Malwarebytes

Subscribe to Malwarebytes feed
The Security Blog From Malwarebytes
Updated: 1 week 2 days ago

Task Force delivers strategic plan to address global ransomware problem

Fri, 04/30/2021 - 19:52

The Ransomware Task Force (RTF), a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments, has recently pushed out a comprehensive and strategic plan for tackling the increasing threat and evolution of ransomware.

The report, entitled “Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force”, which you can read here [PDF]  advocates for “a unified, aggressive, comprehensive, public-private anti-ransomware campaign.”

The purpose of creating the document seems to be threefold: first, to educate the targeted reader—in this case, policy makers and industry leaders—about the dangers of ransomware; second, to call for unification amongst organizations to collectively beat the ransomware enterprise; and third, to guide organizations and governments on action items (48 in total) they can pursue to disrupt the ransomware-as-a-service (RaaS) model and extensively lessen the impact of current and future attacks.

“This is great news and sorely needed,” says Jerome Segura, Director of Threat Intelligence at Malwarebytes, in an email. “One key aspect is, of course, international cooperation (or the lack thereof) which has proven to be a key reason why many criminals from Eastern Europe can continue their business without real fear of prosecution.”

Ransomware: a threat to national security

Ransomware attacks had been popping up left and right, even before the COVID-19 pandemic threw a wrench into cybersecurity efforts of many already challenged companies and industries. Ransom demands inflated steeply through the pandemic, and the money raised appears to be being reflected in increasing innovation and sophistication.

The report quantifies the impact of a ransomware attacks with some startling statistics. According to the RTF the average ransom payment in 2020 was $312,493, an increase of 171% over the previous year. Perhaps even more costly and damaging, it puts the average time it takes to fully recover from a ransomware attack at just over nine months.

Ransomware statistics collated by the task force (Source: The RTF Report 2020)

Note that these are average numbers, which means that there are cases when organizations have dealt with much longer downtimes and paid far higher ransoms (demands go into the tens of millions) to get their businesses back up and running as quickly as possible.

Gone are the days when threat actors behind ransomware campaigns targeted organizations they thought had the means to readily cough up money to meet their demands. These past few years, ransomware gangs have become more opportunistic, perhaps comforted by the wide availability of ransom insurance. They have deliberately targeted networks and breached systems of vital infrastructure, such as hospitals, schools, local governments, and nuclear plants, knowing full well that they may be putting lives at risk.

Organizations who refuse to pay the ransom have then to deal with the data leaking that will inevitably follow; the delays caused by identifying and fixing the problems that allowed the ransomware gang into its systems; and the cost to undergo crisis management efforts and generally getting back on track as quickly as possible, while also increasing their overall cybersecurity posture. On the other hand, organizations who do pay the ransom get to spend millions of dollars, too, on top of the ransom payment and still aren’t guaranteed to get their data back, or a speedy recovery.

Ransom payments may then used to fund criminal enterprises that, for example, engage in human trafficking, terrorism, and “the proliferation of mass destruction”. But perhaps the most damaging of all is that ransomware attacks can sow doubt in the minds of the public towards public institutions.

To add salt to the wound, ransomware threat actors do this from within countries that are turning a blind eye to, or even encouraging, these cybercrime campaigns. They are safe havens where gangs know they won’t be charged, prosecuted or extradited for their actions. It is not difficult then to see why the RTF urged its audience to “raise the priority of ransomware within the intelligence community, and designate it as a national security threat” while advocating the use of “criminal prosecution and other tactics”.

Core actions organizations and governments must take

Although there are multiple steps recommended in the report, the RTF prescribes that these steps should be viewed and considered part of a bigger whole as they were each designed to complement and build on each other.

According to the report:

“The strategic framework is organized around four primary goals: to deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; to disrupt the business model and reduce criminal profits; to help organizations prepare for ransomware attacks; and to respond to ransomware attacks more effectively.”

To see the necessary impact against the ransomware enterprise, the task force stresses the importance of adopting these steps as soon as possible, with continuous coordination among the involved parties at a national and international level. (The RTF has proposed that the US government take charge in international coordination efforts with its partners.)

Among its priority recommendations, the RTF proposes that greater prioritization be given to an intelligence-driven anti-ransomware efforts; mandatory reporting of ransomware attacks and the creation of Cyber Response and Recovery funds; the development of a framework to help organizations prepare for, and respond to, ransomware attacks; and greater regulation of the cryptocurrency sector.

Among the action items to be done, these are the five most urgent, according to the Ransomware Task Force. The rest are supporting actions that strengthen or lead to the fulfillment of these five. (Source: The RTF Report 2020) About the RTF and other anti-ransomware efforts

The Institute of Security and Technology (IST) is the host organization that launched the Ransomware Task Force four months ago in December 2020. Before this, significant efforts have been made by organizations within or associated with the cybersecurity industry in combating ransomware.

In January this year, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Reduce the Risk of Ransomware Campaign where it focused on educating the public and private sectors on anti-ransomware best practices and what tools and resources to use to mitigate attacks. CISA’s one-stop page for everything one needs to know about ransomware can be found on this CISA ransomware page.

In July 2016, Europol’s European Cybercrime Centre joined forces with other law enforcement bodies and IT security companies to launch No More Ransom (NMR). Similar to the above mentioned efforts, NMR also aims to help victims recover their data without shelling out money. They do this by collating decryption tools for ransomware families, created by cybersecurity volunteers. You can learn more about No More Ransom by visiting its official website.

The post Task Force delivers strategic plan to address global ransomware problem appeared first on Malwarebytes Labs.

Categories: Techie Feeds

IoT riddled with BadAlloc vulnerabilities

Fri, 04/30/2021 - 12:05

The Cybersecurity and Infrastructure Security Agency (CISA) has published advisory ICSA-21-119-04 about vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. Those operating systems and libraries are widely used in smart, Internet-connected “things”. The number of affected devices could be enormous.

As is the fashion these days, the collection of vulnerabilities has been given a name: BadAlloc. CISA has assigned a vulnerability score of 9.8 out of a maximum of 10 for the BadAlloc vulnerabilities and has urged organizations to address these issues as soon as possible.

The vulnerabilities included in BadAlloc

BadAlloc is a large set of remote code execution (RCE) vulnerabilities found by Microsoft’s Section 52:

These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.

Section 52 is Microsoft’s Azure Defender for IoT security research group consisting of IoT/OT/ICS domain experts that reverse-engineer malware, and track ICS-specific zero-days, campaigns, and adversaries.

Where does the name BadAlloc come from?

The researchers found that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.

Heap is the name for a region of a process’ memory which is used to store dynamic variables. If these get written to the wrong place, an attacker could input malicious data, which if it is not validated, could allow an attacker to perform remote code execution, or crash the affected system.

In the programming language C++, bad_alloc is the type of the object thrown as exceptions by the allocation functions to report failure to allocate storage. So, this may have been the inspiration for the name.

Which devices are affected?

This is a long list and some of these, in turn, represent a lot of different devices:

  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0 
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-uallaoc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • Media Tek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uCOS II/uCOS III Versions 1.39.0 and prior
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1 
  • Samsung Tizen RT RTOS, versions prior 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to 4.40.00.07
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36 
  • Windriver VxWorks, prior to 7.0

Microsoft worked with all the affected vendors in collaboration with the US Department of Homeland Security (DHS) to coordinate the investigation and release of updates.

Mitigation

For now, we have not seen any indications of these vulnerabilities being exploited, but given the amount of available targets, you can be sure exploits are being sought. Unlike computers, Internet-connected devices can be difficult, or even impossible to update. Because of that, mitigating against these issues could be extremely important for years to come.

In the CISA advisory you can find a list (under 4. Mitigations) which shows the updates that are available. The agency advises users to take the following defensive measures, to minimize the risk of exploitation:

  • Apply available vendor updates.
  • Ensure that affected devices are not accessible from the Internet.
  • Minimize network exposure for all control system devices and/or systems.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required.

Microsoft provides the following mitigation advice:

…we recognize that patching IoT/OT devices can be complex. For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets, as described in the mitigations section at the end of this blog post.

Stay safe, everyone!

The post IoT riddled with BadAlloc vulnerabilities appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What is an IP address? Do I need one?

Fri, 04/30/2021 - 10:52

An IP address tells computers how to find a certain device within a computer network. An IP address is like an address label for information packets. For each network your computer is connected to, it has a unique IP address on that network. So, one device can have several IP addresses at the same time. In most home computers you may see traffic on these IP addresses:

  • 127.0.0.1 is the loopback address which is used if something on your device needs to talk to another service on the same device.
  • A home network address which is usually in a range reserved for private networks. Well known ranges for this purpose start with 10. and 192.168. which are often pre-programmed in routers whose job it is, among others, to assign IP addresses to connected devices.
  • Your IP address on the Internet, which is in most cases is assigned to you by your Internet Service Provider (ISP), and changes from time to time. You can learn your current Internet IP address by looking at this site.
What does IP stand for?

IP is short for Internet Protocol and is part of TCP/IP which is the networking software that makes it possible for your device to interact with other devices on a computer network, including the Internet. TCP/IP is actually a stack of protocols that make it possible for computers around the world to communicate without differences between languages and hardware. For a device to be able to use the Internet protocol it needs to have IP software and an IP address.

How are IP addresses written?

Most IP addresses that you see will be Internet Protocol version 4 (IPv4) addresses. These have 32 bits of information and are written in four octets of eight bits. Since we are used to working with decimal numbers, you will usually see the four octets written as four decimal numbers between 0 and 255, separated by dots. For example, at the time of writing, the computer running this website had an IP address of 130.211.198.3.

Decimal vs octal

In some cases, it might be beneficial to know the difference between the different notations.

Decimal means a number expressed in the base-ten system which is the system that we use every day that uses the ten digits 0-9, whereas octal means the number system that uses the eight digits 0-7.

Since an IP address is a 32-bit number, sometimes it makes sense to use the octal number system instead of decimal. The decimal IP address 127.0.0.1 looks like 0177.0000.0000.0001 in octal. A computer will recognize both of them as different, equally valid ways of writing the same address. Here’s why:

In decimal, numbers are written according to how many ones they have, how many tens, how many hundreds, and so on. So, the number 127 is 1 * 100, 2 * 10 and 7 * 1.

In octal, numbers are written according to how many ones they have, how many eights, how many 64s, and so on. So, the number 127 is represented as 0177, which is 0 * 128, 1 * 64, 7 * 8 and 7 * 1.

Running out of IP addresses

There are only 4,294,967,296 different combinations of four numbers between 0-255, so that is the theoretical maximum number of IPv4 addresses you could have on any one network (in reality it’s less than this because some IP address ranges are reserved).

In November 2019, the RIPE NCC (the regional Internet registry for Europe, West Asia, and the former USSR) announced that it had exhausted its pool of IPv4 addresses. This did not come as a surprise, and it didn’t mean that suddenly nobody could have an IP address—sometimes addresses can be recovered, and networks can be extended using Network Address Translation—but it demonstrated the need to implement the successor of IPv4. RIPE warned that “Without wide-scale IPv6 deployment, we risk heading into a future where the growth of our Internet is unnecessarily limited. “

IPv4 and IPv6

What is Internet protocol version 6 (IPv6) and what makes it different from IPv4? Obviously, since one of the reasons to deign IPv6 was the shortage of IPv4 addresses, there are more IPv6 addresses available. As we pointed out earlier an IPv4 address is a 32 bit number, whereas IPv6 address is a 128 bit number. IPv4 is a numeric addressing method whereas IPv6 is an alphanumeric addressing method. And where IPv4 binary bits are separated by a dot(.), the IPv6 binary bits are separated by a colon(:).

The difference in bits allows for IPv6 to multiply the number of possible IP addresses by 1028, which may not sound like much, but it gives us 340 trillion trillion trillion possible addresses!

There are technical differences between the protocols as well. We will not handle them in detail as that is outside the scope of this post, but it’s good to be aware of them:

  • IPv6 has built-in quality of service (QoS).
  • IPv6 has a built-in security layer (IPsec).
  • IPv6 eliminates the need for Network Address Translation (NAT).
  • IPv6 enables multicasting by default which means the same packet can be sent to several addresses.
IP addresses and geolocation

IP addresses are allocated on a geographic basis, so they can be used for a crude form of geolocation. An important thing to remember though, especially for all the Internet detectives out there, is that finding out an IP address does not provide you with a physical location. The result you get from looking up an IP address’s location can be wrong by hundreds of miles. The location of an IP address on a map can be very misleading as it will often point to the location of the ISP that assigned the address, or to the center of an area where similar IP addresses reside. Innocent people have been harassed, even by the police, based on misunderstanding these “maps”.

IP-based geolocation is useful for website geotargeting (showing users content based on their country or region) but it is not suitable if you want to pay someone a visit.

Aside from geolocation, there is another way to connect an IP address into a physical address: Your Internet IP address is typically allocated by your ISP, and your ISP typically knows your physical address. Anyone who can convince your ISP to give up that information, either by buying it, issuing a subpoena or by social engineering, can learn your address.

How to hide your IP address

Many people don’t like their IP address to be known or visible to the websites or services they are interacting with. There are various possible reasons for wanting to hide your IP address. As awareness of corporate surveillance and criminal hacking has grown, so have concerns about personal privacy. Many people believe that it should be their choice when and how they give up some of their privacy, and don’t want prying eyes on their normal, legitimate behavior.

A Virtual Private Network (VPN) gives you more control over the IP address and other information that is visible on the Internet. Of course, you still need an IP address when using an online service or website, or the packets will not know where to go, but the outside world can only see your VPN provider’s IP address, not the one given to you by your ISP.

By using a VPN, your packets are taking a detour. Compare it to a PO box where you can have your mail sent without providing your physical address to the sender. With the difference that you don’t have to go out and fetch it, it still gets delivered to your home by the one thing that knows your real IP address: The VPN provider that you have decided to trust.

The post What is an IP address? Do I need one? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Signal app insists it’s so private it can’t provide subpoenaed call data

Fri, 04/30/2021 - 09:29

Signal—the private, end-to-end encrypted messaging app that surged in popularity in recent months—once again reminded criminal investigators that it could not fully comply with a legal request for user records and communications because of what it asserts as a simple, unchanging fact: The records do not exist on Signal’s servers.

This is at least the second request of this kind that Signal has received in the last five years, and in the same time period, similar government demands to pry apart end-to-end encrypted communications have become commonplace. Every single time the government has tried this—from the FBI’s insistence in 2016 that Apple create new software to grant access to a device, to the introduction of the EARN IT Act in Congress last year—cybersecurity experts have pushed back.

The legal request to Signal came from the US Attorney’s Office in the Central District in California in the form of a federal grand jury subpoena. According to the subpoena, investigators sought “all subscriber information” belonging to what appeared to be six Signal users. The requested information included “user’s name, address, and date and time of account creation,” the date and time that the users downloaded Signal and when they last accessed Signal, along with the content of the messages sent and received by the accounts, described in the request as “all correspondence with users associated with the above phone numbers.”

Signal responded to the subpoena with help from lawyers from American Civil Liberties Union. According to the company’s response, Signal could only comply with two categories of information requested by the US Attorney’s Office.

“The only information Signal maintains that is responsive to the subpoena’s inquiries about particular user accounts is the time of account creation and the time of the account’s last connection to Signal servers,” wrote ACLU attorneys Brett Kauffman and Jennifer Granick. Kauffman and Granick also addressed some of the US Attorney’s Office’s questions about the physical locations of Signal’s servers and whether the technical processes of account creation and communication for Signal users in California ever leave the state of California itself.  

In a blog published this week, Signal said why it again could not comply with a subpoena for user information, explaining that, because of the app’s design, such user information never reaches their hands.

“It’s impossible to turn over data that we never had access to in the first place,” the company wrote. “Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for.”

This lacking access, while excellent for user privacy, has frustrated law enforcement for years. It is a problem that is often referred to as “going dark,” in that the communications of criminals using end-to-end encrypted messaging apps are inaccessible to any third parties, including government investigators. Former Deputy Attorney General Rod Rosenstein has referenced the “going dark” problem, as has current FBI Director Christopher Wray. Many other representatives have, as well, and each time their refrain has stayed the same: End-to-end encrypted messaging apps provide a level of security that is too extreme to allow without a way for law enforcement to break through it.

But it’s magical thinking on the government’s part.

As many cybersecurity experts have explained over literal decades, allowing third parties to access secure, end-to-end encrypted communications will, by definition, make them less secure, functioning in effect as a backdoor. And a backdoor, in and of itself, is a security vulnerability.

Signal’s efforts to publicize its grand jury subpoena are notable—these requests often come with an instruction that the recipient not disclose any details of the request, else they risk jeopardizing an ongoing criminal investigation. These are valid concerns, but so are the concerns raised by Signal, which are that, even after all this time, government agents still believe that evidence can be conjured out of thin air.

The post Signal app insists it’s so private it can’t provide subpoenaed call data appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What is Smishing? The 101 guide

Thu, 04/29/2021 - 18:51

Smishing is a valuable tool in the scammer’s armoury. You’ve likely run into it, even if you didn’t know that is its name. It doesn’t arrive by email or social media direct message, instead choosing a route directly aimed at what may be your most personal device: the mobile phone. So, what is Smishing? We’re glad you asked.

Defining a Smish

Smishing is a combination of the words “phishing” and “SMS”, to indicate phishing sent across your mobile network in the form of a text. It’s often thought of as the latest scam on the block, but it’s been popular for a few years now. The Pandemic combined with a rise in home deliveries has only increased its popularity still further.

What is a Smishing attack?

It’s a fake message sent to mobile devices, using social engineering to encourage the recipient to click a link. The difference between Smishing and Vishing, is that Vishing is fraudulent voice messages as opposed to text and links.

Common Smish attempts focus on everyday needs or requirements. Late payments, missed deliveries, bank notifications, fines, and urgent notices are prime vehicles for a smishing attack.

COVID-19 has ensured that bogus vaccination messaging is also a common Smishing technique.

Most smishing text messages attempt to direct victims to fake login screens, with the possibility of asking for payment details further on. They may use URL shortening services in an attempt to conceal overtly fake login links. Potential victims may have never seen a Smish before, and so assume anything sent via SMS is legitimate. It may also be more difficult to view the full URL on a mobile browser, which is to the phisher’s advantage.

Smishing attack examples

Offering fake discounts on bills is a popular method of smishing attack. The drawback here is that these messages aren’t typically targeted. As a result, large numbers of people without the relevant accounts will simply disregard the message. This isn’t necessarily a problem for the smisher, however. These messages are sent in bulk, and the scammer expects a small number of responses from casting a wide net. The combined ill-gotten gains from the people who do fall for it, likely more than makes up for initial outlay.

Late / delayed parcels are a huge prospect for Smishers. If you wanted to define Smishing, this would be the current-day quintessential Smish attack. With so many people at home, and so many daily purchases made online, we’re awash with cardboard. It’s very difficult to keep track of everything coming into the house. Combining well-known delivery services with fake “delivery fee” notifications is a recipe for Smishing success.

A Smishing message asking for a “shipping fee” to be paid at a bogus website

In both examples, you can see the potential for success. Pinning these two attacks around what people can gain (or indeed, lose) gives them added credibility by playing on the hopes and fears of victims.

Can we stop these attacks?

The reality of this situation is, nobody can stop Smishing 100%. However, we can certainly take some steps to significantly reduce it:

  • If it sounds too good (or too bad) to be true, it probably is. Having said that, many Smish messages sound totally innocent and aren’t trying too hard to bribe or threaten. What we’re trying to say here, is don’t assume any message from services or organisations are the real deal. If you’re being asked to do something, the very best thing you can do is contact them directly via a known method you trust. When it turns out to be a fake, you should be able to report it to them, there and then.
  • Those living somewhere with Do Not Call lists or spam reporting services, should make full use of them. Report, report, report those bogus messages and numbers. Your mobile device may already have some form of “safe” message ID enabled without you knowing. It’s tricky to give specific advice here because of the sheer difference of options available on models of phone, but the Options / Safety / Security / Privacy menus are a good place to start.
  • Never click the links, and don’t enter personal information on the websites the Smisher sends you. Avoid replying to the scam SMS too. Best case scenario, it’s not a real number and your message bounces. Worst case, you’ve confirmed you exist and they add you to spam lists and / or start harassing you further. Report, block, and move on.
Anti-Smishing efforts

It’s not just phone owners doing their bit to tackle Smishing. Organisations have been taking steps to lock this threat down for some time now. Last year, the SMS SenderID Protection Registry gave companies the ability to register and protect message headers. We have Attorney Generals warning of the dangers, and the sheer saturation by fake Royal Mail delivery fee messages has made the issue go mainstream in the UK. We can only hope Smishing’s sudden rise to fame during the pandemic leads to an equally speedy demise.

For the time being, keep a watchful eye on those text messages and treat them with the same suspicion you’d give to a random missive in your email inbox.

The post What is Smishing? The 101 guide appeared first on Malwarebytes Labs.

Categories: Techie Feeds

City fined for tracking its citizens via their phones

Thu, 04/29/2021 - 15:00

The Dutch information watchdog—the Autoriteit Persoonsgegevens (AP)—has fined the city of Enschede for € 600,000 for tracking its citizens’ movements without permission. It is the first time that a Dutch government body has been fined by the AP. The investigation was set in motion after it received a complaint about tracking.

The Autoriteit Peroonsgegevens is the Dutch supervisor that has been commissioned to keep an eye on how companies and governments process Personally Identifiable Information (PII) in the Netherlands. In other words, it guards privacy-sensitive information, and how it is handled.

What did Enschede do wrong?

The city of Enschede hired a company to keep track of how crowded its city center was. The company they hired used Wi-Fi-tracking to measure how many people were present at one time. The Wi-Fi-tracking system assigned a unique ID to each passing phone that had Wi-Fi enabled (based on each phone’s unique MAC-address), so it could count the number of these phones. Which gave them a pretty accurate idea of the number of people.

However, because this method of measurement was used over a period of years (2017-2020) which overlapped with the period that the EU’s General Data Protection Regulation (GDPR) came into effect, the AP ruled that the method that was intended for counting, had turned into something that could be used for tracking.

The AP mentioned in its ruling that since a MAC-address is a unique identifier for a device, and since mobile devices like phones and tablets are mostly personal items, they can be used to identify a person. The system in Enschede used pseudonymization for the MAC addresses, but the AP ruled that was not enough to make the data truly anonymous, as they could still be combined with other data.

The AP ruled that the privacy of regular visitors and inhabitants of the city was compromised because they could be tracked without a real necessity. This was never the intention, but the fact that Wi-Fi-tracking over a prolonged period made this possible was reason enough for the steep fine.

In its ruling, the AP was adamant about the distinction between counting and tracking and emphasized how important it is that citizens should not be followed around, intentionally or not.

Tracking data can be turned into PII

If you find the same phone often enough, data intended for counting can be turned into data suitable for tracking. And if you put in enough effort and have enough data points you can establish patterns that can be used to identify a person (when this approach is used deliberately and legitimately, it’s called “Big Data”, for good reason). For example, if the same phone checks in at a certain point at 9 AM in the morning and leaves around 5 PM in the afternoon, you can make the assumption that the owner of that phone probably works in or near that location.

And even if none of the companies collecting or accessing that data intend to use it for that purpose, they or anyone buying or stealing the data, could.

The AP has strict rules about using Wi-Fi and Bluetooth-tracking and makes it clear that it is forbidden in most cases. It describes the large numbers of data points that can be collected by such tracking as “indirectly identifiable data” because while it is pseudonymous, it can be used to track people, and can be combined with other data to unmask individuals and render PII. For example, combining Wi-Fi-tracking with CCTV footage or payment data.

Who had access to the data?

The city and two companies that were involved in the measurements had access to the raw data. One of the companies carried out the order from the city and the other maintained the hardware and processed the data. The AP held the city responsible since it was the commissioning party. The city has filed an appeal against the ruling because they do not consider the data to be PII and their sole objective was counting, not tracking.

100 other cities

The company that operated the sensors in Enschede has 100 other cities and townships among its customers. But, when asked, it stated that the data gathered with Wi-Fi-tracking was no longer saved for more than 24 hours. Which, given the original goal for gathering the data makes perfect sense.

The post City fined for tracking its citizens via their phones appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Bitcoin scammers phish for wallet recovery codes on Twitter

Wed, 04/28/2021 - 17:38

We’re no strangers to the Twitter customer support DM slide scam. This is where someone watches an organisation perform customer support on Twitter, and injects themselves into the conversation at opportune moments hoping potential victims don’t notice. This is aided by imitation accounts modelled to look like the genuine organisation’s account. The victim is typically sent to a phishing page where accounts, payment details, identities, or other things can be stolen.

We first observed the technique used on gamers back in 2014, and it eventually branched out into bank phishing. This time around, it’s being used to bag bitcoin. Shall we take a look?

Emptying your wallet

Trust Wallet is an app used to send, receive, and store Bitcoin along with other cryptocurrencies, including NFTs. With cryptocurrency being so very mainstream at the moment, it’s only natural lots of people are jumping on the bandwagon. Even those who know what they’re doing often run into trouble. I suspect the newcomers to the field are experiencing all manner of issues daily. This is a perfect storm of confused users and scammers lying in wait.

Take note of what the official TrustWalletApp account says, in relation to keeping your coins safe:

First rule of Crypto:
"Never give out your Recovery Phrase"

Second rule of Crypto:
"Never give out your Recovery Phrase."

Third rule of Crypto:
"Someone asks for your Recovery Phrase, remember the first and second rule."

Read on:https://t.co/yAroWY8Y00 pic.twitter.com/CHHizixhxL

— Trust – Crypto Wallet (@TrustWalletApp) April 22, 2021

They are emphatic about keeping the recovery phrase safe. This is a method to regain access to a wallet, made up of 12 words. Whoever possesses the phrase, holds the keys to the kingdom (or at least, your wallet). If your coins have a lot of value attached, it would clearly be disastrous to lose access.

This is where our tale begins in earnest, in the replies to that tweet.

Oh no, my coins!

An individual claims they had their coins stolen, but managed to regain them.

Thank God I finally got all my stolen coin and money back!

I can now rest my head.

So far, so good. Further down, however, it all goes a bit wrong. Just a few replies down, they say this:

I lost all my money and coins my wallet last week, until I contacted their support page and they helped me rectify and resolved it, I think if you have any of this problem you should write to them too at [URL removed]

The link (powered by a DIY survey creator, where anybody can make whatever batch of questions they want) does exactly what TrustWalletApp says not to do: asks for the 12 word recovery phrase.

A fake support form on a popular survey site asks users to break “The first rule of Crypto” A fake support form in a Google Doc asks users to break “The first rule of Crypto” A swarm of bad tidings

The scam isn’t being spread by just one account, nor is there just one bogus support form. Multiple Twitter profiles lurk in the replies of anyone having a bad cryptocoin experience. One even claims to be the “Trust Wallet Team”, and does nothing but spam links to a Google Doc. The accounts are most likely set up to autorespond to anybody sending messages to the TrustWalletApp account, especially if it looks like they need assistance. No fewer than 19 responses were sent in one day from one account, and given the ever-fluctuating cryptocurrency values, just one bite could result in a decently-sized payday for the scammers.

Scammers attempt to lure struggling cryptocoin owners into breaking the “First rule of Crypto”

This is a low maintenance attack, which brings potentially high gains. It’s very common, to the extent that one of the accounts sending bogus Google Doc links does so to the person, or bot, we originally saw firing out bad links!

What can you do to keep your coins secure?

This isn’t just imitation organisation accounts dropping themselves into support chats. We also have lots of random, non-imitation accounts trying the same tactic. As a result, “regular account” doesn’t necessarily mean they’re being helpful. The kindness of strangers is often very helpful, but never take anything for granted. Cryptocurrency is in a bit of a modern-day gold rush at the moment, and people will do absolutely anything to get their hands on it.

Legitimate companies are unlikely to be performing technical support via Google Docs or survey sites, so avoid links that attempt to do that. Most importantly though, as per the Trust Wallet team themselves: never send anybody your 12 word recovery phrase. Not even Trust Wallet. Ever.

Passwords, pass codes, pass phrases, pass-whatevers are meant to be secrets, and they aren’t secrets if you tell somebody else. No company worth bothering with will ever ask for your password so don’t give them out. It’s the surest way imaginable to lose control of an account. And, because of the way that cryptocurrencies work, once the scammers have your wallet, it’s theirs. You almost certainly won’t be able to recover it.

That’s one promise you can take to the crypto-bank.

The post Bitcoin scammers phish for wallet recovery codes on Twitter appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Watch out! Android Flubot spyware is spreading fast

Wed, 04/28/2021 - 17:06

Using a proven method of text messages about missed deliveries, an old player on the Android malware stage has returned for an encore. This time it seems to be very active, especially in the UK where Android users are being targeted by text messages containing a link to a particularly nasty piece of spyware called Flubot.

Warning from the National Cyber Security Centre

On its website, the National Cyber Security Centre (NCSC) warns about the spyware that is installed after a victim receives a text message that asks them to install a tracking app, because of a missed package delivery. The tracking app is in fact spyware that steals passwords and other sensitive data. It will also access contact details and send out additional text messages in order to further the spread of the spyware.

Network providers join in

Apparently, the problem is so massive that even network providers have noticed the problem and some of them, including Three and Vodafone have also issued warnings to users over the text message attacks.

Three urges victims that have installed the spyware:

You should be advised that your contacts, SMS messages and online banking details (if present) may have been accessed and that these may now be under the control of the fraudster.

It goes on to tell victims that a factory reset is needed or you will run the risk of exposure to a fraudster accessing your personal data.

Branding of the text messages

Most of the reported messages pretend to be coming from DHL.

DHL example

But users have also reported Royal Mail and Amazon as the “senders.” Readers should be aware that it isn’t enough to simply watch out for messages from one or two senders though. If the campaign proves successful for the criminals running it, it will evolve and change over time and they will likely try other tactics.

History of Flubot

These types of smishing (SMS phishing) attacks are on the rise the last few years. Previously, Flubot has been noticed operating a fake FedEx website targeting Android users in Germany, Poland, and Hungary in basically the same way. By sending text messages with a parcel tracking URL that led to malware downloads. Initially they operated in Spain (with Correos Express as the sender), until some arrests were made there which slowed the operation down for a while. It would not come as a surprise if the continued success will lead the Flubot operators to target the US next.

Infection details

Malwarebytes for Android detects the several Flubot variants as Android/Trojan.Bank.Acecard, Android/Trojan.BankBot, or Android/Trojan.Spy.Agent.

As we pointed out the initial attack vector is a text message with a link that downloads the malware. The package names often include com.tencent and have the delivery service’s logo as the icon. During the install the malware will show you misleading prompts to get installed and acquire the permissions it needs to perform the actions it needs. These permissions allow it to:

  • Send messages to your contacts
  • Act as spyware and steal information

Depending on the variant, Flubot can also:

Don’t click!

Unless you know exactly what to look for to determine whether a message is actually coming from the claimed sender, it is better not to click on links in unsolicited text messages. Which is always solid advice, but when you are actually expecting a parcel, the message may not count as unsolicited in your mind.

Our first impulse is often to click and find out what’s up. At the very least, we should stop and ask if the message and the URL stand up to scrutiny. If you think the message is genuine, it is still best not to click on the link, but instead search for the vendor’s website and look for its parcel tracker.

If you did not click the link, simply remove the message from your device so you do not click it by accident in the future.

If you have clicked the link but then stopped because you were suspicious of the fact that it initiated a download, well done. You stopped in time.

If you did download the malware, scan your device with a legitimate Android anti-malware app. If it can’t disinfect your phone, you will need to perform a factory reset to remove it. If you do this, there is a possibility you will lose more than just the malware, unless you have made backups.

You should also change any passwords you stored on the device, and any you entered on the device after the infection began, because they may have been compromised by the spyware.

Finally, if you used the device for online banking, check your bank balances and contact your bank so that they can stop or correct any fraud that results.

Stay safe, everyone!

The post Watch out! Android Flubot spyware is spreading fast appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Ransomware group threatens to leak information about police informants

Wed, 04/28/2021 - 10:16

UPDATE 12:12 PM Pacific Time, April 28: As of at least 9:40 AM Pacific Time, the Babuk ransomware gang removed any reference to the allegedly stolen DC Police Department data from its data leak website. This does not indicate with any certainty that the DC Police Department paid Babuk, but it is rare for a ransomware group to remove data without first receiving payment.

A screenshot captured by a Malwarebytes researcher is shown below, with no reference to the DC Police Department hack.

The Babuk ransomware group’s data leak website no longer shows any reference to the DC Police Department data hack. Credit: Malwarebytes

Original story below:

One day after a ransomware group shared hacked data that allegedly belonged to the Washington, D.C. Police Department online, the police force for the nation’s capital confirmed it had been breached.

“We are aware of unauthorized access on our server,” the Metropolitan Police Department—the official title of the DC police—said on Tuesday. “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”

But as the DC police sort out the attack, they’re working against the clock—the cyberattackers threatened to share information on police informants with criminal gangs in just three days, threatening the safety of those informants and the stability of related criminal investigations.

The attack represents the latest example in two growing trends, in which cybercriminals have increasingly targeted government agencies since the start of 2021, and in which ransomware operators are exchanging their bread-and-butter tactics—which include encrypting a victim’s files and then demanding a payment to unlock those files—with new threats to publish sensitive data.

Claiming responsibility for the DC police cyberattack is the ransomware gang Babuk. On Monday, the group said on a dark web data leak site that it had stolen 250 GB of data from the DC police, and it posted several screenshots as proof. According to Bleeping Computer, which viewed the images, the screenshots included folder names that related to “operations, disciplinary records, and files related to gang members and ‘crews’ operating in DC.”  

Bleeping Computer also shared Babuk’s threat that was made to the DC police:

“Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon.” 

The ransomware group also warned that one of the files in its possession could be related to arrests made following the January 6 insurrection against the US Capitol.

The attack, while severe, is part of an increasingly commonplace trend. According to the New York Times, this is the third police department hit by cybercriminals in just three weeks. Further, since the start of 2021, 26 government agencies have been victims of ransomware attacks, and 16 of those agencies were specifically hit with threats to publish sensitive data.

These attacks follow what Malwarebytes has called a “double extortion” model, in which ransomware operators hit the same target two times over—not only locking a victim’s files, which will cost money to decrypt, but also stealing sensitive data, which will also cost money to keep private.

The double extortion model is relatively new, but it is already popular.

According to a March analysis from the cybersecurity company F-Secure, nearly 40 percent of the ransomware families discovered in 2020, as well as several older families, demonstrated data exfiltration capabilities by year’s end. And almost half of those families used those capabilities in the wild. Further, as we learned in the Malwarebytes State of Malware 2021 report, the double extortion model has proved to be surprisingly lucrative: One ransomware group pulled in $100 million in 2019 without pressing victims to unlock encrypted files.

That Babuk—which was discovered by Bleeping Computer just months ago—has already incorporated the double extortion model likely means that this threat will not be going away any time soon.

The post Ransomware group threatens to leak information about police informants appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Password manager hijacked to deliver malware in supply chain attack

Tue, 04/27/2021 - 09:36

In the latest example of a supply chain attack, cybercriminals delivered malware to customers of the business password manager Passwordstate by breaching its developer’s networks and then deploying a fraudulent update last week, said Passwordstate’s maker, Click Studios.

Though the number of infected computers is currently unknown, Click Studios said in an April 24 advisory that the victim count “appears to be very low.” That estimate may increase though, said Click Studios, as it continues to investigate. According to the company, its password manager is used by more than 29,000 customers across the industries of banking, retail, manufacturing, education, healthcare, government, aerospace, and more.

The attack lasted just 28 hours, Click Studios said, from April 20, 8:33 PM UTC to April 22, 0:30 AM UTC. Only the customers who initiated an update between those hours are at risk.

As to how the cybercriminals breached the company, Click Studios only said that “a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality.” Click Studios said the “initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au,” which regularly points Passwordstate’s in-place upgrade function to approved software versions loaded onto Click Studios’ Content Distribution Network, or CDN. By compromising the in-place upgrade functionality, the cybercriminals were able to point users to their own CDN, which carried the malware.

The malware—currently referred to as Moserpass—stole system information and Passwordstate data and then delivered it back to the servers that were controlled by the cybercriminals responsible for the attack.  

That data included computer name, username, domain name, current process name, current process ID, and several fields from a customer’s Passwordstate account, including title, username, description, notes, URL, and password. Data for certain “generic field” entries was also delivered, but Click Studios said that users who chose to encrypt that data averted the malware’s data harvesting and delivery capabilities.

Click Studios also clarified in its April 24 advisory that, “although the encryption key and database connection string are used to process data via hooking into the Passwordstate Service process, there is no evidence of encryption keys or database connection strings being posted to the bad actor CDN.”

According to Bleeping Computer, the CDN servers used in the attack are no longer active.

The Passwordstate attack is the latest example of a re-emerging cyberthreat that saw great attention back in 2013 when the US retailer Target suffered an enormous data breach that compromised the payment information of 41 million customers. That attack, which resulted in an $18.5 million settlement, began with an attack on the company’s HVAC vendor. Four years later, cybercriminals again relied on a supply chain attack to breach Equifax, and just two years after that, the SolarWinds supply chain attack rattled the entire cybersecurity industry.

These attacks are difficult to catch, and for an attack like the one that targeted Passwordstate, they pose a significant threat to cybersecurity overall, as users and businesses could begin to question the legitimacy of regular software updates.

For Passwordstate’s customers who did install the fraudulent update, Click Studios advised to contact the company’s customer support, and, following specific instructions, to begin resetting all passwords saved in Passwordstate.

The post Password manager hijacked to deliver malware in supply chain attack appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Zoom deepfaker fools politicians…twice

Mon, 04/26/2021 - 17:21

We recently said deepfakes “remain the weapon of choice for malign interference campaigns, troll farms, revenge porn, and occasionally humorous celebrity face-swaps”. Skepticism that these techniques would work on a grand scale such as an election, remains in place. In the realm of malign interference and smaller scale antics, however, deepfakes continue to forge new ground.

It’s one thing to pretend to be anonymous law enforcement operatives at the other end of a web call, with no deepfake involvement. It’s quite another to deepfake the aide of a jailed Russian opposition leader.

Zooming into deepfake territory

Multiple groups of MPs were recently tricked into thinking they were talking to Leonid Volkov, a Russian politician and chief of staff to Alexei Navalny’s 2018 presidential election campaign. Instead, Dutch and Estonian MPs at different meetings were presented with an entirely fictitious entity forged in the deepfake fires. From looking at the various reports on these incidents, we’re not entirely sure if fake Leonid responded to questions or stuck to a pre-written script. We also don’t know if the culprits faked his voice, or spliced real snippets to form sentences. Based on this report, it appears the Zoom call was conversational, but details are sparse. The aim of the game was most likely to have MPs say they want to support Russian opposition with lots of money. 

How did this happen?

It appears basic security practices were not followed. Nobody verified it was him beforehand. His email wasn’t pinged, nobody said “Hey there…” on social media. This is rather incredible, considering people doing an Ask Me Anything on Reddit will hold up a “Hi Reddit, it’s me” note as a bare minimum. With such a non-existent security procedure in place, disaster is sure to follow.

One wonders, given the absence of contact with the real Leonid, how fake Leonid had the Zoom sessions arranged in the first place. Can anyone arrange a call with a room of MPs if they claim to be somebody else? Do online meetings regularly take place with no effort to ensure everyone involved is legitimate? This all seems a little bit peculiar and faintly worrying.

Locking down deepfakes: in it for the long haul

Outside the realm of verification-free Zoom calls with parliamentarians, more moves are afoot to detect deepfakes. SONY has stepped into a battleground already populated by DIY tools and researchers trying to fight fakery online. Elsewhere, we have AI generated maps. While this sounds scary, it’s not something we should be panicking over just yet.

Deepfakes continue to become more embedded in public consciousness which can only help raise awareness of the subject. You want some Young Adult fiction about deepfakes? Sure you do! Actors helping to popularise the concept of fake video as something to be expected? Absolutely. Wherever you turn…there it is.

Low-level noise and quiet misdirection

For now, malign interference campaigns and small-scale shenanigans are the continued order of the day. It’s never been more important to take some steps to verify your web-based conversationalists. Whether an AI-generated deepfake or someone with a really convincing wig and fake voice, politicians need to enact some basic verification routines.

The real worry here is that if they fell for this, who knows what else slipped by them via email, social media, or even plain old phonecalls. We have to hope that whatever verification systems are in place for alternate methods of communication among politicians are significantly better than the above.

The post Zoom deepfaker fools politicians…twice appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Breaking free from the VirusTotal silo: Lock and Code S02E07

Mon, 04/26/2021 - 14:51

This week on Lock and Code, we speak to Malwarebytes Chief Information Security Officer John Donovan about the flaws in using VirusTotal as the one source of truth when evaluating whether or not a cybersecurity tool actually works. It’s a practice that is surprisingly common.

Weeks ago, Malwarebytes Labs released the SMB Cybersecurity Trust & Confidence Report, which revealed that the majority of small- to medium-sized businesses that we surveyed were taking proactive measures to test whether their endpoint protection was catching all the right—or wrong—stuff. We found that of those who did evaluate their endpoint protection tools, a hefty 58 percent did so strictly by using VirusTotal.

Now, VirusTotal is a massive online resource that countless cybersecurity researchers likely rely on every day. But it shouldn’t be the only tool that security teams rely on, because VirusTotal has some gaps. In fact, all the evaluation methods that respondents told us about in our survey are far from perfect, and they might lead to uninformed conclusions.

If endpoint detection tools are supposed to stop an attack before it happens, what good is evaluating it with an incomplete tool? It puts too much at risk. And that isn’t even mentioning the potential privacy threats involved.

“If you get a file that says ‘This looks like there’s a virus in it,’ be careful with what you’re uploading,” Donovan said. “If you take something that is a confidential memo that flagged your antivirus, you may want to figure out how to look at that somewhere differently rather than putting that up in VirusTotal”

Tune in to learn about the smartest ways to test and implement endpoint protection into your small- to medium-sized business, and how to finally break free from the VirusTotal silo, on the latest episode of Lock and Code, with host David Ruiz.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Breaking free from the VirusTotal silo: Lock and Code S02E07 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

11-13 year old girls most likely to be targeted by online predators

Mon, 04/26/2021 - 11:35

The Internet Watch Foundation (IWF), a not-for-profit organization in England whose mission is “to eliminate child sexual abuse imagery online”, has recently released its analysis of online predator victimology and the nature of sexual abuse media that is currently prevalent online. The scope of the report covered the whole of 2020.

IWF annual report: what the numbers reveal

The IWF assessed nearly 300,000 reports in 2020, wherein a little more than half of these—153,383—were confirmed pages containing material depicting child sexual abuse. Compared to their 2019 numbers, there was a 16 percent increase of pages hosting such imagery or being used to share.

From these confirmed reports, the IWF were able to establish the following trends:

The majority of child victims are female. There has been an increase in the number of female child victims since 2019. In 2020, the IWF has noted that 93 percent of the child sexual abuse material (CSAM) they assessed involved at least one (1) female child. That’s a 15 percent increase compared to numbers in 2019.

Females dominate the victimization type in online child abuse imagery. On the other hand, imagery involving males has significantly decreased since 2019, from 17 percent to 3 percent. (Source: IWF Annual Report 2020)

Online predators are after children ages 11-13. The IWF counted a total of 245,280 hashes—unique codes representing different pictures, videos or other CSAM—the majority of which involve females, where a child victim is 11-13 years of age. This is followed by children aged 7 to 10 years of age.

These hash statistics show a clear trend: a great majority of predators are after imagery of children aged 7 to 13. (Source: IWF Annual Report 2020)

To learn more about the IWF Hash List, watch this YouTube video.

Tink Palmer, CEO of the Marie Collins Foundation, a charity group that helps child victims and their families to recover from sexual abuse involving technology, told the IWF why online predators gravitate within these age groups.

“In many cases it is pre-pubescent children who are being targeted. They are less accomplished in their social, emotional and psychological development. They listen to grown-ups without questioning them, whereas teenagers are more likely to push back against what an adult tells them.”

Age breakdown of child sexual abuse graph, which further supports this trend against 11 – 13 year old girls. (Source: IWF Annual Report 2020)

Self-generated child sexual abuse content are on an uptick. 44 percent of images and videos analyzed by IWF in 2020 are classed as “self-generated” child sexual abuse content. This is a 77 percent increase from 2019 (wherein they received 38,400 reports) to 2020 (wherein they received 68,000 reports).

“Self-generated” content means that the child victims themselves created the media that online predators propagate within and beyond certain internet platforms. Such content is created with the use of either smartphones or webcams, predominantly by 11 to 13 year old girls within their home (usually, their bedroom) and created during periods of COVID-19 lockdowns.

Content concerning the use of webcams are often produced using an online service with a live streaming feature, such as Omegle.

Statistics on self-generated abuse vs contact sexual abuse among female children who are aged 11 to 13 years old (Source: IWF Annual Report 2020)

Europe is found hosting almost all child sexual abuse URLs. The IWF has identified that 90% of the URLs it analyzed and confirmed to house CSAM were hosted in Europe, in which they also included Russia and Turkey. Among all countries in Europe, the Netherlands is the prime location for hosting CSAM, a constant that the IWF has seen through the years.

Due to lower cost of web hosting, 77% of CSAM are physically hosted on servers in the Netherlands. (Source: IWF Annual Report 2020) Shutting the door on child sexual abusers

The IWF report highlights a worrying trend on child victimology and gives us an idea that online predators not only groom their targets but also coerce and bully them to do their bidding. And child predators usually frequent platforms that a lot of teenage girls use.

Sadly, there is no single measure or piece of technology that can solve the problem of child exploitation. The best protection for children is effective parenting, and the IWF urges parents and guardians to T.A.L.K. to their children. T.A.L.K. is a list of comprehensive and actionable steps parents and/or carers can take to help guide their children through a safer online journey as they grow up.

T.A.L.K. stands for:

* Talk to your child about online sexual abuse. Start the conversation – and listen to their concerns.

* Agree ground rules about the way you use technology as a family.

* Learn about the platforms and apps your child loves. Take an interest in their online life.

* Know how to use tools, apps and settings that can help to keep your child safe online.

If images or videos of your child have been shared online, it’s important for parents not to blame the child. Instead, reassure them and offer support. Lastly, make a report to the police about these images or videos, IWF, Childline, or your local equivalent.

“Don’t be shy. You look so pretty in your picture, Evie. Just wanna see what you’ve got under there. Just for me.”

The post 11-13 year old girls most likely to be targeted by online predators appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (April 19 – 25)

Mon, 04/26/2021 - 10:31

Last week on Malwarebytes Labs, we interviewed Youssef Sammouda, a 21-year-old bug bounty hunter who is focused on finding vulnerabilities on Facebook.

We looked into the CodeCov supply-chain attack, the vulnerabilities in Pulse Secure VPN that are being actively exploited by attackers, and the discovery of SUPERNOVA malware found on a SolarWinds Orion server.

We also featured technology, particularly facial recognition, used by the FBI to identify one of the Capitol rioters several months after it happened; we covered news about a FIN7 sysadmin being indicted for 10 years for “billions in damage”; and the calling out of EU’s proposed ban on the use of artificial intelligence, because it doesn’t deal with its potential for high abuse. Lastly, we have provided a comprehensive guide on how to pick the best VPN for you, whether you stream, play video games, or torrent.

Other cybersecurity news

Stay safe!

The post A week in security (April 19 – 25) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

SUPERNOVA malware discovered on SolarWinds Orion server

Fri, 04/23/2021 - 14:00

The Cybersecurity and Infrastructure Security Agency (CISA) has reported finding the SUPERNOVA web shell collecting credentials on a SolarWinds Orion server. These observations were made during an incident response to an Advanced Persistent Threat (APT) actor’s year-long compromise of an enterprise network. In its analysis, the organization warns that this threat actor behind the compromise “targeted multiple entities in the same period”.

NOT part of the SolarWinds attack

The SUPERNOVA web shell is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds Orion monitoring product. So, SUPERNOVA is placed by a lateral movement inside a network and not considered as a part of the SolarWinds supply chain attack. The threat actors are believed to be different from the ones behind the infamous supply chain attack.

Pulse Secure VPN

CISA found that the attacker(s) had access to the enterprise’s network for nearly a year, between March 2020 and February 2021. According to its investigation, the threat actor connected to the entity’s network via a Pulse Secure Virtual Private Network (VPN) appliance. CISA reports that it “does not know how the threat actor initially obtained these credentials” but, by coincidence, just two days ago we detailed multiple Pulse Secure vulnerabilities that are being actively exploited in the wild, and which could leverage such an attack.

The attacker(s) authenticated to the VPN appliance through several user accounts that did not have multi-factor authentication (MFA) enabled and were able to masquerade as legitimate teleworking employees.

From there they moved laterally to its SolarWinds Orion server to establish a backdoor that would allow them to persist, so they could connect even if their initial point of entry was closed.

Web shells

Web shells are usually small scripts that act as a backdoor or a first point of entry for an attacker. A minimal web shell can be as simple as this:

<?=`$_GET[1]`?>

A shell like this will site on a compromised server and simply execute whatever command an attacker sends it via a web URL. The SUPERNOVA web shell is more sophisticated, and written in .NET rather than PHP, but it is essentially no different.

It is initially installed by a PowerShell script and hides in a malicious version of the SolarWinds Orion Web Application module. It enables remote injection of C# source code into a web portal provided by the SolarWinds software suite. The injected code is compiled and directly executed in memory.

Harvesting credentials

The goal of the operation looks to have been to gather even more credentials. CISA reports that the threat actor was able to dump credentials from the SolarWinds appliance via two methods:

  • Cached credentials used by the SolarWinds appliance server and network monitoring.
  • By dumping Local Security Authority Subsystem Service (LSASS) memory.

The cached credentials are normally protected by encryption unless they are marked as exportable. So, either the threat actor was able to change or bypass that property, or the victim mistakenly marked the private key certificate as exportable.

The attacker put a renamed copy of procdump.exe on the SolarWinds Orion server to dump the LSASS memory. The credentials were then dumped into a text file and exfiltrated by an HTTP request.

CVE-2020-10148

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). CISA believes that a vulnerability listed as CVE-2020-10148 was used to bypass the authentication to the SolarWinds appliance.

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

Bypassing the authentication would have enabled them to run commands with the same privileges the SolarWinds appliance was running, which was SYSTEM in this case.

Recommendations

Based on findings done during the ongoing investigation CISA recommends all organizations implement the following practices to strengthen the security posture of their organization’s systems:

  • Check for common executables executing with the hash of another process
  • Implement MFA, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Implement Local Administrator Password Solution (LAPS).
  • Implement the principle of least privilege on data access.
  • Secure Remote Desktop Protocol (RDP) and other remote access solutions using MFA and “jump boxes” for access.
  • Deploy and maintain endpoint defense tools on all endpoints.
  • Ensure all software is up to date.
  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on organization workstations that is configured to deny unsolicited connection requests.
  • Disable unnecessary services on organization workstations and servers.

It also urges users of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 to to review Emergency Directive ED 21-01 and associated guidance for recommendations on operating the SolarWinds Orion platform. US federal agencies are required to comply with these directives.

Stay safe, everyone!

The post SUPERNOVA malware discovered on SolarWinds Orion server appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Artificial Intelligence ban slammed for failing to address “vast abuse potential”

Fri, 04/23/2021 - 11:34

A written proposal to ban several uses of artificial intelligence (AI) and to place new oversight on other “high-risk” AI applications—published by the European Commission this week—met fierce opposition from several digital rights advocates in Europe.

Portrayed as a missed opportunity by privacy experts, the EU Commission’s proposal bans four broad applications of AI, but it includes several loopholes that could lead to abuse, and it fails to include a mechanism to add other AI applications to the ban list. It deems certain types of AI applications as “high-risk”—meaning their developers will need to abide by certain restrictions—but some of those same applications were specifically called out by many digital rights groups earlier this year as “incompatible with a democratic society.” It creates new government authorities, but the responsibilities of those authorities may overlap with separate authorities devoted to overall data protection.

Most upsetting to digital rights experts, it appears, is that the 107-page document (not including the necessary annexes) offers only glancing restrictions on biometric surveillance, like facial recognition software.

“The EU’s proposal falls far short of what is needed to mitigate the vast abuse potential of technologies like facial recognition systems,” said Rasha Abdul Rahim, Director of Amnesty Tech for Amnesty International. “Under the proposed ban, police will still be able to use non-live facial recognition software with CCTV cameras to track our every move, scraping images from social media accounts without people’s consent.”

AI bans

Released on April 21, the AI ban proposal is the product of years of work, dating back to 2018, when the European Commission and the European Union’s Member States agreed to draft AI policies and regulations. According to the European Commission, the plan is meant to not just place restrictions on certain AI uses, but to also allow for innovation and competition in AI development.

“The global leadership of Europe in adopting the latest technologies, seizing the benefits and promoting the development of human-centric, sustainable, secure, inclusive and trustworthy artificial intelligence (AI) depends on the ability of the European Union (EU) to accelerate, act and align AI policy priorities and investments,” the European Commission wrote in its Coordinated Plan on Artificial Intelligence.

The proposal includes a few core segments.

The proposal would ban, with some exceptions, four broad uses of AI. Two of those banned uses include the use of AI to distort a person’s behavior in a way that could cause harm to that person or another person; one of those two areas focuses on the use of AI to exploit a person or group’s “age, physical or mental disability.”

The proposal’s third ban targets the use of AI to create so-called social credit scores that could result in unjust treatment, a concern that lies somewhere between the haphazard systems implemented in some regions of China and the dystopic anthology series Black Mirror.

According to the proposal, the use of AI to evaluate or classify the “trustworthiness” of a person would not be allowed if those evaluations led to detrimental or unfavorable treatment in “social contexts which are unrelated to the contexts in which the data was originally generated or collected,” or treatment that is “unjustified or disproportionate to their social behavior or its gravity.”

The proposal’s final AI ban would be against “’real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement,” which means police could not use tools like facial recognition in real-time at public events, with some exceptions.

Those exceptions include the “targeted search” for “specific” potential victims of crime, including missing children, and the prevention of “specific, substantial, and imminent threat to the life or physical safety of natural persons, or of a terrorist attack.” Law enforcement could also use real-time facial recognition tools to detect, locate, identify, or prosecute a “perpetrator or suspect” of a crime of a certain severity.

According to Matthew Mahmoudi, a researcher and adviser for Amnesty Tech, these exceptions are too broad, as they could still allow for many abuses against certain communities. For instance, the exception that would allow for real-time facial recognition to be used “on people suspected of illegally entering or living in a EU member state… will undoubtedly be weaponised against migrants and refugees,” Mahmoudi said.

Aside from the proposal’s exceptions, it is the bans themselves that appear quite limited when compared to what is happening in the real world today.

As an example, the proposal does not ban post-fact facial recognition by law enforcement, in which officers could collect video imagery after a public event and run facial recognition software on that video from the comfort of their stations. Though the EU Commission’s proposal of course applies to Europe, this type of practice is already rampant within the United States, where police departments have lapped up the offerings of Clearview AI, the facial recognition company with an origin story that includes coordination with far-right extremists.

The problem is severe. As uncovered in a Buzzfeed investigation this year:

“According to reporting and data reviewed by BuzzFeed News, more than 7,000 individuals from nearly 2,000 public agencies nationwide have used Clearview AI to search through millions of Americans’ faces, looking for people, including Black Lives Matter protesters, Capitol insurrectionists, petty criminals, and their own friends and family members.”

Buzzfeed found similar police activity in Australia last year, and on the very same day that the EU Commission released its proposal, Malwarebytes Labs covered a story about the FBI using facial recognition to identify a rioter at the US Capitol on January 6.

This type of activity is thriving across the world. Digital rights experts believe now is the best chance the world has to stamp it out.

But what isn’t banned by the proposal isn’t necessarily unrestricted. In fact, the proposal simply creates new restrictions based on other types of activities it deems “high-risk.”

High-risk AI and oversight

The next segment of the proposal places restrictions on “high-risk” AI applications. These uses of AI would not be banned outright but would instead be subject to certain oversight and compliance, much of which would be performed by the AI’s developers.

According to the proposal, “high-risk” AI would fall into the following eight, broad categories:

  • Biometric identification and categorization of natural persons
  • Management and operation of critical infrastructure
  • Education and vocational training
  • Employment, workers management, and access to self-employment
  • Access to and enjoyment of essential private services and public services and benefits
  • Law enforcement
  • Migration, asylum, and border control management
  • Administration of justice and democratic processes

The proposal clarifies which types of AI applications would be considered high-risk in each of the given categories. For instance, not every single type of AI used in education and vocational training would be considered high-risk, but those that do qualify would be systems “intended to be used for the purpose of determining access or assigning natural persons to educational and vocational training institutions.” Similarly, AI systems used for employment recruiting—particularly those used to advertise open positions, screen applications, and evaluate candidates—would be classified as high-risk under the broader category of AI for employment, workers management, and access to self-employment.

Here, again, the proposal angered privacy experts.

In January of this year, 61 civil rights groups sent an open letter to the European Commission, asking that certain applications of AI be considered “red lines” that should not be crossed. The groups, which included Access Now, Electronic Privacy Information Center, and Privacy International, wrote to “call attention to specific (but non-exhaustive) examples of uses that are incompatible with a democratic society and must be prohibited or legally restricted in the AI legislation.”

Of the five areas called out as too dangerous to permit, at least three are considered as “high-risk” by the European Commission’s proposal, including the use of AI for migration management, for criminal justice, and for pre-predictive policing.

The problem, according to the group Access Now, is that the proposal’s current restrictions for high-risk AI would do little to actually protect people who are subject to those high-risk systems.

Per the proposal, developers of these high-risk AI systems would need to comply with several self-imposed rules. They would need to establish and implement a “risk management system” that identifies foreseeable risks. They would need to draft up and keep up to date their “technical documentation.” They would need to design their systems to implement automatic record-keeping, ensure transparency, and allow for human oversight.

According to the European Digital Rights (EDRi) association, these rules put too much burden on the developers of the tools themselves.

“The majority of requirements in the proposal naively rely on AI developers to implement technical solutions to complex social issues, which are likely self-assessed by the companies themselves,” the group wrote. “In this way, the proposal enables a profitable market of unjust AI to be used for surveillance and discrimination, and pins the blame on the technology developers, instead of the institutions or companies putting the systems to use.”

Finally, the proposal would place some oversight and regulation duties into the hands of the government, including the creation of an “EU database” that contains information about high-risk AI systems, the creation of a European Artificial intelligence Board, and the designation of a “national supervisory authority” for each EU Member State.

This, too, has brought pushback, as the regulatory bodies could overlap in responsibility with the European Data Protection Board and the Data Protection Authorities already designated by each EU Member State, per the changes implemented by the General Data Protection Regulation.

What next?

Though AI technology races ahead, the EU Commission’s proposal will likely take years to implement, as it still needs to be approved by the Council of the European Union and the European Parliament to become law.

Throughout that process, there are sure to be many changes, updates, and refinements. Hopefully, they’re for the better.

The post Artificial Intelligence ban slammed for failing to address “vast abuse potential” appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to choose the best VPN for you

Fri, 04/23/2021 - 11:13

If you’ve been shopping for a VPN service in 2021, you’ve probably noticed how many providers are available. Using a personal VPN has grown in popularity in recent years, and for good reason. You may no longer be asking, “Should I use one,” but rather, “Which one should I choose?”

The answer might be different for different people. There are many features and providers to consider. Here, we guide you through some of the decision factors so you can select the best VPN for your needs.

Is a free VPN the best choice?

One of the first questions VPN shoppers might ask is whether to use a free VPN service or pay for one. If you’re familiar with what a VPN is, you probably know that there are costs associated with being a provider. A VPN is like a middleman for your Internet traffic, and just like you probably pay an Internet Service Provider for your home Internet, a VPN provider somehow has to cover the costs of their service.

You might compare free vs paid VPNs to free vs paid Internet access. For home Internet access, an Internet Service Provider maintains the infrastructure to deliver Internet to homes, and charges customers for it. If you go to a café and use their free WiFi, the café pays for the WiFi and might build that cost into how much they charge you for a cup of coffee. So, how would a free VPN provider build their costs into a free service?

A common way free VPN services cover their costs is through advertising. That might be showing you ads when you use the service, or by taking your Internet activity data (as well as their other customers’ data) and selling that to advertisers as marketing data. Given that one of the main reasons to use a VPN is to increase your online privacy, it seems that using a free VPN that covers its costs by using your Internet activity for advertising might not accomplish that goal.

If you decide you want to use a paid VPN service for your online privacy but you’re not ready to commit to a long-term subscription right away, many providers offer a free trial before you have to make that commitment.

Choosing a VPN for gaming, streaming, or torrenting

One of the key decision factors in choosing a VPN is what you plan to use it for. In your research, you’ll likely explore reviews to help narrow down your selection, and one of the best ways to make your choice is to take advantage of free trials, so you can take the VPN for a test drive, so to speak. 

The best VPN for you might not be the best one for someone else. Online privacy is the main concern for most VPN users, but if you intend to use one while gaming, watching streaming services based in other countries, or for torrenting, you will have other considerations too and might choose a different provider in each case.

Best VPN for gaming

Many avid gamers have not wanted to use a VPN while gaming due to increased lag caused by encrypting traffic and routing it through a VPN server. However, many VPNs have gotten faster and more efficient, and “gaming VPN” is less of an oxymoron than it used to be. In addition to the online privacy benefits, gamers may also be keen to hide their IP addresses due to threats like doxing and swatting.

Alternatively, some users don’t want to use a VPN for gaming, but do want to use a VPN for everything else other than gaming. In that case, they will want to pay attention to how easily and transparently they can do this. Do they have to do one thing at a time and remember to turn the VPN on and off as they need it, or can they keep their VPN on all the time while allowing games to bypass it?

If you’re a gamer searching for the best VPN specifically for gaming, take advantage of free trials, and test out your selections while gaming to see how they impact speed and performance. 

Best VPN for streaming

Most VPN services enable you to select a server in the country of your choice, and this can enable you to watch some streaming services as if you were located in that country. However, some streaming services have cracked down on this practice, and so not every VPN will enable you to watch the content you want. Testing out a VPN with the streaming services you want to watch is a good way to determine what works now, but keep in mind that your access may change as streaming services adapt. Before using a VPN to access a streaming service, be sure to check that doing so does not violate their terms and conditions.

Best VPN for torrenting

Torrenting is a form of peer-to-peer (P2P) file sharing. Torrent downloads are quick because they are drawn from multiple nearby peers instead of from a single faraway location. To get access to the network users must become peers and allow a small portion of their computer’s resources to be used for hosting torrent data. While sharing files with other users isn’t illegal in and of itself, torrenting is often associated with pirating copyrighted material. However, there is perfectly legal content that people torrent, such as classic movies, TED Talks, and content in indie or niche genres that might not be readily available on large streaming services.

Often for torrenting, connection speed is most important factor in choosing a VPN so you can start watching content quickly. Unlike gaming, where download performance is most important, torrent users will also care about upload performance. This is another example in which taking advantage of free trials to test out VPN speeds while torrenting can help you to pick the best VPN for this purpose.

VPN features

Once you’ve thought about how you plan to use a VPN, the final step to select the best one for your needs is to compare features. This includes:

  • Ease of use: Is the interface easy to navigate and use?
  • Connection speed: You can test this if you do a free trial of the services you’re considering, and look at VPN speed comparison tests.
  • Server locations: In how many different countries are servers available?
  • Data limits: Does the service provide unlimited data, or is there a cap?
  • Simultaneous usage: How many devices can use your plan simultaneously?
  • Operating systems: Can you use the same VPN service on Windows, Mac, Android, and iOS?
  • VPN protocol: Do they use WireGuard, OpenVPN, or another protocol?
  • Encryption: Does the VPN use 256-bit AES encryption, the current best-in-class standard? 
  • Logging: Do they keep activity logs or have a no-log policy? What data gets logged?
  • Kill switch: Do they offer a kill switch, to close your browsers or apps if the VPN disconnects unexpectedly?
  • Split tunneling: Do you want to be able to do some online activities inside the encrypted VPN, and others (such as high-bandwidth activities) just on your regular Internet connection?
  • Support: Is support available 24/7? Is it available via chat, email, phone?

What’s the best VPN for your needs? Different people will have different answers. Considering the available features and reasons you want to use a VPN service will help you to answer that question.

The post How to choose the best VPN for you appeared first on Malwarebytes Labs.

Categories: Techie Feeds

FBI face recognition trawl finds Capitol rioter via his girlfriend’s Instagram

Wed, 04/21/2021 - 18:40

Facial recognition tech is in the news again after the FBI discovered the identify of one of the Capitol rioters by using facial recognition software on his girlfriend’s Instagram posts. It may sound scary and invasive, but in truth, what’s happening isn’t particularly new. In this case, we have what’s fast becoming a fairly standard tale of tracking people down via online imagery. Sometimes there’s cause for concern even without the latest tech providing some sort of flashpoint.

What’s happened?

After the Capitol riots following the US election, those responsible were slowly arrested over a period of weeks of searching and identifying. The Verge story mentions that in this effort, law enforcement made use of “facial recognition tools” to track down people associated with the event. The tool apparently brought researchers to the Instagram feed of a suspect’s girlfriend. It was a short step from there to matching his clothes with images from the Capitol riot.

Everything unravelled for the suspect quickly. Facebook accounts revealed his name. This brought investigators (via his state driving licence records) to his identity, workplace, and home.

Recognising recognition

We’ve covered facial recognition on the blog many times. Most concerns tend to focus on the potential for abuse from repressive Governments and law enforcement overreach. It’s such a concern that tech giants regularly dip in, and then quickly dip out when public opinion turns.

I don’t think many people will complain if facial recognition is used to help identify the people at the Capitol riots. Organisations find new ways to secure their sites with facial recognition and biometrics on a daily basis. You may or may not object to your bank combining facial recognition with AI software. These are potentially useful applications of this technology. Even so, we need to know what we’re dealing with for this story.

When pop culture and cold hard reality collide

Facial recognition is very much one of those technologies made a cliche for all time by film and television. The camera zooms in from orbit, it picks up the target in seconds, the operator is able to tell where the suspect bought his suit by enhancing the fibers on his jacket and so on.

The reality here is, “some people used a program to play mix and match with publicly available photographs”. The end result is still impressive, but CSI: Cyber this is not.

Impressive, but not CSI: Cyber

How does this work, then? Well, the article mentions “open source facial recognition tools”. The affidavit doesn’t say which tool, because law enforcement doesn’t want to give perpetrators clues for avoiding the long arm of the law. You can see some of the more popular tools available here, if you’re interested in learning more or giving them a go.

Otherwise, there are many other ways to match images with the raft of materials floating around online. TinEye is a dedicated online tool for matching images, and Google / Bing / Yandex search all offer their own versions of this functionality. A little bit of sleuthing and familiarity with OSINT practices can go a long way.

A sliding scale of “that’s impressive”

One of the best examples of this happened just recently, with a lost hiker pinpointed via a photograph. To me, this is significantly more impressive than digging a fairly distinctive individual out from a never-ending pile of selfies and readily available data on popular image sharing websites. As a result, I’d say this one is interesting, but definitely nothing new. Crowdsourcing also has a history of going horribly wrong, and the infamous Reddit Boston Bombing debacle is as good a place to drop this warning as any.

We’ll definitely see more of these stories in the near future, but I wouldn’t necessarily start panicking about this branch of open sourcing just yet.

The post FBI face recognition trawl finds Capitol rioter via his girlfriend’s Instagram appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild

Wed, 04/21/2021 - 18:12

Pulse Secure has alerted customers to the existence of an exploitable chain of attack against its Pulse Connect Secure (PCS) appliances. PCS provides Virtual Private Network (VPN) facilities to businesses, which use them to prevent unauthorized access to their networks and services.

Cybersecurity sleuths Mandiant report that they are tracking “12 malware families associated with the exploitation of Pulse Secure VPN devices” operated by groups using a set of related techniques to bypass both single and multi-factor authentication. Most of the problems discovered by Pulse Secure and Mandiant involve three vulnerabilities that were patched in 2019 and 2020. But there is also a very serious new issue that it says impacts a very limited number of customers.

The old vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The patched vulnerabilities are listed as:

  • CVE-2019-11510 an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. We wrote about the apparent reluctance to patch for this vulnerability in 2019.
  • CVE-2020-8243 a vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform an arbitrary code execution.
  • CVE-2020-8260 a vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

The obvious advice here is to review the Pulse advisories for these vulnerabilities and follow the recommended guidance, which includes changing all passwords in the environments that are impacted.

The new vulnerability

The new vulnerability (CVE-2021-22893) is a Remote Code Execution (RCE) vulnerability with a CVSS score of 10—the maximum—and a Critical rating. According to the Pulse advisory:

[The vulnerability] includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.

There is no patch for it yet (it is expected to be patched in early May), so system administrators will need to mitigate for the problem for now, rather than simply fixing it. Please don’t wait for the patch.

Mitigation requires a workaround

According to Pulse Secure, until the patch is available CVE-2021-22893 can be mitigated by importing a workaround file. More details can be found in the company’s Security Advisory 44784. Reportedly, the workaround disables Pulse Collaboration, a feature that allows users to schedule and hold online meetings between both Connect Secure users and non-Connect Secure users. The workaround also disables the Windows File Share Browser that allows users to browse network file shares.

Targets

The Pulse Connect Secure vulnerabilities including CVE-2021-22893 have been used to target government, defense and financial organizations around the world, but mainly in the US. According to some articles the threat-actors are linked to China. The identified threat actors were found to be harvesting account credentials. Very likely in order to perform lateral movement within compromised organizations’ environments. They have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence. These modified scripts on the Pulse Secure system are reported to have allowed the malware to survive software updates and factory resets.

Threat analysis

FireEye’s Mandiant was involved in the research into these vulnerabilities. It has posted an elaborate analysis of the related malware, which they have dubbed SlowPulse. According to Mandiant, the malware and its variants are “applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so”. In their blogpost they discuss 4 variants. Interested parties can also find technical details and detections there.

Networking devices

State sponsored cyber-attacks are often more about espionage than about monetary gain with the exception of sabotage against an enemy state. A big part of the espionage is getting hold of login credentials of those that have access to interesting secret information. Breaking into network devices in a way that can be used to extract login credential is an important strategy in this secret conflict. Keep in mind that attribution is always hard and tricky. You may end up reaching the conclusion they wanted you to reach. Given the targets and the methodology however, it makes sense in this case to look first at state sponsored threat actors.

The post Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild appeared first on Malwarebytes Labs.

Categories: Techie Feeds

FIN7 sysadmin behind “billions in damage” gets 10 years

Tue, 04/20/2021 - 20:55

In 2018 three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe were arrested and taken into custody by US authorities. Ukrainian nationals Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov, were members of a prolific hacking group widely known as FIN7.

Hladyr is the systems administrator for the FIN7 hacking group, and is considered the mastermind behind the Carbanak campaign, a series of cyberattacks said to stolen as much as $900 million from banks in early part of the last decade. Last week Hladyr was sentenced in the Western District of Washington to 10 years in prison for his high-level role in FIN7.

The Carbanak campaign first made international headlines in 2015 as one of the first malware campaigns that specialized in remote ATM robberies. But FIN7 had already been active for a few years at that point and was involved in a lot more banking and financial malware than just the ATM machines manipulation.

The malware

Since 2013 FIN7 have attempted to attack banks, e-payment systems, and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. Carbanak is considered a further development of the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world.

The campaigns all started with spear-phishing targeted at bank employees. When targets executed a malicious attachment the criminals were able to remotely control the victims’ infected machine. With access to a bank’s internal network, they were able to work their way internally until they gained control of the servers controlling ATMs.

A very detailed analysis of Anunak by Fox-IT and Group-IB can be found here (pdf).

By the following year, the same coders had improved the Anunak malware into a more sophisticated version, known as Carbanak. From then onwards, FIN7 focused its efforts on developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software, but Carbanak remained part of their toolset.

In the US alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.

Attribution

Many believe that the Carbanak malware was used by at least two separate entities. FIN7 and the Carbanak Group. This can be very confusing when trying to establish a timeline. Or when trying to solve any “whodunnit” mysteries. Once malware has been released and has proven to be successful you can count on other criminals trying to steal, copy, or rip off the code and techniques. So, if the Carbanak malware was used in a specific attack, it is not always clear which group was behind that attack, although it is clear that FIN7 was one of its users.

The arrest

The leader of the crime gang behind the Carbanak and Cobalt malware attacks was arrested in Alicante, Spain. The arrest was announced by Europol on 26 March 2018. According to Europol, the activities of the gang were believed to have resulted in losses of over EUR 1 billion for the financial industry.

Arresting the leader of that group did not stop the activities of the group though. The FIN7 campaigns appear to have continued, with the Hudson’s Bay Company breach using point-of-sale malware in April of 2018 being attributed to the group.

The arrest of Hladyr in August of 2018 at the request of the US Department of Justice, along with two other high-ranking members of the group did not have that effect either. In 2020 a cooperation between FIN7 and the Ryuk operators was suspected when the tools and techniques of FIN7, including the Carbanak Remote Administration Tool (RAT), were used to take over the network of an enterprise.

The conviction

After being extradited to the US in 2019, Hladyr pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking, in his role as the systems administrator of the FIN7 group.

According to acting US Attorney Tessa M. Gorman of the Western District of Washington:

This criminal organization had more than 70 people organized into business units and teams.  Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems. This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.

The Department of Justice says that Hladyr joined FIN7 via a front company called Combi Security but soon learned that it was a fake cybersecurity company with a phony website and no legitimate customers. It asserts that Hladyr served as FIN7’s systems administrator and played a central role in aggregating stolen payment card information, supervising FIN7’s hackers, and maintaining the servers used to attack and control victims’ computers. Hladyr also controlled the organization’s encrypted channels of communication.

The post FIN7 sysadmin behind “billions in damage” gets 10 years appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages