IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

A week in security (May 23 – 29)

Last week on Malwarebytes Labs:

Stay safe out there!

The post A week in security (May 23 – 29) appeared first on Malwarebytes Labs.

Firefox, Thunderbird, receive patches for critical security issues

Mozilla has published updates for two critical security issues in Firefox and Thunderbird, demonstrated during Pwn2Own Vancouver. The vulnerabilities, discovered in the Firefox JavaScript engine (shared by the Firefox-based Tor browser) relate to Firefox 100.0.2, Firefox for Android 100.3.0, and Firefox ESR 91.9.1. For users of Thunderbird, the vulnerability there is in relation to Thunderbird 91.9.91.

Additionally, there is some fallout beyond the standard versions of Firefox and Thunderbird. Users of the anti-surveillance Tails Operating System have been warned to stop using the bundled Tor browser until a fix goes live. This is because it could be potentially vulnerable to CVE-2022-1802:

This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.

This vulnerability doesn’t break the anonymity and encryption of Tor connections.

The fix for this Tails issue may not be seen until at least version 5.1. At time of writing, the expected release date for this is May 31.

The vulnerabilities

The two issues come with the following description:

CVE-2022-1802 is a critical prototype pollution vulnerability. According to Mozilla, an attacker who was able to corrupt the methods of an Array object in JavaScript via prototype pollution, could have executed malicious JavaScript code in a privileged context.

CVE-2022-1529 is another critical prototype pollution vulnerability. In this case, Mozilla says that untrusted user input was used in object indexing, leading to prototype pollution, which could have allowed an attacker to execute malicious JavaScript code in a privileged context.

Update now, if you haven’t already

Most installations of Thunderbird and Firefox will be set to update by default. If this is the case, you should already have the security fixes applied and you have nothing to worry about.

This isn’t the case for all installations, however. If you don’t have Firefox or Thunderbird set to update automatically, the fix won’t be present. As a result, you’ll need to manually apply the update.

In Firefox, navigate to Settings and then click General > Firefox Updates.

From here, select the most suitable option from Allow Firefox to:

  • Automatically install updates
  • Check for updates but let you choose to install them.

The update process for Thunderbird is much the same as Firefox. By default, it’s set to update manually, but you can select similar options to Firefox using the Advanced option in the Updates tab.

With both of these tasks accomplished, you should no longer be at risk from either CVE.

The post Firefox, Thunderbird, receive patches for critical security issues appeared first on Malwarebytes Labs.

Twitter fined $150M after using 2FA phone numbers for marketing

The Federal Trade Commission (FTC) and the Department of Justice (DOJ) have ordered Twitter to pay a $150M penalty for using users’ account security data deceptively.

The deception violates an FTC order from 2011, that bars Twitter from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.”

This penalty stemmed from a complaint the DOJ filed on behalf of the FTC against Twitter. From May 2013 to September 2019, Twitter asked users to provide an email address and contact number for security reasons, such as setting up two-factor authentication (2FA); password recovery; and for re-enabling full access to accounts thought to have acting suspiciously.

However, Twitter used it for another purpose: Targeted advertising.

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said Lina M. Khan, chairperson of the FTC, in a press release. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

On top of Twitter paying the penalty, the FTC has added new provisions to protect Twitter users in the future.

The company has been told it must notify users about its improper use of their phone numbers and email addresses, tell them about the FTC action, and explain how they can turn off personalized ads and review their multi-factor authentication settings. It is also prohibited from using the phone numbers and email addresses it illegally collected to serve ads. It will also have to provide multi-factor authentication options that don’t require a phone number.

It will also have to create and resource a “comprehensive privacy and information security program” that “protects the privacy, security, confidentiality, and integrity” of users’ data.

The press release also noted that Twitter violated the EU-US Privacy Shield and Swiss-US Privacy Shield agreements, which require participating countries to follow certain privacy protocols when legally transferring data from the EU and Switzerland.

The post Twitter fined $150M after using 2FA phone numbers for marketing appeared first on Malwarebytes Labs.

ChromeLoader targets Chrome Browser users with malicious ISO files

If you’re on the hunt for cracked software or games, be warned. Rogue ISO archive files are looking to infect your systems with ChromeLoader. If you think campaigns such as this only target Windows users, you’d sadly be very much mistaken. The attack sucks in several operating systems and even uses mobiles as bait to draw in additional victims.

Of PowerShells and ISOs

An optimal disc image (ISO) is a disk image containing everything written to an optical disc. If someone copied a DVD or CD-ROM, they may end up with an ISO. With the right software, these files can be mounted and read as if the device was reading from a physical disc.

If a malware author claims to be offering cracked or pirated versions of games or software, an ISO is frequently what’s on offer. They may be promoted on social media, video sites, game crack portals, or torrents. Sadly for would-be file downloaders, they’re frequently booby trapped with malware.

PowerShell is a way to automate tasks and comes complete with  a command line interface. It can be used by infection files to execute specific commands and get the infection ball rolling. This ChromeLoader attack combines both Powershell and ISOs to compromise systems.

How does ChromeLoader infect a device?

The flow is as follows:

  1. Bogus files are promoted on Twitter and other services. Some victims are simply grabbing the infection from rogue sites and/or torrents.
  2. Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites.
  3. Double clicking the ISO file mounts it as a virtual CD-ROM. The executable in the ISO claims to be the content the victim was originally looking for.
  4. ChromeLoader makes use of a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task and the victim is none the wiser that their browser has been compromised. At this point, search results cannot be trusted and bogus entries will be displayed to the user.
  5. As BleepingComputer notes, users of macOS are also at risk from this attack. Instead of ISO, attackers use DMG (Apple Disk Image) files, which is a more common format on that OS.

Tips to avoid ChromeLoader

  1. Searching for cracked games and software is a very risky business. Many sites promoting malware masquerading as “genuine” crack portals are hard to spot. If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices. Deep sales on games and products are fairly common. Unless it’s a brand new title, it may be worth waiting for a product-centric sale.
  2. In Chrome, Click the More icon, then More Tools -> Extensions. From there, you can see what’s installed, what is active or disabled, along with additional information about all extensions present. Google also has advice for resetting browser settings and additional clean-up methods.
  3. Keeping your security software up to date and running regular scans helps prevent this kind of attack. You should also always scan a downloaded file before making use of it.
  4. Keep in mind that rogue extensions don’t just come from bad websites or rogue downloads. The Chrome web store itself has been known to play host to bad files. Always check reviews, developer information, extension permissions and anything else of note before installing a new extension to your browser.

The post ChromeLoader targets Chrome Browser users with malicious ISO files appeared first on Malwarebytes Labs.

If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake

Our spam traps recently caught a phishing scam that neatly illustrates some of the tactics scammers use routinely to avoid both human intuition, and automatic detection.

The scam starts with an unsolicited email, of course…

A scam email posing as a message from the Post Office

The scam email is ostensibly from the Post Office, an instantly recognisable postal service brand in the UK, and it tells recipients “There is a update in your parcel. item stopped due to unpaid customs fee.” [sic] This is an echo of an extremely popular SMS scam from 2021 that told recipients they had to pay a small postage fee to release a parcel waiting for delivery.

The spelling and grammar in the email is predictably awful, and a little weird—it looks like a bad scan by an optical character reader (OCR). However, despite decades of security advice highlighting poor spelling and grammar as an enormous red flag, the fact is it doesn’t seem to hurt the scammers. So while other tactics have evolved, poor English has persisted.

As simple as it is, and as bad as it seems, the message includes a number of features that help to avoid raising suspicions:

It’s a familiar message from a trusted brand

Half the email is taken up by a giant logo for an organisation that is instantly recognisable to anyone in the UK. The scammers are building trust in the sender and telling users this is about a postal delivery, without writing a word.

They are also piggybacking on a very familiar form of email communication. Delivery companies like DHL and Royal Mail regularly bombard us with email and SMS updates about deliveries, recipients are often asked to click through to websites to track parcels, and occasionally they have to pay postage or customs fees.

The address looks good

The from address starts “PostOffice.co.uk”, suggesting it’s come from the postoffice.co.uk domain. However, that’s the Display Name, a user-friendly name that can be anything the sender wants. The address is the part in angle brackets: support@subsecure-community.zendesk.com.

Some sharp-eyed users may spot that it’s actually a zendesk.com email address, but Zendesk itself is a trusted system that’s used by big brands, and getting an email from Zendesk isn’t unusual either.

Because Zendesk is an online business, it makes setting up new accounts very easy. And because it relies heavily on email, it uses features like DKIM to minimise the chances of its emails being forged or flagged by anti-spam tools. By setting up genuine Zendesk accounts, the scammers are able to benefit from those security features, and the trustworthiness of the zendesk.com domain.

Of course criminals don’t expect their accounts to last long, and this one was quickly shut down.

The scammer's Zendesk account no longer exists

The links don’t look bad

Users who hover their pointer over the email’s links, hoping to see if they look nefarious, will be disappointed, as they’ll just see an impenetrably-complicated URL. A lot of emails use odd-looking and convoluted URLs, so it’s rare to see links that are obviously good or obviously bad, and these are unlikely to ring alarm bells.

The only oddity that might tip off knowledgeable users is that links go to Google. They look like this:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi2z4al48_3AhUDgf0HHQYWA-sQFnoECAkQAQ&url=https%3A%2F%2Fexample.org%2Fbaby-music%2F&usg=AOvVaw2RWSxL7fWRChaS7EhY5OuA

This URL in the email is borrowed from a Google search results page. Why? Because the links in Google search results pages are open redirects that can be used by anyone to create a google.com URL that will redirect to a web page of their choice. Many companies regard open redirects as a security vulnerability, but Google does not.

The web page you end up on if you click the link in the phishing email is highlighted below, although we’ve replaced the name of the compromised website with example.org:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi2z4al48_3AhUDgf0HHQYWA-sQFnoECAkQAQ&url=https%3A%2F%2Fexample.org%2Fbaby-music%2F&usg=AOvVaw2RWSxL7fWRChaS7EhY5OuA

The Google open redirect helps to hide the real URL from curious users, but it may help to hide it from automatic detection too. The open redirect on google.com uses JavaScript rather than HTTP, so automated tools that follow chains of HTTP redirects won’t reach the scammer’s website, they’ll simply stop at google.com, which returns a status of 200 OK rather than 301 Redirect.

So where does it end up? Right now, nowhere. Whatever was waiting for victims on the compromised website—malware, malvertising, a payment form, or some other equally unpleasant thing—has been removed by the site owner. All that’s left is an empty directory.

empty directory

The scammers, no doubt, have already moved on to a new compromised website, a new “burner” Zendesk account, and a different Google URL.

The post If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake appeared first on Malwarebytes Labs.

Watch out! Tinder and Grinder users targeted by cruel scammers using real abuse photos

A horrible catfishing scam is using real abuse photos in order to lure in unsuspecting victims on sites like Tinder and Grinder. Recently unearthed by Bleeping Computer, it works like this:

Boy meets good-looking girl on dating site. The longer they talk, boy notices the conversation turning into a confession of abuse, with good-looking girl providing him pictures to back up her story. Good-looking girl then asks boy to “prove” his identity using an ID service which, you’ve guessed it, costs money.

Michael (not his real name) shared screenshots of a portion of his chat records with a “beautiful trans woman” with BleepingComputer.

“I almost fell victim to a uniquely cruel catfishing scheme,” he said.

bleepingcomputer conversation copy
Michael’s chat session included disturbing images of the alleged abuse. (Source: BleepingComputer)

The woman Michael was chatting with asked that he used a third-party “ID verification” service to prove that he’s not a former sex offender, backing up her request with “evidence” of abuse she’s suffered. “Cassey Queen” directed Michael on what website to use and what to do.

From one of the sites Bleeping Computer found:

“We provide safety insurance in which both parties who are suppose to meet are being verified for safe meet up because some of our members complain that they are being harassed and sometimes ended up being robbed and beaten. We make sure that someone will be apprehended if he make some disrespectful acts.”

Many of the sites ask people to register with their card details and other information, including their full name, country of residence, ZIP code, and email address. The form where users enter their details is an HTML iframe, served by dot com sites with keysmash names. ntrfrnc.com is one of them.

ntrfrnc support wm
One of the many keysmashed dot com sites that process payment details for scammy “ID verification” sites.

There are a handful of sites with the very same site template, and they all list the same office address in Cyprus.

To verify or not to verify? No need to ask

These “ID verification” services cost victims a lot of cash.

Screenshot 2022 05 25 at 00.11.23
A sample listing of what daters would have to pay should they sign up for an ID check service. Those who sign up are also enrolled in a recurring subscription with membership options. (Source: BleepingComputer)

Additionally, all the details you give to these sites will be stored, processed, and used by these services however they like. This also means they could sell your details to third parties, use them to create synthetic profiles, or use them to pose as you online.

Users on Tinder and Grindr appear to be the targets of this scam, but keep in mind that tactics like this could easily spill over into social media sites and other watering holes that enable people to meet someone new.

Both Tinder and Grindr highly encourage their users to block and report profiles that appear to be a scam. So should you encounter one while looking for a potential date, you know what to do.

Stay safe!

The post Watch out! Tinder and Grinder users targeted by cruel scammers using real abuse photos appeared first on Malwarebytes Labs.

Update now! Multiple vulnerabilities patched in Google Chrome

Google has announced an update for the Chrome browser that includes 32 security fixes. The severity rating for one of the patched vulnerabilities is Critical.

The stable channel was promoted to 102.0.5005.61/62/63 for Windows, and 102.0.5005.61 for Mac and Linux.

Critical

Google rates vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This update patches the critical vulnerability listed as CVE-2022-1853: Use after free in Indexed DB.

Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

IndexedDB is a low-level Application Programming Interface (API) for client-side storage of significant amounts of structured data, including files. This API uses indexes to enable high performance searches of this data. While Document Object Model (DOM) Storage is useful for storing smaller amounts of data, IndexedDB provides a solution for storing larger amounts of structured data.

Each IndexedDB database is unique to an origin (typically, this is the site domain or subdomain), meaning it should not be accessible by any other origin.

Google does not disclose details about vulnerabilities until users have had ample opportunity to install the patches, so I could be reading this wrong. But my guess is that an attacker could construct a specially crafted website and take over the visitor’s browser by manipulating the IndexedDB.

Other vulnerabilities

Of the remaining 31 vulnerabilities, Google has rated 12 as High. High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate, other origins.

Another 13 vulnerabilities were rated as Medium. Medium severity bugs allow attackers to read or modify limited amounts of information, or which are not harmful on their own but potentially harmful when combined with other bugs.

Which leaves six vulnerabilities that were rated as Low. Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or a highly limited scope.

How to update

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which uses the same method as outlined below but doesn’t need you to do anything. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome up to date

You should then see the message, “Chrome is up to date”.

Affected systems:

  • Google Chrome for Windows versions prior to 102.0.5005.61/62/63
  • Google Chrome for Mac and Linux versions prior to 102.0.5005.61

Stay safe, everyone!

The post Update now! Multiple vulnerabilities patched in Google Chrome appeared first on Malwarebytes Labs.

How the Saitama backdoor uses DNS tunnelling

Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article.

Understandably, a lot of cybersecurity research and commentary focuses on the act of breaking into computers undetected. But threat actors are often just as concerned with the act of breaking out of computers undetected too.

Malware with the intent of surveillance or espionage needs to operate undetected, but the chances are it also needs to exfiltrate data or exchange messages with its command and control infrastructure, both of which could reveal its presence to threat hunters.

One of the stealthy communication techniques employed by malware trying to avoid detection is DNS Tunnelling, which hides messages inside ordinary-looking DNS requests.

The Malwarebytes Threat Intelligence team recently published research about an attack on the Jordanian government by the Iranian Advanced Persistent Threat (APT) group APT34 that used its own innovative version of this method.

The payload in the attack was a backdoor called Saitama, a finite state machine that used DNS to communicate. Our original article provides an educational deep dive into the operation of Saitama and is well worth a read.

Here we will expand on the tricks that Saitama used to keep its DNS tunelling hidden.

Saitama’s DNS tunnelling

DNS is the Internet’s “address book” that allows computers to lookup human-readable domain names, like malwarebytes.com, and find their IP addresses, like 54.192.137.126.

DNS information isn’t held in a single database. Instead it’s distributed, and each domain has name servers that are responsible for answering questions about them. Threat actors can use DNS to communicate by having their malware make DNS lookups that are answered by name servers they control.

DNS is so important it’s almost never blocked by corporate firewalls, and the enormous volume of DNS traffic on corporate networks provides plenty of cover for malicious communication.

Saitama’s messages are shaped by two important concerns: DNS traffic is still largely unencrypted, so messages have to be obscured so their purpose isn’t obvious; and DNS records are often cached heavily, so identical messages have to look different to reach the APT-controlled name servers.

Saitama’s messages

In the attack on the Jordanian foreign ministry, Saitama’s domain lookups used the following syntax:

domain = message, counter '.' root domain

The root domain is always one of uber-asia.com, asiaworldremit.com or joexpediagroup.com, which are used interchangeably.

The sub-domain portion of each lookup consists of a message followed by a counter. The counter is used to encode the message, and is sent to the command and control (C2) server with each lookup so the C2 can decode the message.

Four types of message can be sent:

1. Make contact

The first time it is executed, Saitama starts its counter by choosing a random number between 0 and 46655. In this example our randomly-generated counter is 7805.

The DNS lookup derived from that counter is:

nbn4vxanrj.joexpediagroup.com

The counter itself is encoded using a hard-coded base36 alphabet that is shared by the name server. In base36 each digit is represented by one of the 36 characters 0-9 and A-Z. In the standard base36, alphabet 7805 is written 60t (6 x 1296 + 0 x 36 + 30 x 1). However, in Saitama’s custom alphabet 7805 is nrj.

The counter is also used to generate a custom alphabet that will be used to encode the message using a simple substitution. The first message sent home is the command 0, base36-encoded to a, which tells the server it has a new victim, prepended to the string haruto, making aharuto.

A simple substitution using the alphabet generated by the counter yields the message nbn4vxa.

a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
                                                
n j 1 6 9 k p b h d 0 7 y i a 2 g 4 u x v 3 e s w f 5 8 r o c q t l z m

The C2 name server decodes the counter using the shared, hard-coded alphabet, and then uses the counter to derive the alphabet used to encode aharuto.

It responds to the contact request with an IP address that contains an ID for Saitama to use in future communications. The first three octets can be anything, and Saitama ignores them. The final octet contains the ID. In our example we will use the ID 203:

75.99.87.203

2. Ask for a command

Now that it has an ID from the C2 server, Saitama increments its counter to 7806 and signals its readiness to receive a command as follows: The counter is used to generate a new custom alaphabet, which encodes the ID, 203, as ao. The counter itself is encoded using the malware’s hard-coded base36 alphabet, to nrc, and one of Saitama’s three root domains is chosen at random, resulting in:

aonrc.uber-asia.com

The C2 server responds to the request with the size of the payload Saitama should expect. Saitama will use this to determine how many requests it will need to make to retrieve the full payload.

The first octet of the IP address the C2 responds with is any number between 129 and 255, while the second, third and fourth octets signify the first, second, and third bytes of the size of the payload. In this case the payload will be four bytes.

129.0.0.4

3. Get a command

Now that it knows the size of the payload it will receive, Saitama makes one or more RECEIVE requests to the server to get its instructions. It increments its counter by one each time, starting at 7807. Multiple requests may be necessary in this step because some command names require more than the four bytes of information an IP address can carry. In this case it has been told to retrieve four bytes of information so it will only need to make one request.

The message from Saitama consists of three parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the payload is required. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7807, giving us the message k7myyy.

The counter is encoded using the hard-coded alphabet to nr6, and one of Saitama’s three root domains is chosen at random, giving us:

k7myyynr6.asiaworldremit.com

The C2 indicates which function it wants to run using two-digit integers. It can ask Saitama to run any of five different functions:

C2 Saitama
43 Static
70 Cmd
71 CompressedCmd
95 File
96 CompressedFile
Saitama functions

In this case the C2 wants to run the command ver using Saitama’s Cmd function. (In the previous request the C2 indicated that it would be sending Saitama a four byte payload: One byte for 70, and three bytes for ver.)

In its response, the C2 uses the first octet of the IP address to indicate the function it wants to run, 70, and then the remaining three octets to spell out the command name ver using the ASCII codepoints for the lowercase characters “v”, “e”, and “r”:

70.118.101.114

4. Run the command

Saitama runs the command it has been given and sends the resulting output to the C2 server in one or more DNS requests. The counter is incremented by one each time, starting at 7808 in our example. Multiple requests may be necessary in this step because some command names require more than the four bytes an IP address can carry.

p6yqqqqp0b67gcj5c2r3gn3l9epztnrb.asiaworldremit.com

The counter is encoded using the hard-coded alphabet to nrb, and one of Saitama’s three root domains is chosen at random.

In this case the message consists of five parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the response is being sent; the size of the buffer; and a twelve-byte chunk of the output. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7808, giving us the message p6yqqqqp0b67gcj5c2r3gn3l9epzt.

Detection

Malwarebytes customers are protected from this attack via our Anti-Exploit layer. To learn more about the recent attack involving Saitama, read APT34 targets Jordan Government using new Saitama backdoor.

IOCs

Maldoc

Confirmation Receive Document.xls
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b

Saitama backdoor

update.exe
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

C2s

uber-asia.com
asiaworldremit.com
joexpediagroup.com

The post How the Saitama backdoor uses DNS tunnelling appeared first on Malwarebytes Labs.

Massive increase in XorDDoS Linux malware in last six months

Microsoft says it’s recorded a massive increase in XorDDoS activity (254 percent) in the last six months. XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group, MalwareMustDie (MMD).

MMD believed the Linux Trojan originated in China. Based on a case study in 2015, Akamai strengthened the theory that the malware may be of Asian origin based on its targets.

Microsoft said that XorDDoS continues to home on Linux-based systems, demonstrating a significant pivot in malware targets. Since Linux is deployed on many IoT (Internet of Things) devices and cloud infrastructures, we are likely to see DDoS (distributed denial-of-system) attacks from botnets that have compromised such devices.

DDoS attacks—where normal Internet traffic to a targeted server, service, or network is overwhelmed with a flood of extra traffic from compromised machines—have become part of a greater attack scheme. Such powerful attacks are no longer conducted just to disrupt. DDoS attacks have become instrumental in successfully distracting organizations and security experts from figuring out threat actors’ end goal: Malware deployment or system infiltration. XorDDoS, in particular, has been used to compromise devices using Secure Shell (SSH) brute force attacks.

XorDDoS is as sophisticated as it gets. The only simple (yet effective) tactic it uses is to brute force its way to gain root access to various Linux architectures.

As Microsoft said in the report:

“Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

microsoft xorddos attack flow
XorDDos’s attack vector (Source: Microsoft)

Security IoT devices

If you have an IoT device at home, know there are ways to secure it. Note that you may need some assistance from the company who built your IoT device if you’re unfamiliar or unsure how to do any of the below.

  • Change your device’s default password to a strong one
  • Limit the number of IP addresses your IoT device connects to
  • Enable over-the-air (OTA) software updates
  • Use a network firewall
  • Use DNS filtering
  • Consider setting up a separate network for your IoT device(s)
  • When you’re not using your IoT device, turn it off.

If you plan to get an IoT device soon, buy from a well-known brand. You’re much more likely to get assistance from your supplier in beefing up your IoT device’s security.

Stay safe!

The post Massive increase in XorDDoS Linux malware in last six months appeared first on Malwarebytes Labs.

Eerie GoodWill ransomware forces victims to publish videos of good deeds on social media

Ransomware does what the name implies: holds your files or network to ransom. Pay the authors, typically in cryptocurrency, and you may get your files back. Refuse, and the files could be lost forever or even leaked to the far corners of the net.

Sometimes creators of ransomware try different things. In this case, a proof of concept called GoodWill ransomware’s approach is to force victims into performing seemingly nice tasks instead of pay a ransom.

Hunting for GoodWill

GoodWill ransomware functions like any other, at least in terms of basic functionality. It encrypts the most common file types: videos, documents, photos, databases. Without the decryption key, you won’t be able to recover your locked files.

There’s one key difference, however. The people behind this attack want victims to get out there and do some public good. Perform three good deeds, and you get your files back. That’s right: No cryptocurrency payment, no gift card codes required.

Hoop jumping as kindness

Things quickly become a bit disturbing.

Imagine: you’ve just had your computer locked up with ransomware. You’re told you must perform three acts of kindness to get your files back. The catch: you have to film and upload these good deeds to social media. Is this already beginning to creep you out? Because it should.

To be clear: criminals are asking victims of crime to humiliate themselves on social media to recover things stolen from them.

The three “activities” that victims are asked to do in order to get their files back are as follows:

“Activity 1”

“That we all know Thousands of people die due to sleeping on the roadside in the cold because they do not have clothes to cover their body.
So, your 1st task is to provide new clothes/blankets to needy people of road side and make a video of this event.
Later post this video/photo to your Facebook, Instagram and WhatsApp stories by using photo frame provided by us and encourage other people to help needy people in winters. Take a screen shot of your post and send email to us with valid post link, later our team will verify the whole case and promotes you for the next activity.
It’s Does not costs you high but matters for humanity.”

“Activity 2”

“Thousands of poor children have to sleep hungry in the long cold nights, because those ill-fated people have no luxury to have dinner every night in this cruel world. You cannot feed them food for life, but you can give them 2 moments of happiness!
How!! Hmm, Listen. In the evening, pick any 5 poor children (under 13 years) of your neighborhood and take them to Dominos Pizza Hut or KFC, then allow them to order the food they love to eat and try to make them feel happy. Treat those kids as your younger brothers. Take some Selfies of them with full of smiles and happy faces, Make a beautiful video story on this whole event and again post it on your Facebook and Instagram Stories with photo frame and caption provided by us. Take a screen shot of your posts, snap of restaurant’s bill and send email to us with valid post link, later our team will verify the whole case and promotes you for the next activity.
Help those less fortunate than you, for it is real human existence.”

“Activity 3”

There are so many people in the world who have suffered the pain of losing their loved ones due to lack of money. Lack of money is the biggest misfortune to get medical treatment at the right time.
Hmm, what’s your duty now! Hmm, Listen again! Visit the nearest hospital in your area and observe the crowd around you inside the hospital premises. You will see that there will be some people who need certain amount of money urgently for their medical treatment, but they are unable to arrange due to any reason. You have to go near them and talk to them that they have been supported by you and they do not need to worry now, Finally Provide them maximum part of required amount. Again, Take some Selfies of them with full of smiles and happy faces,
Record Audio while whole conversation between you and them and send it to us.
Write a beautiful article in your Facebook and Instagram by sharing your wonderful experience to other peoples that how you transform yourself into a kind human being by becoming Victim of a Ransomware called Good Will.

Once the victim has performed all three tasks, they must send the links and the gang promises to “verify the whole case” and hand over the decryption keys.

No good will for GoodWill

Aside from anything else, this is incredibly invasive of people’s privacy. Do the people in the videos get a say in this? It seems they do not.

This is genuinely one of the most disturbing infection-themed attacks I’ve seen in a long time. Turning people into some sort of game show contestant, complete with performative acts of kindness which are only occurring because of blackmail, flies in the face of their alleged intended goal.

We also have no indication if the authors intend to change their tasks at a later date. Reports mention the file attempts to geolocate victims. Could we see location-themed tasks which account for differences in rules, funding, social norms? Or is it a dice-roll in terms of hoping you’re assigned tasks you’re actually able to complete?

Despite the file name, there’s not a lot to feel good about here. Asking for cryptocurrency payments to release files and hope they’re not leaked is bad. Making people upload videos of themselves performing baffling and potentially dangerous tasks feels even worse.

Malwarebytes detects GoodWill as Ransom.FileCryptor.MSIL.Generic.

ransomfilecryptormsilgenericblock 1

We are yet to see anyone being infected with the ransomware, so can only hope this never makes it off the drawing board in any significant capacity.

The post Eerie GoodWill ransomware forces victims to publish videos of good deeds on social media appeared first on Malwarebytes Labs.