
Shining a light on dark patterns with Carey Parker: Lock and Code S02E09

This week on Lock and Code, we speak to cybersecurity advocate and author Carey Parker about “dark patterns,” which are subtle tricks online to get you to make choices that might actually harm you.

Dark patterns have been around for years, and the tricks they’re based on are even older. Ever bought a pretty much useless concert ticket warranty? Ever paid for 12 months at a gym when you were really just interested in a trial membership? Ever been fooled into spending just a little more money than you planned?

Well, those tricks exist online, too, and they often show up as subtle visual cues that make you think one option is better for you than another. But, lo and behold, the option that looks appealing to you might actually be the option that best serves the company. You could be tricked into staying subscribed to a newsletter. You could find it exceedingly difficult to delete an account entirely. And you may be signing away your data privacy protections without even knowing it.

But, as Parker helps explain in today’s episode, even those lowered privacy protections are a means of making money for some of today’s largest social media companies:

“They want to know as much about you, they want to know about everyone you know, so they use dark patterns to trick you into providing way more personal data than any sane human would ever want to provide. And that’s how they make more money.”

Tune in to learn about dark patterns—how to spot them, what any future fixes might look like, and what one company is doing to support you—on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Shining a light on dark patterns with Carey Parker: Lock and Code S02E09 appeared first on Malwarebytes Labs.

A doctor reveals the human cost of the HSE ransomware attack

“It’s cracking, the whole thing.”

The words were delivered quickly, but in a thoughtful and measured way. As if the person saying them was used to delivering difficult news. Little surprise, given they belonged to a doctor. But this doctor wasn’t describing a medical condition—this was their assessment of the situation on the ground in the hospital where they’re working today, in Ireland.

Since May 14, Ireland’s Health Service Executive (HSE) has been paralysed by a cyberattack. In the very early hours of Friday morning, a criminal gang activated Conti ransomware inside HSE’s computer systems, sparking a devastating shutdown.

Government officials were quick to reassure people that emergency services remained open and the country’s vaccine program was unaffected. The story echoed around the world, and then, outside of Ireland at least, the news moved on. Just as it had moved on from the Colonial Pipeline attack that preceded HSE, and the attack on AXA insurance that followed it.

But the HSE attack isn’t over.

Daniel (not his real name) sat with Malwarebytes Labs on condition of anonymity, to explain how this cyberattack is continuing to affect the lives of vulnerable patients, and the people trying to treat them. Throughout our interview he speaks quickly, but with control and understatement. He has the eyes and slightly exaggerated movements of somebody substituting adrenaline for sleep.

A 21st century health system runs on computers, but the computers in Daniel’s hospital have notes on them saying they cannot be used, and should not be restarted. While those computers are dormant, simple things become difficult; everything takes longer; complex surgeries have to be cancelled.

Daniel told us that before the attack he would go through a system linked to HSE for each of his appointments, looking for GP referrals by email, checking blood results, accessing scans, reading notes linked to each patient. That is gone now.

“Before surgery I review [each patient’s] scans. Or even during the surgery. Legally I have to look at the scans.”

“I can’t even check my hospital mail. Our communication with everyone has been affected… They can’t ring me. The whole thing is just breaking apart.” Data protection rules under the GDPR, which exist to protect patients’ data, mean he cannot use his personal email or other messaging systems for hospital business. A generation of staff raised on computers are back to pen and paper. “You don’t know who’s looking for who, who wants to see who.”

I ask him how he first learned about the attack and he tells me about coming to work on Friday totally unprepared for what he’d encounter. The only nurse he sees asks “did you hear?”. He had not. The systems he relies on to stay informed aren’t working. “I didn’t get a heads up. All computers are not allowed to be touched. Do not restart.”

He describes how uncertainty hung over them, until at midday he had to tell a patient who had been waiting for surgery since 7 am that the day’s operations were cancelled. “She’s been fasting. With her stress up I had to tell her to go home.”

The staff are in the dark. “We were optimistic it would get done over the weekend. We thought it might get done the same day. Then we thought maybe Monday.” It has been this way since Friday and he is not optimistic that it will be sorted any time soon. “There is no official timeline but we’re thinking it will take at least a week or so. We are not optimistic about it.”

As he says this to me all I can think about is a statistic from the recent Ransomware Task Force report. According to the report, the average downtime after a ransomware attack is 21 days. The time to fully recover is over nine months. I can’t bring myself to mention it.

I ask him about the impact on patients.

“I have to tell patients, sorry I can’t operate on you. You’ve been fasting, you came a long distance, you rescheduled things to make time for me, maybe you have had to come off work. After all this I have to say sorry, I can’t see you.”

“I’m dealing with patients lives here. It’s not something you can take lightly. You either do it right or you do it wrong, and if you do it wrong you’re harming somebody.”

But not harming people requires access to information he no longer has. Delays can be life threatening. “If I reschedule a patient and they come back a few weeks or a few months later with a tumour that I couldn’t assess from the paperwork…”, he stops there. He doesn’t need to finish the thought. Those that don’t get worse while they’re delayed are still suffering too. They will stay that way until they can be seen.

And it’s obvious from my conversation with Daniel that it isn’t only the patients who are being put at risk. There are grinding, corrosive effects on the hospital staff too. Everything takes longer, which requires more work, and nobody knows when it will be over.

It is a wicked burden for a medical profession that has spent the last year grappling with a once-in-a-century pandemic. “Our backlog just became tremendous”, Daniel says, before explaining that over the last few months he and his colleagues have performed surgeries at nighttime and weekends to work through the backlog of operations and appointments delayed by the response to COVID.

And now there is another reason to work late.

Because of the ransomware attack, he must put in hours of extra effort after his day’s work is done just to determine which of tomorrow’s appointments he will have to cancel for lack of information. And then he must deal with those anguished, sometimes angry patients, telling them their appointment cannot go ahead.

“Imagine the scenario,” he says. “Patients will wait literally two years to see us. After two years they get a call saying ‘I’m sorry I can’t see you and I have to reschedule you and I can’t say when, because of the ransomware’. They know it’s not my fault but they are upset and very annoyed.” Daniel’s understatement kicks in. “They teach us ways to speak to angry patients, but it’s not nice.”

And hanging over all these interactions is the spectre of litigation. Whichever way he turns, his decisions have consequences and his decision making process is in tatters.

I ask him if he thinks they should pay the ransom (the Irish Taoiseach does not think so). I am expecting rage and anger. A defiant “no”. I am projecting. His first thought is for the health of the people being denied care.

“I think they will pay the ransom. I don’t think there is another way around it. The pressure will build up, they will have to do what has to be done. This can’t go on. This is disastrous.” If it was his decision, would he pay? “I would. There is no money you can pay to take somebody’s life away. I would make my system more robust so this doesn’t happen again.”

I ask him if there’s anything he’d say to his attackers if he could.

“If your loved one was sick. Would you do this? If you had somebody you cared about, would you do this to them. That’s what I’d ask them.”

“I think they lost their humanity.”


Android patches for 4 in-the-wild bugs are out, but when will you get them?

In the Android Security Bulletin of May 2021, published at the beginning of this month, you can find a list of roughly 40 vulnerabilities in several components that might concern Android users. According to information provided by Google’s Project Zero team, four of those Android security vulnerabilities were being exploited in the wild as zero-day bugs, that is, before patches were available.

The good news is that patches are available. The problem with Android patches and updates though is that you, as a user, are dependent on your upstream provider for when these patches will reach your system.

Android updates and upgrades

It is always unclear for Android users when they can expect to get the latest updates and upgrades. An Android device is a computer in many regards and it needs regular refreshes. Either to patch against the latest vulnerabilities or when new features become available.

An update is when an existing Android version gets improved, and these come out regularly. An upgrade is when your device gets a later Android version. Usually a device can function just fine without getting an upgrade as long as it stays safe by getting the latest updates.

Depends on brand and type

Google is the company that developed the Android operating system (which is built on the Linux kernel) and the company also keeps it current. It is also the company that creates the security patches. But then the software is turned over to device manufacturers, who create their own versions for their own devices.

So when, or even whether, you get the latest updates depends on the manufacturer of your device. Some manufacturers’ devices may never see another update because Google is not allowed to do business with them.

The critical vulnerabilities

In a note, the bulletin states that there are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663, and CVE-2021-28664 may be under limited, targeted exploitation. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. The four that may be being abused in the wild are:

  • CVE-2021-1905 Possible use after free due to improper handling of memory mapping of multiple processes simultaneously, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
  • CVE-2021-1906 Improper handling of address de-registration on failure can lead to new GPU address allocation failure, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
  • CVE-2021-28663 The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.
  • CVE-2021-28664 The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0.

A use after free (UAF) like CVE-2021-1905 is a memory-safety bug caused by incorrect handling of dynamic memory: a program frees a block of memory but keeps using a pointer to it. Because the freed block can be handed out again for other data, an attacker who can influence what lands there can corrupt the program’s state, and when the bug sits in a kernel GPU driver, as these do, that typically means privilege escalation.

Snapdragon is a suite of system on a chip (SoC) semiconductor products for mobile devices designed and marketed by Qualcomm Technologies Inc.

Arm Mali GPU is a graphics processing unit for a range of mobile devices from smartwatches to autonomous vehicles developed by Arm.

Mitigation

You can tell whether your device is protected by checking the security patch level.

  • Security patch levels of 2021-05-01 or later address all issues associated with the 2021-05-01 security patch level.
  • Security patch levels of 2021-05-05 or later address all issues associated with the 2021-05-05 security patch level and all previous patch levels.

We would love to tell you to patch urgently, but as we explained, this depends on the manufacturer. Users of older devices that no longer receive monthly security updates may not be able to install these patches at all.

Stay safe, everyone!


Apple confirms Macs get malware

Anyone following the court case between Epic and Apple is undoubtedly already aware of the “bombshell” dropped by Apple’s Craig Federighi yesterday. For those not in the know, Federighi, as part of his testimony relating to the security of Apple’s mobile device operating system, iOS, stated that “we have a level of malware on the Mac that we don’t find acceptable.”

This, of course, broke the internet.

Years ago, Apple promoted the idea that Macs don’t get viruses, as part of a flashy series of Get a Mac ads featuring Justin Long as a Mac and John Hodgman as a PC.

The irony of this 180 degree turnaround has caused a huge amount of snide commentary. Of course, these ads last played more than a decade ago, and things have changed significantly between then and now, so this isn’t exactly a sudden change of heart.

On the contrary, we should not be surprised by this. Apple’s actions over the last ten years speak volumes. It has implemented increasingly strict code signing requirements as a means for controlling some malware. It implemented Notarization requirements as a means of checking apps distributed outside the App Store for malware. (One could argue about the efficacy of these measures, but the intent is clear.)

Another recent addition is a series of access restrictions that must be approved on a per-app basis, such as access to the Documents or Desktop folders. (Ironically, there was a similar security feature in Windows that Apple mocked in another of the Get a Mac ads.) Admittedly, Apple really only talks about the privacy aspect of these restrictions, but the security aspect is pretty obvious.

Apple also implemented a new EndpointSecurity framework in macOS 10.15 (Catalina), in order to better support third-party antivirus software that—until then—was reliant on ageing, deprecated functionality provided by macOS. This was essentially an official acknowledgement from Apple that Macs get malware, and that there is a need for third-party antivirus software for the Mac.

It has also recently started adding notes to its security update release notes disclosing when it is aware that a fixed bug has been actively exploited in the wild by malware.

[Image: macOS Big Sur 11.3.1 release notes]

All this and more shows very clearly that Apple has been aware of the malware issue for a long time. It may not make a lot of public statements acknowledging the malware problem, but actions speak louder than words. In the end, this all boils down to mocking Apple for publicly acknowledging something it has been mocked for years for not acknowledging. The irony!

Is a macOS lockdown imminent?

Not all of the hot takes out there have to do with mocking Apple. Others are taking Federighi’s words in a different light. By pointing out the weaknesses in macOS as a means for illustrating the security of iOS, some fear this is a sign that Apple intends to lock down the Mac in the same way that it has iOS.

However, this also isn’t indicated by Apple’s actions. First, consider Notarization, which is intended to curb distribution of malicious apps outside the App Store. Its efficacy can be called into question, since many pieces of malware have managed to get a clean bill of health from the Notarization process, but that’s not the question here. If Apple’s intent were to shove all developers into the App Store, why would they spend time, effort, and money on an attempt to improve the user experience with apps distributed outside the App Store?

Another point to consider is the EndpointSecurity framework. Apple has put a lot of effort into this. It had conversations with security companies to find out what they needed. It did a great job of implementing something that was able to deliver what was requested, and it spent time bringing antivirus developers to Apple HQ to teach them how to use the new framework.

Antivirus software on iOS is impossible, due to Apple restrictions. So, if it had plans to lock down macOS in the same way, why would it spend all that time, effort, and money on better supporting antivirus software? It doesn’t make sense.

If you still need convincing, just consider Federighi’s own words during his testimony. He said that an iOS device was something that anyone—even an infant—could operate safely. He compared the Mac to a car, something that could be operated safely but that required caution, saying, “You can take it off road if you want, and you can drive wherever you want.”

This, to me, embodies what I perceive to be Apple’s stance on macOS and iOS. The Mac is the workhorse, used to really get things done and “go off road.” It’s the only platform it supports for writing both Mac and iOS apps. There would be no iOS if not for the Mac. The Mac is for those who “think different,” while the nature of iOS does not encourage that.

The future of macOS?

Obviously, I don’t represent Apple and all I can do is speculate based on evidence at hand. That said, I don’t see any reason to think that macOS is going down exactly the same road as iOS. That also means that we will likely continue to have problems with malware on macOS. As long as there is money to be made from increasing numbers of Macs, creators of malware will continue to target Macs.


Pega Infinity patches authentication vulnerability

Security researchers came across a Pega Infinity vulnerability through participation in Apple’s bug bounty program, after focusing on vendors that supplied technology to Apple. By using Burp Suite—an integrated platform for performing security testing of web applications—the security researchers discovered a weakness in Pega Infinity’s password reset functionality that could allow an attacker to bypass authentication and, from there, fully compromise the instance.

Pega Infinity and Pegasystems Inc.

Pega Infinity is a popular enterprise software suite that provides customer service and sales automation, an AI-driven customer decision hub, workforce intelligence, and a ‘no-code’ development platform.

Pegasystems Inc. is an American software company based in Cambridge, Massachusetts. Founded in 1983, Pegasystems develops software for customer relationship management (CRM), digital process automation, and business process management (BPM).

Public facing

As with any customer relationship management (CRM) tool, these systems are largely public facing and aren’t necessarily designed to be run internally. Pega’s customers can be found in every sector and at the time of reporting, some of the customers included the FBI, US Air Force, Apple, and American Express. For example, using Pega, the FBI created a public-facing website that acts as an interface for all registered firearms dealers. When an individual attempts to purchase a firearm, an authorized user is able to securely log in and quickly submit a background check request to the FBI.

A patch is available

Pega was quick to work with the researchers to patch the vulnerability, though it needed time for customers running Infinity on-premises to update their installations before details were published. This process, one of the researchers said, took over three months. One of the perks of running this type of software in the cloud is that Pega could push the patch out to its cloud-based customers itself.

CVE-2021-27651

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability was assigned CVE-2021-27651. With the description:

“In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.”

Proof of concept (PoC)

There are several PoCs readily available, including complete videos on YouTube, so users of the Pega Infinity enterprise software platform are being advised to update their installations. The proof of concept demonstrates how an attacker could bypass Pega Infinity’s password reset system. Attackers could then use the reset account to fully compromise the Pega instance, through administrator-only remote code execution functionality.

Version dependent updates

Pega advises its on-premises clients to review the table in its security advisory to determine which hotfix corresponds with their Pegasystems installation. Once they have determined the appropriate hotfix ID, they can submit a hotfix request in the Pega support portal. Pega Cloud environments running the relevant Pega versions are being proactively remediated by Pega.

Stay safe, everyone!


Royal Mail phish deploys evasion tricks to avoid analysis

Royal Mail phish scams are still in circulation, and they are slowly upgrading their capabilities with evasion techniques more usually deployed in far more sophisticated malware attacks.

Often, the quality of sites we see varies greatly. Many fake Royal Mail pages are cookie-cutter efforts existing on borrowed time. The operators know their scam is a case of here today, gone tomorrow. These bogus pages are often taken down quickly by hosts. As a result, many exist in an effort-free zone of “graphic design is my passion”.

Sometimes these sites will lift bits and pieces from the official pages they happen to be imitating. This can take the form of stolen image files, and in other cases they’ll simply hotlink the live images or design instead.

But what we haven’t seen while digging into these fake portals is a smattering of what looks to be researcher deterrents. That is until now.

Shutting down the investigation

Malware authors often obscure the inner workings of their code, or prevent files from executing inside a virtual machine. A lot of analysis is done inside VMs, because it’s cheaper and less time consuming than infecting a “real” PC and then rolling everything back. This is why malware frequently looks for clues that it’s sitting inside a virtual environment, and then refuses to do anything.

Similarly, malware portals rely on the right kind of traffic. There’s no point spending a fortune on an exploit kit if potential victims aren’t running the outdated software required. Redirection Gates act like a kind of bouncer, making sure the right name is down on the list. Running an old version of Flash? Come on in. A fully patched system running security software? Sorry, this is an exclusive party.

Another check made by malware running in a virtual testing environment is to look for signs of a real user, such as mouse movement and general desktop activity, and for tell-tale signs of automation, such as the absence of a connected screen or monitor. If none of that activity is happening, and no screen displaying a desktop is in evidence, the malware assumes “malware research” and doesn’t come out of its shell.

Finally, we come to phishing pages. Some phishes are aimed at mobile users only, and will check the browser’s User-Agent string. If it says “Chrome, desktop” the site will send the visitor away. If it says “Chrome, mobile” they’ll be allowed into the heart of the phish. What we have with this Royal Mail fake out is an added layer of sophistication. This is, in effect, the malware portal bouncer on the door, but now they’re yelling about parcel deliveries.

Shall we take a look?

The Royal Mail phish in action

It begins with the usual SMS message claiming that a parcel has been redirected, and reads as follows:

[Image: fake SMS message]

Post Office: Your parcel has been redirected to your local post office branch due to an unpaid shipping fee. To reschedule a delivery please visit: [URL removed]

Something to note here is how much closer this is to actual Royal Mail processes. Our last example from March simply made vague references to parcels waiting for delivery, and a lot of people would hopefully have sensed that something was off as a result. Here, the lure mirrors a real process: parcels with unpaid postage are indeed sent to the nearest Post Office for the recipient to arrange collection.

For anyone familiar with the more generic SMS blasts from this attack, this may well be the foot in the door the attacker needs.

A virtual phish? No thank you

Remember what we said about sites filtering you in or out of the scam, depending on your setup? That’s what we have here. When you click the link to visit the fake Royal Mail page, there’s a fair bit of code under the hood sniffing around for potential virtual machine use.

The code below checks the WebGL renderer string, looking for values it associates with (for example) VirtualBox or a Remote Desktop Protocol (RDP) session, where there is no real GPU behind the browser. It also wants to know whether site visitors have a display at all. Remember, not having a screen is a possible sign of automated research tools running in virtual machines. This is a tactic pulled right out of malware analysis evasion land.

[Image: the phish page’s VM and display check code]
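The following is an added illustration written for this article, not the phishing kit’s own code (the site’s actual script is only shown in the screenshot above). It reconstructs the “bouncer” logic described here, together with the mobile-only User-Agent check and the missing-display check from the earlier paragraphs, as plain functions that run under Node.js. The renderer marker strings, the decision rules and the sample visitors are all assumptions for illustration; in a live page the renderer string would come from WebGL’s WEBGL_debug_renderer_info extension and the screen values from window.screen.

```javascript
// Added example for this article: a reconstruction of the visitor-filtering
// ("bouncer") checks described in the text. It is NOT the phishing kit's code.
// Marker strings, decision rules and sample visitors are assumptions.

// Renderer substrings that suggest a virtual machine or software rendering
// rather than a real phone GPU (assumed list). In a browser the string comes from:
//   const ext = gl.getExtension("WEBGL_debug_renderer_info");
//   gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
const VIRTUAL_RENDERER_MARKERS = [
  "virtualbox",
  "vmware",
  "llvmpipe",            // Mesa software rasteriser, common in headless/VM Linux
  "swiftshader",         // Chrome's software GL fallback
  "basic render driver", // "Microsoft Basic Render Driver": no GPU, e.g. over RDP
];

function looksLikeVirtualRenderer(renderer) {
  // A missing renderer (WebGL blocked or unavailable) is treated as suspicious too.
  if (typeof renderer !== "string" || renderer.length === 0) return true;
  const lower = renderer.toLowerCase();
  return VIRTUAL_RENDERER_MARKERS.some((marker) => lower.includes(marker));
}

function hasUsableDisplay(screen) {
  // window.screen in headless or screenless environments often reports zeros.
  return Boolean(screen) && screen.width > 0 && screen.height > 0 && screen.colorDepth > 0;
}

function isMobileUserAgent(userAgent) {
  // Mobile-only phishes admit phone browsers and send desktop visitors elsewhere.
  return /\b(Android|iPhone|iPad|iPod|Mobile)\b/i.test(userAgent || "");
}

// The door decision. Returns the verdict and the reasons behind it, which is
// exactly what a researcher wants to log when working out why a sandbox was refused.
function admitVisitor(visitor) {
  const reasons = [];
  if (!isMobileUserAgent(visitor.userAgent)) reasons.push("desktop user agent");
  if (!hasUsableDisplay(visitor.screen)) reasons.push("no usable display");
  if (looksLikeVirtualRenderer(visitor.webglRenderer)) reasons.push("virtual or software renderer");
  return { admit: reasons.length === 0, reasons };
}

// Constructed sample visitors (not captured traffic).
const SAMPLE_VISITORS = {
  // A victim on a real Android phone: passes every check.
  phoneVictim: {
    userAgent: "Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.91 Mobile Safari/537.36",
    screen: { width: 412, height: 869, colorDepth: 24 },
    webglRenderer: "Adreno (TM) 640",
  },
  // An automated crawler in a headless browser inside a Linux VM: fails all three.
  headlessSandbox: {
    userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.93 Safari/537.36",
    screen: { width: 0, height: 0, colorDepth: 0 },
    webglRenderer: "Mesa OffScreen, llvmpipe (LLVM 12.0.0, 256 bits)",
  },
  // An analyst on a Windows desktop reached over RDP: the display is fine, but the
  // renderer gives the session away and the user agent is not mobile.
  rdpAnalyst: {
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
    screen: { width: 1920, height: 1080, colorDepth: 24 },
    webglRenderer: "ANGLE (Microsoft, Microsoft Basic Render Driver Direct3D11 vs_5_0 ps_5_0, D3D11)",
  },
  // Device emulation inside a VM: user agent and screen are faked, but WebGL still
  // reports the software renderer, so the visitor is still turned away.
  emulatedPhoneInVm: {
    userAgent: "Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.91 Mobile Safari/537.36",
    screen: { width: 412, height: 869, colorDepth: 24 },
    webglRenderer: "Google SwiftShader",
  },
};

// Run every sample visitor through the door and return the verdicts by name.
function triageSamples() {
  const verdicts = {};
  for (const [name, visitor] of Object.entries(SAMPLE_VISITORS)) {
    verdicts[name] = admitVisitor(visitor);
  }
  return verdicts;
}

for (const [name, verdict] of Object.entries(triageSamples())) {
  console.log(name, verdict.admit ? "admitted" : `refused: ${verdict.reasons.join(", ")}`);
}
```

Read from the researcher’s side, the same decision table says what an analysis environment has to present to get past the door: a mobile User-Agent string, non-zero screen dimensions, and a WebGL renderer string that does not advertise a VM or a software rasteriser. The emulated-phone case shows why spoofing the User-Agent alone is not enough.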

Finally, the site throws a lot of placeholder text into the website’s code. This text seems to cause plenty of errors in Tor Browser. Tor is another way for people researching sites to keep themselves anonymous, so this is a smart move on the phish page creator’s part.

[Image: Bacon Ipsum placeholder text in the page source]

For those curious, the text performs the placeholder function of Lorem Ipsum text. In this case, it’s actually called Bacon Ipsum. While breaking Tor could be accidental, it seems too good to be true given the other measures on display.

Again, this isn’t a level of phish-based paranoia we’ve seen in fake Royal Mail land. Code which breaks Tor, checking for absent computer screens, sniffing for code which may denote a VM or RDP…this is an all new level of the bouncer on the door concept.

What does this Royal Mail phish do?

Assuming the bouncer lets someone in, the flow is a fairly standard Royal Mail phish scenario. The scammers ask for name, DOB, address, mobile number, and email address.

[Image: fake Royal Mail website asking for personal details]

After that, the victim is asked to hand over what are essentially full banking details via the information on their debit card. That’s name, card number, expiry date, security code, account number and sort code.

If payment details are fully entered and submitted, the site pops a message to thank the victim for payment. “Your parcel will be sent out soon, and we will notify you when it is out for delivery”.

[Image: fake delivery notification]

At this point, there’s a redirection off to the real Royal Mail website. We’d suggest the only thing left is to call the bank and sort out a replacement card / account block as soon as possible.

Returning a scam to sender

We’ve already looked at how devastating these attacks can be. Attackers are becoming smarter and more selective about who they want to snare in their trap. Making it harder for researchers makes it easier for them, so we all have a vested interest in getting past these filters and knowing what to look for. If you or your family members are worried about smishing, we have just the thing. Fake Royal Mail messages aren’t going away anytime soon, so please keep your guard up and double check those messages. If in doubt, contacting your local depot is likely the best response you can make.


“Have I Been Pwned?”: what is it and what to do when you *are* pwned

Adobe. Yahoo!. The US Department of Energy (DoE). The New York Times.

What these names have in common is that they all experienced at least one breach in 2013, a year in which threat actors targeted organizations across industries to either steal data for profit or leak it to “teach companies a lesson about cybersecurity.”

The majority of the breached data was credential information, such as usernames and passwords, with the former usually being an email address. Some personally identifiable information (PII) and other sensitive organization-centric data was in the mix as well.

With so many breaches going on that year, plus the observed ramping up of such attacks in the few years before it, one may be led to ask: how can people keep up with checking whether they’re affected by these breaches or not? Do they even know they have been breached?

This prevalence of data breaches, coupled with his analysis of the Adobe attack, led Troy Hunt, an Australian cybersecurity expert, blogger, and speaker, to create Have I Been Pwned (HIBP), a website that allows internet users to check whether their personal data has been compromised or is part of a trove of data leaked following company breaches.


Is “Have I Been Pwned?” legit?

Yes, it is.

To date, HIBP has been around for almost a decade, and through the years, it has only proven itself to be an essential tool for everyday internet users, governments, and organizations alike.

Yes, you read that right: governments. HIBP has been assisting governments, such as the UK, Australia, and Romania (to name a few), in monitoring for breaches affecting government domains. Note that this centralized monitoring is done by the cybersecurity arms of these governments, such as the National Cyber Security Centre (NCSC) for the UK, the Australian Cyber Security Centre (ACSC) for Australia, and CERT-RO for Romania. These organizations, of course, cannot query addresses beyond their own government domains.

“The only access they have is to domains that their people working in those departments could query anyway via the existing free domain search model, we’re just consolidating it all into a unified service,” Hunt wrote in a 2018 blog post about this matter. If you’re interested in reading more about this, there is in-depth detail here.

HIBP is also run and maintained single-handedly by Hunt himself, not a team. And Hunt is a well-known and very trusted name within cybersecurity circles. On top of that, he runs the service “with maximum transparency.”

Is “Have I Been Pwned?” safe?

If you’re more of a privacy-centric person who never likes websites snooping on your queries whenever you use their search feature, it is understandable to be concerned about whether HIBP can actually snoop or, worse, record every query you make.

According to HIBP’s FAQ page: “Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics, Application Insights performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.”

Other storage-related questions covered on that page:

How is the data stored?
The breached accounts sit in Windows Azure table storage which contains nothing more than the email address or username and a list of sites it appeared in breaches on. If you’re interested in the details, it’s all described in Working with 154 million records on Azure Table Storage – the story of Have I Been Pwned

Does the notification service store email addresses?
Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification is stored.

How do I know the site isn’t just harvesting searched email addresses?
You don’t, but it’s not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you’re concerned about the intent or security, don’t use it.
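The FAQ answers above concern the email search, which necessarily sends the full address to the site, so the privacy question there comes down to trust. HIBP's companion Pwned Passwords service, which the post does not cover, answers the same concern differently: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash, the server returns every suffix it knows for that prefix, and the comparison happens locally, so the full hash never leaves the machine. The following is an added example of that client side, not code from Malwarebytes or from HIBP; the endpoint URL and response format are HIBP's real ones, but the response body below is constructed (the suffix line for "password" is correct, the count and the other two suffixes are made up) so the example runs offline.

```python
import hashlib

# Real endpoint of HIBP's Pwned Passwords range API (not described in the post above).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix that is sent
    to the server and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix):
    """URL the client fetches; only 20 bits of the hash leave the machine."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return RANGE_URL + prefix


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if not sep:
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch):
    """How often the password appears in HIBP. `fetch(prefix)` returns the response
    body for that prefix; the suffix comparison happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed response for prefix 5BAA6, the prefix of SHA-1("password").
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439C4EB6E51FF2C0F2A8A1BB8A2A9:1
"""


def offline_fetch(prefix):
    """Stand-in for an HTTP GET of range_url(prefix); only knows the constructed sample."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print("GET", range_url(prefix))
    print("suffix kept locally:", suffix)
    print("'password' seen:", breach_count("password", offline_fetch))
    print("other password seen:", breach_count("correct horse battery staple", offline_fetch))
```

Roughly one in a million hashes share a five-character prefix, so the server learns almost nothing about which password was checked, and the response it sends back contains only hashes, never plaintext. Replace `offline_fetch` with an HTTP GET of `range_url(prefix)` to use it against the live service.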

In 2019, Hunt opened up to his readers about Project Svalbard, the name he gave to the future of Have I Been Pwned. In a nutshell, having realized that he would burn out one day, Hunt planned to hand over the management of HIBP to a “better-resourced and better-funded structure.” The news could have raised alarm bells for those who had trusted the site all these years, since any acquisition carries the risk that the service is monetized or that the data is misused by whoever acquires it.

At the time, Hunt penned a long and thoughtful post on Project Svalbard, including seven commitments to the future of HIBP. Here’s the tl;dr version:

  • Freely available consumer searches should remain freely available.
  • I (Troy Hunt) will remain a part of HIBP.
  • I want to build out much, much more capabilities wise. 
  • I want to reach a much larger audience than I do at present.
  • There’s much more that can be done to change consumer behaviour. 
  • Organisations can benefit much more from HIBP.
  • There should be more disclosure – and more data. 

But in March 2020, something changed. Due to last-minute, unforeseen developments, the sale of Have I Been Pwned was called off. As Hunt wrote:

“Have I Been Pwned is no longer being sold and I will continue running it independently.”

Have you been pwnd? Here’s what to do

Knowing that your personal details or credentials have been leaked is important, but acting on it is what matters. What do you do now that you know an account has been compromised?

For starters, change your password, and make it longer. It doesn’t have to be a complex mix of uppercase and lowercase characters, symbols, and numbers: NIST’s password guidance (SP 800-63B) favors length over composition rules. Just as important, make it unique. A password leaked from one site is only useful to attackers elsewhere if you reused it. You can formulate your own long passwords, or enlist the help of a password manager to generate and store them.

Lastly, use two-factor authentication (2FA) to add a layer of protection to your account. We strongly suggest using a one-time password (OTP) app, or, if you have a physical hardware key such as a YubiKey, all the better. Some big-name companies like Facebook already give their users the option to use a hardware key, so check whether your online service provider offers it too, and take advantage of it.

Stay safe!

The post “Have I been pwnd?”– What is it and what to do when you *are* pwned appeared first on Malwarebytes Labs.

Bizarro: a banking Trojan full of nasty tricks

Researchers have discovered a new banking Trojan targeting customers of European and South American banks. They have dubbed it Bizarro.

How does Bizarro spread?

Bizarro spreads via Microsoft Installer (MSI) packages. The sources identified so far are spam emails, and attackers may also use social engineering to convince victims to download a smartphone app. Infections have been detected in Brazil, Argentina, Chile, Germany, Spain, Portugal, France, and Italy. Bizarro uses compromised WordPress, Amazon, and Azure servers to host the MSI packages that victims are tricked into downloading.

What is Bizarro capable of?

Bizarro has quite a few tricks up its sleeve:

  • It can capture login credentials entered on banking sites. To speed up this process it reportedly closes your existing browser windows, so you are forced to log in. Bizarro also creates fake prompts to solicit 2FA codes.
  • Bizarro constantly monitors the clipboard and will replace any Bitcoin address it finds there with its own (hoping of course to capture any transfers that were supposed to be paid into the original address).
  • And last, but not least, it is a full-blown backdoor, which gets fired up as soon as the user visits one of a set of hardcoded banking sites.

The backdoor offers a lot of options to the attacker, including:

  • Gathering data about the infected system and sending it to the C&C server.
  • Searching for and stealing files from the infected computer.
  • Dropping files on the affected system (such as other malware).
  • Remote control of the mouse and keyboard.
  • Keylogging.
  • Creating fake popup windows and messages. The messages are intended to slow down the user’s response time and include progress bars.
  • Emulating banking sites on the fly.

Targets

Like many other banking Trojans of Brazilian origin, Bizarro focuses on European and South American banks. So far, attempts have been made to steal credentials from customers of 70 banks across European and South American countries.

Besides the obvious victims who get the malware on their systems, the operators behind Bizarro also use money mules to cash out or simply to help with transfers. These money mules often have short-lived criminal careers before they end up in jail.

Mitigation and detection

As always, the most important advice is not to click on links from an uncertain source. Also keep an eye out for unexpected behavior on your system. Especially when it comes to banking, it’s better to look into weird behavior than to assume it’s just Windows acting up. And double-check the destination Bitcoin address before sending funds. (This is good advice in all circumstances: Bizarro is not the only malware that uses the clipboard to replace Bitcoin addresses, and there are no do-overs with Bitcoin!)
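The clipboard trick works because a swapped-in address is itself a perfectly valid address, so "check that the address looks right" only helps if you compare the pasted text with what you actually copied. The following is an added example of that comparison, not code from Malwarebytes or from the Bizarro analysis: it validates legacy Bitcoin addresses with a real Base58Check decode (the double-SHA-256 checksum), does a shape-only check for bech32 `bc1` addresses, and flags any event where the user copied an address but the clipboard now holds something else. The address `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa` is the real genesis-block address; the event list is constructed.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape-only check for bech32 (bc1...) addresses; the bech32 checksum is not verified here.
BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{6,87}$")


def b58decode_check(text):
    """Base58Check-decode; return the payload (checksum stripped) or None if invalid."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(text) - len(text.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def is_valid_legacy_address(text):
    """True for a checksum-valid mainnet P2PKH (version 0x00) or P2SH (0x05) address."""
    payload = b58decode_check(text)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


def looks_like_btc_address(text):
    return is_valid_legacy_address(text) or BECH32_RE.match(text) is not None


def scan_clipboard_events(events):
    """events: (text the user copied, clipboard content at paste time) pairs.
    A clipper rewrites the clipboard after the copy, so the two differ; report those."""
    alerts = []
    for copied, clipboard in events:
        if looks_like_btc_address(copied) and clipboard != copied:
            alerts.append({
                "copied": copied,
                "clipboard": clipboard,
                # a real clipper always substitutes a syntactically valid address
                "substitute_is_address": looks_like_btc_address(clipboard),
            })
    return alerts


GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # real, well-known P2PKH address

# Constructed events: the third is what a clipper like Bizarro produces.
SAMPLE_EVENTS = [
    (GENESIS_ADDRESS, GENESIS_ADDRESS),
    ("invoice 4471", "invoice 4471"),
    (GENESIS_ADDRESS, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),
]

if __name__ == "__main__":
    for alert in scan_clipboard_events(SAMPLE_EVENTS):
        print("clipboard swap:", alert)
```

Wiring this into a real monitor means recording what the user copied (a clipboard-change hook on the copying application) and comparing at paste time; the validation alone is deliberately not the detection signal, because the attacker's address passes it too.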

Once launched, the MSI package downloads a ZIP archive containing the following files:

  • A malicious DLL written in Delphi
  • A legitimate executable that is an AutoHotkey script runner (in some samples AutoIt is used instead of AutoHotkey)
  • A small script that calls an exported function from the malicious DLL

The DLL is detected by Malwarebytes’ machine learning module.

[Screenshot: Trojan Bizarro detected]

Stay safe, everyone!

The post Bizarro: a banking Trojan full of nasty tricks appeared first on Malwarebytes Labs.

4 things you should know about testing AV software with VirusTotal’s free online multiscanner

As COVID-19 soldiers on, small and medium-size businesses now feel as ripe for malware attacks as deep-pocketed multinationals.

SMBs see that the shift to remote work during the pandemic has opened troubling new holes in their security. Cybercriminals, equal-opportunity charlatans that they are, now simply cast wider nets to snare any and all businesses. Large or small. Young or old. Public or private. Profitable or those just barely getting by.

To defend against these new exposures, nervous teams often purchase an endpoint protection solution. But, research shows, many SMBs are skeptical about the job their product is doing.

In Malwarebytes’ recent SMB Cybersecurity Trust & Confidence Report, 47% of respondents said their endpoint protection wasn’t up to the task of stopping new threats. Remarked a respondent: “Even a combination of solutions can’t catch every threat. Just like a flu shot can’t prevent every strain of the flu.”

According to the report, about 65% of SMBs with 50-99 employees try to make double-sure their endpoint protection is working as advertised by testing it.

And to do so, they often turn to VirusTotal.

If you’re not familiar with VirusTotal, it’s a service owned by Chronicle (part of Google/Alphabet). Its free service lets you submit suspicious files and URLs, which it inspects and checks using 70+ third-party antivirus engines, URL/domain blocklisting services, and other tools. It also offers a range of paid-for Premium Services, but in this article we will focus on the free offering.

Naturally, the price tag for analyzing malware (free) is appealing to SMBs on a limited budget. And the simplicity appeals to teams with limited resources and technical staff.

But is this the best testing solution for SMBs? Let’s explore.

1. VirusTotal isn’t running the same AV software as you

To stay up to date against both known and zero-day threats, endpoint protection providers update their products and protection software almost continuously. VirusTotal maintains a collection of over 70 endpoint protection engines, and there is no guarantee that its copy of the product you run is as up to date as your copy. This means it is sometimes testing an SMB’s suspicious items with outdated AV software.

The service also runs command line versions of the AV software it tests with, rather than the GUI versions. In its own words, that means “…depending on the product, they will not behave exactly the same as the desktop versions.”

Lastly, the free version of VirusTotal performs a static analysis of your file. A more detailed and realistic view of the file is available through its Premium Services, which analyze them running in a sandbox environment.

It’s no surprise, then, that the free version of VirusTotal does not mirror your environment, which can easily lead to a false negative: a file that VirusTotal reports as clean but that your fully updated product, with its runtime protection, would have blocked.

2. Some infections aren’t triggered in VirusTotal

Cybercriminals are getting smarter. They now create malware that senses when it is running in the VirusTotal environment and therefore won’t detonate. The malware just lies low until VirusTotal gives it the green light. Then, when the unsuspecting SMB releases the “clean” item to its live endpoints, it wakes up and delivers the payload.

These threat actors are even getting cheeky. They sometimes program their malware to display a rude message once it has detonated, taunting the victims for trying to outsmart them.

3. VirusTotal doesn’t want your private data

When uploading a suspicious file to VirusTotal, an SMB may also inadvertently include sensitive information. This is especially true among teams with inexperienced staff who are less familiar with what’s included in the sample.

Exposed info can range from internal data (like payroll records or intellectual property) to external information (such as customer passwords and banking information). This unprotected data can leak out to other VirusTotal customers or cybercriminals.

This is why many SMBs subject to compliance regulations, or those with strict data-handling policies, prohibit the use of VirusTotal, and it’s why the service’s home page says clearly: “Please do not submit any personal information.”
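Two of the caveats above can be checked before anything is uploaded at all. VirusTotal's v3 API, which this article does not cover, lets you look up an existing report by file hash, so a sample that is already known never has to leave your network (point 3), and each engine entry in a report carries an `engine_update` date, which shows how stale the engine that produced the verdict was (point 1). The following is an added example, not code from Malwarebytes or from VirusTotal: it computes the hash, builds the lookup request without sending it, and reduces a report to the numbers that matter. The report it parses is constructed, with made-up engine names, so it runs offline; the API key header name is the real one.

```python
import hashlib
import json
from datetime import date

API_BASE = "https://www.virustotal.com/api/v3"  # real v3 API; the key goes in an x-apikey header


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def file_sha256(path, chunk_size=1 << 20):
    """Stream the file so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_lookup_request(sha256, api_key="<your key>"):
    """Request for the existing report on a hash; nothing about the file's contents is sent."""
    return {"method": "GET", "url": f"{API_BASE}/files/{sha256}", "headers": {"x-apikey": api_key}}


def _ymd(text):
    return date(int(text[:4]), int(text[4:6]), int(text[6:8]))


def summarize_report(report, as_of, max_age_days=7):
    """Reduce a v3 file report to: engines that flagged it, and engines whose
    signatures (engine_update, YYYYMMDD) were older than max_age_days when they ran."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs["last_analysis_results"]
    cutoff = _ymd(as_of)
    stale = sorted(
        name for name, r in results.items()
        if r.get("engine_update") is None
        or (cutoff - _ymd(r["engine_update"])).days > max_age_days
    )
    malicious = stats.get("malicious", 0)
    return {
        "malicious": malicious,
        "engines": len(results),
        "stale_engines": stale,
        # no detections is not proof of a clean file (see point 2 above)
        "verdict": "flagged" if malicious > 0 else "no detections",
    }


# Constructed report in the v3 shape; engine names and dates are made up.
SAMPLE_REPORT = json.loads("""
{"data": {"type": "file", "id": "0000", "attributes": {
  "last_analysis_stats": {"malicious": 1, "suspicious": 0, "undetected": 2, "harmless": 0},
  "last_analysis_results": {
    "EngineA": {"category": "malicious", "engine_version": "1.0",
                "engine_update": "20210410", "result": "Trojan.Generic"},
    "EngineB": {"category": "undetected", "engine_version": "9.2",
                "engine_update": "20210515", "result": null},
    "EngineC": {"category": "undetected", "engine_version": "4.7",
                "engine_update": "20210514", "result": null}
  }}}}
""")

if __name__ == "__main__":
    digest = sha256_hex(b"constructed sample bytes")
    print(hash_lookup_request(digest)["url"])
    print(summarize_report(SAMPLE_REPORT, as_of="20210516"))
```

If the lookup returns 404, the file is unknown to VirusTotal, and that is the point at which to decide whether the sample is safe to upload; if it returns a report, the `stale_engines` list tells you which verdicts came from engines that may not match what you run.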

4. VirusTotal isn’t a testing tool

In many ways, VirusTotal is a victim of its own success. While it is widely used to test AV solutions, VirusTotal has always been clear that this is not what it is for. Its job is to help antivirus vendors, as its FAQ makes plain:

VirusTotal service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors.

The company shows no signs of embracing this widespread misapplication either. Instead, its future centers on building out its premium service, VirusTotal Intelligence, which lets subscribers download malware samples from VirusTotal into their own test environment. SMBs can then scan these samples internally with their endpoint protection solution to see what it catches or misses.

Is VirusTotal the answer?

Bottom line: VirusTotal is a free service staffed by top professionals, but testing the efficacy of your AV solution is not its focus. You’ll have to weigh the pros and cons. VirusTotal is useful as a quick second opinion, and the price is right (you can’t beat free), but its shortcomings could have a major impact on your business and your endpoint protection.

In a follow-up article, we’ll discuss viable options beyond VirusTotal for testing and verifying your endpoint protection.

The post 4 things you should know about testing AV software with VirusTotal’s free online multiscanner appeared first on Malwarebytes Labs.

A week in security (May 10 – 16)

Last week on Malwarebytes Labs, we watched and reported on the Colonial Pipeline ransomware attack as developments of its story unfolded. This attack triggered the White House to refine a planned Executive Order on cybersecurity. We also profiled DarkSide, the ransomware responsible for the Colonial Pipeline attack, and the criminal gang behind it.

Speaking of ransomware, we spoke with Jake Bernstein, a cybersecurity and privacy attorney and our guest in the latest Lock and Code podcast episode, to talk about the legal ramifications ransomware-turned-data-breach victims may face when they have been successfully attacked.

We also highlighted “wormable” Windows vulnerabilities in last week’s Patch Tuesday updates; touched on FragAttacks, a set of newly found Wi-Fi vulnerabilities that affect practically all Wi-Fi devices; addressed the question “Why MITRE ATT&CK matters”; warned about Avaddon, a new ransomware campaign; raged about WhatsApp call and message features breaking unless you share data with Facebook; applauded game developers who made cybersecurity part of the gaming experience; and went “ooh!” at a novel way to exfiltrate data from air-gapped networks using iPhones and AirTags.

Our expert threat hunters also noted the increase in iPhone spam attacks and observed Magecart Group 12 continuing to go strong and using a PHP-based skimmer as a new tool.

Lastly, we talked about Wi-Fi and honeypots.

Other cybersecurity news

  • The group behind the Colonial Pipeline attack claimed to be behind the Toshiba attack and data breach. (Source: Kyodo)
  • DarkSide also hit Brenntag, a chemical distribution company, and got paid for it, to the tune of $4.4M USD. (Source: BleepingComputer)
  • Imposter Amazon robocalls are reaching 150 million consumers per month, according to YouMail. (Source: PR Newswire)
  • Threat actors took advantage of routine site maintenance to get people to download malicious copies of MSI Afterburner from a fake website. (Source: MSI News)
  • According to a report from Immersive Labs, 81 percent of software developers have knowingly released applications that are vulnerable. (Source: Immersive Labs)
  • Panda, a new information stealer, could nab account credentials of NordVPN, Telegram, Discord, and Steam users. It also goes after cryptocurrency wallets. (Source: The Coin Radar)
  • A report on TeaBot, a new Android malware targeting European banks, was released. (Source: Cleafy)
  • Users are at risk as they continue to use Windows 7, which has already reached its end of life. (Source: Security Brief)

Stay safe!

The post A week in security (May 10 – 16) appeared first on Malwarebytes Labs.