Archive for author: makoadmin

The Microsoft Browser Vulnerability Research team has found and reported a vulnerability in the audio component of Google Chrome. Google has fixed this high-severity vulnerability (CVE-2021-21166) in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the vulnerability. It is not the first time that Chrome’s audio component was targeted by an exploit.

No details available

Further details about the vulnerability are restricted until a majority of Chrome users have updated to the patched version of the software. What we do know is that it concerns an object lifecycle issue in the audio component of the browser.

An object lifecycle is used in object oriented programming to describe the time between an object’s creation and its destruction. Outside of the lifecycle the object is no longer valid, which could lead to a vulnerability.

For example, if everything goes as planned with the lifecycle the correct amount of computer memory is allocated and reclaimed at the right times. If it doesn’t go well, and memory is mismanaged, that could lead to a flaw – or vulnerability – in the program.

More vulnerabilities patched in the update

As per usual Google patched several other vulnerabilities and bugs in the same update. Some of the other vulnerabilities were listed with high severity:

Google said that it fixed three heap-buffer overflow flaws in the TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160) components. A high-severity use-after-free error (CVE-2021-21162) was found in WebRTC. Two other high-severity flaws include an insufficient data validation issue in Reader Mode (CVE-2021-21163) and an insufficient data validation issue in Chrome for iOS (CVE-2021-21164).

The CVE’s

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

• CVE-2021-21159, CVE-2021-21161: Heap buffer overflow in TabStrip. Heap is the name for a region of a process’ memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.
• CVE-2021-21160: Heap buffer overflow in WebAudio.
• CVE-2021-21162: Use after free in WebRTC. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. WebRTC allows programmers to add real-time communication capabilities to their application.
• CVE-2021-21163: Insufficient data validation in Reader Mode. Insufficient data validation could allow an attacker to use especially crafted input to manipulate a program.
• CVE-2021-21164: Insufficient data validation in Chrome for iOS.

When more details about the vulnerabilities come to light it’s possible that more exploits for them will be found in the wild. It depends a lot on how easy they are to abuse, and how big the possible impact can be. But with one already being used in the wild, it is advisable to update now.

How to update

The easiest way to do it is to allow Chrome to update automatically, which basically uses the same method I outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.

Stay safe, everyone!

The post Update now! Chrome fix patches in-the-wild zero-day appeared first on Malwarebytes Labs.

Detailed credentials for more than 21 million mobile VPN app users were swiped and advertised for sale online last week, offered by a cyber thief who allegedly stole user data collected by the VPN apps themselves. The data includes email addresses, randomly generated password strings, payment information, and device IDs belonging to users of three VPN apps—SuperVPN, GeckoVPN, and ChatVPN.

The attacks, which have not been confirmed by the VPN developers, represent the most recent privacy broadsides against the VPN industry. Two similar blunders have been revealed to the public since 2019, including one massive data leak that exposed several VPN apps’ empty promises to collect “no logs” of their users’ activity. In that data leak, not only did the VPN providers fail to live up to their words, but they also hoovered up additional data, including users’ email addresses, clear text passwords, IP addresses, home addresses, phone models, and device IDs.

For the average consumer, then, the privacy pitfalls begin to paint an all-too-familiar portrait: Users continue to feel alone when managing their online privacy, even when they rely on tools meant to enhance that privacy.

Cybersecurity researcher Troy Hunt, who wrote about the recent data leak on Twitter, called the entire issue “a mess, and a timely reminder why trust in a VPN provider is so crucial.”

He continued: “This level of logging isn’t what anyone expects when using a service designed to *improve* privacy, not to mention the fact they then leaked all the data.”

The data leak of SuperVPN, GeckoVPN, and ChatVPN

In late February, a user on a popular hacking forum claimed that they’d stolen account information and credentials belonging to the users of three, separate VPNs apps available on the Google Play store for Android: SuperVPN, GeckoVPN, and ChatVPN.

The three apps vary wildly in popularity. According to Google Play’s count, ChatVPN has earned more than 50,000 installs, GeckoVPN has earned more than 10 million installs, and SuperVPN weighs in as one of the most popular free VPN apps for Android today, with more than 100 million installs to its name.

Despite SuperVPN’s popularity, it is also one of the most harshly reviewed VPN apps for Android devices. Last April, a writer for Tom’s Guide found critical vulnerabilities in the app that so worried him that the review’s headline directed current users to: “Delete it now.” And just one month later, a reviewer at TechRadarPro said that SuperVPN had a “worthless privacy policy” that was cobbled together from other companies’ privacy policies and which directly contradicted itself.

Not more than one year later, that privacy policy has again been thrown into the spotlight with a data leak that calls into question just what types of information the app was actually collecting.

According to the thief who pilfered the information from SuperVPN, GeckoVPN, and ChatVPN, the data for sale includes email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and a user’s “Premium” status and the corresponding expiration date. Following the forum post, the tech outlet CyberNews also discovered that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.

According to CyberNews, the data was taken from “publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use.”

Past VPN errors

The unfortunate truth about the recent VPN app data leak is that this type of data mishap is nothing new.

In 2019, the popular VPN provider NordVPN confirmed to TechCrunch that it suffered a breach the year before. According to TechCrunch:

“NordVPN told TechCrunch that one of its data centers was accessed in March 2018. ‘One of the data centers in Finland we are renting our servers from was accessed with no authorization,’ said NordVPN spokesperson Laura Tyrell.

The attacker gained access to the server—which had been active for about a month—by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.”

Separate from the NordVPN breach, last July, seven VPN providers were found to have left 1.2 terabytes of private user data exposed online, according to a report published by the cybersecurity researchers at vpnMentor. According to the report, the exposed data belonged to as many as 20 million users. The data included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs.

The seven VPN providers investigated by vpnMentor were:

• UFO VPN
• Fast VPN
• Free VPN
• Super VPN
• Flash VPN
• Secure VPN
• Rabbit VPN

The researchers at vpnMentor also explained that there was good reason to believe that the seven apps were all made by the same developer. When analyzing the apps, vpnMentor discovered that all of them shared a common Elasticsearch server, were hosted on the same assets, shared the same, single payment recipient—Dreamfii HK Limited—and that at least three of the VPNs shared similar branding and layouts on their websites.

Finally, the report also highlighted the fact that all seven of the apps claimed to keep “no logs” of user activity. Despite this, vpnMentor said that it “found multiple instances of internet activity logs on [the apps’] shared server.”

The report continued: “We viewed detailed activity logs from each VPN, exposing users’ personal information and browsing activities while using the VPNs and unencrypted plain text passwords.”

So, not only did these apps fail to live up to their own words, but they also collected extra user data that most users did not anticipate. After all, most consumers might rightfully assume that a promise to refrain from collecting some potentially sensitive data would extend to a promise to refrain from collecting other types of data.

But, according to vpnMentor, that wasn’t the case, which is a clear breach of user trust.

Let’s put it another way:

Imagine choosing a video baby monitor that promised to never upload your audio recordings to the cloud, only to find that it wasn’t just sending those recordings to an unsecured server, but it was also snapping photos of your baby and sending those pictures along, too. 

Which VPN to trust?

The trust that you place into your VPN provider is paramount.

Remember, a VPN can help protect your traffic from being viewed by your Internet Service Provider, which could be a major telecom company, or it could be a university or a school. A VPN can also help protect you from government requests for your data. For instance, if you’re doing investigative work in another country with a far more restrictive government, a VPN could help obfuscate your Internet activity from that government, should it take interest in you.

The important thing to note here, though, is that a VPN is merely serving as a substitute for who sees your data. When you use a VPN, it isn’t your ISP or a restrictive government viewing your activity—it’s the VPN itself.

So, how do you find a trustworthy VPN provider who is actually going to protect your online activity? Here are a few guidelines:

• Read trusted, third-party reviews. Many of the issues in the above apps were spotted by good third-party reviewers. When picking a VPN provider, rely on the words of some trusted outlets, such as Tom’s Guide, TechRadar, and CNET.
• Ensure that a VPN provider has a customer support contact. Several of the VPN apps investigated by vpnMentor lacked any clear way to contact them. If you’re using a product, you deserve reliable, easy-to-reach customer support.
• Check the VPN’s privacy policy. As we learned above, a privacy policy is not a guarantee for actual privacy protection, but a company’s approach to a privacy policy can offer insight into the company’s thinking, and how much it cares more about its promises.  
• Be cautious of free VPNs. As we wrote about last week, free VPNs often come with significant trade-offs, including annoying ads and the surreptitious collection and sale of your data.
• Consider a VPN made by a company you already trust. More online privacy and cybersecurity companies are offering VPN tools to supplement their current product suite. If you already trust any of those companies—such as Mozilla, Ghostery, ProtonMail, or, yes, Malwarebytes—then there’s good reason to trust their VPN products, too.

It’s a complicated online world out there, but with the right information and the right, forward-looking research, you can stay safe.

The post 21 million free VPN users’ data exposed appeared first on Malwarebytes Labs.

Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.

“HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

The Hafnium attack group

Besides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to file sharing sites. Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).

Exchange Server

In many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.

In this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.

Not one, but four zero-days

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVE’s (with descriptions provided by Microsoft) used in these attacks were:

• CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
• CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
• CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
• CVE-2021-27065: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.

They all look the same. Boring you said? Read on!

The attack chain

While the CVE description is the same for the 4 CVE’s we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws — CVE-2021-26858 and CVE-2021-27065 — would allow an attacker to write a file to any part of the server.

Together these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

Urgent patching necessary

Even though the use of the vulnerabilities was described as “limited”, now that the information has been made public, we may see a quick rise in the number of attacks. Especially since the attack does not require a lot of information about the victim to start with.

Or as Microsoft’s vice president for customer security Tom Burt put it:

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”

Users of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.

Microsoft also advises that the initial stage of the attack can be stopped by “restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access”, although the other parts of the attack chain can still be exploited, if other means of access are used.

Stay safe, everyone!

The post Patch now! Exchange servers attacked by Hafnium zero-days appeared first on Malwarebytes Labs.

The French government’s computer emergency readiness team, that’s part of the National Cybersecurity Agency of France, or ANSSI, has discovered a Ryuk variant that has worm-like capabilities during an incident response.

For those unacquainted with Ryuk, it is a type of ransomware that is used in targeted attacks against enterprises and organizations. It was first discovered in the wild in August 2018 and has been used in numerous cyberattacks since, including high profile incidents like the attack on the Tampa Bay Times and other newspapers in January 2020. According to the FBI, it is the number one ransomware in terms of completed ransom payments.

How has Ryuk changed?

The French team found a variant of Ryuk that could spread itself from system to system within a Windows domain. Once launched, it will spread itself on every reachable machine on which Windows Remote Procedure Call (RPC) access is possible. (Remote procedure calls are a mechanism for Windows processes to communicate with one another.)

Why is this remarkable?

This is notable for two separate reasons.

• Ryuk used to be dropped into networks and spread manually, by human operators, or deployed into networks by other malware.
• Historically, one of the major players when it came to dropping Ryuk has been Emotet. And as it happens, the Emotet botnet suffered a serious blow when, in a coordinated action, multiple law enforcement agencies seized control of the Emotet botnet. And if the plan behind this takedown works, the botnet will be rolled up from the inside.

Targeted ransomware attacks command high ransoms because they infect entire networks, grinding whole organizations to a halt. Until this discovery, Ryuk had always relied on something else to spread it through the networks it attacked.

Given the timing of the Emotet takedown (January 27, 2021) and the discovery of the worm-like capabilities (“early 2021”) it’s tempting to connect the two. However, it would have required a very quick turn-around for these new capabilities to have been developed in response to the loss of Emotet. On the other hand, I’m not a firm believer in coincidence, especially when there are compelling reasons to suspect otherwise.

Not an Emotet alternative

But the new-found worm capabilities of Ryuk are not an alternative to the initial infection of a network that was done through Emotet. The worm-like capabilities can be deployed once they are inside and not to get inside.

And even though Emotet was renowned for appearing in combination with Ryuk, it certainly wasn’t its exclusive dealer. It is still hard to tell what the impact of the Emotet takedown will be on the malware families that were often seen as its companions.

Ryuk’s technical capabilities

The team behind Ryuk has proven with earlier tricks that they are very adept in using networking protocols. In 2019 researchers found that Ryuk had been updated with the ability to scan address resolution protocol (ARP) tables on infected systems, to obtain a list of known systems and their IP and MAC addresses. For systems found within the private IP address range, the malware was then programmed to use the Windows Wake-on-LAN command, sending a packet to the device’s MAC address, instructing it to wake up, so it could remotely encrypt the drive. Wake-on-LAN is a technology that allows a network professional to remotely power on a computer or to wake it up from sleep mode.

The combination of ARP and RPC.

Summing up, this new variant can find systems in the “neighborhood” by reading the ARP tables, wake those systems up by sending a Wake-on-LAN command, and then use RPC to copy itself to identified network shares. This step is followed by the creation of a scheduled task on the remote machine.

In 2019, the NCSC reported that

“Ryuk ransomware itself does not contain the ability to move laterally within a network,”

meaning that attackers would first conduct network reconnaissance, identify systems for exploitation and then run tools and scripts to spread the crypto-locking malware. With the development of this new capability, this statement is now no longer true.

Mitigating network traversal

One of the mitigation processes that were proposed, and that didn’t involve any cyber-security software, was to disable the user account(s) that are in use to send the RPC calls, and to change the KRBTGT domain password. The KRBTGT is a local default account that acts as a service account for the Kerberos Distribution Center (KDC) service. Every Domain Controller in an Active Directory domain runs a KDC service. Disabling the user account(s), and especially changing the KRBTGT domain password, will have a serious effect on the network operations and require many systems to reboot. But these troubles don’t outweigh the ramifications of a full network falling victim to ransomware.

Keep your networks safe, everyone!

The post Ryuk ransomware develops worm-like capability appeared first on Malwarebytes Labs.

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we talk to Eva Galperin, director of cybersecurity for Electronic Frontier Foundation, about the importance of protecting online anonymity and speech.

In January, the New York Times exposed a public harassment campaign likely waged by one woman against the family of her former employer. Decades after being fired, the woman allegedly wrote dozens of fraudulent posts across the Internet, ruining the family’s reputation and often slipping past any repercussions.

Frequently, the websites that hosted this content refused to step in. And, in fact, depending on what anyone posts on major websites today, those types of refusals are entirely within a company’s right.

These stories frequently produce reactionary “solutions” to the Internet—from proposals to change one foundational law to requiring individuals to fully identify themselves for every online conversation. Those solutions, however, can often harm others, including government whistleblowers, human rights activists working against oppressive governments, and domestic abuse survivors.

Tune in to hear about the importance of online anonymity for domestic abuse survivors and why changing one key Internet law will not actually fix the problems we have today, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

We cover our own research on:

• The mystery of the Silver Sparrow Mac malware
• Clop targets execs, ransomware tactics get another new twist
• LazyScripter: From Empire to double RAT
• Scammers, profiteers, and shady sites? It must be tax season

Other cybersecurity news

• NCSC helps NurseryCam to secure itself (Source: The Register)
• Taking a peek behind the big-tech curtain (Source: Medium Blog)
• A tale of cloned attack tools (Source: Check Point Blog)
• Phishers imitate well-known shipping companies (Source: Tech Radar)
• Malware gangs forge alliances (Source: Threat Post)

Stay safe, everyone!

The post Defending online anonymity and speech with Eva Galperin: Lock and Code S02E03 appeared first on Malwarebytes Labs.

VPNs have been a subject of deliberation for a long time.

Is it even important to use one? I think the pandemic has made it clear that, yes, using a VPN is useful, even necessary, most especially for those working remotely.

But should you pay for it? Or would you rather settle for free?

We’re going to take a look at free VPNs and paid VPNs in general. Mind you, we didn’t recommend any brands. Instead, we paved a way to help you make an informed choice on which one to use. Let’s face it, although the security- and privacy-conscious lean heavily into using paid VPN services, free VPN services—if we’re going to be honest—also have their place.

But what exactly is free?

We think there are three kinds of “free” in the context of VPNs:

• The “free-for-a-while” VPN. These are the VPN products that are free trial versions of paid products. Key features can be used by anyone who is interested in giving the VPN a test run, but only for a while.
• The honest free VPN. Like “free-for-a-while”, these VPN products are often designed to entice you into paying for a VPN, but they are not time limited and are distributed to the public for free. Genuinely free. Their marketing makes it clear what potential users will get, and what they will not get by not paying. This may include bandwidth throttling, sporadic disconnections—you get the idea.
• The mystery free VPN. This is perhaps the trickiest of the free ones. It’s tricky because some of the information that users would like to know about a VPN (most importantly, why it’s free) is not there—they are not “visibility friendly”. Just because a VPN provider doesn’t make it clear what the trade offs of using its products are, that doesn’t mean that there aren’t any. As a result, users are hindered from making an informed choice, leaving them trying out a product blind.

Why use a free VPN?

There are several reasons why someone might use a free VPN. And the most obvious one is to save money. Why pay for something when you can get it for free?

Someone can also reason that, although they heard that some free VPNs can be bad, not this VPN, because it was recommended by a friend, a neighbor, or a tech-savvy colleague who knows what they’re talking about.

At times, internet users use free VPNs because they may have no choice. Some institutions, such as universities and non-profit organizations, provide free VPNs for members to use.

The most important thing to remember when choosing a VPN is that it effectively becomes your Internet Service Provider (ISP). You are hiding your traffic from everyone else by pushing it through the VPN. So you had better trust your VPN provider a lot.

Are free VPNs safe?

So, the key questions to ask about a free VPN are: Why is it free, and how is it paid for? And, if somebody else is paying for your VPN, what are they getting in return?

A widespread problem one may encounter with genuinely free VPNs is resource constraint. This may be deliberate, in the hope you’ll upgrade to a paid service, or just a side effect of using an under-funded service.

The problem with mystery free VPNs, is the possibility of your internet activity being monetised, either by recording it for sale, or by tampering with it (by injecting ads, for example). When we took a look at free mobile VPNs last year, we concluded that many of them have problems and they are generally not safe to use.

Speaking of data recording and storage, there’s a population of internet users who have accepted the fact that one way or another, their activity and data are being recorded. This becomes another reason for them to use free VPNs, in the belief that even paid providers cannot guarantee that they won’t keep records about how their users use their service. For many, this is perhaps the make-or-break factor when weighing the odds. Why pay for privacy when it’s not genuinely offered by the VPN providers, free or paid?

If you understand who’s paying for your free VPN and why, we think it’s alright to use a free VPN service. It’s perhaps most suitable for occasional and light VPN users. They may consider the many limitations normally offered by free VPNs as not problems at all. In fact, they may willingly accept these limitations.

A light VPN user typically would like to protect their data when occasionally using public hotspots, such as in a restaurant, hotel lobby, public park, mall, or coffee shop. They would also like to temporarily visit a website that is normally geo-blocked when accessed in the user’s current location.

Keep in mind that even if you trust your VPN, you should keep your cybersecurity senses about you. A VPN over a public Wi-Fi protects your traffic from snooping and manipulation, but it doesn’t protected you from all possible online threats, nothing does. So, it’s still important to practice good internet safety habits while on the go with your mobile device.

Why pay for your VPN?

To get our money’s worth, we need to know where our money goes.

In the case of VPNs, the really good ones boast of speed, unfettered connections, unlimited data, multiple server connection options, a high level of privacy—factors that a great majority of free VPN service providers can’t compete with.

When it comes to price, free will always come on top, of course. But contrary to what many people think or expect from commercial VPNs, the majority of which are based on a monthly subscription scheme, the must-haves they offer are actually quite affordable. Depending on the kind of package that is on offer, you can expect to dish out as little as $1.99 USD/month (£1.40/month). The most expensive package we’ve seen so far amounts to $12.99 USD/month (£9.17/month), and it’s still not bad value.

Incidentally, several VPN providers accept cryptocurrency as payment for their services although this is not yet a fully accepted form of payment. This is handy for anyone who’d like to take their privacy journey a bit further.

To date, accepted cryptocurrencies are Bitcoin, Ethereum, and Ripple.

As you may already know, a paid premium VPN does more than just hide your true location and enable you to watch Netflix from countries where it’s normally unavailable. Here’s a high-level breakdown of what they offer and see if they are, indeed, worth our $13 dollars a month:

• Truly protected data. These are big words. Some of us are used to hearing but not believing them most of the time. Premium VPN service provides do have the technology and know-how to truly protect user data. All the top tier ones can make your session data disappear whenever you disconnect from the web. And that’s a good thing. What’s more, they keep no logs of user activity, provide AES 256-bit end-to-end encryption, support many tunneling protocols, and use other protection features that won’t leak your data even if you get temporarily disconnected from your VPN server.
• Truly unlimited bandwidth and speed. More big words, but again, these are possible for paid premium VPNs to offer. They have servers optimized for not just bandwidth and speed but also security, privacy, peer-to-peer (P2P) file sharing, media streaming, and video gaming.
• More server locations to choose from. The more servers a provider offers in different locations, the more change you have of unblocking region-restricted content at a speed you are happy with. Some VPN providers also let paid users manually pick their own servers to connect to, whereas sometimes, in their free trial versions, this convenient feature is not included.
• Added security features. The age of VPNs only caring about privacy is gone, and the age of VPNs also providing security has come. Some paid-for VPNs stop you from accessing blocklisted sites and stop invasive and annoying ads or malvertising.
• Support availability. This is already a given, but it’s still worth mentioning. Many paid providers offer 24/7 support for their clients in need of technical assistance.

We’ve weighed the odds. Now what?

Running a VPN is an expensive business and we think that “you get what we pay for” is—for the most part—true. But truth be told, there are exceptions to this. At the end of the day, it all boils down to how you want to use a VPN and how you want your VPN to work for you.

If you’re looking for free, we recommend you choose a brand that has a freemium model that lets you access a basic service for free in the hope you’ll upgrade—the “free-for-a-while” and honest free options. It’s better to go this route than risk inviting the very thing that threatens your privacy and security.

The post To pay, or not to pay? That is the VPN question appeared first on Malwarebytes Labs.

TikTok, the now widely popular social media platform that allows users to create, share, and discover, short video clips has been enjoying explosive growth since it appeared in 2017. Since then, it hasn’t stopped growing—more so during the current pandemic. 

While we can no longer categorize TikTok as a kids’ app, most concerns about the app have been around the privacy of children. You can read more details about its track record in this field in our article Are TikTok’s new settings enough to keep kids safe?

Last year the app escaped a total ban in the US after rumors that it was sharing the data of US citizens with the Chinese government.

Now TikTok has agreed to pay $92 million to settle dozens of lawsuits alleging that it harvested personal data from users, including information using facial recognition technology, without consent, and shared the data with third parties.

What was TikTok accused of?

In fact, there were dozens of lawsuits alleging that the popular video-sharing app used personal data from users improperly. The suits were merged into one multi-district action in the Northern District of Illinois that cited violations of privacy laws in Illinois and California.

One lawsuit accused the social media platform of deploying a complex artificial intelligence (AI) system to scan for facial features in users’ videos, combined with algorithms to identify a user’s age, gender and ethnicity.

Another point brought forward, claims that TikTok doesn’t adequately disclose how user data is shared with entities outside the US. Since the owner of the app is the Chinese company ByteDance this behavior has already prompted some organizations—including Wells Fargo and some branches of the US military—to ask their employees to not use the app on devices that also contain data about them.

According to lawyers representing TikTok users, the app “clandestinely vacuumed up” vast quantities of private and personally identifiable data that could be used to identify and surveil users without permission. Even information from draft videos that were never shared publicly were mined by TikTok for data, the lawyers for the users alleged. Tiktok also shared information about users, without their consent, with Facebook, Google and other companies, the suit claims.

Code obfuscation

One of the arguments brought forward to prove their case was that investigators hired by the plaintiffs’ lawyers found that TikTok went to great lengths to obfuscate its data collection and sharing practices. It is worth noting here that obfuscation is not only done to hide illegal practices. Sometimes obfuscation is simply done to keep out the competition.

Did TikTok admit anything?

No. A spokesperson said:

Rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community.

So, they would rather spend their time elsewhere, rather than in court. Understandable, but $92 million is a hefty sum. And maybe, just maybe, they would like to keep their lawyers available for possible future actions against the company. Former President Donald Trump threatened to ban TikTok unless ByteDance sold the app to a US-based owner. The Biden administration has pulled back from that take on TikTok, instead launching a broader review of Americans’ use of Chinese technology.

TikTok has always denied the allegations of sharing data, arguing other competing social networks have similar data collection practices, and insisting the company does not ship American user data to foreign servers.

So, this is settled now?

Well, not completely. This part of the battle has taken the best part of a year. And a federal judge still needs to sign off on the $92 million agreement. If it is approved, the settlement money will be divided up among US-based TikTok users (it’s roughly one dollar per American TikTok user).

The proposed TikTok settlement follows a similar deal struck last year in which Facebook paid $650 million to resolve legal claims over collecting and storing the biometric data of millions of users.

Besides the monetary settlement, TikTok will no longer record users’ biometric information, including facial characteristics, nor track their locations using GPS data. TikTok also committed to stop sending US users’ data overseas, and the app said it would no longer collect data on draft videos before the content is published.

Biometric data

TikTok’s use of facial biometric data is interesting, but unexceptional. All across the world, governments and corporations are developing facial recognition technology. Facebook uses it, Apple Photos uses it, police forces all over the world use it.

There are many concerns, however. Lack of oversight, ethics, failures and false positives, and bias against marginalized groups are all pressing concerns. As a result, a backlash has started and bans or moratoriums on facial recognition are now being implemented or considered in many jurisdictions.

With increased scrutiny on the use of facial recognition, and on the use of Chinese technology, the use of biometrics and other personal data by social media with ties to foreign entities, especially China, is likely to attract a lot of attention from now on. Just ask Clubhouse.

The post TikTok pays $92 million to end data theft lawsuit appeared first on Malwarebytes Labs.

US tax season is upon us, a time of the year when a special kind of vermin comes crawling out of the woodwork: tax scammers! Not that their goals are any different from any other scammers. They want your hard-earned dollars in their pockets.

Most of the tax-related attacks follow a few tried and true methods: A phishing email or scam call from someone purporting to be from the IRS, or an accountant offering to help you get a big refund. With all the financial and personal data to be had, it’s a time to keep a close eye on who you give your details to.

Below you is a real example you can use as a guide to the things you need to consider if you decide to use an online tax filing service.

Online tax services

This blogpost was triggered by a web push notification I got from a search hijacker from the SearchDimension family I was investigating. Many search hijackers in this family also use notifications, which qualifies them as adware.

It’s not that I recognized the form displayed in the notifications, but I knew the notification would likely be aimed at US users of the extension I was investigating since I had set my VPN to New York.

Anyway, the thought of someone providing their financial status and personal data to a website that was advertized in this manner gave me the creeps.

The website

The full URL behind the “Click Here” field was:

https://www.e-file.com/offer.php?utm_medium=affiliate&utm_source=cake&utm_campaign=intango&utm_content=2648&pid=&utm_term=84733016804____&utm_medium=affiliate&lctid=&lcid=

The items after the question mark are Google Analytics campaign tracking parameters that help a website understand where its traffic is coming from. In this case the site appears to be using them so it can attribute traffic to different affiliates (presumably so the site knows how much to pay them).

A click on that link in the notification brought me to this site:

Note that I went from free to a 30% discount in just one click. A bad start! Some digging revealed that the domain e-file.com originally belonged to a record shop called “Vinyl Junkie.” The internet archive has a first snapshot dating back to October of 2000. In 2005 the domain had switched to an outfit selling software to organize and store files. The first snapshot promoting an online tax filing service shows up in 2010.

Phishing sites tend not to hang around that long, so while the domain’s history is certainly interesting, it is not in itself a bad sign.

Affiliates

Another interesting piece of information can be found in the page about their affiliate program.

There is no indication that e-file is using search hijackers itself. In this case it seems as if an affiliate is, and e-file may not know that it has an affiliate doing that. But offering the most aggressive payouts (“double what many of our competitors pay!”), even when the customer does not spend any money, is exactly what attracts the most obnoxious advertisers on the web.

We asked Dr. Fou of FouAnalytics to have a look at the affiliate program details and the notification I clicked on, and this is what he told us:

Anyone running or using affiliate programs to drive more leads and sales should carefully review who is sending the links, leads, and sales. This is clearly an example of scammers taking advantage of an affiliate program and using shady techniques to get paid. They are trading off of your good name, and consumers will think you scammed them. This is just like malvertising that happens on mainstream publishers’ sites; the consumers think the publisher compromised their device because they didn’t realize the malicious code came in through an ad served into the page.

Reviews

One way to find out more information about a company or site is to look for reviews from other users. When we did this for e-file.com and found many complaints that might indicate that their services are not always as free as they claim.

Other reviews speak of missed opportunities for a refund and a lack of service. Bad reviews aren’t proof of wrong doing though, and you may say: “OK, what did you expect from a free service?” If a service is offered for free, but it still promises to pay its affiliates high rates, that money is coming from somewhere.

Speaking for myself, I am not sure a free service is how I would try to save money in tax season.

ID theft

We are not accusing e-file of being up to no good, but one of its affiliates is. And they are not the only ones trying to make a quick buck from you in tax season. Chief among them are ID thieves.

Scammers like tax season because people don’t like tax, many are baffled by it, lots of people will be in a hurry or looking for ways to make it easier, and in they end they will have to hand over a lot of personal information.

For those that have no idea what information you do (and don’t) need to provide when you file your taxes, here is a pretty extensive list. Remember that a social security number, birth date, and a bank account number is all the information a cyber-criminal needs to perform identity theft. And the consequences of that theft can be devastating. Identity theft is not to be taken lightly. It can take years to recover from and be very costly. A good resource for information about it is the ITRC.

So, it is wise to do some research before you trust any website with your personal details (and not just those that help with your tax).

And even if a service is legitimate, you should consider how secure your data will be if you entrust it to them. If the data gets exposed in a breach, the result for you is practically the same as if it had been sold anyway.

You can find more general tips to stay safe in tax season in our blogpost Coughing in the face of scammers: security tips for the 2020 tax season.

Stay safe, everyone!

The post Scammers, profiteers, and shady sites? It must be tax season appeared first on Malwarebytes Labs.

Malwarebytes’ Threat Intelligence analysts are continually researching and monitoring active malware campaigns and actor groups as the prevalence and sophistication of targeted attacks rapidly evolves. In this paper, we introduce a new APT group we have named LazyScripter, presenting in-depth analysis of the tactics, techniques, procedures, and infrastructure employed by this actor group.

Although the observed TTPs have commonality with known actor groups, there are many notable differences setting LazyScripter apart from these groups; these similarities and differences are discussed in the Attribution section of this paper.

APT groups are traditionally tracked according to specific targets and tools or methodologies they employ. Many actor groups use spam campaigns, attaching weaponized documents to phishing emails themed to target the industry or demographic of interest. In this case, we initially discovered a number of malicious emails specifically targeting individuals seeking employment, which prompted a deeper investigation.

Digging deeper we uncovered a targeted spam campaign dating back as far as 2018 using phishing lures with themes aimed not only at those seeking immigration to Canada for employment, but also at airlines.

In the following analysis, we walk through the timeline of observed TTPs from the initial phishing campaign to the state of the current and ongoing activities of the actor. We take a deep dive into each of the tools used, including the weaponized documents and the multiple variants of malware and exploitation techniques employed. Finally, we detail the infrastructure used and discuss the attribution comparisons with known actor groups such as APT28 and Muddy Water.

This in-depth and detailed analysis has revealed a developing campaign by what we believe to be a previously unidentified APT actor. Not only has this campaign been active for several years, but ongoing tracking shows this actor is still maintaining the infrastructure used and is actively updating toolsets. For this reason, we continue to track this new group LazyScripter as the threat evolves.

Download paper here.

The post LazyScripter: From Empire to double RAT appeared first on Malwarebytes Labs.

Ransomware peddlers have come up with yet another devious twist on the recent trend for data exfiltration. After interviewing several victims of the Clop ransomware, ZDNet discovered that its operators appear to be systematically targeting the workstations of executives. After all, the top managers are more likely to have sensitive information on their machines.

If this tactic works, and it might, it’s likely that other ransomware families will follow suit, just as they’ve copied other successful tactics in the past.

What is Clop ransomware?

Clop was first seen in February 2019 as a new variant in the Cryptomix family, but it has followed its own path of development since then. In October 2020 it became the first ransomware to demand a ransom of over $20 million dollars. The victim, German tech firm Software AG, refused to pay. In response, Clop’s operators published confidential information they had gathered during the attack, on a dark web website.

Copycat tactics

When we first came across file-encrypting ransomware, we were astounded and horrified at the same time. The simplicity of the idea—even though it took quite a bit of skill to perfect a sturdy encryption routine—was of a kind that you immediately recognize as one that will last.

Since then, ransomware has developed in ways we have seen before in other types of malware, but it has also introduced some completely new techniques. Clop’s targeting of executives is just the latest in list of innovations we’ve witnessed over the last couple of years.

Let us have a quick look at some of these innovations ranging from technical tricks to advanced social engineering.

Targeted attacks

Most of the successful ransomware families have moved away from spray-and-pray tactics to more targeted attacks. Rather than trying to encrypt lots of individual computers using malicious email campaigns, attackers break into corporate networks manually, and attempt to cripple entire organisations.

An attacker typically accesses a victim’s network using known vulnerabilities or by attempting to brute-force a password on an open RDP port. Once they have gained entry they will likely try to escalate their privileges, map the network, delete backups, and spread their ransomware to as many machines as they can.

Data exfiltration

One of the more recent additions to the ransomware arsenal is data exfiltration. During the process of infiltrating a victim’s network and encrypting its computers, some ransomware gangs also exfiltrate data from the machines they infect. They then threaten to publish the data on a website, or auction it off. This gives the criminals extra leverage against victims who won’t, or don’t need to, pay to decrypt their data.

This extra twist was introduced by Ransom.Maze but is also used by Egregor, and Ransom.Clop as well, as we mentioned above.

Hiding inside Virtual Machines

I warned you about technical innovations. This one stands out among them. As mentioned in our State of Malware 2021 Report, the RagnarLocker ransomware gang found a new way to encrypt files on an endpoint while evading anti-ransomware protection.

The ransomware’s operators download a virtual machine (VM) image, load it silently, and then launch the ransomware inside it, where endpoint protection software can’t see it. The ransomware accesses files on the host system through the guest machine’s “shared folders.”

Encrypting Virtual Hard Disks

Also mentioned in the State of Malware 2021 Report was the RegretLocker ransomware that found a way around encrypting virtual hard disks (VHD). These files are huge archives that hold the hard disk of a virtual machine. If an attacker wanted to encrypt the VHD, they would endure a painfully slow process (and every second counts when you’re trying not to get caught) because of how large these files are.

RegretLocker uses a trick to “mount” the virtual hard disks, so that they are as easily accessible as a physical hard disk. Once this is done, the ransomware can access files inside the VHD and encrypt them individually, steal them, or delete them. This is a faster method of encryption than trying to target the entire VHD file.

Thwarting security and detection

Ransomware is also getting better at avoiding detection and disabling existing security software. For example, the Clop ransomware stops 663 Windows processes (which is an amazing amount) and tries to disable or uninstall several security programs, before it starts its encryption routine.

Stopping these processes frees some files that it could not otherwise encrypt, because they would be locked. It also reduces the likelihood of triggering an alert, and it can hinder the production of new backups.

What next?

It remains to be seen if Clop’s new tactic will be copied by other ransomware families or how it might evolve.

It has been speculated that the tactic of threatening to leak exfiltrated data has lowered some victims’ expectations that paying the ransom will be the end of their trouble. Targeting executives’ data specifically may be a way to redress this, by increasing the pressure on victims.

Clop, or a copycat, may also try to use the information found on managers’ machines to spread to other organisations. Consider, for example, the method known as email conversation thread hijacking, which uses existing email conversations (and thus trust relationships) to spread to new victims. Or the information could be sold to threat actors that specialize in business email compromise (BEC).

For those interested, IOCs and other technical details about Clop can be found in the Ransom.Clop detection profile.

The post Clop targets execs, ransomware tactics get another new twist appeared first on Malwarebytes Labs.