
Stalkerware and online stalking are accepted by Americans. Why?

Despite warnings from domestic abuse networks, privacy
rights advocates, and a committed faction of cybersecurity vendors, Americans may
be accepting and minimizing online stalking behaviors, including the use of
invasive apps that can pry into a user’s text messages, emails, photos, videos,
and phone logs.

The limited opposition to these at-times abusive behaviors was revealed by a new study conducted by NortonLifeLock, a consumer cyber safety vendor and founding member of the Coalition Against Stalkerware, which Malwarebytes helped form last year.

The distressing survey revealed that nearly half of
individuals between the ages of 18 and 34 said they found online stalking to be
“harmless.” Further, the study revealed that 1 in 10 Americans admitted to
using digital monitoring apps—sometimes referred to as stalkerware—against
their ex or current romantic partners.

How did we get here?

Unfortunately, we cannot say whether the NortonLifeLock survey results represent a shift in attitudes or reflect a long-held acceptance of surveillance culture online. While US government agencies have recorded stalking statistics for decades, those same agencies either have not recorded admissions of online stalking behavior and perceptions of its harms, or did not respond to requests for such data.

However, domestic abuse advocates and researchers agreed that several factors play a role in the public’s acceptance of this type of behavior. Many romantic comedies romanticize stalking, while the spread of consumer home surveillance devices has normalized private, digital surveillance. Further, today’s mobile apps have turned viewing someone’s private life into a seemingly harmless, everyday interaction.

More likely, though, is that the public has always failed to
recognize and respond to the actual harms of stalking, said Elaina Roberts,
technology safety legal manager with National Network to End Domestic Violence.

“This is an age-old crime and people’s perceptions of it, in
my opinion, haven’t changed all that much,” Roberts said.

The NortonLifeLock Online Creeping Survey

In conjunction with The Harris Poll, NortonLifeLock surveyed
more than 2,000 adults in the United States about “online creeping”—behavior
that includes consistent, stealthy tracking of someone online, which could also
veer into behavior that is more akin to cyber stalking.

Overall, the survey found that 46 percent of respondents
admitted to “stalking” an ex or current partner online “by checking in on them
without their knowledge or consent.”

The most common forms of online stalking included checking a
current or former partner’s phone—at 29 percent—and looking through a partner’s
search history on one of their devices without permission—at 21 percent. Disturbingly,
9 percent of respondents admitted to creating a fake social media profile to
check in on their partners, and 8 percent of respondents admitted to tracking a
partner’s physical activity through their phone or through a health-related
app.

Kevin Roundy, technical director for NortonLifeLock, warned
about these behaviors.

“Some of the behaviors identified in the NortonLifeLock
Online Creeping Survey may seem harmless, but there are serious implications
when this becomes a pattern of behavior and escalates, or when stalkerware and
creepware apps get in the hands of an abusive ex or partner,” Roundy said.

When asked why respondents engaged in these behaviors, the
top two answers revealed a lack of trust and an itching, potentially harmful level
of concern; 44 percent said “they didn’t trust [their partner] or suspected
they were up to no good,” while 38 percent said they were “just curious.”

The gender disparity in the results was clear. In seemingly
every category, men found it more acceptable to engage in these behaviors and
to have these behaviors enacted against them.

While 35 percent of respondents said “they don’t care if
they are being stalked online by a current or former partner as long as they
are not being stalked in person,” it was 43 percent of men who agreed with that
statement versus 27 percent of women. Further, 20 percent of men said they
tracked a current or former partner’s location, versus 13 percent of women. Men
also showed that they more readily accepted online stalking if one or both of
the partners in a relationship had cheated or were merely suspected of
cheating.

These results reflect broader statistics in America about
who is more often victimized by stalking.

According to a national report of about 13,000 interviews
conducted by the Centers for Disease Control and Prevention (CDC), an estimated
15.2 percent of women and an estimated 5.7 percent of men have been stalked in
their lifetime. Women who said they were stalked during their lifetimes stated
they were the target of a variety of behaviors, including being approached at
home or work (61.7 percent); receiving unwanted messages like texts and voice
mails (55.3 percent); and being watched, followed, or spied on with a
“listening device, camera, or GPS device” (49.7 percent).

When asked if the CDC records the rate of admission of
stalking behavior and perceptions to stalking behavior, a spokesperson said the
agency does not keep such statistics.

The Bureau of Justice Statistics, which also tracks stalking in America, did not respond to a request for similar data.

Despite the two agencies’ robust datasets on the threat of
stalking, the NortonLifeLock survey revealed a different perspective on similar
behavior—a potentially concerning coziness with it. Young Americans in
particular, the survey showed, found little threat in online stalking.

The survey said that 45 percent of those aged 18–34 found
online stalking to be “harmless.” The same age group most heavily engaged in
the behavior—65 percent said they have “checked in on a current or former
significant other.”

Domestic abuse advocates argue that those high statistics
reflect a society that fails to fully recognize the harms of stalking,
cyberstalking, and invasive behavior toward romantic partners. Further, the
language actually used in the survey might point to less nefarious
interpretations by young people.

The normalization and minimization of stalking

Despite the NortonLifeLock study revealing troubling
perceptions of online stalking behavior, Erica Olsen, director of Safety Net at
National Network to End Domestic Violence, said these perceptions existed long
before the advent of technology-enabled abuse. It’s been happening for decades,
Olsen said.

“I unfortunately think that stalking behaviors have always, to some extent, been accepted and minimized,” Olsen said. “I think a lot of it has to do with the romanticizing of some of the behaviors—specifically following and spying.”

Olsen pointed to many romantic comedies that portray
stalking as endearing.

In The Graduate, Dustin Hoffman’s character follows Katharine Ross’s character despite explicitly being told to drop contact, much like John Cusack’s character in Say Anything ignores the wishes of his ex-girlfriend, played by Ione Skye. The 1954 film Seven Brides for Seven Brothers involves several men who kidnap a group of women, and no, it isn’t a horror movie.

As the New Statesman wrote:

“A group of brothers kidnap six attractive women by causing
a life-threatening avalanche that keeps them imprisoned all winter. The women
play pranks on the men in revenge, and, in a shocking case of Stockholm
syndrome, everyone has an all-round jolly time. They pair off and are all
married by summer.”

These types of films can impact audience perceptions of
intrusive and aggressive behavior, found Julia Lippman, a research fellow at
the Center for Political Studies-Institute for Social Research at the
University of Michigan.

According to Lippman’s paper, “I Did It Because I Never Stopped Loving You: The Effects of Media Portrayals of Persistent Pursuit on Beliefs About Stalking,” women who watched movies with positive portrayals of aggressive romantic pursuit were more likely to accept those behaviors than women who watched movies with scary or threatening depictions of the same types of behavior.

In speaking to the online outlet Bustle, Lippman said:

“Positive media portrayals of stalking—like those where
the pursuer is rewarded by ‘getting the girl’— can lead people to see stalking
in a more positive light.”

Media portrayals aside, another factor could play a role in the public’s acceptance of online stalking that amounts to digital surveillance—the privatization of surveillance in our own neighborhoods. Millions of smart doorbells have crept into countless suburbs across America, capturing footage of package thieves, yes, but, more often, of neighbors, children, and animals engaged in harmless behavior.

According to a survey conducted by The Washington Post,
smart doorbell owners who understood the privacy risks of their devices said
the risks were not enough to deter them from ownership. As The Washington Post
wrote:

“[In] the unscientific survey, most people also replied that
they were fine with intimate new levels of surveillance—as long as they were
the ones who got to watch.”

Finally, the acceptance of “online stalking” by younger
generations could intersect with emerging ways of staying in touch with one
another, and with the language that young people—particularly teenagers—use.

Diana Freed, a PhD student at the Intimate Partner Violence tech research lab led by Cornell Tech faculty, said that, in her research, she has found that teenagers often use the term “stalking” in a harmless way to describe checking in on people online.

“It’s a very common term used with teens—‘Let’s stalk that
person on Instagram,’—but they’re not saying it with the intent to harm,” Freed
said.

(Full disclosure, when this Malwarebytes Labs writer
attended college, he frequently heard the words “Facebook stalk” used to
describe looking up a romantic crush, whether that meant viewing their photos
or trying to find their “Relationship Status.”)

Freed said many apps also provide an opportunity for “wholesome” viewing of other people’s lives. With features like TikTok’s constant video feed or Snapchat Stories and Instagram Stories—which let users post photos and short videos that last only 24 hours—users can follow another user’s daily activities despite being physically separated. That type of behavior does not have to be covert, Freed said, and can be done “with full knowledge” between two people who are friends offline.

“The ability to follow people closely is made available to
us just by the features offered,” Freed said.

As to whether the presence of the technology
itself—including stalkerware-type apps—has somehow created more stalkers, no
expert interviewed for this piece saw a provable correlation.

Roberts of NNEDV said that even before the proliferation of
GPS devices and stalkerware, domestic abusers would excuse their persistent,
physical following of their partners by saying they were merely concerned for
their partner’s safety. Today, she said, abusers use the same lies—urging survivors
to use GPS location apps or stalkerware as a way to ensure safety.

“So, while we can potentially say that people are just more
inclined to be accepting of this behavior today,” Roberts said, “I believe the
truth is that people have always minimized these types of ‘caring’
behaviors as they appear to be done out of concern.”

Moving forward

All of this presents two concerning realities—Americans are
growing warm to online stalking; Americans have always accepted stalking. Neither
is the type of reality that should go unopposed.

Remember, online stalking that violates a person’s privacy is not harmless. Many of the behaviors described in the survey are the same types of behaviors that domestic abuse survivors face every day, from using stalkerware to learn private information, to tracking a person’s GPS location as a means to find them to inflict violence.

For years, Malwarebytes has worked to detect and raise awareness about invasive monitoring apps that can pry into users’ lives without their consent. This latest survey only proves that more work is needed.
We’re ready for it.

The post Stalkerware and online stalking are accepted by Americans. Why? appeared first on Malwarebytes Labs.

Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server

Threat actors love to abuse legitimate brands and infrastructure—this, we know. Last year we exposed how web skimmers had found their way onto Amazon’s CloudFront content delivery network (CDN) via insecure S3 buckets. Now, we have discovered scammers pretending to be CDNs while exfiltrating data and hiding their tracks—another reason to keep a watchful eye on third-party content.

Sometimes, what looks like a CDN may turn out to be anything but. Using lookalike domains is nothing new among malware authors. One trend we see a fair bit with web skimmers in particular is domains that mimic Google Analytics: Practically all websites use this service for their ranking and statistics, so it makes for credible copycats.

In the latest case, we caught scammers using two different domains pretending to be a CDN. Typically the second piece of infrastructure would be the data exfiltration server itself; here it only acts as an intermediary that hides the actual exfiltration server.

Oddly, the crooks decided to collect the stolen data on a local web server exposed to the Internet via the free ngrok service, a reverse-proxy tool that creates tunnels from a public URL to a machine behind NAT or a firewall. This combination of tricks and technologies shows that fraudsters can devise custom schemes in an attempt to evade detection.

Inspecting code for unauthorized third-parties

We identified suspicious code on the website for a popular Parisian boutique store. However, to the naked eye, the script in question looks just like another jQuery library loaded from a third-party CDN.

Figure 1: Compromised online store, with source code showing a CDN-like domain

Although the domain name (cdn-sources[.]org) alludes to a CDN, and unveil.js is a legitimate library (a jQuery plugin for lazy-loading images), a quick look at the content shows some inconsistencies. A lazy-loading image plugin has no business looking for credit card number fields.

Figure 2: A malicious third-party library impersonating a legitimate one

To clear up any doubts, we checked an archived copy of the site and compared it with a live snapshot. The script did not exist just a couple of weeks prior, so it was either added by the site owner or, as in this case, injected by attackers.

Figure 3: Snapshots comparing online store before and after the hack

The script checks the current URL in the address bar and, if it matches a checkout page, begins collecting form data. This typically includes the shopper’s name, address, email, phone number, and credit card information.

Figure 4: Another fake CDN domain used as part of the data exfiltration process

Data exfiltration via ngrok server

Once this data is collected, the skimmer will exfiltrate it to a remote location. Here, we see yet another CDN lookalike in cdn-mediafiles[.]org. However, after checking the network traffic, we noticed this is not the actual exfiltration domain, but simply an intermediary.

GET https://cdn-mediafiles.org/cache.php HTTP/1.1
Host: cdn-mediafiles.org
Connection: keep-alive
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Referer: https://www.{removed}.com/checkout/onepage/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 36

Ly9kNjgzNDRmYi5uZ3Jvay5pby9hZC5waHA=

Instead, the GET request returns a Base64-encoded response. This string, which was already present in the original skimmer script, decodes to //d68344fb.ngrok[.]io/ad.php, which turns out to be the actual exfiltration server.

Figure 5: Customer data being stolen and exfiltrated to ngrok server

Ngrok is software that can expose a local machine to the outside world as if it were an external server. Users can create a free account and get a public URL. Crooks have abused ngrok to exfiltrate credit card data before.

To summarize, the compromised e-commerce site loads a skimmer from a domain made to look like a CDN. Data is collected when a shopper is about to make a payment and sent to a custom ngrok server after a single hop through the relay domain.

Figure 6: Traffic flow, from skimming to data exfiltration

The above view is simplified, only keeping the key elements responsible for the skimming activity. In practice, network captures will contain hundreds more sequences that will make it more difficult to isolate the actual malicious activity.
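As an added example (not code from the Malwarebytes investigation), the following Node.js script mechanizes the three checks walked through above: diffing the external script hosts between an archived and a live snapshot of the checkout page, flagging hosts that merely look like a CDN, and decoding Base64 tokens that hide a URL, the trick used here to conceal the ngrok server. The shop hostname www.shop.example and the allowlist of expected script hosts are assumptions; the HTML snapshots and the injected-script stand-in are constructed, and the only real values are the indicators published below (cdn-sources[.]org, cdn-mediafiles[.]org, d68344fb.ngrok[.]io).

```javascript
// Added example, not the skimmer or Malwarebytes' tooling: offline triage of a
// suspected web skimmer. The snapshots below are constructed; the shop host and
// the allowlist of expected script hosts are assumptions.

// Hosts the merchant is expected to load scripts from (hypothetical allowlist).
const KNOWN_SCRIPT_HOSTS = new Set([
  "www.shop.example",
  "code.jquery.com",
  "www.google-analytics.com",
]);

// Collect the hosts of all <script src=...> tags in an HTML snapshot.
function scriptHosts(html) {
  const hosts = new Set();
  const re = /<script[^>]+src=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      hosts.add(new URL(m[1], "https://www.shop.example/").host);
    } catch (_) { /* skip malformed src attributes */ }
  }
  return hosts;
}

// Script hosts present in the live page but absent from the archived copy:
// the before/after comparison of Figure 3, done mechanically.
function newScriptHosts(archivedHtml, liveHtml) {
  const before = scriptHosts(archivedHtml);
  return [...scriptHosts(liveHtml)].filter((h) => !before.has(h));
}

// A host that advertises itself as a CDN but is not one the merchant uses.
function looksLikeFakeCdn(host) {
  return !KNOWN_SCRIPT_HOSTS.has(host) && /(^|[.-])cdn([.-]|$)/i.test(host);
}

// Base64 tokens in a script or relay response that decode to a URL. Long
// identifiers in minified code also match the token regex, so a decoded value
// only counts when it parses as a (possibly scheme-relative) URL.
const URL_RE = /^(https?:)?\/\/[a-z0-9.-]+(:\d+)?\/[\x20-\x7e]*$/i;
function hiddenUrls(text) {
  const found = [];
  for (const tok of text.match(/[A-Za-z0-9+/]{16,}={0,2}/g) || []) {
    const decoded = Buffer.from(tok, "base64").toString("latin1");
    if (URL_RE.test(decoded)) found.push(decoded);
  }
  return found;
}

// --- constructed sample input ------------------------------------------
const ARCHIVED = `<html><body>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="/js/checkout.js"></script></body></html>`;

const LIVE = `<html><body>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="/js/checkout.js"></script>
<script src="https://cdn-sources.org/jquery.unveil.js"></script></body></html>`;

// Constructed stand-in for the injected script: checkout-page gating plus the
// relay URL and the encoded exfil string the write-up describes.
const INJECTED_SCRIPT = `
(function(){ if(!/checkout/.test(location.href)) return;
 var r="https://cdn-mediafiles.org/cache.php";
 var x="Ly9kNjgzNDRmYi5uZ3Jvay5pby9hZC5waHA=";
 /* form harvesting omitted */ })();`;

// Body of the cache.php response captured above (Content-Length: 36).
const RELAY_RESPONSE = "Ly9kNjgzNDRmYi5uZ3Jvay5pby9hZC5waHA=";

function triage() {
  const added = newScriptHosts(ARCHIVED, LIVE);
  return {
    addedHosts: added,
    suspiciousHosts: added.filter(looksLikeFakeCdn),
    exfilFromScript: hiddenUrls(INJECTED_SCRIPT),
    exfilFromRelay: hiddenUrls(RELAY_RESPONSE),
  };
}

console.log(JSON.stringify(triage(), null, 2));
```

On a real case, feed hiddenUrls the suspect script and the relay's response body rather than the constructed strings, and keep in mind that an allowlist check only helps if the merchant actually knows which third-party hosts its pages are supposed to load.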

Blocking and reporting

We caught this campaign early on, and at the time only a handful of sites had been injected with the skimmer. We reported it to the affected parties while also making sure that Malwarebytes users were protected against it.

Figure 7: Malwarebytes blocking the skimmer on the checkout page

Threat actors know they typically have a small window of opportunity before their infrastructure gets detected and possibly shut down. They devise clever tricks to mask their activity in addition to using domains that are either freshly registered or belong to legitimate (but abused) owners.

While these breaches hurt the reputation of online merchants, customers also suffer the consequences of a hack. Not only do they have to go through the hassle of getting new credit cards, their personal information is stolen as well, opening the door to future phishing attacks and impersonation attempts.

Indicators of Compromise

Web skimmer domain

cdn-sources[.]org

Web skimmer scripts

cdn-sources[.]org/jquery.unveil.js
cdn-sources[.]org/adrum-4.4.3.717.js
cdn-sources[.]org/jquery.social.share.2.2.min.js

Redirect

cdn-mediafiles[.]org/cache.php

Exfiltration URL

d68344fb.ngrok[.]io/ad.php

The post Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server appeared first on Malwarebytes Labs.

Introducing Lock and Code: a Malwarebytes Labs podcast

Intrepid Labs readers might be happy to know that we’re stepping into territory long-requested and desired: we’re launching a podcast.

Malwarebytes researchers and reporters are on the front lines of cybercrime, delivering both fast-breaking news and thoughtful features on our blog to raise awareness and help users stay safe and private online. We want to take what we do here and bring it to a new medium so that even more folks can incorporate cybersecurity lessons into their daily lives.

As our real world and online world continue to blend, staying secure and aware are ever more critical in defending against attacks from criminals and encroachment on privacy from big tech. And that’s why, every two weeks, we’ll be breaking down the top headlines into easily digestible soundbytes and inviting marquee experts, both in-house and outside, to dive deep into some of the more complex issues.

Take a listen to the trailer for our podcast—Lock and Code—for a taste of things to come:

Lock and Code, a Malwarebytes podcast

Tune in next Monday, March 2, for the first episode of Lock and Code, where host David Ruiz will break down news from the RSA floor, plus talk with the annual conference’s Director of Content and Curation Britta Glade on this year’s theme: the human element.

The post Introducing Lock and Code: a Malwarebytes Labs podcast appeared first on Malwarebytes Labs.

Biotech health care innovations meet security challenges

The level and speed of innovation taking place in the biotech industry are staggering. On the one hand, it makes us hopeful we can quickly reduce the number of illnesses and their consequences through technological advancement—saving thousands of lives. On the other, concerns about the application of Internet-connected technology leave us wondering: at what cost?

Where does the mix of technology and medicine lead us? Advancements in genetic therapy have reshaped cancer treatment as we know it. Yet, other applications, such as automating medicine intake by measuring biometrics, may introduce whole other problem sets the medical and security world haven’t solved for.

Knowing that every human body is unique and may react differently to the same procedure, it seems prudent to draw the line at a certain amount of automation. But how do we determine where to draw the line? Is it smart to leave that decision to big pharmaceutical companies? Let’s have a look at the developments in biotech that require bigger-picture thinking from the security and privacy perspectives.

Developments in the health care industry

Some of the most promising health care developments in late stages of refining or even already in use are techniques where sensors are attached to or inserted into the patient’s body. The sensors are designed to transmit data about certain bodily conditions back to healthcare personnel.

One such technology embeds a tiny sensor chip directly in the patient’s medication. When the patient swallows one of these “smart pills” and it dissolves, the chip is activated by stomach fluid and detected by a patch worn on the abdomen. If the patch doesn’t receive the expected signal, the missed dose is flagged to the patient’s doctor.

A big step forward for the future of smart pills will be the automated and timely administering of medicine, something currently in development. These smart pills are being designed to make patients’ lives easier by embedding a tracking system in the pill that triggers the release of the drug at the right time, so you can’t forget.

Smart pills could also be programmed to release medication when certain conditions are met. A similar system already exists for diabetes: closed-loop insulin pumps for type 1 diabetics release insulin when a high blood sugar is detected and suspend delivery when it drops too low, essentially mimicking the way a healthy pancreas behaves.

Diagnostic biotech

Existing bio-sensors are internal measurement devices that broadcast body metrics like blood pressure, pulse, oxygen saturation, blood sugar, etc. These bio-sensors, and sensors measuring the presence of other substances in the blood, can be used to fine-tune the administration of drugs. But what if someone else can receive these transmissions?

The feasibility of multiplex biosensors for bloodstream infection diagnosis has been under investigation for a few years and is another development that could lead to transmissions concerning our health from inside our body to a “smart” device.

Pharmaceutical companies have already released digital smart pills containing computer chips. The first digital cancer pill, which was released in early 2019, contains a chip and capsules filled with capecitabine, a cancer chemotherapy that patients need to take several times a day.

Other biotech innovations

The human genome has been almost fully mapped and we are rapidly refining our ability to read the map. But what does this prospect bode for the future of the information that can be extracted from the DNA samples we have provided for various reasons? Will donating blood or participating in a DNA test now result in a privacy nightmare later on? Will the risk we take now grow as science finds out more about the information stored in our DNA?

Genetically detectable diseases

With greater understanding of our genetics comes greater capacity for their manipulation. And gene editing currently stands as one of the most exciting, and worrying, areas within the biotech industry.

Another worrying advancement is the use of artificial intelligence (AI) to make the development of new drugs faster and cheaper. AI can be used to reduce the amount of trial and error needed to design a drug candidate once a promising disease target has been identified, and to find unexpected uses for drugs that fail in clinical trials. Promising changes, for sure. But what might AI miss that the human mind would catch? And how much would morality come into play if machines conduct all of the testing?

Remote control of artificial limbs and animals

The advancement of modern prosthetics has gone hand in hand with the upsurge in rapid developments in the biotech health care sector.

In a combination of robotics and neuro-engineering, scientists are working on a new robotic hand that could be a life-changing device for amputees. The goal is to read intended finger movements from the muscular activity in the amputee’s residual limb and translate them into individual finger control of the prosthetic hand.

In the military field, sharks and other animals have been given brain implants that make them remotely controllable. Such sharks could, for example, be used to find enemy submarines.

Communication protocols in biotech

The smart pill Abilify MyCite, developed by Otsuka using an ingestible sensor from Proteus Digital Health, sends a simple signal from the pill to a wearable patch as soon as the sensor is activated by stomach fluid. No problem there, but the patch then sends data such as the time the pill was taken and the dosage to a smartphone app over Bluetooth. The data is stored in the cloud, where the patient’s doctor and up to four other people chosen by the patient can access the information. The patient can revoke their access at any time.

In 2017, the FDA said it planned to hire more staff with a “deep understanding” of software development as it relates to medical devices, and to engage with entrepreneurs on new guidelines, because it expected more approval requests for digital pills. This came after the approval of Abilify MyCite, a typical case of regulation running after technical innovation without ever truly catching up.

In 2018, security researchers demonstrated they could install malware on an implanted pacemaker after discovering bugs in Medtronic’s software delivery network, a platform that doesn’t communicate directly with pacemakers but delivers updates to supporting equipment such as home monitors and pacemaker programmers, which health care professionals use to tune implanted pacemakers.

Bluetooth and medical devices

Bluetooth is ideal for the short-range, continuous wireless connections we use for streaming audio and data. The most commonly used Bluetooth protocols in medical equipment are Bluetooth Low Energy (BLE) and Bluetooth Classic.

BLE is a Bluetooth protocol launched in 2010 (as part of Bluetooth 4.0) that was designed for low power consumption and low latency while accommodating the widest possible range of interoperable devices. The downside is that it can behave differently depending on the smartphone platform. The device advertises on a schedule and waits for the smartphone to respond; when it does, a connection handshake takes place, the data packet is transferred and confirmed, and the connection is closed. This saves energy, but it also makes data transfer speed unpredictable.

BLE also does not require pairing between sender and receiver, and without pairing it can send data that is neither authenticated nor encrypted. We understand the benefits of saving energy:

  • Devices can stay longer in the body without having to be replaced
  • Batteries can be smaller, so easier to insert and less obtrusive

But depending on the nature and particularly the sensitivity of the transmitted data, other considerations might come into play. Unfortunately, BLE devices have also been found to be affected by the SweynTooth vulnerabilities, a family of flaws in the BLE stacks of several chip vendors that can crash or deadlock a device or, in some cases, bypass its pairing security.

Recommendations

Developers of medical devices who intend to use Bluetooth to connect devices with each other and with phones or gateways should consider carefully which Bluetooth protocol is right for their system. To do this, it is important to have a clear understanding of the needs of the system and the available options, including whether pairing and encryption will be required for the data being transmitted.

Medical devices should be easily updatable for those circumstances where new vulnerabilities are found and patches or other important updates need to be applied.

Maybe the healthcare industry should even consider designing a new protocol similar to Bluetooth. Combining the Low Energy properties with some extra security measures might pay off in the long run.

Cloud solutions that are used to store sensitive personal and medical data deserve to be held to a high security standard.

We recommend only giving up your DNA samples to trusted organizations and only for reasons of utmost importance, like your health.

Machines are not without fault, or as smart as we might think. Blind trust in machines when it comes to health care can end in catastrophe. This is an area where personal attention does a lot more good than the fully automated administration of medicine ever can.

Stay safe, and stay healthy!

The post Biotech health care innovations meet security challenges appeared first on Malwarebytes Labs.

Why managed service providers (MSP) are critical for business continuity

With the threat landscape becoming more hostile to businesses, small- and medium-sized businesses (SMBs) are often finding it difficult to cope. Hence, they turn to managed service providers (MSPs) for help, not only to keep their businesses running—the concept known as business continuity—but also to ease pain points that span all industries.

Short-staffed

One of the recognized pain points for SMBs is the apparent lack of skilled security professionals who can implement processes and procedures that return a business to its original state of operations after a disruptive or business-ending event. With the cybersecurity industry experiencing a stunning zero percent unemployment rate and millions of open positions, SMBs often have a hard time finding, or affording, “the right candidates.” Unfortunately, this staffing challenge is expected to continue through 2021. This could spell bad news for SMBs.

This doesn’t mean that there is no talent out there, however. Positions go unfilled because many employers underpay for skilled specialists. More remain open because employers and recruiters look inside a small bubble of candidates instead of exploring candidates with similar training and many of the appropriate “soft” skills, whose importance should not be overlooked in running IT and security teams. In addition, many current employees suffer from burnout, quitting their jobs after feeling overworked and underappreciated.

Conventional hiring trends, such as requiring experience and certifications at entry-level positions, plus a near-unreachable wish list of skills candidates must possess are other potential causes contributing to the shortage.

If an organization lacks the staff to stay resilient in the face of a threat landscape that is becoming more hostile to business growth and evolution, a fully vetted MSP offering tools and services tailored to that organization’s needs can step in to lighten the load.

Short budgets

SMBs are not known for setting aside budget for security—another pain point. Unlike enterprises, SMBs normally lack the resources they need to defend against cyberattacks. Whether that means hiring the appropriate number of skilled staff, paying them a competitive salary, investing in security infrastructure, or purchasing enterprise-grade antivirus, network, and firewall protection, tight budgets typically mean corners must be cut.

Cybercriminals know this, and they are keen to pluck the low-hanging fruit. Therefore, it’s not a surprise to see an uptick in threat actors, particularly those behind ransomware campaigns, targeting SMBs—another reason why SMBs might consider using MSPs as an affordable alternative to full-blown security software suites to combat sophisticated malware attacks on demand.

No training

Some businesses may be lucky enough to have the manpower, but still lack the foresight to provide staff with the knowledge and training in cybersecurity they will need and use throughout their entire tenure. While it is understandable to a degree, it’s also disconcerting to know that some organizations in industries severely targeted by malware attack campaigns, such as hospitals, schools, and government bodies, have little to no knowledge of what a phish looks like. And while it’s concerning that companies with IT security teams may not be as prepared as we expect them to be, even more worrying is the faith organizations put into their cybersecurity readiness, when it may not be as good as they thought.

Staff unskilled in cybersecurity cannot provide organizations the help they need to prevent security incidents. Time may be the key factor in deciding whether an organization should get outside help. While organizations recognize the need to address the lack of training in their workforce, MSPs can take charge and get things moving with little overhead.

Compliance, compliance

Cybersecurity standards are in place for a reason. Companies of all sizes need to know what it takes to build up their cybersecurity efforts, which in turn, makes a positive dent in their business resilience plans. MSPs may just be the answer they’re looking for.

MSPs are subject to well-known compliance regimes. This means that they don’t follow just one standard but many, and those standards likely overlap one another. For example, an organization based in New York that deals with clients in EU countries is subject to both the GDPR and the regulations of the New York Department of Financial Services (DFS).

Helping take charge

SMBs have been feeling the pressure for years to respond to the serious cybersecurity challenges their businesses face on a regular basis. They also know that such problems take time to address—they cannot be solved overnight. In the meantime, well-vetted MSPs can step in and help. Their fully qualified and trained staff can bridge the skills gap until a larger societal shift happens (if it does); their resources, processes, and procedures make the organizations they service compliant with known standards; and their overall service makes security easier for organizations to implement and manage in the long run.

The post Why managed service providers (MSP) are critical for business continuity appeared first on Malwarebytes Labs.

A week in security (February 17 – 23)

Last week on Malwarebytes Labs, we highlighted the benefits and concerns of identity-as-a-service (IDaaS), an identity management scheme deployed from the cloud; reported on scammers and squatters taking advantage of Rudy Giuliani’s Twitter typos; and gave a high-level overview of RobbinHood, the latest ransomware baddie to specifically target organizations.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (February 17 – 23) appeared first on Malwarebytes Labs.

Threat spotlight: RobbinHood ransomware takes the driver’s seat

Despite their name, the RobbinHood cybercriminal gang is not stealing from the rich to give to the poor. Instead, these ransomware developers are more like big game hunters—attacking enterprise organizations and critical infrastructure and keeping all the spoils for themselves.

In 2019, the RobbinHood ransomware creators successfully attacked and received ransom payouts from the cities of Baltimore, Maryland, and Greenville, North Carolina. Not ones for humility, they now mention those successes in revised ransom notes, pointing out to victims that it’s useless to try recovering their files in any other way than paying the ransom.

And the ransom isn’t exactly cheap. RobbinHood ransom demands can range from 3 Bitcoins for a single computer up to 13 Bitcoins for a complete network, which translates to tens of thousands of dollars.

[Image: RobbinHood ransom note]
“It’s impossible to recover your files without private key and our unlocking software. You can google: Baltimore City, Greenville city and RobbinHood ransomware.”

How RobbinHood ransomware works

Like many other ransomware families, RobbinHood, which Malwarebytes detects as Ransom.RobbinHood, has been observed gaining access to organizations’ networks by brute-forcing Remote Desktop Protocol (RDP) credentials or by using other Trojans that provide access to the attackers.

Once the attacker has gained sufficient access to the system, researchers found that in some cases they introduce a vulnerable kernel driver from Gigabyte. This driver is signed by the motherboard manufacturer and will be accepted by Windows because of the digital signature. But the driver has a long-standing vulnerability listed as CVE-2018-19320, which allows a local attacker to take complete control of the affected system.

The attacker uses this vulnerability to stop 181 specific services, including many protective programs and backup software, and to delete files that would normally be locked. System services often keep critical files in use, so they can’t be deleted or modified. Being able to stop these services from the kernel driver level makes taking full control of a system much easier.

Before the actual encryption begins, RobbinHood also disconnects all network shares, deletes all shadow copies, clears event logs, and disables Windows automatic repair.
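The pre-encryption steps above (a burst of service stops, shadow-copy deletion, cleared event logs, disabled automatic repair) are noisy in Windows event logs, which makes them a good detection opportunity before any file is touched. The following is an added detection example written for this post, not Malwarebytes code. It runs over constructed event records; the event IDs are the standard Windows ones (System 7036 service state change, System 104 log cleared, Security 1102 audit log cleared, Security 4688 process creation), while the threshold, window and the exact command lines matched are assumptions to tune per environment.

```python
from collections import deque
from datetime import datetime, timedelta

# Added detection example (not Malwarebytes code). Threshold and window are assumptions.
SERVICE_STOP_THRESHOLD = 10
SERVICE_STOP_WINDOW = timedelta(seconds=60)


def detect(events):
    """Return a list of (alert_name, timestamp) tuples for suspicious activity."""
    alerts = []
    stops = deque()  # timestamps of recent service-stop events
    for ev in sorted(events, key=lambda e: e["time"]):
        t, log, eid = ev["time"], ev["log"], ev["id"]
        if log == "System" and eid == 7036 and "stopped state" in ev["message"]:
            stops.append(t)
            while t - stops[0] > SERVICE_STOP_WINDOW:
                stops.popleft()
            if len(stops) == SERVICE_STOP_THRESHOLD:  # fire once per burst
                alerts.append(("mass_service_stop", t))
        elif log == "Security" and eid == 1102:
            alerts.append(("audit_log_cleared", t))
        elif log == "System" and eid == 104:
            alerts.append(("system_log_cleared", t))
        elif log == "Security" and eid == 4688:
            cmd = ev.get("command_line", "").lower()
            if "vssadmin" in cmd and "delete shadows" in cmd:
                alerts.append(("shadow_copy_deletion", t))
            elif "bcdedit" in cmd and "recoveryenabled" in cmd and " no" in cmd:
                alerts.append(("auto_repair_disabled", t))
    return alerts


def sample_events():
    """Constructed event records (not real logs) showing a RobbinHood-like sequence."""
    t0 = datetime(2020, 2, 1, 3, 0, 0)
    events = [{"log": "System", "id": 7036, "time": t0 + timedelta(seconds=2 * i),
               "message": f"The svc{i} service entered the stopped state."} for i in range(12)]
    events += [
        {"log": "Security", "id": 4688, "time": t0 + timedelta(seconds=30),
         "command_line": "vssadmin.exe delete shadows /all /quiet"},
        {"log": "Security", "id": 4688, "time": t0 + timedelta(seconds=31),
         "command_line": "bcdedit.exe /set {default} recoveryenabled No"},
        {"log": "Security", "id": 1102, "time": t0 + timedelta(seconds=40),
         "message": "The audit log was cleared."},
        # a routine, isolated stop half an hour later must not trigger the burst rule
        {"log": "System", "id": 7036, "time": t0 + timedelta(minutes=30),
         "message": "The Spooler service entered the stopped state."},
    ]
    return events


if __name__ == "__main__":
    for name, when in detect(sample_events()):
        print(f"{when:%H:%M:%S} {name}")
```

The burst rule fires once when the tenth stop lands inside the window, so a maintenance window that stops services slowly stays quiet; the other three rules are single-event matches that rarely occur legitimately outside scheduled change and deserve a ticket on their own.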

For the encryption process itself, it fetches a public key from the file pub.key in the Windows temp folder. While encrypting files, a fresh AES key is created for each file. The ransomware then encrypts the AES key and the original filename with the public RSA key and appends the result to the encrypted file. Each encrypted file is then renamed using the format:

Encrypted_[randomstring].enc_robbinhood

During encryption, these folders are skipped:

  • ProgramData
  • Windows
  • bootmgr
  • Boot
  • $WINDOWS.~BT
  • Windows.old
  • Temp
  • tmp
  • Program Files
  • Program Files (x86)
  • AppData
  • $Recycle.bin
  • System Volume Information
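Because the renamed files, the skipped folders and the ransom-note filenames (listed in the IOCs at the end of this post) are all fixed, a responder can script the first pass over a recovered volume. The following triage script is an added example, not Malwarebytes tooling; the characters allowed in [randomstring] are an assumption, and the directory tree it walks is constructed in a temp folder for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter

# Added triage example (not Malwarebytes code). Name pattern, skipped folders and note
# filenames come from the write-up; [randomstring] is assumed to contain no dots or slashes.
ENCRYPTED_NAME = re.compile(r"^Encrypted_[^./\\]+\.enc_robbinhood$")
RANSOM_NOTES = {"_Decrypt_Files.html", "_Decryption_ReadMe.html",
                "_Help_Help_Help.html", "_Help_Important.html"}
SKIPPED_DIRS = {"ProgramData", "Windows", "bootmgr", "Boot", "$WINDOWS.~BT", "Windows.old",
                "Temp", "tmp", "Program Files", "Program Files (x86)", "AppData",
                "$Recycle.bin", "System Volume Information"}


def triage(root):
    """Walk a recovered volume and summarise the damage.

    Returns encrypted files, ransom notes, a per-folder count, and any encrypted files
    found inside folders the malware is reported to skip (worth a closer look, since
    they contradict the known behaviour)."""
    encrypted, notes, unexpected = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        in_skipped = rel != "." and bool(set(rel.split(os.sep)) & SKIPPED_DIRS)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if ENCRYPTED_NAME.match(name):
                (unexpected if in_skipped else encrypted).append(path)
            elif name in RANSOM_NOTES:
                notes.append(path)
    per_folder = Counter(os.path.dirname(p) for p in encrypted)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "unexpected": sorted(unexpected), "per_folder": per_folder}


def build_sample_tree():
    """Create a constructed directory tree that mimics a hit volume; returns its root."""
    root = tempfile.mkdtemp(prefix="robbinhood_triage_")
    layout = {
        os.path.join("Users", "docs"): ["Encrypted_a1b2c3.enc_robbinhood",
                                        "Encrypted_d4e5f6.enc_robbinhood", "untouched.txt",
                                        *RANSOM_NOTES],
        os.path.join("Users", "pics"): ["Encrypted_g7h8i9.enc_robbinhood"],
        "Windows": ["Encrypted_zzz.enc_robbinhood"],   # should have been skipped
        "Program Files": ["app.exe"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for f in files:
            with open(os.path.join(root, folder, f), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(len(result["encrypted"]), "encrypted files;", len(result["notes"]), "ransom notes")
    for folder, n in result["per_folder"].items():
        print(f"  {n:3d}  {folder}")
    if result["unexpected"]:
        print("encrypted files in normally skipped folders:", result["unexpected"])
```

Run it against a mounted, read-only copy of the affected volume rather than the live machine: the per-folder counts show where backups have to be restored first, and the note locations confirm which shares the malware reached.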

Four different ransom notes are dropped in every folder that contains encrypted files. Most of the notes contain information similar to the one below:

What happened to your files?
All your files are encrypted with RSA-4096, Read more on https://en.wikipedia.org/wiki/RSA_(cryptosystem)
RSA is an algorithm used by modern computers to encrypt and decrypt the data. RSA is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography, because one of the keys can be given to anyone:
1 -We encrypted your files with our “Public key”
2 -You can decrypt, the encrypted files with specific “Private key” and your private key is in our hands ( It’s not possible to recover your files without our private key )
Is it possible to get back your data?
Yes, We have a decrypter with all your private keys. We have two options to get all your data back.
Follow the instructions to get all your data back:
OPTION 1
Step 1: You must send us 3 Bitcoin(s) for each affected system
Step 2: Inform us in panel with hostname(s) of the system you want, wait for confirmation and get your
OPTION 2
Step 1: You must send us 13 Bitcoin(s) for all affected system
Step 2: Inform us in panel, wait for confirmation and get all your decrypters
Our Bitcoin address is: xxx BE CAREFUL, THE COST OF YOUR PAYMENT INCREASES $10,000 EACH DAY AFTER THE FOURTH DAY
Access to the panel ( Contact us )
The panel address: hxxp://xbt4titax4pzza6w[.]onion/
Alternative addresses
hxxps://xbt4titax4pzza6w.onion[.]pet/
hxxps://xbt4titax4pzza6w.onion[.]to/
Access to the panel using Tor Browser
If non of our links are accessible you can try tor browser to get in touch with us:
Step 1: Download Tor Browser from here: https://www.torproject.org/download/download.html.en
Step 2: Run Tor Browser and wait to connect
Step 3: Visit our website at: panel address
If you’re having a problem with using Tor Browser, Ask Google: how to use tor browser
Wants to make sure we have your decrypter?
To make sure we have your decrypter you can upload at most 3 files (maximum size allowance is 10 MB in total) and get your data back as a demo.
Where to buy Bitcoin?
The easiest way is LocalBitcoins, but you can find more websites to buy bitcoin using Google Search: buy bitcoin online

Decrypting may not be enough

As a warning to those who might consider paying the ransom, as Baltimore and Greenville did: Simply decrypting the files may not be enough to bring systems back online. The introduction of the vulnerable kernel driver and the changes to the kernel’s behavior may cause other problems on affected systems, which may result in degraded performance or BSODs.

Reportedly, the recovery from the ransomware attack cost the city of Baltimore over US$10 million, which dwarfs the paid ransom of 13 Bitcoin (roughly US$80,000).

How to prevent RobbinHood ransomware

As with all ransomware families, the best method of protection is preventing the infection from happening in the first place. Since RobbinHood targets organizations, IT and security teams should take the following common precautions to secure against its attack:


Recommended reading: How to protect your RDP access from ransomware attacks


How Malwarebytes protects against ransomware

Malwarebytes can protect systems against RobbinHood ransomware in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the RobbinHood binary itself. Detections can happen in real time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

[Image: real-time protection detection]

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

[Image: Anti-Ransomware detection]
Malwarebytes Anti-Ransomware recognizes and stops ransomware behavior.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

IOCs

Files (SHA256 hashes):

  • 791c32a95f401f7464214960e49e716656f6fd6fff135ac2a6ba607236d3346e
  • 99c3cc348f8ee4e87bce45b1dd185d31830c370ac43fd3e39ac50340f029ef79
  • e9188ace227b00cbf1f6fba3ceb32af8e4d456c3a0815300a224a9d9e00778a8
  • 47d892da6a49b02a2904bdc0d03ecef66c076481d19ab19251d86d11be494765

Ransom notes:

  • _Decrypt_Files.html
  • _Decryption_ReadMe.html
  • _Help_Help_Help.html
  • _Help_Important.html

Extension of encrypted files:

.enc_robbinhood

Stay safe everyone!

The post Threat spotlight: RobbinHood ransomware takes the driver’s seat appeared first on Malwarebytes Labs.

Rudy Giuliani’s Twitter mishaps invite typosquatters and scammers

Former cybersecurity czar Rudy Giuliani has been targeted by typosquatters on Twitter, thanks to copious misspellings and other keyboarding errors made in a number of his public tweets. In a tweet sent out on Sunday, Giuliani meant to send his 650,000-plus followers to his new website, RudyGiulianics.com. Instead, a space added after “Rudy” sent users on a redirection quest that ultimately landed on a web page laced with adware.

Typosquatting has long been used as a way to capitalize on mistakes made by those with clumsy fingers. A mistyped URL, which would normally lead users to a 404 error page, is instead redirected to a completely unrelated site—often one designed with ill intent. For example, let’s say you enter yotube.com into your browser’s address bar instead of youtube.com. Rather than seeing the normal YouTube portal, you will instead be redirected via a few ad networks and most likely end up on a scam page, thanks to the handiwork of enterprising typosquatters.

Typosquatting can be a profitable business, as threat actors will register domains lexically close to big brand names or popular websites for heavy traffic gains. The end goal isn’t always to monetize via malvertising redirections—it could be phishing, data theft, or even hacktivism.

In Giuliani’s case, a public political figure has been identified by cybercriminals for his tendency toward typo-laden tweets. In fact, Giuliani’s Twitter account contains numerous tweets with misspellings around his personal website that sometimes lead to trolling attempts or redirect to malvertising schemes. We examine a few of these instances.

Typo leads to political trolling

Here’s a tweet sent from Giuliani’s account using an iPad. Whoever composed that tweet forgot to add a space between the word “Watch” and “rudygiulianics.com”.

[Image: tweet with “Watch” joined to rudygiulianics.com]

As a result, the website becomes Watchrudygiulianics.com, which was registered a day after the tweet:

Domain Name: watchrudygiulianics.com
Registrar: GoDaddy.com, LLC
Creation Date: 2020-02-16T05:23:50Z

Visiting the site immediately redirects users to https://www.drugrehab.com/treatment/, a site for help with substance abuse.

[Image: redirect from watchrudygiulianics.com]

In another example, we see a much more subtle typo for Giuliani’s website, where a single ‘i’ is missing in RUDYGIULIANCS.com (the correct site is rudygiulianics.com).

[Image: tweet linking RUDYGIULIANCS.com]

The domain rudygiuliancs.com was also registered recently (but before the tweet came out, so it was either a preemptive registration for a forthcoming typo or perhaps the typo had been made already).

Domain Name: rudygiuliancs.com
Registrar: Wild West Domains, LLC
Creation Date: 2020-02-07T16:30:38Z

This time, visiting this link redirects visitors to a Wikipedia page for the Trump-Ukraine scandal:

[Image: redirect from rudygiuliancs.com]

Malvertising and other traffic schemes

As mentioned earlier, typosquatters will typically watch popular domain names and register new ones that are likely going to be a result of a typo. Because Giuliani has over 650,000 followers on Twitter and is a well-known political figure regularly in the headlines, scammers know he’s a good source of potential web traffic purely from typosquatting.

In Sunday’s example, a typo led to a malvertising scheme. This time, a space was inserted between “Rudy” and “Giulianics.com”.

[Image: tweet with a space between “Rudy” and “Giulianics.com”]

This typo resulted in a link to Giulianics.com, a domain registered at the end of January.

Domain Name: giulianics.com
Registrar: GoDaddy.com, LLC
Creation Date: 2020-01-31T20:29:50Z

As seen in the image above, a series of redirects will happen once you visit that domain. This is typical for malvertising chains that fingerprint your browser and other settings in order to deliver the appropriate payload.

[Image: redirect chain from giulianics.com]

In this instance, visiting from the United States via Google Chrome, we were served a browser extension called Private Browsing:

[Image: “Private Browsing” extension install prompt]

Although we did not examine the extension in detail, several comments from the Google Play Store say the extension was forced while browsing the web.

[Image: extension details and permissions]

Among other capabilities, it can read your browser history, the data you enter on sites, and can change your default search engine. As a rule of thumb, it is generally recommended to refrain from installing too many browser extensions, especially when they are promoted via unwanted redirects.

In late January, there was a report that visiting Giuliani’s website distributed malware. We weren’t able to confirm it at that time, but in light of the current typo situation, we believe it’s more likely that one of the tweets containing the wrong link led to a malvertising chain, and possibly to a browser locker.

Monitoring popular accounts for mistakes

Many attacks we see in the wild are opportunistic, preying on the latest news or events likely to draw attention. There has also always been great interest in popular social media accounts, but typically via hacking them directly. In this case, opportunistic actors are waiting for the next typo to happen in order to push out their own message or to monetize it via malicious redirects.

This serves as a reminder that even well-known or verified social media accounts can send users in unintended directions leading to scams or malware. In a sense, any kind of communication can be abused for an attacker’s own gain by recognizing a pattern of predictable mistakes and immediately acting upon them.
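The three mistakes documented above are mechanical (a dropped letter, a stray space that leaves only the tail of the name linked, a missing space that glues the preceding word onto the name), so a brand owner or security team can enumerate them ahead of time and watch new registrations and passive DNS for hits. The following generator is an added example written for this post, not Malwarebytes tooling; the list of glue words, the minimum suffix length and the feed of observed domains are constructed assumptions.

```python
# Added example, not from the Malwarebytes post. Enumerates the typo classes seen in the
# tweets so they can be compared against registration feeds. Glue words are an assumption.
GLUE_WORDS = ("watch", "visit", "read", "see")
MIN_SUFFIX = 4  # assumed: ignore split remainders too short to be plausible domains


def typo_variants(domain, glue_words=GLUE_WORDS):
    """Return {variant_domain: kind} for the typo classes discussed in the post."""
    label, _, tld = domain.lower().rpartition(".")
    variants = {}
    # 1. one character dropped (rudygiulianics.com -> rudygiuliancs.com)
    for i in range(len(label)):
        variants[f"{label[:i]}{label[i + 1:]}.{tld}"] = "omission"
    # 2. a stray space splits the name; only the tail is linked (Rudy Giulianics.com -> giulianics.com)
    for i in range(1, len(label) - MIN_SUFFIX + 1):
        variants[f"{label[i:]}.{tld}"] = "split_suffix"
    # 3. a missing space glues the preceding word on (Watch rudygiulianics.com -> watchrudygiulianics.com)
    for word in glue_words:
        variants[f"{word}{label}.{tld}"] = "glued_prefix"
    variants.pop(domain.lower(), None)
    return variants


def match_registrations(domain, observed):
    """Map each observed registration that is a typo variant of `domain` to its kind."""
    variants = typo_variants(domain)
    return {d.lower(): variants[d.lower()] for d in observed if d.lower() in variants}


# Constructed feed of newly registered domains (the three from the post plus noise).
OBSERVED = ["watchrudygiulianics.com", "rudygiuliancs.com", "giulianics.com",
            "example.com", "rudygiulianics.com"]

if __name__ == "__main__":
    for d, kind in match_registrations("rudygiulianics.com", OBSERVED).items():
        print(f"{kind:13s} {d}")
```

The useful output is the kind label: an omission hit suggests a squatter anticipating fat-finger typos, whereas a glued-prefix hit (as with Watchrudygiulianics.com, registered the day after the tweet) is a direct reaction to a specific post and usually worth a takedown request or a corrected follow-up tweet.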

For those wanting protection against such redirections and other malicious website activity, Malwarebytes offers a free browser extension that takes an aggressive stance on blocking malvertising and other dubious schemes.

The post Rudy Giuliani’s Twitter mishaps invite typosquatters and scammers appeared first on Malwarebytes Labs.

A week in security (February 10 – 16)

Last week on Malwarebytes Labs, we explained how to battle online coronavirus scams with facts, discussed the persistent re-infection techniques of Android/Trojan.xHelper and how to remove it, provided cyber tips for safe online dating, and showed how Hollywood teaches us misleading cybersecurity lessons.

We also released the 2020 State of Malware Report describing the threat landscape of the year in detail, including top threats for Mac, Windows, Android, and the web, as well as the state of data privacy in commerce and legislation.

Other cybersecurity news

  • Medical transportation vendor GridWorks experienced a burglary that resulted in a stolen laptop containing the personally identifiable information (PII) of 654,362 members. (Source: Security Boulevard)
  • Four members of China’s military were charged with hacking into Equifax and stealing trade secrets and the personal data of about 145 million Americans in 2017. (Source: The New York Times)
  • Critical vulnerabilities addressed in the Accusoft ImageGear library could be exploited by remote attackers to execute code on a victim machine. (Source: Security Week)
  • Dell has copped to a flaw in the pre-installed program SupportAssist that allows local hackers to load malicious files with admin privileges. (Source: TheRegister)
  • The owner of the Helix Bitcoin Mixer was charged with laundering over $310 million in Bitcoin cryptocurrency while operating the dark web mixer between 2014 and 2017. (Source: BleepingComputer)
  • Emotet has found a new attack vector: using already infected devices to identify new potential victims that are connected to nearby Wi-Fi networks. (Source: The Hacker News)
  • A digitally signed Gigabyte driver has been discovered to be in use by Ransom.RobbinHood to fully encrypt the files on a computer. (Source: Guru 3D)
  • Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress resulting in an average tenure of only 26 months. (Source: ZDNet)
  • The Czech data protection authority announced an investigation into antivirus company Avast for harvesting the browsing history of over 100 million users. (Source: Vice.com)
  • Hackers are demanding nude photos to unlock files in a new ransomware scheme targeting women. (Source: FastCompany)

Stay safe, everyone!

The post A week in security (February 10 – 16) appeared first on Malwarebytes Labs.

Harnessing the power of identity management (IDaaS) in the cloud

Sometimes, consumers have it easy.

Take, for example, when they accidentally lock themselves out of their personal email. Their solution? Reset the password. With one click, they’re able to change their old, complicated password with a new, more memorable one.

Self-service password reset is awesome like this. For users on a business network, it’s not so simple. That is, unless they’re using identity-as-a-service (IDaaS).

What is IDaaS?

IDaaS—pronounced “ay-das”—stands for identity-as-a-service. Essentially, it is identity and access management (IAM)—pronounced “I-am”—deployed from the cloud.

Organizations use IAM technology to make sure their employees, customers, contractors, and partners are who they say they are. Once confirmed via certain methods of authentication, the IDaaS system provides access rights to resources and systems based on permissions granted. And because it’s deployed through the cloud, business entities can request access securely wherever they are and whatever device they’re using.

Giving its own users self-service access to portals is just one of the ways an IDaaS system can provide support for businesses. In fact, the need to better engage with customers while securing their data and conforming to established standards has become the main driving force behind the move to IDaaS.

IDaaS vs. traditional IAM

While traditional, on-premise identity management systems offer levels of self-serve access for employees at the office, their benefits are limited in comparison to cloud-based options. This is because IAMs are:

  • Expensive to create and maintain. It costs more if the organization supports global users, due to the complexity of the infrastructure. IAMs can also be unsustainable overall as the business grows: both cost and infrastructure complexity increase, making IAMs more difficult to support.
  • Inefficiently managed, security-wise. IAMs that must be placed on legacy systems, for example, put organizations at risk because patching these systems is a challenge, leaving the door open for vulnerabilities at access points.
  • Time-consuming. Upgrading IAM hardware is time-consuming. Sometimes, the upgrade doesn’t happen if it means long downtimes and lost productivity. Also, IT teams are faced with significant time-consuming (and patience-testing) tasks, from password resetting to user provisioning.
  • Not future-proofed. Although some traditional IAMs can provide limited cloud support, they’re essentially designed to handle on-premise resources. Since IAMs inherently lack support for modern-day tech (mobile devices, IoT) and business disruptors (Big Data, digital transformation), they don’t address what current users need and want.

Benefits of IDaaS

Businesses can benefit from IDaaS in many ways. For the sake of brevity, keep in mind these three main drivers for adopting IDaaS: new capabilities, speed of implementation, and innovation. Not only do these make businesses more attractive to potential customers, but they also help retain current ones.

New capabilities, such as single sign-on (SSO), give business customers the ease and convenience of accessing multiple resources with a single login. Logging in once creates a token, which the IDaaS system then shares with other applications on behalf of the customer, so they do not need to keep logging in.

SSO also removes the burden of remembering multiple login credentials from users, which usually drives them to create memorable but also easily breakable passwords. Needless to say, SSO—and other protocols like Security Assertion Markup Language (SAML), OAuth (pronounced “oh-auth”), and OpenID Connect (OIDC)—will greatly enhance an organization’s security.
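To make the token flow concrete: the identity provider authenticates the user once, keeps a session, and mints a short-lived token scoped to each application; each application verifies the signature, expiry and audience before trusting the subject. The following is an added toy implementation written for this post, not any vendor’s IDaaS or SSO protocol code (real deployments use SAML or OIDC as named above); the signing key, token lifetime and user store are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added example, not any vendor's IDaaS code. Key, TTL and user store are placeholders.


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    def __init__(self, signing_key: bytes, users: dict, ttl_seconds: int = 300):
        self.key = signing_key          # shared with the relying applications
        self.users = users              # username -> (salt, pbkdf2 hash)
        self.ttl = ttl_seconds
        self.sessions = {}              # session id -> username

    def login(self, username: str, password: str):
        """Authenticate once; returns a session id or None."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def token_for(self, sid: str, audience: str, now=None):
        """Mint a token for one application from an existing session."""
        user = self.sessions.get(sid)
        if user is None:
            return None
        now = int(time.time()) if now is None else now
        payload = {"sub": user, "aud": audience, "iat": now, "exp": now + self.ttl}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


def verify_token(token: str, audience: str, key: bytes, now=None):
    """Application-side check; returns the subject or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if payload.get("aud") != audience or payload.get("exp", 0) <= now:
        return None
    return payload["sub"]


# Constructed demo data.
SALT = b"constructed-salt"
USERS = {"alice": (SALT, _hash_password("correct horse battery staple", SALT))}
KEY = b"constructed-signing-key-do-not-reuse"

if __name__ == "__main__":
    idp = IdentityProvider(KEY, USERS)
    sid = idp.login("alice", "correct horse battery staple")
    mail_token = idp.token_for(sid, "mail")
    print("mail accepts:", verify_token(mail_token, "mail", KEY))
    print("crm accepts:", verify_token(mail_token, "crm", KEY))
```

The audience claim is the detail worth copying: a token minted for the mail application is rejected by the CRM even though both trust the same provider, so a token leaked from one application does not open every other one, and the short expiry bounds how long a stolen token is useful.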

Since IDaaS is cloud-based, implementing it in your organization is a lot quicker. For one thing, hardware provisioning is already with the IDaaS provider. What usually takes a couple of years to realize will only take several months—sometimes even a few weeks.

Organizations that are still unsure of whether they want to fully embrace IDaaS but are curious to try it out can temporarily use the solution as a subset of their applications. Should they change their minds, they can pull back just as easily as they pushed on.

And finally, IDaaS removes the barriers that inhibit organizations from moving forward on innovation. Understaffed IT teams, the mounting costs of IT infrastructure that only gets more complicated over time, and insufficient support for modern technologies are just a few of the problems that hold modern businesses back from innovating in their own workforce processes, product offerings, and marketing and sales techniques.

Business leaders need to get themselves “unstuck” from these problems by outsourcing their needs to a trusted provider. Not only will doing so be lighter on their pockets, but they can also customize IDaaS’s inherent capabilities to fit their business needs and improve their customer engagement. It’s a win-win for all.

Note, however, that a pure IDaaS implementation may not be for every organization. Some organizations are simply not ready for it. In fact, the majority of enterprises today use hybrid environments—a combination of on-premise and cloud-based applications. This is because some organizations believe that there are some resources best kept on-premise. And when it comes to IDaaS adoption, utilizing the best of both worlds is increasingly becoming the norm.

My organization is small. Is IDaaS still necessary?

Absolutely. Small- and medium-sized businesses experience many of the same IAM issues enterprise organizations face. Every employee maintains a set of credentials they use to access several business applications to do their jobs. An SSO feature in IDaaS will significantly cut back on the number of login instances they have to face when switching from one app to another.

It’s a good question to ask whether your business needs IDaaS. But perhaps the better—or bigger—question is whether your business is compliant enough with established security and privacy standards. Thankfully, having IDaaS will help with that issue as well. The caveat is that organizations, regardless of size, must evaluate potential IDaaS providers based on their maturity and their capability to offer a strong solution. No two IDaaS offerings are the same.

Mike Wessler and Sean Brown, authors of the e-book “Cloud Identity for Dummies”, propose some questions to consider when deciding:

  • Are they a new company on a shoe-string budget catering to lower-end clients with cost as the primary driver?
  • Are they relatively new in either the cloud or IAM field where they gained those capabilities via recent acquisitions and are simply rebranding someone else’s products and services?
  • Do they have legitimate experience and expertise in cloud and IAM services where offering IDaaS is a logical progression?

What are the possible security problems?

Despite the good that IDaaS could bring to your organization, it is no cure-all. In fact, some security researchers have already noted concerns about some of its key capabilities. Take our earlier example, SSO: it is argued that the authentication server becomes a “single point of failure” should it fail, or a “single breach point” waiting to be compromised.

The cybersecurity sector has a dizzyingly long list of cases where organizations were breached due to compromised credentials. The compromise of Australia’s Early Warning Network a year ago was caused by the misuse of stolen credentials. And there are many ways credentials can be leaked or stolen. Organizations can thwart this by requiring the use of multi-factor authentication (MFA).
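A stolen password is far less useful when the SSO provider also demands a second factor. As an added example written for this post (not code from any IDaaS product), here is a time-based one-time password check following RFC 4226/6238 (HMAC-SHA1, 30-second step, six digits), with a one-step clock-skew window and replay protection so that a code captured by a phishing page cannot be redeemed a second time. The secret used is the RFC 6238 reference value, embedded here as test data.

```python
import hashlib
import hmac
import struct
import time

# Added example, not from the post. TOTP per RFC 4226/6238 with skew window and replay guard.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    at = int(time.time()) if at is None else int(at)
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                skew: int = 1, used_counters=None) -> bool:
    """Accept a code for the current step or +/- `skew` steps, each counter only once."""
    at = int(time.time()) if at is None else int(at)
    counter = at // step
    for c in range(counter - skew, counter + skew + 1):
        if used_counters is not None and c in used_counters:
            continue                               # already redeemed: treat as replay
        if hmac.compare_digest(hotp(secret, c), code):
            if used_counters is not None:
                used_counters.add(c)
            return True
    return False


# RFC 6238 reference secret (test data, not a production seed).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59))        # RFC 6238 vector: 287082
    redeemed = set()
    print(verify_totp(RFC_SECRET, "287082", at=59, used_counters=redeemed))   # True
    print(verify_totp(RFC_SECRET, "287082", at=59, used_counters=redeemed))   # False, replayed
```

The replay set is what turns a correct algorithm into a usable second factor: without it, an attacker who phishes a live code can submit it alongside the stolen password within the same 30-second window, which is exactly the credential-misuse scenario described above.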

The bottom line is this: IDaaS or no, businesses still have to adopt and practice safe computing habits to minimize their attack surface.

If you’d like a more in-depth reading on IDaaS, please visit the following:

Stay safe!

The post Harnessing the power of identity management (IDaaS) in the cloud appeared first on Malwarebytes Labs.