Techie Feeds

ZuoRAT is a sophisticated malware that mainly targets SOHO routers

Malwarebytes - Thu, 06/30/2022 - 15:35

Researchers have analysed a campaign leveraging infected SOHO routers to target predominantly North American and European networks of interest.

The so-called ZuoRAT campaign, which very likely started in 2020, is so sophisticated that the researchers suspect a state-sponsored threat actor is behind it.

SOHO routers

SOHO is short for small office/home office and SOHO routers are hardware devices that route data from a local area network (LAN) to another network connection. Modern SOHO routers have almost the same functions as home broadband routers, and small businesses tend to use the same models. Some vendors also sell routers with advanced security and manageability features, but most SOHO devices are only monitored in exceptional cases.

That is probably why ZuoRAT managed to fly under the radar for so long.

Compromise the router

The first step in the campaign is to take control of the router. The researchers identified infected routers of several manufacturers including popular brands like ASUS, Cisco, DrayTek, and NETGEAR. It is likely that the threat actor used unpatched vulnerabilities to steal credentials from the targeted routers. Although patches for these vulnerabilities exist, it is not uncommon for device administrators never to apply these patches.

This lack of security is often caused by a lack of awareness, and that lack of awareness starts with small business owners not knowing exactly which type or model of router they have. So even if they read about a vulnerability in their router, it may not sink in that it applies to them. The rebranding of routers by providers is another factor that keeps owners in the dark.

Drop the RAT

The vulnerability, or chain of vulnerabilities, allows the threat actor to download a binary and execute it on the router. Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware.

The ZuoRAT agent framework enables in-depth reconnaissance of target networks, traffic collection and network communication hijacking. Some of the functions will run by default, while others might be intended to be called by additional commands.


ZuoRAT looks like a heavily modified version of the Mirai malware. The authorities may have caught the Mirai creators, but the spirit of their botnet lives on. Numerous groups took advantage of the open-source code to create mini variants. But the command and control infrastructure used in this campaign is intentionally complex in an attempt to conceal what’s happening.


While attribution is always hard, the researchers listed several indications that the group behind this campaign might be of Chinese origin. One set of C2 infrastructure controlled by this threat actor and used to interact with the Windows RATs was found to be hosted on internet services from China-based organizations. Also, some of the program database paths contained Chinese characters, while others referenced “sxiancheng”, a possible name or Chinese locality.

China is a likely candidate, even if it seems they have already bitten off more than they can chew. According to an article in the Financial Times, Chinese university students have been lured into working as translators to help identify hacking targets and to analyze stolen material.

DNS hijacking

Several functions were designed to perform DNS hijacking using the gathered information about the DNS settings and the internal hosts in the adjacent LAN. Some of these functions allowed the threat actor to update the DNS hijacking rules, specifying which domains to hijack, the malicious IP address to return for them, and the number of times to trigger the rule.

HTTP hijacking

Another noteworthy function enabled the actor to specify which client or subnet to hijack. It intercepted the client's traffic and matched it against traffic patterns. If a pattern matched one of the rules, it returned an HTTP 302 response that redirected the client's browser to another location, where the threat actor could manipulate the connection.


If you fear that your router has been compromised, simply restarting the infected device will remove the initial ZuoRAT exploit. To fully recover, however, perform a factory reset, which clears the device.

To prevent your router from getting infected, find the most recent firmware and install it, so you have all the latest patches.

Systems that used an infected router for their internet access, and that used no block lists including the C2 infrastructure of ZuoRAT, may be infected. This is not only true for Windows systems: the researchers found samples written in Go, which is a cross-platform language.

IoCs associated with this campaign for threat hunting can be found on the Black Lotus Labs GitHub page.

Stay safe, everyone!

The post ZuoRAT is a sophisticated malware that mainly targets SOHO routers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Amazon Photos vulnerability could have given attackers access to user files and data

Malwarebytes - Thu, 06/30/2022 - 15:25

Amazon has patched a flaw in the Amazon Photos app which could have allowed an attacker to steal and use a user’s unique access token that verifies their identity across multiple Amazon APIs.

That would give attackers access to a trove of information, since many of these APIs contain personal data, such as names, email addresses, and home addresses.

Amazon Photos, previously known as Prime Photos, is a service related to Amazon Drive, the company’s cloud storage application. To date, it has been downloaded more than 50 million times from the Play Store. The Photos app is geared towards storing, organizing, and sharing photos and videos.

Due to a misconfiguration of a component in the app, which left a client’s access token severely unprotected, a third-party malicious app could access and use this token. In a ransomware scenario, threat actors could steal, delete, and encrypt files and leave affected users with no means to restore them.

To put it plainly, it’s like sending a password over to another app in plain text, the researchers who found the bug explained.

The researchers from Checkmarx informed Amazon in November 2021. The following month, the company issued a patch for the vulnerability.

Because this flaw also affects Amazon Drive, threat actors could theoretically modify files while erasing a user’s history, effectively rendering original content irrecoverable.

Erez Yalon, Checkmarx’s vice president of security research, was quoted in an interview with The Record:

“We know there is nothing completely secure in the software world. But seeing that kind of vulnerability in the software of Amazon, one of the leading companies in the world when it comes to security practices, means that it can happen to every software company.”

An Amazon spokesperson also told The Record they found “no evidence that sensitive customer information was exposed as a result of this issue.”

“We appreciate the work of independent security researchers who help bring potential issues to our attention,” the spokesperson said.


Criminals are applying for remote work using deepfake and stolen identities, says FBI

Malwarebytes - Thu, 06/30/2022 - 14:55

The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII (personally identifiable information).

A deepfake is essentially created or modified media (image, video, or audio), often with the help of artificial intelligence (AI) and machine learning (ML). Deepfake creations are designed to appear and sound as authentic as possible. Because of this, they’re difficult to spot unless you know what to look for.

Years of data breaches have made millions of Americans’ identities available for anyone with ill intent to gather and use for personal gain. This time, criminals seem confident about pulling off a scheme that fully intends to sabotage or steal from the companies that hire them, while keeping their true identities hidden.

Armed with compelling synthetic images and videos with legitimate PII, we can imagine criminals likely getting the job before pulling the wool over their employer’s eyes.

Most open positions identified in the report were in the technology field, such as IT (information technology), computer programming, database, and software. The FBI has also noted that some positions criminals are trying to fill would grant them access to PII, financial data, corporate databases, and proprietary information.

Fortunately for organizations, there is a glaring flaw in an otherwise masterful execution of deceit: the deepfakes the criminals use suffer from sync issues.

“Complaints report the use of voice spoofing, or potentially voice deepfakes, during online interviews of the potential applicants. In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.”

~ FBI, PSA number I-062822-PSA

Misuse of stolen PII can be spotted with a pre-employment background check. So even if an interviewer puts the desyncs in a deepfake video down to a dodgy connection, criminals won’t be able to escape the findings of a standard background check.

TechCrunch said the most at-risk businesses from criminals entering the job market this way are startups and SaaS (software as a service) companies. This is because these potentially hold lots of data or access to it “but comparatively little security infrastructure compared with the enterprises they serve or are attempting to displace.”

If you’re worried that your data might be used to get criminals into the same sector as you are, there’s not much to do apart from remaining alert and keeping an eye out for strange emails or phone calls.

Stay safe!


Immigration organisations targeted by APT group Evilnum

Malwarebytes - Thu, 06/30/2022 - 14:13

Organisations working in the immigration sector are advised to be on high alert for Advanced Persistent Threat (APT) attacks. Bleeping Computer reports that European organisations, specifically, are under threat from the Evilnum hacking group.

Evilnum, on the APT scene since 2018 at the earliest and perhaps most well known for targeting the financial sector, appears to have switched gears.

In times of conflict

The observed attacks seem to have sprung into life on or around the beginning of the invasion of Ukraine. This is quite worrying for several reasons:

  • Immigration organisations in Europe are still impacted by the fallout from COVID-19. Additionally, government immigration services continue to be non-functional or afflicted with severe delays in processing. The UK, which set up a dedicated visa for Ukrainian refugees, has experienced processing delays for unrelated visas of up to 6 months as a result of this project. Being targeted with malware could impact crucial services still further, putting people at risk.
  • Huge amounts of sensitive data are passing to and from independent immigration organisations related to the invasion of Ukraine. Exfiltration of this data could put people both outside Ukraine and those still there at risk of significant harm.
  • Many volunteer organisations have sprung up to support efforts related to Ukraine. Many of these have little to no funding and are being run by ad hoc groups of immigration lawyers with minimal experience of cybersecurity issues. This is, unfortunately, an area of potential rich pickings for attackers.

Important attack details

The APT group targeted an intergovernmental organisation (IGO), an entity created by treaty between two or more nations to work on issues of common interest. In terms of immigration-related impact, then, this attack is at the highest level.

It begins, as so many attacks do, with a targeted email containing a rogue attachment. Opening the attached Word document fires up a message which claims that the document was created in a later version of Microsoft Word. It explains how to enable editing in order to view the supposed content, typically called “Compliance” but also “Complaint” or “Proof of ownership”, among others.

Heavily obfuscated JavaScript decrypts and deposits an encrypted binary and a malware loader (which loads up the binary), and creates a scheduled task to keep things constantly ticking over. File system artefacts created during execution are designed to imitate legitimate Windows binary names, to assist in detection avoidance.

The aim here is to create a backdoor on infected systems. Machine snapshots are taken and sent back to base via POST requests, with exfiltrated data in encrypted form.

Cybersecurity, just from a different point of view

Refugees from Ukraine are being assisted by multiple organisations that were set up after the initial invasion. Lawyers helping to run these groups may not be fully immersed in cybersecurity. However, they follow strict rules and regulations with regard to client data by default. As a result, they’re often doing security-centric things to keep client data secure without perhaps noticing the crossover.

For example: most immigration lawyer/client interactions in the UK are currently remote, partly due to COVID-19 and partly because the UK’s visa system is now almost entirely online. As a result, pretty much everything involving sensitive documentation begins life in the form of an email. This sounds bad at first glance, but it isn’t as bad as it sounds. Lawyers and clients aren’t emailing important documents in plaintext. Instead, they’re making use of encrypted documents and secure file uploads, and deleting data as and when required.

Tips for immigration orgs

If you’re a small organisation looking to help with visa or refugee processes for Ukrainians fleeing the invasion, here’s some of the things you can make a start on now to help keep things secure:

  • Ensure your website uses HTTPS. Most sites I’ve seen in this realm use a combination of a contact email and/or a web form. You don’t want sensitive information intercepted because of an insecure website. As few people as possible should have admin access to the site, and to anything related to publishing. Use as few extensions and plugins as possible. Paying for a domain privacy (anonymity) service is useful if required.
  • Consider using an alias for public facing email addresses. Additionally, lock down all email addresses with multifactor authentication (MFA). The same goes for backup/recovery emails tied to the main account(s).
  • If you have the choice of SMS codes or authentication apps/hardware based security keys for 2FA, choose the latter. SMS won’t work with no signal reception, and fraudsters may divert your SMS codes via SIM swapping.
  • Consider using a password manager for organization-specific passwords. If you need to share logins, use a management tool which allows you to share logins without revealing the password itself. Should you land on a phishing site, your password manager won’t pre-fill your details into the bogus portal.

I’ve spoken to individuals from several UK-based immigration organisations, including those focused on helping Ukrainians. At this point, none of them report having been targeted by attacks similar to the above. However, those organisations are absolutely in the spotlight for anyone potentially up to no good. If you’re in this line of work, or you’re just getting started, consider where and how you can begin to get things locked down right now.


Update now! Mozilla fixes security vulnerabilities and introduces a new privacy feature for Firefox

Malwarebytes - Thu, 06/30/2022 - 14:01

Mozilla released version 102.0 of the Firefox browser to Release channel users on June 28, 2022.

The new version fixes 20 security vulnerabilities, five of which are classified as “High”. The new version also comes with a new privacy feature that strips parameters from URLs that track you around the web.


Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs we think you should know:


CVE-2022-34479: A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. This bug only affects Firefox for Linux. It does not apply to other operating systems.

CVE-2022-34470: Use-after-free in nsSHistory. Use-after-free (UAF) is a memory-safety bug caused by incorrect use of dynamic memory during a program’s operation: the program keeps using a pointer to memory after that memory has been freed. Because the allocator may hand the same memory out again, an attacker can use the stale pointer to manipulate the program. Navigations between XML documents may have led to a use-after-free and a potentially exploitable crash.

CVE-2022-34468: CSP sandbox header without ‘allow-scripts’ can be bypassed via retargeted javascript: URI. An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11. Some of these bugs showed evidence of JavaScript prototype or memory corruption, and with enough effort some of these could have been exploited to run arbitrary code.


CVE-2022-34482 and CVE-2022-34483: Two separate issues with the same effect. Drag and drop of malicious image could have led to malicious executable and potential code execution. An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension.

CVE-2022-34478: The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild, so in this release Firefox has blocked these protocols from prompting the user to open them.

New privacy feature

Many companies involved in advertising use custom URL query parameters that enable them to track clicks on links. The most well-known example is probably the ?fbclid= parameter that Facebook adds to outbound links.

With the release of Firefox 102, Mozilla has added the new “Query Parameter Stripping” feature that automatically strips some of these query parameters. It does not matter whether you clicked on a link or pasted the URL into the address bar.

To enable Query Parameter Stripping, go into the Firefox Settings, click on Privacy & Security, and then change Enhanced Tracking Protection to Strict.

You will need to click Reload All Tabs to apply the changes. If you find that setting Enhanced Tracking Protection to Strict causes issues with certain sites, you can use the Manage Exceptions option to add those websites, or use the “Custom” setting to choose which trackers and scripts to block.
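To show what query parameter stripping does mechanically, here is an added example (not Mozilla’s code, and not the list Firefox actually ships): a PowerShell function that removes known per-click tracking parameters from a URL while keeping every other parameter and the fragment. The only parameter name taken from the article is fbclid; the remaining names in the default list are an assumption for illustration, and a real deployment would maintain its own list.

```powershell
# Added example: a simplified model of Firefox's "Query Parameter Stripping".
# The $TrackingParameter default list is an assumption for illustration; only
# 'fbclid' comes from the article. Firefox's real list is maintained by Mozilla.
function Remove-TrackingQueryParameter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$TrackingParameter = @('fbclid', 'gclid', 'mc_eid', 'oly_anon_id', 'oly_enc_id')
    )

    $uri = [System.Uri]$Url
    if ([string]::IsNullOrEmpty($uri.Query)) { return $Url }   # nothing to strip

    # Split "?a=1&fbclid=xyz" into "a=1", "fbclid=xyz" and keep only the pairs
    # whose name is not on the tracking list. -notcontains is case-insensitive.
    $kept = foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        if ($pair -eq '') { continue }
        $name = ($pair -split '=', 2)[0]
        if ($TrackingParameter -notcontains $name) { $pair }
    }

    # Rebuild the URL; the path, port and fragment are preserved by UriBuilder.
    # An empty Query removes the '?' entirely.
    $builder = [System.UriBuilder]$uri
    $builder.Query = ($kept -join '&')
    return $builder.Uri.AbsoluteUri
}

# Constructed sample link of the kind Facebook produces on outbound clicks.
$sample = 'https://example.com/article?id=42&fbclid=IwAR0example#comments'
Remove-TrackingQueryParameter -Url $sample
```

Running the last two lines leaves the id parameter and the #comments fragment in place and drops fbclid. Note that AbsoluteUri normalises the URL (for example, a bare host gains a trailing slash), which is a cosmetic difference from what the browser shows.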


Under normal circumstances, updates will be applied without user intervention. You can check the version number in the product’s menu under Help > About.

Should you not be using the latest version for some reason, e.g. automatic updates are disabled, then this screen will inform you that a new version is available and will start downloading it.

When it’s done, you’ll see a prompt to restart the browser. This will apply the update.

Stay safe, everyone!


Raccoon Stealer returns with a new bag of tricks

Malwarebytes - Thu, 06/30/2022 - 13:33

The popular malware Raccoon stealer, which suspended operations after a developer allegedly died in the Ukraine invasion, has returned.

Raccoon stealer is malware as a service, with the developers selling it to would-be users. The operation is a tightly-run ship, to the extent that customers have digital signatures tied to their executables. If files end up on malware scanning services, the malware authors know exactly who the leak has come from.

So much data, so little time

The popular tool, used for data theft, is ubiquitous where stealing credentials is concerned. Cryptocurrency wallets, cookies, passwords, browser autofill data, and credit card data: pretty much anything is up for grabs.

Since 2019, Raccoon stealer has been lifting data from the unwary. Cheap to purchase and packing a large range of features, it is able to steal from as many as 60 different applications including:

Email: Outlook, Thunderbird
Browsers: Firefox, Chrome, Microsoft Edge, Internet Explorer, Vivaldi, SeaMonkey
Cryptocurrency apps: Exodus, Monero, Electrum, Jaxx

Raccoon’s two most popular delivery methods are phishing campaigns (the tried and tested malicious Word document/Macro combination) and exploit kits. Once data is located on the target system, it is eventually placed into a .zip file and sent to the malware Command and Control (C&C) server.

Its operators are constantly innovating, for example making use of Telegram to operate C&C. This is one malware project which wasn’t going to stay gone for long.

An all new raccoon rampage

The new version, Raccoon Stealer 2.0, was claimed to be on sale on Telegram and in circulation since May 17. However, these claims related to Telegram have since been shown to be fake.

While functionality appears to be mostly similar to the original version, there are some notable differences. The creators claim to have improved the software and resurrected their malware antics to “honour” the legacy of the teammate who died:

After our teammate loss we made a decision that we can not leave our project and we will continue our work in his honour. Raccoon Stealer 2.0 was totally coded from the very beginning. New back-end, new front-end, absolutely new stealer software.

Smash and grab

Credit card data, autofill data, browser passwords, and a big slice of cryptocurrency wallets are once more targets for Raccoon Stealer. The big change-up seems to be related to how data is exfiltrated. This new version doesn’t appear to be particularly stealthy.

The name of the game in data exfiltration is to make as few moves as possible to help evade detection. Sneaky malware will collect data as it goes, before eventually sending the whole lot in a zip in one go. If an infection is constantly pinging away, the chances of it being caught by security tools increase dramatically.

Here, Raccoon Stealer seems to be throwing a little caution to the wind. The stealer sends data every single time it adds to its exfiltrated data collection. Researchers note that Raccoon Stealer 2.0 possesses no obfuscation or anti-analysis techniques.

I’d love to know if some sort of data driven analysis led developers to the conclusion that smash and grab is ultimately more suited to their business model than waiting it out. Ultimately, this may be the one bright note for embattled IT admins in the wake of everyone’s least favourite raccoon’s re-emergence onto the malware scene.


RansomHouse claims to have stolen at least 450GB of AMD’s data

Malwarebytes - Thu, 06/30/2022 - 12:39

AMD is investigating the claim that the RansomHouse extortion group has its hands on more than 450GB of the company’s data.

AMD’s breach revelation came to light after RansomHouse teased on Telegram about selling data belonging to a popular “three-letter company that starts with the letter ‘A’”. The event crescendoed with the addition of AMD to the group’s data leak site.

RansomHouse’s leak pages for AMD. (Source: Marcelo Rivero | Malwarebytes)

RansomHouse didn’t breach AMD, although it was once linked to such activity. The group revealed to BleepingComputer that its “partners” breached AMD’s network a year ago. Those partners are said to no longer have access to AMD’s network.

The extortion group didn’t bother informing the chip maker, thinking it was a “waste of time.”

“[I]t will be more worth it to sell the data rather then wait for AMD representatives to react with a lot of bureaucracy involved.”

The group hasn’t provided any substantial evidence of files belonging to AMD. Still, it claims the stolen data contains research, financial information, a list of 70,000 devices in AMD’s internal network, and alleged employee credentials, showcasing a collection of embarrassingly weak passwords. Some of these are ‘password’, ‘P@ssw0rd’, ‘amd!23’, and ‘Welcome1.’

The use of bad passwords is the reason why AMD got compromised, the extortion group said.

RansomHouse is a group on a mission. As long as businesses have weaknesses, whether in their passwords or in the software they use, they should expect a very quiet knock on the door when everyone is paying the least attention.

It’s never too late to extinguish weak passwords and tighten up the perimeter around accounts. Companies can start off by:

  • Using a password manager. This tool creates complicated passwords and remembers them for you as well.
  • Requiring two-factor authentication (2FA) for highly sensitive resource repositories and administrator accounts.
  • Stressing the importance of not reusing passwords. It’s so easy for an attacker to use a password breached on one site to get into another if the login credentials are the same. Stopping password reuse makes things much more difficult for them.

Good luck!


Forced Chrome extensions get removed, keep reappearing

Malwarebytes - Wed, 06/29/2022 - 10:38

In the continued saga of annoying search extensions we have a new end-of-level boss.

Victims have been reporting browser extensions that were removed by Malwarebytes, but “magically” came back later. Since the victims also complained about the message saying their browser was “managed”, we had a pretty good idea where to look.

custom search bar is one of the forced extensions

Search extensions

The culprits turned out to be search extensions, which is often the case when we spot potentially unwanted programs (PUPs) that use malware tactics to get installed and gain persistence.

The search hijackers “active search bar” and “custom search bar” were both available in the Chrome web store at the time of writing even though we reported them days ago.

active search bar is also available in the webstore

PowerShell

It took some digging to find the origin, since all we had were the extensions. And when the extensions were installed directly from the webstore, nothing happened out of the ordinary. However, some hunting on VirusTotal soon led me to a few recently uploaded PowerShell scripts that included the string “ExtensionInstallForcelist.” I looked for that string because we know from the past that these registry policies account for the “Your browser is managed” warnings.

$CPath = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist";

$EPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist";

The description in the Chromium documentation about the ExtensionInstallForcelist states:

“Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.”

And to confirm this finding, the victims who provided logs all had one of these PowerShell scripts listed in their Scheduled Tasks.

The Scheduled Task triggers the PowerShell script

The Scheduled Task was set to run every four hours, which explained why the extensions kept coming back.


But Scheduled Tasks don’t install themselves either and dropping PowerShell scripts in the System32 folder requires Administrator privileges, so we needed to dig a little further to find an installer.

The domain was used as a download location in all the PowerShell scripts so we used that domain as a search parameter in our next stage of VirusTotal hunting. This search eventually returned three installers. What they had in common at first glance was that the filenames all ended with “_x64LTS.exe” and that they were all signed by “Tommy Tech LTD.”

Upon further inspection we noticed that the installers all asked for Administrator privileges twice. The first part installs something that is called “Setup” and the second part installs an application that aligns with the name of the installer. So, it appears that the original installer files were “patched” to add the installer for our browser hijacker. It stands to reason that these installers are offered for download somewhere by the threat actors.

The EULA points to which is unreachable. I was unable to find an installer that actually dropped an extension in Edge, but the “Your browser is managed by your organization” setting does get enforced.

Edge managed by your organization

Javascripts

Malwarebytes customers were protected against these extensions as Malwarebytes’ web protection module blocked the domain wincloudservice[.]com. On inspection, this domain hosted several javascripts including heavily obfuscated files called crypto.js and crypto-js.min.js.

Detection and removal

Malwarebytes detects these browser hijackers as PUP.Optional.ActiveSearchBar and PUP.Optional.CustomSearchBar. The removal procedure covers both the extension and the Scheduled Task, which is enough to permanently get rid of the extension.

The installer also made some Windows registry changes, and a system administrator will have to decide which of those they want to keep.

The registry keys to remove the “Your browser is managed” are:



And another change made by the installer was the registry value:


The installer set that to “Unrestricted”, which may not be your favorite setting. If you are not sure, or you have never actively set that policy, the default is “Restricted”. Please note that in some organizations PowerShell is required to run.
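The three persistence traces described above (forced-install policy entries, a scheduled task that re-runs a PowerShell script, and a machine-wide execution policy of Unrestricted) can be audited from an elevated PowerShell session. The following script is an added example and is not Malwarebytes’ detection logic or the hijacker’s own code; the two registry paths are the ones quoted from the hijacker’s script, the two extension IDs are the ones listed at the end of the post, and everything else (the function name, the output columns, the task-matching heuristic) is an assumption for illustration. It only reports; it changes nothing.

```powershell
# Added example (not Malwarebytes' tooling): report the three persistence traces
# described in the post. Run from an elevated PowerShell on the suspect machine.
function Get-ForcedExtensionFinding {
    [CmdletBinding()]
    param(
        # Extension IDs taken from the post; extend this list with your own.
        [string[]]$KnownBadExtensionId = @(
            'nniikbbaboifhfjjkjekiamnfpkdieng',   # custom search bar
            'pkofdnfadkamabkgjdjcddeopopbdjhg'    # active search bar
        )
    )
    $findings = @()

    # 1. ExtensionInstallForcelist policy keys quoted from the hijacker's script.
    #    Each value is "<extension id>;<update URL>"; the id is 32 letters a-p.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
    )
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($valueName in $key.GetValueNames()) {
            $entry = [string]$key.GetValue($valueName)
            $id = ($entry -split ';')[0]
            $findings += [pscustomobject]@{
                Type       = 'ForcelistEntry'
                Location   = "$path\$valueName"
                Detail     = $entry
                Suspicious = ($KnownBadExtensionId -contains $id)
            }
        }
    }

    # 2. Scheduled tasks whose action launches PowerShell with a .ps1 script.
    #    The post's sample ran a script from System32 every four hours; any hit
    #    here needs manual review of the script it points at.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell' -and $cmd -match '\.ps1') {
                $findings += [pscustomobject]@{
                    Type       = 'ScheduledTask'
                    Location   = "$($task.TaskPath)$($task.TaskName)"
                    Detail     = $cmd.Trim()
                    Suspicious = $cmd -match 'System32'
                }
            }
        }
    }

    # 3. Machine-wide execution policy. The installer set this to Unrestricted;
    #    Get-ExecutionPolicy reads the same LocalMachine policy value.
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    $findings += [pscustomobject]@{
        Type       = 'ExecutionPolicy'
        Location   = 'LocalMachine'
        Detail     = "$policy"
        Suspicious = ($policy -eq 'Unrestricted')
    }

    return $findings
}

Get-ForcedExtensionFinding | Format-Table -AutoSize
```

Forcelist entries that are not on the known-bad list are still reported, because a legitimately managed machine will have entries placed there by its administrators and only they can say which ones belong. The scheduled-task check is deliberately broad; treat it as a list to review rather than a verdict.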












PowerShell scripts:





custom search bar: nniikbbaboifhfjjkjekiamnfpkdieng

active search bar: pkofdnfadkamabkgjdjcddeopopbdjhg


Internet Safety Month: Everything you need to know about Omegle

Malwarebytes - Wed, 06/29/2022 - 10:19

Omegle reached the heady heights of fame when everyone least expected it. Thanks to TikTok influencers, children flocked to this 13-year-old platform during the pandemic, unaware of the dangers already there.

The concept of talking to strangers online is Omegle’s main selling point, but it’s not new. When you think about it, most of us always engage with strangers on online platforms that promote conversations and debate or inspire reactions.

But unlike other social sites, Omegle has scant security to protect anyone willing to take that risky but exciting dive. Users are, once again, left to fend for themselves as they explore an online world through a platform where the only thing simple is its interface.

Omegle’s front page. It used to sport the message: “Predators have been known to use Omegle, so please be careful.” However, it removed this due to a lawsuit alleging it knowingly pairs minors with child predators.

So what are the things every parent, potential and current user, or school personnel should know about; and what can they do to protect themselves and the children in their care?

What do you need to sign up for Omegle?

Nothing. Unlike other popular social networking sites, users wanting to try out Omegle don’t need to sign up and create a profile. You just need to visit it from your computer or smartphone’s browser to start.

Once a user is signed up and paired with another user, the platform automatically sets the names to “You” and “Stranger”.

What are the risks of using Omegle?

Because people are randomly paired up for a text or video chat, anyone could meet anyone. These include VCH (virtual cam whore) puppets (which are bots), other extortionists, and impersonators (including child predators).

Content in Omegle isn’t guaranteed clean either. Your child might be exposed to nudity, grooming, privacy threats (such as strangers earning your child’s trust so they can get sensitive information from them), scams, and sexual abuse.

There is also the risk of your child being coaxed into exposing themselves and their younger siblings, or performing sexual acts. Child predators and extortionists do this so they can sell the clips, keep them for personal use, or use them in other extortion campaigns to lure more Omegle users into participating in sexual acts. Remember that the majority of these incidents happen in a house where parents and other family members are present.

Lastly, your child could become a target of cyberbullies. One TikTok user documented, for his TikTok followers, his experience of racism while using Omegle. Dr. Joanne Meredith, a cyberpsychologist, said the incident is a consequence of people losing their inhibitions online.

“Due to various features of online interaction—including dissociative imagination, or the view that the online world is a kind of game—people become less inhibited and behave in ways that they would not normally.”

Does Omegle have any parental controls?

No, none.

What other features does Omegle have?

Omegle used to have what it called “Spy Mode” (or “Spy (question) mode”), wherein the “spy” becomes the third party in a conversation between two strangers. The “spy” can ask questions for them to answer, or the “spy” could just listen in on the conversation without contributing.

This has now been removed, reportedly because it was being used to sell child pornography.

Another feature is the College Student Chat, where curious college students can enter their student email addresses before getting paired with others enrolled in their school.

Finally, there is the Adult chat function, which is free for kids to access.

Is Omegle safe for kids?

I think you know the answer to that at this point.

If your child looks up to a TikTok influencer who encourages followers to use Omegle, explain that it is not a safe place to meet other people online because it doesn’t have safeguards, unlike other social media platforms.

Staying safe on Omegle

It is better for parents, carers, and other responsible adults to deter their young persons from using Omegle altogether until they are 18. Personally, this is a non-negotiable because of the lack of safeguards and high risk of children being targeted, especially if they are young teen girls.

Any one-on-one stranger video chat platform like Omegle is risky for kids. It is paramount to keep an open and healthy communication with your child regarding this.

If you have found out your child has or continues to use Omegle, it’s time to sit them down for a quiet chat. Never punish them for being curious. Instead, let them know about the risks in order to explain why they need to stop using the platform until they’re at the right age.

Should your young person insist on using stranger video chat apps despite knowing the risks and repeated warnings, then do whatever you can to keep them from reaching these sites. Block them locally using your security solution of choice, a web filter feature in your browser, the HOSTS file on Windows (but take care not to put a lot of entries there), or the equivalent on a Mac.

Good luck!

Hermit spyware is deployed with the help of a victim’s ISP

Malwarebytes - Wed, 06/29/2022 - 10:03

Google’s Threat Analysis Group (TAG) has revealed a sophisticated spyware activity involving ISPs (internet service providers) aiding in downloading powerful commercial spyware onto users’ mobile devices. The spyware, dubbed Hermit, is reported to have government clients much like Pegasus.

Italian vendor RCS Labs developed Hermit. The spyware was spotted in Kazakhstan (to suppress protests against government policies), Italy (to investigate those involved in an anti-corruption case), and Syria (to monitor its northeastern Kurdish region), all deployed by their respective governments.

Hermit affects Android and iOS devices and is described as modular spyware. This means it can download additional pieces of itself (modules) from a C2 (command and control) server, which makes it customizable to suit client needs.

Hermit is not as stealthy as NSO’s Pegasus, but at its core it functions like any government-grade spyware. It can read SMS and chat messages, view passwords, intercept calls, record calls and ambient audio, redirect calls, and pinpoint the precise location of victims.

Hermit also roots all infected Android devices, giving itself deeper access to phone features and user data. On iOS, Hermit is packed with six exploits, two of which were targeting zero-day vulnerabilities. According to Google’s report, these are the following exploits:

  • CVE-2018-4344, internally referred to and publicly known as LightSpeed.
  • CVE-2019-8605, internally referred to as SockPort2 and publicly known as SockPuppet.
  • CVE-2020-3837, internally referred to and publicly known as TimeWaste.
  • CVE-2020-9907, internally referred to as AveCesare.
  • CVE-2021-30883, internally referred to as Clicked2, marked as being exploited in the wild by Apple in October 2021.
  • CVE-2021-30983, internally referred to as Clicked3, fixed by Apple in December 2021.

A Hermit spyware campaign starts off as a seemingly authentic messaging app users are deceived into downloading. A government actor also poses as a mobile carrier over SMS—sometimes with the help of the target’s ISP—to socially engineer targets into downloading the spyware masquerading as a tool to “fix” their internet connection.

Both Apple and Google have already notified their users regarding this spyware, and then some. Apple revoked the legitimate certificates Hermit abused to reside on iPhone devices, while Google beefed up its Google Play Protect security app to block Hermit from running. Google also pulled the plug on Hermit’s Firebase account, which it uses to communicate with its C2.

When questioned by TechCrunch, RCS Labs provided a statement, which we have replicated in part below:

RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.

Providers of government-grade spyware like Pegasus and Hermit always claim to have legitimate reasons for creating malware. But as we’ve seen and heard from countless reports, they are mainly used to spy on journalists, activists, and human rights defenders.

City worker loses USB stick containing data on every resident after day of drinking

Malwarebytes - Tue, 06/28/2022 - 12:26

A person working in the city of Amagasaki, in Western Japan, has mislaid a USB stick which contained data on the city’s 460,000 residents.

The USB drive was in a bag that went missing during a reported day of drinking and dining at a restaurant last Tuesday. The person reported it to the police the following day.

Data on the USB drive included names, gender, birthdays, and addresses. Other additional personal details were included, though it’s not been revealed what this is. Bank account numbers of households receiving welfare also found themselves on the USB drive.

Safety first pays dividends

The one piece of good news to emerge from this story is that the drive was both encrypted and password protected. So, providing they used a good password, if someone finds the USB drive and plugs it into a computer, they won’t be able to just open up the files and view the contents.

If whoever put this drive together hadn’t bothered with security measures, the first person to find the lost drive would have a data payday on their hands. Perhaps as a result of this cautious approach, there’s been no evidence or reports of the data being leaked so far.

How to safely transfer data

There is the question of why this data was on a USB stick in the first place. According to CBSNews, it was being transferred to a call center in Osaka. There are plenty of alternatives to ferrying data around on easily lost USB sticks. While some industries have strict compliance and regulatory standards, others may simply not be able to use third-party products for a variety of reasons. Even so, anything along these lines is surely better than “I lost a USB stick on a night out”. With this caveat out of the way:

  • Secure File Transfer Protocol (SFTP). This is used in business as a way to securely send files from one device to another. Files sent this way travel over an encrypted connection. One potential drawback is that you’ll likely need software installed on all the machines receiving the files. If you need to send data to another organisation, this can quickly become complicated or unfeasible. Additionally, not everyone believes it’s a suitable option for secure file transfer now that more purpose-built solutions are available.
  • Data in the cloud. Third-party cloud products like Dropbox and Box allow you to store and share files. Both have lots to offer, with Box in particular being geared towards business use. Multi-factor authentication, malware detection and leak prevention, encryption and compliance: it’s all there. Services like these are increasingly popular in business circles where secure, pain-free data transfer is required but the in-house knowledge to do it yourself isn’t to hand.
  • Encrypting your data and your USB drive. In some situations it may well be “USB drive or nothing at all”. If you’re using Windows 10 Home, you’ll need a third-party solution to encrypt files, as the built-in option is greyed out. On other editions, like Pro and Enterprise, the encryption option is available: right-click your file(s), then select Properties -> Advanced -> Encrypt contents to secure data. As for the drive itself, you’ll once again have to rely on third-party tools on Windows 10 Home. Otherwise, you can secure the drive with BitLocker. Mac users should select the Encrypt USB stick option from the location entry, then create and verify the encryption password. Be sure to set a password hint, too. Hit Encrypt Disk to complete the process.
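The BitLocker step above, scripted, as an added example that is not part of the article: it encrypts a removable drive with a password, adds a recovery password to store off the drive, waits for encryption to finish and then verifies the result. It assumes Windows 10/11 Pro or Enterprise (the BitLocker cmdlets are absent on Home, matching the article's caveat) and that the drive letter you pass belongs to the USB stick.

```powershell
#Requires -RunAsAdministrator
# Added example: BitLocker To Go for a USB stick, with guard rails.
function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$MountPoint
    )
    if (-not (Get-Command Enable-BitLocker -ErrorAction SilentlyContinue)) {
        throw 'BitLocker cmdlets not found; this Windows edition needs a third-party tool.'
    }
    # Refuse to touch anything that is not a removable volume, so a typo in the
    # drive letter cannot start encrypting a fixed disk.
    $vol = Get-Volume -DriveLetter $MountPoint.TrimEnd(':')
    if ($vol.DriveType -ne 'Removable') {
        throw "$MountPoint is a $($vol.DriveType) volume, not a removable drive."
    }
    $existing = Get-BitLockerVolume -MountPoint $MountPoint
    if ($existing.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already $($existing.VolumeStatus)."
    }
    # Prompt for the unlock password without echoing it. As the article notes, a lost
    # drive is only as safe as this password.
    $pw = Read-Host -Prompt "Password to unlock $MountPoint" -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $pw -UsedSpaceOnly | Out-Null
    # A recovery password is the only way back in if the unlock password is forgotten.
    # Keep it somewhere other than the drive itself (a password manager, for example).
    $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Host "Recovery password for $MountPoint (store off-drive): $($rp.RecoveryPassword)"
    # Wait for encryption to complete; pulling the stick mid-way leaves it half protected.
    do {
        Start-Sleep -Seconds 5
        $state = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Progress -Activity "Encrypting $MountPoint" -PercentComplete $state.EncryptionPercentage
    } while ($state.VolumeStatus -eq 'EncryptionInProgress')
    return $state
}

# Check the drive before it leaves the building: fully encrypted, protection on,
# and a password protector present (not just a clear key).
function Test-RemovableDriveProtected {
    param([Parameter(Mandatory)][string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    $hasPassword = ($v.KeyProtector.KeyProtectorType -contains 'Password')
    return ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'On' -and $hasPassword)
}

# Usage:
#   Protect-RemovableDrive -MountPoint 'E:'
#   Test-RemovableDriveProtected -MountPoint 'E:'
```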

LGBTQ+ community targeted by extortionists who threaten to publish nudes

Malwarebytes - Tue, 06/28/2022 - 11:15

The FTC (Federal Trade Commission) has warned the LGBTQ+ community about extortionists posing as potential romantic partners on Grindr and Feeld.

The scammers send their targets explicit photos and then ask for them to reciprocate. If they do, targets are then blackmailed into paying a ransom, usually in the form of gift cards, or risk having these photos leaked to family, friends, and employers.

And that’s not all, the scammers are also looking to out people, unless they pay a ransom. According to the FTC:

“Other scammers threaten people who are “closeted” or not yet fully “out” as LGBTQ+. They may pressure you to pay up or be outed, claiming they’ll “ruin your life” by exposing explicit photos or conversations.”

How to protect yourself from extortionists
  • Always check who you’re talking to. Do a reverse image search of their profile photo to see what shows up. If the name doesn’t match up with the face, end communications promptly, and report the account to the dating app/site.
  • Be careful about sending compromising images of yourself to someone. Trust your gut. Realize that extortionists are after such photos to use them as bargaining chips.
  • Never send your personal information. This includes email addresses, social media profiles, and smartphone numbers.
  • Avoid opening attachments or clicking links. They may contain malware designed to hijack devices or steal your information.
  • Disable your webcam and electronic devices when not in use.
  • Never pay the ransom. Scammers are known for promising one thing and doing the other. Remember that if you pay them, there’s no guarantee they’ll keep their word.
  • Report it to the FBI and FTC. Don’t wait to be in deep with the scammer. Once you smell fraud, cease communications immediately and report.

Grindr and Feeld also have helpful guides for their users.

Stay safe!

You only have nine months to ditch Exchange Server 2013

Malwarebytes - Mon, 06/27/2022 - 19:51

Microsoft has posted a reminder that Exchange Server 2013 reaches End of Support (EoS) on April 11, 2023. That’s a little more than 9 months from now. A useful and timely reminder, since we all realize that it takes some time to migrate to a different system.

Every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported. Knowing key dates in this lifecycle helps you make informed decisions about when to update, upgrade, or make other changes to your software.

Exchange Server

Microsoft Exchange Server is a groupware solution platform that provides many organizations with a mail server and calendaring server. It runs exclusively on Windows Server operating systems.

A few weeks ago Microsoft announced that the 2021 subscription model version of Exchange Server was not going to happen. So there may have been some questions whether the EoS for Exchange Server 2013 would go forward as planned. Now we know the answer: Yes.

Since the next on-premises version is not expected until the second half of 2025, your upgrade options are Exchange Server 2016 and Exchange Server 2019, unless you want to migrate to Exchange Online.

End of Support

EoS (also called End-of-Life, or EoL) describes the final stage of a product’s lifecycle. Once a product reaches EoS, developers stop creating updates and patches for the product.

For Exchange Server 2013 this means that Microsoft will no longer provide:

  • Technical support for problems that may occur.
  • Fixes for usability or stability bugs.
  • Time zone updates.
  • Security fixes.

EoS makes the most basic security hygiene practice, “patch now”, impossible, and vulnerabilities discovered after EoS remain an open wound forever.

Immediate threats

Microsoft has chosen to further develop Exchange Server 2019, rather than come out with a completely new version. It mentioned the fact that state sponsored threat actors, like Hafnium, are targeting on-premises Exchange servers as one of the reasons for the cancellation of Exchange Server 2021.

The number and severity of active threats that target Exchange Server is worrying enough. And this will only get worse when one of the versions is no longer eligible for bug and security fixes.

The most prominent threats for Exchange Servers from last year were:

  • ProxyLogon, which targets on-premises Exchange servers, was used to infect thousands of servers before Microsoft released patches.
  • ProxyOracle is a bit less widespread, since threat actors have to trick users into clicking on a malicious link to steal the user’s password.
  • ProxyToken allows an unauthenticated attacker to perform configuration actions on mailboxes belonging to arbitrary users.
  • ProxyShell is another vulnerability in unpatched on-premises Exchange servers with Internet access.

By now, all of the above have been patched. Unfortunately that doesn’t mean that all vulnerable Exchange Servers have installed the relevant updates. New vulnerabilities will be found, and vulnerabilities in server software that no longer receives patches will be critical.

If you don’t want to get stuck with an unpatchable Exchange Server version, it is time to start planning, find the necessary budget, maybe think through what you are going to use next, and when is the best time for the transition.

Stay safe, everyone!

Brave Search wants to replace Google’s biased search results with yours

Malwarebytes - Mon, 06/27/2022 - 19:23

Brave Search, Brave Software’s privacy search engine, just turned one. To celebrate, the company says it is moving the search engine out of its beta phase to become the default search engine for all Brave browser users.

Goodbye, Google? Not entirely.

In May 2015, Mozilla alumni Brendan Eich and Brian Bondy launched Brave Software. Its first product was the Brave Browser, a privacy-friendly, Chromium-based internet browser that automatically blocks ads and site trackers. In March 2021, the company launched Brave Search so it could use its own index to generate search results.

In a recent announcement, the company said its search engine had passed 2.5 billion queries since its release a year earlier. That was a staggering increase in a year, from 8.1 million search queries to 411.7M by May 2022. However, as impressive as that is, Brave Search (and the other privacy search engine, DuckDuckGo) are still light-years away from challenging Google’s hegemony. While Google enjoys a 92% market share, Brave has yet to break out of the search engine ranking’s minuscule “other” category.

Besides a loyal following, one reason for Brave Search’s fast growth is likely that it (mostly) avoids using third-party search indexes, such as Google and Bing. According to Brave’s blog, 92 percent of queries users receive are directly from Brave’s search index. The company admitted, however, that they will be pulling search results from other providers—Google in particular—if their index doesn’t have enough data of its own.

Search engines that depend too much, or exclusively, on Big Tech are subject to their censorship, biases, and editorial decisions. The Web needs multiple search providers—without choice there’s no freedom.

Brave’s blog

Brave Search is currently ad-free, but the company has plans to work on an ad-supported version of Search. This will involve Brave Ads, Brave’s adtech platform. Users who click these ads are rewarded 70 percent of the ad revenue.

While Brave is quick to claim that its query algorithms are unbiased, The Verge pointed out that all algorithms have inherent biases. But Goggles, a new feature, may help to mitigate this.

Going gaga over Goggles

Brave also announced a new Brave Search results curation feature called “Goggles,” which interested users can start testing out right now. The company has already prepared some demos to try.

“Goggles will enable anyone, or any community of people, to create sets of rules and filters to constrain the searchable space and / or alter the ordering of search results,” the browser company explains. “Essentially, Goggles will act as a re-ranking option on top of the Brave Search index.”

[Image: sample of Brave Search query results using Goggles]

The search team released a white paper on Goggles, detailing its features and showcasing how these work using examples. In a nutshell, Brave is giving its users access to information filtered by their own explicit biases. This means that users’ preferences take precedence over Brave’s preferences.

Brave presented benefits for both the average user and content creator:

“The benefit for the users is that they would be empowered to explore multiple realities in a straight-forward way. The point is to offer people the freedom to choose their own biases while being conscious of them.”

“The benefit for the content creators is that they have multiple options to expose their content, by increasing their potential audience, which will reduce the need to optimize for the single set of biases implicitly encoded in the search engine’s ranking.”

The only downside to Goggles, so far, is that it’s not as easy to use as you might think. You can’t simply enter keywords or personalize preset filters. There is some coding involved, which might put off users without coding experience.

In addition to Goggles, Brave also released Discussions in April. This is a way to augment Brave Search results with actual conversations pulled from popular sites, all related to the search query.

CISA Log4Shell warning: Patch VMware Horizon installations immediately

Malwarebytes - Mon, 06/27/2022 - 09:54

CISA and the United States Coast Guard Cyber Command (CGCYBER) are warning that the threat of Log4Shell hasn’t gone away. It’s being actively exploited and used to target organisations using VMware Horizon and Unified Access Gateway servers.

Log4Shell: what is it?

Log4Shell was a zero-day vulnerability in something called Log4j. This open source logging library written in Java is used by millions of applications, many of them incredibly popular. The easy-to-trigger attack could be used to perform remote code execution (RCE) on vulnerable systems. If successful, attackers could gain full control over a target system. If they managed to have an affected app log a special string, then it was a case of game over: the system at that point was ripe for exploitation.

Discovered in November 2021, the exploit was estimated to potentially affect hundreds of millions of devices. With so much potential for damage, fixes were quickly developed and released on December 6, three days before the vulnerability was published.

Related bugs and additional vulnerabilities were also discovered and subsequently patched.

Broadening Log4Shell’s horizons

According to CISA and CGCYBER, Log4Shell has been used to exploit unpatched, public-facing VMware Horizon and UAG servers. Suspected APT threat actors…

…implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.

Attackers not only make use of malware and HTTP, but also PowerShell scripts and Remote Desktop Protocol (RDP). In the latter’s case, this was to further move around the network and other hosts inside the organisation’s production environment.

Compromised administrator accounts were used to run several additional forms of loader malware. Here are some of the samples found by CISA during one investigation:

  • SvcEdge.exe is a malicious Windows loader containing encrypted executable f7_dump_64.exe. When executed, SvcEdge.exe decrypts and loads f7_dump_64.exe into memory.
  • odbccads.exe is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe decrypts and loads the executable into memory.
  • praiser.exe is a Windows loader containing an encrypted executable. When executed, praiser.exe decrypts and loads the executable into memory.
  • fontdrvhosts.exe is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory.
  • winds.exe is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. winds.exe has complex obfuscation, hindering the analysis of its code structures.
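
An added example, not part of the CISA/CGCYBER advisory or the article: a small PowerShell hunt for the loader file names listed above on a Windows host such as a Horizon connection server. The names are indicators from one investigation, so a hit is a lead to investigate, not proof of compromise, and no hit does not prove a clean host; the search roots are assumed defaults, not locations the advisory names.

```powershell
# Added example: hunt for the loader names CISA listed, as processes, services and files.
$LoaderNames = @(
    'SvcEdge.exe', 'f7_dump_64.exe', 'odbccads.exe',
    'praiser.exe', 'fontdrvhosts.exe', 'winds.exe'
)

function Find-LoaderArtifacts {
    param(
        [string[]]$Names = $LoaderNames,
        # Assumed search roots; widen to the Horizon install path on a real server.
        [string[]]$SearchRoots = @($env:SystemRoot, $env:ProgramData, $env:TEMP)
    )
    $hits = @()
    # 1. Running processes whose image file name matches. Path is null for some
    #    protected system processes, so guard against it.
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if ($p.Path -and ($Names -contains (Split-Path $p.Path -Leaf))) {
            $hits += [pscustomobject]@{ Kind = 'Process'; Name = $p.ProcessName; Detail = $p.Path }
        }
    }
    # 2. Services whose binary path references a listed name; the advisory notes
    #    winds.exe was found running as a service.
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        foreach ($n in $Names) {
            if ($s.PathName -and $s.PathName -match [regex]::Escape($n)) {
                $hits += [pscustomobject]@{ Kind = 'Service'; Name = $s.Name; Detail = $s.PathName }
            }
        }
    }
    # 3. Files on disk under the chosen roots (dormant copies that are not running).
    foreach ($root in $SearchRoots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hits += [pscustomobject]@{ Kind = 'File'; Name = $_.Name; Detail = $_.FullName }
            }
    }
    return $hits
}

# Usage: review every hit, and preserve the file (hash, timestamps) before removing it.
Find-LoaderArtifacts | Format-Table -AutoSize
```
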

Advice for securing installations

CISA/CGCYBER are quite clear about this. Organisations which haven’t applied patches released back in December should treat any and all affected VMware systems as compromised:

  • Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
  • Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
  • See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
  • Note: Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
  • If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible.
  • Prior to implementing any temporary solution, ensure appropriate backups have been completed.
  • Verify successful implementation of mitigations by executing the vendor supplied script without parameters to ensure that no vulnerabilities remain. See KB87073 for details.

Log4Shell, rated a 10 in the Common Vulnerability Scoring System (CVSS), is not to be trifled with. We advise affected organisations to pay heed to the warnings above and set about patching as soon as possible.

Instagram introduces new ways for users to verify their age

Malwarebytes - Mon, 06/27/2022 - 09:47

If Instagram suspects you are fibbing about your age, you’ll currently see the following message:

“You must be at least 13 years old to have an Instagram account. We disabled your account because you are not old enough yet. If you believe we made a mistake, please verify your age by submitting a valid photo ID that clearly shows your face and date of birth.”

Now Meta has announced it’s testing new options for people on Instagram to verify their age, starting with people in the US. The new options are uploading a video selfie, and social vouching. The old verification method to upload an ID is still an option for those that prefer it.

Users that are unable to verify their age will have their accounts deleted.


The verification procedure starts when a user attempts to raise their age from under to above 18. This is relevant since Instagram provides users from 13-17 years old with age-appropriate experiences like defaulting them into private accounts, preventing unwanted contact from adults they don’t know, and limiting the options advertisers have to reach them with ads.

Other reasons Instagram might ask you to verify your age are that it receives a report from another Instagram user, or a content reviewer flags your account as appearing to be in use by someone underage.

Social vouching

The social vouching option allows you to ask mutual followers to confirm how old you are. You might expect this to be an option that can easily be abused, but Meta says it’s built in additional safeguards. Three people must independently confirm the user is over 18, and they all must be at least 18 years old themselves and not be vouching for anyone else at that time.

Video selfie

Certainly the option that raises some concerns is the video selfie. You can choose to upload a video selfie to verify your age. If you choose this option, you’ll see instructions on your screen to guide you through the process. The age analysis, an estimate of your age based on your facial features, is done by Yoti, and both Meta and Yoti promise to delete the image once the analysis has completed.

You may have heard of Yoti due to its digital ID app. Yoti is a free consumer app that offers you a way of proving who you are online and in person. In the UK, Yoti is a government-approved digital ID provider, which allows UK citizens to prove their identities with an app instead of physical documents when applying for a job or renting a property.

Additional AI usage

In addition to testing the new menu of options to verify people’s ages, Meta uses Artificial Intelligence to estimate people’s ages. This can be very simple indicators, like birthday wishes, or comparing the age of linked accounts, such as your Facebook and Instagram accounts. But it can also look at interactions with other profiles and content. For example, people in the same age group tend to interact similarly with certain types of content. From those signals, the model learns to make calculations about whether someone is an adult or a teen.

5 ways to avoid being catfished

Malwarebytes - Sat, 06/25/2022 - 16:00

Today, many Americans will head out to the water—not to swim, but to catch a catfish in time for National Catfish Day.

But when we talk about catfishing in cybersecurity, we mean something different. Here, catfishing refers to someone who assumes someone else’s identity online in order to harass, troll, or scam someone.

But there are ways to protect yourself:

1. Be suspicious

Catfishes and romance scammers prowl social media sites and dating apps.

Usually, scammers will message potential targets privately first, through DMs. And when the target bites, they immediately ask them to switch to a more private chat option, such as email or text.

If you suspect you are being catfished, ask them questions that only someone with their background would know. If they’re hesitant, slow to answer, or try to avoid your questions, then be wary.

2. Don’t fall too quickly for a pretty face

Scammers know that people are likely to respond positively if they’re using an image of someone who looks good. But you can use that pretty picture for your own benefit. Do a reverse-image search to check if the face matches the name, or if anyone has mentioned scams alongside that image.

Take note, though, that scammers can steal someone’s identity entirely and use it. They can also create a deepfake image, which wouldn’t be caught by reverse-image searches.

3. Take it slow

If a love interest ticks all your boxes, remind yourself to slow down. Scammers will want to get you moving, so they can go on to target someone else.

And, since scammers talk to multiple targets, they can make big mistakes, such as forgetting your or their name. Taking it slow may not seem to be the most exciting thing you’d do, but it gives you a chance to build up a bigger picture of the person you are talking to.

4. Talk to someone you trust

An outsider perspective is invaluable if you’re about to fall head first for a scammer.

Let’s face it, sometimes we see the red flags but choose to ignore them. A second or third opinion from someone you trust might be the jolt you need before it’s too late.

5. Never send them anything

Scammers are quick about everything regarding love: revealing too much about “their personal life,” professing their love, or asking for something from you. That could be money, cryptocurrency, personal information, banking details, or gift card numbers.

Occasionally, they might ask you to move money on their behalf. Never do this, even if it sounds like they are desperate for your help.


If you suspect someone is a scammer, immediately stop contact and report them to the site where you first met, whether that was on social media or a dating app. If you have mistakenly sent someone money, file a report to your bank ASAP. And don’t hesitate to report your experience to your local law enforcement and FBI office.

Stay safe!


Cybersecurity agencies: You don’t have to delete PowerShell to secure it

Malwarebytes - Fri, 06/24/2022 - 11:34

Microsoft’s PowerShell is a useful, flexible tool that is as popular with criminals as it is with admins. Cybercrooks like it because PowerShell is powerful, available almost everywhere, and doesn’t look out of place running on a company network.

In most places it isn’t practical to block PowerShell completely, which raises the question: How do you stop the bad stuff without disrupting the good stuff?

Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell that attempts to answer that question.

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK) hope that “these recommendations will help defenders detect and prevent abuse by threat actors, while enabling legitimate use by administrators and defenders.”


Although it’s closely associated with the world of Windows administration, PowerShell is a cross-platform (Windows, Linux, and macOS) automation and configuration tool which, by design, is optimized for dealing with structured data. Initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core.

It allows system administrators and power users to perform administrative tasks via a command line—an area where Windows previously lagged behind its Unix-like rivals with their proliferation of *sh shells.

Threat actors are equally fond of it because it allows them to “live off the land”, and for the options it provides to create fileless malware or to gain persistence on a compromised system.

Reduce abuse

The CIS discusses some security features available in PowerShell which can reduce abuse by threat actors.

Remote connections

Remote connections can be used for powerful remote management capabilities, so Windows Firewall rules on endpoints should be configured appropriately to control permitted connections. Access to endpoints with PowerShell remoting requires the requesting user account to have administrative privileges at the destination by default. The permission requirement and Windows Firewall rules are customizable for restricting connections to only trusted endpoints and networks to reduce lateral movement opportunities. Organizations can implement these rules to harden network security where feasible.

Multiple authentication methods in PowerShell permit use on non-Windows devices. PowerShell 7 permits remote connections over Secure Shell (SSH) in addition to supporting Windows Remote Management (WinRM) connections. This allows for public key authentication and makes remote management through PowerShell of machines more convenient and secure.

AMSI integration

The Antimalware Scan Interface (AMSI) feature, first available on Windows 10, is integrated into different Windows components. It supports scanning of in-memory and dynamic file contents using an anti-malware product registered with Windows and exposes an interface for applications to scan potentially malicious content. This feature requires AMSI-aware anti-malware products (such as Malwarebytes). Basically, AMSI works by analyzing scripts before execution, so the anti-malware product can determine whether the script is malicious.

Constrained Language Mode

Configuring AppLocker or Windows Defender Application Control (WDAC) to block actions on a Windows host will cause PowerShell to operate in Constrained Language Mode (CLM), restricting PowerShell operations unless allowed by administrator-defined policies.

PowerShell methods to detect abuse

Logging of PowerShell activities can record when cyber threats use PowerShell, and continuous monitoring of PowerShell logs can detect and alert on potential abuses. Deep Script Block Logging, Module Logging, and Over-the-Shoulder transcription are disabled by default. The authors recommend enabling the capabilities where feasible.

Before you start

If you plan on following the advice in the CIS, there are a few things you may want to consider first.

  • Execution Policies do not restrict execution of all PowerShell content.
  • AMSI bypasses are found and remediated in a constant whack-a-mole game, and most anti-malware products have different ways of accomplishing the same, or better, results. Therefore you will find that most AMSI-aware anti-malware products do not rely on AMSI alone.
  • If you are a customer of a Managed Service Provider (MSP) you may need to contact them before taking any of the actions listed above, since doing so may hinder them in their remote management.
  • Windows Remote Management/Remote Shell (WinRM/WinRS) connection limitations can become an obstacle in organizations with numerous administrators performing remote management, or that have multiple monitoring solutions connecting to the environment. By default, Microsoft Server limits the number of concurrent users connected to the WinRM/WinRS session to five and the number of shells per user to five. This can be, and often has been, modified using an elevated command prompt.
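The settings covered above (Script Block, Module and Over-the-Shoulder transcription logging, Constrained Language Mode, the execution policy and the WinRM/WinRS shell limits) can be audited from one script before you decide which to change. The following is an added example, not code from the CIS or the article; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated so the WSMan: drive is readable, and reads the standard Group Policy registry locations for these settings.

```powershell
# Added example: audit the PowerShell hardening settings the post discusses.
# Assumes an elevated session on Windows; policy values live under the usual
# Group Policy registry root for PowerShell.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = [ordered]@{
    # Deep Script Block Logging: event ID 4104 in Microsoft-Windows-PowerShell/Operational
    ScriptBlockLogging = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
    # Module Logging: event ID 4103, pipeline execution details per module
    ModuleLogging      = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
    # Over-the-Shoulder transcription: full session transcripts written to OutputDirectory
    Transcription      = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
    TranscriptDir      = Get-PolicyValue 'Transcription' 'OutputDirectory'
    # Reads 'ConstrainedLanguage' when AppLocker/WDAC forces CLM, else 'FullLanguage'
    LanguageMode       = $ExecutionContext.SessionState.LanguageMode.ToString()
    # Informational only: execution policy is not a security boundary (see the list above)
    ExecutionPolicy    = (Get-ExecutionPolicy).ToString()
}

# WinRM/WinRS concurrency limits; the WSMan: drive needs WinRM running and elevation.
try {
    $report.MaxConcurrentUsers = (Get-Item WSMan:\localhost\Shell\MaxConcurrentUsers -ErrorAction Stop).Value
    $report.MaxShellsPerUser   = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser   -ErrorAction Stop).Value
} catch {
    $report.MaxConcurrentUsers = 'unavailable (WinRM not running or not elevated)'
    $report.MaxShellsPerUser   = $report.MaxConcurrentUsers
}

# Count script block events from the last day to confirm logging actually produces data.
# PowerShell 5+ writes some 4104 events at Warning level for suspicious content even with
# the policy off, so a non-zero count alone does not prove the setting is enabled.
$report.ScriptBlockEvents24h = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue).Count

[pscustomobject]$report | Format-List

# Flag the logging gaps the CIS recommends closing where feasible.
foreach ($setting in 'ScriptBlockLogging', 'ModuleLogging', 'Transcription') {
    if (-not $report[$setting]) { Write-Warning "$setting is not enabled by policy" }
}
```

Run it once before and once after applying policy changes so the effect on logging, language mode and remoting limits is visible side by side.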

Disabling PowerShell, if you do not need it, is a lot easier and safer than applying policies to make it safer to use. But looking at the options to make it more secure is certainly a good idea if you do need it.

Stay safe, everyone!


Conti ransomware group’s pulse stops, but did it fake its own death?

Malwarebytes - Thu, 06/23/2022 - 16:54

The dark web leak site used by the notorious Conti ransomware gang has disappeared, along with the chat function it used to negotiate ransoms with victims. For as long as this infrastructure is down the group is unable to operate and a significant threat is removed from the pantheon of ransomware threats.

The Conti leak site is down (June 22, 2022)

Ransomware gangs like Conti use the threat of leaking stolen data on their dark web sites to extort enormous ransoms from their victims, making the sites a vital cog in the ransomware machine.

While the cause of the site’s disappearance isn’t known for sure, and criminal dark web sites are notoriously flaky, there is good reason to suspect that Conti has gone permanently.

However, while anything that stops Conti from terrorising businesses, schools, and hospitals is welcome, the disappearance of its leak site is unlikely to make potential ransomware victims any safer, sadly.

As we explained in our May ransomware review, recent research by Advintel suggests that Conti has spent the last few months executing a bizarre plan to fake its own death. If that is what’s happened, then the gang’s members have simply dispersed to other ransomware “brands” that are either operated by the Conti gang or affiliated to it.

Conti—as bad as they come

The gang behind Conti ransomware (called WizardSpider, although rarely referred to by that name) is believed to be based in Russia, and first appeared in 2020. The FBI recently called it “the costliest strain of ransomware ever documented,” and the US Department of State is offering a reward of up to $10 million for “information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group.”

Conti has been used in a number of high profile attacks, including a devastating assault on Ireland’s Health Service executive on May 14, 2021. The attack disrupted healthcare in Ireland for months and the recovery effort could end up costing the country more than $100 million.

The real cost of the attack was measured in human suffering though. Speaking to Malwarebytes Labs, a doctor in one of the affected hospitals described how a 21st-century healthcare system deprived of its computers is brought to its knees. The attack caused enormous unnecessary suffering for both patients and healthcare professionals, and triggered hundreds of thousands of appointments to be cancelled.

The doctor’s brutal assessment of the Conti gang? “I think they lost their humanity.”

Faking its own death

According to Advintel, the Conti gang sealed its fate in February when it published a message in support of Russia’s invasion of Ukraine, declaring its “full support of Russian government.” By aligning itself to the Russian state it had made itself the subject of sanctions. Victims were not prepared to run the risk that their ransom payments might be treated as sanctions violations and Conti’s income dried up.

Ransomware gangs often react to trouble by going dark, or with ham-fisted attempts to pretend they’ve retired. These retirements are often quickly followed by the sudden appearance of a brand new ransomware gang that is obviously just the old gang working under a new name.

Advintel’s research suggested that Conti was aware of this pattern and determined to try something different. Instead of disappearing and then popping up a week later under a new name, the group created and operated new brands—Advintel names KaraKurt, BlackByte, and BlackBasta as examples—before retiring the Conti name, to make the transition less obvious. In addition to creating these new brands, it also dispersed parts of its workforce into existing gangs it had a relationship with, such as Hive and ALPHV.

To complete the deception, it maintained a skeleton crew that carried out extremely noisy, headline-grabbing attacks on Costa Rica, and continued to operate the leak site until the last moment.

Malwarebytes Threat Intelligence was able to independently confirm that Conti sent an internal announcement about its retirement to affiliates at the end of May, and that its internal chat servers stopped working around the same time.

The site had been inactive for 28 days before it disappeared, with the last new leak appearing on May 25. As our May ransomware report revealed, despite the noise it generated from its attacks on Costa Rica, Conti’s activity was significantly depressed in May, while the activity of gangs with alleged links to Conti increased, driven largely by the rise of BlackBasta.

Known ransomware attacks in May 2022
