar exploit to establish persistence, and allow for the installation of the WannaCry ransomware.

What are brute force attacks?

A brute-force password attack is a relentless attempt to guess the username and password of one or more systems. As it sounds, a brute-force attack relies on force rather than cunning or skill: It is the digital equivalent of throwing everything and the kitchen sink at something. Some attacks will try endless combinations of usernames and passwords until finding a combination that works, others will try a small number of usernames and passwords on as many systems as possible.

Brute force attacks are usually automated, so they don’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system-specific property, an attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and wait to get notified when one of the systems has swallowed the hook.

Not a new infection method

The fact that the researchers found the Perkiler malware attacking Windows machines through SMB password brute force came as something of a surprise. Not because of the SMB brute force per se. SMB has always been brute forced, but why would you bother when you have:

  • EternalBlue that allows you to own every single unpatched SMB server without going through the brute force routine.
  • A few million RDP ports you can brute force with a potentially bigger gain. Remote desktop is exactly what the name implies, an option to remotely control a computer system. Which is much more interesting to an attacker than just being able to drop a file on an SMB server.

The answer to this question remains a mystery for now. Maybe they are planning ahead for when the number of vulnerable RDP servers dries up.

Using compromised machines

Perkiler uses a large network of compromised servers to host its dropper and the payloads. These servers appear to be compromised Microsoft IIS 7.5 servers. Most of these Windows Servers are running IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels.

The rootkit

Once a machine is infected with the new variant of Perkiler, it reboots to load the rootkit that’s hidden inside the encrypted payload. The purpose of this rootkit is to hide various registry keys and values, files, etc. Ironically enough, the hidden rootkit was developed by a security researcher to conduct various malware analysis tasks and to keep the research tasks hidden from the malware.

Infected machines

Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session.

One interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.

Mitigation

In theory, brute force password attacks conducted over the Internet can be defeated by even moderately strong passwords (six characters should be enough). However, even the threat of big-game ransomware using RDP brute force attacks hasn’t been enough to get people using stronger passwords. And if the prospect of facing a $50 million ransom isn’t enough motivation, it’s hard to see anything else working.

Luckily there are other, easier ways to blunt brute force attacks. The best defence of all is to remove the SMB (or RDP, or anything else) service from the Internet entirely, if possible, or to put it behind a VPN protected by two-factor authentication if it isn’t possible.

The post Perkiler malware turns to SMB brute force to spread appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Slack hurries to fix direct message flaw that allowed harassment

Thu, 03/25/2021 - 18:37

The enormous work messaging platform Slack quickly reversed course yesterday, promising to revise a brand-new direct message feature that could have been misused for harassment.

Added to the company’s “Slack Connect” product—which lets enterprise users share messages with contract workers and third-party partners outside their company—the new “direct message” feature allowed paying Slack users to message anyone outside of their company or organization, so long as they had another person’s email address. The messages came attached to an invite, but as many tech news outlets and concerned online users noted, there was no way for recipients to block the invites, or to block the content of the messages that came attached to the invites.

As Twitter product employee Menotti Minutillo said on Twitter, the implementation of Slack Connect DMs meant that malicious users could send repeated DM invites with harassing language, and that Slack would also email the DM’s recipient with the invite, including the harassing language. DM recipients would also have trouble blocking those emails as they came from a generic email address, too, Minutillo said.

well that was easy as shit to abuse

– send invite with nasty language
– slack emails you w/ the full content of the invite
– can't block the emails because they come from a generic slack address that informs you of invites
– abuser can keep inviting w/ abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO

— Menotti Minutillo (@44) March 24, 2021

Further, according to TechCrunch, the Slack Connect DM feature is opt-in at the organizational level, meaning that individual employees could not, alone, overwrite their company’s decision, should it choose to enable the feature.  

Less than 24 hours after Slack Connect DM’s full release, Slack realigned. According to Slack Vice President of Communications and Policy Jonathan Prince, the company will disable the capability to customize messages that are attached to Slack Connect DM invites.

Prince’s full statement is as follows:  

 “After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs. Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”

Slack’s quick work to fix the problem is appreciated, but it is curious that the company did not catch the problem before the full rollout. The company has already faced complaints about the limited features in the free version of its platform, which allows users to visibly show harassing language without even having to actually write and send messages. This is because Slack automatically sends notifications when new users join a thread, so if those new users stylize their username to be an insult, then the users in that thread will receive a notification that includes that language.

Further, the problem of harassment on messaging platforms is far from new. On the Lock and Code podcast, when we spoke with Electronic Frontier Foundation’s Director of Cybersecurity Eva Galperin, Galperin warned about this very issue.

“Primarily, the onus for making safe platforms, is on the makers of the platforms,” Galperin said. “And so, if there are people who are listening to this podcast, who are developing software or who are developing platforms or services for commercial use, I encourage them to think about how their tool will be used for harassment.”

Galperin provided specific guidance for any platform with messaging capabilities. She said that those platforms should make it possible for users to not use their real names, and for users to block other users or to mute certain keywords. This setup, Galperin said, is beneficial for both the user and the company.

“If you give the power to the users, then they can decide what is harassment and what is abuse, and it really takes the onus off the platform to be judge, jury, and executioner for every communication that somebody has online.”

Unfortunately, Slack users could not block users—and in fact the company has pushed back against such a feature for years—or mute keywords, and users would have trouble filtering out emails from Slack’s generic email addresses that included the DM invites and the accompanying messages.

These may sound like high-level discussions that are difficult to forecast, but there is actually a far simpler way to look at the problem. To borrow the words of Twitter user @geekgalgroks, a developer and accessibility advocate:

“Seriously with every new messaging system and feature ask yourself if people can send unsolicited dick pics and if those receiving them can block the sender.

Because it will happen.”

The post Slack hurries to fix direct message flaw that allowed harassment appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Software renewal scammers unmasked

Wed, 03/24/2021 - 16:01

We’ve been tracking a fraudulent scheme involving renewal notifications for several months now. It came to our attention because the Malwarebytes brand as well as other popular names were being used to send fake invoices via email.

The concept is simple but effective. You receive an invoice for a product you may or may not have used in the past for an usually high amount. Feeling upset or annoyed you call the phone number provided to dispute the charge and ask for your money back.

That was your first mistake. The second is letting strangers access your computer remotely for them to uninstall the product in order to avoid the charge. Before you know it your computer is locked and displaying random popups.

In this blog, we follow the trail from victim to scammer and identify one group running this shady business practice.

Fake renewal notifications

We’ve received a number of similar reports from people that have been scammed or simply wanted to alert us. It starts from an email using branding from a number of security companies, although in this blog we will focus on those that impersonate Malwarebytes.

The email includes an invoice renewal for the product stating that it has already been processed via credit card. The amount usually is in the $300 to $500 range, which is a lot more than what we normally charge.

The scammers are hoping victims will call them to dispute the automatic renewal. In the heat of the moment, most people would not think to check their bank or credit card statement instead.

This scheme is essentially a lead generation mechanism, just like what we see with fake browser alerts (browlocks). It just happens to use a different delivery vector (email) and is perhaps just as, if not more effective.

Remote access and sales pitch

Victims are instructed to visit a website to give the ‘technician’ access to their computer. The reason given is that the service needs to be uninstalled first before a refund can be granted.

In this instance, the scammers asked us to visit zfix[.]tech, a website linking to a number of remote access programs. They asked us to download TeamViewer and share the ID and password so they could connect.

They also quietly downloaded and installed another program (SupRemo) to maintain unattended access. This means that even if you shutdown TeamViewer, the scammers can still connect to your computer when they feel like it.

The next part of the scheme is interesting because it shows how the fraudsters are able to extort money from their victims. Since the renewal email is fake they have to find a way to trick you into paying them even if you refuse to.

The scammers take to their favorite tool, notepad, to start typing away about the risks of not renewing the service. They particularly insist on the fact that the computer may not work anymore if they proceed.

Locking up the machine

Scammers have been known to lock victims’ machines on numerous occasions. They typically use the SysKey Windows utility to put a password that only they know.

In this case, they used a different technique. Working behind the scenes, they downloaded a VBS script onto the machine which they placed into the Startup folder.

The Startup folder location is a loading point that can be abused easily because it can trigger code to run when the system loads Windows. Unsurprisingly, before parting ways, the scammers asked us to restart the machine to complete the uninstallation process.

After a restart, we see an alert dialog about the Windows license being out of date. This message keeps on showing despite clicking the OK button and also starts to open a number of browser windows to mimic some kind of malware infection.

At this point, you might be tempted to call the number for help but this would end in paying hundreds of dollars to fraudsters. There is a way to restore your computer safely which we cover in the next section.

Disabling the locking script

The first thing to do is disconnect your machine from the Internet. If it’s using a wired cord to the modem unplug it, otherwise simply turn off the modem or your WiFi access point.

Then proceed to disable the script:

  • Ctrl+Alt+Delete
  • Select Task Manager
  • Select Microsoft Windows Based Script Host
  • Click ‘End task’

Then delete the script:

  • Click ‘More details’ (if needed) in Task Manager
  • Choose ‘Run new task’
  • Type explorer in the box

Your Desktop will be visible again, allowing you to browse to:

C:\Users\[your username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

From there, delete the WIN LICENSE.vbs file

Identifying the scammers

We don’t always get too many details from scammers that could help us to identify who they are, but sometimes with luck, skill and tools like HYAS Insight we can shed light on adversary infrastructure. Here the scammers left a few trails with the VBS script but more importantly the first website we visited to download remote access software.

We were able to identify the registrant behind the zfix[.]tech domain as being Aman Deep Singh Sethi using the aman.techsquadonline@gmail[.]com email address. Pivoting on the associated phone number [+9]19810996265 we uncovered a larger piece of their scamming infrastructure as well as an associate named Swinder Singh.

Both individuals are registered as directors of a company in New Delhi called Lucro Soft pvt located at 14/28, F/F SUBHASH NAGAR NEW DELHI West Delhi DL 110027.

Although this company was incorporated in 2018, the scammers have been active since at least 2015 and used several different domain names and identities. We are blocking this infrastructure and reporting it for takedown as well. If you would like more information about this group, please get in touch with us.

An active scheme

This particular scheme has been very active for the past few months and it is difficult to estimate how many people fell victim to it.

Tech support scams have been around for many years and continue to be a huge problem in part because of the lack of action on the field where they are known to take place.

However, there is also a strong community out there that is pursuing scammers and giving back to victims. The likes of Jim Browning who made headlines for his hacking into the CCTV of a call centre are doing a tireless job. For this investigation, we used a Virtual Machine that was made by @NeeP that mimics a normal user desktop.

If you are a Malwarebytes customer and have any questions about your renewal, please visit our official page here.

Indicators of Compromise

Phone numbers:

1[-]833[-]966[-]2310
1[-]954[-]800[-]4124
1[-]909[-]443[-]4478 
1[-]877[-]373[-]2393
1[-]800[-]460[-]9661
1[-]325[-]221[-]2377
1[-]800[-]674[-]5706
1[-]855[-]966[-]6888
1[-]877[-]373[-]2393
1[-]866[-]504[-]0802

Emails:

aman.techsquadonline@gmail[.]com
aman.bigrock1@gmail[.]com
aman.bigrock2@gmail[.]com
aman.bigrock3@gmail[.]com

Domain names:

help-live[.]us
live-support[.]us
quick-help[.]us
network-security-alerts[.]com
cyberonservices[.]com
zfix[.]tech
2fix[.]tech
cybersmart[.]xyz
live-support[.]us
safebanking[.]biz
classifiedlookup[.]com
quickhelpdesk[.]in
cyberonservices[.]com
support247live[.]us
help-live[.]us
2fix[.]tech
cmdscan[.]info
rrlivehelp[.]com
delvelogic[.]us
quickhelpdeskk[.]us
quick-help[.]us
quickhelpdeskk[.]us
amazondevicesupports[.]xyz
live-online-support[.]info
help365[.]us
cyberonservices[.]com
rightassists[.]com
yahoomailhelplinenumber[.]com
hotmailhelplinenumber[.]com
webroot-support-number[.]com

The post Software renewal scammers unmasked appeared first on Malwarebytes Labs.

Categories: Techie Feeds

When contractors attack: two years in jail for vengeful IT admin

Tue, 03/23/2021 - 20:26

An IT contractor working for an IT consultancy company took it upon himself to perform an act of revenge against the firm he worked at, after they complained about his performance. The charge he faced was breaking into the network of a company in Carlsbad, California. And it got him two years in prison.

What happened?

Deepanshu Kher was helping a client to transition to a Microsoft Office 365 environment. But apparently the client company was so displeased with Kher’s performance that they complained about it to the consultancy company that despatched him. As a consequence, Kher got laid off and went back to India.

Some two months later, once he was outside of the US, Kher decided to infiltrate the California firm’s servers and deleted over 80% of employee Microsoft Office 365 accounts.

The aftermath

As employees were suddenly unable to access emails, contacts, calendars, stored documents, as well as Microsoft’s Virtual Teams remote management platform, they were unable to do their jobs. It took the company two days to get back in full swing. But all kinds of IT-related issues persisted for three more months after the cyberattack.

The arrest

The company informed the FBI about the incident and it wasn’t all that hard to figure out who the culprit was. Unaware of the outstanding warrant for his arrest, Kher was arrested while flying from India to the US. US District Court Judge Marilyn Huff charged Kher with intentional damage to a protected computer, a crime which can lead to up to 10 years in prison and a $250,000 fine.

Insider threat

The CERT Definition of an insider threat is:

 “Insider Threat – the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

Kher did have credentialed access to the network and the Office 365 environment as part of his job, and he certainly acted in a way that negatively affected the company. So we see this as an insider threat, even though he was no longer working for the victim.

Controlling insider incidents

While cybersecurity education and awareness are initiatives that every organization must invest in, there are times when these are simply not enough. Such initiatives may decrease the likelihood of accidental insider incidents, but not for negligence-based incidents, professional insiders, or other sophisticated attack campaigns. Organizations must implement controls and use software to minimize insider threat incidents.

The controls

Controls keep an organization’s system, network, and assets safe. They also minimize the risk of insider threats. Below are some controls organizations may want to consider adopting:

  • Block harmful activity. This includes preventing access to particular websites, or stopping employees from downloading and installing certain programs.
  • “Allow list” applications so that everything is blocked until and unless it is specifically allowed. This includes the file types of email attachments employees can open.
  • Use the principle of least privilege and give employee accounts the access they need, and nothing more.
  • Apply the same principle to data access, so data is only available to people whose job requires it—organizations should focus on this, too, when it comes to their telework or remote workers.
  • Put flags on old credentials. Former employees may attempt to use the credentials they used when they were still employed.
  • Create an employee termination process.

The last two points in particular could have helped prevent this incident. Both the consultancy company, and the victim, could have looked at this, or taken steps when they realised that Kher was unhappy about being laid off. But often when two entities are supposed to do something, they expect the other to do it. With the end result that neither did.

Worst case scenario

This was not a worst-case scenario. The contractor had access to one specific, albeit vital, part of the organization. I’m sure you can imagine someone in your organization that can do a lot more harm than that if they wanted to. Remember that when your roads part in the future. If they no longer work for you, they should not have access to your network.

Stay safe, everyone!

The post When contractors attack: two years in jail for vengeful IT admin appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The human impact of a Royal Mail phishing scam

Tue, 03/23/2021 - 18:34

Last week, we looked at a Royal Mail themed scam which has very quickly become the weapon of choice for phishers. It’s pretty much everywhere at this point. Even one of my relatives with a semi-mystical ability to never experience a scam ever, received a fake SMS at the weekend.

The problem with common attacks is we grow complacent, or assume it isn’t really a big deal. Sadly, they’re always going to be a problem for someone. It doesn’t matter how tech-savvy you are, nothing is bulletproof. Anybody, including myself, can be caught out by a momentary lapse in concentration.

People who lose out to internet fakery often feel guilty, or assume that they messed up somehow. Nobody wants to be laughed at via internet shenanigans. I’d like to think most folks are sympathetic when people are brave enough to speak out.

“Surely people don’t fall for these things” is a well worn refrain. Sadly they do, and one such person spelt out the awful cost last Sunday. They had indeed received a bogus Royal Mail text, and entered their payment details into the phishing page. How bad could things get?

We’re about to find out.

Things have gotten: very bad

The victim was asked for a bogus £2.99 postage fee last Friday, having not seen the scam warnings circulating online. Below is an example of the scam that Malwarebytes Labs received:

The text of the Royal Mail scam

Royal Mail: Your package Has A £2.99 shipping Fee, to pay this now please visit www[dot]royalmail-shippingupdate[dot]com. Your package will be returned if fee is unpaid

In our last post about it, we pointed out that these scams work because with so much online ordering going on during this cardboard-laden pandemic, people aren’t 100% sure what’s due to arrive. And that means speculative messages about fake parcels have a good chance of success.

A similar thing happened here. If the target wasn’t due a birthday, the scam may not have worked on them. But the message will have gone to lots of people, and one of them, perhaps many, will have been expecting a delivery. As it was, they were expecting “a couple of packages” and so “thought nothing else of it”.

This is absolutely the key moment where the battle was already lost.

The scam asks recipients to pay a £2.99 GBP fee, but of course the scammers are after much more. To pay the fee, the victim has to enter their personal details, and credit card details.

Scammers get to work

The victim’s bank accounts were compromised very quickly, and the phishers wasting no time at all in going for gold. A day or so after they paid the bogus fee, the bank contacted the victim to let them know what had gone wrong. As it turns out, quite a lot:

  • Multiple direct debits (recurring billing) for mobile phone companies and technology stores
  • Transactions of £300 for the Argos store
  • Debit cards for banking cancelled, with new ones issued as replacements
  • Brand new sort code / account numbers for her bank account, as those had been given to the phishers too

This is really bad news for the victim, and a massive inconvenience. Don’t forget the pandemic impact here, either. At a time when the ideal option is cashless / card payments only, this person now has no cards and no easy way to withdraw money either.

If this had been where it ended, that would be bad enough. However, things were sadly about to get worse.

Phished by phone

The bank phoned the victim asking them to transfer their money into their “replacement” account. I’m sure you can already see where this is going wrong. No bank is going to cold call a scam victim, and also ask them to start transferring money. Why can’t the bank do it?

The answer, unfortunately, is that the bank can do it. This cold caller was a scammer armed with details gathered from the scam page a day or so prior. The follow up strike gave the individual, who was already reeling from rapidly losing lots of money, no time to regain some balance or get their game face on. If this call had come a week or so after the initial phish, the next few paragraphs would possibly look quite different.

From bad to worse

Good news: the victim asked the person on the call to verify their bank credentials. Bad news: they forgot the phisher already had access to everything in their account. As a result, they listed account balances and other information to keep everything nice and convincing.

Two smaller transactions were sent to the “new” account, at which point the victim realised they were being scammed all over again. Every penny they had to their name was gone.

Having wool pulled over your eyes once is bad enough. To then hand over cash to the scammers by telephone is the icing on a very bitter cake. So-called safe account scams are quite the pain, and this is what caught them out second time around.

A simple phish, a massive problem

There is no real happy ending to this tale currently, outside some reassurance the victim will probably get most or all of their money back. Consider that this person’s nightmare scenario began with a simple, believable, SMS message claiming a package was being held.

A few keystrokes, some brief personal information entered on a phishing site with Royal Mail branding, and they’ve been plunged into a situation which could take weeks or more to resolve. All that stress, in the middle of the never-ending pandemic. It’s an awful story, and a chilling insight into how much is at stake every single time a throwaway phish lands in your mailbox or SMS tray.

We wish Emmeline all the best in recovering her money and commend her for her courage in coming forward and showing the true cost of these scams.

The post The human impact of a Royal Mail phishing scam appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Safe Connections Act could help domestic abuse survivors take control of their digital lives

Mon, 03/22/2021 - 23:30

A bill introduced in the US Senate could help domestic abuse and sex trafficking survivors—including those tracked by stalkerware-type applications—regain digital independence through swift, shared phone plan termination and the extension of mobile phone plan subsidies.

Titled the Safe Connections Act, the bill targets the significant problem of shared mobile phone contracts between abuse survivors and their abusers. For survivors in these situations, a shared mobile phone plan could reveal who the survivor has called and when. Shared mobile phone plans also complicate matters for survivors who hope to physically escape their abusers, as abusers could report phones owned in their name as stolen, weaponizing law enforcement to locate a survivor.

Democratic US Senator Brian Schatz, who is one of the sponsors of the bill, said that he hopes the Safe Connections Act will give control back to survivors.

“Giving domestic violence abusers control over their victims’ cell phones is a terrifying reality for many survivors,” Schatz said in a press release. “Right now there is no easy way out for these victims – they’re trapped in by contracts and hefty fees. Our bill helps survivors get out of these shared plans and tries to find more ways to help victims stay connected with their families and support networks.”

Importantly, the bill would also extend easier access to government-subsidized mobile phone programs, which means that survivors being tracked through stalkerware-type applications could more easily toss their compromised device and start anew.

What does the Safe Connections Act do?

The Safe Connections Act—which you can read in full here—was introduced earlier this year by a bipartisan slate of US Senators, including Sens. Schatz of Hawaii, Deb Fischer of Nebraska, Richard Blumenthal of Connecticut, Rick Scott of Florida, and Jacky Rosen of Nevada.

The bill has three core components to aid “survivors,” which the bill defines as anyone over the age of 18 who has suffered from domestic violence, dating violence, sexual assault, stalking, or sex trafficking.

First, if passed, the bill would place new requirements on mobile service providers—such as Verizon, AT&T, T-Mobile, and Mint Mobile—to more rapidly help survivors who request to remove either themselves or an abuser from a shared phone plan, whether the survivor is the primary account holder or not. Wireless phone companies will have to honor those requests within 48 hours, and in doing so, they cannot charge a penalty fee, increase plan rates, require a new phone contract under a separate line, require approval from the primary account holder if that account holder is not the survivor, or prevent the portability of the survivor’s phone number so long as that portability is technically feasible.

Also, in severing a shared phone contract, companies must also sever a contract for any children who are in the care of a survivor.

The bill specifies, though, that survivors who make these requests will have to show proof of an abuser’s behavior by submitting one of two categories of information. Survivors can submit “a copy of a signed affidavit” from licensed social workers, victim service providers, and medical and mental health care providers—including those in the military—or a survivor can submit a copy of a police report, statements provided by police to magistrates or judges, charging documents, and protective or restraining orders.

The second core component of the bill would require phone providers to hide any records of phone calls or text messages made to domestic violence hotlines. As the bill states, those providers must “omit from consumer-facing logs of calls or text messages any records of calls or text messages to covered hotlines, while maintaining internal records of those calls and messages.”

This provision would not come into effect until 18 months after the bill passes, and it would require the US Federal Communications Commission to create a database of those hotlines, providing updates every quarter. This section would also apply to providers of both wireless and wired phone services.

A possible stalkerware intersection

The third component of the Safe Connections Act could help survivors who are also facing the threat of stalkerware. The bill would enroll survivors who have severed their contract under the new powers of the bill into the government’s Lifeline phone assistance program “as quickly as feasible,” with a period of coverage in the program for a maximum of six months.

The Lifeline program, run by the FCC, attempts to provide subsidized phones and phone services to low-income communities. Extending program eligibility to survivors could help them physically escape their situations while offering them a quick opportunity to regain digital independence.

In fact, in Malwarebytes’ continued work to protect users from the threat of stalkerware, it has learned that many of those who suffer from stalkerware tracking often have to leave their cell phones behind and start with entirely new devices.

As Chris Cox, founder of Operation Safe Escape, told Malwarebytes Labs last year when discussing how to help survivors of domestic abuse who have encountered stalkerware on their devices:

“What we always advise, consistently, if an abuser ever had access to the device, leave it behind. Never touch it. Get a burner,” Cox said, using the term “burner” to refer to a prepaid phone, purchased with cash. “You have to assume the device and the accounts are compromised.”

With access to the Lifeline program, that purchase of a new device could become more feasible.

Unfortunately, the benefits of the Lifeline program must be looked at comprehensively. Last year, Malwarebytes Labs discovered that two Android devices offered through the Lifeline program actually came with pre-installed malware. The devices are no longer available through Assurance Wireless, which was the supplier contracted with the Lifeline program, but the broader point remains: No one should have to suffer lowered cybersecurity because of their income. With the Safe Connections Act, we hope that the Lifeline program’s unfortunate mishap does not repeat, harming even more communities.

The post Safe Connections Act could help domestic abuse survivors take control of their digital lives appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to enable Facebook’s hardware key authentication for iOS and Android

Mon, 03/22/2021 - 21:33

Since 2017 desktop users have had the opportunity to use physical security keys to log in to their Facebook accounts. Now iOS and Android users have the same option too. Physical security keys are a more secure option for two-factor authentication (2FA) than SMS (which is vulnerable to SIM swap attacks and phishing), and apps that generate codes or push notifications (which are also vulnerable to phishing).

Two-factor authentication (2FA)

2FA is the least complex version of multi-factor authorization (MFA) and was invented to add an extra layer of security to the—now considered old-fashioned and insecure—simple login procedure of using a username and password. By definition, 2FA depends on two different methods of identifying a user.

Authentication factors are commonly divided into three groups:

  • Something you know, such as a password.
  • Something you have, such as a code sent by SMS, or a hardware key.
  • Something you are, such as your face or fingerprints.

Different 2FA schemes typically rely on users providing a password and one of the other factors. If you are an Android or iOS user, Facebook will now let you authenticate yourself with a password (something you know) and a hardware security key (something you have).

Hardware security keys

Hardware keys, also known as physical security keys, connect to your device via USB-A, USB-C, Lightning, NFC, or Bluetooth, and are portable enough to be carried on a keychain.

Most of them use an open authentication standard, called FIDO U2F. U2F enables internet users to securely access any number of online services with one single security key, with no drivers or client software needed. 

FIDO2 is the latest generation of the U2F protocol and it allows devices other than hardware keys, such as fingerprint sensors or laptops and phones with face recognition, to act as hardware keys.

How do security keys work?

You can use a hardware security key for as many accounts as you like. Once the key has been set up to work with a service, logging in is as simple as inserting the security key into your device (or wirelessly connecting it) and pressing a button on the key itself.

Behind the scenes, the security key is presented with a challenge by your web browser or app. It then cryptographically signs the challenge, verifying your identity.

Setting up Facebook for physical security keys

To add a physical security key as a 2FA factor for Facebook, open Facebook on your device and open the menu.

In the Menu click on Settings under Settings and Privacy.

You will see the Account Settings menu. Click on Security and Login under Security.

You will see the Security and Login menu. Click on Use two-factor authentication under Two-Factor Authentication.

In the Two-Factor Authentication menu select the Security Key option and click on Continue.

From there, follow the instructions that are device and key-specific to add your security key as an extra factor of authentication.

Privacy and security

Imagine all the information an attacker might find out about you if they should get hold of your Facebook credentials. It’s not just all your public, and private posts, but your Messenger conversations as well. The first thing a successful attacker will do is enable 2FA to lock you out. So get ahead in the game and enable it yourself. Any 2FA is better than none, but a security key is the most secure form of 2FA.

Stay safe, everyone!

The post How to enable Facebook’s hardware key authentication for iOS and Android appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Report goes “behind enemy lines” to reveal SilverFish cyber-espionage group

Mon, 03/22/2021 - 11:42

The PRODAFT Threat Intelligence Team has published a report (pdf) that gives an unusually clear look at the size and structure of organized cybercrime.

It uncovered a global cybercrime campaign that uses modern management methods, sophisticated tools—including its own malware testing sandbox—and has strong ties with the SolarWinds attack, the EvilCorp group, and some other well-known malware campaigns.

SilverFish uncovered

The research team managed to do a full investigation of one of the SilverFish group’s Command and Control (C2) servers, after detecting an online domain (databasegalore[.]com) from previously published Identifiers of Compromise (IOCs).

It was possible for researchers to create a unique fingerprint of one of the online servers by using multiple metrics, such as installed software. After 12 hours of global scans of the IP4 range, they identified more than 200 other hosts with a very similar setup.

According to the report this “enabled the PTI Team to access the management infrastructure” of the group and learn significant information about how the group worked, who it had attacked, and how.

Sophisticated organization

What the researchers found was a highly sophisticated group of cybercriminals targeting large corporations and public institutions worldwide, with a focus on the EU and the US. They named this organization the SilverFish group.

By linking together the C2 servers they found, and comparing them to known IOCs, the researchers were able to connect the SilverFish group to the infamous SolarWinds attacks.

A large subset of the servers the researchers identified were also used by the infamous EvilCorp group, which modified the TrickBot infrastructure for the purpose of a large-scale cyber espionage campaign.

Links to SolarWinds

The report describes a “significant overlap” between the 4,700 victims identified during the investigation and organizations affected by the SolarWinds attacks. A significant part of the large infrastructure was found to have strong connections with the SolarWinds IOCs shared by three different security companies. The conclusion being that these servers most likely took part in the SolarWinds campaign.

Links to Trickbot

By looking at the group’s tactics, techniques, and procedures (TTP), combined with the technical complexity of the SilverFish group’s attacks, PRODAFT was able to detect similar findings in the c2 server, command statistics, infection dates, targeted sectors and countries, tools used during the attacks, executed commands, and other information that was very similar to those used by TrickBot.

So, is this group related with TrickBot? Not likely, but the research shows that the SilverFish group is using a similar version of the TrickBot infrastructure and codebase. It also found evidence of WastedLocker malware and other TTPs that matched with both EvilCorp and SolarWinds.

Links to EvilCorp

EvilCorp is the name of a vast, international cybercrime network. The alleged leaders of this network are very high on the FBI’s wanted list. In 2019, US authorities filed charges against EvilCorp’s alleged leaders, Maksim Yakubets and Igor Turashev, accusing them of using malware to steal millions of dollars from groups, including schools and religious organizations, in over 40 countries. EvilCorp is held responsible for the development and distribution of the Dridex and WastedLocker malware.

Malwarebytes’ Threat Intel Team commented:

Prodaft also mentions ties with the WastedLocker ransomware thought to be operated by EvilCorp, likely from the Traffic Distribution System analysis. One of the hostnames in particular is related to the SocGholish social engineering toolkit and is used to fingerprint victims before distribution of the final payload.

Management

According to PRODAFT, the main dashboard of the SilverFish C2 control panel features a section named “Active Teams”. SilverFish uses a team-based workflow model and a triage system similar to modern project management applications. Each user can write comments about each victim. Based on these (mainly Russian) comments, the researchers gained a better understanding of the motivation of the group and the prioritization of the victims—operations were prioritized based on these comments.

A hierarchy was also found to be present in the comments on the C2 server, enabling management of different targets, assignment of these targets to different groups and triage of incoming victims.

Targets

The main areas of focus for the SilverFish group appear to be the US and Europe, with each region serviced by different teams. They also seem to primarily target critical infrastructure. Successfully compromised victims were found in nearly all critical infrastructures (as defined in the NIST Cyber Security Framework).

The SilverFish group predominantly targets critical entities like energy, defense, and government or Fortune 500 enterprises. Second, the researchers found comments in the C2 servers that indicate ignoring victims like universities, small companies, and other systems which they consider worthless.

Approximately half of the victims were found to be corporations which have a market value of more than $100 million USD, as per their public financial statements.

WordPress

In contrast to traditional attacks that use a domain name purchased via means of anonymous payments, SilverFish is using hacked domains for redirecting traffic to their C2 control panel.

To avoid disrupting the legitimate traffic of the hacked website, the SilverFish group creates new subdomains, which makes it almost impossible for a website owner to understand that their domain is being exploited in an attack. The frequency in which they change domains would imply that the SilverFish group has more than 1,000 already compromised websites, which are rotated almost every other day.

A significant number of these compromised websites were using WordPress. The report notes that while it is possible to buy login credentials from underground markets, “the amount of compromised websites with the same software shows us that the SilverFish group might also be leveraging 0-day or N-day exploits.” WordPress is, by far, the world’s most commonly used web Content Management System, and out-of-date installations and vulnerable plugins provide no shortage of targets.

Post-exploitation

Perhaps unsurprisingly, the SilverFish group was found to make extensive use of publicly available “red teaming” tools such as Empire, Cobalt Strike and Mimikatz, as well as Powershell, BAT, CSPROJ, JavaScript and HTA files used for enumeration and data exfiltration.

Executed Cobalt Strike beacons use domain fronting for communicating to the C2 server. Domain fronting obscures the eventual destination of HTTP traffic by relaying it from the server listed in the publicly-readable SNI portion of a request, to a different server listed in the private (encrypted) Host header.

The main goals of the SilverFish group are likely to be covert reconnaissance and data exfiltration. According to PRODAFT, the commands and scripts the SilverFish group use “strongly indicates sophistication and an advanced post-exploitation skillset”.

Remote sandboxing

The most astounding find the researchers uncovered was that the SilverFish group has designed an unprecedented malware detection sandbox, formed by actual enterprise victims, which enables the adversaries to test their malicious payloads on live systems with different enterprise AV and EDR solutions (enterprise systems can be hard for criminals to acquire).

Malwarebytes Threat Intel Team commented:

Machines are profiled and used as a testing ground, a sort of live antivirus testing platform featuring many different EDR products.

The SilverFish attackers were using this system to periodically test their malicious payloads on more than 6,000 victim devices, scripts, and implants. According to the report, the SilverFish group members appear to be tracking the detection rate of their payloads in real time.

Level of sophistication

PRODAFT says “we believe this case to be an important cornerstone in terms of understanding capabilities of organized threat actors”, and it is hard to disagree.

Although ransomware groups can be well organised, they are mostly engaged in noisy smash-and-grab raids. The SilverFish group is something different. According to PRODAFT it is an “organization that operates in an organized and disciplined manner in a hierarchical environment, one that is even highly compartmentalized,” that takes a “structured approach to covert cyber-espionage.”

Attribution

The Prodaft researchers refrain from attribution, but there are some strong pointers which can be found in their extensive report.

  • Russian comments and use of Russian slang words on the C2 servers.
  • Indications that the group is sparing countries that were part of the former USSR and still have strong ties with Russia.
  • The group is active during European work hours, with most of its activity recorded between 08:00 and 20:00 (UTC).
  • The attention to critical infrastructure, and major companies in the US and Europe.

Attribution is hard and sometimes the conclusion you come to is the one the threat-actors want you to reach. But if it walks like a duck and quacks like a duck….

The post Report goes “behind enemy lines” to reveal SilverFish cyber-espionage group appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (March 15 – 21)

Mon, 03/22/2021 - 10:00

Last week on Malwarebytes Labs, our podcast featured Adam Kujawa, who talked us through our 2021 State of Malware report.

We cover our own research on: Other Cybersecurity news

Stay safe, everyone!

The post A week in security (March 15 – 21) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Resident Evil 8 just the latest game plagued by fake demos and early access scams

Sat, 03/20/2021 - 10:38

There’s been a number of scams targeting fans of major upcoming video game releases over the last week or two. Why is this happening, and what can you do to ensure both you and your children avoid such fakeouts?

Preview power: the 80s and 90s

Back in the 80s, games reviews were only really found in dedicated gaming magazines like ZZap!64 or Amstrad Action. A couple of magazine publishers had the idea to distribute full games and demos on cassette tapes mounted to the cover. This led to some spectacular covertape related magazine warfare, distribution of games without permission, and copyright breach extravaganzas.

Downloadable demos: 2000s and beyond

When net-connected consoles blasted their way into homes from around the time of the original Xbox onward, this granted a second life to the old cover tapes and discs. Consoles came with demos pre-loaded, you could download demos or full games, and update purchased titles on the fly.

Consoles going digital slowly came with its own problems. Even so, the digital download revolution encouraged new funding models and ways to play games. Early access, where players are granted first look at a title by paying or for free, is where our latest scam lies.

What are the scammers doing?

Scammers are using demos and early access promises as bait for phishing and other forms of attack. The upcoming Resident Evil title, Village, currently has a spin-off demo version called “Maiden” on the Playstation 5 with other versions to follow. Enterprising phishers are distributing fake mails offering “Early access invitations” to play Village itself, which is the full game, set after the events of Maiden.

In this way, they’re trying to ride the wave of popularity for Maiden by encouraging people to get their hands on the rest of the content. The game developers, Capcom, also mention avoiding any files offered up by the phish. This sounds very much like the phishers were also dabbling in malware distribution.

We bring tidings. Bad tidings.

The full Capcom message sent to press reads as follows:

We’re sending this message as we’ve been made aware that there are currently emails circulating that pretend to contain “Early Access invitations” to Resident Evil Village. The sender address is being displayed as “no-reply(at)capcom(dot)com”.

We want to inform you that these messages are NOT from Capcom and appear to be phishing attempts by an unauthorized third party. If you have received such a message, please DO NOT download any files or reply, and delete the message immediately.

If you are unsure of the authenticity of correspondence from Capcom, please contact us directly to verify.

This is perfect bait for younger gamers who may not be aware of this type of scam attempt. No doubt it’ll have caught out many an adult gamer, too. That’s the most recent attempt at tricking people with fake early access. Shall we take a look at a slightly earlier effort?

Fake Beta build scammers come for Far Cry

Far Cry 6 is the soon to be released entry into Ubisoft’s unstoppable game series. Last month, a supposed “beta” build of the game was mentioned in emails to various influencers / content creators in the gaming space. The mail, flagged as being under embargo, comes complete with an access password. When the password is entered, and we’re not sure if they mean to open a zip or on a fake website, an infection is downloaded to the PC. According to potential victims, it “watches your screen and records everything you do”.

That’s bad enough. This is by no means the end of the wave of fake beta/early access/demo invites though.

Gaming a wide audience

In January, THQ Nordic warned of scam mails related to their game Biomutant. As with the other missives, it seems to focus on content creators / developers. Seeing developers state that no early builds of games are being mailed to people is bad news. Could one group specifically be trying this early access build gimmick? Or is everyone at it? Quite often, a new way to go on the offensive is posted to underground forums and then people go off and try it. That could be what is happening with these attacks, or it could just be coincidence.

As far as fake betas go, those have been around for a long time. A good example of this is Cyberpunk 2077, back in July of last year. How about a Fortnite Android beta scam from 2018? We can certainly round things out with a Valorant themed, malware laden closed beta key generator from last April.

Some tips to avoid fake beta/access scams
  1. At least some of these attacks are targeted towards gaming influencers or people with big platforms. As a result, this means you may not encounter a few of them. If you do fall into this category, basic security hygiene applies. Check the security of all your accounts and enable two-factor authentication if it’s available. Run up to date security software, and ensure all your devices are patched and up to date.
  2. Begin locking down your gaming accounts if you haven’t already. It might not just be your PC at risk from attacks. They could be after your console logins / details too. All major gaming consoles have plenty of security features. It’s well worth digging out their security documentation and shoring up any gaps in your defence.
  3. If a games developer emails you out of the blue, it’s fairly easy to figure out what’s real and what isn’t. Major titles announce betas, and early access programs clearly on websites, social media, and gaming portals. It isn’t left to random mail shots and mysterious attachments. If there’s no evidence of whatever you’ve been sent in some sort of official capacity, steer clear. Worst case scenario, you can always contact most developers on social media. They will likely be happy to help if what you’re showing them is a scam.
Press X to continue?

We recommend telling younger gamers in your household about these scams, and also the security solutions used to address them. The “exclusive preview build” technique aimed at influencers probably won’t remain aimed at them exclusively for very long, so watch out for that. You may as well get ahead of the game now before the inevitable next wave of beta invite scams land in mailboxes near you. There’s always something to think about in video game land.

The post Resident Evil 8 just the latest game plagued by fake demos and early access scams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Report reveals the staggering scale of Business Email Compromise losses

Fri, 03/19/2021 - 20:40

Internet crime is ever present, and with the ongoing pandemic, levels of scams and fraud were exceptionally high in 2020. Opportunistic fraudsters didn’t give a second thought to riding the COVID-19 wave and preying upon those who are truly in need of help, or those who truly want to help.

The Internet Crime Complaint Center (IC3), an arm of the FBI where internet users can report online fraud crimes, recently released the 2020 Internet Crime Report, an annual report that contains high-level information on suspected fraud cases reported to them and their losses. A state-by-state statistical breakdown of these cases were included in an accompanying report, 2020 State Reports, that you can browse through here.

The IC3 has found that the three biggest complaints they received in 2020 are phishing scams, which garnered the highest number of complaints (241,342), ransomware (2,474), and, perhaps the most striking of these, Business Email Compromise (BEC) (19,369). It’s striking, not because of the number of complaints but because BEC scams recorded the highest total losses by victims, at roughly $1.8 billion USD. Although phishing led to the highest number of complaints, victims “only” lost $54 million USD, a fraction of the money lost to BEC scams.

According to IC3, BEC can also be called Email Account Compromise (EAC). It may or may not involve a layered attack, depending on how a threat actor can better mimic the person they’re spoofing, and how much their target employee would be able to buy into the overall deception.

It starts off with an email, either from a compromised account or spoofed address, to make it look like it originated from a particular sender. The threat actor, usually posing as a higher-up within a company, contacts a more junior employee in the company who is cleared to perform funds transfers. The attacker gives the junior employee a plausible but urgent instruction to make a large, confidential transfer of money to a fake supplier.

“In 2020, the IC3 observed an increase in the number of BEC/EAC complaints related to the use of identity theft and funds being converted to cryptocurrency,” according to the report. “In these variations, we saw an initial victim being scammed in non-BEC/EAC situations to include Extortion, Tech Support, Romance scams, etc., that involved a victim providing a form of ID to a bad actor. That identifying information was then used to establish a bank account to receive stolen BEC/EAC funds and then transferred to a cryptocurrency account.”

We remind businesses, regardless of sector, to be aware of BEC attack trends and be very vigilant in combatting it. BEC scams rely, in part, on the pressure that junior employees feel when asked to comply with demands from senior employees, and told not to alert anyone else. Employees should be empowered to seek advice and take the time they need.

Also, if your company doesn’t have an extra layer or two of authentication before the request to transfer money is green-lit, put one in place now. A phone or video call is ideal.

True, these steps introduce a bit of friction into your company processes, but a little inconvenience and delay could your company millions of dollars.

Good luck!

Other post(s) on the subject of business email compromise:

The post Report reveals the staggering scale of Business Email Compromise losses appeared first on Malwarebytes Labs.

Categories: Techie Feeds

NFTs explained: daylight robbery on the blockchain

Thu, 03/18/2021 - 16:34

Did you hear about the JPG file that sold for $69 million?

I’ll give you some more detail, the JPG file is a piece of digital art made by Mike Winkelmann, the artist known as Beeple. The file was sold on Thursday by Christie’s in an online auction for $69.3 million. This set a record for artwork that exists only digitally. Which for many people raised the question: what’s to stop me from copying it and becoming an owner as well? After all, digital files can be copied ad infinitum, with no loss of quality.

Which is where non-fungible tokens (NFTs or “nifities”) come in. NFTs are the latest, most eyebrow-raising use of blockchain technology.

Non-fungible means the token has unique properties so it cannot be interchanged with something else. Money, for example, is fungible. You can break down a dollar or a bitcoin into change and it will still have the same value. An artwork is more like a house, each one is unique and can’t be broken into useful fractions. (Although for houses sometimes it is only the location that makes it different from its neighbors.)

But I made the analogy because for houses we have a ledger to keep track of who owns the house. If you want to know who owns a house, you look it up in the ledger. You can think of an NFT as a certificate of ownership for a unique object, virtual or tangible.

Art and technology

While the combination of art and technology may have sounded strange a century ago, nowadays they are no longer a rare combination. The first use of the term digital art was in the early 1980s when computer engineers devised a paint program which was used by the pioneering digital artist Harold Cohen. This became known as AARON, a robotic machine designed to make large drawings on sheets of paper placed on the floor.

Andy Warhol or David Hockney may be more familiar names, even for those that are not that into art. Andy Warhol created digital art using a Commodore Amiga where the computer was publicly introduced at the Lincoln Center, New York in July 1985. Hockney is huge fan of the iPad.

Art and NFTs

The maintenance of the digital ledger to keep track of who owns a digital work of art is done using blockchain technology. Blockchains make it almost impossible to forge records.

Copies of the blockchain are kept on thousands of computers and each item in the blockchain is cryptographically linked to every item that comes after it. Forging a record in a blockchain ledger means re-doing the transaction you want to forge, and every subsequent transaction, on a majority of all the copies in existence, at the same time.

Unlike bitcoins, each NFT is unique and can contain details like the identity of its owner or other metadata. NFTs also include smart contracts. Smart contracts store code instead of data in a blockchain, and execute when particular conditions are met. An example of an NFT smart contract might give an artist a percentage of future sales of their work.

But to answer the original question, this doesn’t stop anyone from copying a digital masterpiece and enjoying it at home. The NFT ledger only shows who the owner of the original is.

Stolen NFTs

Even though the blockchain technology itself is secure, the applications that are built on or around it, such as websites or smart contracts, don’t inherit that security, and that can cause problems.

Users of the digital art marketplace Nifty Gateway reported hackers had taken over their accounts and stolen artwork worth thousands of dollars over the weekend.

Someone stole my NFTSs today on @niftygateway and purchased $10K++ worth of today’s drop without my knowledge. NFTs were then transferred to another account.

Some victims reported that the digital assets stolen from their accounts were then sold on the chat application Discord or on Twitter. The underlying problem, according to many claims, was that the thieves hacked the owner’s accounts. They then used the accounts to sell, buy, and re-sell NFTs.

This is possible because blockchain security is designed to prevent forgery, not theft. If somebody steals your NFT and sells it, the blockchain will faithfully record the sale, irreversibly.

Art turned into NFT without the artist’s knowledge

Some artists are reporting their work has been stolen and sold on NFT sites without their knowledge or permission. In some cases, the artist only learned about the theft weeks or even years later, having stumbled upon their work on an auction site. The people creating the NFT had no ownership and probably just copied the artwork from the artist’s website.

Identifying the original file

The way NFTs are set up now they depend too much on URLs that might end up broken at some point in time. Or get hijacked by some clever threat actor. Jonty Wareing did an analysis on how Nifty references the original and was not impressed. He expressed his concerns on Twitter. He found the fact that both the NFT token for the json metadata file as well as the IPFS gateway are defined by URLs set up by the seller. IPFS is a distributed system for storing and accessing files, websites, applications, and data.

The NFT token you bought either points to a URL on the internet, or an IPFS hash. In most circumstances it references an IPFS gateway on the internet run by the startup you bought the NFT from.

Which means when the startup who sold you the NFT goes bust, the files will probably vanish from IPFS too

Problems with art and NFTs

The reported crimes are made possible by three apparent flaws in the way the system was set up.

  • It is possible to create more than one NFT for the same work of art. This creates separate chains of ownership for the same work of art.
  • If no NFT exists for a certain work of art, creating one does not require you to be the owner. This creates false chains of ownership.
  • The references defining the original depend too heavily on URLs that are vulnerable and could vanish at some point.

To circle back to our analogy with real estate, the only way a ledger can be expected to give an accurate account of ownership is by having one central ledger that checks whether the first owner did buy the object directly from the creator. The creation of such a new ledger should also include a check whether there is not an existing registration for the same object to avoid creating a duplicate. And for digital files we need a better way to define them. Storing URLs in the blockchain will protect the URL and not the underlying file.

The post NFTs explained: daylight robbery on the blockchain appeared first on Malwarebytes Labs.

Categories: Techie Feeds

HelloKitty: When Cyberpunk met cy-purr-crime

Thu, 03/18/2021 - 12:01

On February 9, after discovering a compromise, CD Projekt Red (CDPR) announced to its 1+ million followers on Twitter that it was the victim of a ransomware attack against its systems (and made it clear they would not yield to the demands of the threat actors, nor negotiate).

Cyberpunk 2077, the latest game released by CD Projekt Red and once hailed as the “most anticipated game of the decade”, was released in December 2020 with many calling it an “unplayable mess”.

No surprise then that some people suspected that enraged gamers were hitting back at the company for releasing the game in that state. But infamous ransomware hunter Fabian Wosar (@fwosar), of Emsisoft begged to differ.

The amount of people that are thinking this was done by a disgruntled gamer is laughable. Judging by the ransom note that was shared, this was done by a ransomware group we track as "HelloKitty". This has nothing to do with disgruntled gamers and is just your average ransomware. https://t.co/RYJOxWc5mZ

— Fabian Wosar (@fwosar) February 9, 2021

Although what he said was an informed claim, we cannot say for sure what hit CDPR until a ransomware sample is retrieved and analyzed. Nevertheless, the name-check was enough to put the HelloKitty ransomware family in the headlines.

HelloKitty ransomware

The HelloKitty ransomware, also known as Kitty ransomware, was first seen in November 2020, a few months after the first variants of Egregor were spotted in the wild.

CEMIG (Companhia Energética de Minas Gerais), a Brazilian electric power company, revealed on Facebook in late December 2020 that it was a victim of a cyberattack. Succeeding reports revealed that HelloKitty was the ransomware behind it, and that this ransomware strain was used to steal a large amount of data about the company. The attack didn’t cause any damage, however, but it caused the company to suspend its WhatsApp and SMS channels, and its online app service.

This ransomware family was named after a mutex it used called “HelloKittyMutex.”

Some researchers refer to HelloKitty as DeathRansom—a ransomware family that, based on its earlier variants, merely renames target files and doesn’t encrypt them. We speculate, however, that HelloKitty was built from DeathRansom. As such, Malwarebytes detects this ransomware as Ransom.DeathRansom.

The threat actors behind HelloKitty ransomware aren’t as active as some other threat groups, so there is little information about it. Below is what we know so far.

Infection vector

According to SentinelLabs, current intelligence suggests that HelloKitty arrives via phishing emails or via secondary infection from an initial malware attack.

Symptoms HelloKitty ransom note

Systems affected by HelloKitty ransomware display the following symptoms:

1. Terminated processes and Windows services. Once it reaches an affected system and executes, HelloKitty terminates processes and Windows services that may interfere with its operation. These processes are generally associated with security software, backup software, accounting software, email servers, and database servers (to name a few). Overall, it can target and terminate over 1,400 processes and services.

It performs the termination process using taskkill.exe and net.exe, two legitimate Microsoft Windows programs.

SentinelLabs also notes that if there are processes HelloKitty cannot terminate using these executables, it then taps into Windows’s Restart Manager to perform the termination.

2. Encrypted files with .KITTY or .CRYPTED file extensions. On Windows systems, HelloKitty ransomware uses a combination of AES-128 + NTRU encryption. On Linux systems, it uses the combination AES-256 + ECDH. These encryption recipes are not known to have any weaknesses, making decryption impossible without a key.

Encrypted files will have the .kitty or .crypted file extension appended to the file names. For example, an encrypted sample.mdb file will either have the sample.mdb.kitty or sample.mdb.crypted file names.

3. Targeted ransom note. The HelloKitty ransom note is usually a plain text file bearing either the name read_me_lkdtt.txt or read_me_unlock.txt that references its target and/or its environment. For a sample content of the note, below is a portion of the CEMIG ransom note as follows:

Hello CEMIG!

All your fileservers, HyperV infrastructure and backups have been encrypted!

Trying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss of data!

The only way to recover your files is by cooperating with us.

To prove our seriousness, we can decrypt 1 non-critical file for free as proof. We have over 10 TB data of your private files, databases, personal data… etc, you have 24 hours to contact us, another way we publish this information in public channels, and this site will be unavailable.

The ransom note also includes a .onion URL that victims can open using the Tor browser. URLs are different for each victim.

4. Deleted shadow copies. Similar to other well-known ransomware families like Phobos and Sodinokibi, HelloKitty deletes shadow copies of encrypted files on affected systems to prevent victims from restoring them.

Indicators of Compromise (IOCs)

Tor Onion URLs:

  • 6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion
  • x6gjpqs4jjvgpfvhghdz2dk7be34emyzluimticj5s5fexf4wa65ngad.onion

SHA256 hashes:

  • 78afe88dbfa9f7794037432db3975fa057eae3e4dc0f39bf19f2f04fa6e5c07c
  • fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb
  • c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e
  • 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
  • 38d9a71dc7b3c257e4bd0a536067ff91a500a49ece7036f9594b042dd0409339

The post HelloKitty: When Cyberpunk met cy-purr-crime appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mother charged with using deepfakes to shame daughter’s cheerleading rivals

Thu, 03/18/2021 - 09:11

A Pennsylvania woman reportedly sent doctored photos and videos of her daughter’s cheerleader rivals to their coaches, in an attempt to embarrass them and get them kicked off the team. She’s alleged to have used deepfake technology to create photo and video depictions of the girls naked, drinking, and vaping, law enforcement officials said.

The woman—50-year-old Raffaela Spone—was arrested in early March and charged with multiple misdemeanor counts of cyberbullying, after targeting three teen girls in Victory Vipers, her daughter’s cheerleading squad, and three counts of harassment. However, she was later released on the condition that she attends her preliminary hearing on March 30.

A deepfake, is a realistic fake image or video that uses machine learning to replace the original subject with somebody else’s likeness. The usual recipe needed to create one is a deepfake tool, which are becoming widely accessible online, the original image or video, and a photo or photos of the person being added to it.

According to reports, Spone likely used images from the girls’ social media accounts to create the fake media. She also anonymously sent harassing text messages from multiple fake phone numbers to the girls, their parents, and the owners of the gym where the cheerleading squad practiced. Some messages contained deepfakes, and some messages urged them to kill themselves, according to The Philadelphia Inquirer.

Police were able to identify that the fake numbers Spone used belonged to an app called Pinger. This allowed them to acquire the IP address messages were coming from, and then use the IP to acquire Spone’s home address and phone carrier. Further searches on Spone’s phone revealed evidence tying her to the deepfakes.

Per court records, there was no indication that her daughter knew what her mother was doing.

“Here are some of my concerns in this case,” said Bucks County District Attorney Matt Weintraub during a news conference Monday, “[deepfake] tech is now available to anyone with a smartphone. Your neighbor down the street, somebody who holds a grudge—you’ll just have no way of knowing. This is prevalent.”

He continued, “This is also another way for an adult to now prey on children, as is the case of the allegations in this instance.”

Crimes committed by Spone was something Henry Ajder, a deepfake researcher, saw coming. Speaking to The New York Times, Ajder, who anticipates that deepfake depictions will become more realistic in the next five years, is concerned they could be used to “attack individuals, create political disinformation … conduct fraud and manipulate stock markets”.

Robert Birch, Spone’s attorney, revealed to WPVI-TV, a local network, that his client has received death threats after reports about the deepfakes appeared in the press.

Victory Vipers apologized to all individuals involved in this case. “Victory Vipers has always promoted a family environment and we are sorry for all individuals involved. We have very well-established policies, and a very strict anti-bullying policy in our program.” said Mark McTague and Kelly Cramer in a statement.

“When this incident came to our attention last year we immediately initiated our own internal investigation and took the appropriate action at the time. This incident happened outside of our gym. When the criminal investigation ensued, we fully cooperated with law enforcement. All athletes involved, are no longer a part of our program.”

Other posts on the subject of deepfake:

The post Mother charged with using deepfakes to shame daughter’s cheerleading rivals appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Apple shines and buffs Mac security—Is it enough to stop today’s malware?

Wed, 03/17/2021 - 15:26

There’s a lot going on in the Mac security world lately.

Over the last few months, Apple has ramped up security efforts across its platforms. From an endpoint security framework overhaul of macOS Catalina to phasing out kernel extensions, the tech giant has been battening down the hatches—especially of macOS and Mac computer hardware.

Despite Apple’s best efforts—or perhaps as a result of them—the Mac threat landscape has become even more dangerous. But instead of welcoming allied assistance via third-party security vendors, Apple is closing the gate. And cybercriminals are closing the gap.

A crack in the Mac door

It seems like only yesterday there weren’t many breaking news stories on Mac security threats to bite into. In fact, news on Apple cyberthreats wasn’t just infrequent—it was inconsequential. But over the last few years, credible threats, exploits, and hacks of Apple products have become more persistent. There was KeRanger ransomware in 2016. Several effective Mac-facing miners joined the crypto-rush in 2018. The iOS vulnerability exploited by checkm8 rattled quite a few cages in late 2019.

However, from the start of 2020 onward, the malicious momentum has been building. In the 2020 State of Malware Report, Malwarebytes researchers found that Mac malware—primarily backdoors, data stealers, and cryptominers—had risen by 61 percent over the previous year.

2020 served Apple users with a number of targeted attacks using RATs and APTs developed by nation-state actors from China, North Korea, and Vietnam. Some of these made their way into the wild; others appeared on journalists’ iPhones. ThiefQuest, a Mac malware masquerading as ransomware, was discovered in mid-2020.

Despite having the most locked-down security system of Apple’s platforms, iOS was particularly pummelled in the last year. A zero-click exploit remained unpatched for six months of 2020, leaving innocent iPhone users unaware that anyone nearby could completely take over their device without touching it. In November 2020, Apple released patches for three zero-day vulnerabilities in iOS and iPadOS that were being actively exploited in the wild.

Unfortunately, 2021 is proving to be similarly rotten for Apple. Just last week, the company released a patch for iPhone, iPad, and MacBook for a bug that could allow code execution through websites hosting malicious code. Reading between the lines, this means its browsers were vulnerable to exploits that could be launched from malicious website content, including images and ads.

While Apple didn’t comment on whether this particular vulnerability had been discovered by cybercriminals, the company released patches for three separate security bugs that were being actively exploited in January 2021. (Note: These are a different three vulnerabilities than the zero-days found in November.) And just a couple weeks ago, there was Silver Sparrow.

Silver Sparrow is a new Mac malware that swooped in on February 18 and was found on nearly 40,000 endpoints by Malwarebytes detection engines. At first considered a reasonably dangerous threat (researchers now believe it’s a form of adware), Silver Sparrow is nevertheless a malware family of intrigue for showcasing “mature” capabilities, such as the ability to remove itself, which is usually reserved for stealth operations.

One of Silver Sparrow’s more advanced features is the ability to run natively on the M1 chip, which Apple introduced to macOS in November. The M1 chip is central to Apple’s latest security features for Mac computers, and that makes it central to the apparent security paradigm shift happening within the company’s walls.

Apple security paradigm shift

And what paradigm shift is that? Macs running the M1 chip now support the same degree of robust security Apple consumers expect from their iOS devices, which means features like Kernel Integrity Protection, Fast Permission Restrictions (which help mitigate web-based or runtime attacks), and Pointer Authentication Codes. There are also several data protections and a built-in Secure Enclave. Put plainly: Apple have baked security directly into the hardware of their Macs.

But the security changes aren’t limited to the M1 chip or even macOS. On February 18, the company released its Platform Security Guide, which details the changes in iOS 14, iPadOS 14, macOS Big Sur, tvOS 14, and more—and there are many. From an optional password manager feature in Safari that looks out for saved passwords involved in data breaches to new digital security for car keys on Apple Watches and the iPhone, the security sweep appears to be comprehensive. In the guide preamble, Apple touts:

“Apple continues to push the boundaries of what’s possible in security and privacy. Apple silicon forms the foundation for…system integrity features never before featured on the Mac. These integrity features help prevent common attack techniques that target memory, manipulate instructions, and use JavaScript on the web. They combine to help make sure that even if attacker code somehow executes, the damage it can do is dramatically reduced.”

Looking at the collective security improvements made to Macs over the last several months—the M1 chips, changes to system extensions, an entirely new endpoint security framework—it appears Apple is making great strides against the recent uptick in cyberattacks. In fact, they should be commended for developing many beneficial technologies that help Mac (and iPhone) users stay more secure. However, not all of the changes are for the better.

Securing themselves in the foot

Unlike their Microsoft counterparts, Apple have been historically far more reticent about working with others—and that extends to third-party antivirus programs and security researchers alike. Their recent security upgrades for macOS and MacBook hardware are, unfortunately, right on brand.

The security components of M1-based Macs are harder to analyze and verify for those looking in from the outside. Security researchers and the tools they use may be thwarted by a less-than-transparent environment. Essentially, the new developments have hidden Mac defenses behind castle walls, which could make it more difficult for users, businesses, or analysts to know whether their devices have been compromised.

In a recent article in the MIT Technology Review, journalist Patrick Howell O’Neill said that Apple’s security succeeds in keeping almost all of the usual bad guys out, but when the most advanced hackers do break in, “Apple’s extraordinary defenses end up protecting the attackers themselves.” Those threat actors with the resources to develop or pay for a zero-day exploit can pole jump over the Apple security wall and, once inside, move around fairly undetected because of its locked-down, secretive nature.

Mac system extensions and the endpoint security framework introduced in Catalina are similarly problematic. Third-party software developers must apply to Apple for system extensions, and they aren’t just handing them out like masks and sanitizer. Once a developer gets a system extension approval from Apple, though, that developer’s software is protected by System Integrity Protection—and it’s nearly impossible to remove the extension unless you’re the owner of the software.

That’s great for legitimate third-party software programs, like Malwarebytes for Mac, especially in protecting against outside threats that might try to disable security software during an attack. But not every company that applies for system extensions is legitimate.

There have already been a few examples of developers known for cranking out potentially unwanted programs (PUPs) getting extensions from Apple. Because of this, some PUPs can no longer be fully removed by Malwarebytes (or any other security vendor) from Mac computers running Catalina or Big Sur. And while there are some ways that users can manually remove these programs, they are by no means straight-forward or intuitive.

No matter the malware

There’s been much fuss made about “actual” Mac malware in the press (and in this very article), but PUPs and adware are a significant issue for Mac computers. Cue the classic rebuttal: “But it’s only PUPs!” While many like to trivialize them, PUPs and adware open the door for more vulnerabilities, making an attack by malicious software even easier. Adware, for example, can host malicious advertising (malvertising), which can push exploits or redirects to malicious websites. If the most recent vulnerability patched by Apple wasn’t already being exploited, that would have been a perfect opportunity for cybercriminals to penetrate the almighty Apple defenses.

As discovered in the State of Malware Report, PUPs represented more than 76 percent of Mac detections in 2020. Adware accounted for another 22 percent. Actual malware designed for Macs is but a small slice of the apple. But it’s a growing slice for businesses with Mac endpoints.

In 2020, Mac threat actors decided to take a page out of the Windows cybercriminal book and turn their attention toward larger organizations instead of individuals. To that end, Mac malware increased on business endpoints by 31 percent in 2020—remote work and all. There may not be as many “actual” malware attacks on Mac endpoints as on Windows, but the share of Macs in business environments has been increasing, especially since the start of the pandemic.

Apple has developed some impressive armor for its Macs, but it doesn’t protect against the full scope of what’s out there. Further, Apple only uses static rules definitions for its anti-malware protection, which means it won’t stop malware it doesn’t already recognize. A security program that uses behavioral detection methods (heuristic analysis), like Malwarebytes Endpoint Detection and Response, has the potential to catch a lot of bad apples that Apple hasn’t seen yet.

As time goes on, we’re increasingly in danger of a major attack waged against Macs. There are still a myriad of Mac users who don’t install any third-party security. Fundamentally, Macs still aren’t all that difficult to infect—even with all the bells and whistles. And by closing their systems, Apple is limiting the capabilities of additional third-party security layers to assist in stopping that major attack from doing major damage.

Apple’s days of sitting on the security fence are certainly over. Time will tell if their fortress-like defenses win out, or if they’ll eventually need to depend on their allies for assistance.

The post Apple shines and buffs Mac security—Is it enough to stop today’s malware? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

FBI warns of increase in PYSA ransomware attacks targeting education

Wed, 03/17/2021 - 11:39

On March 16, the Federal Bureau of Investigation (FBI) issued a “Flash” alert on PYSA ransomware after an uptick on attacks this month against institutions in the education sector, particularly higher ed, K-12, and seminaries. According to the alert [PDF], the United Kingdom and 12 states in the US have already affected by this ransomware family.

#FBI reporting notes a recent increase in PYSA ransomware targeting education institutions in 12 US states and the UK. PYSA, aka Mespinoza, is a malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. https://t.co/FxoYZZKo7V pic.twitter.com/NOPAcEFxM8

— FBI Buffalo (@FBIBuffalo) March 16, 2021

PYSA, also known as Mespinoza, was first spotted in the wild in October 2019 where it was initially used against large corporate networks.

CERT France issued an alert a year ago about PYSA widening its reach to include French government organizations, and other governments and institutions outside of France. PYSA was categorized as one of the big-game hunters, joining the ranks of Ryuk, Maze, and Sodinokibi (REvil). “Big-game” ransomware attacks target entire organizations, with threat actors operating their ransomware manually, after spending time breaking into and an organization’s networks and conducting reconnaissance.

PYSA/Mespinoza can arrive on victims’ networks either via phishing campaigns or by brute-forcing Remote Desktop Protocol (RDP) credentials to gain access.

Before downloading and detonating the ransomware payload, threat actors behind this ransomware were also found to conduct network reconnaissance using open-source tools like Advanced Port Scanner and Advanced IP Scanner. They also install other such tools, such as Mimikatz, Koadic, and PowerShell Empire (to name a few), to escalate privileges and move laterally.

The threat actors deactivate security protection on the network, exfiltrate files, and upload the stolen data to Mega.nz, a cloud-storage and file-sharing service. After this, PYSA is then deployed and executed. All encrypted files in Windows and Linux, the two platforms this ransomware primarily targets, will have the .pysa suffix.

The FBI report also reveals a possible double extortion tactic that might occur against victims: “In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort
victims to pay a ransom.”

In the last six months, the FBI and other law enforcement organizations have been warning the education sector about increased threat activity against them. And this isn’t just limited to ransomware attacks. Phishing campaigns and domain typosquatting also come into play.

The FBI’s “Flash” alert includes these recommended mitigations for potential targets.

To prevent attacks:

  • Install security updates for operating systems, software, and firmware as soon as they are released.
  • Use multi-factor authentication wherever possible.
  • Avoid reusing passwords for different accounts and implement the shortest acceptable timeframe for password changes.
  • Disable unused RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with the lowest privileges you can.
  • Use up-to-date anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Provide users with training on information security principles and techniques as well as emerging cybersecurity risks.

To mitigate the effects of an attack:

  • Back up data and use air gaps and passwords to make them inaccessible to attackers.
  • Use network segmentation to make lateral movement harder.
  • Implement a recovery plan and keep multiple copies of sensitive or proprietary data in physically separate, segmented, secure locations.

The post FBI warns of increase in PYSA ransomware attacks targeting education appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Teen behind 2020 Twitter hack pleads guilty

Wed, 03/17/2021 - 10:00

The so-called “mastermind” behind the 2020 Twitter hack that compromised the accounts of several celebrities and public figures—including President Barack Obama, Bill Gates, and Elon Musk—pleaded guilty to several charges on Tuesday in a Florida court.

As part of an agreed-upon plea deal with prosecutors, Graham Clark will serve three years in juvenile prison, with an additional three years spent under probation.

First reported by 10 Tampa Bay WTSP-TV, Clark’s plea deal will include restrictions to “electronic devices,” with access only permitted by the Florida Department of Law Enforcement and by those supervising Clark during his eventual probation. According to 10 Tampa Bay, at 18 years old, Clark will also be sentenced as a “youthful offender,” which could allow him to serve some of his prison time in a “boot camp.” He will also earn credit for the 229 days that he has already spent in jail.

Clark’s plea deal represents a reversal of his earlier position on August 4, 2020, when he pleaded not guilty to 30 charges of fraud brought against him by state prosecutors in Florida for allegedly stealing Bitcoin payments from countless victims. According to Hillsborough State Attorney Andrew Warren at the time, the charges filed against Clark were for “scamming people across America.”

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.” 

Last year, Clark allegedly worked with two other individuals to compromise the accounts of about 130 Twitter users in a broader scheme to steal Bitcoin payments from unsuspecting victims. On July 15, the Twitter accounts of several celebrities and industry leaders began tweeting nearly the exact same message: Sparked by sudden gratitude, anyone who donated payments to a specific Bitcoin address would receive double those payments in return.

According to the public bitcoin ledger, at the time, the hackers conned people out of more than $100,000.

Nearly two weeks later, Clark was arrested at his apartment in Tampa. Two other men—Mason Shepperd from the UK and Nima Fazeli of Orlando—were also charged in connection with the hack. Shepperd was charged with wire fraud and money laundering, while Fazeli was charged with aiding and abetting.

At the time of the attack, many asked how such a small operation—led by a teenager—could have successfully breached the security of a major technology company. According to an investigation by The New York Times, Clark’s Twitter hack was not the work of an experienced hacker, but of a tried-and-true fraudster. Having bilked victims out of small sums of about $50 for years, Clark is alleged to have eventually worked his way into a scam that involved the theft of $856,000 worth of Bitcoin, at the age of 16.

After the theft, Clark posted photos of himself on Instagram wearing a Rolex watch.

To compromise Twitter, Clark used his practiced social engineering skills to gain access to an employee control panel. From there he was able to change users’ email addresses, and to use those new email addresses to reset passwords and disable two-factor authentication, giving him access to numerous user accounts, and their millions of followers.

The post Teen behind 2020 Twitter hack pleads guilty appeared first on Malwarebytes Labs.

Categories: Techie Feeds

ProxyLogon PoCs trigger a game of whack-a-mole

Tue, 03/16/2021 - 18:15

As we reported recently, the use of the Microsoft Exchange Server ProxyLogon vulnerabilities has gone from “limited and targeted attacks” to a full-size panic in no time.

Criminal activities, ranging in severity from planting crypto-miners to deploying ransomware, and conducted by numerous groups, have quickly followed the original exploitation by APT groups to spy on organizations.

With the focus of many security and IT professionals now firmly fixed on the world’s vulnerable Exchange servers, proof-of-concept exploits (PoCs) have surfaced left and right.

Some argue that since some attackers already possess exploit code, it’s only right for defenders to have it too, so they can test their systems by simulating what those attackers might do. Others say that PoC code doesn’t redress the balance because it’s a leg up for everyone, including criminals who haven’t created their own exploits yet.

And while most researchers deliberately omit specific components of a PoC, others feel compelled to publish full working exploits, enabling even the most technically challenged script-kiddies to use them maliciously.

All of which explains some people in the computer security community are busy tying to publish ProxyLogon PoCs, others are trying to stop them.

Purposely broken exploit

Bleeping Computer reports that a security researcher has released a proof-of-concept exploit that requires slight modification to install web shells on Microsoft Exchange servers vulnerable to the actively exploited ProxyLogon vulnerabilities.

“Firstly, the PoC I gave can not run correctly. It will be crashed with many of errors. Just for trolling the reader,” Jang told BleepingComputer.

Soon after the PoC was published, the publication reports that Jang received an email from Microsoft-owned GitHub stating that the PoC was being taken down as it violated the site’s Acceptable Use Policies.

GitHub under fire

GitHub received a ton of criticism for removing the proof-of-concept exploit. In a statement, the site said it took down the PoC to protect devices that are being actively exploited.

“We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, GitHub disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”

The main reason for criticism was that the vulnerability has a patch, so Microsoft had no reason to have the PoC removed. Some researchers also claimed GitHub has a double standard, since it has allowed PoC code for patched vulnerabilities affecting other organizations’ software in the past.

We have some sympathy with Microsoft here: a patch may be available but that doesn’t mean everyone is protected. A patch is only useful once it has been applied, and tens of thousands of servers are still unpatched.

Reverse engineering an exploit

To demonstrate how researchers go about turning a vulnerability into an exploit, Praetorian posted their methodology for a ProxyLogon attack chain.

By examining the differences (diffing) between a pre-patch binary and post-patch binary they were able to identify exactly what changes were made. These changes were then reverse engineered to assist in reproducing the original bug.

Cat is out of the bag

The problem with removing PoCs from a platform like GitHub is that the code will just re-surface elsewhere. It is very hard to make the Internet, as a collective brain, forget something.

Even if the author doesn’t post it somewhere else, there will always be that individual that has already copied the content before it was removed. Or another who is inspired to try to create their own.

For Malwarebytes Labs, one size doesn’t fit all. Sometimes a PoC can help to improve security, and sometimes some restraint is needed. Each situation needs to be judged on its merits.

The current situation is a crisis, and despite efforts to take down the emerging ProxyLogon PoCs, or neuter them by making them less than fully functional, you can bet they will be put to use by criminals. This while the owners of the remaining unpatched systems are scrambling to save what they can.

Other Malwarebytes posts on the ProxyLogon vulnerability:

Stay safe, everyone!

The post ProxyLogon PoCs trigger a game of whack-a-mole appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Careers in cybersecurity: Malwarebytes talks to teachers and students

Tue, 03/16/2021 - 17:40

Every year, I take part in talks for universities and schools. The theme is often breaking into infosec. I give advice to teens considering pursuing tech as a further area of study. I explain a typical working day for degree undergraduates. Sometimes I’m asked to give examples of conference talks. I get to dust off some oldies and give a snapshot of security research circa [insert year of choice here].

I’ve been doing this for about five years now, and it’s incredibly helpful for me and (hopefully) students too. I see real concerns from people who’ll end up being the next wave of researchers, writers, and communicators.

Get involved: benefits for the education space

If you work in security research and are considering doing something similar, you should! It’s helpful for many reasons:

  • It gives you a solid idea of what the next generation find interesting, research-wise. Which bits of tech do they love? What do they think will be an issue down the line? Maybe they prefer virtual machines to bare metal. Perhaps we’ll have an hour-long debate over the rights and wrongs of paying malware authors. You won’t know until you try it!
  • If you do any amount of public speaking, interviews, talks, whatever: it keeps you from going rusty. The Pandemic has shut down many conferences and sent more than a few online. If you’re unsure about doing online talks when your background is “real world only”, it’s helpful practice. Want to know what works in virtual spaces? This will definitely help.
  • Schools and universities really get a lot from these events. It’s usually quite difficult for them to get people booked in to speak about things. From experience, educators will absolutely appreciate any outreach or help you can give their students. It’s a win-win for everybody.
“I thought it was all code”

Something I emphasise is that information security has a huge number of different backgrounds in its overall makeup. I’ve met many despondent students who felt their coding skills weren’t up to scratch. The students’ impression is that everything is 100% coding or programming.

It’s true, coding and programming can be incredibly difficult things to understand. Skills like reverse engineering malware can take years to perfect. There’s no guarantee of being able to keep pace with malware developments in the meantime, either.

Well, there’s lots of fun ways issues like that can be addressed.

Even so, “I thought you had to be a qualified coder / programmer” is something I hear all the time. If not that, they often feel a lack of skills in one area negates everything else they’re good at.

It’s quite a relief for them to find out this doesn’t have to be the case.

The myth of the “expert at everything”

In media, security researchers are often presented as experts on all topics imaginable. The reality is people excel in their own little niche field and have a variable skillset for everything else. Experienced security pros know when to ask for help, and there’s absolutely nothing wrong with it. You really don’t have to know everything, all the time. This is another concern relayed to me by many students over the last few years.

The many paths to the security industry

When doing these sessions, a few key talking points come up time and again. Quite a few students have to be convinced that lots of security folk don’t necessarily even have technology qualifications. There’s also many roles which don’t involve any coding whatsoever. However, these are roles students haven’t considered, because they didn’t necessarily have any idea they existed.

Some of the deepest hardware knowledge I’ve come across is from people in sales teams. Do you like the idea of public-facing research? There’s blog and press opportunities for that. Is the idea of promoting your company’s research to a wide audience an exciting one? There’s probably a spot in marketing for you. At the furthest reaches of “no tech involvement whatsoever”, security organisations need people to design things. Maybe it’s time to dust off that design degree and start sending in your resume?

Whatever your skillset as a student, there is absolutely something you can do. That talent of yours will be a benefit to an organisation in the security space.

Thinking outside the box

One of the most interesting things about fresh talent is watching it pull apart new technology and highlight unforeseen dangers.

Look at some of the things we dig into on our very own blog. Web beacons, virtual/augmented reality, the Internet of Things, deepfakes, malign influence campaigns, securing accounts after someone’s died, and much more. The industry as a whole is more open to new / different research than it’s ever been. It has to be, or bad people will be getting away with virtual murder while everyone twiddles their thumbs.

In the last few days we’ve seen a run on art related NFT theft. Try telling someone that 12 months ago and see what the reaction would be. Someone out there has an idea for a solution to this kind of problem. They just don’t know it yet. It’s up to us to encourage them and see what kind of cool solutions they can come up with.

Talking with teachers: Holly Smylie

Computer Science teacher Holly Smylie, who sat in one of our talks, has given some insight into how the industry can help students:

Open days and talks are great in terms of giving students access to positive role models from the industry such as yourself. It essentially gives them an exposure to experiences of infosec that they may otherwise not have had from their environment, meaning that it can make a massive difference in terms of their future career aspirations and later life chances. 

I think that one of the greatest take away from your talk for my students was that although qualifications are obviously important, they aren’t the be all and end all. There are still other routes into the sector without the “usual qualifications”. It allows them to think beyond an exact route into something they want to know more about. Also, I think that there is more that our industry could do in terms of addressing the gender imbalance – whether this is providing talks or networking between students and female experts in the industry.

Again, these role models for students at school and even uni-level via talks, open days, visiting companies, etc can often be the tipping point for female students who do not believe that they would succeed in this industry (as it is still very male dominated). Again, I think this just fits in with broadening female students’ horizons to the world of infosec and giving them confidence that they will be just as valued as our male colleagues.

Closing thoughts

According to some predictions, there’s a huge number of jobs which will go unfilled into the next year. I’m not convinced the numbers will be as big as that. Even so, helping students of all ages with paths into the security industry can only be a good thing. The pandemic hasn’t made technology learning easy over the last year. I’m glad we at Malwarebytes have been able to pitch in and give students some possible careers to think about.

Special thanks to Holly, and the schools and Universities we’ve run these sessions for. We wish your students success in the years to come.

The post Careers in cybersecurity: Malwarebytes talks to teachers and students appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages