
Fake Hogwarts Legacy cracks lead to adware, scams

Hogwarts Legacy, the much-anticipated Harry Potter video game, has finally landed on major gaming platforms. But, as with all games like this, it comes with a steep price tag, so it’s no surprise to suddenly see websites peddling “cracked” versions of the game for free.

These sites are easily accessible via a quick Google search.

“hogwarts legacy crack” sample search result by Google (Source: Malwarebytes | Stefan Dasic)

Cracked games are games that are rendered playable due to tampering or file modification. They’re also generally available for free. Essentially, they’re pirated games, which is illegal in some states. Malware Intelligence Analyst Stefan Dasic looked into the above websites claiming to share the cracked PC version of the game. 

One website, games-install[.]com, asks users for an activation key once they’ve downloaded the “game”. In order to access the key, the site says the user must verify themselves via a survey.

Everything falls apart at that point. Either the survey leads to a dead end, or it asks users to enter personal data such as a phone number. Suffice it to say the website is a survey scam.

This is what happens when you try and download a “free” version of Hogwarts Legacy (Source: Malwarebytes | Stefan Dasic)

Dasic said the sites from the above screenshot all resolve to gameportpc[.]ru, which redirects to changing sites that are seen hosting a file named Hogwarts_Legacy_Setup.exe.

When users click the “Download” button, they find that they have downloaded a copy of the legitimate 7-Zip file compression program.

If you visit the same gameportpc URL, however, the downloaded file is instead a Trojan dropper, which in turn drops adware.


Malwarebytes detects the Trojan and adware as Trojan.Dropper and Adware.Agent.Generic, respectively. We also block the websites we’ve seen pushing fake Hogwarts Legacy game cracks.


Malwarebytes protects all your devices and personal info from threats, including ones you find while gaming. Find out more about our home protection here.

Game on, and stay safe!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Arris router vulnerability could lead to complete takeover

Security researcher Yerodin Richards has found an authenticated remote code execution (RCE) vulnerability in Arris routers, the type of router that ISPs typically provide on loan to customers for telephony and internet access.

After responsible disclosure, Richards published a proof-of-concept (PoC) that demonstrates how, ironically, he turned the firmware's own input verification against itself.

Affected devices

The authenticated RCE exploit for Arris router firmware version 9.1.103 has been tested against the TG2482A, TG2492 and SBG10 models, devices commonly found in the Caribbean and Latin America, says Richards.

According to Richards, when he contacted Arris (acquired by CommScope), the company said the devices running the vulnerable firmware are end-of-life (EOL) and are no longer supported by the company. This means that they are unlikely to ever get updated, even though the SBG10 is actively listed on its website.

Authenticated

An authenticated RCE means an attacker needs login credentials to exploit the vulnerability. However, it's likely that most users have never changed their default router credentials, either because it is too complicated or because nobody told them clearly enough that this is a necessary step during setup. So once an attacker knows the default credentials, they can exploit the vulnerability at will.

Richards added:

“It is also worth noting that there is no https setting to secure credentials in transit. I think this makes it a perfect target for botnets like Mirai that gained success using default credentials, and more experienced attackers may have more clever ways to circumvent this.”

How to protect yourself

Since we do not expect the vendor or the ISPs to patch this vulnerability, we asked the researcher for his advice.

“As for mitigation, an easy and effective way is to simply use a strong password, but still this does not stop an attacker from eavesdropping on the unprotected traffic containing the password or even manipulating the browser to gain access. A more desirable form of mitigation would be to change the firmware completely but as you said providers are lax about pushing updates and there is no easy way for an end user to do this themselves. They could run the exploit to gain a root shell and try to patch it from there but this is by no means a simple solution.”

The vulnerability

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This vulnerability is listed as CVE-2022-45701.

While testing ways to achieve shell command injection, the researcher found that $ on its own is accepted. That was promising, but the sequence $( was neutralized, which implies the developer was deliberately trying to prevent command substitution. The check is flawed, though, in how it neutralizes. If any of the disallowed characters is present in the input, the object is not set and keeps its previous value. $( is handled differently: it is simply removed from the payload after verification, and only once. Because the removal is not repeated, an input constructed so that stripping one $( leaves another $( behind passes the check and still reaches the shell as a command substitution. This could easily have been prevented by also neutralizing $ or ( individually, or by rejecting such input outright instead of trying to clean it.

With this knowledge, Richards was able to inject a netcat reverse TCP shell command and get a shell.
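The bypass above comes down to "strip once" versus "reject". The following is an added example written for this page, not the researcher's PoC and not the Arris firmware code: a Python model of the check as the article describes it, next to a hardened version. The blacklist contents, the function names and the way the value is placed into a command line are assumptions for illustration.

```python
"""
Model of the flawed filter described above (added example, not the firmware's
code). Assumed behaviour, taken from the description rather than the source:
a value containing a blacklisted character is refused and the setting keeps
its previous value; otherwise the literal substring "$(" is stripped, once,
and the result ends up inside a shell command line.
"""
import subprocess

# Assumed blacklist. "$" and "(" are deliberately absent, as the page describes.
BLACKLIST = set(";|&`\n")


def filter_once(value: str, previous: str) -> str:
    """Vulnerable check: refuse on blacklisted characters, otherwise strip "$("
    a single time. Stripping instead of refusing is the bug."""
    if any(ch in BLACKLIST for ch in value):
        return previous  # object is not set, keeps its previous value
    return value.replace("$(", "", 1)


def filter_hardened(value: str, previous: str) -> str:
    """Hardened check: "$" and "(" are disallowed individually and nothing is
    'cleaned'. Bad input is refused, so there is no removal step to bypass."""
    if any(ch in BLACKLIST or ch in "$(" for ch in value):
        return previous
    return value


def command_line(hostname: str) -> str:
    """Stand-in for the firmware building a shell command from the setting."""
    return "echo " + hostname


def run_in_shell(cmd: str) -> str:
    """Run the command line through sh and return its output (demo only)."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    # Stripping "$(" once from "$($(echo pwned)" leaves "$(echo pwned)", which
    # the shell then executes as a command substitution.
    payload = "$($(echo pwned)"
    leaked = filter_once(payload, previous="router")
    print("after vulnerable filter :", leaked)                                # $(echo pwned)
    print("shell output            :", run_in_shell(command_line(leaked)))    # pwned
    print("after hardened filter   :", filter_hardened(payload, previous="router"))  # router
```

The same logic applies to any "remove the dangerous substring" sanitizer: unless the removal loops until nothing changes, a nested copy of the substring survives. Even a looping remover is fragile (backticks and ${...} are other substitution forms), which is why refusing the input, as filter_hardened does, is the right fix.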


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Ransomware pushes City of Oakland into state of emergency

The ransomware attack that hit Oakland on Wednesday February 8, 2023 is still crippling many of the city’s services a week later. In fact, the situation is so bad that the Interim City Administrator has now declared a state of emergency.

Tweet by the City of Oakland announcing the state of emergency

The ransomware attack initially forced the City’s Information Technology Department (ITD) to take all systems offline while it coordinated with law enforcement to investigate the attack.

The impact of the outage is far-reaching and ongoing. The network outage has impacted many non-emergency systems including the ability to collect payments and process reports, permits, and licenses. As a result, some of the city buildings are closed and the public is under advice to email ahead of any planned visit to one of the impacted departments.

Interim City Administrator G. Harold Duffey declared the state of emergency due to the ongoing impact of the network outages as a result of the ransomware attack. According to a spokesperson for the City:

“The declaration of a local emergency allows the City of Oakland to expedite the procurement of equipment and materials, activate emergency workers if needed, and issue orders on an expedited basis, while we work to safely restore systems and bring our services back online.”

Fortunately, the attack has not affected crucial infrastructure like the 911 dispatch and fire and emergency resources, but the Oakland Police Department (OPD) did say that response time has been delayed and asked the public:

If you don’t have an emergency or do not need an immediate emergency response, please consider the following means to report incidents:

  • OPD Online Reporting: oaklandca.gov
  • Oak 311: for urgent issues, call 311.
  • OakDOT: call (510) 615-5566.

So far the City has not provided an indication of when the situation will be back to normal.

Attackers

At this point it’s not clear which ransomware group is behind the attack on the City of Oakland. None of them has claimed the attack and the leak sites of the major groups we checked don’t mention Oakland. This could be because the ransom negotiations have not been broken off yet.

With the investigation apparently ongoing there is no indication of which infection method was used. We’ll update this story if we learn more.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.


Four EU telco giants will start asking users if they want personalized targeted ads

They say you can’t have too much of a good thing. Unfortunately, this applies to ads, too, whether you think they’re a good thing or not. Soon, Europe’s four biggest telecommunication companies—Germany’s Deutsche Telekom (DT), France’s Orange, Spain’s Telefónica, and the UK’s Vodafone Group—will deliver targeted ads to their millions of subscribers while also observing European privacy laws.

Back in January, the quartet of telcos filed a proposal to offer a “privacy-led, digital identification solution to support the digital marketing and advertising activities of brands and publishers.”

Now, the joint venture has been approved “unconditionally” by the European Commission under the EU Merger Regulation: the Commission concluded that it would not raise competition concerns in the European Economic Area (EEA).

“The joint venture will offer a platform to support brands and publishers’ digital marketing and advertising activities in France, Germany, Italy, Spain and the UK,” the press release noted. “Subject to the user’s consent, the joint venture will generate a unique digital code derived from the user’s mobile or fixed network subscription. Such code will allow brands and publishers to recognize users on their websites or applications on a pseudonymous basis, group them under different categories and tailor their content to specific users’ groups.”

Although the commission cleared the joint venture, this doesn’t mean the EU’s data protection regulators will give this a sign-off, too, as the press release further stated: “During its investigation, the Commission has been in contact with data protection authorities. Data protection rules are fully applicable, irrespective of the merger clearance.”

The still-unnamed adtech joint venture is to be based in Belgium, with each of the four holding a 25 percent stake. It isn’t clear when it will begin operating.

Subscribers must opt-in

The hundreds of millions of subscribers of the four telcos will not automatically be subjected to the ads; they have to agree explicitly. According to TechCrunch, the platform, which the partners call a “counter-design to third-party cookies”, was designed with the GDPR and the ePrivacy Directive in mind, so the JV has to provide an opt-in mechanism through which willing subscribers submit their phone numbers to start receiving “communication from brands via publishers”.

“The trial platform requires affirmative opt-in consent by the consumer to activate communications from brands via publishers,” said Vodafone about the venture’s platform. “The only data that is shared is a pseudo-anonymous digital token that cannot be reverse-engineered. Consumers are free to opt in or deny consent with a single click, as well as revoke any other consents given either on the brand’s or publisher’s website, or via a dedicated, easily accessible privacy portal.”

“The platform is specifically designed to offer consumers a step change in the control, transparency and protection of their data, which is currently collected, distributed and stored at scale by major, non-European players,” the company added.

Vodafone and DT have already trialled the platform on their networks in Germany. Further trials in France and Spain are being considered “to further develop the platform”. Eventually, it is to be made available to every operator in Europe.

The JV will be outlining its vision and strategy, including plans for adopting the trial technology commercially in the future. The name of the trial platform is TrustPid.

Vodafone’s Privacy Portal, TrustPid, is where users can opt out of receiving targeted ads when they decide to. (Source: Trustpid)

Privacy concerns and dark patterns

When the name TrustPid started appearing in headlines in May last year, it quickly became synonymous with “supercookie”, an ad targeting technology (tracker) famously associated with American telco Verizon. What a supercookie does is track websites visited by users on a smartphone or other mobile device on its network, allowing sites to better target them with ads. The Electronic Frontier Foundation (EFF) put it this way: “It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors’ web browsing habits without their consent.”

Only in this case, explicit consent is required. However, it is not true consent—and this is a problem.

When the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) began receiving inquiries about TrustPid in June 2022, it revealed (translated from the German) that it had flagged several “data protection problem areas” with the project, including the reliance on user consent as the legal basis for collecting user data. As a recent study argues, true consent requires (1) an understanding of the company’s practices, policies and the legal protection of one’s data, something many of us blindly click past because no one reads the terms, and (2) the autonomy to decide. Satisfying only one of these makes consent “illegitimate.”

When TechCrunch asked Simon Poulter, a senior spokesperson for Vodafone, about consent, he said participating partners must explicitly collect consent before processing any data. However, the outlet quickly noted that the participating carriers themselves never proactively ask for user consent at any point, making the source of the tracking look “obfuscated by design”.

“By outsourcing the gathering of consents to third party ad ‘partners,’ TrustPid’s approach looks intended to dodge denials — but by doing that it risks running counter to key principles baked into EU law,” TechCrunch added.

Poulter eventually confirmed the carriers had no intention to gather consent themselves.

A number of privacy advocates weighed in on the matter of TrustPid months ago. One of them was Aram Zucker-Scharff, the privacy engineering lead for the Washington Post:

Participant users who don’t want to be tracked anymore would have to opt out every three months since TrustPid tokens are designed to respawn every 90 days.

Mobile traffic data is generally untouched, and EU telcos have seen it as a significant fund source. Can they really allow advertising partners to collect this data even with consent?
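The quotes above treat “cannot be reverse-engineered” and “does not identify the user across sites” as the same property. They are not, and the 90-day respawn does not close the gap. The following is an added example written for this page, not TrustPid’s or any operator’s code: a toy model in which the operator derives a token as a keyed hash (HMAC) over the subscription identifier and a 90-day period number and hands the same token to every publisher. The key, the subscriber numbers and the derivation itself are assumptions for illustration, not the platform’s actual design.

```python
"""
Toy model of a network-level pseudonymous token (added example, not the
platform's code). Shows that a one-way token can still be a cross-site
identifier, that partitioning per publisher removes that linkability, and
that 90-day rotation only limits the window, not the operator's ability to
map tokens back to the subscription.
"""
import hashlib
import hmac
from datetime import date, timedelta

OPERATOR_KEY = b"made-up-operator-key"  # assumption: one secret key held by the operator
ROTATION_DAYS = 90                      # the 90-day "respawn" mentioned above


def period_for(day: date) -> int:
    """Index of the 90-day period a date falls in."""
    return day.toordinal() // ROTATION_DAYS


def network_token(subscription_id: str, day: date, key: bytes = OPERATOR_KEY) -> str:
    """One-way pseudonym: without the key, the token cannot be turned back into
    the subscription id except by guessing ids and recomputing, which is why the
    key matters (phone numbers are a small search space)."""
    msg = f"{subscription_id}|{period_for(day)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def per_publisher_token(subscription_id: str, publisher: str, day: date,
                        key: bytes = OPERATOR_KEY) -> str:
    """Partitioned variant: the publisher is mixed in, so two publishers receive
    tokens for the same subscriber that they cannot match against each other."""
    msg = f"{subscription_id}|{publisher}|{period_for(day)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def joinable_users(log_a, log_b):
    """What two publishers (or an ad network behind both) learn by joining their
    logs on the token column: the users both of them saw."""
    return set(log_a) & set(log_b)


def demo():
    today = date(2023, 2, 15)
    alice = "+4915112345678"  # constructed subscriber number
    shared = network_token(alice, today)
    # Each publisher logs the tokens it received. Alice visited both.
    log_a = [shared, network_token("+4915100000001", today)]
    log_b = [shared, network_token("+4915100000002", today)]
    linked = joinable_users(log_a, log_b)  # {shared}: one-way, yet a cross-site id
    # Partitioned tokens: Alice looks different to publisher A and publisher B.
    unlinkable = per_publisher_token(alice, "pubA", today) != per_publisher_token(alice, "pubB", today)
    # Rotation: 90 days later Alice's token changes, but the operator can still
    # tie both tokens to her subscription.
    rotated = network_token(alice, today + timedelta(days=ROTATION_DAYS)) != shared
    return linked, unlinkable, rotated


if __name__ == "__main__":
    print(demo())
```

The point of the model is the middle line of demo(): two publishers holding an “irreversible” token can still intersect their logs and recognize the same subscriber, which is exactly the supercookie behaviour the EFF describes. Whether the real platform partitions tokens per publisher is not something the public statements quoted here settle.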

“Companies that operate communication networks should neither track their customers nor should they help others to track them,” digital rights activist Wolfie Christl was quoted saying. “I consider the project an irresponsible abuse of their very specific trusted position as communication network operators. It is a dangerous attack on the rights of millions. It appears they want to legally justify it with the misleading and meaningless pseudo-consent banners we have to deal with on websites every day, which is irresponsible and outrageous.”

“The project undermines trust into communication technology and should be stopped immediately,” Christl further added. “I hope that European data protection authorities quickly team up and stop the project.”



WordPress sites backdoored with ad fraud plugin

WordPress is an immensely popular content management system (CMS), powering over 43% of all websites. Many webmasters monetize their sites by running ads and pay particular attention to search engine optimization (SEO) techniques to maximize their revenue.

But some people take a shortcut to traffic through practices that are legal in themselves but are sometimes used fraudulently. In this instance, we identified someone buying popunder traffic to promote their websites. A popunder is a very common thing online: a secondary page is launched underneath the current one. In itself it is merely an annoyance, not malicious, except when the website being launched uses various techniques to defraud advertisers.

We discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin, otherwise they appeared completely legitimate.

In this post, we share the technical details behind this ad fraud scheme and any clues pointing to the developer of this WordPress plugin.

Key findings

  • About 50 WordPress blogs have been backdoored with a plugin called fuser-master
  • One of the blogs performing this ad fraud had 3.8 M visits in January, with an average visit duration of 24:55 minutes and 17.50 pages per visit
  • This plugin is being triggered via popunder traffic from a large ad network
  • The WordPress sites are being loaded in a separate page underneath and display a number of ads
  • The plugin contains JavaScript code that mimics the activity of a real visitor: scrolls the page, clicks on links, etc.
  • The code also monitors for real human activity (mouse movement) and will immediately stop the fake scrolling when that happens


Figure 1: Diagram summarizing ad fraud case

Fuser-master WordPress plugin

Recently we blogged about ad fraud involving a popunder as well, except in that case it was using an iframe to hide the ads. Here, there is nothing hidden at all and the ad fraud can only be deduced when the page is being scrolled down, and back up at random intervals. Because it is a popunder, anyone becomes an unwitting accomplice and does not see any of the fraudulent behavior.

In this investigation, we won’t be spending time on the ad network facilitating these popunders but we have a fairly good idea of which one it might be based on anti-debugging code that they used. What makes popunders particularly enticing for ad fraud is the fact they allow content to be loaded and remain until further action. Unlike the main browser window where a user can easily navigate away from the current website they are visiting, the popunder will remain open for several minutes or even hours, until it is closed.

We were able to trigger the popunder several times and noticed that the fraudsters were using several different blogs that all had one thing in common: a plugin called ‘fuser-master’. There are few references to this plugin, such as where to download it or who its author might be. We were only able to find one mention, on themesinfo.com, a WordPress theme detector.


Figure 2: A list of websites using the fuser-master plugin

Not all the sites listed in the gallery still exist or are fully functional, but that still gave us a good indication of what was being used to turn standard blogs into ad fraud robots. It’s worth mentioning again that when visited at their homepage, all these blogs are static in nature, meaning we don’t see this kind of zombie activity where the page is scrolling by itself. In the next section, we will look at the URL entry point that triggers that specific behavior.

User check and redirect

All of these blogs appear typical when visited directly, so they would likely pass a manual review. However, when a special URL (the entry point) is requested with the right parameters, they turn into ad fraud machines. Below is the URL path and the parameters used on all the blogs where the plugin has been installed:

/wp-content/plugins/fuser-master/entrypoint.php?

  • e
  • Iptoken
  • websiteid
  • geo

First, the current user is checked to determine if they should be allowed to enter into the ad fraud scheme or not:


Figure 3: Pre-check for cookies

The fraudsters are using open redirects from Google and Twitter in an interesting way. A keyword from an array corresponding to related Google search terms is picked and added to a Google search URL:


Figure 4: SEO trick

That keyword is chosen randomly and makes up the dynamic redirect URL:


Figure 5: Keyword used in redirect

The next web request is the actual redirect code which also drops some cookies. The URL and code for the redirect will vary based on the different options set up previously:

Figure 6: Google open redirect

Figure 7: Twitter open redirect

The popunder will effectively load the blog via the entrypoint, then immediately leave it to re-enter via a Google open redirect as if someone had clicked on one of the search results. This is what it looks like:


Figure 8: Animation showing open redirect mechanism
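For a site owner, the entry point and the redirect bounce described above are both visible in ordinary web server logs. The following is an added example written for this page, not code from the fuser-master plugin or from Malwarebytes: a small detector that reads Apache/Nginx “combined” format access log lines, flags every hit on the plugin’s entry point, and flags a client that hits the entry point and then, within a short window, re-enters the site with a Google or Twitter referrer (the open-redirect bounce of Figure 8). The entry point path and parameter names (e, Iptoken, websiteid, geo) are those from the page; the log lines, addresses, timestamps and parameter values are constructed for the example.

```python
"""
Access-log detector for the fuser-master entry point and the open-redirect
bounce (added example, not the plugin's code). The sample log below is
constructed: one client (203.0.113.7) arrives via the entry point and two
seconds later loads an article with a Google referrer; a second client
(198.51.100.4) is an ordinary search visitor and must not be flagged.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

ENTRYPOINT = "/wp-content/plugins/fuser-master/entrypoint.php"
REDIRECT_HOSTS = {"google.com", "www.google.com", "twitter.com", "t.co"}
BOUNCE_WINDOW = timedelta(seconds=30)

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2023:14:02:11 +0000] "GET /wp-content/plugins/fuser-master/entrypoint.php?e=1&Iptoken=abc123&websiteid=42&geo=US HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2023:14:02:13 +0000] "GET /lunchbox-ideas/ HTTP/1.1" 200 51234 "https://www.google.com/search?q=lunchbox+ideas" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2023:14:03:40 +0000] "GET /lunchbox-ideas/ HTTP/1.1" 200 51234 "https://www.google.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2023:14:09:02 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_entrypoint_hit(path):
    return urlsplit(path).path == ENTRYPOINT


def entrypoint_params(path):
    """The e / Iptoken / websiteid / geo values, useful for pivoting across sites."""
    return {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}


def referer_is_open_redirect(referer):
    host = urlsplit(referer).netloc.lower()
    return host in REDIRECT_HOSTS or host.startswith("www.google.")


def analyse(lines):
    """Return (entry point hits, bounce sessions). A bounce is an entry point hit
    followed, from the same IP and within BOUNCE_WINDOW, by a page view carrying
    a Google/Twitter referrer."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits, bounces = [], []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if not is_entrypoint_hit(rec["path"]):
                continue
            hits.append((ip, rec["ts"].isoformat(), entrypoint_params(rec["path"])))
            for later in recs[i + 1:]:
                if later["ts"] - rec["ts"] > BOUNCE_WINDOW:
                    break
                if referer_is_open_redirect(later["referer"]):
                    bounces.append((ip, later["path"], later["referer"]))
                    break
    return hits, bounces


if __name__ == "__main__":
    found_hits, found_bounces = analyse(SAMPLE_LOG.splitlines())
    for h in found_hits:
        print("entry point hit:", h)
    for b in found_bounces:
        print("open-redirect bounce:", b)
```

A clean result does not prove a site is clean: the cheaper check is simply listing the installed plugins (wp plugin list with WP-CLI, or the contents of wp-content/plugins) and looking for the fuser-master directory. The Google-referrer visitor without a preceding entry point hit is deliberately left unflagged, since that is exactly how legitimate search traffic reaches these blogs.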

Faking user activity

As mentioned previously, the blogs will only exhibit their ad fraud nature when visited via the fuser-master plugin’s entry point. We know that this happens when a user was browsing the web, clicked on a page and a popunder was launched. The blog will open up in a new window behind the current window, which means the user is completely unaware of what is happening.

It becomes quickly obvious that there is something odd when the popunder is exposed. We notice some scrolling back and forth and somewhat randomly which truly mimics what a human would do when reading an article. When looking at the code we can see that it checks for user activity (more on that later) and only performs this scrolling activity if it has not detected real mouse movements on the page:


Figure 9: Code for automated scrolling

Had the popunder been the same blog without this fake scrolling there would be no reason to suspect mischief. Of course the fraudsters aren’t interested in a static page without any kind of user interaction as their goal is monetization via ads. This invalid traffic needs to look as valid as possible in order to not get flagged by anti ad fraud solutions:


Figure 10: Animation showing automated scrolling

Another interesting aspect of this fraud is that, at regular intervals, a new article is viewed. This mimics a normal visitor continuing on the site by following other articles they might want to read. Looking at fuser-master’s code, we see that it collects all internal URLs from the currently loaded page and places them in an array. Watching what happens, we see that after a certain number of scrolls up and down, a different article is loaded and the scrolling resumes. This fake activity can last from minutes to hours, until it is interrupted by the real human at the computer.

Freeze game

At some point, the real user will close their browser or the page that was in front of the popunder. When that happens, all fake activity suddenly stops and the blog becomes static. This is a clever trick to avoid suspicion and reminds us of the ‘freeze’ game kids play. The fraudsters are able to detect when the mouse is being placed over the current page and can quickly stop the code from running.


Figure 11: Monitoring for real user activity


Figure 12: Stopping fake activity after real user is detected

Same web developer built those blogs

Looking through the Internet Archive, we identified an Indian web developer behind several of these sites. Some of the older posts were written by him, and layout details such as the scroll bar style and test ads are identical. Nothing definitively proves that this web developer created the ad fraud plugin, although he had the technical skills to do so and, going by his WordPress community identity, was involved in a number of posts about various SEO plugins.


Figure 13: Demo blog using a similar template reused elsewhere

In addition, his own business website also features those blogs in his portfolio and while hovering over the thumbnails we can’t help but notice a scrolling technique very similar to what we saw previously with the ad fraud.


Figure 14: Portfolio showcasing some of the blogs

We contacted one of his supposed customers to let them know about the fuser-master plugin running on their site. While we did not hear back from them, the plugin had been removed from their WordPress installation within about an hour.


Figure 15: Fuser-master plugin was deleted shortly after our notification

If the web developer wanted to earn from this ad fraud scheme, he would need to have his own publisher IDs and overwrite the ones used by his customers, however we could not immediately verify that this was the case. It’s also possible that the plugin is sold as an “add-on” and that some of his customers are fully aware of it, but we could not prove that either.

Unlike the previous ad fraud case we looked at, this one does not simply use Google ads. Instead, it goes through a number of ad platforms, which makes the publisher ID and potential revenue harder to determine. We do know that one of the websites in this investigation (momplaybook[.]com) had 3.8 million visits in January, with visitors spending an average of 24 minutes and viewing 17 pages per visit (stats by SimilarWeb).


Figure 16: Malwarebytes Browser Guard

Visiting that same website, Malwarebytes Browser Guard blocked over a thousand ad trackers after a few minutes of sitting idle on the main page. The majority of requests came from Google’s DoubleClick and OpenX, both of which we have informed.

Conclusion

While popunders are a legitimate form of advertising, their very format is susceptible to abuse. For ad fraud in particular, popunders allow websites to be loaded and serve ads that will never be viewed by real humans.

The plugin we identified during this investigation is relatively simple and allows anyone with an ordinary WordPress blog to increase their earnings dramatically. Because regular visitors will come to the blog via a different flow (standard search or referral link), none of the fraudulent behaviors will be shown. All that is needed is to purchase ad space via a large popunder distributor and use the special entry point URL that triggers the fuser-master plugin.

We have shared details about this invalid traffic case with other partners in the industry.

Indicators of Compromise

momplaybook[.]com
geekextreme[.]com
femme4[.]com
mealplays[.]com
dorkfuel[.]com
automobilenews[.]net
thedailycute[.]com
beingexpat[.]com
klinkeltown[.]com
tidbitsofexperience[.]com
lostmeals[.]org
bakedoccasions[.]com
brightsidebeauty[.]com
cookbooksandkids[.]com
bowlsunset[.]com
thereporterz[.]com
basicguru[.]com
bonafidepress[.]com
geeksdigest[.]com
hairstylesideashub[.]com
techlivewire[.]com
thecryptosyndicate[.]com
theframeloop[.]com
thegamershub[.]co[.]uk
fastmint[.]com
gordigecr[.]it
chaosandkiddos[.]com
geekandtech[.]com
rec-canada[.]com
madassgamers[.]com
cravecanada[.]com
travelnicer[.]com
geartaxi[.]com
berrry[.]com
buytechstuff[.]com
pagehabit[.]com
techcola[.]com
techdeed[.]com
rebelgamejam[.]com
leftrightpolitics[.]com
followthatbitcoin[.]com

Update now! February’s Patch Tuesday tackles three zero-days

The Patch Tuesday roundup from Microsoft for February 2023 includes three zero-days. Not exactly what we had in mind for Valentine’s Day.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. As far as we can tell, only two of the vulnerabilities were actually exploited in the wild.

The zero-days patched in these updates are:

Graphics component

CVE-2023-21823: A Windows Graphics Component remote code execution (RCE) vulnerability. An attacker who successfully exploited this vulnerability could execute commands with SYSTEM privileges.

Important to note here that this update comes from the Microsoft Store. So users that have disabled automatic updates for the Microsoft Store have to get the update through the Microsoft Store by following the guide titled Get updates for apps and games in Microsoft Store. Be sure to select the tab for the operating system installed on your device to search for updates.

The Microsoft update guide for this vulnerability specifically mentions OneNote for Android. At Malwarebytes, we’ve recently seen AsyncRAT campaigns using malicious OneNote (.one) attachments, so we hope this update puts an end to that method of infection.

Microsoft Publisher

CVE-2023-21715: A Microsoft Publisher security features bypass vulnerability. An attacker who successfully exploited this vulnerability could bypass Office macro policies in Microsoft Publisher which are used to block untrusted or malicious files. The attack itself has to be carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.

Although that makes it sound hard to abuse, Microsoft says it has detected exploitation of this vulnerability.

Windows Common Log File System Driver

CVE-2023-23376: A Windows Common Log File System Driver elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This means it can be very useful in a chain of vulnerabilities, but Microsoft gives no clues about any other vulnerabilities this EoP has been used in combination with.

Other patched vulnerabilities

Exchange Server: included are patches for three remote code execution flaws that are labelled as more likely to be exploited. These vulnerabilities, CVE-2023-21706, CVE-2023-21707 and CVE-2023-21529, all require authentication.

Microsoft Word: an RCE vulnerability listed as CVE-2023-21716 with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a malicious email containing a Rich Text Format (RTF) payload that would allow them to execute commands within the application used to open the malicious file.

Unpatched

Microsoft has also disclosed a vulnerability listed as CVE-2023-23378 in the end-of-life (EOL) application Print 3D. EOL is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor. Print 3D was deprecated along with Windows 10 version 1903.

Microsoft has confirmed that it will not release a patch to fix the vulnerability and that customers should update to the 3D Builder app.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe published security updates for several of its products.

Apple released information about the new security content of macOS Ventura 13.2.1 and of iOS 16.3.1 and iPadOS 16.3.1.

Atlassian published a FAQ for CVE-2023-22501, an authentication vulnerability in Jira Service Management Server and Data Center.

Cisco released security updates for several of its products.

Citrix has released security updates to address high-severity vulnerabilities (CVE-2023-24486, CVE-2023-24484, CVE-2023-24485, and CVE-2023-24483) in Citrix Workspace Apps, Virtual Apps and Desktops.

Google released security updates for Pixel.

Mozilla has released security advisories for Firefox 110 and Firefox ESR 102.8.

Fortra released a security update for the actively exploited GoAnywhere MFT zero-day flaw.

OpenSSH released details about version 9.2 which patches CVE-2023-25136.

SAP has released its February 2023 Patch Day updates.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

TrickBot gang members sanctioned after pandemic ransomware attacks

In a collaborative partnership, officials in the United States and the United Kingdom unmasked and imposed financial sanctions against seven members of the notorious Russian gang TrickBot (alias “TrickLoader”), a mainstream banking Trojan turned malware-as-a-service (MaaS) platform for other criminals.

Apart from taking over bank accounts, TrickBot has been instrumental in spreading ransomware across multiple healthcare organizations, and critical infrastructure in the US, especially during the height of the COVID-19 pandemic.

Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in a statement:

“Cybercriminals, particularly those based in Russia, seek to attack critical infrastructure, target US businesses, and exploit the international financial system. The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”

According to the sanctions notice, in one attack the group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing ambulances to divert.

“Members of the TrickBot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”

TrickBot debuted in 2016 after succeeding Dyreza (alias “Dyre”), another banking Trojan also operated by cybercriminals based in Moscow, Russia. TrickBot has since evolved into “a highly modular malware suite that provides the TrickBot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks”. Among the ransomware strains TrickBot collaborated with was Ryuk, which was then succeeded by or identified as related to the now-defunct Conti ransomware.

Sanctions

Coinciding with the US sanction notice, the UK’s Office of Financial Sanctions Implementation (OFSI) released guidance on ransomware and sanctions. Sanctioning generally has a two-fold effect. On the one hand, people (usually victim organizations of a ransomware attack) are prohibited from making ransom payments to a sanctioned entity (usually the organized ransomware gang behind the attack), as doing so is “a serious criminal offence” punishable by imprisonment and fines. On the other hand, sanctioned entities have their assets frozen and are subjected to a travel ban.

Indeed, sanctions are powerful tools to deter and disrupt behaviors that would otherwise undermine national security. They have as much effect in the digital ecosystem as in the real world, yet they continue to be challenged by current technological innovations, such as digital currencies, alternative payment methods, and other ways to keep monetary transactions under the radar. It may not look like it, but the US Treasury asserts that “the ultimate goal of sanctions is not to punish but to bring about a positive change in behavior”.

How to avoid ransomware

There is no doubt hospitals remain under a bullseye, and attackers can strike at any time. Thankfully, there are ways organizations can help reduce their risk of suffering from a ransomware attack.

  • Have an incident response (IR) plan. Organizations should accept the fact that a cyberattack is likely to affect them at some point, whether they’re the direct victim or part of a supply chain. An IR plan can direct your responders on what to do in the event of a cybersecurity attack. This should include restoring from backups, client outreach, and reporting to law enforcement among others.
  • Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization’s network safe. Staff should be taught social engineering tactics and red flags of a system attack, so they can alert the right personnel quickly should an attack occur.
  • Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place to ensure that your organization’s network is protected against the latest and most exploited weaknesses.
  • Back up your files. Backups have saved a lot of organizations after a ransomware attack—provided they work. When you make a plan, ensure you also have provisions for backup testing.
  • Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. In fact, we guarantee our Endpoint Detection and Response will stop a ransomware infection on your deployed systems, or we’ll refund your annual subscription fee. Try it here.
  • Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update now! Apple patches vulnerabilities in MacOS and iOS

Apple has released information about the new security content of macOS Ventura 13.2.1 and of iOS 16.3.1 and iPadOS 16.3.1.

Most prominent is a vulnerability in WebKit that may have been actively exploited. In December 2022, we warned our readers about another actively exploited vulnerability in Apple’s WebKit.

The currently patched vulnerability was a type confusion issue that Apple says has been addressed with improved checks.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of the object that is passed to it before using it. Say you have a program that expects a number as input, but instead it receives a string (i.e. a sequence of characters). If the program doesn’t properly check that the input is actually a number and performs arithmetic on it as if it were one, it may produce unexpected results that could be abused by an attacker.

Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this could allow attackers to execute arbitrary code on a vulnerable device. To exploit a WebKit bug of this kind, an attacker would have to trick a victim into visiting a malicious website, or into opening such a page in one of the apps that use WebKit to render their pages.
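The following is an added illustration of the type confusion pattern described above, written for this article; it is not WebKit code and does not model the patched bug. It assumes a toy tagged value type (`value_t`, with a `TAG_NUMBER`/`TAG_STRING` tag and a union payload) of the kind a script engine keeps for its values, and shows an arithmetic routine that skips the tag check beside one that performs it:

```c
#include <stdio.h>

/* Added example (not WebKit code): a minimal tagged value of the kind a
 * script engine keeps for JavaScript values, with a union for the payload. */
typedef enum { TAG_NUMBER, TAG_STRING } tag_t;

typedef struct {
    tag_t tag;
    union {
        double      number;
        const char *string;   /* NUL-terminated text */
    } u;
} value_t;

static value_t make_number(double d)
{
    value_t v; v.tag = TAG_NUMBER; v.u.number = d; return v;
}

static value_t make_string(const char *s)
{
    value_t v; v.tag = TAG_STRING; v.u.string = s; return v;
}

/* Flawed: never looks at the tag. When handed a string value it silently
 * reinterprets the string pointer's bits as a double, which is the type
 * confusion the article describes. */
static double add_unchecked(value_t a, value_t b)
{
    return a.u.number + b.u.number;
}

/* Hardened: verify both tags before touching the payload.
 * Returns 0 and writes *out on success, -1 on a type mismatch. */
static int add_checked(value_t a, value_t b, double *out)
{
    if (a.tag != TAG_NUMBER || b.tag != TAG_NUMBER)
        return -1;
    *out = a.u.number + b.u.number;
    return 0;
}

/* Small wrappers so the outcome of each path is a plain return value. */
static int status_of_add(value_t a, value_t b)
{
    double ignored;
    return add_checked(a, b, &ignored);
}

static double sum_of_numbers(double x, double y)
{
    double out = 0.0;
    (void)add_checked(make_number(x), make_number(y), &out);
    return out;
}

/* 1 if the unchecked path gave a wrong answer for "42" + 1 (it will: the
 * pointer bits stored in the union are not the number 42). */
static int unchecked_gives_wrong_result(void)
{
    double r = add_unchecked(make_string("42"), make_number(1.0));
    return r != 43.0;
}

int main(void)
{
    double out = 0.0;
    printf("checked 2+3 -> status %d, value %g\n",
           add_checked(make_number(2.0), make_number(3.0), &out), out);
    printf("checked \"2\"+3 -> status %d (rejected)\n",
           status_of_add(make_string("2"), make_number(3.0)));
    printf("unchecked \"42\"+1 wrong? %d\n", unchecked_gives_wrong_result());
    return 0;
}
```

In a real engine the payload read through the wrong type is often a pointer, so the mismatch is not a wrong sum but a read or write at an attacker-influenced address; the "improved checks" Apple mentions are the equivalent of the tag test in `add_checked`.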

Mitigation

Updates are available for macOS Ventura, iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

The updates should all have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level.

How to update your iPhone or iPad.

How to update macOS on Mac.

Since the vulnerability we’ll discuss below is already being exploited, it’s important that you update your devices as soon as you can.

There may be one exception to this rule. Reportedly users of Google Photos on iPhone have noticed that the update causes Google Photos to break. These users may want to wait for Apple to fix this and in the meantime be extra careful when clicking links.

If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.

Vulnerabilities

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVEs patched in these updates are:

CVE-2023-23514: Apple addressed a use after free issue by implementing improved memory management. Use after free is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. This vulnerability could have allowed an app to execute arbitrary code with kernel privileges.
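As an added illustration of the use after free pattern described above (written for this article, not Apple's code, and unrelated to the actual kernel bug), the block below assumes a toy heap-allocated session record (`session_t`) and contrasts a close routine that leaves the caller's pointer dangling with one that clears it:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Apple code): a heap-allocated session record that is
 * released when the user logs out. */
typedef struct {
    char user[32];
    int  is_admin;
} session_t;

static session_t *session_open(const char *user, int is_admin)
{
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    strncpy(s->user, user, sizeof s->user - 1);
    s->is_admin = is_admin;
    return s;
}

/* Flawed pattern: frees the record but leaves the caller's pointer intact.
 * Any later s->is_admin read goes to memory the allocator may have handed
 * to something else, which is the use after free the article describes. */
static void session_close_dangling(session_t *s)
{
    free(s);
}

/* Hardened pattern: take the pointer by address, free it and clear it, so a
 * stale use fails a NULL check instead of reading recycled memory. */
static void session_close_safe(session_t **s)
{
    free(*s);
    *s = NULL;
}

/* Accessor that refuses a NULL session rather than dereferencing it. */
static int session_is_admin(const session_t *s)
{
    return s == NULL ? -1 : s->is_admin;
}

/* Returns 1 if, after the flawed close, the caller's variable still holds
 * the old (now invalid) address. The record is deliberately not read. */
static int demo_dangling(void)
{
    session_t *s = session_open("alice", 0);
    if (s == NULL)
        return 0;
    uintptr_t before = (uintptr_t)s;
    session_close_dangling(s);
    return (uintptr_t)s == before;
}

/* Returns 1 if the safe close cleared the pointer and the accessor
 * refused it. */
static int demo_safe(void)
{
    session_t *s = session_open("bob", 1);
    if (s == NULL)
        return 0;
    session_close_safe(&s);
    return s == NULL && session_is_admin(s) == -1;
}

int main(void)
{
    printf("dangling pointer left behind: %d\n", demo_dangling());
    printf("safe close cleared pointer:   %d\n", demo_safe());
    return 0;
}
```

Clearing the pointer only protects the one variable passed in; other copies of the address elsewhere in the program still dangle, which is why "improved memory management" fixes in large code bases usually mean ownership and lifetime changes rather than a single `= NULL`.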

CVE-2023-23522: This issue only applies to macOS Ventura. Apple addressed a privacy issue by implementing improved handling of temporary files. An installed app could have observed unprotected user data.

CVE-2023-23529: This is the bug that Apple says may have been actively exploited. It can be found in WebKit. WebKit is Apple’s web rendering engine that powers Safari and renders webpages in other apps.


New ESXiArgs encryption routine outmaneuvers recovery methods

In what seems to be a typical arms race where one side responds to counter the progress the other side has made, the ransomware group behind the massive attack on ESXi Virtual Machines (VMs) has come up with a new variant that can no longer be decrypted with the recovery script released by the Cybersecurity & Infrastructure Security Agency (CISA).

New encryption routine

Victims have reported a new variant of the encryptor that no longer leaves large chunks of data unencrypted. This makes recovery next to impossible. The recovery script released by CISA for organizations that have fallen victim to ESXiArgs ransomware reportedly no longer works for this new variant. CISA compiled the ESXiArgs-Recover tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. The decryption tool uses the large and therefore mostly non-encrypted flat files, where the virtual machine’s disk data is stored, to recover the VMs.

Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB. This ensures that all files larger than 128MB are 50% encrypted. Files under 128MB are fully encrypted, which was also the case in the old variant.

Ransom note

Victims can tell the variants apart by looking at the ransom note. The new variant no longer mentions the Bitcoin address in the ransom note, but tells victims to contact the threat actor on TOX, an encrypted messaging service. It is likely that this change was triggered by the fear of tracking payments through the blockchain which might eventually lead to the threat actor.

Attack vector

As we mentioned in our initial report about this attack wave:

“While all clues point to CVE-2021-21974 there are several critical vulnerabilities in VMware ESXi like CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699, that can potentially lead to remote code execution (RCE) on affected systems.”

Some victims have stated that they had SLP disabled, which was the workaround suggested by VMware for the two-year-old vulnerability that is the prime, but not the only, suspect in this case.

Please

According to CISA and the FBI, some 3800 servers have fallen victim to ESXiArgs globally.

So, either update ESXi, or probably even better, make your ESXi VMs inaccessible from the internet.

Many aspects of this attack remain unclear and when new details become known we will keep you posted.


Android 14 developer preview highlights multiple security improvements

Android developers have been given a taste of what’s to come in the next big step up in mobile land, thanks to Android 14 waiting on the horizon. The developer preview is a great way for those most familiar with the mobile operating system to see which changes they’ll enjoy and what ones they’ll have to endure.

As it happens, there are quite a few security changes coming down the pipeline, and developers will now be busy testing their apps. Not only are alarm permissions, system broadcasts, and language support being altered, but a wealth of security features will help ensure your device is as safe as can be.

Out with the old, in with the new

The biggest change is that old apps are on the way out. After a certain point, you will no longer be able to install them. These kinds of changes have been threatening to land for some time now, so developers will surely have been aware of this coming.

As Ars Technica notes, the current backward compatibility system allowed for older apps to still install but at the risk of malware developers simply targeting older Android versions.

Android 14, on the other hand, is simply bringing down the curtain and those old apps won’t install anymore. Now, don’t panic too much. Your favourite apps are almost certainly safe, especially if you’re still using them on a daily basis because there’s a strong chance they’re still being maintained and updated.

By “old apps”, we’re talking Android 6 and earlier, which is more than eight years old. Given that apps not updated for two years have already started to be hidden from view on the Play Store, there is only a tiny chance you’ll be impacted by this. If you’re a side-loading hobbyist with a passion for ancient apps, then maybe this could cause you a few headaches. For most people, this is one of those changes you simply won’t notice. It’s a smart piece of house cleaning by Google and one which makes sense.

The first of what could be many security changes

Additional security features and alterations mentioned on the Android Developers Google blog are as follows:

Safer dynamic code loading

Dynamic code loading (DCL) introduces outlets for malware and exploits, since dynamically downloaded executables can be unexpectedly manipulated, causing code injection. Apps targeting Android 14 require dynamically loaded files to be marked as read-only.

Malware authors being hampered from malicious code injection can only be a good thing so this is good to see.

Runtime receivers

Apps targeting Android 14 must indicate if dynamic Context.registerReceiver() usage should be treated as “exported” or “unexported”, a continuation of the manifest-level work from previous releases.

Safer implicit intents

To prevent malicious apps from intercepting intents, apps targeting Android 14 are restricted from sending intents internally that don’t specify a package.

Both of the above have the intent of locking down data from other apps or the system itself. As Bleeping Computer points out, rogue apps and other malicious activities on an Android device will have a much more difficult time trying to intercept pieces of information intended for somewhere else.

A full rundown of what to expect (so far) can be seen on the official site. It’s worth noting that a complete reveal of what Android 14 will contain is not likely to be seen for some time yet, so all of this is subject to change to some degree.

Keeping your phone safe

This is all good news for the future, but what can you do in the here and now to keep harm at arm’s length?

  • Update your apps, and your device. Keep your Android device up to date, and allow your apps to update automatically. Depending on your version, you should be able to tell your device to update when connected to your Wi-Fi as opposed to taking a bite out of your roaming data.
  • Enable your lock screen. Whether you’re using a pattern, a PIN, a password, or even your thumbprint, it should be at the top of your list. Pay attention to how long your phone is unlocked before it reverts to the lock screen. This is a valuable window for criminals should you leave your phone unattended.
  • Enable the “find my phone” service. This, combined with the lock screen, will help keep your data safe in cases where you need to delete all data from the device remotely.
  • Install security tools on your phone. This will help provide you with maximum protection from rogue links, bad apps, and more.
  • Only download from official stores. Bad things do end up on there, but it’s still safer than allowing installations from unknown sources via third party websites.
  • Always read the reviews. You’ll not only gain insight into what the app is doing, but you’ll also make sure that the apps you’re using are still supported. This will keep you away from potentially exploitable software which has long since fallen into disrepair. Remember: there’s a two-year expiry on abandoned apps before they’re removed from the Play Store, so not everything put out to pasture will vanish right away.

Stay safe out there!
