IT NEWS

Exchange servers abused for spam through malicious OAuth applications

Microsoft has published a security blog about an investigation into an attack in which threat actors used malicious OAuth applications to abuse Exchange servers for their spam campaign.

The threat actor behind this attack has been active for many years, and has been running spam campaigns using various methods that provided them with high volume spamming opportunities.

Credential stuffing

As Microsoft notes, in the initial stage of the attack the threat actor launched credential stuffing attacks against high-risk accounts that were not protected by multi-factor authentication (MFA). Once in, the threat actor was able to gain access to administrator accounts. The authentication attempts were launched against the Azure Active Directory PowerShell application which was later used to deploy the rest of the attack.

OAuth application

The threat actor then proceeded to set up the malicious OAuth application. OAuth enables apps to obtain limited access to a user’s data without giving away a user’s password. The threat actor registered a new OAuth application and granted it global admin and Exchange admin roles.

The threat actor added their own credentials to the OAuth application, enabling them to access the application even if the owner of the compromised account changed their password.

Changing Exchange settings

The threat actor then used the privileged application to authenticate to the Exchange Online PowerShell module and modify the Exchange settings of the compromised server.

One modification was to create a new inbound connector. Connectors are a collection of instructions that customize the way email flows to and from organizations using Microsoft 365 or Office 365. The threat actor set up a new connector that allowed email from certain IPs related to the attacker’s infrastructure to flow through the victim’s Exchange server. This enabled them to send emails that looked like they came from the compromised Exchange domain.

Transport rules

Transport rules, aka mail flow rules, are sets of actions that can be performed on any mail that flows in the organization. The threat actor used this feature to delete specific headers from every mail that flowed in the organization. By deleting these headers, the attacker tried to prevent security products or email providers from detecting or blocking their emails.

Usage

This flow of preparations gave the threat actor all they needed to send out a spam campaign. Microsoft observed that the threat actor did not always use the application right after it was deployed. In some cases, it took weeks or months before the application was utilized.

After each spam campaign, the actor deleted the malicious inbound connector and transport rules to prevent detection, but they kept the application which could be used to prepare the next part of the attack. In some cases, the app remained dormant for months before it was reused by the threat actor.

Motive

The threat actor has been active in high volume spam campaigns for years. In this case, the objective was to send out sweepstakes spam emails designed to trick recipients into providing credit card details and signing up for recurring subscriptions under the guise of winning a valuable prize.

Image: example of a sweepstakes email (image courtesy of Microsoft)

As an extra precaution, the threat actor used cloud-based outbound email infrastructure like Amazon SES and Mailchimp, both of which are routinely used for marketing and other legitimate purposes.

Mitigation

  • As always, use MFA protection for all accounts, especially important administrator ones.
  • Limit the number of login attempts, for example by implementing a timeout after a few failed login attempts.
  • Implement conditional access policies that check the login attempt against other conditions like the originating IP address or device, which can flag unusual attempts.

Flaw in some ManageEngine apps is being actively exploited, says CISA

CISA (the Cybersecurity and Infrastructure Security Agency) recently added CVE-2022-35405—a remote code execution (RCE) vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier)—to its Known Exploited Vulnerabilities (KEV) Catalog, a list of known CVEs that carry significant risk to the federal enterprise. Doing this forces all Federal Civilian Executive Branch (FCEB) agencies to patch this bug.

According to BleepingComputer, federal agencies that may be affected by CVE-2022-35405 have until October 13 to ensure they’re patched and their networks are protected from attacks leveraging this vulnerability.

CVE-2022-35405 is a critical vulnerability. When exploited, attackers can execute potentially malicious code on affected installations of ManageEngine software—without authentication for Password Manager Pro and PAM360, and with authentication for Access Manager Plus.

Researcher Vinicius Pereira first flagged this vulnerability in June 2022. Since then, several PoCs (proofs-of-concepts) and a Metasploit module for it have been made public.

ManageEngine “strongly recommends” that its clients upgrade their affected software as soon as possible. The company pointed to the following locations where customers can download updates:

While private organizations don’t have a ruling requiring them to patch noteworthy flaws, CISA still urges them to patch as soon as they can.

TikTok faces $28m fine for failing to protect children’s privacy

TikTok is no stranger to controversy where data usage is concerned. Back in 2021, the social media dance extravaganza platform agreed to pay $92m to settle dozens of lawsuits alleging harvesting of personal data. There has also been concern with regard to whether or not settings were enough to keep children safe, leading to significant alterations to how those accounts are managed.

Unfortunately for TikTok, it’s back in the news again, and not in a good way. TikTok could be headed for a $28.91m fine, courtesy of the United Kingdom. The fine, related to how children are safeguarded on the app, is the result of a possible breach of the UK’s data protection laws.

The provisional findings of the ICO

The Information Commissioner’s Office (ICO) has issued a statement, which refers to TikTok potentially breaching UK data protection law between May 2018 and July 2020. The statement explains that the ICO has issued TikTok with a notice of intent, which is a legal document which may precede a legal fine.

The ICO claims TikTok may have:

  • Processed the data of children under the age of 13 without appropriate parental consent;
  • Failed to provide proper information to its users in a concise, transparent and easily understood way; and
  • Processed special category data, without legal grounds to do so.

The statement notes that these findings are “provisional”, and that no conclusions should be drawn at this stage around whether “there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed. We will carefully consider any representations from TikTok before taking a final decision”.

In other words: all of these claims and statements come with a rather large “allegedly” tag applied, and TikTok will make a response to these concerns before anything else happens of a legal nature.

TikTok isn’t currently commenting, citing “confidentiality”, which makes sense given its intent to formally respond to the ICO’s findings.

Tackling the child data problem

This appears to be part of a much bigger drive to ensure children’s data is used safely and correctly by online services. According to the Guardian, the Information Commissioner stated that the ICO is looking at “more than 50” online services to check for child-centric data compliance.

There’s a big push for child safety at the moment, especially with regard to making sure businesses are complying with regulations. Some of these drives are perhaps a little bit controversial, too. For the time being, you can certainly take some action yourself and help your child become a little bit more cyber-savvy in their social media dealings. Check out our articles on helping your child to manage their online reputation, and our five tips for keeping kids safe on social media platforms.

Facebook users sue Meta for allegedly building “secret workaround” to Apple privacy safeguards

Last week, two Facebook users filed a class-action complaint against Meta in San Francisco’s federal court, alleging the company built a “secret workaround” to Apple’s safeguards that protect iPhone users from tracking. Facebook circumvents Apple’s privacy rules by opening in-app browsers within its apps instead of the iPhone’s default browser. In doing so, the users further allege, Meta violated state and federal laws regarding the unauthorized collection of personal data.

The suit came after Felix Krause (@KrauseFx), a data privacy researcher and former Google engineer, released a report in August 2022 about iOS privacy, featuring a tool he created himself called InAppBrowser. It can check whether an in-app browser injects JavaScript (JS) code into the pages it loads, which poses potential security and privacy risks to iOS and Android users.

In the case of Meta, this JS code is Meta Pixel.

“The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser,” said Krause in his blog. “This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.”

Krause also included the following caveat: “Important: Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.”

In an email interview with Bloomberg, a spokesperson from Meta said that Krause’s allegations are “without merit” and it will defend itself.

“We have designed our in-app browser to respect users’ privacy choices, including how data may be used for ads,” the email statement said.

In February, Meta admitted that Apple’s App Tracking Transparency (ATT) feature would decrease its ad revenue by $10B. This admission, according to CNBC, is “the most concrete data point so far on the impact to the advertising industry” in terms of Apple’s privacy feature, which limits companies from accessing the data of iPhone users.

“This allows Meta to intercept, monitor, and record its users’ interactions and communications with third parties, providing data to Meta that it aggregates, analyzes, and uses to boost its advertising revenue,” the suit reads.

Facebook and Instagram weren’t the only apps mentioned in Krause’s report. TikTok, Snapchat, and Amazon were also mentioned.

A week in security (September 19 – 25)

Last week on Malwarebytes Labs:

Stay safe!

Twitter fixes bug that left devices logged in after password reset

Twitter says it has fixed a bug that meant users weren’t logged out of active sessions on all devices after manually resetting their passwords. 

Writing on its blog, Twitter said:

“We want to let you know that we recently fixed a bug that allowed Twitter accounts to stay logged in from multiple devices after a voluntary password reset. In order to help ensure the safety and security of everyone that may have been affected, we’ve proactively logged people who may have been affected out of active sessions.”

Staying logged in on multiple devices after explicitly changing an account password is a huge security risk. If someone has breached an account already, that would leave them logged in and able to impersonate the user, rummage through DMs, change the password again, and more. 

Twitter says it has logged out all affected users, everywhere.

Twitter says it has reached out to users who might have been affected by the bug. For everyone else, it’s business as usual.

Windows 11 pulls ahead of Windows 10 in anti-phishing stakes

Some new security additions and changes have been announced for users of Windows, but you’ll have to be using Windows 11 to get the most out of them. Windows 10 users may find that this is going to be a case of falling behind the herd ever so slightly.

Anti-phishing tools

Enhanced phishing protection, by way of SmartScreen, is the name of the game, and Microsoft is all too happy to explain the changes. SmartScreen is a Windows feature which helps ward off bogus sites phishing for personal data and payment information. People running IE8 and later will also find it attempts to protect against infectious files. It offers slightly different features depending on which flavour of Microsoft browser you’re using, but the overall end result is largely the same: a variety of protections against phishing portals.

In terms of features for Windows 11, enhanced phishing protection “automatically detects when users type their password into any app or site”. Windows knows “in real time” whether websites and apps have secure connections to trusted websites, notifying users of potential danger up ahead and also spreading word to other users when a phishing attack is blocked.

There is also mention of Windows analysing when and where password entry occurs, notifying users of potentially unsafe usage. This sounds a lot like how many password managers operate, popping a notification when (for example) password reuse is detected. One key difference here is that using passwords in an unsafe way is “reported to IT” for incident tracking purposes.

Friendly popups

There are some interesting additions to the user experience. Typing a password into a phishing site in a Chromium browser, or an application connecting to a phishing portal, presents the user with a popup which says:

This app made an unsafe connection that was reported to Microsoft for stealing passwords. Your organisation recommends changing your work or school password to keep your account safe.

Clicking the change password button takes users to sign-in options where they can alter the password as needed. Microsoft says that without this feature, credentials may be handed over to the fake site. On the other hand, popups that lead people from dangerous sites to password amendment options may encourage malicious imitations that trick unwary users. Two sets of popups might increase the chances of something untoward being noticed, but the history of UX is littered with intolerant users blazing through that sort of thing.

Elsewhere, Windows will notify users who are typing passwords into notepad files and other programs that this is bad practice. As per the relevant popup:

It’s unsafe to store your password in this app. Your organisation considers it unsafe to store your password in this app and recommends removing your password from this file.

We’re not here today to discuss the merits and drawbacks of off-the-beaten-track password systems. However, it’s worth noting that this detection of typed passwords is raising some eyebrows:

Windows 11, but not 10

Finally, we come to the part where our two operating system paths diverge.

Custom-made phishing alerts are available to Windows 11 users, but not to users of Windows 10. Organisations can configure Enhanced Phishing Protection to warn users about password reuse, unsafe apps, and malicious activity, and can switch the feature’s audit mode on and off, which determines whether it sends telemetry about unsafe password events.

It’s to be expected that Windows 11 will eventually pull away from 10 in the security frontrunner stakes. Although adoption was low at the tail end of 2021, numbers will slowly ramp up over time as the Windows 10 end-of-life approaches, and organisations catch up with the stringent hardware requirements.

Only a few months back, we saw Microsoft tackling RDP intrusion with rate limiting for login attempts. We also now have upgrades to kernel protection, more support for hybrid work operations, and new default limits for SMB server authentication. It’s inevitable that we’ll continue to see this happening, and so the gulf will widen between the OS siblings.

No matter which version you’re running, ensure you keep your OS fully up-to-date and enable the security options most relevant to you. There’s enough choice available to hopefully configure your devices the exact way you need them to be running at any given time.

Stay safe out there!

Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20

Ransomware can send any company into crisis. 

Immediately following an attack, the notoriously disruptive malware can spread across networks and machines, locking up important files and rendering vital data almost useless for all employees. As we learned in a previous episode of Lock and Code, a ransomware attack not only threatens an organization’s clients and external customers, but all the internal teams who are just trying to do their jobs. When Northshore School District was hit several years ago by ransomware, teacher and staff pay were threatened, and children’s school lunches needed to be reworked because the payment system had been wiped out. 

These threats are not new. If anything, the potential damage and fallout of a ransomware attack is more publicly known than ever before, which might explain why a new form of ransomware response has emerged in the past year—the ransomware negotiator.

Increasingly, companies are seeking the help of ransomware negotiators to handle their response to a ransomware attack. The negotiator, or negotiators, can work closely with a company’s executives, security staff, legal department, and press handlers to accurately and firmly represent the company’s needs during a ransomware attack. Does the company refuse to pay the ransom because of policy? The ransomware negotiator can help communicate that. Is the company open to paying, but not the full amount demanded? The negotiator can help there, too. What if the company wants to delay the attackers, hoping to gain some much-needed time to rebuild systems? The negotiator will help there, too. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kurtis Minder, CEO of the cyber reconnaissance company GroupSense about the intricate work of ransomware negotiation. Minder himself has helped clients with ransomware negotiation and his company has worked to formalize ransomware negotiation training. In his experience, Minder has also learned that the current debate over whether companies should pay the ransom has too few options. For a lot of small and medium-sized businesses, the question isn’t an ideological one, but an existential one: Pay the ransom or go out of business.   

“What you don’t hear about is the thousands and thousands of small businesses in middle America, main street America—they get hit… they’re either going to pay a ransom or they’re going to go out of business.”

Tune in today to listen to Minder discuss how a company decides to engage a ransomware negotiator, what a ransomware negotiator’s experience and background consist of, and what the actual work of ransomware negotiation involves.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Critical WhatsApp vulnerabilities patched: Check you’ve updated!

WhatsApp has fixed two remote code execution vulnerabilities in its September update, according to its security advisory. These could have allowed an attacker to remotely access a device and execute commands from afar.

These versions of WhatsApp are affected by at least one of the vulnerabilities:

  • WhatsApp for Android prior to v2.22.16.12
  • WhatsApp Business for Android prior to v2.22.16.12
  • WhatsApp for iOS prior to v2.22.16.12
  • WhatsApp Business for iOS prior to v2.22.16.12

WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS prior to v2.22.15.9 are affected by both.

How to make sure you’re protected

There are no indications that these vulnerabilities have already been exploited. The vulnerabilities were found by the WhatsApp internal security team and silently fixed, so there is a good chance that your WhatsApp has already been updated. However, it never hurts to check.

Note: the methods described below may be slightly different based on the brand, type, and model of your phone, but should give you a good general idea of where to look.

If you have an iPhone, go to the App Store and tap Updates. When you find WhatsApp, tap the Update button next to the app. Your phone should then start installing the update.

If you own an Android phone, open the Play Store, then tap the menu button. Under My apps and games, tap Update next to WhatsApp Messenger.

Stay safe, everyone!

Technical details

CVE-2022-36934: An integer overflow in WhatsApp could result in remote code execution (RCE) in an established video call. An integer overflow occurs when an arithmetic operation produces a value that is too large to be stored in the fixed number of bits reserved for it. Usually the true result is higher than the maximum representable value, but it can also be lower than the minimum. If the wrapped value is then used to size or index memory, an attacker can write beyond the intended region, overwriting other parts of the process’s memory and abusing that ability to remotely execute code.

This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which an attacker can manipulate to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger. A buffer overflow is a type of software vulnerability in which a write to an area of memory within an application runs past that area’s boundary into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.

CVE-2022-27492: An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file. An integer underflow occurs when an arithmetic operation produces a value below the minimum the type can represent; a common case is a number that should always be positive ending up negative. A typical example of an integer underflow error is an array index that is used with a negative value. This type of weakness leads to undefined behaviour and often to crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

This RCE bug affects an unspecified code block of the component Video File Handler. Manipulation with crafted input leads to a memory corruption vulnerability. To exploit this vulnerability, attackers would have to deliver a crafted video file to the user’s WhatsApp messenger and convince the user to play it.
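The two bug classes above, an integer overflow that under-sizes a heap allocation and an underflow in a length calculation, come down to arithmetic on fixed-width integers. The following C program is an added example written for this article; it is not WhatsApp’s code and the `frame_header` layout, the `decode_frame` function and the sample values are all constructed for illustration. It shows how a 32-bit `width * height * bytes_per_pixel` wraps to a tiny number for a large frame, how an overflow-checked multiply rejects the same header, and how a “bytes remaining after the header” subtraction is guarded against underflow before it is used as a size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame header as a decoder might parse it from a video
   stream. Constructed for this example; not WhatsApp's real format. */
struct frame_header {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

/* Unchecked size computation: the product is evaluated in 32 bits, so a
   large frame wraps around and a heap buffer allocated from this value
   is far too small for the pixel data copied into it afterwards. */
uint32_t frame_bytes_unchecked(const struct frame_header *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Overflow-checked multiplication: compute in 64 bits and refuse any
   result that does not fit back into 32 bits. */
bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t wide = (uint64_t)a * (uint64_t)b;
    if (wide > UINT32_MAX) return false;
    *out = (uint32_t)wide;
    return true;
}

/* Same computation as frame_bytes_unchecked, but fails instead of wrapping. */
bool frame_bytes_checked(const struct frame_header *h, uint32_t *out)
{
    uint32_t tmp;
    return mul_u32_checked(h->width, h->height, &tmp) &&
           mul_u32_checked(tmp, h->bytes_per_pixel, out);
}

/* Underflow guard: bytes left after a header. Without the comparison,
   total < header_len wraps to a huge unsigned value (or goes negative
   in signed code) and is then trusted as a length or an index. */
bool remaining_after_header_checked(uint32_t total, uint32_t header_len,
                                    uint32_t *out)
{
    if (header_len > total) return false;
    *out = total - header_len;
    return true;
}

/* Hypothetical decoder entry point: returns a heap buffer holding the
   frame, or NULL when the header is inconsistent with the data. Both
   the allocation and the copy are bounded by the checked size. */
unsigned char *decode_frame(const struct frame_header *h,
                            const unsigned char *payload, size_t payload_avail)
{
    uint32_t need;
    if (!frame_bytes_checked(h, &need)) return NULL;     /* would overflow */
    if (need == 0 || need > payload_avail) return NULL;  /* truncated payload */
    unsigned char *buf = malloc(need);
    if (buf == NULL) return NULL;
    memcpy(buf, payload, need);
    return buf;
}

int main(void)
{
    /* Constructed header: 65536 x 65536 x 4 needs 16 GiB, but the 32-bit
       product wraps to 0, the value an unchecked decoder would allocate. */
    struct frame_header big = { 65536u, 65536u, 4u };
    uint32_t n;
    printf("unchecked size: %u bytes\n", frame_bytes_unchecked(&big));
    printf("checked size:   %s\n", frame_bytes_checked(&big, &n) ? "ok" : "rejected");

    /* A sane 2 x 2 x 4 frame with exactly 16 bytes of constructed payload. */
    unsigned char payload[16] = {0};
    struct frame_header small = { 2u, 2u, 4u };
    unsigned char *frame = decode_frame(&small, payload, sizeof payload);
    printf("small frame:    %s\n", frame ? "decoded" : "rejected");
    free(frame);
    return 0;
}
```

The design point is that the check happens on the arithmetic itself, before the result reaches `malloc` or `memcpy`; once a wrapped size has been used to allocate, no later bounds check on the buffer can recover the true frame size.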

A first look at the builder for LockBit 3.0 Black

A few months after the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, the builder for it has been leaked by what seems to be a disgruntled developer. LockBit has been by far the most widely used ransomware in 2022 and the appearance of the builder could make things worse. It is likely to be popular, so we could see new gangs appear that aren’t affiliated with the LockBit group but use its software, for example. We also expect to see fake packages offered online that infect the person running the builder, rather than building ransomware for them.

The builder turned up in two different places and was leaked using two different online identities. But where it came from and why isn’t really that interesting, certainly not for people looking to defend against it. For them, what it can do and what the implications are matter far more.

Testing

Malwarebytes ransomware researchers managed to get their hands on a copy of the builder and found that, sadly, building your own ransomware has never been easier.

The whole builder actually only holds four files: an encryption key generator (keygen.exe), the actual builder (builder.exe), a modifiable configuration file (config.json), and a batch file, build.bat, that builds all of the files.

The builder offers a high level of customization. In the included example of the configuration file the ransomware operator can choose their own C2 server, choose the processes they want to terminate, modify the ransom note, and so on.

Image: customised LockBit 3.0 ransom note (our researcher had some fun with the ransom note)

Once the operator has set the configuration they can start a batch file that produces all of the files they need to start a new ransomware campaign.

Image: LockBit 3.0 builder output (all the necessary files are created by running the builder’s .bat file)

A blessing in disguise is that this LockBit 3.0 Black fixes a decryption bug that was present in previous versions. The new version encrypts and decrypts flawlessly. You absolutely don’t want to be infected with ransomware, but if you are, you want the process to be reliably reversible.

Image: encrypting and decrypting using LockBit

Mitigation

We recommend reading an expert view on simplifying the fight against ransomware, but to sum it up in a few bullet points:

  • Stop initial access by turning off or hardening RDP, having a plan for how and when you’ll do your security updates, and training users to spot malicious emails.
  • Make privilege escalation and lateral movement as hard as possible by using the principle of least privilege, segmenting your network, and deploying EDR.
  • Use an anti-malware solution that can identify ransomware and can roll back infections.
  • Keep your data safe with offsite, offline backups that are out of the reach of attackers.
  • Accept that even with the best defences, breaches can still happen. Prepare a disaster recovery plan.