Archive for author: makoadmin

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called Russian SVR Targets U.S. and Allied Networks,  to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisories’ executive summary reads:

Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.

Remarkable mentions in the cybersecurity advisory

Released alongside the advisory is the US Government’s formal attribution of the SolarWinds supply chain compromise, and the cyber espionage campaign related to it, to Russia.

Mentioned are recent SVR activities that include targeting COVID-19 research facilities via WellMess malware and targeting networks through a VMware vulnerability disclosed by NSA.

Vulnerabilities

NSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The advisory lists the following CVEs:

• CVE-2018-13379 as discussed here: Fortinet FortiGate VPN
• CVE-2019-9670 as discussed here: Synacor Zimbra Collaboration Suite
• CVE-2019-11510 as discussed here: Pulse Secure Pulse Connect Secure VPN
• CVE-2019-19781 as discussed here: Citrix Application Delivery Controller and Gateway
• CVE-2020-4006 as discussed here: VMware Workspace ONE Access

We have added a link to the vendor’s sites where they discuss the vulnerabilities and where you can find how to patch them. As you can see most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.

General mitigation strategy

While some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:

• Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.
• Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.
• Disable external management capabilities and set up an out-of-band management network.
• Block obsolete or unused protocols at the network edge and disable them in device configurations.
• Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.
• Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.
• Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach’s full scope before remediating.

Techniques

The techniques leveraged by SVR actors include:

• Exploiting public-facing applications. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.
• Leveraging external remote services. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RPD) allow users to connect to internal enterprise network resources from external locations.
• Compromising supply chains. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
• Using valid accounts. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.
• Exploiting software for credential access. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
• Forging web credentials: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.

The items listed under mitigations and techniques probably won’t be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.

Stay safe, everyone!

The post Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities appeared first on Malwarebytes Labs.

14-year old Michael (not his real name) from Scandinavia first visited Omegle, the video online chat that has become hugely popular since the start of the pandemic, after hearing about “unpredictable and weird encounters” one may experience on the site from other students in school. He was intrigued.

At the end of his “session”, however, he was worried.

The allure of talking to strangers and doing “stuff”

A couple of months ago, Malwarebytes Labs covered a BBC investigation into Omegle, wherein they found that young boys are exposing themselves on camera, and adult males are also exposing themselves to minors.

Michael, now 21-years-old, reached out to the media company after reading about their investigation in the hopes of sharing his disturbing experience, so other people could learn from it and start questioning who really is on the other side of the screen.

He had expressed doubts as to whether the first person Omegle paired him with—an older woman, he claimed—when he was 14 was what she claimed to be.

After quitting the site for several years, Michael, then 18, came back to Omegle and became addicted. “I started going on the site again and started doing ‘stuff’ on camera with different people. Video sex,” he said in a BBC interview.

Michael would later realize that at least one of his “sessions” was recorded. He was horrified to find that, after quitting the video chat site again for more than a year and coming back due to lockdown boredom, Omegle paired him to a recording of his 18-year old self “doing 18+ stuff” while a stranger he was chatting with at that time, who was clearly posing as him, was encouraging him to join in.

Michael told the BBC he believes the same technique was used to groom him as minor: “I am constantly stressed about it, but I find peace that at least my face is not in it. But it pains me I am used that way to hurt other people. In fact, I believe this is the way I was groomed into the site as a 14-year-old, although I can’t confirm the other person was fake at that time.”

Stranger danger fostered, thanks to VCW

Sarah Smith, the chief technology officer of the UK’s child abuse hotline, Internet Watch Foundation (IWF), sympathized with Michael’s plight. “I can’t imagine how distressing it must be to find someone using a video of yourself in this way,” she said in a BBC interview.

Smith described the technology these shady people in Omegle are using as Virtual Cam Whores (VCW). A VCW is a recording of someone that a controller can manipulate to trick their target into thinking that the person they’re seeing on the camera is the person they’re talking to. In reality, it’s like a digital puppet.

The video doesn’t talk back, which gives scammers a good excuse to force people to talk to them via text chat instead, while they parade and move the VCW puppet/bot to their will.

Essentially, Michael has been turned into a VCW bot so scammers can collect more videos of other people and potentially transform them into bots without them knowing as well. Perhaps this is also a way for scammers to make their bots more believable, by recording unknowing Omegle users doing things the scammer wants them to do. (One of the ways to tell bots from real users is to ask someone to do something unusual on cam.)

While we have seen that women are commonly used as VCW bots, we’ve also seen the male kind. We have not seen evidence of child bots, but given Michael’s experience as a fourteen year old, it does not seem out of the question.

Omegle is not safe for children—and for good reason

Thanks to TikTok, many young users are flocking to Omegle, not knowing the possible dangers they might encounter in the platform. Michael’s story could illuminate this path for them and help them decide to look somewhere else.

Omegle’s home page (unusually) includes its terms and conditions, which include the stipulation: “Do not use Omegle if you are under 13” on the very first line. The site also contains a warning that “Predators have been known to use Omegle, so please be careful”.

Parents and carers, we know it is not always easy keeping an eye out for your children and knowing what they do or where they go online daily. But remember that at times like these, they need your guidance, support, and understanding.

Try to keep an open, healthy communication with your children. Talk to them about how to stay safe online. Teach them how to be kind and respectful to anyone they talk to, even when the other party doesn’t do the same. Lastly, be involved in some of their online activities. Trust us, doing these (and more) will do both parents and their children a lot of good.

The post Shady scam bots trick Omegle users into nonconsensual video sex recordings appeared first on Malwarebytes Labs.

For much of 2020, the most visible conversation about the US election and tech was related to deepfakes (images or videos where the subject is replaced by another likeness). They could “destroy democracy” generally, and influence the US election in ways we couldn’t possibly imagine. People talked about disinformation, regulation, and how automated detection probably wouldn’t help a great deal.

It all sounded very bad indeed. And it didn’t happen.

With hindsight we can see that the flash points related to the November election were entirely unrelated to deepfakes. The election came and went with a spectacular fizzling out of the deepfake hype train. The one notable moment I can recall from the election period is a fake of Republican Matt Gaetz. It’s so bad, it resembles an old PlayStation cutscene.

Is your message “If we can do this, imagine what Putin can do”? And is what you’ve done awful? Because if it is, then people aren’t going to take it seriously.

Deepfake creators follow the money

Deepfake pros almost certainly decided to stay where they make their money: dubious porn clips. It’s (somewhat) more under the radar than drawing attention to your election interference. There’s a never-ending supply of people wanting celebrity fakes, or revenge / blackmail pornography.

Indeed, data from Sensity illustrated this perfectly. Although the US was the most targeted nation for deepfake activity, politics wasn’t the target. The most popular sector for fakes was entertainment at 63.9%. Politics weighed in at an incredibly low 4.5%.

Creating a political deepfake capable of turning the tide of an election, when even major outlets can only create very bad fakes? It was always going to be a long shot.

Where did all the deepfake election interference go?

The biggest problem for the November election was disinformation, conspiracy theories, and outright manipulation going viral. Creating a politically charged deepfake and having it be believable long enough before the inevitable debunking seems just plain unnecessary. Why invest all that time and effort into something when you can spin up millions of likes and reposts on social media instead?

These are questions which may not have been asked as rigorously as they should have been. The 2020 election has come and gone, and so has the chance for fakers to make an indelible mark on key aspects of democracy. What we ended up with, was half a dozen poorly made clips which feel more like parody than anything particularly serious. Indeed, the serious part is where folks working in and around Government look at the political clips offered during the run-up to the vote, and genuinely think they’re good uses of technology. They are not, and this suggests they perhaps need to be brought up to speed on the convincing (and not so convincing) aspects of this realm.

The bright side is that it appears the time for deepfakes to impact an election…any election…is gone. Many analysts suspect their best use is as an addition to scams, not the main feature. Even a little scrutiny brings the walls of artifice crashing down, so it’s best to leave them at the edges of peripheral vision.

Actual uses of deepfakes in the wild

Some of the biggest media splashes for deepfakes the past few months have had little, if nothing, to do with electioneering. One smash was the Tom Cruise Deepfakes posted to TikTok back in March which dazzled people with their brilliance. If you missed it, this video from creator Chris Ume will give you a sense of just how good deepfakes can be:

Sadly the genuinely well-done nature of the clips was undone almost immediately:

• The creator posted them to an account called “Deeptomcruise”, which linked to social media accounts of a well-known Tom Cruise impersonator.
• Viral attention was drawn to the clips as intended, instead of them simply being uploaded in low-key fashion and left to spread slowly, unnoticed, across the web for months or years.
• The creator spilled the beans in the press almost immediately, and mentioned they were essentially trying to get work off the back of it.

This was arguably never intended to be a clever commentary on the unreal nature of AI, but a VFX job reel.

The case of the face-swapped biker 

The other interesting fake media content happening was the reveal that a popular female biker was using FaceApp to hide the fact he was a middle-aged man. This one genuinely shocked people, and unlike the Cruise approach was designed to conceal the truth from the get-go. If they hadn’t had a change of heart and told all, their many fans would still be none the wiser.

Compare and contrast all of the sophisticated GAN tools you see in the news, with “middle-aged man performs face swap using incredibly commonplace phone app”. Which one is more relevant? Which one had more impact outside of actual observable harm, such as deepfake revenge porn?

Digital detection and disclosure

While the notion of exposing your own fakery seems contradictory, in some ways the Tom Cruise deepfake creator had it right. Yes, it’s fake – but they’re not exactly pretending it’s genuine. By the same token, we now have app developers planning to add watermarks to their user-generated clips. The EU may want organisations to disclose when deepfakes are deployed. Researchers continue to study new methods of deepfake detection. Note that the researcher in that last link also seems more concerned about deepfake antics away from major electioneering.

Wherever you look, there’s a growing consensus that people simply want to know what’s placed before them is legitimate. If there is fakery involved, I suspect they’re cool with it as long as upfront disclosure takes place. The comfort levels around this technology somewhat suggests folks now view it the same way they view cinema-based VFX. This itself could be a problem. Become too complacent with it, and the tech runs the risk of causing unexpected damage down the line. Sure, it’s mostly fun and amusing right now – but what about when it suddenly isn’t?

There is also the significant volume of people out there prone to conspiracy theories and other virtual shenanigans. No matter how bad the fake, or how silly the story it’s attached to, there’s a good chance they’ll believe the content no matter what disclaimer is provided.

For now, deepfakes remain the weapon of choice for malign interference campaigns, troll farms, revenge porn, and occasionally humorous celebrity face-swaps. It remains to be seen, a year on from 2020, if they’ll ever strike a decisive blow in the misinformation wars on a grand scale.

The post Deepfakes were going to change everything. And then they didn’t appeared first on Malwarebytes Labs.

Researchers at Netscout have released a report analyzing the malicious internet traffic of 2020 and comparing it to the years before. Some of the results were as expected: Brute-forcing credentials and more targeting towards internet-connected devices were foreseeable and have been discussed at length. And even a record-breaking year in Distributed Denial of Service (DDoS) attacks might have been expected as it follows the upward trend over the years. But the sheer number of attacks, their size, and a new big player in the field of DDoS extortion may raise some surprised eyebrows.

The records

The report identifies a “huge upsurge” in DDoS traffic during 2020, with a number of records broken:

• The most DDoS attacks launched in a single month (929,000).
• The most DDoS attacks in a single year (more than 10 million).
• Monthly DDoS attack numbers that regularly exceed the 2019 averages by 100,000-150,000 attacks.

As you can see the records are found in the number of attacks. The attack frequency spiked by 20 percent year over year and 22 percent in the last six months of 2020.

New methods

A DDoS attack stops people from using a computer system by keeping it so busy with traffic from multiple locations that it is overloaded and either crashes or is permanently busy. Because they work by delivering more traffic than the system or network under attack can handle, they hinge on an attackers’ ability to deliver significant volumes of traffic.

To increase the amount of data they can deliver, attackers look for methods that amplify the amount of traffic they can create. Typically an attacker will look for a service that will return a lot of data in response to a simple request (often hundreds of times more data). They will then make as many requests to that service as possible, but spoof their address so that it looks like the requests are coming from the victim. Because of the spoofed address the responses are reflected: sent to the victim instead of back to the attacker.

According to Netscout, threat actors exploited and weaponized at least four new reflection/amplification DDoS attack vectors in 2020. The report specifically mentions that abusable applications and services based on the UDP protocol remained a valuable asset for attackers. These applications and services were analysed and abused to provide new reflection/amplification vectors for DDoS attacks and helped provide the power required for the new wave of attacks.

Old methods

According to the report, UDP-based reflection/amplification attacks continued to dominate the list of most popular attack vectors, with TCP ACK flood attacks coming in a close second. This represents a changing of the guard, given that TCP SYN floods were dominant in previous years. However, Domain Name System (DNS) reflection/amplification attack frequency rose steadily over approximately the past 18 months and became the top vector of choice in 2020.

Recommended background reading: SYN/ACK in the TCP Protocol

Lazarus Bear Armada

The Netscout report also reveals that in August of 2020 a new threat actor in the field of DDoS extortion emerged and quickly started to make waves. In a DDoS extortion attack an attacker demands a ransom in exchange for halting a DDoS attack that is stopping the victim or its customers from using systems they need. The new group named themselves Lazarus Bear Armada (LBA). Very likely to imply that they are affiliated with well-known APT groups like the Lazarus Group, Fancy Bear, and the Armada Collective. Affiliations that they like to emphasize when threatening victims.

Their extortion attacks were primarily directed towards companies in the financial and travel-industry sectors, and sometimes included their upstream internet transit providers too. ISPs, healthcare providers, insurance providers, personal care product manufacturers, regional energy providers, and IT-related vendors were also targeted, according to Netscout.

Extortion and attacks

The LBA attacks are characterized by the attacker initiating a demonstration DDoS attack against parts of the target’s online infrastructure, followed shortly after by an email demand for a substantial payment in Bitcoin. The extortion demands typically stated that the attacker had up to 2 Tbps of DDoS attack capacity at the ready, which could be directed at the victim’s systems if the demands were not met. And they did not shy away from actual DDoS attacks against those unwilling to pay. Not even when it concerned organizations that played a crucial role in fighting the pandemic.

DDoS attack capacity

Even though there are no, agreed upon, international standards to measure DDoS attack capacity, the attack volumes observed over the course of the LBA’s campaign maxed out at 300 Gbps, which is significant.

Defending against a DDoS attack

As in most areas of security, searching for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. DDoS mitigation is a complex subject, but we suggest that your chosen solution should offer you one or more of these options:

• Allow users to use your systems normally as much as possible, even during an attack.
• Protect your network from breaches during an attack.
• Establish an alternative system to work with.

Broadly speaking organizations either need to be able operate in spite of systems being unavailable, with ways to keep the work going and the revenue flowing, or they need a way to absorb, re-route or drop DDoS traffic so they can continue to operate as close to normally as possible. Defending against massive-scale DDoS attacks requires access to enormous network resources, which may only be accessible via a third-party offering DDoS mitigation services. Whatever form your protection takes, make sure you have a plan or protocols in place before an attack occurs.

You can read more on the subject in our article DDoS attacks are growing: What can businesses do?

The post “Huge upsurge” in DDoS attacks during pandemic appeared first on Malwarebytes Labs.

Two weeks after Google launched a trial to replace run-of-the-mill online user tracking with new-fangled online user tracking, several companies and organizations have pushed back, criticizing the new technology—called FLoC—which is designed to respect people’s privacy more, as a detriment to user privacy.

The good news is that, if you want to escape Google’s silent experiment into how it thinks you should be tracked across websites, you now have several options. You can test whether you are included in Google’s new trial, download a browser plug-in to stop Google’s new tracking, or choose to install another web browser that is committed to preserving user privacy.

Because Google’s experiment into user tracking is primarily happening on its own browser Google Chrome (we’ll talk about Chromium-based browsers further down), our advice is split between two categories of users:

• Google Chrome users who do not want to give up Google Chrome
• Google Chrome users who are open to using a new browser

Some of the steps we offer are as simple as downloading a new browser, while others require users to go into their Google Chrome settings and make some changes. That latter option may sound easy, but for such a seismic shift in how users are being tracked online, it’s unfortunate that users have to, yet again, take even more proactive steps to simply enjoy a private experience online.

As we wrote last time, if Google believes its new technology is a step towards respecting user privacy, it should at least respect the user, too.

Before we get to our advice, let’s briefly explain some background.

What’s going on?

At the heart of the issue is Google’s Federated Learning of Cohorts—or FLoC—technology, which is now being tested on at least 0.5 percent of Google Chrome users across the world.

FLoC is Google’s planned replacement for third-party cookie tracking which, after years of enormous influence in digital advertising, is losing its relevance. Simply put, more users are beginning to push back against the types of online user tracking enabled by third-party cookies, and several companies are making it easier for those users to do it. Browser plug-ins abound to stop third-party tracking, and year ago, both Mozilla’s Firebox browser and Apple’s Safari browser disabled third-party tracking by default.

But this could spell trouble for Google, as much of its advertising revenue depends on the third-party cookies that its ad networks use to track users across countless websites.

Thus, enter the third-party cookie’s replacement: FLoC.

According to Google, FLoC is supposed to serve as an improvement on the third-party cookie because it will create advertising profiles on user groups, or cohorts, and not on users as individuals. Cohort membership is calculated by the browser and the data that drives the calculation doesn’t leave users’ machines. The company said that FLoC technology will prevent the creation of cohorts based on “sensitive topics,” with no cohorts based on medical diagnoses or online searches for help with suicide prevention.

According to Google, then, FLoC will give users the best of both worlds, preserving their online privacy while still providing revenue to online publishers who have relied on third-party cookies for years.

According to several outside organizations and companies, though, FLoC is just the latest attempt to box users into an unfair compromise, trading their own privacy for someone else’s gain.

“FLoC, along with many other elements of Google’s ‘Privacy Sandbox’ proposal, are a step backward from more fundamental, privacy-and-user focused changes the Web needs,” wrote Peter Snyder and Brendan Eich, senior privacy researcher and CEO of the privacy-forward web browser Brave. “Instead of deep change to enforce real privacy and to eliminate conflicts of interest, Google is proposing Titanic-level deckchair-shuffling that largely maintains the current, harmful, inefficient system the Web has evolved into, a system that has been disastrous for the Web, users and publishers.”

Importantly, users caught in the FLoC trial will not be subject to solely FLoC-enabled tracking. Instead, the FLoC trial is additive, meaning that Chrome users in the trial will be tracked both through FLoC and through traditional third-party tracking.

Here’s what you can do to push back against FLoC.

How can you opt out of FLoC?

As we wrote above, Google’s FLoC trial is primarily affecting users of its Google Chrome browser. If you are currently using Google Chrome, read on to understand how to find out if you’re included in the FLoC trial, how to opt out, and how to block the FLoC technology through outside means.

For the Google Chrome user who does not want to give up Google Chrome

First, Chrome users should check to see whether they’re included in Google’s FLoC trial. Google itself made this impossible when it launched its trial, as it did not provide any individualized notifications to the affected users.

Flatly, this is bad practice. An experiment that allegedly aims to respect user privacy should also respect the user, and that includes whether that user even wants to be included in the trial.

Alas, technologists at Electronic Frontier Foundation have developed a Google FLoC scanner for Google Chrome users. Simply follow the link to amifloced.org and run the test to see if you’re included in the Google FLoC trial.

If you are included in the trial, don’t panic! There are two methods you can take to remove yourself from the FLoC trial, one method provided by Google, and another provided by the search giant’s privacy-preserving competitor, DuckDuckGo.

If you want to just stick to Google Chrome’s settings and opt out of the FLoC trial, you can disable third-party cookies in Google Chrome. You can navigate to your Google Chrome preferences from the dropdown menu from “Chrome,” or, you can enter chrome://settings into your URL bar and press enter.

In your preferences, you next need to click on the “Privacy and security” option in the left-hand menu. Once there, click on the “Cookies and other site data” option, which should be below “Clear browsing data.”

Finally, once you’re in this menu, you need to click on the option to “Block third-party cookies.”

If you don’t want to fuss about with your settings, you can also choose to download the DuckDuckGo browser extension for Google Chrome. According to DuckDuckGo, the company has “enhanced the tracker blocking in [its] Chrome extension to also block FLoC interactions on websites.”

For users who don’t want to change settings or download extensions, there’s also another path: Download and use a different browser.

For the Google Chrome user who is open to using a new browser

It may sound simple to just download and start using a new browser, but we understand how difficult it can be to leave a platform for another that you may not know about or trust. For that reason, you should look at the actions of other web browsers and how they line up with their promise for a more private web experience for you, the user.

Last week, the Chromium-based web browsers Brave and Vivaldi both pledged to disable FLoC technology on their browsers. As the two browsers are built on Chromium’s code, it is important that both of the browsers came forward to clear any confusion about whether Google’s FLoC technology had wormed its way into their own browsers.

“The privacy-affecting aspects of FLoC have never been enabled in Brave releases; the additional implementation details of FLoC will be removed from all Brave releases with this week’s stable release,” the company wrote, adding that it also removed FLoC in its “Nightly” version of the browser, the testing and development version of Brave that receives nightly updates.

Vivaldi co-founder and CEO Jon von Tetzchner also chimed in on FLoC, writing that “the FLoC experiment does not work in Vivaldi. It relies on some hidden settings that are not enabled in Vivaldi.”

As another comparison point, the web browsers Firefox and Safari disabled third-party tracking years ago by default. So, while FLoC obviously will not apply to those browsers, because they aren’t based on Chromium, it’s also important that users understand that those browsers made privacy-protective moves long before Google’s FLoC experiment.

What this all means is that users actually have several options if they want to avoid FLoC and are open to using a new browser. They can try Vivaldi, Brave, Safari, or Firefox.

We wish users did not have to keep taking new steps to enjoy a private web experience, but until we’ve recreated the entire infrastructure of the Internet, Malwarebytes Labs will keep telling users how to stay private and safe online.

The post Chrome users, here’s how to opt out of the Google FLoC trial appeared first on Malwarebytes Labs.

What can we say about 2020 that hasn’t already been said? Beliefs were shaken. Values were questioned. Truths were tested. Then COVID happened and things really got crazy.

The World Health Organization declared the coronavirus outbreak a global pandemic on March 12, 2020. That same day cybersecurity got flipped on its head. 

Entire businesses had to transition from mostly in-person workforces to mostly remote. Even schools and hospitals transitioned to online instruction and virtual doctor visits. Sysadmins had to contend with more endpoints, spread across more locations, giving cybercriminals a whole lot of new ways to attack a network. And attack they did.

Heading into 2020, hackers mostly preferred sneak attacks powered by some form of automated malware like a Trojan, carrying a secondary payload, often ransomware. Several months later, hackers were bashing down the front door, favoring brute force attacks on Remote Desktop Protocol (RDP) clients. 

What a difference a year makes.

That got us thinking. In light of these dramatic changes to the threat landscape, what is the current state of trust and confidence when it comes to IT security professionals and their corporate endpoint protection?

The good news and bad news from the front line

The Malwarebytes SMB Cybersecurity Trust & Confidence Report 2021 is a first-of-its-kind survey of the hardworking IT professionals on the front lines of the fight against cyberthreats.

We spoke with 704 CIOs, IT directors, sysadmins, decision makers, and heads of security from businesses across the US, ranging in size from 50 to 999 employees. What did we find?

Let’s start with the good news.

In spite of everything that happened in 2020, stalwart SMBs remain confident that their endpoint protection can handle whatever threats come their way. The vast majority, 95 percent, say they trust their vendor to provide effective cybersecurity. At the same time, more than 90 percent also say their endpoint protection is effective and they’re confident it protects against dangerous threats. 

That’s some unusually high trust and confidence going on here. 

Could this be an example of security hubris (i.e., overconfidence in limited or untested security measures) or can we count on optimistic SMBs as a reliable barometer for overall trust and confidence in the world of technology and e-commerce?

That leads us to the bad news.

Almost half of SMBs, 47 percent, say the endpoint security products they hold in such high regard are very complex and hard to manage. And only a third, 36 percent, of SMBs expected those same endpoint security products to detect every single threat.

Going one step further, a full 56 percent of respondents said it’s not a matter of if but when their organization suffers a successful attack or breach.

Clearly, there’s some cognitive dissonance happening. What SMBs want to believe about their endpoint protection is at odds with what they’re actually experiencing.

We attempted to discover truth of the matter with even more questions:

Q: Are malware threats harder to stop than in years past?
A: Definitely.

Q: Has your endpoint protection product ever failed to detect a threat?
A: Uh-oh.

Q: Have you tested your endpoint protection product to see if it is detecting cyberthreats in the past 12 months?
A: Mostly yes, but testing methods vary and each has its flaws.

Q: What’s at stake if your organization comes under any cyberattack?
A: Depends on the size of the organization.

Q: Are you satisfied with the performance of the endpoint protection provider?
A: Yes, with some serious caveats.

Q: How does your endpoint protection fall short?
A: Reasons vary, but SMBs know a good deal when they see it.

Q: Do hackers prefer to target bigger organizations?
A: Everyone thinks they’ve got a target on their back, regardless of size.

The complete answers to these questions and many more await curious readers in Malwarebytes’ SMB Cybersecurity Trust & Confidence Report 2021. 

Download the full report.

The post Malwarebytes releases SMB Cybersecurity Trust & Confidence Report 2021 appeared first on Malwarebytes Labs.

When malware found its way into the network of Bakker Logistiek, a company specializing in the transport and warehousing of food and other products, on the night of 4 to 5 April, its IT systems ground to a halt. And, along with them, the reception of orders from clients, and the delivery of goods to branches of Albert Heijn, the largest supermarket chain in the Netherlands. With systems down, companies affected have resorted to using pen and paper for the time being.

Thankfully, all systems are back online now, according to Bakker Logistiek’s CEO Toon Verhoeven who gave an interview to local news organization, Nederlandse Omroep Stichting (NOS). The company is now in the process of contacting customers so they can begin deliveries as normal.

Verhoeven also confirmed with De Telegraaf, a Dutch morning newspaper, that the malware in question is ransomware, but the variant is yet to be disclosed by the company. “We have filed a complaint and it is now with the judicial authorities,” Verhoeven said in the NOS interview, which we have translated using Google Translate. “We are not making any further statements about that. We have worked very hard over the past six days to get our information systems up and running again.”

One of the foodstuffs most affected by the attack is packaged cheese. Albert Heijn said in a statement that they, too, are working hard to get the availability of cheese both in shops and online, although the latter is still a bit difficult to achieve in terms of ordering. Although headline writers have had some fun with the attacks affect on cheese supplies, the plain fact is that a gang of criminals has successfully disrupted a food supply chain, and that’s no laughing matter.

The CEO suspects that the compromise had something to do with the ProxyLogon vulnerability affecting Microsoft Exchange Servers. You may recall, Microsoft issued patches for four Microsoft Exchange zero-day exploits last month. The flaws were being taken advantage of by an attack group called Hafnium. After news of the patches broke, criminals were quick to reverse engineer the patches and use the vulnerabilities to attack servers, deploy web shells and drop ransomware payloads like Black KingDom and DearCry, knowing that many organizations would be slow to apply the patches.

The attack on Bakker Logistiek is yet another real-world example in the lengthening list of malware attacks affecting vital organizations with major consequences that go beyond the targeted businesses. We’re not even going to take a look back at what happened to Maersk in 2018 when NotPetya struck them hard. Or when EKANS disrupted industrial control systems (ICS) of Honda, GE, and Honeywell.

And it isn’t just businesses. The number of schools and hospitals that have experienced downtime because of ransomware is staggering, with some of them paying the ransom not only to get their systems up and running as quickly as possible but also to get their precious time back. In turn, those ransom payments fund the boom in ransomware.

In all honesty, although we don’t endorse ransom payments, it is not difficult to see why people make the calculation that they should pay, and we wouldn’t have been surprised if Bakker Logistiek had done the same.

As the sophistication of ransomware grows, organizations must continue to take this threat seriously, act swiftly in auditing their security posture as a whole, and plan accordingly. Preparing for ransomware doesn’t just mean beefing up security, it also means having a realistic plan in place for how to recover if the worst does happen, and keeping off-site, air-gapped backups that will be out of any attackers’ reach.

Every organization is a target, and the victims are everyone that relies on that organization. Your organization must be better prepared than ever. You can start by reading our guide to ransomware.

The post Ransomware disrupts food supply chain, Exchange exploitation suspected appeared first on Malwarebytes Labs.

A day late and a dollar short is a well-known expression that comes in a few variations. But this version has a movie and a book to its name, so I’m going with this one. Why?

Google has published an update for the Chrome browser that patches two newly discovered vulnerabilities. The browser’s Stable channel has been updated to 89.0.4389.128 for Windows, Mac and Linux. Both being exploited in the wild.

Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild.

Note that other browsers, such as Edge, Brave and Vivaldi are also based on Chrome and likely to be affected by the same issues.

Which vulnerabilities are patched?

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The first zero-day was listed as CVE-2021-21220 and was discovered at the Pwn2Own 2021 event last week. The vulnerability is caused by insufficient validation of untrusted input in V8, Google’s high-performance JavaScript and WebAssembly engine that interprets code embedded in web pages.

The second zero-day was listed as CVE-2021-21206 and is described as a “use after free in Blink”. Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Blink is the name of the rendering engine used by Chromium to “draw” web pages.

Why did I say a day late?

Researcher Rajvardhan Agarwal managed to publish a working exploit for CVE-2021-21220 (the vulnerability discovered at Pwn2Own) on GitHub over the weekend, by reverse-engineering a patch produced by the Chromium team. Chromium is the open source browser that Chrome is built upon, and it in turn is made up of components, like V8 and Blink. Fixes appear in Chromium first, and then Google packages them up, along with some Google-specific goodies, into a new version of the Chrome browser.

And why a dollar short?

Because the same researcher stated that (at the time) although the vulnerability affecting Chromium-based browsers had been patched in the latest version of V8, it worked against the current Chrome release, thereby leaving users potentially vulnerable to attacks.

Luckily, although Agarwal proved that exploitation was possible, he stopped short of handing criminals the keys to the entire castle. Purposely, the published exploit only worked if users disabled their browser’s sandbox, a sort of protective software cage that isolates the browser from the rest of the computer and protects it from exactly this kind of exploit. Criminals looking to use his exploit would have to chain it with a sandbox “escape”, a technically difficult task (although not an impossible one, as the Pwn2Own winners proved).

The update

The easiest way to do it is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the working exploits. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.

Stay safe, everyone!

The post Update now! Chrome needs patching against two in-the-wild exploits appeared first on Malwarebytes Labs.

A rather remarkable story has emerged, setting the scene for lively debates about permissible system access. A press release from the US Department of Justice Judge has revealed that the FBI were granted permission to perform some tech support backdoor removal. Bizarrely, they did this without letting the admins know beforehand.

A campaign targeting vulnerable Exchange servers has left web shells scattered everywhere. Those shells are backdoors. They allow attackers to access and creep around inside the compromised networks. Additionally, it seems that not all shells were properly locked down. They fell foul to password reuse. This means criminals figuring out the passwords to other criminals’ web shells could also potentially access the compromised servers. Having those shells lying around on systems for such a long time isn’t a great thing to happen.

When calls to fix systems go unheeded

Despite repeated warnings, and even one-click tools from Microsoft aiming to mitigate the issue, and no small amount of patching, some vulnerable servers remained. Some organisations missed or ignored the mass-massaging about the threat. Or perhaps they just didn’t know what to do to fix the problem. It’s likely that some also patched the vulnerability without also finding and removing the web shells.

This means lots of compromised exchange servers all over the place, just waiting for illicit access to begin all over again. What do you do in this situation? We’ll get to that but before we do, let’s talk about the perils of getting involved in situations. Any situation.

Getting involved in situations. Any situation.

People love to help. Members of the public often get involved in security issues alongside professional researchers and organisations. They may give tip-offs, or send files over, and most commonly, do some work in anti-phishing. It’s fairly easy to do, has a steady stream of ready-made content in their mailboxes to check out, and there’s a lot of places to report it to.

The problem is when individuals who mean well take it a step further without taking appropriate security measures. For example, a popular past time is filling up phish pages with bogus data. This is done to slow down phishers by making their data worthless. If folks aren’t careful, issues can arise.

At the extreme end, the same goes for vigilante style takedown tactics / breaking into servers / deleting data or “hacking back”. It might feel good to wipe large quantities of illegal content from a server you’ve taken control of which belongs to very bad people. But the law of unintended consequences has a way of biting the hand that feeds it. Even if your commands have exactly the effect you expect (and how often does that happen?), in one fell swoop you may have ruined an already ongoing law enforcement investigation, scrubbed the evidence needed to put someone in jail, and now you’re on the wanted list for breaking into a server and doing things you shouldn’t have been.

When the golden rule is broken

The golden “don’t do this” rule is “don’t touch servers and devices you have no permission to access”. It’s a great rule and helps keep people from getting into trouble, and it’s the backbone of computer misuse laws in both the US and the UK.

Where it gets a bit less clear, is when law enforcement agencies are granted permission from a Judge to access previously compromised servers and change things (in this case by deleting web shells). As per the release:

“the FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

The release mentions that “hundreds” of vulnerable computers had shells removed. These removals were done upfront with no knowledge of the system owners beforehand, according to the below:

The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells. For those victims with publicly available contact information, the FBI will send an e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search. For those victims whose contact information is not publicly available, the FBI will send an e-mail message from the same FBI e-mail account to providers (such as a victim’s ISP) who are believed to have that contact information and ask them to provide notice to the victim.

You weren’t home, so we left a message…sort of

It is rather alarming to think that a chunk of these system owners will probably go about their business for years to come with no idea the FBI stopped by to do a bit of digital tidying up. We also wonder how realistic it is to think ISPs will actually do some outreach. Even if they do, the business owners may think the mails are fake. Perhaps they’ll accept them as real, but still have no idea what to do about it. It’s surely unrealistic to think the ISPs will be able to take on an intermediary tech support role in all of this. If the goal is to have ISPs tell affected organisations to get in touch with the FBI directly, that’s still dependent on the victim not ignoring the ISP in the first place.

However you stack it up, it’s a bit of a mess.

“New” changes, a long time coming

The FBI requested a rule change for expanded access powers back in 2014, and it was granted in 2016. Essentially, we’ve known this would happen for some time but perhaps didn’t know quite what form it would take. While coverage of the proposed powers focused on “hacking” systems and talking about the issue in terms of offensive / surveillance capabilities, what we’ve ended up with is something a little different.

At the very least, I don’t think many expected the breakthrough story would be “they cleaned up compromised devices”. The question is, have we seen the opening of a Pandora’s box which really should have stayed shut?

General approval or generally derided?

Many of the arguments against this practice say there’s no real way to know if anything else on the servers was accessed or changed. There’s also the problem that solutions like this tend to breed their own additional complications. Just wait until scammers start pushing “FBI access required: problem detected” messages. It’ll be like the bad old days of fake antivirus pop-ups, except now the law enforcement mentioned is offering to help instead of send you to jail.

On the other hand: despite everyone’s best efforts to notify infected organisations and a massive splash of mainstream media coverage, it’s likely that lots of systems would simply have stayed compromised for a very long time to come if the FBI hadn’t done this. And it isn’t just the organisation that’s targeted that suffers, it’s everyone who depends on that organisation, and everyone who becomes a victim if the compromised system is used to launch further attacks.

So, where does the buck stop, and who specifically is going to stop it? Do you think this was a justified action? Is it acceptable in the most dire of situations, where no help is coming? Does it pave the way for overreach and the feeling your devices are under fire from all quarters?

We’d love to know what you think in the comments.

The post FBI shuts down malware on hundreds of Exchange servers, opens Pandora’s box appeared first on Malwarebytes Labs.

A US diplomatic mission in Nigeria warns of a visa scam affecting Nigerian citizens looking to move to the United States. It’s an old scam message, dressed up with a fresh coat of paint. Shall we take a look?

Work visa scams are a solid fixture in the scammer’s toolkit. This one blends the pandemic, data harvesting, and a slice of bank account emptying. There’s several variations of the scam, but they follow the same pattern.

The fake e-visa press release

No matter which version you’re looking at, the bogus press release begins as follows:

President Joe Biden, the 46th U.S. President has signed an Executive Order that interested citizens of the Federal Republic of Nigeria who measure in some special professions are eligible for American work E-visa and residence permit. This was communicated to the Nigerian Mission in the United States by the U.S. Department of Immigration.

The terms of the Executive Order allow 25,000 citizens of the Federal Republic of Nigeria between the age of 35 to 55 whose area of expertise are among the following: 1. Health workers, 2. engineers, 3. marine workers, 4. civil servants, 5. business administrators, 6. accountants, 6 [SIC]. lecturers, 7. those with special skills.

The official warning from the embassy warns the target age range is 40 – 55, whereas the example above focuses on those between 35 – 55. There is yet another version discussed here, focusing on potential victims aged between 25 – 55.

Promoting a scam

There’s almost certainly more versions of this scam in circulation by email. The example given by the embassy is a screenshot of a fake press release posted to Instagram. We’ve also discovered another version, again posted to Instagram from another account.

In both cases, the accounts claim to be involved in (or offering) some form of immigration service(s). For other versions of the fake press release, they follow the same template changing details relevant to the scammer’s own interests.

What are they asking for?

No matter who is sending the individual scams, the data they ask for is pretty standard across the board. They want potential victims to either hand over certain documents, or follow some crucial steps:

1. Passport biodata pages, with “at least 6 months left before expiry date”. A work resume. A passport photograph. Government-issued ID if available. This is classic data harvesting for identity theft or social engineering.
2. The “brush off”. They claim that if potential victims haven’t heard back after 2-3 business days they should forget the whole thing. The visa won’t be headed their way, and they should simply wave goodbye to the money paid to apply.
3. A warning that potential victims shouldn’t tell anyone they’ve applied may set off alarm bells for some, but not everyone. “Applicants must go about their applications themselves without involving any third parties such as travel agents, family members living in the United States, or any other delegates”. This is simply so people with more knowledge of procedure don’t declare the whole thing one big scam.
4. A payment of $250 for an “English proficiency test”. They also ask for a further $150 for “Covid screening” if applicants have not yet had a COVID-19 vaccination.
5. A deadline. The “Press release” claims to have been signed in February or March depending on which version is on display. All of the ones we’ve seen so far claim the application deadline is the 30^th of April, 2021. Is this offer too good to be true? Better hurry up and submit those fees and find out before the opportunity is lost! This is a time-honoured pressure tactic, dusted off and reused once again.

Turning a profit on false hope

This is an awful scam, and the people behind it don’t care about the fallout for victims. They even try and make some additional cash from the pandemic. You can bet that once April 30 passes, new versions will be released with May or June listed as the new cut-off point. We’ve covered the occasional visa scam previously, and they can have serious consequences for people caught in the trap.

If you’re unsure about too-good-to-be-true visa announcements, stick to official sources. Anyone can claim to be anything on social media platforms and mailbox missives. Major changes will have major coverage, and you can always contact the relevant embassy directly in a worst case scenario.

The post Sorry, Joe Biden isn’t offering you a work visa, it’s a scam appeared first on Malwarebytes Labs.