Archive for author: makoadmin

A week in security (February 15 – February 21)

Last week on Malwarebytes Labs, the spotlight fell on the State of Malware 2021 report, which examines how cyberthreats have evolved over the past year.

We also touched on ransomware, such as Egregor, and a tactic known as Remote Desktop Protocol (RDP) brute forcing that has long been part of the ransomware operators’ toolkit; insider threats, such as what Yandex recently experienced with one of its own sysadmins; romance scams; social media under scrutiny—looking at you, Clubhouse and Omegle; some wins for the good guys; and, of course, Cyberpunk 2077.

Other cybersecurity news

  • Following the water supply hack in a Florida city, the US government warned critical infrastructure operators to upgrade their Windows 7 operating systems. (Source: Security Week)
  • Baby monitor vulnerabilities are in the spotlight once again after the cybersecurity team at SafetyDetectives, an independent review site, unearthed a flaw that allows miscreants to take over a camera’s video stream. (Source: SafetyDetectives)
  • Phishers used “financial bonus” as lure to deliver the Bazar Trojan. (Source: ZDNet)
  • Speaking of phishing scams, they’re also promising free COVID vaccines. Again. (Source: Infosecurity Magazine)
  • Intelligence officials from South Korea claimed that North Korea is behind the COVID vaccine cyberattack against Pfizer. (Source: Computer Weekly)
  • A flaw in Agora, a voice and video platform, was discovered that could allow attackers to spy on private calls. (Source: CyberScoop)
  • Palo Alto’s Unit42 uncovered a cryptojacking campaign that has been in operation for the last couple of years. (Source: Palo Alto Networks)
  • ScamClub, a malvertising group, was discovered using an iPhone browser bug to push ads. (Source: Confiant)
  • With the introduction of Apple’s M1 computer processors, new malware made for them is starting to emerge. (Source: Motherboard)

Stay safe, everyone!

The post A week in security (February 15 – February 21) appeared first on Malwarebytes Labs.

Omegle investigation raises new concerns for kids’ safety

Social media site Omegle is under fire after an investigation found boys using the platform to expose themselves on camera, and adults exposing themselves to minors.

Omegle users are paired with a random stranger who they can socialize with via text or video chat. An investigation by the British Broadcasting Corporation (BBC) found boys and adults exposing themselves on camera, even though its founder, Leif K-Brooks, claimed that he had increased moderation efforts months ago.

Just like TikTok, Omegle’s popularity has exploded during the pandemic. According to data collected by Semrush, an online visibility management platform, Omegle has enjoyed a global growth of 65 million visits from January 2020 to January 2021—a staggering 91 percent growth. Users from the US, the UK, India, and Mexico have helped spark interest.

What contributed to Omegle finding fame is that TikTok users started sharing Omegle videos with their friends and followers. TikTok now has a very active #omegle hashtag, which has been viewed 9.4 billion times as of this writing.

MEL magazine’s Magdalene Taylor theorized that it’s the allure of talking to strangers—or of being exposed to what our parents warned us about: “stranger danger”—that is fuelling this growth. “People wanted to experience what the Internet was like when people were still afraid,” Taylor wrote.

Read: Stranger Danger and the Sociable Child

Investigators from the BBC, who had monitored Omegle for approximately 10 hours, were paired with dozens of other users who appeared to be under 18 years of age, some as young as seven or eight. Within one two-hour period they were connected with 12 men performing sexual acts (“a common occurrence”, the BBC noted), eight naked males, and a handful of pornographic ads. In instances where BBC investigators were paired with people who appeared to be, or identified themselves as, underage Omegle users performing sexual acts, the broadcaster said: “These instances were not recorded, and we ended both chats swiftly before reporting them to the authorities.”

Keira, a 15-year-old Omegle user from the US, told the BBC that “Men being gross is something me and my friends see a lot. It should be better monitored. It’s like the dark web but for everyone.”

Like most popular social media platforms, Omegle has a minimum age limit of 13, and its terms of use say that users under 18 should only use it with a parent or guardian’s permission. Its home page also features a prominent warning: “Video is monitored. Keep it clean!” It does not attempt to verify users’ ages, however.

Screenshot: Omegle’s home page asks users to “Keep it clean”

The Internet Watch Foundation (IWF), an international charity based in the UK that works to reduce the availability of child abuse content online, expressed concern over what the investigators unearthed but was not surprised, as it follows a trend. According to Chris Hughes, hotline director for the IWF, they have found self-generated abuse material that was recorded from Omegle and distributed by predators online. The IWF also knows that such acts happen in households where parents are present, as evidenced by the background conversations audible in the videos.

“I’m absolutely appalled. This sort of site has to take its responsibilities seriously,” said Julian Knight MP, chairman of the House of Commons Digital, Culture, Media, and Sport Select Committee, in an interview with the BBC. “What we need to do is to have a series of fines and even potentially business interruption if necessary, which would involve the blocking of websites which offer no protection at all to children.”

The saga exposes some familiar fault lines. Age verification is fine in theory, but it is difficult to do. Even if it’s implemented effectively, it can simply replace one set of potential harms with a different one.

The history of social media suggests that if Omegle tried to tackle the problem by increasing the number of human moderators, it’s unlikely it could ever hire enough to police the platform effectively.

Until (and perhaps even if) these intractable problems find a solution, parents who want to protect their children will have to educate themselves, and their children, about the hazards they might face online.

The post Omegle investigation raises new concerns for kids’ safety appeared first on Malwarebytes Labs.

North Korean hackers charged with $1.3 billion of cyberheists

The US Department of Justice recently unsealed indictments detailing North Korea’s involvement in several global cyberattack campaigns against institutions in the financial and entertainment sectors, and money laundering schemes in certain US states.

The first unsealed indictment is for hacking activities done by three computer programmers from North Korea. Prosecutors name Jon Chang Hyok (전창혁; aka “Alex/Quan Jiang”), Kim Il (김일; aka “Julien Kim” and “Tony Walker”), and Park Jin Hyok (박진혁; aka “Pak Jin Hek”, “Pak Kwang Jin”, and “Jin Hyok Park”) as members of the Reconnaissance General Bureau (RGB), a military intelligence arm of the Democratic People’s Republic of Korea (DPRK) that is known for conducting clandestine operations on behalf of its country.

Park was already indicted back in September 2018 for his involvement in multiple destructive cybercrime attacks, which include the creation of WannaCry, which made headlines in 2017, the Bangladesh Bank cyber heist in 2016, and the attack on Sony Pictures Entertainment (SPE) in 2015.

According to the Justice Department, the RGB is known by many names in the cybersecurity industry, such as the Lazarus Group and Advanced Persistent Threat 38 (APT38). Other crimes the three North Koreans are charged with include: attempting to hack banks’ networks and sending falsified SWIFT messages; the theft of millions of US dollars worth of cryptocurrency from cryptocurrency companies; conducting ATM cash-out (aka FASTcash) and spear phishing schemes; deploying multiple malicious cryptocurrency applications; and the creation and marketing of the Marine Chain Token, an attempt to gain funds and evade US sanctions. A charge was also unsealed against Ghaleb Alaumary, a Canadian-American described by the FBI as a “prolific money launderer”.

While Jon, Kim, and Park are based in North Korea, their government has stationed them in other countries like Russia and China, the report further claims.

North Korean actors have not only heavily targeted the financial sector but also several cybersecurity professionals. Jérôme Segura, director of threat intelligence at Malwarebytes, explains: “In one of the most recent campaigns, Lazarus APT has targeted vulnerability researchers and exploit developers to steal new exploits as well as any additional tools they may be able to use in the future. This campaign has been conducted to broaden their capabilities in using zero days in their future attacks.”

“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” the report quotes Acting US Attorney for the Central District of California Tracy L. Wilkinson. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

Alaumary is already in custody while Jon, Kim, and Park remain at large.

A copy of the indictment in PDF can be downloaded here.

The post North Korean hackers charged with $1.3 billion of cyberheists appeared first on Malwarebytes Labs.

Cybersecurity in Cyberpunk 2077: the good, the bad, and the cringeworthy

What game caused some players to experience seizures, allows you to have unauthorized sex with Keanu Reeves, features a lead character who can’t keep the contents of his pants contained, was pulled from the PlayStation Store weeks after release, and still managed to shatter sales and streaming records? 

Of course we’re talking about Cyberpunk 2077, the latest game from Polish developer CD Projekt Red.

In spite of countless, often embarrassing, bugs, CDPR created an engrossing open world RPG that even the game’s detractors can’t stop hate-playing. Arguably, a big part of Cyberpunk’s appeal is its setting. Taking place in a fictional American metropolis known as Night City during the year 2077, this dystopian vision of the future attempts to cram every single sci-fi cyberpunk trope into one 30-hour game. Hacking, virtual reality, body modification, sentient computer AIs—it’s all in there.

For all its high-tech wonder, some aspects of day-to-day life in Night City feel familiar. The Internet (or Net, as it’s called in the game) looks about the same as it does in real life, with players browsing websites using a monitor, a mouse, and a keyboard. And it’s still possible to get a computer virus. In fact, falling victim to a computer virus is central to the game’s plot.

Since Cyberpunk features computers, hacking, viruses, and has the word “cyber” in the title, we obviously had to write about it.

So, the two members of the Malwarebytes Labs staff who actually played the game were asked to weigh in on cybersecurity in Cyberpunk 2077. And if we get to talk about video games for work, we’re all for it.

SPOILER ALERT: This discussion covers some major plot points.

Who are you?

Philip Christian: Hi! I was an avid gamer through college. Now I play a few major releases per year. I completed the main quest in Cyberpunk. All in, I’ve sunk about 70 hours into the game. I played on Google Stadia (don’t hate me). I work at Malwarebytes so I must know something about cybersecurity, but when it comes down to how threats operate on a technical level, I turn to the experts, like Chris.

Chris Boyd: I’m a Lead Malware Intelligence Analyst for Malwarebytes. I’ve played games dating back to the Atari 2600 days, have worked on a few titles you won’t have heard of many moons ago, and particularly enjoy modding the guts out of Bethesda titles. I’ve put roughly 200 hours into Cyberpunk, and spend a long time looking at hacking in games generally.

The most cringeworthy cybersecurity moment?

Philip: The hacking mini game was total baloney. When you try to hack a computer you’re shown this number matrix and you’re trying to select the correct numbers from the matrix. Not sure what this has to do with hacking unless hacking IRL has something to do with Sudoku.

If I’m being generous, it does bear a vague resemblance to brute force attacks, which are kinda big right now. With a brute force you’re just mashing in numbers, letters, and characters hoping you guess the correct login credentials, but you’re doing it really fast with an automated program entering the credentials for you.

Chris: Would have to agree, the hacking minigame is a horribly confusing pattern matching puzzle which is badly explained and not very realistic. This is common in games, and unless the game is entirely focused on hacking I think the right approach is to try and keep it simple. Sadly, that hasn’t worked here.

The most realistic cybersecurity moment?

Philip: There’s a mission in the game where you need to hack into someone’s password-protected computer. The mission entails looking at websites and figuring out the person’s password from what they’ve shared about themselves online. It’s really just a small part of a larger mission to find a missing teenager. This is a more realistic take on hacking than the numbers mini game. We all reveal way too much about ourselves via social media and cybercriminals use that info against us.

Chris: The cybersecurity realism in the game seems to come from incredibly meta real-world happenings related to the title. For example, the character Goro Takemura is a legendary personal bodyguard / security expert who trains literal cyber ninjas. The gag is he is also absolutely useless with technology, and often sends accidental selfies to the player character while trying to do something else.

Sure enough, a bug occurred in the game which could essentially break saves and prevent progress. The cause? Goro, the guy who can’t use his phone properly, would call the player character and the call would bug out.

“Videogame character who can’t use his phone breaks your game, with his phone” is meta enough. But then we have Elon Musk announcing a Tesla model will be able to play Cyberpunk, at roughly the same time it’s announced that Neuralink, Musk’s neurotechnology company, may be trialling computer chips in brains by the end of the year.

Being able to play a game about the dangers of placing chips in your brain, in a car built by somebody who wants to put chips in people’s brains, is the kind of crossover I live for!

Best representation of hacking in the future?

Philip: My favorite NPC in the game is Delamain the AI taxi driver. He looks like a cross between Johnny Cab from Total Recall and Death from Bill and Ted’s Bogus Journey. Anyway, his system gets infected by a rogue AI and it’s up to you to help him clean it out and regain control of his fleet of computer controlled taxis. Cars today are computers on wheels and car hacking is already a thing.

Chris: More than the hacking mini game, the real hacking meat on the bone here concerns Biohacking and more technology-centric body modifications. Almost everyone in the game is walking round with some sort of Internet-connected body part at all times.

People can overload your ocular implants, fry chips in your body, shut down devices and leave you at a standstill, wipe your short-term memory, and more.

It’s only natural we’ll see an increasing number of technological solutions for medical issues, and the tech industry has a habit of connecting things to the Internet without much care for security. In some ways the future is already here, and has been for some time.

Pacemaker hacks already exist. “Looping”, a DIY method for hacking your own insulin pump, has brought about a surge in purchases for the device needed to do it. A killer-app remote control for insulin pumps? Yep, those exist too.

As we creep towards Transhumanism, we’re going to have to be very careful regarding our final destination. If we aren’t careful we’ll quickly arrive at a point where anybody could be running anything. How do you prepare for that? How do you secure it? It’s entirely possible that we won’t be able to.

Screenshot: Johnny Silverhand is feeling frisky tonight.

Scariest representation of hacking in the future?

Philip: Someone put out a mod that swaps the Johnny Silverhand skin (modeled and voiced in-game by Keanu Reeves) with one of the sex workers (aka joytoys), allowing your character to have sex with an NPC that looks exactly like Keanu. It’s more weird than anything, but the incident got me thinking about deepfakes. This incident isn’t a deepfake in the strictest sense of the word, but it does give us a high profile example of a real person’s likeness being manipulated with technology. It’s something we’re just starting to see and we should expect to see more of it in the near future.

Chris: In games specifically, character swaps are nothing new. As good as Cyberpunk 2077 looks, even the highly detailed models such as Keanu’s are very much video gamey and not very realistic looking, once you get up close. It’s more an approximation of what the developers think he looks like, as opposed to even a fairly basic deepfake which can look very real indeed. Having said that, the developers were well within their rights to shut the mod down because the modder didn’t have Keanu’s permission. The issue of consent is paramount, whether the mod is ultra-realistic or some sort of PlayStation 2 callback.

I think games have a long way to catch up to deepfake levels of controversy, and this would be a subject to revisit if and when realistic models of real people work their way into VR titles.

What else caught your attention?

Philip: I liked how you could hack mundane items like soda vending machines, TVs, and security cameras as a way of distracting enemies. IRL it’s already possible to hack IoT (Internet of things) devices, control them remotely, and cause them to behave in weird ways. There are examples of coffee machines being hacked, baby monitors, smart TVs—you name it. If it’s connected to the Internet, it’s susceptible to hacking, so maybe think twice. Does your refrigerator really need to be connected to the Internet?

Chris: A major aspect of the game is trying to cheat death by any means necessary. Replacing vital organs and upgrading body parts, even when there’s no medical requirement for it, to make yourself run faster or punch harder. You can even scan people in the street with ocular implants tied to the city’s crime database (hello, facial recognition glasses).

The biggest push where that’s concerned involves the game’s main quest: corporations offering immortality by copying your consciousness to a computer chip, and the ramifications thereof.

It’s amusing to me that we’re playing through this fairly common sci-fi/technology trope at the same time as Microsoft’s patent for dead relatives revived as AI chatbots was discovered.

Where this technology goes from here is anyone’s guess.

Is it safe to mod your game?

Philip: Going back to the Keanu Reeves sex mod thing. CDPR had the mod removed from the site where it was being hosted. Since it’s not available through legitimate channels I think people who are curious will try to obtain it through less safe backchannel methods. This is a perfect scenario for scammers and criminals. In fact, CDPR recently advised gamers not to install mods from unknown sources due to a vulnerability that might allow criminals to remotely execute code on the target system.

Chris: They’ve already updated the game to address issues from that vulnerability, which is great news. Having said that, there’s always a risk from modding any game where you download unknown code and files. Most major mod sites perform some sort of security check on files offered for download, but gamers should always run some tests of their own. You’re entrusting your whole system to random people offering you files.

Some of the mental safeguards we deploy to avoid sketchy downloads tend to come down when modding. “I’m on a trusted site, everything here is legit, what could possibly go wrong”. A little caution is always a good thing where modding is concerned, whether it’s your favorite game or your ocular implants.

The post Cybersecurity in Cyberpunk 2077: the good, the bad, and the cringeworthy appeared first on Malwarebytes Labs.

Romance scams: FTC reveals $304 million of heartache

In 2020, reported losses to the FTC for romance scams went up by 50% from 2019, totalling $304 million. And things weren’t exactly good before: romance scams have cost people a fortune for 3 years running, according to the FTC. Their latest report suggests a steady rise in these kinds of scams generally and ponders the impact of the pandemic. If nobody can go out, it stands to reason that dating in the virtual world would experience a surge of interest.

Love is most definitely in the air for people up to no good.

Some key findings

  • Scams often begin on social media but are unexpected. Potential victims aren’t necessarily on a site for dating in the first place.
  • The use of gift cards for sending money to scammers increased 70%.
  • Reports of money lost increased across every age group in 2020.

Many of the old tricks are still in play, because they’re tried and tested. Throw enough of them out there and a scammer snags a bite eventually. It only takes one or two direct hits to make a small fortune. Meanwhile, people face losing huge sums of money which is often not recoverable.

Sending all my love…and my money

The report notes that many reports of large losses involve scammers claiming to send a victim money. Once the victim receives it, the scammer invents a reason why they need it sent back, or forwarded to a third party. This is how people end up as money mules. As we often mention, this is a bad situation to be in. While the mule ends up in various degrees of legal trouble, the anonymous scammer pulling the strings gets away with it.

It’s unfair, and very cruel for people who would naturally assume they’d done nothing wrong.

We see a variety of romance con-tricks involving requests to move funds. One we examined recently adds a small spin to proceedings. The scam works as follows:

  • The scammer connects with a victim on a dating app, and supplies photos and audio recordings.
  • After some small talk, the scammer says they want to send the victim some money. The scammer “can’t use their account” from their location, but they’re happy to give login details so the victim can do it themselves.
  • The scammer sends a link to a fake banking website where the victim is likely to be asked to complete a transaction, to increase their trust in the scammer, or for their own personal or banking details.

Gift cards: a wealth of opportunity

As mentioned already, gift cards are an attractive proposition for people up to no good. They’re easy to obtain and can be bought in small amounts. Unlike a few years back, they’re not limited to a narrow selection of items or stores. This is good for fakers, because they’re less likely to make victims feel like they’re being sent on a wild goose chase. They can pretty much buy anything and it’ll be of value to the scammer, either through usage or selling on. If gift cards are ever mentioned on dating apps or on social media, you’ve every right to be suspicious.

Steering victims away from the theoretical safety of their online space is a common tactic, not specific to dating scams. (Gaming scams will often take victims away from their gaming console ecosystem to third party sites, for example.) Romance scammers often try to lure people away from the dating apps where they met. This is good for the scammer, problematic for the victim: The digital paper trail becomes muddied, certain protections and safety mechanisms may not apply or be usable, and so on.

A trick of the eye

Catfishing romance scams use fictional personas that often rely on stolen images. People will use photos of models from different parts of the world, or pretend to be U.S. Army soldiers, or even celebrities, to get the job done. All they care about is grabbing the cash, and it doesn’t matter how much the victim on the other side of the screen is impacted.

To combat this, people should make use of reverse image search to see where else the images appear. AI generated images are also common in this realm though, so reverse image search is useful but not foolproof.

On a similar note, refusing to do video calls could be suspicious. The person may simply be shy, but a year into the pandemic, video is a reasonable expectation for online dating.

Tips for avoiding romance scams

Attempts to get you away from the platform where you met, requests for cash, or requests for a lot of personal information / logins should set alarm bells ringing. Asking for money for a visa / travel, or sudden medical aid, should too. Sending scans of passport pages is also a bit unusual. Anything which goes from 0 to 60 in the blink of an eye or seems too good to be true should definitely cause you to be very careful.

Be sure to check out our tips for dating safety and security before you next delve into the world of digital dating. The last thing anybody needs right now is financial fallout caused by a bogus romantic interlude. The more you can reduce the odds of that happening, the better everyone using dating platforms will be for it. Let’s consign these fakers to the digital rubbish bin, where they belong.

The post Romance scams: FTC reveals $304 million of heartache appeared first on Malwarebytes Labs.

Yandex sysadmin caught selling access to email accounts

Yandex, a European multinational technology firm best known for being the most-used search engine in Russia, has revealed it had a security breach, leading to the compromise of almost 5,000 Yandex email accounts.

The company says it spotted the breach after a routine check by its security team. They found that one of their system administrators with access to customer accounts was allowing third-parties to see some of these accounts “for personal gain”. Yandex made it clear in its official press release that no payment details were compromised.

With so much attention paid to eye-catching external threats like ransomware and BEC, it’s easy to forget that one of the biggest threats organisations face isn’t trying to force its way into their network; it was invited in.

Insider threats

Current and former employees, contractors, business partners, suppliers, third-party vendors, and service providers are all potential insiders. And they don’t have to be technologically savvy to pull off an “inside job”.

In fact, some insiders aren’t even intentionally malicious. The most common cause of incidents is employee negligence, such as the misuse of access privileges or a general inattention to keeping sensitive information private and secure, and it can cause employers a lot of headaches. This can be further compounded by a lack of effective cybersecurity and privacy training programs or an utter absence of an intentional culture of security.

Negligent and careless employees (or what others call “accidental insider threats”), more often than not, have zero intention to hurt their organizations; malicious employees, on the other hand, knowingly act against their employers for personal gain.

According to the 2020 Cost of Insider Threats: Global Report from the Ponemon Institute, the costliest insider threat is credential theft, which costs an average of nearly $875,000 USD to remediate. Not only that, incidents of credential theft have tripled in the last 5 years. With a booming demand for employees who are willing to share company secrets with criminals, it wouldn’t be a stretch to expect cases like this to pop up more frequently. They pay well, after all.

“Employees are always a prime target for adversaries, whether it is targeting them to leverage their machine or identity or recruiting them actively on a closed source forum,” said Brandon Hoffman, chief information security officer at Netenrich, an IT service management company, in an interview with Threatpost. “There has been several cases where we have seen a disgruntled employee posting messages on the dark web aiming to make a contact where they can ‘cash out’ their leverage as an employee.”

Organizational breaches have become a mainstay in news outlets, with many of them about outside parties forcing themselves inside private networks either by force (hacking) or social engineering (phishing). With the current pandemic and everyone working remotely, spotting insider threats has become more challenging than ever. This should make businesses more vigilant and determined in curbing insider threats before they happen. For those who don’t know where to start, here’s a good place: look at the zero trust model, and see how you can adapt it within your organization.
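The Yandex case was caught by a “routine check” of who was looking at customer accounts. As an added illustration of what such a check can look like (this is not Yandex’s code or anything from the Malwarebytes post, and the audit-log format, admin names and thresholds are all assumptions), the following Python parses constructed audit lines and flags any administrator whose daily count of distinct customer mailboxes read jumps far above that administrator’s own baseline. Counting distinct accounts rather than raw events matters: re-reading one ticket’s mailbox is normal, while fanning out across many unrelated accounts is the insider signal.

```python
"""Flag administrators whose daily count of distinct customer mailboxes read
jumps far above their own baseline. Added example; the log format, admin
names and thresholds are hypothetical, not Yandex's."""
from collections import defaultdict
from statistics import median

# Constructed sample audit log. Hypothetical format:
#   <date> <admin_id> <action> <target_account>
# admin_a handles a couple of support tickets a day, then on 2021-01-07 reads
# twelve unrelated mailboxes; admin_b stays at one lookup per day.
SAMPLE_AUDIT_LOG = """\
2021-01-04 admin_a read_mailbox cust_1001
2021-01-04 admin_a read_mailbox cust_1002
2021-01-05 admin_a read_mailbox cust_1003
2021-01-05 admin_a read_mailbox cust_1003
2021-01-06 admin_a read_mailbox cust_1004
2021-01-06 admin_a read_mailbox cust_1005
2021-01-06 admin_a read_mailbox cust_1006
2021-01-04 admin_b read_mailbox cust_1101
2021-01-05 admin_b read_mailbox cust_1102
2021-01-05 admin_b reset_password cust_1102
2021-01-06 admin_b read_mailbox cust_1103
2021-01-07 admin_b read_mailbox cust_1104
""" + "".join(f"2021-01-07 admin_a read_mailbox cust_{2000 + i}\n" for i in range(1, 13))


def parse_audit_log(text):
    """Return (day, admin, action, target) tuples; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append(tuple(parts))
    return events


def daily_distinct_targets(events, action="read_mailbox"):
    """Map admin -> day -> number of distinct accounts touched with `action`."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, admin, act, target in events:
        if act == action:
            seen[admin][day].add(target)
    return {admin: {day: len(t) for day, t in days.items()} for admin, days in seen.items()}


def flag_outliers(daily_counts, factor=4, min_abs=10):
    """Alert when an admin's daily distinct-account count exceeds `factor` times
    that admin's own median day AND an absolute floor `min_abs`, so a quiet
    admin's first slightly busier day is not flagged on tiny numbers."""
    alerts = []
    for admin, days in daily_counts.items():
        baseline = median(days.values())
        for day, n in sorted(days.items()):
            if n >= min_abs and n > factor * max(baseline, 1):
                alerts.append((admin, day, n, baseline))
    return alerts


def review(text=SAMPLE_AUDIT_LOG):
    """Run the check end to end and return the list of (admin, day, count, baseline)."""
    return flag_outliers(daily_distinct_targets(parse_audit_log(text)))


if __name__ == "__main__":
    for admin, day, n, baseline in review():
        print(f"{day}: {admin} read {n} distinct customer mailboxes (median day: {baseline})")
```

On the constructed log, `review()` returns a single alert for admin_a on 2021-01-07 (12 distinct mailboxes against a median day of 2.5); admin_b never trips it, and the password reset is ignored because only the `read_mailbox` action is counted. A real deployment would compare against a longer history and peer-group medians, but the shape is the same: per-principal baselines over privileged access, reviewed on a schedule rather than only after a report.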

The post Yandex sysadmin caught selling access to email accounts appeared first on Malwarebytes Labs.

Clubhouse under scrutiny for sending data to Chinese servers

The audio-chat app Clubhouse is the latest rage in the social media landscape. What makes it so popular, and now that it’s part of the social media landscape, can we trust it?

The Clubhouse app

Clubhouse was launched about a year ago and was initially only used by Silicon Valley’s rich and famous. It is different from other social media in that it focuses on the spoken word. Clubhouse members can enter virtual rooms to listen in or participate in live conversations. The conversations can only be joined when they are live and the people having the conversation determine who is allowed to listen and who can talk.

The Clubhouse app is freely available for download to every iPhone user, and an Android version is in the pipeline, but participation is kept exclusive by making it invitation only.

Every new user only gets a few (initially only two) invitations to give away. The developers claim it was done this way to allow for a controlled growth, so as not to overload the server infrastructure. Whether by design or coincidence, this also seems to work as a clever marketing scheme. Deep down, we all want to be part of the club of cool kids.

As a member you can select the subjects you are interested in and apply to be allowed in on conversations about those subjects. The conversations are not saved by the app, so the idea is that you “had to be there” to know what they talked about. But in the digital world thinking that some information is gone for good is very often an illusion. What’s to stop someone from recording a conversation they’re in?

Chinese servers

Recently Clubhouse went viral among Chinese-speaking audiences. But as soon as the Chinese government became aware of political discussions on the app, it was abruptly blocked by the country’s online censors, on Monday February 8, 2021. This sequence of events made some researchers wonder how private the conversations really were.

An investigation by the Stanford Internet Observatory found that some of the back-end infrastructure for the Clubhouse App was provided by Agora. Agora is a Shanghai-based start-up, with US headquarters in Silicon Valley, that sells a “real-time voice and video engagement” platform for other software companies to build upon. Exactly what Clubhouse needed to roll out their app.

The Stanford Internet Observatory

In their blog post Clubhouse in China: Is the data safe?, the Stanford Internet Observatory (SIO) team unravels the ties between Clubhouse and Agora and speculates not about why the Chinese government banned the app, but rather why it took them so long.

According to the article: “SIO has determined that a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio … It is also likely possible to connect Clubhouse IDs with user profiles.”

In a series of tweets one of the team members, Alex Stamos, adds:

“We found Chinese servers being used even for conversations that only involved Americans.”

He goes on to say that neither Agora, nor another Chinese supplier, EnjoyVC, are listed as data sub-processors in the Clubhouse privacy policy.

Alex Stamos is adjunct professor at Stanford University’s Center for International Security and Cooperation. He is also the former chief security officer at Facebook, so he does know a thing or two about social media.

Clubhouse statement

Clubhouse’s reaction to the analysis done by the Stanford Internet Observatory was:

“Clubhouse is deeply committed to data protection and user privacy.

We designed the service to be a place where people around the world can come together to talk, listen and learn from each other. Given China’s track record on data privacy, we made the difficult decision when we launched Clubhouse on the App Store to make it available in every country around the world, with the exception of China. Some people in China found a workaround to download the app, which meant that—until the app was blocked by China earlier this week—the conversations they were a part of could be transmitted via Chinese servers.

With the help of researchers at the Stanford Internet Observatory, we have identified a few areas where we can further strengthen our data protection. For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the globe—which can include servers in China—to determine the fastest route to the client. Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers. We also plan to engage an external data security firm to review and validate these changes.

We welcome collaboration with the security and privacy community as we continue to grow. We also have a bug bounty program that we operate in collaboration with HackerOne, and welcome any security disclosures to be sent directly to security@joinclubhouse.com.”

Countered by Alex Stamos with:

“We found that the use of Shanghai-based Agora is fundamental to the function of the app and building logical and technical controls between the US and PRC infrastructure will be extremely complicated.”

Meaning that not only is the Chinese infrastructure essential for Clubhouse at this point, but it will also prove to be hard to keep the US traffic away from it.

So, is it safe?

As TikTok discovered last year, popularity comes with scrutiny. The Stanford Internet Observatory report is interesting, but it isn’t proof of malice. It should help Clubhouse improve its privacy and security though, and Clubhouse will be under no illusion that people are watching it closely on both sides of the Great Firewall.

Our advice is to treat Clubhouse the same way you treat every other social media app. Once you release information on social media it is out of your control and you should treat it as if it’s freely available. It is up to each user to decide how much information they are willing to share about themselves. It is not always easy to balance the scales between privacy and social interaction. But it is better to be aware of the risks and not invest your trust in a social media app just because it is cool to be a part of, or just because they claim to value data protection and user privacy.

Stay safe, everyone!

The post Clubhouse under scrutiny for sending data to Chinese servers appeared first on Malwarebytes Labs.

Extortion, precision malware, and ruthless scams. Read the State of Malware 2021 report

Last year, threat actors took advantage of the COVID-19 public health crisis in a way previously considered unimaginable, not only preying on uncertainty and fear during the initial months of the global pandemic, but retooling attack methods, reneging on promises, strengthening malware, and extorting victims to the tune of $100 million—and that was without the threat of ransomware encryption.

In short, in 2020, cyberthreats evolved.

Today, we are showing readers just what that evolution looked like, in our State of Malware 2021 report. This report provides our most comprehensive analysis of last year’s malware trends, with breakdowns by malware category, malware type, operating system, region, industry, and more.

Here are key takeaways of what we learned in 2020:

  • Malware detections on Windows business computers decreased by 24% overall, but detections for HackTools and Spyware on Windows increased dramatically—by 147% and 24%, respectively
  • Among the top five threats for both businesses and consumers were the Microsoft Office software cracker KMS, the banking malware Dridex, and BitCoinMiners; business detections for KMS and Dridex rose by 2,251% and 973%, respectively
  • Detections for the most notorious business threats Emotet and Trickbot fell this year by 89% and 68% respectively, although the operators behind these threats still pulled off several big attacks in 2020
  • A new ransomware called Egregor came onto the scene in late 2020, deployed in attacks against Ubisoft, K-Mart, Crytek, and Barnes & Noble
  • Overall Mac detections decreased by 38%, though Mac detections for businesses increased 31%
  • Malware accounted for just 1.5% of all Mac detections in 2020—the rest can be attributed to Potentially Unwanted Programs (PUPs) and Adware
  • ThiefQuest tricked many researchers into believing it was the first example of ransomware on macOS since 2017, but the malware was hiding its real activity of massive data exfiltration. It accounted for more than 20,000 detections in 2020
  • On Android, HiddenAds—which aggressively pushes ads to users—racked up 704,418 detections, an increase of nearly 149%
  • We twice uncovered pre-installed malware on phones provided by Assurance Wireless through the US government-funded Lifeline Assistance program
  • Stalkerware-type app detections—which include detections for Monitor apps and Spyware apps on Android—surged in conjunction with shelter-in-place orders that governments began implementing in February and March: Monitor app detections rose from January to December by 565%; Spyware app detections rose across the same time period by 1,055%
  • The agriculture industry suffered through a 607% increase in malware detections, while detections in the food and beverage industry increased by 67%
  • More traditional targets, such as manufacturing, healthcare and medical, and automotive all experienced drops in detections by varying degrees—education fell 17%, healthcare dropped 22%, and the automotive industry decreased by 18%

As you can see from these findings, 2020 proved to be a tumultuous year.

When COVID-19 cases first began spiking in several countries, cybercriminals preyed upon people’s fears mercilessly, with an avalanche of coronavirus phishing emails and scams.

Around the world, governments tried to stop their hospitals from being overwhelmed by ordering lockdowns, stay-in-place orders, and school closures. By April 2020, half the world’s population had been asked or ordered to stay at home. As entire businesses switched to remote working, IT teams found themselves trying to fit months-long projects into days, with security an unfortunate but understandable casualty.

Faced with a new landscape, cybercriminals ditched some old tactics and placed a new emphasis on gathering intelligence. And as people adapted to their “new normal,” scammers exploited their isolation with a resurgence in tech support scams. New adversaries crawled out of the woodwork, too. April’s global shutdown was accompanied by a staggering rise in the use of stalkerware, a short-hand term for the type of mobile monitoring and spyware apps that are sometimes deployed by abusive partners.

The pandemic also created new challenges to online privacy. As countries turned to digital contact tracing to contain outbreaks, a stark dichotomy emerged: It is possible for people to have personal privacy or effective contact tracing, but probably not both. Around the world, the progress of privacy-preserving legislation slowed to a crawl.

And what began as a global health crisis soon became a global economic crisis too, with almost no business left unscathed. The fate of different industry sectors was mirrored in the number of cyberattacks they suffered. As the manufacturing and automotive sectors contracted, attackers simply turned their faces to agriculture and other essential industries instead. Ransomware gangs reneged on early promises to stay away from hospitals and hit new lows instead, attacking hospitals and medical facilities in organized campaigns.

Through it all, there is one form of business that seems to have thrived in 2020 though—the creation and operation of malicious software. The pace of innovation picked up in 2020 as many entirely new malware families emerged. Ransomware gangs continued to learn from each other too, with successful tactics spreading quickly between them. Perhaps the most important new tactic that emerged was “double extortion,” which saw cybercriminal groups extorting more money with threats to leak sensitive data than from decrypting compromised computers.

If 2020 taught us anything, it’s that cybercrime stops for nothing. There are no targets, and no opportunities for exploitation, that are beyond the pale.

Thankfully, the year had another lesson for us too: That there are heroes everywhere. The healthcare professionals, teachers and other essential workers rightly deserve the loudest acclaim, but heroes emerged in all areas of life. So, we want to offer an enormous thank you to the unsung army of sysadmins and security professionals who moved mountains in 2020 to keep millions of people safe online as the world around them was turned on its head.

To get the full story, read the State of Malware 2021 report.

The post Extortion, precision malware, and ruthless scams. Read the State of Malware 2021 report appeared first on Malwarebytes Labs.

Egregor ransomware hit by arrests

In a collaboration between French and Ukrainian law enforcement, arrests have been made that might put a dent in one of the world’s most sophisticated ransomware operations.

As reported first by France Inter, law enforcement made the arrests after French authorities traced ransom payments to individuals located in Ukraine. While the arrests have not been formally tied to Egregor, the statements and circumstances surrounding them have led to a lot of speculation. Let’s start with the basic background information.

What is Egregor ransomware?

Egregor is a ransomware-as-a-service (RaaS) operation with multiple affiliates. A great number of Egregor affiliates were formerly tied to the Maze ransomware. Many believe Egregor is a follow-up to Maze, because of:

  • The similarity of their business models—both used the data exfiltration and extortion method that was introduced at a large scale by Maze.
  • The transfer of affiliates from Maze to Egregor before the Maze group announced its retirement.
  • The timing of the Maze retirement and the explosive growth of Egregor led security experts to believe that at least some of Maze’s team members created Egregor in cooperation with Egregor’s predecessor Sekhmet. Egregor is considered a variant of Ransom.Sekhmet based on similarities in encryption, obfuscation, API-calls, and its ransom note.

Tracing ransom payments

Some people still believe that Bitcoin payments are completely anonymous and untraceable. This is not true.

The Bitcoin blockchain is an open and transparent ledger. Every payment is publicly visible to anyone and it’s easy to see how coins move from one address to another. Users are pseudonymous, meaning that their activity is visible, but their identity isn’t. Unmasking the flow of money is a matter of tying a real identity to one or more of the Bitcoin addresses in the chain. Successful cybercriminals know this and use mixers or tumblers to hide their tracks.

Usually, the most precarious moment for criminals is when their illegally obtained virtual currency is exchanged for a fiat currency, often referred to as a cash-out point.
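As an added illustration of how payment tracing on a transparent ledger works (example code written for this page, not part of the original post and not any investigator’s tooling), the Python below builds a flow graph from a constructed toy ledger, follows coins forward from a ransom address until it reaches an address with a known label such as an exchange deposit address (the cash-out point), and applies the common-input-ownership heuristic that groups addresses spent together in one transaction as belonging to one entity. All addresses, transaction ids, amounts and labels are invented for the example.

```python
from collections import defaultdict, deque

# Constructed toy ledger (NOT real Bitcoin data).  Each transaction spends
# earlier outputs, referenced as (txid, output index), and creates new ones.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": [], "outputs": [("victim_pay", 5.0)]},
    {"txid": "tx2", "inputs": [("tx1", 0)], "outputs": [("ransom_addr", 5.0)]},
    {"txid": "tx3", "inputs": [("tx2", 0)], "outputs": [("hop1", 3.0), ("hop2", 2.0)]},
    {"txid": "tx4", "inputs": [("tx3", 0), ("tx3", 1)], "outputs": [("exch_deposit", 4.9)]},
]
# Constructed attribution: an address an exchange is known to control.
LABELS = {"exch_deposit": "ExampleExchange deposit address (cash-out point)"}


def index_outputs(transactions):
    """Map (txid, output index) -> (address, amount) so inputs can be resolved."""
    outputs = {}
    for tx in transactions:
        for i, (addr, amount) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], i)] = (addr, amount)
    return outputs


def build_flow_graph(transactions):
    """Directed edge from every input address to every output address of a tx."""
    outputs = index_outputs(transactions)
    graph = defaultdict(list)
    for tx in transactions:
        spent_from = {outputs[ref][0] for ref in tx["inputs"]}
        for src in spent_from:
            for dst, amount in tx["outputs"]:
                graph[src].append((dst, tx["txid"], amount))
    return graph


def trace_to_labelled(start, transactions, labels):
    """Breadth-first search forward from `start`.
    Returns {labelled_address: path of addresses from start}."""
    graph = build_flow_graph(transactions)
    found = {}
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        for nxt, _txid, _amount in graph.get(addr, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nxt in labels:
                found[nxt] = new_path
            queue.append((nxt, new_path))
    return found


def cluster_common_inputs(transactions):
    """Common-input-ownership heuristic: addresses spent together in a single
    transaction are assumed to be controlled by the same entity.
    Returns {address: frozenset of addresses in its cluster}."""
    outputs = index_outputs(transactions)
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for tx in transactions:
        addrs = [outputs[ref][0] for ref in tx["inputs"]]
        for a in addrs:
            find(a)  # register singletons too
        for a in addrs[1:]:
            union(addrs[0], a)

    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return {a: frozenset(members) for members in clusters.values() for a in members}


if __name__ == "__main__":
    for addr, path in trace_to_labelled("ransom_addr", TRANSACTIONS, LABELS).items():
        print(" -> ".join(path), "|", LABELS[addr])
    print(cluster_common_inputs(TRANSACTIONS)["hop1"])
```

The usage note worth keeping in mind is the failure mode the article alludes to: when a mixing service pools many unrelated parties’ inputs into one transaction, forward tracing fans out to every output and the common-input heuristic wrongly merges strangers into one cluster. That is why the investigative value concentrates at the cash-out point, where an exchange’s know-your-customer record ties a real identity to an address.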

Were the arrested people key players?

In the original report, the arrested people were described as individuals who provided logistical and financial support. In another report they were said to be people whose job was to hack into corporate networks and deploy the ransomware. But that last bit is usually what the affiliate does, which would suggest they weren’t members of the Egregor crew.

However, some parts of the Egregor infrastructure have been offline for a few days, which may indicate the people arrested played a more important role in the organization. The offline parts are mainly their extortion site, where they published exfiltrated data, and the command and control (C2) infrastructure. For now, it remains unclear what the lasting damage might be.

Arrests follow Egregor attacks in France

France Inter said French authorities got involved in the investigation after several major French companies were hit by Egregor last year, such as game studio Ubisoft and logistics firm Gefco. As a result, an investigation was started last year, and French police, together with European counterparts, were able to track down Egregor members and infrastructure to Ukraine.

This does not mean however that Egregor focused on French victims. The group is active worldwide and has achieved estimated earnings between $40 million and $50 million according to a Chainalysis report. This is since their arrival on the scene in September of last year and makes them one of the five most active and best earning ransomware groups.

The arrests come hot on the heels of the recent, dramatic takedown of Emotet and the surprise retirement of the Fonix ransomware group.

Let’s hope that Egregor is on the way to joining them.

Stay safe, everyone!

The post Egregor ransomware hit by arrests appeared first on Malwarebytes Labs.

RDP, the ransomware problem that won’t go away

The year 2020 will certainly be remembered as one of the most difficult and tragic years humankind has faced in modern times. The global pandemic changed the way we live and work in ways unimaginable, perhaps forever.

It also altered the cybersecurity landscape dramatically. The FBI reported a 300 percent increase in cybercrime in the first quarter of that year, and the rate and cost of ransomware attacks escalated at an unprecedented rate. Almost thirty attacks were reported in December 2020 alone, including the infamous $34 million demand levied against electronics giant Foxconn.

One of the primary reasons these attacks are growing rapidly is due to a shift from secure office locations to less secure remote work environments. Prior to the global pandemic, less than 4 percent of the population worked from home. The genie is out of the bottle now though, and there’s no going back. It’s no surprise then, that a recent Gallup poll found that 82 percent of business leaders plan to maintain a larger work-from-home (WFH) posture well after the pandemic.

While many organizations can benefit from a wider selection of job candidates and reduced maintenance and facility costs, for security professionals, work-from-home environments expand the attack surface they have to protect, and increase the risks for phishing, malware, and ransomware.

The target for today’s organized and sophisticated cybercriminals, like the ones operating Maze or Ryuk, isn’t a single computer, but an organization’s entire network. A majority of all ransomware attacks gain access to a victim’s network through a “backdoor” approach that exploits weaknesses in Remote Desktop Protocol (RDP) software, or the way it is deployed.

The threat of RDP brute forcing has been widely reported, and brute force protection for RDP has been a “must have” for several years, and yet these attacks continue to succeed. The truth is that simply telling people to harden RDP isn’t working fast enough. Brute force protection needs to be more than just another item in an overworked system administrator’s ever growing task list. Instead, we need to see RDP brute forcing for what it is, an endpoint detection and response (EDR) problem, and handle it there.
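To make the “treat it as a detection problem” point concrete, here is an added example (written for this page, not Malwarebytes code and not any product’s logic) of the kind of sliding-window rule an EDR or SIEM would run over Windows Security events: Event ID 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP). The log lines, the key=value layout, the source addresses (TEST-NET ranges) and the threshold of five failures per minute are all constructed for the example; the field layout assumes a forwarder that flattens the events this way.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not a real capture).  Event 4625 = failed logon,
# 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2021-02-16T03:14:01Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2021-02-16T03:14:03Z EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2021-02-16T03:14:05Z EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2021-02-16T03:14:06Z EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.22
2021-02-16T03:14:08Z EventID=4625 LogonType=10 TargetUser=scanner IpAddress=203.0.113.7
2021-02-16T03:14:11Z EventID=4625 LogonType=10 TargetUser=svc_sql IpAddress=203.0.113.7
2021-02-16T03:14:40Z EventID=4624 LogonType=10 TargetUser=svc_sql IpAddress=203.0.113.7
2021-02-16T03:20:00Z EventID=4624 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.22
"""

# Assumed flattened key=value layout; adjust the pattern to your forwarder.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn log lines into dicts; lines not in the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(d["event"]),
            "ltype": int(d["ltype"]),
            "user": d["user"],
            "ip": d["ip"],
        })
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector over RDP (logon type 10) events.
    Returns a list of (kind, source_ip, timestamp) alerts:
      'brute_force'   - at least `threshold` failures from one IP inside `window`
      'brute_success' - a successful logon from an IP that hit the threshold
                        within the window (the case that needs immediate response)"""
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerted = set()                 # ips already reported as brute-forcing
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ltype"] != 10:
            continue                # only RDP logons are in scope here
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()             # expire failures older than the window
        if ev["event"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["ts"]))
        elif ev["event"] == 4624 and len(q) >= threshold:
            alerts.append(("brute_success", ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect_rdp_brute_force(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind} from {ip}")
```

The second alert kind is the one that turns a noisy volume rule into something an analyst acts on: a success following a burst of failures from the same source is the signature of a password that was guessed, and the response (isolate the host, reset the account, check for follow-on activity) should not wait on a sysadmin’s task list. The one legitimate user in the sample (198.51.100.22) mistypes once and logs in later, and produces no alert.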

Less well publicized are the vulnerabilities that continue to turn up in popular RDP software. In 2020, security researchers found twenty-five vulnerabilities in some of the most popular RDP clients used by businesses. These include:

  • FreeRDP, which is the most popular open-source RDP client on GitHub
  • Microsoft’s built-in RDP client with the executable file mstsc.exe
  • Rdesktop, another open-source RDP client and a default RDP client in Kali distributions of Linux

Many security professionals may not be aware of the reverse RDP vulnerabilities that can affect a remote machine rather than the host where the user is connected. The grunt work of inventory taking and patching remains as vital as ever.

The post RDP, the ransomware problem that won’t go away appeared first on Malwarebytes Labs.