Malwarebytes

The Security Blog From Malwarebytes

US, EU, UK, NATO blame China for “reckless” Exchange attacks

Tue, 07/20/2021 - 14:11

Do you remember back when the latest urgent update was a vulnerability in Microsoft Exchange? How is that only four months ago? The trigger for the urgent advice in March was the fact that Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributed the attacks to a group they have dubbed Hafnium.

Hafnium at the time was a newly identified attack group that was also thought to be responsible for attacks on internet-facing servers, and which was known for exfiltrating data to file sharing sites. Its targets were mainly entities in the United States across a number of industry sectors. Despite the group’s use of leased servers in the US, Microsoft believed it was based in China.

The attack method used against the Exchange servers was called ProxyLogon. ProxyLogon quickly went from “limited and targeted attacks” to a full-scale panic. Microsoft’s patches for the Exchange vulnerabilities were quickly reverse engineered. Before long, attackers from everywhere in the world and every level of cybercrime were using the bugs to access vulnerable servers, establishing web shells to gain persistence and steal information.

Attribution

As most security researchers will tell you, attribution is hard, especially when it involves international espionage. Nonetheless, the US, UK, EU, and NATO have simultaneously voiced their concern about what they say is the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace.

Australia, Japan, New Zealand and Canada have also joined the coalition that is exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it. One element of the exposure is confirmation that Chinese state-backed actors were responsible for gaining access to computer networks around the world using ProxyLogon attacks against Microsoft Exchange servers.

The US Department of Justice also announced criminal charges against four hackers from the Chinese Ministry of State Security, the country’s unofficial espionage institution (the same organization that the UK named as the culprit behind the cyberattacks on Microsoft Exchange servers that took place earlier this year). The indictments against Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong are believed to be a part of this broader set of actions the federal government took to expose cybercrimes the White House officials say are sponsored and encouraged by the Chinese government.

The allies are also attributing to the Chinese Ministry of State Security the activity known by cyber security experts as “APT40” and “APT31”. It is rare to see such a unified and orchestrated reprimand against one of the world’s leading economies, but so far that seems to be as far as it goes. We have not seen any sanctions announced.

Sanctions

The EU has urged China to adhere to the “norms of responsible state behaviour as endorsed by all UN member states”, and not allow its territory to be used for malicious cyber-activities, and “take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation”.

The UK is calling on China to “reaffirm the commitment made to the UK in 2015 and as part of the G20 not to conduct or support cyber-enabled theft of intellectual property of trade secrets.”

When asked about the Microsoft hack, Joe Biden said one reason the US has not imposed sanctions against China over the cyberattacks is that the Chinese government, not unlike the Russian government, is not doing this themselves, but are protecting those who are doing it and maybe even accommodating them being able to do it.

The EU imposed its first-ever sanctions in response to cyberattacks in July 2020, targeting Russian, Chinese and North Korean hackers involved in major incidents in previous years, namely the NotPetya ransomware outbreak, the Cloud Hopper supply-chain hack, and the WannaCry ransomware attack. In October 2020, it imposed sanctions on two Russian intelligence officers and a unit of the GRU military intelligence service over their involvement in hacking the German parliament in 2015.

From state-sponsored to free-for-all

As we have seen with ProxyLogon, the impact of this type of state-sponsored cybercrime isn’t limited to states. Techniques used by state actors have a way of getting picked up by cybercriminals that will grab every opportunity to make a few extra bitcoins.

Just look at EternalBlue and the other SMB vulnerabilities – developed as NSA hacking tools – that came out of The Shadow Brokers leak. These vulnerabilities were quickly picked up by threat actors like Emotet and TrickBot. EternalBlue was also the driving power behind WannaCry.

Observed tactics and techniques

The NSA, CISA, and FBI also issued a joint advisory containing more than 50 tactics, techniques, and procedures (TTPs) that Chinese state-sponsored cyber actors have used in attacks targeting the US and allied networks.


Remcos RAT delivered via Visual Basic

Mon, 07/19/2021 - 19:32

This blog post was authored by Erika Noerenberg

Introduction

Over the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering the Remcos remote access trojan (RAT) via financially-themed emails. Remcos is often delivered via malicious documents or archive files containing scripts or executables. Like other RATs, Remcos gives the threat actor full control over the infected system and allows them to capture keystrokes, screenshots, credentials, or other sensitive system information. Unlike most RATs used by malicious actors, however, Remcos is marketed as an administrative tool by the company Breaking Security, which sells it openly on its website.

Distribution

Remcos often infects a system by embedding a specially-crafted settings file into an Office document, allowing an attacker to trick a user to run malicious code without additional notification. This variant of Remcos has been observed to be distributed via targeted spam emails with an attached archive file. The emails and attachment names have been primarily financially-themed; an example email is shown below:

[Image: Sample email delivering VBS Remcos]

For illustration, the following table lists a sample of email subjects and attachment names from 2021 by date:

| Date   | Subject                                                        | Attachment Name                           | Contents                     |
|--------|----------------------------------------------------------------|-------------------------------------------|------------------------------|
| 21 Jan | Separate Remittance Advice: paper document no – 9604163        | Payment Advice.img                        | Payment Advice.vbs           |
| 26 Apr | Appraisal Report for your Loan Application-11003354677341      | Appraisal.reportl1100335467734.zip        | Appraisal.vbs, Property.hta* |
| 18 May | Fwd: Appraisal Report for your Loan Application-1100788392210  | Appraisalreportl1100788392210.zip         | Appraisal..vbs               |
| 28 Jun | Fwd: Reminder: Your July Appointment-11002214991               | transaction_completed11003456773311..zip  | Report-Slip.vbs              |
| 6 Jul  | Fwd: Reminder: Your July Appointment-11003456773312            | transaction_completed11003456773312.zip   | Report-11003456773312.vbs    |

In most Remcos spam campaigns, the payload is an executable contained in an attached archive (.zip) or disk image (.img) file, though malicious documents are also sometimes used. In this campaign however, the emails contain a zip archive containing a Visual Basic script (.vbs) which downloads and executes additional scripts and finally installs the Remcos payload.

*Earlier versions also included a “Property.hta” file which consisted only of the VB script wrapped in HTML, as seen below. Interestingly, the body of this HTML consisted only of the text “demo”, which indicates this might have been test code.

Analysis

Remcos is a fully-functioning RAT that gives the threat actor full control over the infected system and allows them to collect keystrokes, audio, video, screenshots, and system information. Because it has full control, Remcos is also able to download and execute additional software onto the system. This Remcos distribution utilizes a series of scripts that ultimately results in the injection of a Remcos payload into the Windows system binary aspnet_compiler.exe. A sample infection chain for this variant is shown below:

[Image: VBS Remcos infection chain]

The samples analyzed below originate from the attachment Appraisalreportl1100788392210.zip (SHA256 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a13bb23e). As with all analyzed samples, the infection chain followed the process flow above: the initial Visual Basic script initiates a series of downloads and executions of obfuscated scripts that eventually result in the injection of the final Remcos payload into aspnet_compiler.exe.

[Image: Remcos initial VBS script]

Although the script above is lengthy due to obfuscation, it ultimately amounts to the following simple PowerShell command, which downloads and executes a second Visual Basic script:

[Image: Deobfuscated initial script]

The first downloaded script (ALL.TXT) also uses simple deobfuscation techniques to perform a few simple tasks. The $JUANADEARCO variable in this script contains Base64-encoded data which is decoded by the last line of the script (this data is shown as decoded in the highlighted box in the image below). This script performs the following actions:

  • Creates the directory C:\Users\Public\Run
  • Downloads Run_02_02_02.TXT (saved as C:\Users\Public\Run\Run.vbs)
  • Downloads Lerveri.txt (saved as Users\Public\Run\—–Run+++++++++.ps1)
  • Sets HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup to “C:\Users\Public\Run”
  • Sets HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup to “C:\Users\Public\Run”

The shell folder registry entries are legacy keys that are still present for backwards compatibility. Setting the “Startup” value of these registry entries to the malware’s directory of execution effectively causes the contents of that directory to execute upon system startup, ensuring persistence.
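The registry redirection described above is easy to audit from the defender's side. The following PowerShell script is an added example, not code from the Malwarebytes post or from the campaign: it reads the “Startup” value of both shell-folder keys named above, expands it, compares it against the default per-user Startup location, and lists whatever would be launched at logon from a redirected folder. The default path used for comparison is an assumption about an unmodified profile.

```powershell
# Added example (not from the Malwarebytes post): audit the per-user Startup
# shell-folder values that the ALL.txt stage rewrites, and flag any that no
# longer point at the default per-user Startup location.

# Assumed default for an unmodified profile; folder-redirection GPOs can
# legitimately change this, so treat a mismatch as a lead, not a verdict.
$defaultStartup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'

$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)

function Test-StartupShellFolder {
    [CmdletBinding()]
    param()

    foreach ($key in $keys) {
        $raw = (Get-ItemProperty -Path $key -Name 'Startup' -ErrorAction SilentlyContinue).Startup
        if ($null -eq $raw) { continue }   # value absent: nothing redirected via this key

        # 'User Shell Folders' normally stores REG_EXPAND_SZ data such as
        # %USERPROFILE%\...; expand it so both keys compare against one resolved path.
        $resolved = [Environment]::ExpandEnvironmentVariables($raw)

        [PSCustomObject]@{
            Key        = $key
            Value      = $raw
            Resolved   = $resolved
            Redirected = ($resolved.TrimEnd('\') -ne $defaultStartup.TrimEnd('\'))
        }
    }
}

$results = Test-StartupShellFolder
$results | Format-Table -AutoSize

# For every redirected Startup folder, show what would run at logon. In the
# campaign above this is where Run.vbs and the ---Run+++.ps1 stage were dropped.
foreach ($r in ($results | Where-Object Redirected)) {
    Write-Warning "Startup folder redirected by '$($r.Key)' -> $($r.Resolved)"
    if (Test-Path -LiteralPath $r.Resolved) {
        Get-ChildItem -LiteralPath $r.Resolved -Force |
            Select-Object FullName, Length, CreationTime, LastWriteTime |
            Format-Table -AutoSize
    }
}
```

Run it in the context of the user being investigated, since both keys live under HKCU; for a fleet-wide sweep, the same comparison can be applied to each loaded user hive under HKU. A Startup value pointing at a world-writable location such as C:\Users\Public is the specific pattern this campaign used.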

[Image: ALL.txt – second script after Base64 decoding]

Run.vbs is obfuscated in a similar fashion to the initial Visual Basic script:

[Image: Run_02_02_02.txt (saved as C:\Users\Public\Run\Run.vbs)]

This script (deobfuscated below) is responsible only for executing the main PowerShell script, which contains embedded binaries encoded as plaintext hex.

[Image: Run.vbs deobfuscated]

One of the binaries encoded in —–Run+++++++++.ps1 is the Remcos payload, which is loaded into the legitimate Windows binary aspnet_compiler.exe. The following function in the PowerShell script loads the Remcos PE into that binary:

[Image: Load function – Remcos payload]

Although all of the analyzed Remcos samples of this campaign since January 2021 call back to the same IP address and port, no actual C2 traffic has been observed. All of the script downloads have pointed to addresses on the legitimate website us.archive.org, and the payloads have connected (though only via TCP handshake) to the IP address 185.19.85[.]168 on port 8888.
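The two host-side signals described above, a TCP connection attempt to the callback address and a Remcos payload running inside aspnet_compiler.exe, can be checked with the built-in cmdlets. The following PowerShell script is an added example and is not code from the Malwarebytes post; the IP address and port are the indicators reported above, while the list of script-host parent process names and the choice of Win32_Process for parent lookup are this example's own assumptions.

```powershell
# Added example (not from the Malwarebytes post): hunt for the two host-side
# signals reported in the analysis, a TCP connection to the observed callback
# address and an aspnet_compiler.exe process spawned by a script host.

$c2Address = '185.19.85.168'   # callback address reported in the post
$c2Port    = 8888              # callback port reported in the post

# Assumed list of script hosts that the VBS/PowerShell stages run under.
$scriptHosts = @('powershell', 'pwsh', 'wscript', 'cscript')

function Get-SuspectRemcosActivity {
    [CmdletBinding()]
    param()

    # 1. Any socket to the callback address. The post saw only TCP handshakes,
    #    so do not filter on State; SynSent and TimeWait entries count too.
    $conns = Get-NetTCPConnection -RemoteAddress $c2Address -RemotePort $c2Port -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Signal  = 'C2Connection'
            Pid     = $c.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Detail  = "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) [$($c.State)]"
        }
    }

    # 2. aspnet_compiler.exe is a .NET build utility; outside a build it has no
    #    reason to be running, and a script-host parent matches the injection
    #    pattern above. Win32_Process exposes the parent PID and command line.
    $targets = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'aspnet_compiler.exe'"
    foreach ($t in $targets) {
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($t.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name -replace '\.exe$', '' } else { '<exited>' }
        [PSCustomObject]@{
            Signal  = if ($scriptHosts -contains $parentName) { 'InjectedHost' } else { 'AspnetCompilerRunning' }
            Pid     = $t.ProcessId
            Process = $t.Name
            Detail  = "parent=$parentName ($($t.ParentProcessId)) cmdline=$($t.CommandLine)"
        }
    }
}

Get-SuspectRemcosActivity | Format-Table -AutoSize
```

An empty result is only a point-in-time answer: the connection is short-lived, so a scheduled sweep or Sysmon network-connection events (Event ID 3) filtered on the same address are the more reliable source. A parent that has already exited is reported as <exited> rather than silently dropped, because a script host that launched the payload and quit is the expected shape of this chain.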

Because this IP address has not changed over several months, we investigated the passive DNS records to see if the infrastructure may have been used in other recent attacks. We found that this IP address had the following resolutions over the last few months:

| Address                | First Seen   | Last Seen                |
|------------------------|--------------|--------------------------|
| shugardaddy.ddns.net   | 26 May 21    | <current as of writing>  |
| ch-pool-1194.nvpn.to   | 24 May 21    | 30 June 21               |
| tippet.duckdns.org     | 13 May 21    | 16 May 21                |
| mail.swissauto.top     | 29 May 20    | 11 May 21                |
| randyphoenix.hopto.org | 4 April 21   | 14 April 21              |

Examination of this IP address revealed several hosted services on multiple ports. The highlighted date range above is interesting as it appears to be a mail server, and Spamhaus Zen classifies this address as blocked due to spam. Furthermore, analysis also revealed that the #totalhash malware database contains malware associated with this address going back as far as 2013. Correlating additional malware associated with this address showed several other versions of Remcos samples connecting to the same IP (many to shugardaddy.ddns.net port 5946) – a few recent samples are shown below:

| SHA256 Hash                                                      | Date Last Seen |
|------------------------------------------------------------------|----------------|
| 15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1 | 6 Jul 21       |
| 0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e | 5 Jul 21       |
| 8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a | 29 Jun 21      |
| 22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4 | 25 Jun 21      |
| 898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2 | 25 Jun 21      |
| d7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36 | 21 Jun 21      |

One identifying factor from this campaign is the use of us.archive.org to host payloads. Although this is not unique to malware campaigns in general, it is unique to the Remcos campaigns we have analyzed – only the VBS method of distribution has been observed to display this behavior.

In an analysis from Morphisec in March of this year, an HCrypt loader sample was analyzed that demonstrated a similar infection chain to the Remcos samples discussed above. Although the stages and scripts are not identical, the intermediary steps share a few similarities, such as the file names of the downloaded scripts ALL.txt, Server.txt, and in newer samples, Bypass.txt. The scripts also have a few function names in common, but the HCrypt samples have anti-analysis and anti-virus evasion functionality not seen in the Remcos samples. Further research is required to determine whether this set of scripts is a generically available package, or specific to a particular actor and being re-used across campaigns.

Although the actor or group behind this campaign is not known, the sporadic nature of the emails distributing this malware suggests that it could be targeted in nature. Remcos is a mature trojan that has evolved over many years; though the basic capabilities have remained the same, the methodologies of distribution and installation continue to change. Because it is software that can be purchased openly online, it is difficult to trace or attribute usage to a particular actor. However, given the consistency of network infrastructure and installation methodology, it is possible that the motivation or actors behind these attacks could be identified. Malwarebytes analysts continue to monitor and track this threat and will update detections and indicators as needed.

Protection

Malwarebytes protects users from Remcos by using real-time protection.

References

https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly

https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers

https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service

IOCs

Analyzed Samples:

| Type             | Name / Subject                                                | SHA256                                                           |
|------------------|---------------------------------------------------------------|------------------------------------------------------------------|
| Email Subject    | Fwd: Appraisal Report for your Loan Application-1100788392210 | 673b315a95b8c816502ec0dc3cae79cf14e0d7c09139c2fc4b9202fb09b5b753 |
| Attachment       | Appraisalreportl1100788392210.zip                             | 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a13bb23e |
| Extracted Sample | Appraisal..vbs                                                | 1f8853601030ad92bd78fd3f0fbf39eacd2f39f47317914b67aa26dfd57fa176 |

Remcos VB Scripts:

92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084
b1849476d3b8900288d6bf7c9ac229eba5e64d665398302a0842c335259f6560
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
5a69f279426b012b64a3099d778cd57aeca9db135d9701c2e11f71d55c3fb5e3
db01d69a7ae17947f77b50cfb03b2be6b784eeecdabfbb966b61ecdb3490d3ad
109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10
a5ae2e0f9a8f1c50e21ea93f4a195097753cd16436ffa4e946add38da873c8cb
a465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200
d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
7519540343e10c7846979809166df1cd0f01087ea53bf20fd5dd416dc6ebad14
dae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0
b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388
6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6

Related Remcos Samples:

Other IOCs:

185.19.85.168
ia601401.us.archive.org
ia601502.us.archive.org
ia601405.us.archive.org
ia601406.us.archive.org
shugardaddy.ddns.net
ch-pool-1194.nvpn.to
tippet.duckdns.org
mail.swissauto.top
randyphoenix.hopto.org


Beware, crypto-scammer seeks foreigner with BLOCK CHAIN ACCOUNT

Mon, 07/19/2021 - 13:41

We’ve observed a 419-style scam (also known as an advance fee scam) which combines the promise of cryptocurrency riches with WhatsApp conversation.

The mail, which arrived with the subject “Urgent respond”, begins as follows:

Greetings to you my friend,

My name is Haifa Kalfan, I am the Store manager with a Security Firm here in Malaysia . I need your urgent assistance to transfer funds out of this firm. I cannot directly achieve this without the help of a foreigner and that is why I am contacting you. All documents to enable the smooth release of this fund to you will be carefully worked out and there will be practically no risk involved, this will be executed under a legitimate arrangement that will protect you from any breach of law as a change of fund ownership certificate in your name will be legally initiated.

A fairly typical opening. Claiming to be in a reassuring position of power, along with the promise of being protected from any “breach of law”. Are you ready for things to go a bit Blockchain? Because they’re about to go a bit Blockchain.

Things go a bit Blockchain

This is the part of the scam where the people behind it start to get technical. Folks already involved in cryptocurrency would likely have suspicions raised after reading the below. Those with no prior experience may think somebody is suggesting an unfamiliar yet safe way to make a fortune.

A perfect arrangement is in place for the release of the fund to you without hitches through crypto currency which you may call bitcoin if you want. This measure was thought of due to the difficulties in transferring huge funds from one country to another, because of global fight on illicit movement of funds to sponsor terrorism. Transferring the fund to you through bitcoin is a perfect way. You will have to create a BLOCK CHAIN ACCOUNT on your phone, but you will first download the blockchain application on your phone, register an account and send the QR code to the financial institution, the fund will immediately be transferred into your blockchain account within 24 hours as soon as you send your blockchain QR code to the the department of any of our paying banks responsible for crypto currency transactions.

This is a long-winded way of asking would-be victims to install an app and begin transferring funds. Regular readers will be aware this means someone is about to have their bank account emptied, or have themselves turned into a money mule. If they’re really unlucky, both of these things are on the cards.

Confidence tricksters

Here’s the part where they attempt to keep would-be victims talking. It’s all about that personal touch in the land of cryptocurrency scams.

If you are ready, I will have to send you the director of the cryptocurrency department WhatsApp number, you will have to chat him up on WhatsApp for more details and guidelines. I will secure a legal certificate of fund ownership change through our firm’s legal team which you will forward.

This is nothing more than “the place the specifics of the scam unfold”. We did attempt to make contact and find out:

  • Which app they want people to use, and
  • What the process is once the scam takes hold on WhatsApp.

At the time of writing we’ve received no reply. Should we happen to get one, we’ll update this blog post in due course.

A multifaceted approach to scamming

With cryptocurrency being so widespread, it’s possible folks with digital money in the bank could be completely cleaned out. Whether the victim is someone tech-savvy or somebody who simply thinks they see a good thing, it will only end in disaster.

The email we received was already flagged as spam by Gmail, so it’s possible other spam filters have already marked this one out too. This style of missive is incredibly popular and costs folks a fortune every year. “If it’s too good to be true, it probably is” may be a little tired and worn around the edges these days, but it’s 100% accurate in this case. Should you receive a mail similar to the above, flag it as spam and send it straight to the trash bin.


StopRansomware.gov brings together information on stopping and surviving ransomware attacks

Mon, 07/19/2021 - 13:30

The US Department of Homeland Security (DHS) and the US Department of Justice (DOJ)—along with other federal partners—have launched a new website as part of the US government’s fight against ransomware: StopRansomware.gov.

StopRansomware.gov is said to be a one-stop hub for ransomware resources for everyone, whether they are individuals, SMBs, enterprises, or others.

“As ransomware attacks continue to rise around the world, businesses and other organizations must prioritize their cybersecurity,” said Secretary of Homeland Security Alejandro Mayorkas in the official press release on the DHS website. “Cyber criminals have targeted critical infrastructure, small businesses, hospitals, police departments, schools, and more. These attacks directly impact Americans’ daily lives and the security of our Nation. I urge every organization across our country to use this new resource to learn how to protect themselves from ransomware and reduce their cybersecurity risk.”

This website release and announcement came three months after the Ransomware Task Force (RTF), a group of 60 volunteer experts across industries and governments, released a comprehensive, strategic plan to address the growing threat of ransomware.

StopRansomware.gov includes a useful section on what to do if you have been hit by ransomware.

Both the report and the new website are part of an escalation in the fight against ransomware in 2021. This year has seen devastating attacks against Colonial Pipeline, Ireland’s Health Service Executive, and Kaseya VSA, to name a few. In response, the Biden administration has issued new rules for critical infrastructure, promised to hold President Putin of Russia to account for the country’s apparent harboring of ransomware gangs, and offered rewards of up to $10 million for information about state-sponsored attacks on critical infrastructure.

StopRansomware.gov consolidates the ransomware tools and resources of all US federal government agencies. Where before, organizations would have to visit multiple sites to seek advice, threat updates, or alerts on ransomware matters, they can now just visit this .gov website. The resources included in StopRansomware.gov come from the Cybersecurity and Infrastructure Security Agency (CISA), the US Secret Service, the Federal Bureau of Investigation (FBI), the National Institute of Standards and Technology (NIST), the Department of the Treasury, and the Department of Health and Human Services (HHS).


A week in security (July 12 – July 18)

Mon, 07/19/2021 - 09:43

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe!


“Seven or eight” zero-days: The failed race to fix Kaseya VSA, with Victor Gevers, Lock and Code S02E13

Mon, 07/19/2021 - 07:45

Kaseya VSA included at least “seven or eight” privately known zero-day vulnerabilities before it suffered a widespread ransomware attack that impacted hundreds of businesses, said Victor Gevers, chair of the Dutch Institute for Vulnerability Disclosure, or DIVD, a volunteer-run organization that found a remote code execution flaw in Kaseya VSA on April 1, 2021.

In speaking with Malwarebytes for its Lock and Code podcast (embedded below), Gevers revealed that Kaseya VSA’s vulnerabilities represent just one data point in a far larger and more worrying trend—that Internet-facing remote administration tools are rife with flaws and that, as organizations increasingly rely on such tools for working-from-home environments, cybercriminals will increasingly discover, target, and exploit those flaws.

“We are seeing these signals very clearly that the quality of products that are online and are exposed to the Internet are not up to par for the current situation that we are in,” Gevers said. “For attackers, this is the best way in—next to, of course, sending phishing emails. That will always exist because we cannot learn to stop [clicking on things]. But this second thing, this is going to screw us over in the long term.”

The ransomware attack against Kaseya VSA on July 2 has quickly become recognized as one of the most significant cyberattacks in recent history. In the attack, members of the REvil ransomware gang pushed malicious Kaseya VSA updates that locked up machines and networks after first disabling several protective features in Microsoft Defender, the default anti-malware software packaged with most Windows machines today. The impact of the attack, however, extended much further, because Kaseya VSA is one of the more popular remote monitoring and management tools used by Managed Service Providers. The MSPs that were hit by the attack saw not only their systems encrypted, but also the systems of the clients that they support.

Essentially, the attack cascaded down, first hitting Kaseya VSA users—MSPs—and then hitting the businesses that relied on those MSPs for day-to-day IT support.

Reportedly hundreds of businesses were hit. Schools in New Zealand warned their staff that their computers might be inaccessible. The Swedish grocery chain Coop closed roughly 500 stores for multiple days. Two small towns in Maryland saw their systems lock up. The scale helped prompt Kaseya’s CEO into publicly releasing a statement.

For Gevers, the number of victims is frustrating, largely because he and his team were working with Kaseya to patch the VSA vulnerabilities for months prior. Within a day of discovering a remote code execution vulnerability on April 1, DIVD built up a team to investigate further, Gevers said.

“We open a case, we get some other security engineers on board. If we can find a copy [of Kaseya VSA], then we get our own copy of it, a trial version to run. We set up a lab. Then we have to go through the process of creating a fingerprint, because we want to scan the entire Internet—we want to look to every web server in the world to have that specific fingerprint, so we know where those panels are, exactly,” Gevers said. “Within a day, we were able to scan all Internet-facing instances of that thing, and it took us two days to start identification of the possible victims that had the on-prem version.”

DIVD compiled a report that showed “all on-prem implementation[s],” along with unique customer ID codes, delivering the report to Kaseya on April 6, just days after first discovering the vulnerability.

Kaseya took responsibility for the vulnerability and began developing a patch, Gevers said, which DIVD helped test for effectiveness. During this time, DIVD was also offered a version of Kaseya VSA to test more extensively, and in those tests, Gevers said, a researcher found additional flaws.

“We finally had our version running in our test lab,” Gevers said. “This is how it went from one zero-day [to] seven or eight, eventually.”

While Kaseya managed to quickly test its patches on SaaS implementations of Kaseya VSA, it had more trouble with customers who still relied on the on-premises versions, Gevers said. But in the middle of that testing, it became too late:

“It took them quite a lot of effort and time, and more and more expertise to get the right patch out—to get it tested, to get it through quality assurance. And then, disaster struck.”

The fallout of the attack is both external and internal.

Internally, Gevers said that DIVD is already considering how to improve coordinated vulnerability disclosure—as a process—because, despite issuing a confidential warning as far back as April 6, some systems remained vulnerable. While many potential victims were saved by DIVD and Kaseya’s months-long work, Gevers said he would have preferred to see no victims at all.

Externally—beyond the immediate damage of the ransomware attack itself—Gevers said that security administrators can no longer look away from a growing problem that affects the very tools they rely on every day.

“We understand that it is convenient to have your administrative panels, your RDP, your VNC, your shared hosting panels… all that kind of things for doing maintenance and administrative, to have it directly connected to the Internet, we understand,” Gevers said. “But it is simply not safe, because there is always, there is always an issue with the software.”

Critically, Gevers said that these flaws are neither isolated nor complex:

“This is not just to hit on Kaseya. With Vembu, it was the same. The latest Citrix bug, you know, that caused an outage. With Pulse VPN. I am sorry, but these vulnerabilities—these are not advanced. Not advanced at all.”

For Gevers, there is a clear path forward: Fix today’s vulnerabilities as soon as possible, and prevent future, similarly-flawed products from ever entering the market.

In the short term, Gevers called for more security volunteers. At DIVD, the team is too small and not geographically dispersed enough to handle worldwide cyberattacks. For instance, having a volunteer in Miami, Florida, near Kaseya’s headquarters, could have helped DIVD, Gevers said.

In the long term, Gevers stressed that software vendors must take greater responsibility for their products. He asked vendors to invite third-party reviewers to analyze software code, and to step away from meaningless marketing language. By giving consumers more information from trusted analysts about how a product performs and what vulnerabilities it may have, Gevers said, the market will hopefully reward secure, transparent software. Finally, Gevers said that countries around the world should better incentivize independent security research so that cybersecurity researchers do not feel intimidated or afraid to report their findings.

The future, Gevers said, is at stake:

“It’s our duty to do something to make sure that the Internet stays safe enough for the next generation… because we are always leaving the next generation with political challenges, challenges in society, environmental challenges, economical challenges. Can we please leave a communications network behind that I can still trust to work on?”

Listen to the full Lock and Code podcast, with host David Ruiz, below.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


US offers huge reward in fight against state-sponsored cybercriminals

Fri, 07/16/2021 - 15:40

The US Department of State has announced that its Rewards for Justice (RFJ) program is now offering:

…up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).

Ransomware

The reward is a clear sign that the Biden administration is increasing its efforts to disrupt state-sponsored cyberattacks, and to punish the criminals who launch them. The press release specifically calls out ransomware campaigns, saying that violations of the statute “may include transmitting extortion threats as part of ransomware attacks.”

Other violations of the CFAA that it mentions include:

  • Intentional unauthorized access to a computer or exceeding authorized access and thereby obtaining information from any protected computer.
  • Knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.

“Protected computers” includes US government and financial institution computer systems, and also those used in or affecting interstate or foreign commerce or communication.

Protecting whistle-blowers

To enable the reward system, the RFJ has set up a Dark Web reporting channel, using exactly the same privacy-enhancing technology that ransomware gangs use to conduct their ransom negotiations without being located or identified.

Some may be surprised at the size of the reward. One of the key reasons we have seen ransomware get progressively worse is that the spoils often outweigh the risks. With the $10 million reward the US is hoping to rebalance the equation. Cybercrime has become a mature industry, with different groups specializing in different parts of the value chain. That requires a level of trust to operate smoothly, and with this financial incentive, the US has just given everyone involved in the cybercrime industry a new and very significant reason to doubt the trustworthiness of their suppliers and affiliates. A method to divide and conquer if you will.

Russia

Even though the press release mentions “a foreign government”, everybody will understand that this is mostly aimed at Russia, although China, North Korea, Iran and others have also been implicated in cybercrimes committed inside the US. The strategy is necessary after Russian President Vladimir Putin’s obvious reluctance to curb ransomware operators. Mainstream ransomware operators know that if they avoid running inside Russia and the Commonwealth of Independent States they will probably be left alone.

Other options

Giving out rewards is not the only path the US will be pursuing though. The rewards are a part of a larger strategy that also entails:

  • Hardening US institutions’ defenses against ransomware attacks.
  • Making it harder to cash out cryptocurrencies gained by illegal means.
  • Better international cooperation against ransomware.

We have seen some examples of these strategies at work when:

The U.S. is not alone when it calls for more international cooperation against ransomware. Speaking at the INTERPOL High-Level Forum on Ransomware, Interpol’s secretary general Jürgen Stock urged police agencies and industry partners to work together to prevent what looks like a future ransomware pandemic. Secretary General Stock said that while some solutions existed nationally or bilaterally, effectively preventing and disrupting ransomware meant adopting the same international collaboration used to fight terrorism, human trafficking, and mafia groups.

Sharing information would be an important part of such international cooperation, but there are also talks about opening up other information sources, such as making it mandatory for victim organizations to share information about how frequently such attacks occur and how they’re perpetrated, so others can learn from them.

More information about the reward offer is located on the Rewards for Justice website. The Tor-based tips-reporting channel can be found at the .onion URL below (you will need the Tor browser to access it):

he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion

Stop Ransomware

A good fit in the overall strategy is the launch of the StopRansomware website by the Cybersecurity and Infrastructure Security Agency (CISA), intended to become an official one-stop location for resources to tackle ransomware more effectively. The new StopRansomware.gov website is a collaborative effort across the federal government and the first joint website created to help private and public organizations mitigate their ransomware risk.

The Secretary of Homeland Security said: “As ransomware attacks continue to rise around the world, businesses and other organizations must prioritize their cybersecurity … I urge every organization across our country to use this new resource to learn how to protect themselves from ransomware and reduce their cybersecurity risk.”

The post US offers huge reward in fight against state-sponsored cybercriminals appeared first on Malwarebytes Labs.


Does using a VPN slow down your Internet?

Fri, 07/16/2021 - 10:49

A Virtual Private Network (VPN) can stop others from snooping on or tampering with your Internet traffic. It does this by concealing your traffic inside an encrypted tunnel between you and your VPN provider. And because your traffic appears to join the Internet from your VPN provider’s computer and not your own, a VPN can also conceal your IP address, which disrupts tracking and helps you circumvent geo-blocks. At Malwarebytes, we have noticed an increase in VPN usage worldwide.

Despite its benefits, some people hesitate to use the technology because they believe VPNs negatively impact the performance of their Internet connection. So, does a VPN slow down Internet speeds?

Yes, it does. The encryption process, the distance to the server, and the VPN protocol your VPN uses can impact your Internet speed. But that isn’t the whole story.

What really matters is: Is that slowdown noticeable? A good VPN may slow down your Internet, but only to a negligible degree. Most customers of cutting-edge VPN services find that a slight performance hit is worth the benefits, if they notice it at all.

VPN speed test

The best way to check how much a VPN is slowing down your Internet connection is to perform a VPN speed test. A VPN speed test compares your regular Internet speed with your VPN speed. Your Internet bandwidth is usually measured in megabits per second (Mbps).

Here is a fast and easy way to perform a VPN speed test:

  1. Deactivate your VPN.
  2. Search your favorite search engine for “Internet speed test.”
  3. Run an Internet speed test and note down your download and upload speeds.
  4. Activate your VPN.
  5. Connect to a VPN server.
  6. Repeat step three and compare the results.

Bear in mind, though, that you are not a machine and that what actually makes a difference to you is not the measurable lag in your Internet connection (known as latency) but how you perceive that lag (known as perceived latency). In many situations, you won’t notice a small slowdown. In other situations, perhaps when you’re waiting on something important like a credit card transaction to complete, you will be more sensitive to changes in latency you normally wouldn’t notice.

So, while objective speed tests are a useful guide, there is no substitute for actually using a VPN in the real world and seeing how it affects things you care about.

How can I make my VPN faster than before?

Pick a different server

In general, the further your traffic has to travel to your VPN provider’s servers, the slower your VPN will be. Speed is also affected by how powerful those servers are, and how many people are using them at the same time, but all things being equal, distance matters.

Try picking a closer server to enjoy a faster connection. If it’s experiencing heavy traffic during peak hours, pick another server nearby to improve your Internet speed. It’s a good idea to subscribe to a VPN service that offers many servers across dozens of countries to have a fast connection.

Select a VPN that uses WireGuard

A VPN protocol is the set of instructions that establishes the way your data routes from your device to your VPN server. A VPN protocol impacts the speed, security, and stability of your connection. Many service providers have switched from OpenVPN to the WireGuard protocol because it’s secure, newer, and more efficient. In many studies, WireGuard is significantly faster than its competitors, including OpenVPN.

VPN speed boost

Some Internet Service Providers (ISPs) deliberately throttle your Internet speed during peak hours to reduce the server load by slowing down popular data packets. For example, Northeastern University and the University of Massachusetts Amherst found ISPs throttling streaming platforms like Netflix in their research. A top VPN service can help you bypass bandwidth throttling because it stops your ISP from examining data packets.

The post Does using a VPN slow down your Internet? appeared first on Malwarebytes Labs.


What is scareware?

Fri, 07/16/2021 - 09:44

Scareware is a type of rogue program which has been around for many years, arguably dating back to 1990. It can be installed without permission, or via deception and false promises. Scareware is primarily used to panic or worry someone into performing a task they otherwise wouldn’t have done. There are some caveats to this, which we’ll cover below.

The rest of this article will reference scareware programs which are intended to be malicious. This means asking for payment, locking devices, or acting in a malware-like manner. Joke / trick programs need not apply (unless they’re also doing something malicious). There are, broadly, a number of different categories which various kinds of scareware fall into. Bogus web browser messages often assist scareware installations. As such, we’ll look at those too.

Examples of scareware

Fake security software

Predating ransomware, rogue scanners used to be a major plague on the security landscape and are still problematic to this day. At one point, you simply couldn’t move for bogus programs. The standard procedure was to warn of infections via browser popups, or hijacked surfing and pages you couldn’t navigate away from. Bogus security programs would run a fake scan, and warn of fake infections. They’d also ask for payment to “unlock” the full version of software so cleaning could take place.

Many types of fake security software imitate the design / name of real programs, in order to seem more convincing.

Scareware as a system menace

Many fake security tools do little beyond triggering aggravating popups or fake infection warnings. They “just” want you to hand over some money for a useless program. Others go further, acting the same way actual spy/malware does while simultaneously saying the PC has an infection (spoiler – it does, but not in the way victims might think). Rogues changing desktops with fake blue screen of death imagery, restarting when trying to uninstall scareware, disabling genuine security tools, and much more are par for the course in this realm.

Web browser lockers

Although not an install, browser lockers were an integral part of how scareware used to end up on systems in the first place. Typically, this involved a web page using code to prevent the user shutting the browser window (or tab, after tabs were introduced). Some browser lockers would make the browser go full screen (as if you’d pressed F11) and use “scare” tactics as the webpage background.

This commonly took the form of fake representations of people’s “This PC” section, complete with representation of C or D drives, generic folders like Music / Pictures and so on. As mentioned, others would display fake BSoD screens. Whatever it took to panic the viewer into downloading and purchasing offered software.

Scareware influence

Many of these techniques ended up making their way into the hands of malvertisers. In fact, it’s not unusual to see malvertisers directing device owners to scareware messaging. You’ll notice the product at the end of that particular chain isn’t fake security software offering a cleanup. It’s a VPN. There are at least some folks out there who may think installing it will be enough to “fix” the fictitious virus infestations. That’s all it takes for some money to change hands.

How to prevent scareware

Many scareware experiences begin with bad browser experiences. It pays to have a fully updated browser at all times to reduce the risk of attack from exploits. Additional extensions like our Browser Guard will further lower the possibility of scare screens and fake messaging.

Dire warnings of multiple infections out of the blue are a big hint that scareware is in the offing. So too are immediate demands for payment, popups which won’t go away, and tabs which refuse to close. Pressure to make decisions right away “or else” is also a major red flag. Ad blockers will help reduce the possibility of redirects to scareware and malvertising from bad ads. Double win!

General awareness of common social engineering techniques will also help steer you away from panic-based decisions. While scareware isn’t the mainstream force it once was, it still has the capacity to shock the money from your bank account. Stay safe out there!

The post What is scareware? appeared first on Malwarebytes Labs.


SonicWall warns users of “imminent ransomware campaign”

Thu, 07/15/2021 - 14:30

SonicWall has issued an urgent security notice warning users of unpatched End-Of-Life (EOL) SRA & SMA 8.X remote access devices that they have been made aware of an imminent ransomware campaign using stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of SonicWall firmware.

In addition to the notice posted to its website, SonicWall sent out an email to anyone using SMA and SRA devices, urging some to disconnect specific devices (see below under Mitigation) immediately.

SonicWall

SonicWall is a company that specializes in securing networks. It sells a range of Internet appliances primarily directed at content control and network security, including devices providing services for network firewalls, unified threat management (UTM), virtual private networks (VPNs), and anti-spam for email.

Devices at risk

The devices that the security notice mentions are running 8.x versions of the firmware. Because these versions have reached their end of life they are unpatched. The notice mentions by type:

  • Secure Mobile Access (SMA) 100 series
  • Older Secure Remote Access (SRA) series

A lifecycle table for these products can be found here.

Vulnerability

In its notice, SonicWall reports that ransomware attacks are being launched against these products using a known vulnerability in the 8.x firmware. This vulnerability has been patched in the later 9.x and 10.x firmware versions. It describes continuing to use its end-of-life products or 8.x firmware as “an active security risk” and at “imminent risk of a targeted ransomware attack”.

It is unclear which ransomware variant was caught targeting these devices, but last month NCC Group’s Incident Response team observed a new variant of the FiveHands ransomware using an externally facing SonicWall VPN appliance as the initial access vector.

Mitigation

The notice mentions the following products along with recommended actions:

  • SRA 4600/1600 (EOL 2019) disconnect immediately and reset passwords.
  • SRA 4200/1200 (EOL 2016) disconnect immediately and reset passwords.
  • SSL-VPN 200/2000/400 (EOL 2013/2014) disconnect immediately and reset passwords.
  • SMA 400/200 Update to 10.2.0.7-34 or 9.0.0.10 immediately, reset passwords, and enable MFA.
  • SMA 210/410/500v (Actively Supported) update firmware to 9.0.0.10-28sv or later, or to 10.2.0.7-34sv or later.

Additionally users are advised to immediately reset all credentials associated with SMA or SRA devices, as well as any other devices or systems that use the same credentials.

As is often the case, there is no rocket science here, just security bread and butter. That doesn’t mean that doing security is easy, but it does show the importance of staying on top of some basics. Using any product that’s out of support and unable or unlikely to get security updates is a security risk that only gets worse over time. Using out-of-date software or firmware with known security vulnerabilities is similarly risky. And, as ever, it’s wise to use multifactor authentication (MFA) wherever you can.

Security devices as a way in

In the continuous wave of ransomware attacks you may have noticed a trend where the software and devices that are designed to keep you safe, are being used to establish the opposite. This year we have seen Pulse Secure vulnerabilities exploited in the wild, CISA warnings about successful attacks targeting a number of years-old vulnerabilities, and the colossal Kaseya supply-chain attack, among others.

Even though this may seem ironic, it does make sense. Cybercriminals will obviously use any available entrance into their target’s network. And defenses that control inbound and outbound traffic, like VPNs, firewalls, and routers, are attractive, privileged targets that users are often reluctant to bring down for maintenance. Vulnerabilities in these systems are golden opportunities for cybercriminals. So, it shouldn’t need any explanation why it is imperative to patch or remove such vulnerable devices as soon as possible.

Stay safe, everyone!

The post SonicWall warns users of “imminent ransomware campaign” appeared first on Malwarebytes Labs.


Ransomware’s Russia problem

Thu, 07/15/2021 - 10:55

This blog post was written in collaboration with members of the Threat Intelligence Team.

Last week, US news outlet NBC News caused a stir with an article proclaiming that the REvil ransomware used in the recent, colossal Kaseya supply-chain attack was “written to avoid computers that use Russian.”

The attack, one of the largest and most dramatic ransomware attacks in history, happened at a time when the Biden administration was escalating its rhetoric over Russian cyber-activity. To the uninitiated, and the NBC headline writer, it looked like a “new revelation.” Readers were invited to join the geopolitical dots.

But the stir it caused, at least among those familiar with ransomware, wasn’t surprise that REvil was coded to avoid Russia, but surprise that anybody would be surprised by that. TrustWave, authors of the report the article was based on, certainly weren’t surprised that REvil didn’t want to run in Russia. They give it barely a mention.

Ransomware really caught the world’s attention in May when threat actors using DarkSide ransomware kicked the hornet’s nest by attacking the Colonial Pipeline, the largest fuel pipeline in the US. But as many readers will know, ransomware attacks have been relentless over the past few years, escalating each year. Even a global pandemic didn’t hamper the ransomware gangs’ activities, and just this year targets have included countless private companies, as well as hospitals, law enforcement agencies, governments, charities, and critical infrastructure.

There are multiple groups creating and developing different strains of ransomware—and many more affiliates enticed to use it to conduct their own attacks. Although their attacks follow similar patterns, there is constant innovation of tools, tactics and technology. And while some groups are cooperating, more or less, others work alone.

Yet they all have one thing in common: Ransomware really, really doesn’t want to run in Russia or members of the Commonwealth of Independent States (CIS), and it never has.

Russia-averse ransomware families

The Commonwealth of Independent States (CIS, for short, or Sodruzhestvo Nezavisimykh Gosudarstv in Russian), is an international organization comprised of Russia and other republics that used to be part of the Soviet Union. Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan are member states of CIS. The two founding states, Ukraine and Turkmenistan, are allowed to participate in CIS although they are not recognized as official members.

Malwarebytes researchers have compiled a list of the most prolific ransomware families based on the number of known attacks in the first half of 2021 (this does not include the cascading Kaseya attack from July) and whether or not that ransomware will run in the CIS. None of them do. Almost anything is fair game for ransomware gangs it seems, unless it happens to be located in the CIS.

Ransomware family   Known attacks in 2021†   Currently active?   Runs in the CIS?
Conti               215                      Yes                 No
Avaddon             161                      No                  No
REvil               116                      No                  No
DarkSide            75                       No                  No
PYSA                68                       Yes                 No
DoppelPaymer        60                       Yes                 No
CL0P                44                       Yes                 No
Babuk Locker        43                       Yes                 No
RagnarLocker        30                       Yes                 No
NetWalker           22                       Yes                 No
Nefilim             17                       Yes                 No
RansomEXX           14                       Yes                 No
Mount Locker        8                        Yes                 No

† Known attacks is open source data from Dark Tracer that reflects the number of victims that were attacked but did not pay a ransom in the first half of 2021. This does not include the recent Kaseya supply-chain attack. The true number of attacks is certainly higher.

Among the 13 ransomware families listed in the table, 10 are known to be active. Avaddon and DarkSide seem to have been disrupted by law enforcement agencies. The CL0P money laundering operation was raided in June, but attacks involving that ransomware have continued. The group behind Babuk Locker recently announced it was quitting the ransomware encryption scene, but its ransomware builder later emerged on VirusTotal, and ransomware built with it has since been used in attacks. Following the enormous Kaseya attack, the websites and infrastructure of the REvil ransomware group have been shut down. Despite rampant speculation, the cause is unknown.

How ransomware avoids CIS countries

There are a number of techniques that ransomware creators commonly use and include in their code to avoid CIS countries, such as hard-coding country names and geographical territories, and checking the system language.

Sample hardcoded country check code taken from Nefilim ransomware. (Credit: Malwarebytes)

Some threat actors include code to check for the default system language by, for example, calling the GetUserDefaultLangID or GetLocaleInfoW functions, which return a language particular to a user—American English, for example. Another checking process retrieves the victim’s IP address via a public API, such as api.ipify.org. Because IP addresses are allocated geographically they can be used to guess the user’s rough location.
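The two locale APIs and the public IP lookup named above are things an analyst can look for when triaging a sample. The following is an added example, not code from the article or from Malwarebytes: a small Python heuristic that scans raw file bytes for those API names, the api.ipify.org host, and hard-coded CIS country names, in both ASCII and UTF-16LE (the wide-string encoding Windows binaries commonly use). The sample blobs are constructed stand-ins, the extra API names and ipinfo.io are additions beyond what the article lists, and the scoring threshold is an assumption.

```python
"""Triage heuristic for the CIS-avoidance indicators described above.

Added example, not the article's code. It flags a file that pairs a
locale query or public IP lookup with several hard-coded CIS country
names. This is a triage aid for an analyst, not a verdict: legitimate
installers also query the locale and may carry country strings.
"""
from dataclasses import dataclass, field

# Locale APIs named in the article, plus two other well-known Win32 locale
# queries (added here, not mentioned in the article).
LOCALE_APIS = (
    "GetUserDefaultLangID",
    "GetLocaleInfoW",
    "GetSystemDefaultLangID",
    "GetKeyboardLayoutList",
)

# Public IP lookup host named in the article; ipinfo.io is an addition.
GEO_HOSTS = ("api.ipify.org", "ipinfo.io")

# CIS member and participating states as listed in the article. Language
# names are deliberately left out so that "Russian" does not also count as
# a second hit for "Russia".
CIS_COUNTRIES = (
    "Russia", "Armenia", "Azerbaijan", "Belarus", "Kazakhstan",
    "Kyrgyzstan", "Moldova", "Tajikistan", "Uzbekistan", "Ukraine",
    "Turkmenistan",
)

# Assumed threshold: how many distinct CIS country names, together with a
# lookup, are enough to flag the file for a closer look.
MIN_COUNTRY_HITS = 3


@dataclass
class TriageResult:
    locale_apis: list = field(default_factory=list)
    geo_hosts: list = field(default_factory=list)
    cis_countries: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        """Flag only the combination: a way to learn the victim's locale or
        location AND a list of CIS countries to compare it against."""
        has_lookup = bool(self.locale_apis or self.geo_hosts)
        return has_lookup and len(self.cis_countries) >= MIN_COUNTRY_HITS


def _contains(blob: bytes, marker: str) -> bool:
    """Case-insensitive search for marker as ASCII or as UTF-16LE.

    bytes.lower() only touches ASCII letters, so the NUL bytes of a
    UTF-16LE string survive and the wide-string comparison still works."""
    low = blob.lower()
    m = marker.lower()
    return m.encode("ascii") in low or m.encode("utf-16-le") in low


def triage(blob: bytes) -> TriageResult:
    """Scan raw file bytes and collect every indicator that is present."""
    result = TriageResult()
    result.locale_apis = [a for a in LOCALE_APIS if _contains(blob, a)]
    result.geo_hosts = [h for h in GEO_HOSTS if _contains(blob, h)]
    result.cis_countries = [c for c in CIS_COUNTRIES if _contains(blob, c)]
    return result


# Constructed stand-ins for file contents (not real malware bytes): some
# padding, ASCII import names as they sit in an import table, a wide-string
# country list, and the IP lookup URL.
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"GetUserDefaultLangID\x00GetLocaleInfoW\x00"
    + "Russia\0Kazakhstan\0Belarus\0Armenia\0".encode("utf-16-le")
    + b"https://api.ipify.org/\x00"
)

# A benign-looking blob: one locale API and a single country string, the
# kind of thing a localized installer carries. Must not be flagged.
BENIGN_SAMPLE = (
    b"MZ\x90\x00" + b"GetLocaleInfoW\x00" + "Russia".encode("utf-16-le")
)


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SAMPLE),
                       ("benign", BENIGN_SAMPLE)):
        r = triage(blob)
        print(f"{name}: flagged={r.flagged} apis={r.locale_apis} "
              f"hosts={r.geo_hosts} countries={r.cis_countries}")
```

Run it against strings from a real sample by reading the file in binary mode and passing the bytes to triage(); a hit is a reason to look at the locale check in a disassembler, not a classification on its own.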

Although ransomware tries very hard not to run in Russia or the CIS, sometimes it does. Where ransomware has netted systems in those countries by accident the attackers have been known to hand over decryptor keys and apologize for the error.

A conversation in which an Avaddon ransomware contact reaches out to a victim company after finding out that the company has an office in Armenia, a no-go zone for them. (Source: LeMagIT)

On rare occasions threat actors have also chosen to avoid other targets based on the country they’re in. Famously, a Syrian father took to Twitter to plead with Coveware to mediate between him and GandCrab ransomware operators, to let him see his boys again. In an underground forum post, GandCrab threat actors decided to release decryption keys to anyone else affected by their attack in Syria. They also stated that not including Syria in the list of countries to avoid was a mistake. Their benevolence was patchy though, and targets outside Syria, including hospitals, were still considered fair game.

Why does ransomware avoid Russia?

So what’s behind ransomware’s keenness to avoid attacks inside the CIS? Although it’s possible that some ransomware gangs operate with the active cooperation of the Russian state, that isn’t the prevailing view.

The Biden administration, and many security professionals, believe that ransomware gangs are either operating with Russia’s blessing or that the country is turning a blind eye. Ransomware gangs don’t expect to face any penalty from inside the CIS, provided they avoid attacking its organizations. And since Russia has no extradition treaty with the US, the gangs operating there are also unreachable and untouchable by US law enforcement.

Put simply, ransomware is a low risk, high reward form of cybercrime, if you avoid the CIS.

The mood music is changing though, and efforts to increase the risks criminals face are underway. Even before the Colonial Pipeline attack in April, US government officials and cybersecurity experts were beginning to talk about ransomware as a threat to national security.

“Those behind these malicious activities should be held accountable for their actions. That includes governments that do not use the full extent of their authority to stop the culprits,” said Homeland Security Secretary Alejandro Mayorkas in a speech he gave on March 31.

This sentiment is also echoed by the Ransomware Task Force (RTF), a group of expert volunteers tasked with tackling the ransomware problem and finding ways to disrupt it. In its April report [PDF], the RTF urged the US government to spearhead international coordination efforts to tackle the global problem of ransomware. Among a host of recommendations, it also suggested that ransomware be viewed as a threat to national security, and that the Racketeer Influenced and Corrupt Organizations Act, otherwise known as the RICO Act, be expanded to include ransomware gangs.

On several occasions, the Biden administration has indicated it intends to aggressively go after ransomware gangs. This includes treating, investigating, and prosecuting ransomware attacks as if they were terrorism. Involving the military is also being carefully considered, according to Commerce Secretary Gina Raimondo. Meanwhile, NATO Secretary General Jens Stoltenberg told BBC Newsnight that the organization could respond to cyberattacks with military force “by air, sea, or land.”

Don’t invest in Russian keyboards

Regardless of whether ransomware—or any malware, for that matter—checks to see if its victim is in a CIS or CIS-affiliated state or not, it is worth remembering that the “big game” attacks they are used in are not automated. A level of human involvement is part of the modus operandi.

So, before you think about buying Russian keyboards, installing Russian language packs, or other weird tricks, realize that by the time a ransomware operator has put themselves in a position to attack you, they know a lot about you and your business, such as where your main HQ and satellite offices are. Trying to convince them otherwise—at any point, really—is a bit ridiculous, impractical, and a waste of effort.

Perhaps Fabian Wosar, chief technology officer of Emsisoft, said it best:

Within the ransomware hunting team, we often joke about what new "innovative" ways people will claim to be the next big fix for ransomware. One of these 8-year-old running gags kinda turned into a real recommendation recently: Changing your keyboard layout to Russian.

— Fabian Wosar (@fwosar) May 18, 2021

Our advice: Avoid weird tricks. There is no substitute for a robust strategy of defense in depth.

The post Ransomware’s Russia problem appeared first on Malwarebytes Labs.


Is crypto’s criminal rollercoaster approaching a terminal dip?

Wed, 07/14/2021 - 14:00

It’s a turbulent time in the cryptomining realm, especially for malware authors. Some big attacks and a lot of publicity have resulted in prolific groups promising to disband, even if potentially only temporarily.

Running a tight(er) ship

The mining banhammer continues to swing as China keeps putting pressure on miners to do it elsewhere. The US is tipped to become a hotspot for mining activity off the back of some of these actions, despite promises of a crackdown because of the enabling role cryptocurrency plays in ransomware attacks. India is still wondering about the ramifications of a cryptocurrency ban.

On top of all that, cryptocurrency mining away from infected desktops is suffering multiple problems. Computer part shortages are tipped to last anything up to two years. Graphics card shortages are so bad, miners are resorting to smuggling them, alongside other components.

Holding all the cards

Graphics cards are crucial for the task of mining. They’re the main source of mining muscle when it comes to making computations. In fact, large scale mining operations made up of little more than big warehouses and racks of machines crunching numbers are common. This means, of course, there are also plenty of illicit mining operations to contend with. Electricity theft, environmental impact, and the potentially dubious sourcing of equipment are all things to be considered.

Sure enough, the crackdowns keep coming.

Shutting it all down

It’s reported that Ukraine police “seized around 9,000 game consoles and computers in an illegal crypto mine”. Roughly $259,000 in electricity was stolen every month until the racket was shut down. This story has everything: Electricity meters not reflecting correct consumption, criminal proceedings in relation to electricity, thermal, and water theft, “more than 500 graphics cards” in addition to the computers and consoles…put simply, the works. The future is now, and it apparently involves drones tracking crypto thieves.

This is an astonishingly turbulent set of behind the scenes circumstances, chugging away in the background while dishonest miners try to make a living. That’s before we get to the volatile nature of Bitcoin’s value, seemingly nudged by memes and random tweets.

Throw in Vladimir Putin agreeing with Joe Biden to do something about ransomware emanating from Russia, and things feel a bit like they’re rushing towards a tipping point for criminals. No matter where miners pop up, the method of distribution is being observed, analysed, and shut down.

Ransomware’s weak link?

Back in the days when adware was at its peak, at some key point bundles became too problematic, too many people were yelling about it, too many cases went legal. In short, it was safer to abandon ship and move into other areas. Fake anti-spyware “You’re infected!” messages were everywhere at one point. In time, that style of trickery slowly became replaced by ransomware as the go-to method for fakeouts and extortion.

Arguably, ransomware couldn’t exist in its current form without pseudonymous cryptocurrencies like Bitcoin and Monero. But the transparency that gives these blockchain-based currencies their strength is arguably their biggest weakness too. Transactions are public, traceable, and available for forensic analysis forever—they’re just hard to link to individuals.

In June, the Wall Street Journal reported that the White House was “pushing to better trace ransomware payments.” At around the same time, the US Department of Justice successfully retrieved most of the ransom payment made in the Colonial Pipeline attack after tracing the passage of the payment through the Bitcoin blockchain. A week later the Cl0p ransomware gang’s money laundering operation was raided by Ukrainian police thanks to similar cryptocurrency tracing.

Ransomware payments have clearly been identified as a weak link, and while transactions on blockchains are frozen in time, the software and hardware used to analyse them improves with the passage of Moore’s law.

Ransomware gangs and scammers have had a fine old time of it up until now, but it’s becoming increasingly hard to ignore the real-world battleground cryptocurrencies find themselves in. Some of these changes and ramifications will almost certainly impact their online activities. The question is, will they weather the storm, or is the rug slowly being pulled out from under the feet of criminal cryptocurrency activity as the risk becomes too great?

The post Is crypto’s criminal rollercoaster approaching a terminal dip? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday

Wed, 07/14/2021 - 11:56

The list of July 2021 Patch Tuesday updates looks endless: 117 patches, no fewer than 42 of them with FAQs, mitigation details or workarounds listed. Looking at the severity ratings Microsoft has assigned to them, system administrators have their work cut out for them once again:

  • 13 critical patches
  • 103 important patches

You can find the list of CVEs that have FAQs, mitigations, or workarounds on the Microsoft July release notes page.

Six vulnerabilities were previously disclosed and four are being exploited in the wild, according to Microsoft. One of those CVEs is a familiar one: CVE-2021-34527, the RCE that lets any authenticated domain user run code as SYSTEM on a machine running the Print Spooler, domain controllers included, better known as PrintNightmare. Microsoft issued out-of-band patches for that vulnerability a week ago, but those were not as comprehensive as one might have hoped.

Since then, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-04, “Mitigate Windows Print Spooler Service Vulnerability”, because it is aware of active exploitation of the PrintNightmare vulnerability by multiple threat actors. The directive lists required actions for all Federal Civilian Executive Branch agencies, starting with stopping and disabling the Print Spooler service on domain controllers and on any other host that does not need it.

Priorities

Besides the ongoing PrintNightmare, er, nightmare, there are some others that deserve your undivided attention. Vulnerabilities being exploited in the wild, besides PrintNightmare, are:

  • CVE-2021-34448  Scripting Engine Memory Corruption Vulnerability for Windows Server 2012 R2 and Windows 10.
  • CVE-2021-33771  Windows Kernel Elevation of Privilege Vulnerability for Windows Server 2012, Server 2016, Windows 8.1, and Windows 10.
  • CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability for Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019.

Other vulnerabilities that are not seen exploited in the wild yet, but are likely candidates to make that list soon:

  • CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability for some Windows Server versions, if the system is hosting virtual machines, or the Server includes hardware with SR-IOV devices.
  • CVE-2021-34494  Windows DNS Server Remote Code Execution Vulnerability for Windows Server versions if the server is configured to be a DNS server.

Exchange Server

Another ongoing effort to patch vulnerable systems has to do with Microsoft Exchange Server. Flaws that were actually already patched in April have now been assigned new CVE numbers: CVE-2021-34473 (Microsoft Exchange Server Remote Code Execution Vulnerability) and CVE-2021-34523 (Microsoft Exchange Server Elevation of Privilege Vulnerability). As you may remember, a similar combination of elevation of privilege (EoP) and remote code execution (RCE) against Exchange caused quite the panic in March, when attackers used the ProxyLogon bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

If you applied the patches in April, you are already protected. If you didn’t, move them to the top of your to-do-list.

Windows Media Foundation

Two other critical vulnerabilities, and one rated important, were found in Microsoft Windows Media Foundation, the platform that applications and components use to handle digital media on Windows Vista and later. Since Media Foundation ships as part of Windows, you are advised to apply these patches; note that many of them also carry the Flash Removal Package. So do the patches for CVE-2021-34497, a critical Windows MSHTML Platform RCE vulnerability.

Stay safe, everyone!

The post Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Nope, that isn’t Elon Musk, and he isn’t offering a free Topmist Dust watch either

Mon, 07/12/2021 - 13:50

Elon Musk is an incredibly popular target for scammers and spammers on social media. Attach his name to something he has no involvement in and watch it fly. Verified accounts on Twitter continue to be favourites for account compromise / fake Elon scams. Those often turn out to be Bitcoin related. Sometimes, it’s on a grand scale.

There are other Elon scams out there, though.

Elon, word searches, and watches

Here’s one currently doing the rounds on Twitter. It’s not Bitcoin for a change, nor does it appear to exclusively be the domain of verified accounts.

What happens is this:

A Twitter account goes viral with a popular (or even semi-popular) tweet.

On almost every tweet I do that gets more than a few RTs I get this same spam image of an Elon Musk tweet with a couple of random words as the caption, always from different Twitter users. It's really bizarre! pic.twitter.com/PqLpkbkiND

— Sooz Kempner (@SoozUK) July 12, 2021

An account which is almost certainly a bot replies to the popular tweet. It doesn’t appear to post anything coherent, which is peculiar: you don’t want your fake message to loudly proclaim “I’m fake”, but we’re already perilously close in this instance. Two random words are mashed into a reply, along with a screenshot.

The screenshot appears to show Elon Musk, on Twitter, saying:

Just google “Topmid Dust Watch” and thank me later.

He hasn’t said anything of the kind, but anyone searching for this phrase will be met with…well…bafflement, for the most part.

Scrabbling in the dust

The aim of the game here is presumably to bypass spam detection, via images of bogus tweets. The very common name of the watch in this case (“Dust watch”) means the results are filled with YouTube videos and gaming articles about the popular Counter-Strike map “Dust”. As far as results regarding watches go, there are just a few scattered here and there. Easy to miss in a plethora of gaming pages and videos!

Now, we can’t say which site is tied to the spam messages on Twitter. The site responsible may already be offline. Instead, let’s outline what happens should you search for this product.

A “free” watch?

Tactics such as the above usually lead to portals “selling” the item for a grand total of $0. What you actually pay here is shipping only, calculated once you enter your address. However, you may not want to get your credit card out just yet.

This isn’t a recent marketing technique; sites giving away free stuff and “just” charging shipping have been around for years. And sites doing so-called limited time offers on shipping only watches had some attention in 2017.

What do offers really cost online?

Generally speaking, people should avoid suggestions to go search for words and/or products in the replies to social media posts. The same goes for promotions pushed by accounts you know, or even verified accounts. There’s always a chance what you’re seeing is the result of a compromise. You’ve no idea what waits at the other end of a link, or indeed a search result. It might be a slightly peculiar watch offer, or something else altogether, like phishing or malware.

If it’s too good to be true…well, you know the rest.

The post Nope, that isn’t Elon Musk, and he isn’t offering a free Topmist Dust watch either appeared first on Malwarebytes Labs.

Categories: Techie Feeds

DNS-over-HTTPS takes another small step towards global domination

Mon, 07/12/2021 - 12:28

Firefox recently announced that it will soon be rolling out DNS-over-HTTPS (DoH) to one percent of its Canadian users as part of its partnership with CIRA (the Canadian Internet Registration Authority), the Ontario-based organization responsible for managing Canada’s .ca top-level domain and a local DoH provider. The rollout begins on 20 July and continues until every Canadian Firefox user is reached in late September 2021.

This announcement came five months after Firefox rolled out DoH by default for its US-based users.

The overall purpose of this rollout is to increase the privacy of all Firefox users by encrypting DNS requests. Plain DNS requests are sent in clear text, meaning any computer they pass through is able to see which domains you’re looking up and likely visiting. This includes websites you visit over an encrypted connection, prefixed with https://. The DNS resolver the request is sent to sees the request as well; it needs to, in order to convert the domain name users want to visit into the IP address of that destination. DNS-over-HTTPS is designed to shut out everyone else.

Because a DNS request has no encryption—again, regardless of whether the website you want to visit is encrypted or not—intermediates can monitor or modify DNS requests. This means that the organization you work for, your favorite coffee shop, or your ISP, can spy on your web browsing history without you knowing or letting you know what they do with the information.

“Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives,” wrote Selena Deckelmann on Mozilla’s official blog. “We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.”

The downside of encrypting DNS

Not everyone is a fan of DNS-over-HTTPS. To many, DNS-over-TLS is a more appropriate solution to the encryption problem but its “correctness” is also its great flaw. DNS-over-TLS communication (and nothing else) happens on port 853. Your ISP, or employer, can’t spy on your DNS requests if you use DNS-over-TLS but they can block port 853 and stop you from using it, leaving you no option but to revert to the unencrypted version of DNS on port 53, which they can spy on.

DoH communication happens on port 443, the port used for https:// web browsing, so on the wire DoH requests look like any other HTTPS traffic. Your ISP or employer can’t block port 443 to stop DoH without also stopping all web browsing, and an ISP that does that will quickly find itself with no customers. (They can still block the IP addresses or TLS server names of known DoH resolvers, so “indistinguishable” holds for the port, not for the destination.)

So, from a personal privacy point of view, DoH is a clear win. But from a corporate security point of view it’s a problem. Security appliances like next-generation firewalls want to peer inside network traffic to identify threats, and DNS filtering and logging that relies on seeing queries on port 53 is bypassed entirely once the browser talks DoH. This is why Mozilla honours a “canary” domain (use-application-dns.net): if the network’s resolver answers NXDOMAIN for it, Firefox takes that as a signal that the network manages DNS itself and falls back to the system resolver, and enterprise policies can disable DoH outright.

Some are also concerned about the way DoH might centralize trust. Using DNS-over-HTTPS is similar to using a third-party VPN in that it keeps your traffic private inside an encrypted tunnel, but you have to trust the VPN vendor or DNS resolver at the end of the tunnel an awful lot. Because DoH is relatively new there aren’t many DoH resolvers. So instead of everyone’s DNS requests being fulfilled by their respective ISPs, they are sent to one of a relatively small number of DoH resolvers, operated by organizations like Google and Cloudflare.

CIRA Canadian Shield

In the case of Canadian Firefox users, their DNS resolver is CIRA. Canadian users who use DoH by default will begin seeing “CIRA Canadian Shield” as their default DNS provider. You can read more about CIRA Canadian Shield on CIRA’s official website here.

Canadian users of Firefox should expect this window, letting them know that their DNS requests are encrypted and routed through a DoH provider. (Source: Mozilla Blog)

“Protecting the privacy of Canadians is a key element of restoring trust on the internet,” says CIRA President and CEO Byron Holland in a statement, “Our goal is to cover as many Canadians as possible with Canadian Shield, and that means finding like-minded partners who share our values. We are proud to be the first Canadian participant in the Trusted Recursive Resolver (TRR) Program and are always seeking out new ways to extend the reach of Canadian Shield to enhance the privacy of Canadians.”

The post DNS-over-HTTPS takes another small step towards global domination appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (July 5 – July 11)

Mon, 07/12/2021 - 10:08
Last week on Malwarebytes Labs:

Other cybersecurity news:
  • A group of privacy-first tech companies have published an open letter today asking regulators to ban surveillance-based advertising. (Source: The Record)
  • Fake cryptomining apps, some found on the Play Store, scam $350,000 from users. (Source: TechSpot)
  • Ransomwhere has been launched as the open, crowdsourced ransomware payment tracker.
  • The hard truth about ransomware: we are not prepared. (Source: DoublePulsar)
  • Hackers leak scraped data of 87,000 GETTR users. (Source: HackRead)
  • Cyber is the new weapons system of the future. (Source: The Cipher Brief)
  • NCSC: Impersonating the taxman remained phishers’ favourite pastime. (Source: The Register)
  • Hackers use new trick to disable macro security warnings in malicious Office files. (Source: The Hacker News)
  • How fake accounts and sneaker-bots took over the internet. (Source: ThreatPost)
  • Online course provider Coursera hit with API issues, with cloud driving additional exposure. (Source: SC Magazine)

Stay safe, everyone!

The post A week in security (July 5 – July 11) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to send an anonymous email

Fri, 07/09/2021 - 16:37

Sometimes readers ask us how to send an anonymous email, or how criminals and scammers manage to send anonymous emails. This is not an easy question to answer, for starters because there are several ways to interpret it, but I’ll try to give you some information here.

Interpret the question

Sending an anonymous letter via snail mail was easy. You left out the sender address, or filled in a false one, and if there was a chance the receiver could recognize your handwriting you used newspaper clippings to construct the sentences. Snail mail had the added advantage that you could drop your message in a mailbox that gathered mail from many senders before the delivery process started, so not even the carrier had any way to identify the sender. The place of origin was hidden too, except roughly: the postmark reveals the postal district the letter was sent from, unless the sender went to the trouble of driving halfway across the country to post it.

As you can see there are a few sides even to this low-tech version of an anonymous mail:

  • No sender address
  • False sender address
  • Masking the content > encryption
  • Carrier
  • Origin masking

What is a spoofed email?

Since sending an email without a sender address can result in errors and will certainly raise suspicion, it is easier to spoof a sender address. Spoofing is sending an email with a false sender address. Spoofing an address is relatively simple, because the Simple Mail Transfer Protocol (SMTP) itself does not check the information in the “From”, “Reply-To”, or “Sender” header fields; the sender writes whatever they like there. What the sender cannot choose is the IP address of the connection they made: every server that handles the message prepends a Received header recording where it got the message from, and that is the thread investigators pull on. (Checks such as SPF, DKIM and DMARC were bolted on later to let receiving servers verify that a message really came from the domain it claims, which is why spoofing a well-protected domain is harder today than a bare SMTP session suggests.)

So, to pull off a completely untraceable spoofed email the sender will have to use a VPN to mask their IP address or use a compromised system to send the emails from. Compromised servers are popular with people running malicious email campaigns.
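As an added illustration of the two halves of that paragraph (example code, not from the original post), the following C program parses a constructed message whose From: header claims an internal sender. header_value() pulls out any header the sender chose to write, and origin_ip() walks the Received: chain from the bottom up to the address the message was first submitted from, which is the part the sender cannot fake on the server that accepted the connection. The message, the hostnames and the addresses (from the documentation ranges) are all made up for this example, as are the function names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample message (not a real capture). The From: header claims an
 * internal sender, but the Received: chain shows where the connection came from. */
const char *SAMPLE_MESSAGE =
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby inbox.example.org with ESMTPS; Fri, 9 Jul 2021 16:37:00 +0000\n"
    "Received: from [203.0.113.77] (helo=ceo-laptop)\n"
    "\tby mx.example.net with ESMTP; Fri, 9 Jul 2021 16:36:58 +0000\n"
    "From: \"CEO\" <ceo@example.org>\n"
    "Reply-To: payments@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the attached invoice today.\n";

/* Scratch buffer for callers that want to inspect results. */
char hdr_buf[128];

/* Pointer to the '\n' ending the line that starts at p, or to the terminating NUL. */
static const char *line_end(const char *p)
{
    const char *e = strchr(p, '\n');
    return e ? e : p + strlen(p);
}

/* Copy the value of the first header whose name matches (e.g. "From:") into out.
 * Returns 1 if found, 0 otherwise. Any of these values can be set by the sender. */
int header_value(const char *msg, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    out[0] = '\0';
    for (const char *p = msg; *p && *p != '\n' && *p != '\r'; ) {   /* blank line ends headers */
        const char *e = line_end(p);
        if (strncmp(p, name, nlen) == 0) {
            const char *v = p + nlen;
            while (v < e && (*v == ' ' || *v == '\t'))
                v++;                                 /* skip whitespace after the colon */
            size_t len = (size_t)(e - v);
            if (len >= outlen)
                len = outlen - 1;
            memcpy(out, v, len);
            out[len] = '\0';
            return 1;
        }
        p = (*e == '\n') ? e + 1 : e;
    }
    return 0;
}

/* Walk the Received: headers. Each relay prepends one, so the bottom-most entry is
 * the first hop: the address the message was actually submitted from. Returns the
 * number of Received: headers and copies that first-hop bracketed address into out. */
int origin_ip(const char *msg, char *out, size_t outlen)
{
    int hops = 0;
    out[0] = '\0';
    for (const char *p = msg; *p && *p != '\n' && *p != '\r'; ) {
        const char *e = line_end(p);
        while (*e == '\n' && (e[1] == ' ' || e[1] == '\t'))
            e = line_end(e + 1);                     /* unfold continuation lines */
        if (strncmp(p, "Received:", 9) == 0) {
            hops++;
            const char *lb = memchr(p, '[', (size_t)(e - p));
            const char *rb = lb ? memchr(lb, ']', (size_t)(e - lb)) : NULL;
            if (lb && rb && (size_t)(rb - lb - 1) < outlen) {
                memcpy(out, lb + 1, (size_t)(rb - lb - 1));
                out[rb - lb - 1] = '\0';             /* lower headers overwrite upper ones */
            }
        }
        p = (*e == '\n') ? e + 1 : e;
    }
    return hops;
}

int main(void)
{
    char from[128], ip[64];
    header_value(SAMPLE_MESSAGE, "From:", from, sizeof from);
    int hops = origin_ip(SAMPLE_MESSAGE, ip, sizeof ip);
    printf("Claimed sender : %s\n", from);
    printf("Received hops  : %d\n", hops);
    printf("First-hop IP   : %s\n", ip[0] ? ip : "(none)");
    return 0;
}
```

Only the Received headers added by servers you trust count as evidence: anything below the line written by your own mail server could have been pre-inserted by the sender, so in practice you read the chain from your own server’s header downwards and stop trusting it at the first hop you don’t control. That boundary is also where SPF, DKIM and DMARC checks are applied.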

How can I send and receive an encrypted email?

A very different concern is to hide the content of an email from anyone except the intended receiver. This requires some type of encryption that only the receiver can decrypt. Encrypting emails like this—known as end-to-end encryption—has historically been difficult, although the tools for achieving this kind of encryption are getting better and easier to use.

Most email is encrypted while it travels between servers, but it is stored in clear text at rest, making it readable by third parties such as email providers. There are some providers that offer end-to-end encryption and zero-access encryption to secure emails, meaning even the service provider cannot decrypt and read your messages.

If you want full control and don’t want to depend on a provider, you will need to exchange public keys (PGP or S/MIME) with the parties you want to start encrypted communications with. Once you have exchanged keys, most email clients will offer you the option to encrypt emails on a per-message basis.

How can I send an email anonymously?

I wrote a blog post on how to send encrypted mails a long time ago. Some things have become considerably easier since then. Some carriers offer you the option to send end-to-end encrypted email for free. Personally I have only tried Protonmail which allows you to come up with your own email address, and even the free version is free of advertisements. You only need to provide an existing email address if you want to use that as a recovery method in case you forget your credentials. If you do not need that option the sign-up procedure is completely anonymous.

Is ProtonMail really anonymous?

Protonmail is a secure email provider that does not solicit any information from you to use the free version, as long as you don’t choose to use the recovery option. For any legitimate use case Protonmail can be considered secure and private: for legitimate purposes it should be enough to send an encrypted email, so that the intended receiver is the only one who can read the content of the message.

Protonmail can even be used in combination with a VPN so that even your IP address remains hidden. Unfortunately this also makes the service very popular amongst ransomware peddlers who sometimes create individual Protonmail accounts for every single victim.

Can email be traced?

Even hardened criminals make mistakes, so you should always be wary of the fact that an email you sent can be traced back to you. On the other hand, it is virtually impossible for anyone to trace an email sent using all the techniques described above. As so often, it is wise to assume the worst. We have seen script kiddies who thought they could use a Gmail account to send anonymous emails. Maybe the receiver will not be able to trace it back, but the police certainly will, with some help from Google. If you need plausible deniability, don’t put it in writing. For legitimate use we hope to have handed you some useful tips.

I have received an anonymous or spoofed email. What should I do?

How you deal with any mails you receive normally depends on the content. As with any email, it is advisable to scrutinize whether the email and the sender are who and what they claim to be. If you recognize the sender but don’t trust the content, contact the sender through other means to verify they sent it. Do not send read receipts or other confirmations that you have read the mail before you are sure you can trust the sender.

You can find some tips on how to recognize and deal with unsolicited mail in this blogpost about recognizing and disposing of malicious emails and this article about phishing. If the mail has the character of an extortion email you may find our post describing what to do when you receive an extortion email helpful. Depending on where you live it may be prudent, or even mandatory, to inform the proper authorities about any extortion attempts.

The post How to send an anonymous email appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Judge drops hammer, dishes 7 years slammer for BEC and romance scammer

Fri, 07/09/2021 - 16:21

A Texas resident has finally paid the price for a heady mix of malicious mail antics. A combination of business email compromise (BEC) scams and romance fakeouts bagged them $2.2 million across roughly 6 years.

This is quite a divergent portfolio of scamming activity. You may typically assume BEC scammers, for example, stick to that as it’s their area of expertise. Did you want the fake romance department? Sorry, they’re back down the hall.

If nothing else, this case is instructive in that people running these schemes happily mix-and-match. Shall we take a look?

Business email compromise 101

Business email compromise is a simple yet potentially devastating attack aimed at organisations the world over. These begin with a phish from a stolen or spoofed company mail address. If the address belongs to someone in finance or a CFO, so much the better. The aim of the game is convincing someone to wire funds overseas. If the company has no mechanisms in place to deal with such a threat, there’s a good chance the money is gone forever.

Romance scams 101

These have been around pretty much forever. You know the score: Fake military generals promising a new life overseas, catphishing, random emails out of the blue from people who only need the cost of the airfare to fall into your arms, and so on.

Something this has in common with BEC scams is the ridiculous amount of money to be made from it. Both of these scam areas are wildly profitable for people who know what they’re doing.

So now you can perhaps see why this particular individual was so invested in dabbling in not one, but two scam tactics. With that short explanation out of the way, let’s get back to the story at hand.

What happened in Texas?

Roughly seven years of imprisonment and an order to pay $865,210.78 back to victims, that’s what.

You know how we’re always warning people about the risk to fraud victims from money laundering? That’s where an innocent party is tricked into moving money from / to accounts, without realising the money has been stolen. The innocent party, otherwise known as a money mule, is left holding the legal responsibility as the perpetrators pull strings from behind the scenes. Prison time often beckons.

Here, we have someone caught by those same rules while actively getting up to no good. According to the release, the perpetrator pleaded guilty to one count of conspiracy to commit money laundering.

Using a “fraudulent foreign passport” to open a number of bank accounts in different areas, they used them to:

…receive, launder and distribute wire transfers to coconspirators illegally receiving proceeds of BEC and romance schemes.  For his efforts, Onoimoimilin collected between 10% and 15% of more than $420,000 in fraudulently obtained funds.

New crimes, old laws

It’s frequently tricky to charge people with bad computer related activities, despite there being quite a lot of laws to cover them. Money laundering though, that’s a relatively straightforward one and legal folks understand it perfectly. If they can prove you’ve been ushering money in and out of your account in ways you shouldn’t be, rest assured a whole lot of trouble is heading your way.

Mileage may vary for how satisfying it is for victims to see this person put in prison. There’s almost certainly folks who won’t be getting their money back. Considering we’re talking about life savings and wage packets, there won’t be a happy ending for everyone. Whether we’re talking BEC or romance scams, we need to do our part to ensure we give scammers as few opportunities to strike as possible.

The post Judge drops hammer, dishes 7 years slammer for BEC and romance scammer appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How one word can disable an iPhone’s WiFi functionality

Fri, 07/09/2021 - 15:41

A researcher has found a way to disable the WiFi functionality on iPhones by getting them to join a WiFi hotspot with a weird name.

This shouldn’t be happening. The first thing you learn in coding school when it comes to input (which is literally any data a device has to do something with) is to validate it. Well, maybe not the first thing, but if you want to practice secure coding it is one of the most important things: make sure that a hacker cannot abuse your application by feeding it something it can’t digest. Like a WiFi network name.

It is not, by the way, the first time iPhones have been hit by a format string vulnerability. And I’m afraid it will not be the last.

Let’s talk iPhone

iPhones are supposedly much more secure than Android devices, but as it turns out I can disconnect your secure iPhone from any WiFi by using a simple format string vulnerability. All I would have to do is make you connect to a specific WiFi hotspot.

The magical WiFi network name (SSID) for fritzing your phone is %p%s%s%s%s%n but since the underlying issue is almost certainly the fact that  % is interpreted as a string format specifier, you can bet there are more possibilities to be found.

After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3

— Carl Schou (@vm_call) June 18, 2021

String format specifiers

In programming you often have to build text for the user out of some pieces you know in advance and some you don’t. In C and C-style languages this is done with format strings: the string contains format specifiers, and the printf family of functions replaces each specifier with the next argument it was given, interpreted as whatever type the specifier names.

A simple printf call might look like this:

printf("Malwarebytes %n rules", &c);

In this example %n is the odd one out: it prints nothing. Instead, printf writes the number of characters it has output so far into the int that the matching argument (&c) points to. “Malwarebytes ” is 13 characters, so the call prints:

Malwarebytes  rules

and leaves c holding 13. %n is the only specifier that writes to memory rather than reading it, which is what makes it so interesting to an attacker. There are many other format specifiers that do different things. They look like a percentage sign followed by a single character that specifies the type of data: %s is replaced by the string a pointer argument points to, %d by a number (a decimal integer), %p by a pointer address, and so on. Each one consumes an argument the programmer is expected to have supplied.

So you can see why a WiFi network called %p%s%s%s%s%n might cause problems if the name is handed to a printf-style function as the format string instead of as data. With no matching arguments supplied, the %s conversions dereference whatever happens to be in the argument registers or on the stack, and %n writes through one of those values. Apple’s programmers should have ensured their code treats names like that as literal percent signs and letters, not as format specifiers. It seems they didn’t.
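To make the mechanism concrete, here is an added example in C (not Apple’s code, and not from the original post) that renders a network name two ways: the vulnerable way, where the name itself becomes the format string, and the safe way, where it is passed as data to a fixed "%s" format. It also shows %n doing its legitimate job on a literal format, and a small scanner that counts conversion specifiers in a name so hostile input can be rejected before it reaches any formatter. The SSIDs in it are constructed samples, and render(), show_ssid_vulnerable(), show_ssid_safe(), count_conversions() and has_n_conversion() are names chosen for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Logging-style wrapper: like many real code bases, it forwards whatever it is
 * given to vsnprintf, so the compiler cannot see a non-literal format slip in. */
static int render(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return written;
}

/* Output buffer shared with the caller so the rendered text can be inspected. */
char demo_out[64];

/* Legitimate %n on a literal format: prints nothing, but stores the number of
 * characters emitted so far ("Malwarebytes " = 13) into the int it points at. */
int demo_percent_n(void)
{
    int count = -1;
    render(demo_out, sizeof demo_out, "Malwarebytes %n rules", &count);
    return count;                       /* 13; demo_out is "Malwarebytes  rules" */
}

/* BUG: the untrusted name *is* the format string. Every '%' in it becomes a
 * conversion that reads (or, for %n, writes) memory the caller never supplied. */
int show_ssid_vulnerable(char *out, size_t outlen, const char *ssid)
{
    return render(out, outlen, ssid);
}

/* Fix: the format is a constant and the name is an argument. '%' is now just data. */
int show_ssid_safe(char *out, size_t outlen, const char *ssid)
{
    return render(out, outlen, "%s", ssid);
}

/* Count conversion specifiers in s ("%%" is a literal and is not counted) and
 * report whether one of them is %n. Flags, width, precision and length modifiers
 * are skipped so that e.g. "%-5.2n" is still recognised as an n conversion. */
static int scan_format(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                   /* "%%" prints a single percent sign */
        count++;
        while (*p && strchr("-+ #0'123456789*.hlLqjzt", *p))
            p++;                        /* skip flag/width/precision/length characters */
        if (*p == 'n')
            *has_n = 1;
        if (!*p)
            break;                      /* string ended inside a specifier */
    }
    return count;
}

int count_conversions(const char *s)
{
    int has_n;
    return scan_format(s, &has_n);
}

int has_n_conversion(const char *s)
{
    int has_n;
    scan_format(s, &has_n);
    return has_n;
}

int main(void)
{
    /* Constructed sample names; the last one is the SSID from the tweet above. */
    const char *samples[] = { "CoffeeShop", "100% Free", "%p%s%s%s%s%n" };
    char out[64];

    printf("%%n stored %d, output was \"%s\"\n", demo_percent_n(), demo_out);

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int conversions = count_conversions(samples[i]);
        show_ssid_safe(out, sizeof out, samples[i]);
        printf("safe      : %s\n", out);
        if (conversions) {
            printf("vulnerable: refusing \"%s\" as a format (%d conversions, %%n present: %s)\n",
                   samples[i], conversions, has_n_conversion(samples[i]) ? "yes" : "no");
        } else {
            show_ssid_vulnerable(out, sizeof out, samples[i]);
            printf("vulnerable: %s\n", out);
        }
    }
    return 0;
}
```

The hostile name is deliberately never passed to the vulnerable path: with "%p%s%s%s%s%n" as the format, the %s conversions dereference whatever happens to be in the argument registers or on the stack and %n writes through one of them, which is undefined behaviour and usually a crash. Note that the scanner also flags the innocent-looking "100% Free", because "% F" is a perfectly valid conversion (space flag, F conversion). That is why the fix is to never use untrusted text as a format, rather than to filter particular sequences out of it.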

Seriousness

I can hear you thinking, so what? I would never join a WiFi hotspot with such a weird name. Well, maybe you wouldn’t, if you noticed that the name looks out of the ordinary. But the name doesn’t have to be read by you at all: anyone can broadcast an SSID, and your device will happily auto-join an open network whose name it has connected to before, without asking.

Other research has shown that the vulnerability is not only restricted to the iOS operating system, it can potentially affect the macOS operating system. The same research team found a way to construct the network name in a way that does not expose the user to the weird characters, making it look like a legitimate, existing network name.

It is not impossible that researchers will find a way to construct SSIDs that lead to remote code execution (RCE). But this will probably turn out to be too complicated: an attacker is limited by the maximum length of an SSID (32 bytes), by the limited functionality of format specifiers, and by where the format string lives. It sits on the heap, which does not give the attacker control over the pointers on the stack. Which is not to say that this method could not be used in combination with other vulnerabilities.

Recovery from testing

If you couldn’t resist testing this and now want your WiFi options back, here is how to get them: reset your iPhone’s network settings (Settings > General > Reset > Reset Network Settings), which also erases all your saved WiFi passwords. This is not a permanent fix for the issue: any time your device is affected by it, you will have to reset again.

And don’t go overboard with your testing. As this researcher has found out the reset does not work for every possible string.

You can permanently disable any iOS device's WiFi by hosting a public WiFi named %secretclub%power
Resetting network settings is not guaranteed to restore functionality.#infosec #0day

— Carl Schou (@vm_call) July 4, 2021

The post How one word can disable an iPhone’s WiFi functionality appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Malspam banks on Kaseya ransomware attack

Thu, 07/08/2021 - 16:45

The Malwarebytes Threat Intelligence Team recently found a malicious spam campaign making the rounds and banking on the ransomware attack that forced Kaseya to shut down its VSA service.

This is a classic example of an opportunistic attack: a second (potentially unrelated) threat actor or group piggybacking on another group’s attack. With Kaseya being a big name in the MSP world and the company trying to get its VSA SaaS platform back off the ground after the attack, it’s the perfect time to capitalize on organizations that are eagerly waiting for a fix for the vulnerability REvil exploited in the first place, so they can get back to business as quickly as possible.

This is a sample malspam captured by Malwarebytes experts. Note that it appears to be a reply that is part of an email thread.

The email that Malwarebytes found contains both a malicious link and an attachment, each purporting to be an update from Microsoft. The link leads to the download of a file called ploader.exe, and the attachment is named SecurityUpdate.exe. Both are Cobalt Strike payloads.

The email reads in part:

“Guys please install the update from microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya.”

The Threat Intelligence Team at Malwarebytes also noted that the location where the payload is hosted is the same IP address used in another malspam campaign that was pushing Dridex, a known information stealer. In the past, threat actors behind Dridex campaigns were also observed using Cobalt Strike.

As you may recall, Cobalt Strike is legitimate software that bills itself as “adversary simulation software.” Ransomware actors in particular are known to abuse legitimate tooling like this and make it part of their attack on target organizations during big game hunting (BGH) campaigns.

If you’re a Kaseya client, you can get first-hand updates on the VSA incident here.

It goes without saying that any and all companies affected by the Kaseya ransomware attack should only get patches straight from their vendor. Links and/or attachments sent your way, even from a trusted colleague, should be treated as suspect until you have confirmed with your vendor that a patch is available and where or how to get it. Realize that this is not the first time threat opportunists have banked on attacks like the one Kaseya experienced. Opportunists will show no mercy in targeting cyber attack victims multiple times as long as they get something out of it.

In this case, with the use of Cobalt Strike, these threat actors intend to also gain access to your already-compromised system possibly for further reconnaissance or to conduct a local, follow up attack.

Stay safe!

The post Malspam banks on Kaseya ransomware attack appeared first on Malwarebytes Labs.

Categories: Techie Feeds
