Techie Feeds

A week in security (Oct 4 – Oct 10)

Malwarebytes - Mon, 10/11/2021 - 11:02
Last week on Malwarebytes Labs Other cybersecurity news

The post A week in security (Oct 4 – Oct 10) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Firefox reveals sponsored ad “suggestions” in search and address bar

Malwarebytes - Fri, 10/08/2021 - 21:54

Mozilla is trying a novel experiment into striking a balance between ad revenue generation and privacy protection by implementing a new way to deliver ads in its Firefox web browser—presenting them as “suggestions” whenever users type into the dual-use search and URL address bar.

The advertising experiment lies within a feature called “Firefox Suggest,” which was announced in September. According to Mozilla, Firefox Suggest “serves as a trustworthy guide to the better web, finding relevant information and sites to help you accomplish your goals.”

Much like other browsers, Firefox already offers users a bevy of suggestions depending on what they type into the search and address bar. That has included suggestions based on users’ bookmarks, browser histories, and their open tabs. But with the new Firefox Suggest feature, users will also receive suggestions from, according to Mozilla, “other sources of information such as Wikipedia, Pocket articles, reviews, and credible content from sponsored, vetted partners and trusted organizations.”

Though the explanation seems simple, the implementation is not.

That’s because there appear to be two different levels of suggestions for Firefox Suggest, which are only referred to by Mozilla as “Contextual suggestions,” and “improved results for Contextual Suggestions.”

On its support page for Firefox Suggest, Mozilla explicitly said that “contextual suggestions are enabled by default, but improved results through data sharing is only enabled when you opt-in.” That data sharing, covered in more detail below, broadly includes user “location, search queries, and visited sites,” Mozilla said.

How that additional data produces separate results, however, is unclear, because Mozilla remains frustratingly vague about the experience that users can expect if they have the default “contextual suggestions” enabled compared to users who have opted-in to “improved results for Contextual Suggestions.”

Under the heading “What’s on by default,” Mozilla said that, starting with Firefox version 92, users “will also receive new, relevant suggestions from our trusted partners based on what you’re searching for. No new types of data are collected, stored, or shared to make these new recommendations.”

Under the heading, “Opt-in Suggestions,” however, Mozilla only said that a “new type of even smarter” suggestion is being presented for some users that the company hopes will “enhance and speed up your searching experience.” Mozilla said that it “source[s] and partner[s] with trusted providers to serve up contextual suggestions related to your query from across the web,” which sounds confusingly similar to the default contextual suggestions that come from the company’s “trusted partners” and are “based on what you’re searching for.”

Fortunately, Mozilla offered a way for users to check if they’ve opted-in to the data sharing required for improved contextual suggestions. Unfortunately, when Malwarebytes Labs installed the latest version of Firefox (93.0 for MacOS), we could not find the exact language described in Mozilla’s support page.

Mozilla said that, for those who go into Firefox’s preferences:

“If you see ‘Contextual suggestions’ checked with the string ‘Firefox will have access to your location, search queries, and visited sites’, you have opted in. If you do not see that label then the default experience is enabled with no new kinds of data sharing.”

As shown in the image below, though we did find this setting in Firefox’s preferences, we did not find the exact language about “location, search queries, and visited sites.”

When Malwarebytes Labs tested Firefox Suggest, we could not produce any sponsored content results. We did, however, receive a Wikipedia suggestion on our search of “Germany” and a Firefox Pocket suggestion on our search of “chicken soup,” as shown below.

During our testing, we also could not find a way to opt-in to improved contextual suggestions. According to Mozilla, opting-in seems to currently rely on a notification message from Firefox asking users to specifically agree to sharing additional data. During our testing of Firefox Suggest, we did not receive such a message.

New model, new data

Firefox’s experiment represents a sort of double-edged sword of success.

In 2019, Mozilla decided to turn off third-party tracking cookies by default in its then-latest version of Firefox. It was a bold move at the time, but just months later, the privacy-forward browser Brave launched out of beta with similar anti-tracking settings turned on by default, and in 2020, Safari joined the anti-tracking effort, providing full third-party cookie blocking.

The anti-tracking campaign seems to have largely worked, as even Google has contemplated life after the third-party cookie, but this has put privacy-forward browsers in a difficult position. Advertising revenue can be vital to browser development, but online advertising is still rooted firmly in surreptitious data collection and sharing—the very thing these browsers fight against.

For its part, Brave has responded to this problem with its own advertising model, offering “tokens” to users who opt-into advertisements that show up as notifications when using the browser. The tokens can be used to tip websites and content creators. Similar to Mozilla, Brave also vets the companies who use its advertising platform.

As to the role of advertising partners in Firefox Suggest, Mozilla said it attempts to limit data sharing as much as possible. “The data we share with partners does not include personally identifying information and is only shared when you see or click on a suggestion,” Mozilla said.

To run improved suggestions, Mozilla does need to collect new types of data, though. According to the company’s page explaining that data collection:

“Mozilla collects the following information to power Firefox Suggest when users have opted in to contextual suggestions.

  • Search queries and suggest impressions: Firefox Suggest sends Mozilla search terms and information about engagement with Firefox Suggest, some of which may be shared with partners to provide and improve the suggested content.
  • Clicks on suggestions: When a user clicks on a suggestion, Mozilla receives notice that suggested links were clicked.
  • Location: Mozilla collects city-level location data along with searches, in order to properly serve location-sensitive queries.”

Based on the types of data Mozilla collects for improved contextual suggestions, we might assume that users who opt-in will see, at the very least, suggestions that have some connection to their location, like perhaps sponsored content for an auto shop in their city when they’re looking up oil changes. The data on a user’s suggestion clicks might also help Mozilla deliver other suggestions that are similar to the clicked suggestions, as they may have a higher success rate with a user.

As to whether the entire experiment works? It’s obviously too early to tell, but in the meantime, Mozilla isn’t waiting around to generate some cash. Just this year, the company released a standalone VPN product. It is the only product that Mozilla makes that has a price tag.

The post Firefox reveals sponsored ad “suggestions” in search and address bar appeared first on Malwarebytes Labs.

Categories: Techie Feeds

At long last, Microsoft is disabling Excel 4.0 macros by default

Malwarebytes - Fri, 10/08/2021 - 14:02

Sometimes good news in the security world comes unexpectedly. This is one of those times. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is going disable Excel 4.0 macros for everyone. Better late than never, right?

Talk about a big sigh of relief.

Excel 4.0 macros, aka XLM macros, were first added to Excel in 1992. They allowed users to add commands into spreadsheet cells that were then executed to perform a task. Unfortunately, we soon learned that (like any code) macros could be made to perform malicious tasks. Office documents have been a favorite hiding place of malicious code ever since.

For backward compatibility reasons the feature was never removed, despite being superseded by Visual Basic for Applications (VBA) just one year after it was introduced.

I understand the argument in favor of keeping it back then, but why keep it enabled by default for so long after, when so few people use it? Microsoft could have made it so that those that needed Excel 4.0 macros had to turn the feature on, and the rest of us (the overwhelming majority of Excel users) could have been more secure without having to remember to turn it off.

Good news? What happened?

Microsoft announced plans to disable Excel 4.0 macros in an email sent to customers. It will be disabled for all Microsoft 365 users by the end of the year, but the exact schedule depends on which kind of customer you are:

  • Insiders-Slow: Complete in early November.
  • Current Channel: Complete by mid-November.
  • Monthly Enterprise Channel: Complete by mid-December.

Trust me, it’s not easy to make all security professionals happy at once. Most feel this should have been done long ago. For some the glass is half full, while others are asking “why has this glass been half empty for so long?”

Oh my god. Will take a while to reach enterprises and needs Office 365 client but eventually this will reach lots of people and really help defenders.

— Kevin Beaumont (@GossiTheDog) October 7, 2021 Will you miss it?

It is very, very unlikely you will miss Excel 4.0 macros. XLM was the default macro language for Excel through Excel 4.0, but beginning with version 5.0, Excel recorded macros in VBA by default, although XLM recording was still allowed as an option. After version 5.0 that option was discontinued. All versions of Excel are capable of running XLM macros, though Microsoft discourages their use.

Now—almost 30 years after they were made obsolete—it’s fair to stay that the biggest users of Excel 4.0 macros are probably malicious threat actors.

Abuse cases

Attackers have always liked Office macros because they provide a simple and reliable method to spread malware using legitimate features, and without relying on any vulnerability or exploit. XLM macros have been used to drop many well known malware families, including ZLoader, TrickBot, BitRat, QBot, Dridex, FormBook and StrRat, among others.

And in just the last month, Malwarebytes Labs has seen XLM macros weaponized to deliver threat-actor-favorite Cobalt Strike, and a malware campaign using XLM macros to deliver a .NET payload under the cover an Excel spreadsheet full of stats about US airstrikes on the Taliban regime.

Another #maldoc associated to this campagin:
This time the actor has used XLM macro to inject the same payload into the memory.#EXCELntDonut has been used to generate the XLM macro.


— Jazi (@h2jazi) September 24, 2021 Disable manually

Should you feel the need to disable this feature right now, you can do so in the Trust Center. In July Microsoft added a new checkbox setting, “Enable Excel 4.0 macros when VBA macros are enabled”, which allows users to individually configure the behavior of XLM macros without impacting VBA macros.

Image courtesy of Microsoft Security over backward compatibility

Despite the shared joy about this security enhancing roll-out, it raises the question of when does security overrule backward compatibility? Microsoft must have better things to do than fix obsolete features from the past century. Wouldn’t it have been preferable if the step up to VBA in 1993 had been less steep, so we could all forget about 4.0 and move on to the latest version without having to look over our shoulder? Or perhaps Microsoft could have disabled this potentially dangerous feature decades ago and left it to those who actually wanted it to turn it back on?

If history has taught us anything, it’s that the incentive to enable something you need is a lot stronger than the incentive to disable something that might be potentially dangerous.

Stay safe, everyone!

The post At long last, Microsoft is disabling Excel 4.0 macros by default appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Making better cybersecurity training: Q&A with Malwarebytes expert Kelsey Prichard

Malwarebytes - Fri, 10/08/2021 - 10:57

If you hadn’t noticed by now, we are in the first week of National Cybersecurity Awareness Month, which, according to the Cybersecurity Infrastructure and Security Agency in the United States, means that we should all consider how people, organizations, and businesses can “be cyber smart” this year and ahead.

While there are countless ways to interpret exactly how to “be cyber smart”—like adopting cybersecurity best practices around strong password use, two-factor authentication, and remote desktop protocol ports—we at Malwarebytes Labs wanted to take a step back and consider: How do you train people to be cyber smart in the first place?

After all, cybersecurity training is likely the first and most important step in cybersecurity awareness, whether at home or in the office. But developing engaging, actionable cybersecurity training programs can be a difficult endeavor, as those who develop the training have to potentially meet their organization’s compliance requirements while considering their audience’s interests, needs, awareness level, and time available to actually complete training programs.

To better understand how to make smart, engaging cybersecurity training, and to help businesses everywhere roll out their own, we asked Kelsey Prichard, security awareness program manager at Malwarebytes, to share her insights. At Malwarebytes, Prichard develops the security awareness programs and compliance training for the company’s employees—which are sometimes affectionately called “Malwarenauts.” She has developed seven “microlearning modules” and one security compliance training course—with another soon to come—and she has organized multiple in-house security webinars.

Prichard’s programs have also taken advantage of what she described as a “playful culture” at Malwarebytes, as each October, she has structured the annual security training to be “based around a different popular sci-fi movie.” The themed training programs have found a perfect home at the company, as its Star Wars-themed Santa Clara headquarters includes multiple conference rooms named after popular characters and its hallways are adorned with plenty of movie art.

The following Q&A with Prichard has been edited for clarity and length.

When you first joined Malwarebytes, you were tasked with something quite intimidating: Developing a cybersecurity training program for hundreds of company employees. Where do you even start with a task this large? 

This was quite the challenge, as this role was my first formal introduction to the world of security. My background’s in learning and development, and I used to work for Tesla developing their body repair training. So much of the material was new to me. Luckily, the security team here is fantastic and gave me a lot of the security frameworks I needed to get started. I think being a “beginner” in security helped give me a clarity I’m not sure I would’ve had otherwise. The first few months consisted of a lot of Googling, online training courses, and trial and error. As I learned, I developed courses and wrote down ideas. It was extremely important to me that I didn’t start a program that people didn’t want, nor were interested in, so a huge aspect of that was learning how to make it fun. Malwarebytes has a lot of very smart individuals, and this is a security company, so I had to develop content that was interesting and yet also met compliance requirements, so everyone took training in a timely manner

How did you measure the cybersecurity familiarity of Malwarebytes employees to ensure that the training programs you built would fit their level of understanding? 

We have a huge range of security knowledge here at Malwarebytes, so we’ve tried to incorporate variability in the content we upload. Some formats, like our training modules, are catered to Malwarenauts who may have less security understanding, while others, like our monthly webinars, are more technical. We also have a Security Champions program where our security experts in the company come together to learn from each other and our security team so that they can help educate their fellow Malwarenauts. There are some things, however, like our compliance training that we need to roll out to everyone, so this needs to cover a broad spectrum of security knowledge.

How did developing these training programs specifically for employees at a cybersecurity company influence, if at all, the development process? 

Lucky for me, working at a cybersecurity company has meant more engagement in security training than you’d see at other companies. However, it also makes our mandatory trainings more difficult since we have such a broad level of security knowledge and it’s odd knowing that you may be training someone with more security knowledge than yourself. That being said, I really love that there are so many people around me that are knowledgeable and excited about cybersecurity. It means I have a lot of people to learn from and I get a lot of support from upper management, but it was definitely intimidating at first! 

When deciding what topics to prioritize, I imagine you had an enormous list. Can you describe what was on that early list? 

Yes! The first thing I needed to do was set up our first annual security training, which was easy to prioritize for compliance reasons. Cybersecurity Awareness Month was also a big priority because I used it as the launch of our security awareness program and it’s the optimal time to make a big deal of cybersecurity. Creating a plan for the year on topics to be covered was also very helpful, as it allowed for getting the expert speakers for those topics. It requires a lot of coordination.

How did you narrow down the first few topics you developed training programs for? Why did you choose those topics? 

My security teammates were hugely valuable. They were aware of the biggest threats to our organization, so I initially developed training to highlight and help our employees prevent these threats from occurring. From there, we really wanted to cover the “cybersecurity basics” to set a knowledge groundwork for all employees.  

In developing the training programs, was there any practice you knew you wanted to avoid? 

I am very aware that “learning fatigue” is easy to succumb to with mandatory training modules. Because of this, I wanted to ensure that all training programs were split up to take no longer than 15 minutes at a time. This is why you’ll see our mandatory training is 30 minutes in total, but is split into three separate courses that are combined into one learning plan. This gives learners the option to complete a course and return to the learning plan as needed.

I also aim for story-based training, where it makes sense, to simplify otherwise complex content and make it relatable. 

Finally, what is your top tip for other cybersecurity trainers who want to make smart training progrmas for their organizations? 

Keep it engaging. I think as cybersecurity trainers we tend to get wrapped up in what the content is and forget how crucial it is to make the learning entertaining. If your audience doesn’t engage in the training you create, all it’s doing is checking a compliance box. 

The post Making better cybersecurity training: Q&A with Malwarebytes expert Kelsey Prichard appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Discord scammers lure victims with promise of free Nitro subscriptions

Malwarebytes - Fri, 10/08/2021 - 09:27

A number of bogus offers are doing the rounds in Discord land at the moment. Discord, a group text chat/VoiP app of choice for many gaming communities, is having a bit of trouble with phishing links.

You may recall we’ve covered a lot of Discord scams previously. Service users can create bots, those bots can be invited into channels, and then they get to work spamming. The messages run the range of free games, discount sign-ups for services, or just plain old fake login screens.

You’ll also frequently see bots pushing offers for things which simply don’t exist anymore. Their purpose is to hit the channels and drift forever, spamming all and sundry until they get a few hits. This week it’ll be a bot promoting a “red hot” offer from 2018. Next week it’ll be promoting crossover deals with a service which went out of business a year ago.

While many gamers who know their stuff won’t fall for those kinds of things, plenty of others will. They could stand to lose their gaming accounts, their logins for other services, some money, or perhaps a combination of all 3. Depending on the scam, they could also be used to send spam messages to an even bigger audience. You definitely don’t want any of this clogging up the channels you use on a daily basis.

What’s happening?

Spam messages are sent to other Discord users. As is common with this kind of attack, they’re themed around “Nitro”. This is a paid Discord service which offers added functionality in the servers along with some other features. At one point, games were included in some of these deals, and those were a big target for scammers even after the games were no longer available. The scammers are just banking on nobody checking before clicking the links.

Here’s what some of the current messages going around look like:

@discord this is getting out of hand. All from friend accounts, all the same stupid language none of them use, all the same fake scam links. Gonna dk something about this? Getting as bad as the bots on @Twitch

— That Vaxx'd Wolf From Hyrule (@HylianEchoWolf) October 3, 2021

Note that this isn’t being sent from bots (as in, chatbots specifically coded to send spam links). As the Tweeter points out, this is all being sent by friends. Those friends have likely been compromised earlier in the chain, and are now being used for malicious purposes.

As for the messages themselves? They’re a mixed bunch. One claims a friend has sent the recipient a Nitro subscription. The others claim the recipient “has some Nitro left over”, tied to a URL which mentions billing and promotions.

When sneaky sites go phishing…

The sites here use a common trick. This is where they switch out the letter i, for an L in the URL. As a result, you’re not visiting Discord, you’re visiting something along the lines of dLscord instead (we’re using the uppercase L here purely for visual clarity).

Hunting for phish If it seems too good to be true…

From there, it’s a case of phishing the victim’s logins.

Tackling the Discord phishers

Sometimes these sites already have multiple red flags thrown up along the way:


Other times, you’re reliant on the site being taken down or your security tools stopping the scam in its tracks. Either way, if you’ve entered your details into one of these sites (or similar!), then change your login as soon as possible.

How to protect your Discord account

Discord offers some tips on how to keep your account safe:

  1. Use a strong password, and one that is unique to your Discord account. A password manager can help generate and store strong passwords for you, because it’s very very difficult to remember them yourself
  2. Set up two-factor authentication (2FA) on your account
  3. Set up message scanning, which automatically scans and deletes any explicit content. You can choose to do this for all messages or just those from people not on your Friends List
  4. Block users if you need to. Discord offers more information on how to do that in tip 4.

Stay safe out there!

The post Discord scammers lure victims with promise of free Nitro subscriptions appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What special needs kids need to stay safe online

Malwarebytes - Wed, 10/06/2021 - 14:35

Online safety is hard enough for most adults. We reuse weak passwords, we click on suspicious links, and we love to share sensitive information that should be kept private and secure. (Just go back a few months to watch adults gleefully sharing photos of their vaccine cards.) The consequences of these failures are predictable and, for the most part, proportional—a hacked account, a visit to a scam website, maybe some suspicious texts asking for money.

But for an often-ignored segment of the population, online safety is more about discerning lies from truth and defending against predatory behavior. These are the threats posed specifically to children with special needs, who, depending on their disabilities, can have trouble understanding emotional cues and self-regulating their emotions and their relationship with technology.

This year, for National Cybersecurity Awareness Month, Malwarebytes Labs spoke with Alana Robinson, a special education technology and computer science teacher for K–8, to learn about the specific online risks posed to special needs children, how parents can help protect their children with every step, and how teachers can best educate special needs children through constant reinforcement, “gamification,” and tailored lessons built around their students’ interests.

Importantly, Robinson said that special needs education for online safety is not about a handful of best practices or tips and tricks, but rather a holistic approach to equipping children with the broad set of skills they will need to safely navigate any variety of risks online.

“Digital citizenship, information literacy, media literacy—these are all topics that need to be explicitly taught [to children with special needs],” Robinson said. “The different is, as adults, we think that you should know this; you should know that this doesn’t make sense.”

Whether adults actually know those things, however, can be disputed.

“I mean, as I said,” Robinson added, “it is also challenging for adults.”

Our full conversation with Robinson, which took place on our podcast Lock and Code, with host David Ruiz, can be listened to in full below.

The large risk of disinformation and misinformation

The risks posed to children online are often similar and overlapping, no matter a child’s disability. Cyberbullying, encountering predatory behavior, interacting with strangers, and posting too much information on social media platforms are all legitimate concerns.

But for children with behavioral challenges, processing challenges, and speech and language challenges in particular, Robinson warned about one enormous risk above all: The risk of not being able to discern fact from fiction online.

“Misinformation and disinformation online [are] a great threat to our students,” Robinson said. “There were many times [my students] would come in and say ‘I saw this online’ and we would get into discussions because they were pretty adamant that what they saw is correct.”

Those discussions have increased dramatically in frequency, Robinson said, as her students—and children all over the world—watch videos at an impossibly fast rate on platforms like YouTube, which, according to the company’s 2017 statistics, streams more than one billion hours of video a day. That video streaming firehose becomes a problem when those same platforms have to consistently play catch-up to stop the wildfire-like spread of disinformation and conspiracy theories online, as YouTube just did last week when it implemented new bans on vaccine misinformation.

“I have students pushing back and telling me, no, we never landed on the moon, that’s fake,” Robinson said. “These are the things they’re consuming on these platforms.”

To help her students understand how misinformation can spread so easily, Robinson said she shows them how it can be daylight outside her classroom, but at the same time, if she wanted, she could easily post a video online saying that it is instead nighttime outside her classroom.

Robinson said she also encourages her students to ask if they’re seeing these claims made elsewhere, and she steers them to what are called “norm-based reputable sources”—trustworthy websites that can provide fact-checks while also removing her students from the progression of recommended online videos that are fed to them through algorithms that prioritize engagement above all else.

“This is what we call building digital habits,” Robinson said, emphasizing the importance of digital literacy in today’s world.

Constant reinforcement

The promise of a “solution” to misinformation and disinformation online almost feels too good to be true, whether that solution equips special needs children with the tools necessary to investigate online sources or whether it helps adults without special needs defend against hateful content that is allegedly prioritized by one enormous technology company to boost its own profits.

So, when Robinson was asked directly as to whether these teaching models work, she said yes, but that the models require constant reinforcement from many other people in a child’s life.

Comparing digital literacy education to math education, Robinson said that every single year, students revisit the topics they learned the year before. She called this return to past topics “spiraling.”

“Part of developing digital students into really successful, smart, discernible, digital adults is the ongoing, constant spiraling and teaching of these concepts,” Robinson said. “If you can collaborate with other content area educators in your building, you’re infusing these topics through subject areas.”

Essentially, Robinson said, teaching online safety and cybersecurity to special needs children needs to be the responsibility of more than just a single technology teacher. It needs to be taken on by several subject matter educators and by parents at home.

For parents who want to know how they can help out, Robinson suggested finding teaching moments in everyday, common mistakes. If a parent themselves falls for a phishing scam, Robinson said those same parents can take that as an opportunity to teach their children about spotting online scams.

“It’s an ongoing work and it never stops,” Robinson said.

Teach kids about what they like using

To help special needs children understand and take interest in online safety education, Robinson said she always pays attention to what her students are using and what they’re interested in. This simple premise makes lessons both applicable and interesting to all students—not just those with special needs—and it provides a way for children to immediately understand what they’re learning, why they’re learning it, and how it can be applied.

As an example, since so many of her students watch videos on TikTok, Robinson spoke to her students last year about the US government’s reported plans to ban the enormously popular app.

“The federal government was thinking of not allowing TikTok to be used here because it might’ve been a safety risk, and so we had that discussion, and I said ‘What happens if you couldn’t use TikTok anymore?’” Robinson said.

Robinson said this tailored approach also gives teachers and parents an opportunity to help kids not just stay safe online, but also learn about the tools they use every day to view online content. The tools themselves, Robinson said, can greatly impact how a child with special needs feels on any given day—sad, happy, worried, scared, anything goes—and that children with special needs can often use guidance in self-regulating and understanding their own emotions.

Robinson added that many of her lessons about online tools and platforms have a similar message: If a game or website or tool makes her students feels uncomfortable, they should tell an adult.

It’s a rule that could likely help even adults when they find themselves gearing up to get into an online argument for little legitimate reason.

Embrace the game

Finally, Robinson said that many of her students enjoy using online games to learn about online safety, and she specifically mentioned Google’s Internet safety game called “Interland,” which parents can find here.

Google’s Interland leads kids through several short “games” on online safety, with lessons centered around the topics of “Share with Care,” “It’s Cool to Be Kind,” and “Don’t Fall for Fake.” The browser-based games ask kids to go through a series of questions with real scenarios, and each correct answer earns them points while their digital character jumps from platform to platform. The website works with most browsers, but Malwarebytes Labs found that it ran most smoothly on Google Chrome and Safari.

Interestingly, when it comes to lessons that Robinson’s special needs students excel at, she said they are excellent at creating strong passwords—and at calling people out for using weak ones.

“I teach 100 students, 10 classes, [and] I used not a very strong password for every student in this one class … and I said ‘By the way, everyone has this [password],’ and they’re like, when I said everyone has this same password, they’re like ‘Oh no no! That’s not a strong password, oooh,’” Robinson said, laughing. “They literally let me have it.”

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

The post What special needs kids need to stay safe online appeared first on Malwarebytes Labs.

Categories: Techie Feeds

[update]Patch now! Apache fixes zero-day vulnerability in HTTP Server

Malwarebytes - Wed, 10/06/2021 - 14:23

The Apache HTTP Server 2.4.49 is vulnerable to a flaw that allows attackers to use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. This issue is known to be exploited in the wild.

The vulnerability

The Apache HTTP Server Project started out as an effort to develop and maintain an open-source HTTP server for modern operating systems, including UNIX and Windows. It provides a secure, efficient, and extensible server that provides HTTP services in sync with the current HTTP standards.

The flaw (listed as CVE-2021-41773) was introduced by a change made to path normalization in Apache HTTP Server 2.4.49. So, earlier versions are not vulnerable, nor are servers that are configured to “require all denied”.

Unfortunately, “require all denied” is off in the default configuration. This is the setting that typically shows an error that looks like this:

“Forbidden. You don’t have permission to access {path}.”

Path traversal attack

Path traversal attacks are done by sending requests to access backend or sensitive server directories that should be out of reach for unauthorized users. While normally these requests are blocked, the vulnerability allows an attacker to bypass the filters by using encoded characters (ASCII) for the URLs.

Using this method an attacker could gain access to files like cgi scripts that are active on the server, which could potentially reveal configuration details that could be used in further attacks.


The Apache HTTP Server Project was launched in 1995, and it’s been the most popular web server on the Internet since April 1996. In August 2021 there were some 49 million active sites running on Apache server. Obviously we do not know which server every domain is using, but of the sites where we can identify the web server, Apache is used by 30.9%.

A Shodan search by Bleeping Computer showed that there are over a hundred thousand Apache HTTP Server 2.4.49 deployments online, many of which could be vulnerable to exploitation.

Security researchers have warned that admins should patch immediately.

If you use Apache HTTP Server 2.4.49 (only that version), you should update to 2.4.50 now due to CVE-2021-41773, a nasty 0-day path traversal vulnerability

— Mark J Cox (@iamamoose) October 5, 2021 Another vulnerability

There’s a second vulnerability tackled by this patch—CVE-2021-41524—a null pointer dereference detected during HTTP/2 request processing. This flaw allows an attacker to perform a denial of service (DoS) attack on the server. This requires a specially crafted request.

This flaw also only exists in Apache Server version 2.4.49, but is different to the first vulnerability in that, as far as we know, it is not under active exploitation. It was discovered three weeks ago, fixed late last month, and incorporated now in version 2.4.50.


All users should install the latest version as soon as possible, but:

  • Users that have not installed 2.4.49 yet should skip this version in their update cycle and go straight to 2.4.50.
  • Users that have 2.4.49 installed should configure “require all denied” if they do not plan to patch quickly, since this blocks the attack that has been seen in the wild.

A full list of vulnerabilities in Apache HTTP Server 2.4 can be found here.

Update October 8

Apache issued a new patch. It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. The new part of the vulnerability is listed under CVE-2021-42013. The “require all denied” setting blocks attacks using this vulnerability as well.

Stay safe, everyone!

The post [update]Patch now! Apache fixes zero-day vulnerability in HTTP Server appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Twitch compromised: What we know so far, and what you need to do

Malwarebytes - Wed, 10/06/2021 - 11:57

Update, 7th October: Twitch has now confirmed the breach. The company’s statement is as follows:

We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.

At this time, we have no indication that login credentials have been exposed. We are continuing to investigate.

Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.

Original post:

Big, breaking news going around at the moment. If you have a Twitch account, you may wish to perform some security due diligence. There are multiple reports of the site being compromised. And they absolutely do mean compromised: got leaked. Like, the entire website; Source code with comments for the website and various console/phone versions, refrences to an unreleased steam competitor, payouts, encrypted passwords that kinda thing.
Might wana change your passwords.

— Sinoc (@Sinoc229) October 6, 2021

There’s still no independent verification from Twitch itself yet. However, multiple people have confirmed that the leak details, which include streamer revenue numbers, match what they have in fact generated.

What has happened?

A 128GB torrent was released on the 4chan message board. The poster claims it incorporates all of Twitch including

  • Source code for desktop, mobile, and console clients
  • 3 years of creator payouts
  • Some form of unreleased Steam competitor
  • Various bits of data on several Twitch properties
  • Internal security tools

The leak is marked as “part 1”. The current data appears to contain nothing in the way of passwords or related data, but that potentially may be included in whatever comes next. This is something we may well find out from Twitch if and when it makes a statement.

In the meantime, we’d strongly suggest taking some proactive steps.

What should Twitch users do?

Log into your Twitch account and change your password to something else. If you’ve used the password on other services then you need to change them there too. Then enable two-factor authentication on Twitch, if you’re not already using it.

One small possibility against the leaking of passwords is there’s not been any visible “strange” activity from big name accounts. One would assume all sorts of dubious message shenanigans would follow in the wake of such a data grab. However, it’s possible that stolen passwords are being kept under lock and key until any such “Part 2” arrives.

This makes it all the more crucial to take some action now and start locking things down.

We’ll be updating this post with more information as we get it, so if you’re a Twitch user please feel free to check back every so often.

The post Twitch compromised: What we know so far, and what you need to do appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Facebook shoots own foot, hits Instagram and WhatsApp too

Malwarebytes - Tue, 10/05/2021 - 16:21

Mark Zuckerberg was left counting the personal cost of bad PR yesterday (about $6 billion, according to Bloomberg) on a day when his company couldn’t get out of the news headlines, for all the wrong reasons.

The billionaire Facebook CEO’s bad day at the office started with whistleblower Frances Haugen finally revealing her identity in a round of interviews that looked set to lay siege to the Monday headlines. Anonymous revelations by the former Facebook product manager had fuelled an entire Wall Street Journal series about the harm inflicted or ignored by Instagram and Facebook, and her unmasking was its denouement. It was supposed to be big news, and for a while it was.

But then something even bigger happened.

Facebook, Instagram, and WhatsApp completely disappeared. For six hours.

Despite losing access to the world’s favourite confirmation bias apparatus, conspiracy theorists didn’t miss a beat. Putting two and two together to make five, they decided that it was all too convenient and that Facebook was using the dead cat strategy to rob Haugen of the spotlight!

It was a convenient theory, but there is no evidence for it besides an interesting coincidence, and it ignores the fact that Facebook taking itself out to silence a whistleblower is a far more interesting story than Facebook simply taking itself out by accident. I’m afraid that in the absence of more compelling information, Hanlon’s Razor will have to suffice: “Never attribute to malice that which is adequately explained by stupidity”.


What we can say for sure, is that Facebook took itself and its stablemates out with a spectacular self-inflicted wound, in the form of a toxic Border Gateway Protocol (BGP) update.

The Internet is a patchwork of hundreds of thousands of separate networks, called Autonomous Systems, that are stitched together with BGP. To route data across the Internet, Autonomous Systems need to know which IP addresses other Autonomous Systems either control or can route traffic to. They share this information with each other using BGP.

According to Cloudflare—which has published an excellent explanation of what it saw—Facebook’s trouble started when its Autonomous System issued a BGP update withdrawing routes to its own DNS servers. Without DNS servers, the address stopped working. In Cloudflare’s words: “With those withdrawals, Facebook and its sites had effectively disconnected themselves from the Internet.”

Cloudflare appears to have noticed the problem almost straight away, so we can assume that Facebook did too. So why did it take six more hours to fix it? The social media scuttlebutt, later confirmed in Facebook’s own terse explanation, was that the outage disabled the very tools Facebook’s enormous number of remote workers would normally rely on to both communicate with each other and to fix the problem.

The underlying cause of this outage also impacted many of the internal tools and systems we use in our day-to-day operations, complicating our attempts to quickly diagnose and resolve the problem.

The unconfirmed part of the same scuttlebutt is that Facebook is so 21st century that folks were locked out of offices, and even a server room, which had to be entered forcibly in order to fix the configuration issue locally.

Of course that could just be another conspiracy theory, but as somebody who has themselves been stranded outside a building, forced to look through a glass door at the very computer that controls that door attempting and failing to boot from the broken network I had come to investigate, let me assure you that it’s not an outrageous suggestion.

The Facebook Empire withdrawing itself from the Internet didn’t stop people looking for it though. In fact, it made them look much, much harder (just imagine everyone, everywhere, frustrated, hitting “refresh” or reinstalling Instagram until they’re bored, and you get the idea). Unanswered DNS requests spiked, and DNS resolvers groaned, as computers groped around in the dark looking for the now non-existent domains.

When they weren’t pummelling DNS resolvers, the rest of the Facebook diaspora was forced to find other forms of entertainment or other means of communication. Some local mobile phone operators reported being overwhelmed, and encrypted messaging app Signal said it welcomed “millions” of new users as people looked for alternatives to WhatsApp.

And let’s not forget that there are companies that rely on Facebook, Instagram, and WhatsApp to drive business, and there are services that use Facebook logins for authentication. And then there’s the influencers. All of them had to stop. For six hours. Won’t somebody think of the influencers?

When it finally sank in that nobody could use Facebook, Instagram, or WhatsApp, it started to dawn on us all just how much so many of us have put Facebook and its products at the centre of our lives.

And then we all went to Twitter to tell everyone else how good or bad it all was. Thankfully, it withstood the onslaught.

hello literally everyone

— Twitter (@Twitter) October 4, 2021

Which leads us to the “so what?” part of our story. This is a security blog after all, and if this wasn’t a cyberattack you may be wondering what all of this has to do with security. Where’s the lesson in all of this?

Single points of failure people.

That’s it. That’s the tweet.

The post Facebook shoots own foot, hits Instagram and WhatsApp too appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Criminals were inside Syniverse for 5 years before anyone noticed

Malwarebytes - Tue, 10/05/2021 - 14:22

“A global privacy disaster”, “espionage gold”, and “a state-sponsored wet dream” are just some of the comments one can read regarding the breach at Syniverse, a key player in the tech/telecommunications industry that calls itself the “center of the connected world.”

In a filing with the US Security and Exchange Commission, Syniverse said the breach affected more than 200 of its clients who have an accumulated number of cellphone users by the billions worldwide. Syniverse’s clients include Verizon, AT&T, T-Mobile, Vodafone, China Mobile, Telefonica, and America Movil, to name a few.

The company revealed that it first noticed the breach in May 2021, but that the access had begun in May 2016—a whole five years before.

According to Motherboard, who first wrote about this story, Syniverse receives, processes, stores, and transmits electronic customer information, which includes billing information among carriers globally, records about calls and data usage, and other potentially sensitive data. It processes more than 740 billion SMS messages alone per year, routing text messages between users of two different carriers (both in the US and abroad).

The filing said that “Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers.”

In an email interview with Motherboard, Karsten Nohl, a security researcher is quoted saying, “Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of Internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once.”

A telecomm industry insider, who spoke to Motherboard said: “With all that information, I could build a profile on you. I’ll know exactly what you’re doing, who you’re calling, what’s going on. I’ll know when you get a voicemail notification. I’ll know who left the voicemail. I’ll know how long that voicemail was left for. When you make a phone call, I’ll know exactly where you made that phone call from.”

“I’ll know more about you than your doctor.”

Motherboard asked Syniverse whether the hackers had accessed or stolen personal data on cellphone users, but Syniverse declined to answer. 

Syniverse said all EDT customers have had their credentials reset or inactivated, whether they were part of the breach or not. The company says no further action is required on behalf of those customers.

“We have communicated directly with our customers regarding this matter and have concluded that no additional action is required. In addition to resetting customer credentials, we have implemented substantial additional measures to provide increased protection to our systems and customers.” 

The post Criminals were inside Syniverse for 5 years before anyone noticed appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Windows 11 is out. Is it any good for security?

Malwarebytes - Tue, 10/05/2021 - 09:00

Windows 11, the latest operating system (OS) from Microsoft, launches today, and organizations have begun asking themselves when and if they should upgrade from Windows 10 or older versions. The requirements and considerations of each organization will be different, and many things will inform the decisions they make about whether to stick or twist. One of those things will be whether or not Windows 11 makes them safer and more secure.

I spoke to Malwarebytes’ Windows experts Alex Smith and Charles Oppermann to understand what’s changed in Windows 11 and what impact it could have on security.

A higher bar for hardware

If you’ve read anything about Windows 11 it’s probably that it will only run on “new” computers. Microsoft’s latest OS sets a high bar for hardware, with the aim of creating a secure platform for all that’s layered on top of it. In effect, Microsoft is making its existing Secured-core PC standards the new baseline, so that a range of technologies that are optional in Windows 10 are mandatory, or on by default, in Windows 11.

In reality the hardware requirements will only seem exacting for a short period. Moore’s Law and the enormous Windows install base mean that yesterday’s stringent hardware requirements will rapidly turn into today’s minimum spec.

Three of the new OS’s hardware requirements play major, interlocking roles in security:

All hail the hypervisor

At a minimum, Windows 11 requires a 64-bit, 1 GHz processor with virtualization extensions and at least two cores, and HVCI-compatible drivers. In practice that means it requires an 8th generation Intel processor, an AMD Zen 2, or a Qualcomm Snapdragon 8180.

This is because Virtualization Based Security (VBS) has become a keystone concept in Microsoft’s approach to security. VBS runs Windows on top of a hypervisor, which can then use the same techniques that keep guest operating systems apart to create secure spaces that are isolated from the main OS. Doing that requires hardware-based virtualization features, and enough horsepower that you won’t notice the drag on performance.

Noteworthy security features that rely on VBS include:

  • Kernel Data Protection, which uses VBS to mark some kernel memory as read only, to protect the Windows kernel and its drivers from being tampered with.
  • Memory Integrity (a more digestible name for HVCI), which runs code integrity checks in an isolated environment, which should provide stronger protection against kernel viruses and malware.
  • Application Guard, a protective sandbox for Edge and Microsoft Office that uses virtualization to isolate untrusted websites and office documents, limiting the damage they can cause.
  • Credential Guard runs the Local Security Authority Subsystem Service in a virtual container, which stops attackers dumping credentials and using them in pass-the-hash attacks.
  • Windows Hello Enhanced Sign-In uses VBS to isolate biometric software, and to create secure pathways to external components like the camera and TPM.
United Extensible Firmware Interface (UEFI)

UEFI is a specification for the firmware that controls the first stages of booting up a computer, before the operating system is loaded. (It’s a replacement for the more widely-known BIOS.) From a security standpoint, UEFI’s key feature is Secure Boot, which checks the digital signatures of the software used in the boot process. It protects against bootkits that load before the operating system, and rootkits that modify the operating system.

Trusted Platform Module 2.0 (TPM 2.0)

TMP is tamper-resistant technology that performs cryptographic operations, such as creating and storing cryptographic keys, where they can’t be interfered with. It’s probably best known for its role in Secure Boot, that ensures computers only load trusted boot loaders, and in BitLocker disk encryption. In Windows 11 it forms the secure underpinning for a host of security features, including Secure Boot’s big brother, Measured Boot; BitLocker (Device Encryption on Windows Home); Windows Defender System Guard; Device Health Attestation; Windows Hello; and more.

New in Windows 11

Windows 11 has some new tricks up its sleeve too.

Hardware-enforced Stack Protection

Windows 11 extends the Hardware-enforced Stack Protection introduced in Windows 10 so that it protects code running in kernel mode as well as in user mode. It’s designed to prevent control-flow hijacking by creating a “shadow stack” that mirrors the call stack’s list of return addresses. When control is transferred to a return address on the call stack it’s checked against the shadow stack to ensure it hasn’t changed. If it has, something untoward has happened and an error is raised.


Windows 11 comes ready to embrace the impressively-named Pluton TPM architecture. It’s been a feature of the Xbox One gaming console since 2013, but doesn’t exit in PCs… yet.

Pluton sees the security chip built directly into the CPU, which prevents physical attacks that target the communication channel between the CPU and the TPM. And while Pluton is backwards-compatible with existing TPMs, it’ll do more if you let it. According to Microsoft, “Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself”.

Microsoft Azure Attestation (MAA)

No discussion about security in 2021 would be complete without somebody mentioning Zero Trust, so here it is. Windows 11 comes with out-of-the-box support for MAA, which can verify the integrity of a system’s hardware and software remotely. Microsoft says this will allow organizations to “enforce Zero Trust policies when accessing sensitive resources in the cloud”.

Evolution, not revolution

For several years, Microsoft’s approach to Windows security has been to create a chain of trust that ensures the integrity of the entire hardware and software stack, from the ground up. The latest version of Windows seeks to make that approach the default, and demands the hardware necessary to make it work. With Windows 11, Microsoft is making an aggressive attempt to raise the security floor of the PC platform, and that’s a good thing for everyone’s security.

Make no mistake that threat actors will adapt, as they have done before. Advanced Persistent Threat (APT) groups are well-funded enough to find a way through tough defences, ransomware gangs are notoriously good at finding the lowest-hanging fruit, and lucrative forms of social engineering like BEC are notoriously resistant to technology solutions.

And you can add to that the interlocking problems of increasing complexity, backwards compatibility, and technical debt. Operating systems and the applications they must support are a behemoth, and while Microsoft pursues its laudable aim of eliminating entire classes of vulnerabilities, new bugs will appear and a lot of legacy code will inevitably come along for the ride.

Decisions about whether to adopt Windows 11 will doubtless be impacted by the fact it won’t run on a lot of otherwise perfectly good computers. We expect this to have a chilling effect on organizations’ willingness to migrate away from Windows 10.

And there are other headwinds too. These days, new Windows operating systems are rarely greeted with great enthusiasm unless they’re putting right the wrongs of a particularly disliked predecessor. The bottom line is that Windows 10 works and OS upgrades are painful, so it is difficult to imagine that anyone will conclude they need Windows 11.

Migration away from older versions of Windows is inevitable eventually, and by the time mainstream support for Windows 10 ends in October 2025, users will undoubtedly be more secure. But we expect organizations to move away from Windows 10 slowly, which will delay the undoubted security benefits that will follow from wide-scale adoption of Windows 11.

The post Windows 11 is out. Is it any good for security? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Neiman Marcus data breach affects millions

Malwarebytes - Mon, 10/04/2021 - 19:24

Millions of Neiman Marcus customers have had their personal and financial information exposed in a data breach. In a press release the company confirmed unauthorized access to customer online accounts.

According to the press release 4.6 million customers of Neiman Marcus Group stores, specifically Neiman Marcus and Last Call, are being notified about the data breach by email.

What information was stolen?

For affected customers, it’s always important to know what information the threat actor may have gotten hold off. The personal information for affected Neiman Marcus customers varied and may have included:

  • Names and contact information
  • Payment card numbers and expiration dates (without CVV numbers)
  • Neiman Marcus virtual gift card numbers (without PINs)
  • Usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts.
What has Neiman Marcus done?

To investigate the matter Neiman Marcus has engaged Mandiant, an American cybersecurity firm, and notified law enforcement. The investigation is ongoing.

Neiman Marcus has also informed the affected customers, and forced an online account password reset for affected customers who haven’t changed their password since May 2020. Neiman Marcus promised to continue to take actions to enhance its system security, and safeguard information.

The company has set up a phone number—(866) 571-9725—and web page for concerned customers, although at the time of publishing the website is not currently working.

What you can do

If you know or suspect you may have been affected by this data breach there are a few things you can do.

The most important one is to change your password and make sure you have not re-used the same login credentials elsewhere online. If you have, you’ll need to change that too. The same is true for any security questions.

Scammers like to make the most of data breaches like this by sending out fake emails trying to trick you into giving them your login credentials, so make sure you go directly to the website to change your password.

Unlike Neiman Marcus, other companies have offered free credit and identity monitoring services as a conciliatory measure after a data breach. In this case you would have to pay for that yourself. Credit monitoring services can’t actually stop cybercriminals from stealing your identity, but they can alert you if someone opens up a line of credit under your name.

Think about it this way, these services alert you to changes on your credit report if you can’t be bothered to check your own credit report. If that’s the case, then you may want to consider signing up and paying someone else to monitor your credit file for you, but the bottom line is that these credit monitoring services are just that—monitoring services, not protection.

If you find any unauthorized transactions involving your payment cards then immediately contact the relevant payment card company or financial institution.

Customers are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order a free credit report, you can visit or call 1-877-322-8228.


As this is an ongoing investigation, there is not much information to be had about any details that may point to a certain threat actor. The stolen data may at some point surface for sale on underground forum or dark web marketplace.

If you are wondering if the login credentials have been made publicly available, you may be able to find them at the website Have I been pwned? The same is true for other credentials. In fact, it doesn’t hurt to check your email address there every so often.

There’s no reason to be ashamed if you find your email address there, as long as you don’t use it in combination with the same password anymore. If you do, then make sure you change it as soon as you can. You can use a password manager or password book to keep track of all your different passwords.

Stay safe, everyone!

The post Neiman Marcus data breach affects millions appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Police take a piece out of a ransomware gang, but won’t say which one

Malwarebytes - Mon, 10/04/2021 - 18:11

One of the world’s ransomware groups appears to be a couple of members short today—and about two million dollars less rich—but nobody is sure which one. Police are staying tight-lipped about who’s short-handed following the arrest of two individuals in Kyiv, Ukraine. The arrests are part of a joint operation by the FBI, the French National Gendarmerie, and the Ukrainian National Police.

What little we do know comes by way of a terse Europol press release—which says that police seized $375,000 in cash, a further $1.3 million in cryptocurrencies and two “luxury vehicles”—and a press release and video by Ukrainian police.

The video shows police searching a surprisingly clean and tidy apartment. Among the usual ransomware gang paraphernalia of mobile phones, laptops, a fancy-pants computer “rig”, gaming chairs, and wads of cash, we also get a peak at some of the more surprising and mundane aspects of life as (or perhaps with) a modern day digital criminal. The video reveals enough flowers and little gift boxes to suggest it was a special day for somebody, as well as the occupants’ fondness for both Capri Sun, and brands like Louis Vuitton and Senso.

The police video suggests somebody’s special day didn’t go as well as they’d hoped

Of course what we really want to know is which ransomware group has taken a hit. There, we’re getting only crumbs from the police and guesswork from Twitter sleuths. Europol has divulged that the people arrested belong to an organised crime group “suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards.” It says the criminals “would deploy malware and steal sensitive data from these companies, before encrypting their files”, a fairly vanilla description of modern-day ransomware. It describes the people arrested as “two prolific ransomware operators known for their extortionate ransom demands (between €5 to €70 million)”.

The individuals could belong to one of the well known ransomware groups, but it’s worth remembering that lots of ransomware is operated “as a service”, by affiliates. In either case, it’s fair to say that others will be along shortly to fill the void they leave, should those arrested be required to occupy a jail cell.

Europol says it helped the joint operation with analytical, malware, forensic, and crypto-tracing support. The last item is the least surprising on the list. The modern ransomware phenomenon is entirely reliant on cryptocurrencies like Bitcoin, and many observers have identified it as ransomware’s Achilles heel.

Why? Because cryptocurrency payments are very public. While the identities of payers and payees are hidden behind pseudonymous IDs, the actual payments happen in broad daylight and are recorded forever in giant distributed databases called blockchains. If real people can be linked to those IDs, then their role in ransomware transactions can be revealed.

A few years ago, we were all fond of describing the analysis of relationships in very large databases as Big Data, and the Bitcoin blockchain is the biggest of Big Data. It contains every transaction ever made with the cryptocurrency, nothing can ever be removed from it, anyone can own a copy, and law enforcement’s ability to analyse the patterns within it improve with time, and every additional payment.

The US government has been turning up the heat on ransomware gangs this year and has been quite open about its intention to follow the money. So it won’t surprise you to learn that one of the people arrested in this recent raid is believed to be involved in money laundering. And no surprise that a similar raid against the Clop ransomware gang earlier this year that was also carried out by police in Ukraine, also in the area of Kyiv, also targeted the gang’s money laundering operation.

The post Police take a piece out of a ransomware gang, but won’t say which one appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Does Cybersecurity Awareness Month actually improve security?

Malwarebytes - Mon, 10/04/2021 - 11:04

October is Cybersecurity Awareness Month, formerly known as National Cybersecurity Awareness Month. The idea is to raise awareness about cybersecurity, and provide resources for people to feel safer and more secure online.

The month is a collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) and it focusses on four themes, in turn: “Be Cyber Smart”, “Phight the Phish”, “Explore. Experience. Share”, and “Cybersecurity First”. Some of these are perhaps a little interchangeable or vague, but it’s certainly a dedicated effort. The questions is, is anybody listening?

Cybersecurity Awareness Month is a fixture of the calendar now, as are Data Privacy Day, World Password Day, and a host of other well-intentioned privacy and security themed events. There are so many of them now, and they come around so often, that some of the Malwarebytes Labs team were feeling a little jaded about this month’s event.

So, in the spirit of the event’s first theme, “Be Cyber Smart”, we asked two of our Malwarebytes Labs blog team, Chris and Jovi, whether the smart thing to do was forgot about it altogether.

The pros and cons of awareness campaigns

Jovi: I don’t see that anyone can have a problem with events such as this. It’s good to have regular reminders about our responsibility to keep ourselves and our families safe. It’s also a good opportunity to learn something new about security and privacy.

Chris: I mean, are they really learning something new? From experience, the content in these events doesn’t tend to differ much from year to year. A lot of it is the same basic information you see on mainstream news reports, or blogs. I’ve been involved with events like this since 2005, and one time at a panel with reps from the FTC and the NYAG…

(several minutes of completely unrelated factoids from the dawn of time follow)

Jovi: …I’m surprised that didn’t end with you tying an onion to your belt.

Chris, oblivious to onions: If it was worthwhile, you’d think there’d be some tangible, visible improvement in security by this point. Or at least a bunch of people saying “Wow, that ‘event-name-goes-here’ really helped me with this one problem I had. Hooray for ‘event-name-goes-here’.

Jovi: True, but then again, not everyone sees every relevant news report or even reads blogs. Some people get a lot of their security information from sources like Twitter, direct from infosec pros. Who then end up directing them to events like this anyway. There’s always a churn of new people who haven’t seen any of this before, so I don’t think it’s a problem to repeat some of the basics every year. Not everything has to be groundbreaking. If it’s easy to understand and helpful, that’s okay too.

Chris: Possible, but I also think many people have burnout from this kind of thing. How many times can you hear a major event, backed by Homeland Security, say “watch out for suspicious links” before you start to demand something a bit more involved? Admittedly, we don’t know what specifically is going to be covered during the month itself yet. It might be a mix of basic information and more complicated processes, which would be great! Another major event saying “don’t run unknown files”, though? Do we really need that? Or is there still a place for it?

Jovi: I once again direct you to “a churn of new people who haven’t seen any of this before”.

Chris: Ouch.

Jovi: You may be right about the fatigue aspect, though. I imagine it’s likely very difficult for anyone to really care that much about a month-long event. If you’re directly involved in some way, then fine. If you’re one of the many random people it’s aimed at? I think it’s probable they simply won’t care very much by week 3.

Chris: It may also be exacerbated if the thing they really want to do or look at happens during the final week. Will they even remember to go back by the tail-end of October to check it out?

Jovi: This is where the web resources for the event will be crucial, alongside lots of activity on social media. Handy little reminders to go back and check it out will work wonders.

Chris: Might work wonders.

Jovi: Ouch.

Chris: One novel thing I’ll definitely highlight is that they’re doing a whole bit about careers in tech. This is good. Not every event does this. There’s a lot of resources available and the opportunity for security companies, researchers, and anyone else to give tips on how to break into the industry. This will be particularly helpful for students about to graduate, and people thinking about a change in career.

Jovi: I’m mostly interested in the phishing week. You can’t go wrong with phish advice, especially when so many people are still working from home and potentially isolated from their security teams.

Chris: Is that any better than any other event doing a phish week though?

Jovi: It certainly doesn’t hurt to have them. I reckon big organisations and governments saying “we’re interested in this and you should be too” ultimately helps more than it hurts. We’d definitely feel their absence.

Chris: I’ll give you that. I’m not 100% convinced these events are making as much impact as some may think. This is what, the 18th one of these now? I’d be interested to know what the organisers think about how successful they are, what difference they’ve made. Even so, you’re likely right that we’re better served by having them than not at all.

Jovi: Amazing—did we finally agree?

Chris: Yes, please inform the DHS I’ve given permission for the event to go ahead.

Jovi: I’m sure they’ll be relieved.

Chris: This somehow feels like sarcasm.

Jovi: Definitely not.

Winding down

Whether you think events like this are a big boon to security discourse or too much like repeating ourselves for diminishing returns, they’re here to stay. We can all play a part in ensuring these annual reminders stay relevant. Whether you’re flying solo at home, an organisation, a security vendor, an SME, or a collection of interested students? Get involved!

Let the organisers know what you’d most like to see—if not at this event, then perhaps the next one. If these awareness campaigns exist in a vacuum, they’ll assume they’re getting everything right. Let’s help them along to fix the bits we’re not sure about and make it work for everyone.

The post Does Cybersecurity Awareness Month actually improve security? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Sept 27 – Oct 3)

Malwarebytes - Mon, 10/04/2021 - 09:15
Last week on Malwarebytes Labs

Malwarebytes released the Demographics of Cybercrime Report.

Other cybersecurity news
  • Cambodia’s prime minister is Zoombombing opposition meetings. (Source: Rest Of World)
  • Apple ignored 3 Zero-Day iPhone attacks for months, claims researcher. (Source: Forbes)
  • When you ‘Ask app not to track,’ some iPhone apps keep snooping anyway. (Source: The Washington Post)
  • Microsoft was warned about the Autodiscover flaw five years ago. (Source: The Register)
  • Mission accomplished: Security plugin HTTPS Everywhere to be deprecated in 2022. (Source: The Daily Swig)
  • Fake Amnesty International Pegasus scanner used to infect Windows. (Source: BleepingComputer)
  • Google pushes emergency update for Chrome zero-days, the latest in a hectic year for vulnerabilities. (Source: CyberScoop)
  • Mozilla rolls out fission to a fraction of users on the release channel. (Source: Mozilla blog)
  • Paying hackers’ ransom demands is getting harder. (Source: DataCenter Knowledge)
  • Hackers bypass Coinbase 2FA to steal customer funds. (Source: The Record)

Stay safe, everyone!

The post A week in security (Sept 27 – Oct 3) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The FCC moves to curb SIM swap attacks

Malwarebytes - Fri, 10/01/2021 - 16:15

The Federal Communications Commission (FCC) is going to set new rules to curb the rising threat of SIM swapping, also known as SIMjacking.

SIM swapping (and the very similar port-out fraud) is the unlawful use of someone’s personal information to steal their phone number and swap or transfer it to another device. Once this happens, the scammer can use the device to receive calls and messages intended for the victim. SIM swapping is often used to intercept codes sent by SMS that are used in some forms of two-factor authentication (2FA).

SIM swapping is difficult to scale up into large attacks against lots of people at the same time, but it is often used to target specific, high-value individuals.

Early last year, US senators wrote a letter to the FCC urging it to do something about the rising problem of SIM swapping:

The impact of this type of fraud is large and rising. According to the Federal Trade Commission, the number of complaints about SIM swaps has increased dramatically, from 215 in 2016 to 728 through November 2019, and consumer complaints usually only reflect a small fraction of the actual number of incidents.

It went on to say that SIM swapping “may also endanger national security”:

SIM swap fraud may also endanger national security. For example, if a cyber criminal or foreign government uses a SIM swap to hack into the email account of a local public safety official, they could then leverage that access to issue emergency alerts using the federal alert and warning system operated by the Federal Emergency Management Agency.

According to its recent release, the FCC “has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud. In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.”

Currently, the proposals boil down to requiring better checks, and quicker notifications:

[The FCC] proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.”

Many are already happy upon receiving this news, vague as it is.

Great to see anti sim-swapping rules proposed. However, orgs must be given direction about secure methods of verifying identity in support — we typically see knowledge based authentication (easy to bypass, find, solicit, etc). Orgs must move to MFA instead to verify identity 1st.

— Rachel Tobac (@RachelTobac) September 30, 2021

Of course, specifics need to be laid out as so to how carriers can help potential SIM swap victims and how they generally safeguard all their users.

The post The FCC moves to curb SIM swap attacks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Apple Pay vulnerable to wireless pickpockets

Malwarebytes - Fri, 10/01/2021 - 14:19

Researchers have shown that it is possible for attackers to bypass an Apple iPhone’s lock screen to access payment services and make contactless transactions. The issue, which only applies to Apple Pay and Visa, is caused by the use of so-called magic bytes, a unique code used to unlock Apple Pay.

In the full paper, researchers from two UK universities—the University of Birmingham and the University of Surrey—show how this feature makes it possible to wirelessly pickpocket money.

The underlying issue

What happens often is that a feature designed to make our lives easier, also makes it easier for clever attackers to use that same feature against us. The vulnerability identified by the researchers is only present when Visa cards are set up using Express mode in an iPhone’s wallet. Express mode allows iPhone owners to use transit or payment cards, passes, a student ID, a car key, and more, without waking or unlocking their device, or authenticating with Face ID, Touch ID, or a passcode. The user may even be able to use their card, pass, or key when their device needs to be charged.

Transport mode

Contactless Europay, Mastercard, and Visa (EMV) payments are a fast and easy way to make payments, particularly at a time when we’re all much more wary about the hygiene of the surfaces we touch.

Normally, payments via smart-phone apps need to be confirmed by the user via a fingerprint, PIN code, or Face ID. Apple Pay elevated the EMV standard for usability, by introducing a feature that allows it to be used at a ticketing barriers (like those used to access the London underground railway network) without unlocking the phone. And Apple is not alone. Samsung has introduced the same “transport mode” feature as well.

The researchers found that Transport for London (TfL) ticket barriers broadcast a non-standard sequence of bytes—so-called “magic bytes”—which bypass the Apple Pay lock screen. Apple Pay then checks that its other requirements are met (which are different for Visa and Mastercard) and if they are it allows a payment to be performed with no user interaction. In this way it allows underground passengers to move through the barriers without stopping, in the same as they do with Oyster cards.

Taking payments

For Apple Pay Visa, the researchers were able to craft messages that resulted in fraudulent payments from a locked iPhone to any EMV shop reader, for any amount. The tests were made for payments up to £1,000 (roughly US$ 1,350). Mastercard is stricter, requiring readers to have a transit merchant code before allowing this functionality.

The researchers also found that Samsung Pay does not use magic bytes, but it was always possible to perform an EMV transaction with a locked Samsung phone. However, they also found that locked Samsung Pay would only allow a zero-value payment. Transport providers (which is only TfL right now) must have an arrangement with their banks to make good the value of the tickets. According to the researchers, “this makes it impossible to relay Samsung Pay to shop readers to buy goods, but it is still possible to relay Samsung Pay to other transport readers”.

Pointing fingers

When the attack was disclosed to Apple and Visa, Apple reportedly said that the problem was with Visa (stop us if you’ve heard this one before), and Visa said it was with Apple. Apple insisted it was up to Visa to implement additional fraud detection checks. Visa pointed out that the same problem did not exist in the Samsung Pay and Visa combination.

For now, as the academics stated, while the problems are acknowledged by both parties, who have been spoken to extensively, the issue remains unfixed. Apparently, when two industry parties each have partial blame, neither are willing to accept full responsibility. Needless to say, while nobody fixes the problem, all users are vulnerable.

It seems unlikely that transport modes will be removed from phones, so the researchers have proposed an EMV relay-resistant protocol.

Where does that leave you?

The attack has only been demonstrated in a lab and there is no evidence that criminals are currently exploiting the vulnerability.

However, if you are worried about falling victim to this type of attack, you should disable the Express Mode if you don’t need it. When you add an eligible transit card to an Apple Wallet, Express Mode is turned on by default.

Should you lose your phone or have it stolen, there is now—in theory at least—a way for thieves to extract funds from it without having to guess your passcode. To avoid that, we suggest that you inform your bank or payment provider if your phone is stolen so they can block your cards.

Stay safe, everyone!

The post Apple Pay vulnerable to wireless pickpockets appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Android Trojan GriftHorse, the gift horse you definitely should look in the mouth

Malwarebytes - Thu, 09/30/2021 - 16:01

Researchers at Zimperium have discovered an aggressive mobile premium services campaign with over 10 million victims all over the world. The stolen amount could amass hundreds of millions of Euros.

The scam was hidden behind malicious Android apps, and the researchers have named the Trojan GriftHorse. They estimate the group has been active since November 2020.


These malicious Android apps were initially distributed through both Google Play and third-party application stores. After the researchers reported the findings to Google, the malicious applications were removed from the Google Play store. However, the malicious applications are still available on third-party app stores, once again proving the potential dangers involved in sideloading applications to mobiles.

To enhance the effectiveness of the campaign, the group showed pages to users based on the geolocation of their IP address and addressed them in the local language. This social engineering trick is very successful, since users are always more comfortable sharing information on a website in their local language.

How it works

The GriftHorse Trojan subscribes unsuspecting users to paid services, charging a premium amounting to around 36 dollars per month.

Immediately after installing the malicious app, the user is bombarded with popups telling them they have won a prize and need to claim it straight away or they will miss the opportunity. When the user accepts the offer, the malware redirects them to a geo-specific website where they have to submit their phone number for “verification”.

Instead of any verification taking place, the user is actually signed up for a premium SMS service that starts charging their phone bill over €30 per month.

Applications of this kind are often referred to as fleeceware. By definition, fleeceware is a type of malware for mobile devices that comes with hidden, excessive subscription fees. These applications take advantage of users who do not know how to cancel a subscription by charging them long after they have deleted the application.


The threat actors use a few different methods to avoid detection. While some users may get suspicious by an extra charge on their phone bill, it may take others months to notice. If and when they notice they need to find out how to cancel the subscription, and there is no chance of getting their money back.

The threat actors are also very careful to avoid hard-coding URLs in the malicious apps. To create the apps they used the mobile application development framework Apache Cordova. The application displays as a web page that references HTML, CSS, JavaScript, and images. This enables developers to deploy updates to apps without requiring the user to update manually. Using this option the actors were able to let the app fetch the currently active URL that acted as a C&C server.

The criminals used over 200 different Trojan applications in the campaign which, besides avoiding detection, also allowed them to spread the distribution of the applications across multiple, varied categories, increasing the range of potential victims.

The programmers of the malicious apps follow a strict no-reuse policy to avoid detection of all the apps by vendors, who often introduce mass or generic detections by using strings that are typical for a certain malware family.


By using the geo-specific sites and the spread across multiple categories of apps, the campaign was able to ensnare mobile users from more than 70 countries. Based on the intel collected by the researchers, GriftHorse has infected over 10 million devices in the last few months.


A full list of applications and hashes can be found in the blog published by the researchers.

Malwarebytes for Android detects these apps as Android/Trojan.Spy.Joker.gfth.

Stay safe, everyone!

The post Android Trojan GriftHorse, the gift horse you definitely should look in the mouth appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Telegram-powered bots circumvent 2FA

Malwarebytes - Thu, 09/30/2021 - 11:11

Two-factor authentication is a great way to protect your online accounts, and we always recommend you turn it on. But where users put up walls, you can be sure there are cybercriminals trying to break them down.

Yesterday, security intelligence firm, Intel 147, revealed it had noticed an uptick of activity in threat actors providing access to services in Telegram that circumvent two-factor authentication (2FA) methods. These services include calling their target victims, appearing to be from their bank, and socially engineering them into handing over a one-time password (OTP)—or other verification code—to the bot operators.

Other services target “other popular social media platforms or financial services, providing email phishing and SIM swapping capabilities.”

Intel 147 has been observing these activities since June when services like these started operating.

“[They] either operate via a Telegram bot or provide support for customers via a Telegram channel,” Intel 147 wrote, “In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts.”

The two bots that are becoming criminal favorites are SMSRanger and BloodOTPbot, according to Intel 147. Another bot, SMS Buster, was mentioned, but the researchers said operating it requires more effort on the part of the threat actor.

Threat actors show off their gainz from using the SMSRanger bot in a Telegram channel (Source: Intel 147 blog) The commands threat actors can key in to use SMSRanger, which is noted to be “extremely easy to use” and has an efficiency rate of 80 percent.
(Source: Intel 147 blog)

Those looking to operate these bots are expected to shell out $300 USD monthly. For additional services on top of the bot, they need to hand over an extra $20-$100 USD more.

2FA isn’t foolproof

These 2FA threats only further highlight the problem we already know about SMS-based and phone-call-based authentication OTP methods: they have weaknesses that can be easily exploited by threat actors.

Make no mistake: using 2FA is still better than not using it. But if companies start using better authentication methods, such as Time-Based One-Time Password (TOTP) codes—e.g. Google Authenticator and Authy—or push notifications—e.g. Okta or Duo—then such bots wouldn’t be much of a problem.

What to do

If you have sent your OTP to what you now believe is a scammer, call your bank and report it. Note that this might be a new scheme that banks have never heard of, so please do your best in explaining what happened. Remember that the more people report of the same or similar instances, the more aware banks will be of the fraud attempts.

Share your experience with friends and family to raise awareness on the matter, in order to prevent them falling for the same trick.

Remember that your bank won’t call you to ask for your OTP—ever—so if you receive similar requests in the future, just hang up.

Trust us: they won’t think you’re being rude.

Stay safe!

The post Telegram-powered bots circumvent 2FA appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Vaccine passport app leaks users’ personal data

Malwarebytes - Wed, 09/29/2021 - 16:28

Security and privacy advocates may have cause to worry after all: Portpass, a vaccine passport app in Canada, has been found to have been exposing the personal data of its users for an unknown length of time.

On Monday, Canadian Broadcasting Corporation (CBC) received a tip that “the user profiles on the app’s website could be accessed by members of the public.”

CBC won’t say how or where the data was found but does say it was unencrypted and could be viewed in plain text.

The data it found included email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver’s licences and passports.

Some of the data found online (Source: CBC)

Portpass has a registered user base of 650,000 across Canada. CBC says that Portpass CEO Zakir Hussein denied the app had security issues and “accused those who raised concerns about it of breaking the law.”

CBC said Hussein repeatedly claimed the breach only lasted for minutes, even when CBC pointed out to him that it was able view the data for more than an hour. It’s unclear how long the data was exposed to the public.

“Someone that’s out there is trying to destroy us here, and we’re trying to build something good for people,” said Hussein, who seemed generally unsure of what to say. He was quoted as saying, “There’s holes, and what I’m realizing is I think there are some things that we need to fix here. And you know, we’re trying to play catch-up, I guess, and trying to figure out where these holes are.”

Portpass is easy to manipulate

Days before Portpass was notified of the breach, web developer Conrad Yeung tried Portpass out of curiosity. He said he quickly found an issue when he tried to upload not his photo ID but a photo of a random mayoral candidate in Calgary, Canada “just to see if the app would let me”.

Sure enough, Portpass allowed the upload. “It let me upload a random photo for my driver’s licence,” Yeung said.

He was able to create a fake vaccination record using an actor’s name, and Portpass verified this record to be legitimate.

Looking deeper, Yeung found that the website didn’t appear to validate security certificates, with a backend that the public can access. He also found discrepancies in Portpass’s marketing statements from what he was seeing. For example, the app claimed that it uses artificial intelligence (AI) and blockchain to verify records and keep them safe. However, Yeung said he didn’t see any traces of these at the site’s backend.

What worried Yeung more, he said, was that companies endorse the use of apps like Portpass without exercising due diligence. “You have somebody in a place of authority promoting something that is potentially unsafe and has privacy issues,” he said.

There is hesitancy in using vaccine passports

Vaccine passports—sometimes called COVID passports—are mobile apps that have been created to confirm the phone owner has received their COVID-19 vaccine. This, of course, opens doors for them to attend public events and visit other countries. While many think that this could lead to social problems like discrimination, there are also security and privacy risks, such as getting one’s data exposed. Such apps must be secure by design.

In the US, there is no government mandate on whether one should be using a vaccine app or not. But many private companies and airlines have started encouraging people to use these apps.

However, many users, especially in the US, have expressed concerns over the security of their health data when using such third-party apps. According to a survey conducted by cybersecuity firm, Panda Security, 56 percent of Americans do not trust vaccine passports. Those concerned question what type of information these apps would likely collect from them.

“Based on our survey results, we can clearly see the hesitancy many Americans have to make those records accessible to private companies, airlines and other corporations.” the report says.

I’m one of those afraid of using apps. What should I do?

Hold on to your vaccine cards and keep them safe all the time. Right now, this is your only true proof to let establishments know of your vaccine status. Don’t bring them with you every time you go out, as you would a credit card, especially when there is no need to verify your status.

A paper pass may not be the coolest thing to whip out as its not on your phone, but unless the government has endorsed an app everyone can use, you might want to rethink your plans of trying out one.

Stay safe!

The post Vaccine passport app leaks users’ personal data appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Subscribe to Furiously Eclectic People aggregator - Techie Feeds