Archive for author: makoadmin

Safe Connections Act could help domestic abuse survivors take control of their digital lives

A bill introduced in the US Senate could help domestic abuse and sex trafficking survivors—including those tracked by stalkerware-type applications—regain digital independence through swift, shared phone plan termination and the extension of mobile phone plan subsidies.

Titled the Safe Connections Act, the bill targets the significant problem of shared mobile phone contracts between abuse survivors and their abusers. For survivors in these situations, a shared mobile phone plan could reveal who the survivor has called and when. Shared mobile phone plans also complicate matters for survivors who hope to physically escape their abusers, as abusers could report phones owned in their name as stolen, weaponizing law enforcement to locate a survivor.

Democratic US Senator Brian Schatz, who is one of the sponsors of the bill, said that he hopes the Safe Connections Act will give control back to survivors.

“Giving domestic violence abusers control over their victims’ cell phones is a terrifying reality for many survivors,” Schatz said in a press release. “Right now there is no easy way out for these victims – they’re trapped in by contracts and hefty fees. Our bill helps survivors get out of these shared plans and tries to find more ways to help victims stay connected with their families and support networks.”

Importantly, the bill would also extend easier access to government-subsidized mobile phone programs, which means that survivors being tracked through stalkerware-type applications could more easily toss their compromised device and start anew.

What does the Safe Connections Act do?

The Safe Connections Act—which you can read in full here—was introduced earlier this year by a bipartisan slate of US Senators, including Sens. Schatz of Hawaii, Deb Fischer of Nebraska, Richard Blumenthal of Connecticut, Rick Scott of Florida, and Jacky Rosen of Nevada.

The bill has three core components to aid “survivors,” which the bill defines as anyone over the age of 18 who has suffered from domestic violence, dating violence, sexual assault, stalking, or sex trafficking.

First, if passed, the bill would place new requirements on mobile service providers—such as Verizon, AT&T, T-Mobile, and Mint Mobile—to more rapidly help survivors who request to remove either themselves or an abuser from a shared phone plan, whether the survivor is the primary account holder or not. Wireless phone companies will have to honor those requests within 48 hours, and in doing so, they cannot charge a penalty fee, increase plan rates, require a new phone contract under a separate line, require approval from the primary account holder if that account holder is not the survivor, or prevent the portability of the survivor’s phone number so long as that portability is technically feasible.

Also, in severing a shared phone contract, companies must also sever a contract for any children who are in the care of a survivor.

The bill specifies, though, that survivors who make these requests will have to show proof of an abuser’s behavior by submitting one of two categories of information. Survivors can submit “a copy of a signed affidavit” from licensed social workers, victim service providers, and medical and mental health care providers—including those in the military—or a survivor can submit a copy of a police report, statements provided by police to magistrates or judges, charging documents, and protective or restraining orders.

The second core component of the bill would require phone providers to hide any records of phone calls or text messages made to domestic violence hotlines. As the bill states, those providers must “omit from consumer-facing logs of calls or text messages any records of calls or text messages to covered hotlines, while maintaining internal records of those calls and messages.”

This provision would not come into effect until 18 months after the bill passes, and it would require the US Federal Communications Commission to create a database of those hotlines, providing updates every quarter. This section would also apply to providers of both wireless and wired phone services.

A possible stalkerware intersection

The third component of the Safe Connections Act could help survivors who are also facing the threat of stalkerware. The bill would enroll survivors who have severed their contract under the new powers of the bill into the government’s Lifeline phone assistance program “as quickly as feasible,” with a period of coverage in the program for a maximum of six months.

The Lifeline program, run by the FCC, attempts to provide subsidized phones and phone services to low-income communities. Extending program eligibility to survivors could help them physically escape their situations while offering them a quick opportunity to regain digital independence.

In fact, in Malwarebytes’ continued work to protect users from the threat of stalkerware, it has learned that many of those who suffer from stalkerware tracking often have to leave their cell phones behind and start with entirely new devices.

As Chris Cox, founder of Operation Safe Escape, told Malwarebytes Labs last year when discussing how to help survivors of domestic abuse who have encountered stalkerware on their devices:

“What we always advise, consistently, if an abuser ever had access to the device, leave it behind. Never touch it. Get a burner,” Cox said, using the term “burner” to refer to a prepaid phone, purchased with cash. “You have to assume the device and the accounts are compromised.”

With access to the Lifeline program, that purchase of a new device could become more feasible.

Unfortunately, the benefits of the Lifeline program must be looked at comprehensively. Last year, Malwarebytes Labs discovered that two Android devices offered through the Lifeline program actually came with pre-installed malware. The devices are no longer available through Assurance Wireless, which was the supplier contracted with the Lifeline program, but the broader point remains: No one should have to suffer lowered cybersecurity because of their income. With the Safe Connections Act, we hope that the Lifeline program’s unfortunate mishap does not repeat, harming even more communities.

The post Safe Connections Act could help domestic abuse survivors take control of their digital lives appeared first on Malwarebytes Labs.

A week in security (March 15 – 21)

Last week on Malwarebytes Labs, our podcast featured Adam Kujawa, who talked us through our 2021 State of Malware report.

We cover our own research on:

Other Cybersecurity news

Stay safe, everyone!

The post A week in security (March 15 – 21) appeared first on Malwarebytes Labs.

Resident Evil 8 just the latest game plagued by fake demos and early access scams

There’s been a number of scams targeting fans of major upcoming video game releases over the last week or two. Why is this happening, and what can you do to ensure both you and your children avoid such fakeouts?

Preview power: the 80s and 90s

Back in the 80s, games reviews were only really found in dedicated gaming magazines like ZZap!64 or Amstrad Action. A couple of magazine publishers had the idea to distribute full games and demos on cassette tapes mounted to the cover. This led to some spectacular covertape related magazine warfare, distribution of games without permission, and copyright breach extravaganzas.

Downloadable demos: 2000s and beyond

When net-connected consoles blasted their way into homes from around the time of the original Xbox onward, this granted a second life to the old cover tapes and discs. Consoles came with demos pre-loaded, you could download demos or full games, and update purchased titles on the fly.

Consoles going digital slowly came with its own problems. Even so, the digital download revolution encouraged new funding models and ways to play games. Early access, where players are granted first look at a title by paying or for free, is where our latest scam lies.

What are the scammers doing?

Scammers are using demos and early access promises as bait for phishing and other forms of attack. The upcoming Resident Evil title, Village, currently has a spin-off demo version called “Maiden” on the Playstation 5 with other versions to follow. Enterprising phishers are distributing fake mails offering “Early access invitations” to play Village itself, which is the full game, set after the events of Maiden.

In this way, they’re trying to ride the wave of popularity for Maiden by encouraging people to get their hands on the rest of the content. The game developers, Capcom, also mention avoiding any files offered up by the phish. This sounds very much like the phishers were also dabbling in malware distribution.

We bring tidings. Bad tidings.

The full Capcom message sent to press reads as follows:

We’re sending this message as we’ve been made aware that there are currently emails circulating that pretend to contain “Early Access invitations” to Resident Evil Village. The sender address is being displayed as “no-reply(at)capcom(dot)com”.

We want to inform you that these messages are NOT from Capcom and appear to be phishing attempts by an unauthorized third party. If you have received such a message, please DO NOT download any files or reply, and delete the message immediately.

If you are unsure of the authenticity of correspondence from Capcom, please contact us directly to verify.

This is perfect bait for younger gamers who may not be aware of this type of scam attempt. No doubt it’ll have caught out many an adult gamer, too. That’s the most recent attempt at tricking people with fake early access. Shall we take a look at a slightly earlier effort?

Fake Beta build scammers come for Far Cry

Far Cry 6 is the soon to be released entry into Ubisoft’s unstoppable game series. Last month, a supposed “beta” build of the game was mentioned in emails to various influencers / content creators in the gaming space. The mail, flagged as being under embargo, comes complete with an access password. When the password is entered, and we’re not sure if they mean to open a zip or on a fake website, an infection is downloaded to the PC. According to potential victims, it “watches your screen and records everything you do”.

That’s bad enough. This is by no means the end of the wave of fake beta/early access/demo invites though.

Gaming a wide audience

In January, THQ Nordic warned of scam mails related to their game Biomutant. As with the other missives, it seems to focus on content creators / developers. Seeing developers state that no early builds of games are being mailed to people is bad news. Could one group specifically be trying this early access build gimmick? Or is everyone at it? Quite often, a new way to go on the offensive is posted to underground forums and then people go off and try it. That could be what is happening with these attacks, or it could just be coincidence.

As far as fake betas go, those have been around for a long time. A good example of this is Cyberpunk 2077, back in July of last year. How about a Fortnite Android beta scam from 2018? We can certainly round things out with a Valorant themed, malware laden closed beta key generator from last April.

Some tips to avoid fake beta/access scams

  1. At least some of these attacks are targeted towards gaming influencers or people with big platforms. As a result, this means you may not encounter a few of them. If you do fall into this category, basic security hygiene applies. Check the security of all your accounts and enable two-factor authentication if it’s available. Run up to date security software, and ensure all your devices are patched and up to date.
  2. Begin locking down your gaming accounts if you haven’t already. It might not just be your PC at risk from attacks. They could be after your console logins / details too. All major gaming consoles have plenty of security features. It’s well worth digging out their security documentation and shoring up any gaps in your defence.
  3. If a games developer emails you out of the blue, it’s fairly easy to figure out what’s real and what isn’t. Major titles announce betas, and early access programs clearly on websites, social media, and gaming portals. It isn’t left to random mail shots and mysterious attachments. If there’s no evidence of whatever you’ve been sent in some sort of official capacity, steer clear. Worst case scenario, you can always contact most developers on social media. They will likely be happy to help if what you’re showing them is a scam.

Press X to continue?

We recommend telling younger gamers in your household about these scams, and also the security solutions used to address them. The “exclusive preview build” technique aimed at influencers probably won’t remain aimed at them exclusively for very long, so watch out for that. You may as well get ahead of the game now before the inevitable next wave of beta invite scams land in mailboxes near you. There’s always something to think about in video game land.

The post Resident Evil 8 just the latest game plagued by fake demos and early access scams appeared first on Malwarebytes Labs.

Report reveals the staggering scale of Business Email Compromise losses

Internet crime is ever present, and with the ongoing pandemic, levels of scams and fraud were exceptionally high in 2020. Opportunistic fraudsters didn’t give a second thought to riding the COVID-19 wave and preying upon those who are truly in need of help, or those who truly want to help.

The Internet Crime Complaint Center (IC3), an arm of the FBI where internet users can report online fraud crimes, recently released the 2020 Internet Crime Report, an annual report that contains high-level information on suspected fraud cases reported to them and their losses. A state-by-state statistical breakdown of these cases were included in an accompanying report, 2020 State Reports, that you can browse through here.

The IC3 has found that the three biggest complaints they received in 2020 are phishing scams, which garnered the highest number of complaints (241,342), ransomware (2,474), and, perhaps the most striking of these, Business Email Compromise (BEC) (19,369). It’s striking, not because of the number of complaints but because BEC scams recorded the highest total losses by victims, at roughly $1.8 billion USD. Although phishing led to the highest number of complaints, victims “only” lost $54 million USD, a fraction of the money lost to BEC scams.

According to IC3, BEC can also be called Email Account Compromise (EAC). It may or may not involve a layered attack, depending on how a threat actor can better mimic the person they’re spoofing, and how much their target employee would be able to buy into the overall deception.

It starts off with an email, either from a compromised account or spoofed address, to make it look like it originated from a particular sender. The threat actor, usually posing as a higher-up within a company, contacts a more junior employee in the company who is cleared to perform funds transfers. The attacker gives the junior employee a plausible but urgent instruction to make a large, confidential transfer of money to a fake supplier.

“In 2020, the IC3 observed an increase in the number of BEC/EAC complaints related to the use of identity theft and funds being converted to cryptocurrency,” according to the report. “In these variations, we saw an initial victim being scammed in non-BEC/EAC situations to include Extortion, Tech Support, Romance scams, etc., that involved a victim providing a form of ID to a bad actor. That identifying information was then used to establish a bank account to receive stolen BEC/EAC funds and then transferred to a cryptocurrency account.”

We remind businesses, regardless of sector, to be aware of BEC attack trends and be very vigilant in combatting it. BEC scams rely, in part, on the pressure that junior employees feel when asked to comply with demands from senior employees, and told not to alert anyone else. Employees should be empowered to seek advice and take the time they need.

Also, if your company doesn’t have an extra layer or two of authentication before the request to transfer money is green-lit, put one in place now. A phone or video call is ideal.

True, these steps introduce a bit of friction into your company processes, but a little inconvenience and delay could your company millions of dollars.

Good luck!

Other post(s) on the subject of business email compromise:

The post Report reveals the staggering scale of Business Email Compromise losses appeared first on Malwarebytes Labs.

HelloKitty: When Cyberpunk met cy-purr-crime

On February 9, after discovering a compromise, CD Projekt Red (CDPR) announced to its 1+ million followers on Twitter that it was the victim of a ransomware attack against its systems (and made it clear they would not yield to the demands of the threat actors, nor negotiate).

Cyberpunk 2077, the latest game released by CD Projekt Red and once hailed as the “most anticipated game of the decade”, was released in December 2020 with many calling it an “unplayable mess”.

No surprise then that some people suspected that enraged gamers were hitting back at the company for releasing the game in that state. But infamous ransomware hunter Fabian Wosar (@fwosar), of Emsisoft begged to differ.

Although what he said was an informed claim, we cannot say for sure what hit CDPR until a ransomware sample is retrieved and analyzed. Nevertheless, the name-check was enough to put the HelloKitty ransomware family in the headlines.

HelloKitty ransomware

The HelloKitty ransomware, also known as Kitty ransomware, was first seen in November 2020, a few months after the first variants of Egregor were spotted in the wild.

CEMIG (Companhia Energética de Minas Gerais), a Brazilian electric power company, revealed on Facebook in late December 2020 that it was a victim of a cyberattack. Succeeding reports revealed that HelloKitty was the ransomware behind it, and that this ransomware strain was used to steal a large amount of data about the company. The attack didn’t cause any damage, however, but it caused the company to suspend its WhatsApp and SMS channels, and its online app service.

This ransomware family was named after a mutex it used called “HelloKittyMutex.”

Some researchers refer to HelloKitty as DeathRansom—a ransomware family that, based on its earlier variants, merely renames target files and doesn’t encrypt them. We speculate, however, that HelloKitty was built from DeathRansom. As such, Malwarebytes detects this ransomware as Ransom.DeathRansom.

The threat actors behind HelloKitty ransomware aren’t as active as some other threat groups, so there is little information about it. Below is what we know so far.

Infection vector

According to SentinelLabs, current intelligence suggests that HelloKitty arrives via phishing emails or via secondary infection from an initial malware attack.

Symptoms

hellokitty CEMIG
HelloKitty ransom note

Systems affected by HelloKitty ransomware display the following symptoms:

1. Terminated processes and Windows services. Once it reaches an affected system and executes, HelloKitty terminates processes and Windows services that may interfere with its operation. These processes are generally associated with security software, backup software, accounting software, email servers, and database servers (to name a few). Overall, it can target and terminate over 1,400 processes and services.

It performs the termination process using taskkill.exe and net.exe, two legitimate Microsoft Windows programs.

SentinelLabs also notes that if there are processes HelloKitty cannot terminate using these executables, it then taps into Windows’s Restart Manager to perform the termination.

2. Encrypted files with .KITTY or .CRYPTED file extensions. On Windows systems, HelloKitty ransomware uses a combination of AES-128 + NTRU encryption. On Linux systems, it uses the combination AES-256 + ECDH. These encryption recipes are not known to have any weaknesses, making decryption impossible without a key.

Encrypted files will have the .kitty or .crypted file extension appended to the file names. For example, an encrypted sample.mdb file will either have the sample.mdb.kitty or sample.mdb.crypted file names.

3. Targeted ransom note. The HelloKitty ransom note is usually a plain text file bearing either the name read_me_lkdtt.txt or read_me_unlock.txt that references its target and/or its environment. For a sample content of the note, below is a portion of the CEMIG ransom note as follows:

Hello CEMIG!

All your fileservers, HyperV infrastructure and backups have been encrypted!

Trying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss of data!

The only way to recover your files is by cooperating with us.

To prove our seriousness, we can decrypt 1 non-critical file for free as proof. We have over 10 TB data of your private files, databases, personal data… etc, you have 24 hours to contact us, another way we publish this information in public channels, and this site will be unavailable.

The ransom note also includes a .onion URL that victims can open using the Tor browser. URLs are different for each victim.

4. Deleted shadow copies. Similar to other well-known ransomware families like Phobos and Sodinokibi, HelloKitty deletes shadow copies of encrypted files on affected systems to prevent victims from restoring them.

Indicators of Compromise (IOCs)

Tor Onion URLs:

  • 6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion
  • x6gjpqs4jjvgpfvhghdz2dk7be34emyzluimticj5s5fexf4wa65ngad.onion

SHA256 hashes:

  • 78afe88dbfa9f7794037432db3975fa057eae3e4dc0f39bf19f2f04fa6e5c07c
  • fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb
  • c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e
  • 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
  • 38d9a71dc7b3c257e4bd0a536067ff91a500a49ece7036f9594b042dd0409339

The post HelloKitty: When Cyberpunk met cy-purr-crime appeared first on Malwarebytes Labs.

NFTs explained: daylight robbery on the blockchain

Did you hear about the JPG file that sold for $69 million?

I’ll give you some more detail, the JPG file is a piece of digital art made by Mike Winkelmann, the artist known as Beeple. The file was sold on Thursday by Christie’s in an online auction for $69.3 million. This set a record for artwork that exists only digitally. Which for many people raised the question: what’s to stop me from copying it and becoming an owner as well? After all, digital files can be copied ad infinitum, with no loss of quality.

Which is where non-fungible tokens (NFTs or “nifities”) come in. NFTs are the latest, most eyebrow-raising use of blockchain technology.

Non-fungible means the token has unique properties so it cannot be interchanged with something else. Money, for example, is fungible. You can break down a dollar or a bitcoin into change and it will still have the same value. An artwork is more like a house, each one is unique and can’t be broken into useful fractions. (Although for houses sometimes it is only the location that makes it different from its neighbors.)

But I made the analogy because for houses we have a ledger to keep track of who owns the house. If you want to know who owns a house, you look it up in the ledger. You can think of an NFT as a certificate of ownership for a unique object, virtual or tangible.

Art and technology

While the combination of art and technology may have sounded strange a century ago, nowadays they are no longer a rare combination. The first use of the term digital art was in the early 1980s when computer engineers devised a paint program which was used by the pioneering digital artist Harold Cohen. This became known as AARON, a robotic machine designed to make large drawings on sheets of paper placed on the floor.

Andy Warhol or David Hockney may be more familiar names, even for those that are not that into art. Andy Warhol created digital art using a Commodore Amiga where the computer was publicly introduced at the Lincoln Center, New York in July 1985. Hockney is huge fan of the iPad.

Art and NFTs

The maintenance of the digital ledger to keep track of who owns a digital work of art is done using blockchain technology. Blockchains make it almost impossible to forge records.

Copies of the blockchain are kept on thousands of computers and each item in the blockchain is cryptographically linked to every item that comes after it. Forging a record in a blockchain ledger means re-doing the transaction you want to forge, and every subsequent transaction, on a majority of all the copies in existence, at the same time.

Unlike bitcoins, each NFT is unique and can contain details like the identity of its owner or other metadata. NFTs also include smart contracts. Smart contracts store code instead of data in a blockchain, and execute when particular conditions are met. An example of an NFT smart contract might give an artist a percentage of future sales of their work.

But to answer the original question, this doesn’t stop anyone from copying a digital masterpiece and enjoying it at home. The NFT ledger only shows who the owner of the original is.

Stolen NFTs

Even though the blockchain technology itself is secure, the applications that are built on or around it, such as websites or smart contracts, don’t inherit that security, and that can cause problems.

Users of the digital art marketplace Nifty Gateway reported hackers had taken over their accounts and stolen artwork worth thousands of dollars over the weekend.

victim complaining on Twitter

Someone stole my NFTSs today on @niftygateway and purchased $10K++ worth of today’s drop without my knowledge. NFTs were then transferred to another account.

Some victims reported that the digital assets stolen from their accounts were then sold on the chat application Discord or on Twitter. The underlying problem, according to many claims, was that the thieves hacked the owner’s accounts. They then used the accounts to sell, buy, and re-sell NFTs.

This is possible because blockchain security is designed to prevent forgery, not theft. If somebody steals your NFT and sells it, the blockchain will faithfully record the sale, irreversibly.

Art turned into NFT without the artist’s knowledge

Some artists are reporting their work has been stolen and sold on NFT sites without their knowledge or permission. In some cases, the artist only learned about the theft weeks or even years later, having stumbled upon their work on an auction site. The people creating the NFT had no ownership and probably just copied the artwork from the artist’s website.

Identifying the original file

The way NFTs are set up now they depend too much on URLs that might end up broken at some point in time. Or get hijacked by some clever threat actor. Jonty Wareing did an analysis on how Nifty references the original and was not impressed. He expressed his concerns on Twitter. He found the fact that both the NFT token for the json metadata file as well as the IPFS gateway are defined by URLs set up by the seller. IPFS is a distributed system for storing and accessing files, websites, applications, and data.

The NFT token you bought either points to a URL on the internet, or an IPFS hash. In most circumstances it references an IPFS gateway on the internet run by the startup you bought the NFT from.

Which means when the startup who sold you the NFT goes bust, the files will probably vanish from IPFS too

Problems with art and NFTs

The reported crimes are made possible by two apparent flaws in the way the system was set up.

  • It is possible to create more than one NFT for the same work of art. This creates separate chains of ownership for the same work of art.
  • If no NFT exists for a certain work of art, creating one does not require you to be the owner. This creates false chains of ownership.
  • The references defining the original depend too heavily on URLs that are vulnerable and could vanish at some point.

To circle back to our analogy with real estate, the only way a ledger can be expected to give an accurate account of ownership is by having one central ledger that checks whether the first owner did buy the object directly from the creator. The creation of such a new ledger should also include a check whether there is not an existing registration for the same object to avoid creating a duplicate. And for digital files we need a better way to define them. Storing URLs in the blockchain will protect the URL and not the underlying file.

The post NFTs explained: daylight robbery on the blockchain appeared first on Malwarebytes Labs.

Mother charged with using deepfakes to shame daughter’s cheerleading rivals

A Pennsylvania woman reportedly sent doctored photos and videos of her daughter’s cheerleader rivals to their coaches, in an attempt to embarrass them and get them kicked off the team. She’s alleged to have used deepfake technology to create photo and video depictions of the girls naked, drinking, and vaping, law enforcement officials said.

The woman—50-year-old Raffaela Spone—was arrested in early March and charged with multiple misdemeanor counts of cyberbullying, after targeting three teen girls in Victory Vipers, her daughter’s cheerleading squad, and three counts of harassment. However, she was later released on the condition that she attends her preliminary hearing on March 30.

A deepfake, is a realistic fake image or video that uses machine learning to replace the original subject with somebody else’s likeness. The usual recipe needed to create one is a deepfake tool, which are becoming widely accessible online, the original image or video, and a photo or photos of the person being added to it.

According to reports, Spone likely used images from the girls’ social media accounts to create the fake media. She also anonymously sent harassing text messages from multiple fake phone numbers to the girls, their parents, and the owners of the gym where the cheerleading squad practiced. Some messages contained deepfakes, and some messages urged them to kill themselves, according to The Philadelphia Inquirer.

Police were able to identify that the fake numbers Spone used belonged to an app called Pinger. This allowed them to acquire the IP address messages were coming from, and then use the IP to acquire Spone’s home address and phone carrier. Further searches on Spone’s phone revealed evidence tying her to the deepfakes.

Per court records, there was no indication that her daughter knew what her mother was doing.

“Here are some of my concerns in this case,” said Bucks County District Attorney Matt Weintraub during a news conference Monday, “[deepfake] tech is now available to anyone with a smartphone. Your neighbor down the street, somebody who holds a grudge—you’ll just have no way of knowing. This is prevalent.”

He continued, “This is also another way for an adult to now prey on children, as is the case of the allegations in this instance.”

Crimes committed by Spone was something Henry Ajder, a deepfake researcher, saw coming. Speaking to The New York Times, Ajder, who anticipates that deepfake depictions will become more realistic in the next five years, is concerned they could be used to “attack individuals, create political disinformation … conduct fraud and manipulate stock markets”.

Robert Birch, Spone’s attorney, revealed to WPVI-TV, a local network, that his client has received death threats after reports about the deepfakes appeared in the press.

Victory Vipers apologized to all individuals involved in this case. “Victory Vipers has always promoted a family environment and we are sorry for all individuals involved. We have very well-established policies, and a very strict anti-bullying policy in our program.” said Mark McTague and Kelly Cramer in a statement.

“When this incident came to our attention last year we immediately initiated our own internal investigation and took the appropriate action at the time. This incident happened outside of our gym. When the criminal investigation ensued, we fully cooperated with law enforcement. All athletes involved, are no longer a part of our program.”

Other posts on the subject of deepfake:

The post Mother charged with using deepfakes to shame daughter’s cheerleading rivals appeared first on Malwarebytes Labs.

Teen behind 2020 Twitter hack pleads guilty

The so-called “mastermind” behind the 2020 Twitter hack that compromised the accounts of several celebrities and public figures—including President Barack Obama, Bill Gates, and Elon Musk—pleaded guilty to several charges on Tuesday in a Florida court.

As part of an agreed-upon plea deal with prosecutors, Graham Clark will serve three years in juvenile prison, with an additional three years spent under probation.

First reported by 10 Tampa Bay WTSP-TV, Clark’s plea deal will include restrictions to “electronic devices,” with access only permitted by the Florida Department of Law Enforcement and by those supervising Clark during his eventual probation. According to 10 Tampa Bay, at 18 years old, Clark will also be sentenced as a “youthful offender,” which could allow him to serve some of his prison time in a “boot camp.” He will also earn credit for the 229 days that he has already spent in jail.

Clark’s plea deal represents a reversal of his earlier position on August 4, 2020, when he pleaded not guilty to 30 charges of fraud brought against him by state prosecutors in Florida for allegedly stealing Bitcoin payments from countless victims. According to Hillsborough State Attorney Andrew Warren at the time, the charges filed against Clark were for “scamming people across America.”

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.” 

Last year, Clark allegedly worked with two other individuals to compromise the accounts of about 130 Twitter users in a broader scheme to steal Bitcoin payments from unsuspecting victims. On July 15, the Twitter accounts of several celebrities and industry leaders began tweeting nearly the exact same message: Sparked by sudden gratitude, anyone who donated payments to a specific Bitcoin address would receive double those payments in return.

According to the public bitcoin ledger, at the time, the hackers conned people out of more than $100,000.

Nearly two weeks later, Clark was arrested at his apartment in Tampa. Two other men—Mason Shepperd from the UK and Nima Fazeli of Orlando—were also charged in connection with the hack. Shepperd was charged with wire fraud and money laundering, while Fazeli was charged with aiding and abetting.

At the time of the attack, many asked how such a small operation—led by a teenager—could have successfully breached the security of a major technology company. According to an investigation by The New York Times, Clark’s Twitter hack was not the work of an experienced hacker, but of a tried-and-true fraudster. Having bilked victims out of small sums of about $50 for years, Clark is alleged to have eventually worked his way into a scam that involved the theft of $856,000 worth of Bitcoin, at the age of 16.

After the theft, Clark posted photos of himself on Instagram wearing a Rolex watch.

To compromise Twitter, Clark used his practiced social engineering skills to gain access to an employee control panel. From there he was able to change users’ email addresses, and to use those new email addresses to reset passwords and disable two-factor authentication, giving him access to numerous user accounts, and their millions of followers.

The post Teen behind 2020 Twitter hack pleads guilty appeared first on Malwarebytes Labs.

FBI warns of increase in PYSA ransomware attacks targeting education

On March 16, the Federal Bureau of Investigation (FBI) issued a “Flash” alert on PYSA ransomware after an uptick on attacks this month against institutions in the education sector, particularly higher ed, K-12, and seminaries. According to the alert [PDF], the United Kingdom and 12 states in the US have already affected by this ransomware family.

PYSA, also known as Mespinoza, was first spotted in the wild in October 2019 where it was initially used against large corporate networks.

CERT France issued an alert a year ago about PYSA widening its reach to include French government organizations, and other governments and institutions outside of France. PYSA was categorized as one of the big-game hunters, joining the ranks of Ryuk, Maze, and Sodinokibi (REvil). “Big-game” ransomware attacks target entire organizations, with threat actors operating their ransomware manually, after spending time breaking into and an organization’s networks and conducting reconnaissance.

PYSA/Mespinoza can arrive on victims’ networks either via phishing campaigns or by brute-forcing Remote Desktop Protocol (RDP) credentials to gain access.

Before downloading and detonating the ransomware payload, threat actors behind this ransomware were also found to conduct network reconnaissance using open-source tools like Advanced Port Scanner and Advanced IP Scanner. They also install other such tools, such as Mimikatz, Koadic, and PowerShell Empire (to name a few), to escalate privileges and move laterally.

The threat actors deactivate security protection on the network, exfiltrate files, and upload the stolen data to Mega.nz, a cloud-storage and file-sharing service. After this, PYSA is then deployed and executed. All encrypted files in Windows and Linux, the two platforms this ransomware primarily targets, will have the .pysa suffix.

The FBI report also reveals a possible double extortion tactic that might occur against victims: “In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort
victims to pay a ransom.”

In the last six months, the FBI and other law enforcement organizations have been warning the education sector about increased threat activity against them. And this isn’t just limited to ransomware attacks. Phishing campaigns and domain typosquatting also come into play.

The FBI’s “Flash” alert includes these recommended mitigations for potential targets.

To prevent attacks:

  • Install security updates for operating systems, software, and firmware as soon as they are released.
  • Use multi-factor authentication wherever possible.
  • Avoid reusing passwords for different accounts and implement the shortest acceptable timeframe for password changes.
  • Disable unused RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with the lowest privileges you can.
  • Use up-to-date anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Provide users with training on information security principles and techniques as well as emerging cybersecurity risks.

To mitigate the effects of an attack:

  • Back up data and use air gaps and passwords to make them inaccessible to attackers.
  • Use network segmentation to make lateral movement harder.
  • Implement a recovery plan and keep multiple copies of sensitive or proprietary data in physically separate, segmented, secure locations.

The post FBI warns of increase in PYSA ransomware attacks targeting education appeared first on Malwarebytes Labs.

Apple shines and buffs Mac security—Is it enough to stop today’s malware?

There’s a lot going on in the Mac security world lately.

Over the last few months, Apple has ramped up security efforts across its platforms. From an endpoint security framework overhaul of macOS Catalina to phasing out kernel extensions, the tech giant has been battening down the hatches—especially of macOS and Mac computer hardware.

Despite Apple’s best efforts—or perhaps as a result of them—the Mac threat landscape has become even more dangerous. But instead of welcoming allied assistance via third-party security vendors, Apple is closing the gate. And cybercriminals are closing the gap.

A crack in the Mac door

It seems like only yesterday there weren’t many breaking news stories on Mac security threats to bite into. In fact, news on Apple cyberthreats wasn’t just infrequent—it was inconsequential. But over the last few years, credible threats, exploits, and hacks of Apple products have become more persistent. There was KeRanger ransomware in 2016. Several effective Mac-facing miners joined the crypto-rush in 2018. The iOS vulnerability exploited by checkm8 rattled quite a few cages in late 2019.

However, from the start of 2020 onward, the malicious momentum has been building. In the 2020 State of Malware Report, Malwarebytes researchers found that Mac malware—primarily backdoors, data stealers, and cryptominers—had risen by 61 percent over the previous year.

2020 served Apple users with a number of targeted attacks using RATs and APTs developed by nation-state actors from China, North Korea, and Vietnam. Some of these made their way into the wild; others appeared on journalists’ iPhones. ThiefQuest, a Mac malware masquerading as ransomware, was discovered in mid-2020.

Despite having the most locked-down security system of Apple’s platforms, iOS was particularly pummelled in the last year. A zero-click exploit remained unpatched for six months of 2020, leaving innocent iPhone users unaware that anyone nearby could completely take over their device without touching it. In November 2020, Apple released patches for three zero-day vulnerabilities in iOS and iPadOS that were being actively exploited in the wild.

Unfortunately, 2021 is proving to be similarly rotten for Apple. Just last week, the company released a patch for iPhone, iPad, and MacBook for a bug that could allow code execution through websites hosting malicious code. Reading between the lines, this means its browsers were vulnerable to exploits that could be launched from malicious website content, including images and ads.

While Apple didn’t comment on whether this particular vulnerability had been discovered by cybercriminals, the company released patches for three separate security bugs that were being actively exploited in January 2021. (Note: These are a different three vulnerabilities than the zero-days found in November.) And just a couple weeks ago, there was Silver Sparrow.

Silver Sparrow is a new Mac malware that swooped in on February 18 and was found on nearly 40,000 endpoints by Malwarebytes detection engines. At first considered a reasonably dangerous threat (researchers now believe it’s a form of adware), Silver Sparrow is nevertheless a malware family of intrigue for showcasing “mature” capabilities, such as the ability to remove itself, which is usually reserved for stealth operations.

One of Silver Sparrow’s more advanced features is the ability to run natively on the M1 chip, which Apple introduced to macOS in November. The M1 chip is central to Apple’s latest security features for Mac computers, and that makes it central to the apparent security paradigm shift happening within the company’s walls.

Apple security paradigm shift

And what paradigm shift is that? Macs running the M1 chip now support the same degree of robust security Apple consumers expect from their iOS devices, which means features like Kernel Integrity Protection, Fast Permission Restrictions (which help mitigate web-based or runtime attacks), and Pointer Authentication Codes. There are also several data protections and a built-in Secure Enclave. Put plainly: Apple have baked security directly into the hardware of their Macs.

But the security changes aren’t limited to the M1 chip or even macOS. On February 18, the company released its Platform Security Guide, which details the changes in iOS 14, iPadOS 14, macOS Big Sur, tvOS 14, and more—and there are many. From an optional password manager feature in Safari that looks out for saved passwords involved in data breaches to new digital security for car keys on Apple Watches and the iPhone, the security sweep appears to be comprehensive. In the guide preamble, Apple touts:

“Apple continues to push the boundaries of what’s possible in security and privacy. Apple silicon forms the foundation for…system integrity features never before featured on the Mac. These integrity features help prevent common attack techniques that target memory, manipulate instructions, and use JavaScript on the web. They combine to help make sure that even if attacker code somehow executes, the damage it can do is dramatically reduced.”

Looking at the collective security improvements made to Macs over the last several months—the M1 chips, changes to system extensions, an entirely new endpoint security framework—it appears Apple is making great strides against the recent uptick in cyberattacks. In fact, they should be commended for developing many beneficial technologies that help Mac (and iPhone) users stay more secure. However, not all of the changes are for the better.

Securing themselves in the foot

Unlike their Microsoft counterparts, Apple have been historically far more reticent about working with others—and that extends to third-party antivirus programs and security researchers alike. Their recent security upgrades for macOS and MacBook hardware are, unfortunately, right on brand.

The security components of M1-based Macs are harder to analyze and verify for those looking in from the outside. Security researchers and the tools they use may be thwarted by a less-than-transparent environment. Essentially, the new developments have hidden Mac defenses behind castle walls, which could make it more difficult for users, businesses, or analysts to know whether their devices have been compromised.

In a recent article in the MIT Technology Review, journalist Patrick Howell O’Neill said that Apple’s security succeeds in keeping almost all of the usual bad guys out, but when the most advanced hackers do break in, “Apple’s extraordinary defenses end up protecting the attackers themselves.” Those threat actors with the resources to develop or pay for a zero-day exploit can pole jump over the Apple security wall and, once inside, move around fairly undetected because of its locked-down, secretive nature.

Mac system extensions and the endpoint security framework introduced in Catalina are similarly problematic. Third-party software developers must apply to Apple for system extensions, and they aren’t just handing them out like masks and sanitizer. Once a developer gets a system extension approval from Apple, though, that developer’s software is protected by System Integrity Protection—and it’s nearly impossible to remove the extension unless you’re the owner of the software.

That’s great for legitimate third-party software programs, like Malwarebytes for Mac, especially in protecting against outside threats that might try to disable security software during an attack. But not every company that applies for system extensions is legitimate.

There have already been a few examples of developers known for cranking out potentially unwanted programs (PUPs) getting extensions from Apple. Because of this, some PUPs can no longer be fully removed by Malwarebytes (or any other security vendor) from Mac computers running Catalina or Big Sur. And while there are some ways that users can manually remove these programs, they are by no means straight-forward or intuitive.

No matter the malware

There’s been much fuss made about “actual” Mac malware in the press (and in this very article), but PUPs and adware are a significant issue for Mac computers. Cue the classic rebuttal: “But it’s only PUPs!” While many like to trivialize them, PUPs and adware open the door for more vulnerabilities, making an attack by malicious software even easier. Adware, for example, can host malicious advertising (malvertising), which can push exploits or redirects to malicious websites. If the most recent vulnerability patched by Apple wasn’t already being exploited, that would have been a perfect opportunity for cybercriminals to penetrate the almighty Apple defenses.

As discovered in the State of Malware Report, PUPs represented more than 76 percent of Mac detections in 2020. Adware accounted for another 22 percent. Actual malware designed for Macs is but a small slice of the apple. But it’s a growing slice for businesses with Mac endpoints.

In 2020, Mac threat actors decided to take a page out of the Windows cybercriminal book and turn their attention toward larger organizations instead of individuals. To that end, Mac malware increased on business endpoints by 31 percent in 2020—remote work and all. There may not be as many “actual” malware attacks on Mac endpoints as on Windows, but the share of Macs in business environments has been increasing, especially since the start of the pandemic.

Apple has developed some impressive armor for its Macs, but it doesn’t protect against the full scope of what’s out there. Further, Apple only uses static rules definitions for its anti-malware protection, which means it won’t stop malware it doesn’t already recognize. A security program that uses behavioral detection methods (heuristic analysis), like Malwarebytes Endpoint Detection and Response, has the potential to catch a lot of bad apples that Apple hasn’t seen yet.

As time goes on, we’re increasingly in danger of a major attack waged against Macs. There are still a myriad of Mac users who don’t install any third-party security. Fundamentally, Macs still aren’t all that difficult to infect—even with all the bells and whistles. And by closing their systems, Apple is limiting the capabilities of additional third-party security layers to assist in stopping that major attack from doing major damage.

Apple’s days of sitting on the security fence are certainly over. Time will tell if their fortress-like defenses win out, or if they’ll eventually need to depend on their allies for assistance.

The post Apple shines and buffs Mac security—Is it enough to stop today’s malware? appeared first on Malwarebytes Labs.