Archive for author: makoadmin

Significant cyberattacks against critical targets in Europe have doubled in the past year, according to EU figures obtained by CNN. And with the announced pressure from the US against major ransomware gangs we can expect these figures to go up even more.

It’s also clear from recent attacks that the holiday season and the associated spending sprees make online retailers an attractive target for cybercriminals. Last week, we reported about UK based jewelry house Graff that was a target of Conti ransomware. But more and more European firms are showing up on the target list. Below you can see some examples from the last few days.

Angling Direct

The UK’s biggest fishing shop, Angling Direct has been hacked, with its website redirecting shoppers to an adult website. While this may seem a prank at first, there are signs that the hacker gained access to a few key systems of the company. Most people trying to access the site saw a warning like this:

On top of that, Angling Direct’s Twitter account was taken over, and it would seem that the hacker has at least some access to Angling Direct’s mail server, as they have claimed a local mail account as their own.

The company said it has brought in cybersecurity experts to tackle the problem, and alerted authorities. Angling Direct said it is too early to tell if any personal data has been compromised, but reassured customers that no payment data could have been leaked.

MediaMarkt

Dutch electronics retail giant MediaMarkt has fallen victim to the Hive ransomware group. The brick and mortar shops of MediaMarkt and Saturn, which can be found in the Netherlands, Belgium, Luxemburg, and Germany, are still open for business, as are their online shops, but the computer systems in the physical shops seem to be the ones that were encrypted. The cash registers cannot accept credit cards or print receipts at affected stores.

The systems outage is also preventing returns due to the inability to look up previous purchases. Employees were told not to use the computers in the shops, disconnect the cash registers from the network, and to refrain from rebooting systems.

While the functionality of its online shop seems unaffected, shoppers are shown a message that delivery may be delayed due to “technical problems.”

According to some sources, MediaMarkt is negotiating with the attackers about the 43 million Euro ransom (close to US$50 million) in Bitcoin.

Let’s go to Europe

For now it is hard to tell whether the increased amount of attacks in Europe is some sort of waterbed effect due to the US government’s harder stance against cybercriminals and ransomware in particular. It could be that it is simply ransomware groups expanding to new markets due to more competition among themselves and greener pastures on the other side of the pond. We have already seen a ransomware affiliate group called Lockean that concentrates on French targets.

In the ransomware industry, the time of “spray and pray” is long gone. Most of the well known groups know exactly which kind of targets they want to go after and even when the best time to strike is. So it’s not unlikely that we will see more of these attacks on online shops and large retailers with the shopping season around the corner.

For retailers it is time to shore up your defenses if you want to keep on serving your customers.

Stay safe, everyone!

The post Are cybercriminals turning away from the US and targeting Europe instead? appeared first on Malwarebytes Labs.

On what might seem a relatively calm Patch Tuesday with 55 vulnerabilities being patched, the fact that six of them were rated “Critical” and two of them actively exploited spoils the Zen factor somewhat.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

Exchange Server (again)

CVE-2021-42321: A Microsoft Exchange Server Remote Code Execution (RCE) vulnerability that is known to be exploited in the wild. This vulnerability was disclosed during the Tianfu International Cybersecurity Contest and requires an authenticated user to run arbitrary code on an on-premise Exchange Server.

Two other Exchange Server vulnerabilities, rated as “Important” are listed under CVE-2021-42305 and CVE-2021-41349. Both are Microsoft Exchange Server Spoofing vulnerabilities. The exploitation appears to be easy as the attack can be initiated remotely and no form of authentication is required for a successful exploitation. However, successful exploitation does require user interaction by the victim.

Excel

CVE-2021-42292: A Microsoft Excel Security Feature Bypass vulnerability which is also being exploited in the wild. Microsoft doesn’t suggest what effect the vulnerability might have, but its CVSS score of 7.8 out of 10 is worrying Two interesting notes in the Microsoft FAQ about this vulnerability:

• No, the Preview Pane is not an attack vector.
• The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.

Remote Desktop Protocol (RDP)

As if RDP wasn’t a big enough problem already, four vulnerabilities have been found in this widely abused protocol. Three of them are Information Disclosure vulnerabilities and one, listed under CVE-2021-38666 is a “Critical” RCE. The attack can be initiated remotely and no form of authentication is needed for a successful exploitation. It does however require the victim’s interaction.

3D Viewer

The Microsoft 3D Viewer lets you view 3D models with lighting controls, inspect model data and visualize different shading modes. Two “Important” RCE vulnerabilities in this utility have been patched in this update. They are listed under CVE-2021-43208 and CVE-2021-43209. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately. App package versions 7.2107.7012.0 and later contain this update.

Microsoft Defender

CVE-2021-42298 is a Microsoft Defender Remote Code Execution vulnerability that is rated “Critical.” Defender is designed to scan every file and run with some of the highest levels or privileges in the operating system. An attack can be initiated remotely without any form of authentication. But successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

Other patches

It’s not just Microsoft who has issued patches recently, so check you’re using the most up to date version of the below, too.

Siemens issued updates to patch vulnerabilities in in the Nucleus RTOS (realtime operating system) versions Nucleus 4 and Nucleus ReadyStart (Nucleus 3). The vulnerabilities CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 have the highest CVSS scores with 10.0, 9.9 and 9.9 out of 10 respectively.

Citrix published information about vulnerabilities that have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

Adobe made security updates available for RoboHelp Server, Adobe InCopy, and Adobe Creative Cloud.

Android published a security bulletin last week, which we discussed in detail here.

Cisco published a security advisory that mentions two “Critical” issues. One in Cisco Policy Suite Static SSH Keys, and one concerning Cisco Catalyst PON Series Switches Optical Network Terminal.

SAP has its own Patch Day Security Notes. One vulnerability listed under CVE-2021-40501 has a CVSS score of 9.6 out of 10 and the description Missing Authorization check in ABAP Platform Kernel.

VMWare’s security advisory includes one critical update for VMware vCenter Server which addresses multiple security vulnerabilities.

Intel also issued several security advisories, which are fixes or workarounds for vulnerabilities identified in Intel products.

In case you have no idea where to start, maybe our post about the CISA directive to reduce the risk of known exploited vulnerabilities will help you on your way.

Stay safe, everyone!

The post Patch now! Microsoft plugs actively exploited zero-days and other updates appeared first on Malwarebytes Labs.

Over the weekend, hackers revealed that the Playstation 5 (PS5), Sony’s latest darling, has been broken into—not just once but twice.

Fail0verflow, the hacking group notorious for breaking Playstation consoles, and Andy “TheFlow” Nguyen, a security engineer at Google and widely known in the Playstation Vita scene, both tweeted samplings of their successful PS5 hacks.

Fail0verflow announced they were able to retrieve all PS5 symmetric root keys, including a per-console root key, from the firmware itself. A root key is used to decrypt and reverse engineer the console’s firmware. A reverse-engineered firmware, of course, opens the door for creating and introducing homebrew PS5 software into the console, allowing other software and games to run in it. These homebrews will be signed with the same symmetric root keys so the PS5 can recognize them as belonging to its own. This also opens the door for finding future exploits.

Fail0verflow are yet to reveal any details about how they did the hack, but there has been speculation that they may have used a kernel exploit or carried out some “significant hardware glitching”.

Nguyen, on the other hand, was able to access the Debug Setting option of a retail PS5, something that is normally available only on hardware testkits. Wololo, the site who first wrote and published about this, said the Debug Setting option is disabled on retail consoles. “But it can be enabled on retail consoles by patching some flags, located at specific addresses in the firmware at Runtime.”

Nguyen gaining access to the usually invisible console option makes one think he likely used a PS5 kernel exploit. It remains to be seen if Nguyen’s and fail0verflow’s exploits are the same, if not similar.

We won’t be hearing any confirmation or refutation from Nguyen though, as he already pointed out in a tweet that he has no plans of disclosing the exploit he used. Fail0verflow may or may not choose to disclose either. In a blog post eight years ago, the group admitted that developing homebrew software for closed consoles no longer appeals to them. Not only does this require a great deal of work, they are also constantly at risk of litigation. To top it off, game pirates get the bank on their hard work.

So, what can we expect from these PS5 hacking revelations? A firmware patch from Sony, perhaps, which has happened before, or nothing at all. But it is interesting to think about the future of homebrew software at this point. Is the homebrew scene in the Playstation—or other consoles for that matter—dead? If so, would anyone dare take up the mantle?

The post Playstation 5 hacked—twice! appeared first on Malwarebytes Labs.

It shouldn’t be surprising that Android devices are the targets of threats like adware and other Potentially Unwanted Programs (PUPs). After all, there are millions of apps on the Google Play Store, servicing billions of monthly active users globally. And, as we have noted with Mac virus trends, platforms with rising popularity tend to attract threats.

What is adware?

Adware is a type of bothersome malware that sits quietly on your device, generating revenue for its authors through unwanted marketing campaigns. Usually, adware hits your screen with advertisements, but some adware can be sneakier.

What can adware do to Android phones?

While adware isn’t as threatening as more dangerous malware like spyware, stalkerware, or ransomware, it can be unpleasant. Most commonly, adware throws up advertisements on your screen in the shape of irritating popups. It may also hijack your browser, redirect you to different web pages, install toolbars, extensions, or plugins, and track your activity for marketers. Here are some other potential signs of an adware infection on your Android phone:

• Your phone slows down or crashes inexplicably
• Your browser slows down or crashes inexplicably
• Downloading, uploading, and browsing takes longer than usual
• You need to recharge your device more often
• Apps take longer to load or run sluggishly
• Your data usage is higher than usual
• New software is on your phone that you didn’t download or install

Of course, many of these symptoms are also signs of an aging Android device, or could be a sign of a different type of malware infection than adware. A few of these symptoms, combined with core signs of adware like popups or browser redirection, are a red flag. Check out the next section to see how to get rid of adware on Android devices.

How to remove adware and malware on an Android phone

Removing any malware from your phone requires a holistic approach. For example, even if you remove an infection with mobile device security tools, you may attract new threats if some problematic apps remain. Here are some steps that can help you remove adware from Android devices, and protect your device from future infections:

1. Use adware removal tools

The most obvious first step is to use a cybersecurity tool, such as Malwarebytes for Android, that protects against adware on Android devices. When selecting an adware removal app, ensure that it has the following traits:

• It scans and removes adware quickly.
• It’s light, doesn’t hog your system resources, and runs seamlessly in the background.
• It alerts you about suspicious apps.
• It keeps an eye on URLs and warns you against unsafe websites.
• It doesn’t create false positives to appear more valuable.

Of course, adware is just one type of malware that can infect an Android device. An exhaustive cybersecurity app will find all kinds of malware, including viruses, spyware, stalkerware, Trojans, ransomware, rootkits, and adware. So dig into the details of the app you are considering to make sure you’re protected against all of these.

It’s also a good idea to check your cybersecurity app’s reputation before you download it. For example, some cybersecurity tools were criticized for harvesting user data to supply it to marketers. There’s little point in downloading software to remove adware if it also takes a page out of the adware playbook.

2. Remove dubious apps

You can check out what suspicious apps you already have lurking on your phone by doing the following:

1. Hold down the power button on the side of your phone.
2. Tap and hold the Power Off icon on your screen.
3. Tap Safe mode to restart your device in Safe mode.
4. Tap Settings.
5. Tap Apps.
6. Select Suspicious apps.
7. Hit Uninstall.
8. Restart your phone.

3. Clean your browser

Your browser may carry data or plugins that leave your Android device susceptible to adware. Remove all unnecessary extensions, clear your browsing history, and delete stored data. You can also uninstall your browser entirely and reinstall it to start afresh.

Where do Android adware and malware come from?

Hundreds of thousands of instances of new malware are detected every day, according to some experts. The authors of malicious software include online trolls, hackers, blackmailers, thieves, and other cybercriminals. Threat actors often hide adware and other malware in shady links, untrustworthy websites, and even on apps in the official Google Play Store.

Tips to safeguard Android devices from adware

• Make sure you have security software installed.
• Keep your operating system, security tools, and apps updated.
• Only download apps from trustworthy sources.
• Even when downloading apps from Google Play Store, check reviews.
• Avoid apps that are new or ask for unnecessary permissions.
• Don’t visit untrustworthy websites.
• Avoid opening suspicious links, emails, and text messages.

The post How to remove adware on an Android phone appeared first on Malwarebytes Labs.

Smart TVs are back in the news due to the potential pitfalls of embedded advertising. It may come as a surprise to some, but these devices aren’t particularly new. As far back as 2013, security researchers were already exploring the issues related to internet connected televisions in a home environment.

In 2016, we looked at an LG brand TV which sent a variety of information related to files and viewing habits despite telling it not to. Even then, we can see similar tactics used to block ads on home video game consoles, and desktop PCs. It’s all about blocklists, and domains shut down at the router.

A privacy versus convenience mashup

Yes, it’s cool that you can control your TV with your voice and use hand gestures to change the channel. However, advertising built into the fabric of a TV is something people don’t pay much attention to. You can try and block these ads in increasingly sophisticated ways. Realistically though, most folks aren’t rushing to spin up a Pi-hole. And hey, why should they? This is the kind of problem solved by a “No, I don’t want that but thanks anyway” button.

Unfortunately, those buttons appear to be in short supply.

Today, in ad land…

The owner of a new Samsung TV noticed a huge chunk of ad space on one of the menu screens.

To be clear, the ad banner in the picture isn’t serving up brands of washing up liquid or footwear. It’s a feature which essentially lists things to watch on the device. Caveat: some of those options are paid, and there are several more general ad-specific domains requiring a block to be ad free.

It’s adverts all the way down

Smart TVs generally have multiple layers of advert options, banners, and dashboards. They may offer downloadable apps for popular streaming services or other products used to watch, or buy products unrelated to television. Whatever you do, some form of analytics/tracking is inevitable. It’s not all bad news…sort of. Certain brands will allow you to switch off many of these features. Have you ever set your Android to low power mode and watched as all the apps disabled themselves? Televisions can do the same thing.

Again, this isn’t perfect. Assuming you want to use the apps displayed, there’s going to be an element of analytics under the hood even if just specific to the app and not the television as a whole. For example: does this reference content inside the apps which are still functional, or somewhere on the dashboard unrelated to the apps?

Even the device owner doesn’t know, because they don’t currently see any ads. Is it regional specific? Or have they yet to hit the random button or screen which finally pops an advert?

All good questions, and ones which most of us don’t have answers for.

Tech downgrades as a solution

Some folks don’t want to mess around at a network level. They’re turning to other methods instead to bypass ads altogether. This is certainly one (expensive) way to do it:

Others choose to buy up so-called “hotel” televisions, which may have all internet capability stripped out of them. Even with these measures taken, there’s no real guarantee you can avoid ads and tracking. You may have an ad-free television, as far as built in popups go. But what if it’s plugged into a cable TV box from a provider who also provides your broadband? Your ISP knows what you’re doing online and also potentially what you’re watching, at a bare minimum.

You can read more about this latest round of TV advertising here. One thing is for certain: ads in the home aren’t going to go away anytime soon. People who disagree with this type of televisual promotion may wish to object via tech solutions, or downgrades, or simply buying something else instead.

Perhaps the advert revolution will not be televised.

The post Smart TV adverts put a wrinkle in your programming appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs

• Celebrity jewelry house Graff falls victim to ransomware
• Lessons from a real-life ransomware attack
• Is Apple’s Safari browser the last, best hope for web privacy?
• What is Twitch?
• Google patches zero-day vulnerability, and others, in Android
• Zuckerberg’s Metaverse, and the possible privacy and security concerns
• This Steam phish baits you with a free Discord Nitro
• BlackMatter ransomware group announces shutdown. But for how long?
• Trojan Source: Hiding malicious code in plain sight
• Update now! Mozilla fixes security vulnerabilities in Firefox 94
• Credit card skimmer evades Virtual Machines
• CISA sets two week window for patching serious vulnerabilities
• Wanted! US offer $10m bounty for ransomware kingpins

Other cybersecurity news

• New “Frankenstein” phishing kits are becoming increasingly popular. (Source: RiskIQ)
• Call center scammers use Justine Bieber and The Weeknd concert tickets as bait. (Source: ZDNet)
• Expect delivery firms to be impersonated by cybercriminals in holiday phishing scams. (Source: Tessian)
• According to a report, New Zealand residents are unaware of common cyber scams and don’t take basic precautions. (Source: IT Brief)
• CERT-France has identified the ransomware group behind attacks on French companies. (Source: The Record)
• SalesForce bug allows Outlook and Microsoft calendar events to be exposed. (Source: Varonis)
• Credential phishers impersonate Proofpoint to go after Microsoft and Google credentials. (Source: Armorblox)
• Data of Labour Party supporters in the UK were stolen during a ransomware attack. (Source: Sky News)
• Scammers bank on popularity of crypto wallets to steal cryptocurrency. (Source: Check Point)
• We experienced the first example of “insider threat by machine” when Facebook went dark for 6 hours. (Source: CSO Online)

Stay safe, everyone!

The post A week in security (Nov 1 – Nov 7) appeared first on Malwarebytes Labs.

The cybersecurity basics should be just that—basic. Easy to do, agreed-upon, and adopted at a near 100 percent rate by companies and organizations everywhere, right?

You’d hope. But the reality is that basic cybersecurity blunders continue to affect businesses of all sizes, which has led to embarrassing vulnerabilities, hacks, and attacks. And some of those very mishaps have been the focus of the Lock and Code podcast for months.

In August, Luta Security CEO Katie Moussouris told us about simple security oversights at the company that develops the popular “social listening” app Clubhouse. After poking around with the app on two separate devices, Moussouris discovered that she could easily eavesdrop on conversations without having her user icon present in a room. That same month, hacker Sick Codes told us about how he and roughly 10 other hackers gained extensive reach in just a few days into John Deere’s data operations center, revealing data about farms, farm equipment, and the equipment’s owners. And in July, the chair of the Dutch Institute for Vulnerability Disclosure Victor Gevers told us that he and his organization had found “seven or eight” zero-days in the popular managed service provider tool Kaseya VSA. What’s worse is that Gevers said that he and his volunteers had been finding similar vulnerabilities in many remote networking tools for months.

About these flaws, Gevers said: “I am sorry, but these vulnerabilities—these are not advanced. Not advanced at all.”

The big problem about these vulnerabilities is that, because they are so basic, they are so easy to abuse.

The zero-days that Gevers and his team found in Kaseya VSA led to one of the most catastrophic ransomware attacks in recent history. A failure to differentiate user passwords on a remote access tool used by a Florida water plant likely led to the attack on that plant’s chemical treatment facilities, and though the attack was caught and prevented, it was still a bit worrisome. And when the meat supplier JBS was hit with ransomware, even though it reportedly had backups in place—which are the single most effective defense against ransomware—the company still chose to pay $11 million to its attackers for a decryption key.

Many of these problems could have been prevented—or at least better mitigated—if the organizations in question had a better grasp on the cybersecurity basics. As our guest on today’s episode of Lock and Code explains, there are huge risks in failing to get these basics right. Jess Dodson, who described herself as a “recovering Windows systems administrator” (ha), said:

If you are not doing these things, I would say that there is a high chance that you already have a threat actor in your environment. That is the risk.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Dodson about what are the most commonly-missed cybersecurity basics, which are the most foolish ones to get wrong, and why do we keep failing at what we can all agree is, after all, pretty basic stuff.

Tune in to hear all this and more on this week’s Lock and Code podcast, by Malwarebytes labs.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why we fail at getting the cybersecurity basics right, with Jess Dodson: Lock and Code S02E21 appeared first on Malwarebytes Labs.

We’ve seen quite a few complaints from gamers this past weekend, unable to load up and play games on the Steam platform. The problem wasn’t hackers, or DDoS attacks, or anything else. Rather, the issue is something bundled with the game by default designed to keep titles “secure” from tampering. When something simple is overlooked, the fallout can be significant and that’s what we’re going to dig into.

What is Digital Rights Management?

This is something generally designed to protect copyrighted works or certain types of hardware. You’ve almost certainly encountered it going about your daily business. If you bought MP3 files from a music store but were unable to copy the files to different drives, or they only used the store’s own music player? That’s DRM. If you tried to copy a DVD and were prevented? That too is DRM.

If you tried to pirate a video game and all your attempts were thwarted? That is most definitely DRM. There’s been lots of somewhat peculiar DRM tactics in gaming land down the years. Who could forget Monkey Island’s Dial-A-Pirate? With always-on internet, things aren’t quite so peculiar anymore. Everything is typically done with software and digital/hardware identity verification.

The many forms of DRM

There are many different types of DRM for video games. Some of them are called plain old DRM. Others may be anti-tamper, or anti-cheat. Some might be a combination of all three.

One company, Denuvo, doesn’t want to be seen as DRM, and emphasizes the anti-tamper approach. Eventually, everything gets cracked. It’s one of those inevitable happenings. At that point, the DRM/anti-tamper/anti-cheat people go back to the drawing board. They then come back with something designed to last a little longer. And on it goes.

Still, whether you call it DRM, or anti-tamper, or anything else: if something goes wrong, the game(s) may not work for a while. Sometimes there are hotly contested claims about game performance, or degradation of certain types of hard drive. No matter your own opinion on these issues, if the game has something bundled in as DRM/anti-tamper, you’re stuck with it. Unless the developer relents and you don’t intend to sail the piracy high-seas, it’s a case of learning to live with the additions.

What happens when the additions fall over?

DRM additions to games have been in the news recently. Roughly 50 games broke on the new Alder Lake CPUs due to Denuvo tech not being compatible. The software saw two types of cores running and assumed they were from different PCs instead of the same processor. At this point the game would exit or crash out because the protection software thought someone was trying to run the game on two PCs sharing the same game key.

This is most definitely not optimal, and can only be addressed by workarounds and/or official patches, all of which takes time. However, things can definitely get worse.

When things get worse

There were multiple reports of games suddenly breaking, or not being bootable on Sunday. The key factor between all the titles affected was that they used some form of Denuvo. For example, Back 4 Blood uses the anti-tamper system. So what happened to these games?

Expiration notice

Well, it definitely wasn’t hackers or some form of shenanigans.

DRM or anti-tamper systems will usually validate the install of a game on a PC the first time it runs. It may also do something similar anytime the game or the operating system updates, or you install the game onto another PC. Some games will only allow you to install on a handful of systems simultaneously. They may go down a different route and grant you a certain number of installs. Once you use them all up, you might have to contact the game developer for a new batch of installs, or re authenticate your account.

Why did so many games apparently break at the weekend? Fingers are pointing at a domain registration snafu. It seems as though a URL used for some form of authentication wasn’t renewed. It likely entered a form of grace period and then once it passed, everything stopped functioning as expected.

While this state of affairs existed, many games simply wouldn’t work anymore. It didn’t matter if the games in question were single or multiplayer titles. The domain in question has now been updated and games are working again, so that’s good news. Those of a nervous disposition may wish to pretend the new expiration date has been set years in advance, instead of 2022.

What could possibly go wrong…

The post Multiple video games break after domain name snafu appeared first on Malwarebytes Labs.

The US State Department is offering a massive $10 million reward if you can help bring DarkSide to justice.

The U.S. Department of State announces a reward offer of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group.

And they aren’t just after the ransomware group members.

The State Department is also offering a reward of up to US $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident. An incentive that seems to be aimed at capturing the affiliates that penetrate victims’ networks with the goal of deploying the ransomware later on.

The Department of State manages two US government programs that offer rewards of up to $25 million for information leading to the arrest and/or conviction of members of significant transnational criminal organizations and the disruption of other forms of transnational organized crime. 

DarkSide

DarkSide is thought to have originated in the Russian Federation and/or Ukraine, and was first observed in the wild in August 2020 and is thought to be a product of the FIN7 group.

DarkSide has targeted many organizations in almost every vertical in the Middle East, Europe, and the United States, but it is most notorious for its role in the attack on the Colonial Pipeline. The attack in May 2021 triggered a shutdown of the largest fuel pipeline on US east coast, which sparked a new urgency in the US government’s determination to tackle ransomware.

DarkSide ransomware was sold using the Ransomware-as-a-Service (RaaS) distribution model, so attacks were carried out by affiliates. Like many other modern ransomware families, DarkSide was mostly manually-operated. This means that the ransomware was executed by an actual person behind the screen, after they had successfully infiltrated a target network. Such attacks focus on extracting enormous ransoms from a relatively small number of victims, rather on extracting small ransoms from large numbers of victims, as was more common in the past.

Threat actors can spend weeks or even months inside victims’ networks before running the ransomware; moving laterally, scouring the entire network, elevating their privileges, deleting backups, and leaving backdoors in vulnerable systems. When an attacker has administrator credentials, and access to business-critical systems, they deploy DarkSide.

The DarkSide ransomware group called it quits after some of its servers and Bitcoin accounts were seized, and its DarkSide Leaks blog was shut down. This was believed to be the work of either the US government, local law enforcement, or other gangs looking to profit from DarkSide’s downfall.

Soon after, a new ransomware group who called themselves BlackMatter surfaced on the dark web, which was generally seen as the latest flavor in a long lineage of RaaS providers. Recently, the BlackMatter ransomware gang announced they are going to shut down their operation, citing pressure from local authorities.

Motives for the reward

One question that immediately popped into my head, is why they would offer such a reward for members of an organization that, officially, no longer exists?

Officially, the press statement tells us that in offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cybercriminals. On top of that, it mentions the Colonial Pipeline incident as a prime example for how disruptive these ransomware attacks are.

But, given the timing and the unlikelihood of ever apprehending one of the key players, it stands to reason to speculate about possible other motives. One way to disrupt the ransomware industry might be to feed the growing distrust between groups and their affiliates.

With the recent announcement that BlackMatter is about to shut down its operation, and many security professionals expecting it to re-surface under yet another new name, you can imagine that having a price of $10 million dollars on your head might slow you down a bit. Not just because it becomes harder to trust new partners, but also because it might scare potential new partners away.

By creating unrest and spreading disinformation among ransomware groups and their affiliates, the US government can hope to slow down operations. And by going after the key players of the group and their affiliates, they may instigate some caution in the operators at the moment when they pick a target.

The size of the reward is perhaps a counterweight to the enormous ransoms feeding the ransomware epidemic. The ransomware model is so profitable that smaller rewards may not be enough to attract an insider willing to snitch.

Should you manage to cash in that reward, don’t forget where you read about it first.

Stay safe, everyone!

The post Wanted! US offers $10m bounty for ransomware kingpins appeared first on Malwarebytes Labs.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued binding directive 22-01 titled Reducing the Significant Risk of Known Exploited Vulnerabilities. This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-parties on an agency’s behalf.

One of the most welcomed of the required actions set forth in the directive is that CISA will keep a catalog of vulnerabilities alongside timeframes in which they must be remediated. According to the plan, this catalog will list only the most important vulnerabilities that have proven to pose the biggest risks.

The scope

In the US, a binding operational directive is an instruction that federal, executive branch, departments and agencies have to follow. They also provide a strong indication of the kind of cybersecurity measures that CISA thinks are important, which other organizations may wish to follow. (It’s also easy to imagine that what’s required of federal agencies today may be required of the vast web of suppliers to federal agencies tomorrow.)

To that end, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments review and monitor its catalog. CISA has done the hard work of identifying what should be patched first, and anyone who follows its guidance is likely to find their security and resilience posture improved.

The reason

It will come as no surprise that the continued cyberattacks against US entities are the reason for this directive: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”

Many of the attacks against US organizations rely on vulnerabilities that could have been patched months or even years ago, but haven’t been. For example, earlier this year CISA issued a joint advisory with the FBI and NSA urging US organizations to patch five old vulnerabilities from 2018 and 2019 that were regularly exploited by the Russian Foreign Intelligence Service.

The idea is that better patch management, supported by the prioritization provided by the CISA catalog, can prevent future attacks.

The rules

The required actions are pretty simple and straightforward—to read at least. Execution of the rules may prove to be more difficult. The rules are:

• Plan. Organizations have 60 days to come up with a vulnerability management plan.
• Execute. CISA is giving notice that the clock is running on vulnerabilities it cares about. The affected departments and agencies have six months to fix anything with a CVE issued before 2021, and two weeks to fix everything else.
• Report. Organizations have to report on the status of vulnerabilities through the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard.

While 6 months may seem a long time for the CVE’s prior to 2021, that doesn’t mean they are less important than this year’s vulnerabilities. The grace period may reflect the difficulty that organizations have already had in fixing older bugs, or the fact that “everything prior to 2021” is just a much longer period of time than the ten months of 2021. After six months is up and all those vulnerabilities are fixed, presumably everyone will be on a much shorter lease, with just two weeks to fix anything CISA deems serious enough to put on its list.

In some cases the catalog already lists a vulnerability with a due date in the past, such as CVE-2019-11510. In August, 2019, scans performed by Bad Packets found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510, four months after a patch became avaiable. Over 5,000 of those were in the US, including military, federal, state, and local government agencies—and this was after advisories have been issued by the NSA and the NCSC.

The notes column for this CVE references CISA’s ED 21-03 for further guidance and requirements. In that Emergency Directive you will find the due date of April 23rd of 2021. So, it was already required to be patched for organizations that are bound to follow emergency directives.

Patch management

Because patch management has proven to be a challenge, having a catalog to fall back on when you are looking for prioritization rules can be very helpful. On the other hand, by telling organizations what needs to be done, inadvertently they may skip necessary patches, simply because they were not listed. Or worse, they were listed but the people responsible for patching didn’t find them.

Either way, if this is a first step in setting up a compliance program, where all the vulnerabilities that are used in the wild get patched within two weeks we will certainly welcome it. We have seen the impact of, for example, the disclosure rules set forth by Google’s Project Zero on the generally accepted rules for responsible disclosure, and would love to see this directive have a similar effect on the average patching speed.

Stay safe, everyone!

The post CISA sets two week window for patching serious vulnerabilities appeared first on Malwarebytes Labs.