NEWS

In a joint advisory the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warn that advanced persistent threat (APT) cyber-actors may be exploiting a vulnerability in ManageEngine’s single sign-on (SSO) solution.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in questions is listed under CVE-2021-40539 as a REST API authentication bypass with resultant remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus version 6113 and prior.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allows attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network.

In-the-wild exploitation

When word of the vulnerability came out it was already clear that is was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat-actor. Yesterday’s joint advisory seems to support that, telling us that APT cyber-actors are likely among those exploiting the vulnerability.

They find this of high concern since this poses a serious risk to critical infrastructure companies. CISA recognizes 16 critical infrastructure sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The joint advisory points out that  the suspected APT cyber-actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors—including transportation, IT, manufacturing, communications, logistics, and finance.

It also warns that successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

According to the advisory, the JavaServer Pages web shell arrives as a .zip file “masquerading as an x509 certificate” called service.cer. The web shell is then accessed via the URL path /help/admin-guide/Reports/ReportGenerate.jsp.

However, it warns:

Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.

Please consult the advisory for a full list of IOCs.

Mitigation

A patch for this vulnerability was made available on September 7, 2021. Users are advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urge organizations to make sure that ADSelfService Plus is not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations. It also has information about how you can reach out to support if you need further information, have any questions, or face any difficulties updating ADSelfService Plus.

Stay safe, everyone!

The post FBI and CISA warn of APT groups exploiting ADSelfService Plus appeared first on Malwarebytes Labs.

For years, people have accused social media, and particularly image-driven sites like Instagram, of being bad for young people, particularly young women. It turns that Instagram’s owner, Facebook, agrees.

Thirty-two percent of teen girls said that when they felt bad about their bodies, Instagram made them feel worse.

This was one of the findings of internal Instagram researchers which was included in a presentation slide posted to Facebook’s internal messaging board in March 2020. It continues:

“Comparisons on Instagram can change how young women view and describe themselves.”

The Wall Street Journal (WSJ) has reviewed and revealed the contents of such slides in its latest instalment in the The Facebook Files, a WSJ series of investigative articles based on “internal Facebook documents, including research reports, online employee discussions and drafts of presentations to senior management.” Sometimes, included in these reports are findings from other companies the social network giant owns, like Instagram and WhatsApp.

Concerned parents and carers who may have observed or heard something from their teen who is being affected by Instagram would likely get confirmation on what they already know: Instagram is not helping with their body issues and sense of self at all. What may be more shocking to them, is that Facebook knows this too.

What Facebook knows

Facebook has been conducting internal studies of how Instagram affects its young users for three years, but had never shared any of its findings until three days ago, in response to the WSJ investigation.

According to the Journal, more than 40 percent of Instagram users are 22 years old or younger, with about 22 million teens logging on to Instagram in the US each day. The social media giant is said to have repeatedly found that Instagram is harming its young users, especially teenage girls.

It reports that the research conducted by Facebook revealed that Instagram makes body image issues worse for about one in three girls; that teenagers blame Instagram for increases in the rate of anxiety and depression; and that one in five teenagers said that Instagram makes them feel worse about themselves. The slides also revealed that a percentage of female teens in the US and UK have suicidal thoughts over what they see on Instagram.

Teen girls aren’t the only ones affected though. In Facebook’s 2019 research report, it found that 14 percent of boys in the US had said that Instagram made them feel bad about themselves. The following year, they found that 40 percent of teen boys experienced negative social comparisons. This, the researchers have concluded, is a problem specific to Instagram.

“Social comparison is worse on Instagram,” is what Facebook noted after doing a deep dive into body image issues in teen girls in 2020. What Instagram users tend to do is share only the best and most perfect photos and moments, which can trigger negative reactions, and may even lead to eating disorders, an unhealthy outlook towards themselves, and depression.

According to the researchers, young Instagram users who are struggling with mental health are aware that the app is affecting them in a negative way and need to spend less time on it, but admit they couldn’t stop themselves.

Facebook executives are stumped

The Journal claims that Facebook’s internal documents reveal that it has done little to address these issues, and even downplays these in public. For example, Adam Mosseri, head of Instagram, has told reporters that the research suggests the app’s effects on teen well-being is, “quite small”.

“In no way do I mean to diminish these issues…. Some of the issues mentioned in this story aren’t necessarily widespread, but their impact on people may be huge,” Mosseri further said in an interview with the Journal.

In another example, Mark Zuckerberg, CEO of Facebook, said at a March 2021 congressional hearing that, “The research that we’ve seen is that using social apps to connect with other people can have positive mental-health benefits,” which only highlights one side of the story while failing to mention the other.

Instagram’s response to the WSJ, written by Karina Newton, head of public policy on Instagram, says the Journal focusses on “a limited set of findings and casts them in a negative light”. She stands behind the company’s research and efforts to make things better for every teen user on Instagram, writing that “It demonstrates our commitment to understanding complex and difficult issues young people may struggle with, and informs all the work we do to help those experiencing these issues.”

In other words, as so many Facebook profiles say: It’s complicated. “The research on the effects of social media on people’s well-being is mixed, and our own research mirrors external research. Social media isn’t inherently good or bad for people. Many find it helpful one day, and problematic the next. What seems to matter most is how people use social media, and their state of mind when they use it.”

The Journal claims that Facebook executives are struggling to find ways to reduce Instagram’s harm while keeping people on the platform. Project Daisy, for example, was a pilot program created as a potential solution to keeping kids from feeling anxious and having negative feelings, based on a focus group feedback, when they see “like” counts. In Project Daisy, “like” counts are hidden. However, the results of the program have revealed that it didn’t improve teens’ lives.

Project Daisy was rolled out, nonetheless, with executives noting in an internal discussion that this, essentially, is just for show. “A Daisy launch would be received by press and parents as a strong positive indication that Instagram cares about its users, especially when taken alongside other press-positive launches.”

Mosseri acknowledges in an interview with the Journal that he doesn’t think there is a clear-cut solution to fixing Instagram. “I think anything and everything should be on the table,” he said, “But we have to be honest and embrace that there’s trade-offs here. It’s not as simple as turning something off and thinking it gets better, because often you can make things worse unintentionally”.

In an comparison that might not have come across in the way he hoped it would, Mosseri recently equated social media to cars in a podcast interview with Peter Kafka on the Recode Media podcast. “Cars have positive and negative outcomes. We understand that. We know that more people die than would otherwise because of car accidents. But by and large, cars create way more value in the world than they destroy. And I think social media is similar.”

However, Kafka, and some helpful users on Twitter, pointed out that they are not the same at all: Cars are heavily regulated, licensed, policed, regularly tested for problems, are not accessible to teens who are 16 years old and below, and have meaningful safety measures in place.

This is a call for help

Perhaps what stands out most from the reporting is not a single statistic, or how negatively Instagram has been affecting teens for years, or even that Facebook is well aware of the negative side of its social media empire, but the fact that the teens who are reporting problems are finding it really difficult to unplug or quit the app.

Parents and carers: Do not expect Instagram or Facebook to do this for you any time soon, because these online services were engineered to make users want to come back for more, even when they know it’s not good for them.

As computer scientist Dr. Cal Newport said in his memorable TED Talk, Why you should quit social media, social media is designed to provide a constant flow of small, intermittent rewards, just like a slot machine. Newport: “It’s one thing to spend a couple of hours at a slot machine in Las Vegas, but if you bring one with you, and you pull that handle all day long, from when you wake up to when you go to bed: We’re not wired for that”.

Kids cannot be expected to handle the social media slot machine alone—parents, family members, and our childrens’ friends all have a role to play in helping our kids overcome this.

Recommended reading:

• How to delete your Instagram account

The post Facebook’s own research reveals the harm that Instagram can inflict appeared first on Malwarebytes Labs.

The Krita digital painting application is currently being targeted by ransomware authors. Available on Steam and other platforms, it’s a powerful tool with a very cheap purchase price and great reviews. A perfect bit of bait to start reeling in potential victims, in other words.

How does the scam work?

Ransomware scammers send out mails to artists. Those mails claim to be from the team behind the Krita tool, and contain links which redirect potential victims to the real domain. This is to make everything look above board and legitimate.

The mails seen so far read as follows:

Hello dear, please give me a moment of your time. Krita team is eager to collaborate with you.

After this follows a generic promo text for the program. They follow this up with:

We would like to consider integrating a 30-45 second ready-made promo into your media space (Facebook, Instagram, Youtube), can we consider that?

Other mails claim that once the registration process is done and dusted, an email address, payment information, and phone number are required. Yes, there’s a bit of data grabbing alongside the malware slinging.

The aim of the game is revenue generation, and this is always going to be an attractive proposition for artists.

The bogus mediabank zip makes its entrance

Regardless of how the emails present themselves, there’s one common factor. They claim to link to a “mediabank” which contains icons, screenshots and previous video campaigns. The contents are “confidential”, which is a sneaky way to prevent potential victims telling anybody about it.

Some folks have reported the contents of the zip as .scr files masquerading as images/videos.

Why an scr file?

Any scam which involves images has a good chance of falling back on scr files. It’s a very old technique. Folks unfamiliar may think it means “screenshot”. This is especially the case where they’re opening up zips expecting to see imagery. Sadly, this isn’t the case. An scr is a screen saver file, and it runs on your system like a program. If it contains bad things, then bad things will be headed your way in an instant.

Tricking visual artists with scr files seems like a particularly cruel trick, whether intentional or not.

What happens next?

Krita previously reported this as ransomware, and as you can see, the mails are still going strong:

They look pretty convincing, which certainly won’t hurt the scammers one bit. If you’re going to trick people who work with visuals, it pays to look as good as possible.

Forward on any dubious messages you receive to the Krita team, and delete the mails afterwards. Don’t trust zip attachments, and give any scr file extensions a wide berth. Showing file extensions is also helpful, both for this and any other potential attacks generally. It appears a lot of the domains used for these mails are down, but it’s easy enough to put up replacements. Be careful out there!

The post Ransomware scammers target artists with fake Krita revenue deals appeared first on Malwarebytes Labs.

HP has released a patch to fix a flaw in the HP OMEN driver.

As far as we know the flaw isn’t being actively exploited, but it’s worth applying the patch as soon as you can.

The flaw, the fix

The driver vulnerability, which is tracked as CVE-2021-3437, was found by Kasif Dekel, a senior security researcher at SentinelLabs.

If exploited, the vulnerability could allow a malicious threat actor to escalate privileges to kernel mode. This would enable the actor to perform tasks within affected systems, such as disabling security solutions, running malicious code in kernel mode, and elevating privileges of other users, and more. Exploiting this flaw could also allow the actor to trigger a denial-of-service (DoS) condition, which prevents traffic from going to the device.

The driver, HpPortIox64.sys, is used by the HP OMEN Gaming Hub (previously called HP OMEN Command Center), software that comes pre-installed in HP OMEN systems. Although this SYS file is created by HP, according to Dekel, it is actually “a partial copy of another problematic driver, WinRing0.sys, developed by OpenLibSys.”

HpPortIox64.sys essentially inherited the privilege kernel-mode problem from WinRing0.sys.

“It’s worth mentioning that the impact of this vulnerability is platform dependent,” continues Dekel in the report, “It can potentially be used to attack device firmware or perform legacy PCI access by accessing ports 0xCF8/0xCFC. Some laptops may have embedded controllers which are reachable via IO port access.”

The flawed HP driver accepts IOCTL (Input/Output Control) requests from non-privileged users, who aren’t subjected to access control rules. Because of this, such drivers can be abused, “by design.”

Road 96 and OMEN

It’s worth mentioning that HP’s first official video game, Road 96, gives its video game players and fans the option to download the OMEN Gaming Hub in a section of the game.

Although we can’t say for sure if the driver problem will pose a threat to non-HP users should they agree to install the Hub, we do note another threat to consider. According to Chris Boyd, lead malware intelligence analyst for Malwarebytes, “Certain games offer additional skills or abilities in return for installing OMEN, such as the award-winning, Road 96. As a result, many people will have it on their system even if they have no intention of ever using it. Where updates aren’t taking place, this could be dangerous should an exploit arise in the wild.”

The post HP OMEN users, update your driver now! appeared first on Malwarebytes Labs.

Jay Tipton, chief executive for the Managed Service Provider (MSP) Technology Specialists, remembers his Fourth of July weekend this year like many MSP employees likely remember theirs: As a bit of a nightmare.

“That’s like the worst feeling you’ll ever have,” Tipton said about his initial impressions about a fast-moving ransomware attack that he originally thought hit just his company. His Microsoft Outlook instance closed down unexpectedly, his phone rang and he learned about a customer having trouble connecting to some software tools, and then, just minutes later, his phone rang again. The number of customer problems had already multiplied.

As Tipton and the world would soon learn, his Fort Wayne, Indiana-based MSP was just one of up to 1,500 companies ensnared in what was is probably the largest ransomware attack ever, when threat actors poisoned the remote monitoring and management software tool Kaseya VSA—a favorite for many MSPs—with ransomware.

The attack, which actually led to grocery stores shuttering their doors in Sweden, proved so detrimental because of its cascading nature. By attacking Kaseya VSA, threat actors not only managed to compromise the software, but also the MSPs that used the software, and the small- to medium-sized businesses that were supported by those same MSPs.

Recovery for Tipton’s company has been slow but hopeful. Technology Specialists retrieved data for its customers, maintained strong customer relationships, and even received an outpouring of support from ex-employees and clients themselves.

But in speaking with MJ Shoer, executive director for the nonprofit CompTIA’s Information Sharing and Analysis Organization, Tipton revealed that even the best recovery plans will hit unforeseen obstacles.

Take, for instance, Technical Specialists’ efforts in recovering their clients’ data. Their backups worked, Tipton said, but the process itself happened slower than expected.

“We’ve had some restoring issues, and part of it had to do with download speeds, because everyone was trying to hit the same data centers at the same time,” Tipton told Shoer. “That’s part of the problem. You can’t plan for that.”

Through this process, Tipton compiled a long list of things he’d like to change moving forward, most of it on a large Post-It note covering much of one of his walls. Here’s what Tipton is focusing on moving forward. His lessons are relevant to all organizations, not just MSPs.

Ransomware recovery lessons

1. Put passwords and disaster recovery plans on paper

If the worst happens, you’ll wish you had made a recovery plan. Recovery plans typically identify the key systems and data inside your organization, and the shortest path to restoring critical business functions.

Following the Kaseya VSA ransomware attack, Tipton said that he is focusing on a way to provide “paper printouts” for his company and his clients’ disaster recovery plans. He also added that he wants to find a way to “securely print out passwords” because the attack also seemingly affected Technical Specialists’ password vault.

“We had to wait almost 36 hours to get our password vault restored so we could get passwords out of it,” Tipton said.

Both ideas have immediate value for any business, big or small. A disaster recovery plan is only as useful as it is accessible, and an inaccessible password vault could slow down literally every single part of a data recovery effort if administrators simply cannot access their accounts.

2. Say goodbye to public whitelists

Allowing MSPs to manage some or all of their IT and security makes sense for lots of small businesses, but it comes with its own risks. MSPs act as administrators, so any tools they use get administrator privileges too. MSPs also need to make their toolchain work across all the various customer environments they work with too.

A common practice for MSP software vendors is to advise users of directories that should be “whitelisted” against antivirus software, so that their software can work without interference from cybersecurity tools. This practice is understandable—attackers try hard to disguise themselves as administrators and security tools have the difficult job of letting legitimate remote administration go ahead while stopping malicious remote administration—but it is ill-advised.

These whitelist guides are available for anyone to view online, but, according to Tipton, Technical Specialists is asking for more control into how to actually treat some directories. Tipton said some of what he’s doing moving forward is “not allowing the software vendors to push us into whitelisting directories. That’s not happening anymore.”

“Give me control of which directory it is and how far down I can bury it—I’ll consider it, because then I can control how it’s working, what’s going on in there, and where it’s at so it’s not public knowledge that directory exists,” Tipton said. “But this open whitelisting of programs and directories isn’t going to happen.”

3. Insist that software is digitally signed

In speaking with Shoer, Tipton mentioned that one of the vendors that Technical Specialists use has the annoying habit of changing its DLLs (the software libraries that their product uses) quite regularly. Tipton said he will not allow that anymore unless the vendor starts digitally signing the DLLs.

Why? Because this is another situation where legitimate behavior and malicious behavior can look very similar. If a DLL changes and it hasn’t been signed by the vendor, Tipton has no way of knowing if the new DLL is legitimate or if it has been tampered with by an attacker.

“I’ve got a vendor that likes to keep changing their DLLs, and I think some of them change on the fly and it causes all kinds of problems,” Tipton said. “You’re going to have to sign your program with a cert because I’m going to block it and it’s not optional.”

Moving on

People are often understandably reluctant to talk about their experiences with ransomware, so we applaud Tipton for being open and transparent, and giving us all the opportunity to benefit from his experience.

All of Tipton’s goals seem to be focused on giving Technical Specialists more visibility and capability into how it supports its clients. And perhaps that’s the right mindset—Tipton shared with Shoer that his business lost very few clients after the attack, and of the clients he did lose, seemingly all of them misplaced blame on the MSP itself.

“There are a few that don’t get it, won’t ever get it, will never understand, and say it’s all our fault,” Tipton said. “I can’t change their minds, so I’ll just shake their hands, part as friends, and go on with life.”

Ransomware podcasts

Ransomware recovery is an important subject that benefits enormously from the real-world perspective and experience of those who have been through it. Several recent episodes of Malwarebytes Labs’ Lock and Code podcast have dealt with different aspects of recovering from ransomware.

Racing against a real-life ransomware attack

At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against Northshore School District in Washington state. Early the next morning, Northshore systems administrator Ski Kacoroski arrived on scene. Kacoroski explains what happened next, and what Northshore did to recover from the attack and prevent it from happening again.

Listen to Racing against a real-life ransomware attack

“Seven or eight” zero-days: The failed race to fix Kaseya VSA

The Dutch Institute for Vulnerability Disclosure (DIVD) discovered “seven or eight” zero-days in Kaseya VSA before the REvil ransomware group did. DIVD chair Victor Gevers explains why that wasn’t enough to stop the biggest ransomware attack in history, and reveals that Kaseya VSA’s vulnerabilities represent just one data point in a far larger and more worrying trend.

Listen to “Seven or eight” zero-days: The failed race to fix Kaseya VSA

Why backups aren’t a “silver bullet” against ransomware

Any cybersecurity expert will tell you that the last line of defense against ransomware is backups. But if they’re so important, why are we still so bad at getting them right? Host David Ruiz speaks with VMware’s Matt Crape about why making good backups is so hard, and what missteps you should watch out for.

The post 3 security lessons from an MSP that survived the Kaseya VSA attack appeared first on Malwarebytes Labs.