Archive for author: makoadmin

The npm netmask vulnerability explained so you can actually understand it

The popular npm netmask library recently encountered a serious problem, explained as follows:

The npm netmask package incorrectly evaluates individual ipv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on netmask to filter or evaluate ipv4 block ranges, both inbound and outbound.

Got that?

In case you can’t read mumbo jumbo, hold on, and I’ll try to explain.

The basics

The npm library netmask is used by hundreds of thousands of applications and amasses over 3 million weekly downloads. It is used to read and manipulate IP addresses.

If you understand IP addresses and octals, you can skip the next section.

IP address

An IP address tells us how to find a certain device within a network. For each network a computer is connected to, it has an IP-address on that network. The IP address for this website is 130.211.198.3, for example.

Some things that happen inside a computer rely on an IP address too. For that we can use 127.0.0.1, the loopback address, which is why that one is called “home” or “localhost” (0.0.0.0 is also used in some contexts).

Domains, names used to address computers, are associated with IP-addresses. The Domain Name System (DNS) translates domain names used by people, like blog.malwarebytes.com into the IP addresses used by computers, like 130.211.198.3. The DNS system is often compared to a phone book where you can look up a person’s name to find their phone number.

IPv4 octets

When you see an IP address you will probably recognize it for what it is. The typical format of an IP version 4 address is very familiar: Four numbers between 0 and 255 separated by three dots.

In fact, an IP address is a decimal representation of a 32-bit number. The 32-bit number is grouped 8 bits at a time, and each group of 8 bits is an octet. The octets are separated by dots and written in decimal; this is known as dotted decimal notation. The possibilities range from 0.0.0.0 to 255.255.255.255.

The difference between decimal and octal

Decimal means a number expressed in the base-ten system which is the system that we use every day that uses the digits 0 to 9, whereas octal means the number system that uses the eight digits 0, 1, 2, 3, 4, 5, 6, 7.

Since an IP address is a 32-bit number it makes a lot of sense to use the octal number system. In that system the dotted decimal 127.0.0.1 becomes the dotted octal 0177.0000.0000.0001. Here’s why:

In decimal, numbers are written according to how many ones they have, how many tens, how many hundreds, and so on. So the number 127 is 1 * 100, 2 * 10 and 7 * 1.

In octal, numbers are written according to how many ones they have, how many eights, how many 64s, and so on. So the number 127 is written as 0177: the leading 0 marks the number as octal, and the remaining digits stand for 1 * 64, 7 * 8 and 7 * 1.

Using different numerical systems is no problem for computers, as long as it’s clear which one you are using. Allowing mixed input for an application is asking for problems, however.

The netmask vulnerability

Zeroes

To understand the problem it helps to understand how things are supposed to work. Copy the octal IP address 0177.0000.0000.0001 into your browser address bar: it should be correctly translated to 127.0.0.1. Now try 0177.0.0.1 in the same browser, and act surprised when it still takes you to 127.0.0.1, even though we did not write out the last three octets in full.

127.0.0.1 and 0177.0.0.1 look like they are in the same notation but they are not. The first zero on 0177.0.0.1 makes all the difference, and your browser knows this.

The bug

The problem with netmask was that it stripped leading zeroes from IP addresses. So, if you fed it an address that starts with a zero, like 0177.0000.0000.0001, it would not recognise it as an octal address and turn it into the decimal version, 127.0.0.1, like your browser does. Instead it would treat it as a decimal address, 177.0.0.1, which is the address of a completely different computer.

While this may seem more of an inconvenience than a security problem at first sight, when an attacker is able to influence the IP address input being parsed by the application, the bug can give rise to various vulnerabilities.

Private IP or not?

Remember when I wrote that your computer has an IP address in every network it is connected to? Some IP address ranges are reserved for internal networks and can’t be used on the Internet. The most well-known is probably 192.168.1.0 to 192.168.1.255, often written as 192.168.1.xxx. Many home networks use the 10.0.1.xxx network range.

Importantly, many systems are set up to be more trusting towards traffic coming from inside a private network. See how that might pose a problem? If an attacker fed a vulnerable version of netmask the address 012.0.0.1, netmask would read it as the public address 12.0.0.1 instead of the private address 10.0.0.1.
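The two behaviours described in the sections above (the browser reading a leading zero as the octal prefix, and the vulnerable netmask stripping it) can be shown side by side. The following is an added example written for this page; it is not code from the netmask package or from the article. It contains two octet parsers, a 32-bit conversion, and a membership check against the RFC 1918 private blocks plus loopback, and it reports what each parser makes of 012.0.0.1 and 0177.0000.0000.0001. The sample inputs are constructed. The strict parser also accepts 0x-prefixed hexadecimal octets, as inet_aton and browsers do, which goes a little beyond what the article discusses.

```javascript
// Added example (not netmask's code): strict vs. zero-stripping IPv4 octet parsing.

// Parser 1: read each octet the way inet_aton and browsers do.
// "0x.." is hexadecimal, a leading "0" means octal, anything else is decimal.
function parseOctetStrict(text) {
  let value;
  if (/^0[xX][0-9a-fA-F]+$/.test(text)) {
    value = parseInt(text.slice(2), 16);
  } else if (/^0[0-7]+$/.test(text)) {
    value = parseInt(text.slice(1), 8);
  } else if (/^(0|[1-9][0-9]*)$/.test(text)) {
    value = parseInt(text, 10);
  } else {
    throw new Error(`invalid octet: ${JSON.stringify(text)}`);
  }
  if (value > 255) throw new Error(`octet out of range: ${text}`);
  return value;
}

// Parser 2: the behaviour the article describes for the vulnerable netmask:
// leading zeroes are dropped and the remainder is read as decimal.
function parseOctetLenient(text) {
  if (!/^[0-9]+$/.test(text)) throw new Error(`invalid octet: ${JSON.stringify(text)}`);
  const value = parseInt(text.replace(/^0+(?=\d)/, ""), 10);
  if (value > 255) throw new Error(`octet out of range: ${text}`);
  return value;
}

// Turn "a.b.c.d" into an unsigned 32-bit integer using the chosen octet parser.
function ipv4ToInt(address, parseOctet) {
  const parts = address.split(".");
  if (parts.length !== 4) throw new Error(`expected four octets: ${address}`);
  return parts.reduce((acc, part) => (acc * 256 + parseOctet(part)) >>> 0, 0);
}

// Back to dotted decimal, for display.
function intToIpv4(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join(".");
}

// Does the integer address fall inside a CIDR block such as "10.0.0.0/8"?
function inCidr(addressInt, cidr) {
  const [base, bitsText] = cidr.split("/");
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const baseInt = ipv4ToInt(base, parseOctetStrict);
  return ((addressInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// RFC 1918 private blocks plus the loopback block.
const PRIVATE_BLOCKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];

function isPrivate(address, parseOctet) {
  const n = ipv4ToInt(address, parseOctet);
  return PRIVATE_BLOCKS.some((cidr) => inCidr(n, cidr));
}

// One input, two interpretations: what each parser sees and whether it would
// call the address private. This is the disagreement the article describes.
function compare(address) {
  return {
    input: address,
    strict: intToIpv4(ipv4ToInt(address, parseOctetStrict)),
    lenient: intToIpv4(ipv4ToInt(address, parseOctetLenient)),
    strictPrivate: isPrivate(address, parseOctetStrict),
    lenientPrivate: isPrivate(address, parseOctetLenient),
  };
}

// Constructed sample inputs, including the two from the article.
const SAMPLES = ["0177.0000.0000.0001", "012.0.0.1", "127.0.0.1", "192.168.001.010"];
for (const sample of SAMPLES) console.log(compare(sample));
```

Running it shows 012.0.0.1 as the private 10.0.0.1 under the strict parser but the public 12.0.0.1 under the lenient one, and 0177.0000.0000.0001 as 127.0.0.1 versus 177.0.0.1; the last sample shows that even inside the same /16 the two parsers land on different hosts. The practical lesson for a filter is the one the article draws: either parse every notation the rest of the stack accepts, or reject any octet that is not plain decimal before comparing it against an allow or deny list.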

According to netmask’s own maintainer, the vulnerability could have allowed an attacker to abuse this trust and gain access to all kinds of things they shouldn’t:

A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts

CVE-2021-28918

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This zero-day is listed as CVE-2021-28918.

The fix for CVE-2021-28918 has been released in version 2.0.1 of netmask on npm. The Perl component Net::Netmask also suffered from this flaw, and its maintainer, Joelle Maslak, has released a fix in version 2.0000 today.

Stay safe, everyone!

The post The npm netmask vulnerability explained so you can actually understand it appeared first on Malwarebytes Labs.

Malicious commits found in PHP code repository: What you need to know

You’ve probably heard that PHP’s Git repository was recently compromised, allowing backdoors to be added to the code located there. You may also be wondering what that means, what a supply chain attack is, and how you could be affected. Read on and we’ll lead you through a straightforward description of this attack’s many moving parts.

What is a supply chain attack?

This is where an attacker compromises something a project or organisation depends on. In the world of modern software development, where third-party code is reused on a massive scale, it often means compromising something used by lots of other organisations, which can result in the compromise of everyone else further down the chain too.

The bigger the target they snag initially, the wider the reach as the attack slides downstream. This can be very messy to sort out afterwards as news of the attack slowly comes to light over time. It’s a win for attackers, as organisations can’t typically build everything they need themselves. Third-party tools and software will come into play eventually and if one of them is compromised by attackers, everything that uses or includes them is affected.

In this case, attackers going after PHP, which is used the world over, would qualify as a potentially huge supply chain attack.

What is Git?

Git is a version control system which tracks changes to your file(s) over a period of time. It makes this rather cumbersome process much more straightforward thanks to its repository. You can roll back changes if you make a mess of things, move files around, merge contributions from others, and so on.

That may sound a bit confusing, but don’t worry. A very basic comparison would be the page history view on Wikipedia, where you can see all changes made from creation of the page onward. If you understand how that works, then you’ll grasp how Git allows you to outline the who’s and what’s of edits made, the file reversions, the ability for different developers to work on projects in a non-chaotic fashion, and so on.

Put simply, it’s really good and very handy for all sorts of projects.

What is PHP?

PHP is something you almost certainly run into all the time. PHP, created in 1994, is a scripting language which is ideal for web development. It’s also incredibly popular. If something went wrong with or for PHP in terms of malicious actions, that could be quite bad.

As it happens…

A backdoor was added to the PHP code repository, which is definitely up there in the “quite bad” stakes. The PHP team aren’t sure how it happened yet.

What did the attackers do?

Remember the Wikipedia mention earlier? You know how some pages attract trolls and an edit war with defacements and roll-backs is the end result? A similar thing happened here. The malicious code additions were made by someone disguising their alteration as a typo fix, under the name of the creator of PHP.

The rogue code allowed for backdoor access into websites running the non-legit version of the code. It was removed, put back, and removed again some time later.

As a result of this attack, the PHP team are making some changes to how they operate moving forward. According to PHP’s Nikita Popov, “everything points towards a compromise of the git.php.net server”, meaning that the computer that Git was running on was compromised, rather than individuals’ Git accounts. So, like much of the rest of the world, the team is moving its code to GitHub:

While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.

Contributors will also have to be part of the PHP organization on GitHub, which requires two-factor authentication.

This will hopefully make it much more difficult for something like this to happen again.

Am I affected?

According to ZDNet’s reporting, the commits (changes) were caught in the nick of time. As a result, users shouldn’t be affected. The PHP team are also digging into everything available, to ensure no other dubious alterations were made without anybody realising.

In short, you’re likely fine. The story is still developing, so it’d be wise to keep an eye on the news for the next few weeks. As for the attack itself? Opinion is split in some quarters as to how malicious it was intended to be. Although the commits were done in a way to suggest they wanted to stay hidden, it was almost inevitable they’d be found. Some folks have suggested a zero day was publicly “burnt” (used up) to warn of the danger of such a technique. Others maintain it was flat out malicious, end of story.

Whatever the truth of the story, it’ll be fascinating to see how things pan out. A little less excitement for stories related to code keeping 79% of websites ticking over would be a nice status quo to go back to.

The post Malicious commits found in PHP code repository: What you need to know appeared first on Malwarebytes Labs.

PYSA, the ransomware attacking schools

The education sector’s cybersecurity problem has compounded in the last few months. A recent warning from the FBI, in mid-March, put schools in the US and UK on notice of increased attacks from the threat actors behind the PYSA ransomware.

If this is the first time you’ve heard of this family, read on.

What is PYSA ransomware?

Home page image of the PYSA data leak site (Courtesy of Marcelo Rivero)

The PYSA ransomware is a variant of the Mespinoza ransomware.

PYSA, which stands for “Protect Your System Amigo”, was first named in open source documents in December 2019, two months after Mespinoza was spotted in the wild. Mespinoza originally used the .locked extension on encrypted files, and then shifted to using .pysa. Because of this, many use the names PYSA and Mespinoza interchangeably.

PYSA, like many known ransomware families out there, is categorized as a ransomware-as-a-service (RaaS) tool. This means that its developers have rented out this ready-made ransomware to criminal organizations, who may not be technically savvy enough to produce their own. PYSA customers can customize it based on options provided by the RaaS groups, and deploy it to their liking. PYSA is capable of exfiltrating data from its victims before encrypting the files to be ransomed.

According to Intel 471, a threat intelligence company, PYSA/Mespinoza is a tier 2 RaaS operator as it has been gaining reputation in the underground. Operators or crews who do this have a page—called a “leak list”—where they name and shame victims who decide not to pay the ransom. Victims are listed with an accompanying attachment containing files the threat actors exfiltrated from them.

PYSA’s “leak list” blog uses a vintage MS-DOS theme and ASCII art. Threat actors explicitly call their victim organizations “Partners”. (Courtesy of Marcelo Rivero)

PYSA ransomware has at least three known infection vectors: brute-force attacks against management consoles and Active Directory (AD) accounts, phishing emails, and unauthorized Remote Desktop Protocol (RDP) connections to domain controllers. Once inside a network, the threat actors take their time scanning the network with Advanced Port Scanner and Advanced IP Scanner, both free tools, and move laterally within the network using PsExec.

The threat actors then manually execute the ransomware within the network after exfiltrating all the data they need for leverage. Files are encrypted with AES, and the AES keys are in turn encrypted with RSA.

Who has been attacked by PYSA?

PYSA is known to target large private organizations and those in the healthcare industry. They have also hit government groups across multiple continents. Recently, PYSA has increasingly been used against educational institutions in the US and UK.

Below is a non-exhaustive list of incidents involving PYSA:

  • In March 2020, CERT France issued a warning to French local governments of PYSA’s increased attacks.
  • In May 2020, MyBudget, an Australian money management firm, experienced an “outage” that lasted 13 days (from 9 May to 22 May). Leaks of exfiltrated data landed on PYSA’s blog. The company later confirmed to iTWire on 29 May that the long outage was caused by a ransomware attack. The next month, however, sources noticed that MyBudget’s name and files had been taken down from PYSA’s blog, leading some to speculate that it may have paid the ransom, despite assurances that it had “no intention of engaging with ransom demands.”
  • In October 2020, a “serious cyberattack” affected London’s Hackney Council in the UK, leaving it unable to process housing benefit payments and causing house purchases to fall through. Although the council was tight-lipped about the entire incident at first, it became known that the PYSA ransomware threat actors were behind the attack after they leaked the data they had exfiltrated from the council in January 2021.

Does Malwarebytes detect PYSA ransomware?

We sure do. We detect it as Ransom.Mespinoza.


Indicators of compromise (IOCs)

SHA256 hashes:

  • 7fd3000a3afbf077589c300f90b59864ec1fb716feba8e288ed87291c8fdf7c3
  • e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead
  • a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327
  • 327934c4c11ba37f42a91e1b7b956d5a4511f918e63047a8c4aa081fd39de6d9
  • e4287e9708a73ce6a9b7a3e7c72462b01f7cc3c595d972cf2984185ac1a3a4a8
  • f0939ebfda6b30a330a00c57497038a54da359e316e0d6e6e71871fd50fec16a
  • 48355bd2a57d92e017bdada911a4b31aa7225c0b12231c9cbda6717616abaea3
  • 0f0014669bc10a7d87472cafc05301c66516857607b920ddeb3039f4cb8f0a50
  • 61bb42fe06b3511d512af33ef59baa295b29bd62eb4d0bf28639c7910a65e4ae
  • 425945a93beb160f101d51de36363d1e7ebc45279987c3eaf5e7f183ed0a3776
  • 5510ae74b7e2a10fdafa577dc278612f7796b0252b7d1438615e26c49e1fc560
  • 1a0ff707938a1399e23af000567806a87fff9b8789ae43badb4d28d4bef1fb81
  • b1381635c936e8de92cfa26938c80a359904c1d709ef11ee286ba875cfb7b330

Ransom note file, Readme.README, containing the following content:

Hi Company,

Every byte on any types of your devices was encrypted.
Don’t try to use backups because it were encrypted too.

To get all your data back contact us:
{2 @protonmail.com email addresses}

————–

FAQ:

1.

Q: How can I make sure you don’t fooling me?

A: You can send us 2 files(max 2mb).

2.

Q: What to do to get all data back?

A: Don’t restart the computer, don’t move files and write us.

3.

Q: What to tell my boss?

A: Protect Your System Amigo.

The post PYSA, the ransomware attacking schools appeared first on Malwarebytes Labs.

5G slicing vulnerability could be used in DoS attacks

The IT security researchers at AdaptiveMobile have called out what looks like an important vulnerability in the architecture of 5G network slicing and virtualized network functions. They warn that the risks, if this fundamental vulnerability in the design of 5G standards had gone undiscovered, are significant.

What is 5G?

5G is the 5th generation mobile network. It is the fifth new global wireless standard after (you’ll never guess) 1G, 2G, 3G, and 4G. 5G enables a new kind of network that is designed to connect virtually everyone and everything together, including machines, objects, and devices. 5G is based on OFDM (Orthogonal frequency-division multiplexing), a method of modulating a digital signal across several different channels to reduce interference.

What is 5G network slicing?

5G network slicing is a network architecture that enables the multiplexing of virtualized and independent logical networks on the same physical network. Basically, the actual 5G network is compartmentalized into multiple virtual networks that function independently.

This allows the infrastructure providers to divide their network up into several independent ones for separate mobile network operators. A mobile operator can create specific virtual networks that cater to different clients and use cases.

The vulnerability

Network functions are services available within a network, and in 5G they can be dedicated to a single slice or shared between multiple slices. AdaptiveMobile Security looked at 5G networks that contain both shared and dedicated network functions.

What it learned was that when a network has network functions that serve several slices, there is no mapping between the application-layer and transport-layer identities, which allows rogue slices to do more than they are allowed to. The separate networks were not as separate as they should be.

The fundamental vulnerability has the potential to allow data access and denial of service attacks between different network slices on a mobile operator’s network.

5G networks are complex, and so are the attacks. AdaptiveMobile sets out a few examples in its report, but the easiest to explain is an example of a Denial of Service (DoS) attack.

Imagine a network carved into two slices that can both have access to the same shared network function (“the shared service”). We’ll call the slices “Victim” and “Aggressor”, just to make it really obvious! In our example, the Aggressor network slice is under the control of a rogue operator who wants to run a DoS attack against the Victim network slice.

In simple terms, the Aggressor slice sends a message to the shared service, claiming that it is the Victim slice, and that it’s overloaded and does not want to receive any communication from the shared service, thereby denying that service to Victim.

The attack works because although the shared service (correctly) checks that the Aggressor slice is permitted to speak to it, it does not have to check that the messages the Aggressor sends actually relate to the Aggressor slice and not to a different one.

Or, as the report puts it:

Currently, there is no requirement in the 3GPP specifications to validate if the slice identity in the 3GPP-Sbi-Oci header matches the slice identity in the token for the service API usage.

How can this be abused?

According to AdaptiveMobile, an attacker with access to the 5G Service Based Architecture could gain access to data and launch denial of service attacks across multiple slices:

  • Exposure of the operator and their customers, including the loss of sensitive location data.
  • Denial of service against another network function on the same network.
  • Access to a network function, and related information, belonging to another vertical customer.

Is there any real danger?

To pull off a successful attack you would have to get accepted as a mobile operator and be assigned a “slice” of the 5G network, which would set you back a significant amount, probably a lot more than you could ever hope to gain by successfully exploiting the flaw. The only real and current danger would be if two competitors on the same network decided to spy on one another. Given the limited number of network operators and the cost involved in becoming one, the danger to customers seems non-existent.

But, once a flaw has been found, there is a good chance more will follow, and it is better to expose these flaws than to discard them just because they are harmless now. Because, as the head of 5G Security Research at AdaptiveMobile Security, Dr. Silke Holtmanns, put it:

“Having brought this to the industry’s attention through the appropriate forums and processes, we are glad to be working with the operator and standards communities to highlight this issue and promote best practice going forward.”

In short, it’s good to be aware of existing vulnerabilities, but we have seen much more effective DoS attacks against 5G.

The post 5G slicing vulnerability could be used in DoS attacks appeared first on Malwarebytes Labs.

The one reason your iPhone needs a VPN

For years, Apple has marketed its iPhone as the more secure, more private option when compared to other smart phones, which do not, by default, include an end-to-end encrypted messaging app, warn users repeatedly about app location requests, or provide a privacy-forward Single Sign-On feature.

But, while Apple has taken several, commendable steps into protecting users, the company’s reach only goes so far, which means that it alone cannot stop threat actors from snooping on users’ unencrypted web traffic, poorly configured apps from leaking user data to rogue WiFi networks, or mobile phone carriers from selling user data to make money.

For those problems, iPhone users would greatly benefit from using a Virtual Private Network (VPN). A VPN creates an encrypted “tunnel” between your phone and somebody you trust, such as the company you work for, or your VPN provider. Your phone traffic is routed through the tunnel, where it’s protected from surveillance, before joining the internet.

Using a VPN on an iPhone can bolster the overall privacy and security that users have come to expect from the Cupertino-based phone maker, which has literally gone to court to fight back against efforts to downgrade its mobile operating system’s security.

If there’s one reason users need to use a VPN with their iPhones, it’s this: a VPN can protect where Apple cannot. Below is a list of reasons why you need a VPN on your Apple iPhone:

VPNs encrypt your iPhone’s web activity

The Internet is a complex place, with countless servers hosting trillions of web pages, visited by billions of machines every day. When you use the Internet, there are some safeguards in place for protecting your online activity, but those safeguards are incomplete and they aren’t the work of Apple. Expecting Apple to protect all of your Internet traffic is like expecting Ford to make safer highways.

Because of this, when you use an iPhone to browse online, you could still be vulnerable to threat actors snooping on your Internet traffic when you use a public WiFi network, like when working at a café, staying at a hotel, or waiting for a flight at the airport.

Using a VPN on your phone can protect you against those attacks, in exactly the same way it would if you were browsing the web on your laptop or desktop machine. You get the same security and the same privacy boosts, no matter the device. This is crucial because, as users begin to spend more time navigating the Internet on their phones, they are spending more time connecting to it from untrusted environments, over somebody else’s WiFi.

The good news for Internet users is that there is a long-standing effort to encrypt the entirety of the web. But although great strides have been made in the last decade, it’s important to remember that the Internet today is not yet reliably private or secure. Whilst lots of web pages are served over HTTPS (the secure form of HTTP) many are not, and most DNS lookups—which reveal the names of the websites you’re visiting—are vulnerable to snooping.

The better news is that, until the entirety of the web is encrypted, a VPN will fill in the gaps and provide much of the security online that Apple can’t control. Remember, the iPhone’s security can only go so far.

VPNs encrypt your iPhone’s app traffic

Encrypting your iPhone’s web activity while browsing online is good, but realistically, many of your iPhone apps are connecting to the Internet on a near round-the-clock basis, crunching data in the Cloud, and refreshing in the background to check for notifications and updates. Just because these connections aren’t happening through a browser doesn’t mean that threat actors are any less interested in them.

In fact, the vulnerabilities of many poorly configured apps are likely too many to count. Time after time, studies of different types of apps have shown too many are either missing the encryption necessary to protect you, or that it exists in a weak, flawed or broken state. And, most alarmingly, there is no way for users to tell the good apps from the bad ones without specialist knowledge and equipment.

Just like the web, there is only so much that Apple can do to protect you from apps that communicate insecurely. But, again, a VPN can help plug the gaps in your apps’ encryption by wrapping it all in a protective tunnel.

VPNs stop your carrier from monetizing your data

Protecting your Internet activity from eavesdropping doesn’t just defang threat actors, it also prevents your mobile service carrier from making an extra buck at the expense of your privacy. At least in the United States, mobile service carriers like Verizon, AT&T, and T-Mobile can look at your Internet activity—including what you look at, what apps you’ve downloaded, and how you interact with certain services—and then bundle that activity into profiles that they can sell for advertising purposes.

If this sounds wrong to you, you’re not alone. And if you think that mobile carriers wouldn’t abuse your data, think again. Last year, the US Federal Communications Commission announced a collective $200 million in fines against Verizon, AT&T, Sprint, and T-Mobile for those companies’ sale of user location data without users’ consent.

A VPN on iPhone will hide a great deal of your Internet activity from your mobile carrier, in the exact same way that it hides your online activity from your Internet Service Provider. Your carrier is on the outside of the VPN’s tunnel and can’t look inside it. Take a stand for your privacy and reclaim your Internet activity for yourself.

By now, it should be clear that using a VPN with an iPhone isn’t futile, or redundant, or useless. In fact, it’s a great way to bolster your security and your privacy.

The post The one reason your iPhone needs a VPN appeared first on Malwarebytes Labs.

Steam users: Don’t fall for the “I accidentally reported you” scam

Suppose that, out of the blue, a Steam user tells you they’ve accidentally reported you for something you didn’t do, like making an illegal purchase, and that your Steam account is going to be suspended.

They ask you to message a Steam admin, whose profile they kindly provide, to help you sort out this dilemma.

What do you do?


There are some scams on Steam which have stood the test of time. Their tactics and targets have remained generally consistent for years. Phishing campaigns aimed at harvesting as many user credentials as possible, for example, are a dime a dozen. And let’s not forget the many ways a fraudster can dupe Counter-Strike: Global Offensive (CS:GO) players.

Like Steam phishing campaigns, this particular Steam scam—referred to loosely as the “I accidentally reported you” or “I accidentally reported your account” scam—has been coming and going since initial reports of it emerged in late 2018. To date, it has no other target apart from Steam users. And, based on its latest iteration, it targets Steam users who also have a Discord account.

For those who aren’t aware of this scam and its variants, below is a breakdown of how the scam works. On the other hand, if you’re quite acquainted with it, dear Reader, then feel free to skip to the next section.

The Steam scam playthrough

The hello

The fraudsters behind the “I accidentally reported you” scam usually approach their targets under the pretext that they need something, or they have something to say. Anything to suggest that it’s something important and that they should be heard out.

They may already be a Steam “friend”, from a couple of days or years ago, someone in the same Steam group as you, or a user who wants you to add them to your friends list.

These scammers are straightforward but polite, usually greeting you first before asking if you’re busy so as not to intrude. They are even convincingly apologetic. (Image via Reddit user /u/Moritz_M05.)

I’m so sorry but I accidentally reported your account to the steam admin for scamming me and duping items instead of someone who impersonated your profile and that impersonator is a scammer who scammed me 🙁

There is no word-for-word script that scammers stick to, but the gist is this: someone posing as you scammed them, but they reported you instead of the impostor.

Note that other variants of this scam will claim that they have reported you for “doing illegal purchases”—another reason to cause a degree of alarm but flawed, nonetheless.

The help

(Via /u/Moritz_M05)

I’m worried about your account now bro because the steam admin already ban his account

(Via /u/Moritz_M05)

if my report on your account gets process you will get ban too just like the scammers account 🙁

At this point, the scammer drives the point that your account will get banned next, unless something is done. The scammer then insinuates that help is on the way: a “Steam admin” that will cancel the report and remove the target’s account from the ban pile. However, they should confirm that the report against them was a mistake first.

ok so here is the profile of the steam admin if he accept just file a ticket to him that you are not involved in the report

The sharing of a legitimate profile—or what appears to be legitimate—that is connected to Steam or its developer, Valve, is one of the tactics scammers employ to make their claims look more truthful.

If you raise the possibility that this Steam admin might not accept your friend request, the scammer suggests that you contact them via Discord.

(Via /u/Moritz_M05)

can you add him on discord? so that if he cannot notice your req on steam maybe he will notice it on discord.

anyway I need to show you something

Oh no, what now?

this is a reply about my report on your account

The scammer shows a purported response from “Jill”, the Steam admin of this case, containing explicit instructions to contact the party who was mistakenly blocked and have them contact her as well through Discord. She even left her Discord user name. (Via /u/Moritz_M05)

It’s another reinforcement tactic, to erase any doubts you may still have. Frankly, it’s overkill at this point.

The hogwash

Convinced of what you must do and who you need to contact, you get in touch with the Steam admin. Of course, this admin is fake and likely either the scammer or an accomplice.

Note that the tone of the conversation changes here. The scammer’s concerned and helpful front is gone once you start chatting with the fake admin:

Hello there, Please state the reason why did you add me?

After you briefly explain the situation, the fake admin asks for a screenshot of the chat that transpired between you and the scammer.

I received the report according to our coordinator’s review about illegal activity for Illegal Purchased but you don’t have to worry here if you’re not really involved in the said issue. I will remove the banned report issue in your account. All you need to do is to prove that your account is in good condition and it was a false accusation so that Valve Report Assistance Team will cancel the Banned report charge on your account

The proof they ask for is a screenshot of your purchase history. They will also ask you to log out of your Steam account on your computer and/or mobile so they can “start the scanning of your account status”. Of course, there is no scan. The fake admin asks this as a lead-in to asking for more information—for starters, the email address tied to your Steam account.

An email address is needed when a Steam user finds themselves locked out of their account and they forgot their account name or password.

The fake admin asks you to get the verification code sent by Steam to your email address. If you happen to have Steam Guard enabled, the fake admin will ask for the code as well.

Never give anybody your Steam Guard password.

In some cases, the fake admin will ask you to send them the reported duplicate item to check if it was, indeed, a duplicate via the Steam trading function. This is framed as “borrowing” the item, but you won’t be getting it back.

If you comply with the fake Steam admin you can lose your accounts, your game items, and even money.

Targets who question any of the tasks the fake admin asks them to do are met with the pressure to respond quickly because they’re “running out of time”, they are presented with a fake certificate, or they are threatened with having their accounts deleted.

[Screenshot] Fake Steam admin not giving you any choice but to comply, or else. (Via /u/GatoTristeY)
[Screenshot] I know, right? (Image taken from a hijacked Steam profile)
[Screenshot] “Shall I proceed your account to deletion?” (Via /u/freshfred69)

Although several Steam users will not reach this part of the scam, many aren’t so lucky. Some, despite knowing that something is off, aren’t 100 percent sure if they’re dealing with a scammer or not.

True social engineers, or just desperate?

What we believed to be the first variant of this scam in 2018 was simple and solely focused on misusing the Steam trading function. This scam is now highly evolved and, one can say, has branched out into other nefarious acts, such as hijacking accounts, rare item theft, and other ways scammers can milk victims of their (or their parents’) hard-earned money.

Like most scams, the “I accidentally reported you” scam relies heavily on social engineering tactics that aim at gaps in a Steam user’s familiarity with how things work within the platform’s ecosystem.

Scammers want to appear believable, so it’s no surprise they use already hijacked accounts that have a good standing on Steam when reaching out to targets. The same can be said about Discord accounts under their control.

[Screenshot] Scammers refurbish accounts to make it look like a Valve employee by customizing its URL and providing more background info. If this doesn’t scream “I’m a Valve employee!”, then I don’t know what does. (Via /u/CoffeeMapachi)

The scammers behind this scheme also come prepared. Not only do they have the materials—screenshots and a guide script—they need to counter frequent questions raised about their credibility, they are also not afraid to play on Steam users’ fears, even at the risk of losing the credibility they already built up with their target.

Familiarize and exercise

Steam has always put the onus of not getting scammed onto the shoulders of its users. If you did get scammed, Steam Support will assist to the best of their abilities, including getting your hijacked account back. But beyond this, with things like retrieving a stolen rare item or refunding money if your account has been used to purchase Steam gift cards (for example), they likely won’t be able to help.

That said, it’s crucial for Steam users to realize that they may have blind spots and may not be as well acquainted with some aspects of the platform as they think. Filling in these blind spots can help you spot scams.

Know that:

  • There is no such thing as “Steam admin”, false report, or a “Certificate of Eligibility”.
  • There are Valve employees with Steam profiles. And they proudly display a legitimate badge to prove this. They are top-tier moderators (mods) who have full administrator privilege in Steam.
  • Real Valve employees belong to two invite-only groups, which are Valve and Steam.
  • There are Steam Community Moderators. Like Valve employees, current and retired moderators have their own badges, too. Community moderators can ban users, among other things.
  • Real Steam Community Moderators, both active and inactive, belong to the invite-only group, STEAM Community Moderators (SUFMods).
  • There is a page where you can look up all Steam Community Moderators.
  • Scammers link back to legitimate profiles of Valve employees or Steam moderators to hook targets into reaching out through Discord. These Discord accounts are not manned by Valve employees but by scammers.
  • There is no such thing as an illegal item. So there is no need for anyone to review an item.
  • If an item does need inspection, Valve employees would not require you to hand them over. They will just look it up in their database.
  • Duplicate items (or dupes) exist, but they are not illegal. Duplication was done years ago by Steam Support to restore scammed or stolen items for hijacked victims. Steam Support doesn’t do this anymore.
  • If you have handed over an item to someone claiming to be a “Steam admin”, consider it gone forever. The current policy is that Steam Support does not restore items that have left an account, including scammed ones.
  • If there is a problem with your account, or you have an impending ban, Steam will let you know either via email, a Support ticket, or account alerts. Here is an example [link to account-alert-sample] (taken from Steam on Reddit).
  • A Steam moderator will never contact you via chat or a third-party app like Discord for any reason.
  • A Steam moderator will never mediate between you and another user.

Secure your Steam account by using a strong password, taking full advantage of Steam Guard—Steam’s two-factor authentication method—and be aware of the latest scams that are targeting you as a Steam user. Keep the above points in mind, and stay safe!

The post Steam users: Don’t fall for the “I accidentally reported you” scam appeared first on Malwarebytes Labs.

Why you need to trust your VPN: Lock and Code S02E05

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we speak to Malwarebytes senior security researcher JP Taggart about the importance of trusting your VPN.

You’ve likely heard the benefits of using a VPN: You can watch TV shows restricted to certain countries, you can encrypt your web traffic on public WiFi networks, and, importantly, you can obscure your Internet activity from your Internet Service Provider, which may use that activity for advertising.

But obscuring your Internet activity—including the websites you visit, the searches you make, the files you download—doesn’t mean that a VPN magically disappears those things. It just means that the VPN itself gets to see that information instead.

Tune in to hear about what your VPN can see, why it is important for that information to be secured, and how you can safely transfer your trust to a VPN, on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

We cover our own research on:

Other cybersecurity news:

  • Hades ransomware has been linked to the Evil Corp cybercrime gang who uses it to evade sanctions. (Source: BleepingComputer)
  • Researchers discover two dozen Chrome extensions that are being used to serve up unwanted ads, steal data, and divert users to malicious sites. (Source: DarkReading)
  • An advisory for two high-severity flaws has been issued by the OpenSSL project. (Source: SecureBlink)
  • A $50m ransomware demand made against PC manufacturer Acer by the REvil/Sodinokibi cyber crime syndicate sets a new record. (Source: ComputerWeekly)

Stay safe!

The post Why you need to trust your VPN: Lock and Code S02E05 appeared first on Malwarebytes Labs.

Don’t post it! Six social media safety sins to say goodbye to

If you or anyone you know is committing the below social media sins, it’s time to change that habit of an online lifetime. Even the most innocuous of things can cause trouble down the line, because everyone’s threat model is different. Unfortunately, people tend to realise what their threat model is when it’s already too late.

With this handy list, you’ll hopefully avoid the most common mistakes which are served up to social media with a dash of eternal regret.

Don’t post: credit card information

Yes, people do this. Someone is issued a new credit card. Perhaps it’s their first and they’re really excited. They want to tell the world…and they do it by posting up un-redacted shots of the front and back of the card. If they’re really unlucky, they’ve left bits and pieces of personal information on the same profile or elsewhere. I’m not sure why, but these posts often stay online long after hundreds of people have replied with “Delete this!”

It’s a mystery we may never get to the bottom of.

Don’t post: medical information

This is quite a timely one. Various forms of medical data are very popular on social media right now, especially due to the pandemic. Got a nice health and wellbeing story? Off it goes into Twitter or Facebook. This can bring problems, however. Back in 2017 we looked at the trend of posting X-Rays to social media. Even where people thought they’d redacted everything, some details still slipped through the net.

Wind forward to 2021, and we have people posting vaccination selfies. Those are fine. However, close-ups of the sheets / slips detailing patient info in relation to their vaccine are not. There’s plenty of folks posting these images up from all over the world, which is to be expected. We beg you to ask yourself if you really need to post it and, if you do, please redact most if not all the information on these cards. You really don’t need it online.

Don’t post: visas and passport photos

Many immigration advice firms post to social media whenever they manage to obtain visas for their clients. That’s great! Well done. What’s not so great? Posting images of the client’s passport to social media, usually along with the visa, or other entry document.

Occasionally they’ll redact some of the data…but not all of the time. And even when name / address / D.O.B. is obscured, other elements are left visible. That could be their biometric residence permit number, or something else specific to their identity in their new country of residence. Given these are Government issued documents, it’s best not to post any of it online at all. There’s often steep fees for replacement documents, and I’m not sure if it’s any better if they need replacing due to negligence as opposed to loss.

Let’s say “It’s probably worse” and resolve to never do it again.

If you’re a customer of organisations helping arrange visas and you know they have social media accounts? Feel free to keep an eye on their feeds, especially if you see they already do this. You’ll probably find yourself posted online at some point, and even with redactions applied this feels like a very uncomfortable practice.

Don’t post: personal information in customer service chats

Interacting with customer service reps on Twitter is something people do 24/7. It’s often one of the fastest ways to resolve an issue, but trouble beckons when people post the inner workings of their problem. Something wrong with an order? Missing screws for your DIY table? Milk expired 3 weeks ago?

Okay, but you don’t need to post everything to go with it. Order numbers tied to public accounts, screenshots of your order summary complete with home address listed, telephone numbers, we’ve seen them all down the years.

Is your delivery driver disputing that someone was in when they rang the doorbell? It happens, but you don’t need to post up a shot of the GPS indicator from their website showing exactly where you live.

All of this information is usable to some degree by people up to no good. It could be phishing, it could be doxxing, it might be stalking. Bottom line: start from a position of total redaction and only show what you absolutely need to.

If you’re taking the conversation to direct messages? Don’t post anything sensitive in there either, and that includes things like passwords.

Don’t post: vacations in real-time

Given it’s an age since anyone likely went on holiday, it’s worth dusting off one more golden oldie. If and when we’re all able to go on vacation, remember to control your travel experience ruthlessly.

We strongly suggest you post about your trip after you get back home. It may be appealing to get everything online as it takes place, but “I’m hundreds of miles away from my empty home” seems a bit dangerous to us.

This is especially the case if any of your profiles make use of geolocation, or you happily tag your home address in any geolocation service. You may as well hire someone to fly a plane over your house with a big banner that says “We’re empty for 14 days, come on in”. This isn’t a very catchy marketing slogan, but people up for a bit of burglary will love it.

Don’t post: the TMI selfie

This probably isn’t what you’re expecting it to be. However.

Something we regularly see on social media is the TMI selfie. This is an entirely boring and normal photo, with one major exception lurking. That pic of your nice new sofa in the front room? There’s a letter on the shelf with your bank statement on it. The Instagram-worthy snap of your meal? You can see a reflection of confidential work information on your laptop in the mirror. Finally received that delivery you’ve been waiting on and Tweeted it out? You left the label with your address on the box.

We let our guard down in places we trust. This often proves disastrous for people who prefer to remain a little bit anonymous on social media. The TMI selfie is usually brought to light by helpful followers of whoever happens to post it. Interestingly, unlike the credit card snaps, these usually get deleted swiftly. That’s definitely a good thing.

Keeping it safe on social

These are the social media sins which frequently have a negative impact on people’s lives when they least expect it. By avoiding them, you’re encouraging solid security and safety practices in all aspects of your life both offline and on. If you can think of others, we’d love for you to add some of your own in the comments.

The post Don’t post it! Six social media safety sins to say goodbye to appeared first on Malwarebytes Labs.

Slack hurries to fix direct message flaw that allowed harassment

The enormous work messaging platform Slack quickly reversed course yesterday, promising to revise a brand-new direct message feature that could have been misused for harassment.

Added to the company’s “Slack Connect” product—which lets enterprise users share messages with contract workers and third-party partners outside their company—the new “direct message” feature allowed paying Slack users to message anyone outside of their company or organization, so long as they had another person’s email address. The messages came attached to an invite, but as many tech news outlets and concerned online users noted, there was no way for recipients to block the invites, or to block the content of the messages that came attached to the invites.

As Twitter product employee Menotti Minutillo said on Twitter, the implementation of Slack Connect DMs meant that malicious users could send repeated DM invites with harassing language, and that Slack would also email the DM’s recipient with the invite, including the harassing language. DM recipients would also have trouble blocking those emails as they came from a generic email address, too, Minutillo said.

Further, according to TechCrunch, the Slack Connect DM feature is opt-in at the organizational level, meaning that individual employees could not, alone, override their company’s decision, should it choose to enable the feature.

Less than 24 hours after Slack Connect DM’s full release, Slack realigned. According to Slack Vice President of Communications and Policy Jonathan Prince, the company will disable the capability to customize messages that are attached to Slack Connect DM invites.

Prince’s full statement is as follows:  

 “After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs. Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”

Slack’s quick work to fix the problem is appreciated, but it is curious that the company did not catch the problem before the full rollout. The company has already faced complaints about the limited features in the free version of its platform, which allows users to visibly show harassing language without even having to actually write and send messages. This is because Slack automatically sends notifications when new users join a thread, so if those new users stylize their username to be an insult, then the users in that thread will receive a notification that includes that language.

Further, the problem of harassment on messaging platforms is far from new. On the Lock and Code podcast, when we spoke with Electronic Frontier Foundation’s Director of Cybersecurity Eva Galperin, Galperin warned about this very issue.

“Primarily, the onus for making safe platforms, is on the makers of the platforms,” Galperin said. “And so, if there are people who are listening to this podcast, who are developing software or who are developing platforms or services for commercial use, I encourage them to think about how their tool will be used for harassment.”

Galperin provided specific guidance for any platform with messaging capabilities. She said that those platforms should make it possible for users to not use their real names, and for users to block other users or to mute certain keywords. This setup, Galperin said, is beneficial for both the user and the company.

“If you give the power to the users, then they can decide what is harassment and what is abuse, and it really takes the onus off the platform to be judge, jury, and executioner for every communication that somebody has online.”

Unfortunately, Slack users could not block users—and in fact the company has pushed back against such a feature for years—or mute keywords, and users would have trouble filtering out emails from Slack’s generic email addresses that included the DM invites and the accompanying messages.

These may sound like high-level discussions that are difficult to forecast, but there is actually a far simpler way to look at the problem. To borrow the words of Twitter user @geekgalgroks, a developer and accessibility advocate:

“Seriously with every new messaging system and feature ask yourself if people can send unsolicited dick pics and if those receiving them can block the sender.

Because it will happen.”

The post Slack hurries to fix direct message flaw that allowed harassment appeared first on Malwarebytes Labs.

Perkiler malware turns to SMB brute force to spread

Researchers at Guardicore have identified a new infection vector being used by the Perkiler malware where internet-facing Windows machines are breached through SMB password brute force.

Perkiler is a complex Windows malware with rootkit components that is dropped by the Purple Fox exploit kit (EK) and was spread by phishing campaigns.

What is SMB?

Server Message Block (SMB), aka Common Internet File System (CIFS), is the network protocol that enables file exchanges between Microsoft Windows computers. You will find it wherever Windows computers are sharing printers, files, and sometimes remote control. By default, SMB is configured to use ports 139 and 445.

SMB vulnerability history

SMB has a history of being used by malware (coupled with a history of being enabled by mistake and exposed to the Internet by accident). The most famous example of SMB-exploiting malware is WannaCry. This worm-like outbreak spread via an operation that hunted down vulnerable public facing SMB ports and then used the EternalBlue exploit to get on the network, chained with the DoublePulsar exploit to establish persistence, and allow for the installation of the WannaCry ransomware.

What are brute force attacks?

A brute-force password attack is a relentless attempt to guess the username and password of one or more systems. As it sounds, a brute-force attack relies on force rather than cunning or skill: It is the digital equivalent of throwing everything and the kitchen sink at something. Some attacks will try endless combinations of usernames and passwords until finding a combination that works, others will try a small number of usernames and passwords on as many systems as possible.

Brute force attacks are usually automated, so they don’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system-specific property, an attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and wait to get notified when one of the systems has swallowed the hook.

Not a new infection method

The fact that the researchers found the Perkiler malware attacking Windows machines through SMB password brute force came as something of a surprise. Not because of the SMB brute force per se. SMB has always been brute forced, but why would you bother when you have:

  • EternalBlue that allows you to own every single unpatched SMB server without going through the brute force routine.
  • A few million RDP ports you can brute force with a potentially bigger gain. Remote desktop is exactly what the name implies, an option to remotely control a computer system. Which is much more interesting to an attacker than just being able to drop a file on an SMB server.

The answer to this question remains a mystery for now. Maybe they are planning ahead for when the number of vulnerable RDP servers dries up.

Using compromised machines

Perkiler uses a large network of compromised servers to host its dropper and the payloads. These servers appear to be compromised Microsoft IIS 7.5 servers. Most of these Windows Servers are running IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels.

The rootkit

Once a machine is infected with the new variant of Perkiler, it reboots to load the rootkit that’s hidden inside the encrypted payload. The purpose of this rootkit is to hide various registry keys and values, files, etc. Ironically enough, the hidden rootkit was developed by a security researcher to conduct various malware analysis tasks and to keep the research tasks hidden from the malware.

Infected machines

Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session.

One interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.
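The propagation behaviour just described (password guessing against SMB on port 445, with null-session attempts as a fallback) leaves a footprint in the target’s Security log. The following added example, which is not from Guardicore’s report or Malwarebytes’ tooling, runs a sliding-window detector over constructed Windows logon records; event IDs 4625/4624 and logon type 3 are real Windows values, while the sample records and the assumption that a null session is logged as ANONYMOUS LOGON are the author’s own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample records in the form ts|event_id|account|logon_type|source_ip.
# Event 4625 = failed logon, 4624 = successful logon; logon type 3 = network,
# which is how SMB authentication attempts appear on the target host.
SAMPLE_EVENTS = """\
2021-03-25T10:00:01|4625|administrator|3|198.51.100.7
2021-03-25T10:00:03|4625|admin|3|198.51.100.7
2021-03-25T10:00:05|4625|user|3|198.51.100.7
2021-03-25T10:00:06|4625|guest|3|198.51.100.7
2021-03-25T10:00:08|4625|backup|3|198.51.100.7
2021-03-25T10:00:09|4625|test|3|198.51.100.7
2021-03-25T10:00:12|4624|backup|3|198.51.100.7
2021-03-25T10:01:30|4624|ANONYMOUS LOGON|3|203.0.113.9
2021-03-25T10:02:00|4625|alice|3|192.0.2.5
2021-03-25T10:02:30|4625|alice|3|192.0.2.5
2021-03-25T10:03:00|4624|alice|2|192.0.2.5
"""

Alert = Tuple[str, str, str]  # (source_ip, alert_type, detail)


def parse_events(text: str) -> List[dict]:
    """Parse the pipe-delimited sample records into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, logon_type, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "account": account,
            "logon_type": int(logon_type),
            "src": src,
        })
    return events


def detect_smb_bruteforce(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=1)) -> List[Alert]:
    """Return alerts for the three propagation behaviours the article describes.

    - brute_force: at least `threshold` failed network logons from one source
      inside the sliding `window`
    - brute_force_success: a network logon success from a source already flagged
    - null_session: a network logon as ANONYMOUS LOGON (assumed here to be how a
      null session is recorded; confirm against your own baseline in real logs)
    """
    alerts: List[Alert] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 3:
            continue  # interactive/local logons are not SMB traffic
        src = ev["src"]
        if ev["id"] == 4625:
            q = recent[src]
            q.append(ev["ts"])
            # Drop failures that have fallen out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "brute_force",
                               f"{len(q)} failed network logons in {window}"))
        elif ev["id"] == 4624:
            if ev["account"].upper() == "ANONYMOUS LOGON":
                alerts.append((src, "null_session", "network logon as ANONYMOUS LOGON"))
            elif src in flagged:
                alerts.append((src, "brute_force_success",
                               f"logon as {ev['account']} after failure burst"))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in detect_smb_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{src:15} {kind:20} {detail}")
```

On the sample data the host at 198.51.100.7 is flagged for the burst and again for the successful logon that follows it, 203.0.113.9 for the null session, while 192.0.2.5 stays below the threshold.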

Mitigation

In theory, brute force password attacks conducted over the Internet can be defeated by even moderately strong passwords (six characters should be enough). However, even the threat of big-game ransomware using RDP brute force attacks hasn’t been enough to get people using stronger passwords. And if the prospect of facing a $50 million ransom isn’t enough motivation, it’s hard to see anything else working.

Luckily there are other, easier ways to blunt brute force attacks. The best defence of all is to remove the SMB (or RDP, or anything else) service from the Internet entirely, if possible, or to put it behind a VPN protected by two-factor authentication if it isn’t possible.

The post Perkiler malware turns to SMB brute force to spread appeared first on Malwarebytes Labs.