IT NEWS

Nearly 2,000 Signal users affected by Twilio phishing attack

New findings following the Twilio phishing attack revealed that Signal, one of its high-value clients and a popular encrypted messaging platform, was particularly affected. 1,900 of its users had their phone numbers and SMS registration codes exposed. However, Signal reassured users that the attacker could not gain access to “message history, contact lists, profile information, whom they’d blocked, and other personal data” associated with the account.

Signal also says that 1,900 is a small fraction of its user base, so the vast majority of users were not affected. Nevertheless, it notified affected users this week via SMS and prompted them to re-register Signal on their devices.

The company revealed in a security notice that, among the 1,900 affected numbers, the attacker explicitly searched for three. One of those three users has already reported that their account was re-registered, which means the attacker could send and receive messages from that phone number.

When The Register asked Signal why an attacker would specifically target these three numbers, suggesting maybe they are people of note, the company responded: “To respect the privacy of those specific people, we are not sharing any details about them.”

Signal highlights the importance of enabling the app’s own security features to limit the fallout from attacks on the third-party providers it depends on. Because of what happened at Twilio, the company is urging more of its users to turn on Registration Lock and Signal PINs, which are not enabled automatically and must be switched on by the user.

Registration Lock prevents anyone from registering a Signal user’s phone number on another device unless they know the PIN associated with the account. To enable it, go to Signal Settings (profile) > Account > Registration Lock.

“While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” Signal said.

Last week, Cloudflare revealed that the same phishing campaign that breached Twilio had also targeted its employees last month. The campaign failed because Cloudflare employees are required to use physical security keys to access every application they use in-house, so stolen passwords and one-time codes were not enough to log in.

$6 million heist targets video game skin trading site

An incredibly popular digital item trading site has suffered a spectacular loss at the hands of wily attackers. According to Bleeping Computer, CS Money lost around $6 million worth of items, some 20,000 of them, in the attack. How did this happen, and why are digital items so popular in the first place?

The digitized rewards of gaming

It’s important to know what, exactly, trading sites deal in and how they relate to gaming, so here goes.

Most major titles on prominent video game platforms offer skins, items, and in-game rewards, and these items are often tradeable with other players. Some can be bought or sold through specific platforms. Depending on the game, certain items can’t be traded at all, which means they are tied to the owner’s account forever; an account holding such items can become a valuable target for phishing and scams.

Even accounts with regular tradeable items are potentially worth stealing. Those accounts may have hundreds or even thousands of items tied to them. A quick phish here, a stolen login there, and both the account and its items may never be seen again.

Trading platforms come into the picture because they make it easier to sell, trade, or otherwise do whatever you want with your digital stock. Some people are content to use the trading section of a platform’s own service, and these services may also have their own community market where items can be bought and sold.

Other folks may branch out into using specific third-party websites for all their buying, selling, and trading needs. These sites may offer more specific features not available on the major platforms. Perhaps they have a reputation for niche items unobtainable anywhere else. Whatever the reason, these sites are very popular. Scammers will often imitate them in an effort to compromise people’s item cache. Sadly, sometimes the sites themselves come under fire. When that happens, you’d better hope everything is as locked down as can be.

Otherwise…

When a Counter Strike site is counter-stricken

No fewer than 20,000 skins were stolen after an attack on the CS Money site. CS in this instance stands for “Counter Strike”, a long-time favourite of the online shooter crowd. User skins vanished into the night after the attack, and at the time of writing the stolen skins have simply been blocked from further selling, trading, or anything else. That’s good news for people who don’t enjoy large slices of video game skin fraud, but not so good for the owners of said items, who don’t seem to have had any of them returned yet.

According to the rundown of events on Bleeping Computer, the attack was made up of several moving parts. First, the attackers obtained authenticator files used to authorize Steam access. Then, 100 bot accounts holding the skins were used in roughly 1,000 transactions to send the skins to accounts belonging to the attackers. Some of the items were then sent on to “ordinary users, renowned traders, and bloggers.”

None of these people were involved in the attack. This appears to be the fraudsters’ way of adding a little more publicity to their actions, or maybe just of muddying their digital paper trail.

Smash and grab

Everything went wrong at the point where the authenticator files were apparently stolen. The interesting question is how the attackers came to obtain those files in the first place.

Some years ago, Steam phishers were asking victims to upload certain files from their Steam folder to the fake website. These files worked like a “remember me” cookie for Steam: having them on the machine meant you didn’t have to re-verify your identity every time you logged in. But if you sent them to someone else, they would be able to log in as you, provided they also had your username and password.

Has a similar tactic been used here? Only time will tell. For now, if you’re involved in skin trading or digital item selling, consider that the sites you use may not be 100 percent secure. If a scammer ram-raids your marketplace of choice, a trip to customer support may be in the cards, and as with so many forms of digital fraud, there’s often no guarantee of having your stolen items returned. Weigh up the safety pros and cons carefully before deciding where your sellable skins end up. Safe trading out there!

Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories

We’re excited to announce Malwarebytes Cloud Storage Scanning, a new service that extends Nebula malware scanning options to include files stored on cloud storage repositories that are part of your organization’s digital ecosystem.

Today, the service supports scanning of files under 100 MB in size that reside on Box.com or on Microsoft’s OneDrive, and will extend to other popular file storage solutions in the coming quarters.

Malwarebytes Cloud Storage Scanning uses multiple anti-malware engines, combining signatures, heuristics and machine learning to increase detection rates, decrease detection times and provide a comprehensive view for monitoring and protecting the health of all your enterprise data.

Let’s dive in on how to make a scan!

Scanning for cloud malware

In Nebula, go to “Settings” and click “Cloud Storage Scans”. Here you can see existing scans and the providers being checked. Click “Add a Scan” to create a new scan.

Under “Settings”, name the scan and then select your cloud data storage provider.


Enter the configuration details from the storage provider to select and validate your account. To connect to your provider, you will need to provide a Tenant ID, Client ID and Client Secret.

If you select “Continuous scan”, Malwarebytes will only check files that are added or updated from this point forward. To check all files that already exist, leave “Continuous scan” unchecked and configure a scheduled or on-demand scan instead.

Click “Connect to provider” to grant access to your cloud storage location.

Once you see a success message, go to “Items to scan” to select the users or folders to scan. You can scan folders and their sub-folders.

If you have not selected continuous scan, go to “Scan frequency” to determine the cadence. Note that with scheduled scans, you will be scanning the contents of the selected folder(s) each time versus a continuous scan that only scans the changes.

Scans can be scheduled daily, weekly or monthly. Select “Scan now” for a one-time scan that runs immediately. Save for the scan to take effect and begin running on the cadence you chose.

In this example, we have a one-time scan for existing malware in the folder and a continuous scan for future changes.
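To make the difference between the two scan modes concrete, here is an added Python example (not Malwarebytes code). It uses an in-memory folder snapshot and a toy detector in place of the provider APIs and the scanning engines, and its “continuous” mode remembers a SHA-256 digest per file between passes; that change-tracking scheme is an assumption made for illustration, not a description of how the product implements it.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins so the example runs offline. A real implementation
# would list files through the provider's API (Box, Microsoft Graph for OneDrive).
BAD_MARKER = b"EXAMPLE-MALICIOUS-MARKER"   # constructed marker, not a real signature
MAX_SCAN_BYTES = 100 * 1024 * 1024          # the service's current per-file size limit


def detector(data: bytes) -> Optional[str]:
    """Toy detection engine: returns a threat name or None. Hypothetical."""
    return "Example.TestMarker" if BAD_MARKER in data else None


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ScanState:
    """What a continuous scan remembers between passes: the last digest seen per path."""
    seen: Dict[str, str] = field(default_factory=dict)


def seed_baseline(files: Dict[str, bytes], state: ScanState) -> None:
    """Record current content without scanning it. This is what 'from this point
    forward' means: files that already exist are not checked until they change."""
    state.seen = {path: fingerprint(data) for path, data in files.items()}


def full_scan(files: Dict[str, bytes]) -> Tuple[Dict[str, str], List[str]]:
    """Scheduled or on-demand scan: every eligible file is checked on every pass."""
    detections: Dict[str, str] = {}
    skipped: List[str] = []
    for path, data in files.items():
        if len(data) > MAX_SCAN_BYTES:
            skipped.append(path)            # over the size limit, not scanned
            continue
        name = detector(data)
        if name:
            detections[path] = name
    return detections, skipped


def continuous_scan(files: Dict[str, bytes], state: ScanState) -> Tuple[Dict[str, str], List[str]]:
    """Continuous scan: only files that are new or changed since the last pass are checked."""
    detections: Dict[str, str] = {}
    checked: List[str] = []
    for path, data in files.items():
        digest = fingerprint(data)
        if state.seen.get(path) == digest:
            continue                        # unchanged since the last pass
        state.seen[path] = digest
        if len(data) > MAX_SCAN_BYTES:
            continue
        checked.append(path)
        name = detector(data)
        if name:
            detections[path] = name
    for gone in set(state.seen) - set(files):   # forget files deleted from the repository
        del state.seen[gone]
    return detections, checked


if __name__ == "__main__":
    # Constructed folder snapshot: path -> content.
    folder = {"docs/q3-report.docx": b"quarterly numbers", "tmp/setup.exe": BAD_MARKER + b"..."}
    print("full scan:", full_scan(folder))
    state = ScanState()
    seed_baseline(folder, state)                      # enabling continuous scan
    folder["docs/q3-report.docx"] = b"numbers " + BAD_MARKER   # a file is later modified
    print("continuous:", continuous_scan(folder, state))
```

The point of the pairing is the one the product UI makes: a continuous scan alone never revisits a file that was already malicious when tracking started, so a full scan is needed once to establish a clean starting point.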

Review the results of scans with “Storage detections” in the left-side navigation bar.

Here you can see a list of all detections from any cloud storage location. You can sort by “Threat name”, filter by cloud provider, and use “Add/Remove Columns” to adjust the view.

A report is also available to send a list of detections via email. Navigate to the “Reports” section on the nav bar and click “Cloud Storage Detections Summary”. You’ll be prompted with a window to configure the report. Click “Save”.

The report is then delivered to the email address you configured.

An additional layer of security

While the providers’ integrated malware detection (e.g. Box Shield for Box.com; Microsoft Defender for OneDrive) can be useful, many businesses use several different cloud storage repositories and, for lack of integration options, cannot get a centralized view of all their scan results across those repositories in a single security-focused pane of glass.

Malwarebytes Cloud Storage Scanning is easy and quick to deploy, centrally managed, and is seamlessly integrated with other Malwarebytes products and services that provide cloud security best practices.

Interested in reading about real-life examples of cloud malware mitigation? Read the case study of how a business used Malwarebytes to help eliminate cloud-based threats.

CISA and FBI issue alert about Zeppelin ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) about Zeppelin ransomware. The advisory contains indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware variants identified through FBI investigations as recently as June 21, 2022.

Zeppelin

Zeppelin, a variant of the Buran ransomware, is a ransomware-as-a-service (RaaS) written in Delphi and built upon the foundation of VegaLocker. Because of the RaaS model, several methods are in use to gain initial access: the CSA mentions RDP exploitation, SonicWall firewall exploits, and phishing campaigns. In earlier days, Malwarebytes’ researchers found a malvertising campaign that dropped Zeppelin ransomware as one of its possible payloads.

Zeppelin uses double extortion: the operators threaten to sell or publish exfiltrated data if the victim refuses to pay the ransom.

While anyone can fall victim to these threat actors, the FBI noted that this malware has been used to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.

Mitigation

Besides IOCs, attack techniques, and a Yara signature, the CSA provides a lot of mitigation advice. Since the techniques used by the Zeppelin gang are far from unique, the advice is worth repeating because it works against a lot of similar ransomware operators.

But you should also realize that while it’s easy to say that you need reliable and easy to deploy backups for example, it’s not always easy to follow that advice. It is well worth pursuing though, since it may save your bacon at one time or another.

Backups

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g. a hard drive, a storage device, or the cloud). Maintain offline backups of data, and regularly test backup and restoration. By instituting this practice, the organization ensures an attack will not severely interrupt operations or leave its data irretrievable.

Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

In a nutshell: Put your backups out of the reach of attackers, and make sure they work by testing that you can restore working systems from them.

Authentication

Require all accounts with password logins (service accounts, admin accounts, and domain admin accounts included) to comply with NIST standards for developing and managing password policies.

  • Require multifactor authentication wherever you can—particularly for webmail, VPNs, and critical systems.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Implement time-based access for accounts set at the admin level and higher.
  • Use long passwords (CISA says 8 characters, we say you can do better than that) and password managers.
  • Store passwords using industry best practice password hashing functions.
  • Implement password rate limits and lockouts.
  • Avoid frequent password resets (once a year is fine).
  • Avoid reusing passwords.
  • Disable password “hints”.
  • Require administrator credentials to install software.
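As an added example, not from the CSA or from Malwarebytes, here is how three of those bullets (best-practice password hashing, rate limits and lockouts, and a length floor above eight characters) look in working Python using only the standard library. The iteration count, lockout threshold, lockout duration and minimum length are assumptions chosen to match current guidance; tune them for your own systems.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict

PBKDF2_ITERATIONS = 600_000   # assumption: OWASP's figure for PBKDF2-HMAC-SHA256; tune per hardware
MIN_PASSWORD_LENGTH = 14      # CISA's floor is 8; a longer minimum costs nothing
MAX_FAILURES = 5              # assumption: lockout threshold
LOCKOUT_SECONDS = 15 * 60     # assumption: lockout duration


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing format so parameters can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))   # constant-time compare


@dataclass
class Account:
    password_hash: str
    failures: int = 0
    locked_until: float = 0.0


class AuthStore:
    """In-memory account store with per-account failure counting and temporary lockout."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS, clock: Callable[[], float] = time.time):
        self.iterations = iterations
        self.clock = clock                      # injectable so lockout expiry can be tested
        self.accounts: Dict[str, Account] = {}
        # Verified against when the user does not exist, so that a login attempt costs the
        # same time either way and usernames cannot be enumerated through timing.
        self._dummy_hash = hash_password(os.urandom(8).hex(), iterations)

    def register(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
        self.accounts[username] = Account(hash_password(password, self.iterations))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'denied'. Never reveals whether the user exists."""
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            verify_password(password, self._dummy_hash)
            return "denied"
        if now < account.locked_until:
            return "locked"                     # refuse even a correct password while locked
        if verify_password(password, account.password_hash):
            account.failures = 0
            return "ok"
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.failures = 0
            account.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    print([store.login("alice", "guess %d" % i) for i in range(MAX_FAILURES)])   # ends in 'locked'
    print(store.login("alice", "correct horse battery staple"))                  # still 'locked'
```

Lockout counters should be keyed per account (and, in a real service, also per source address) so that an attacker cannot lock everyone out by spraying one bad password across the user list; that second dimension is left out here to keep the example short.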

Software

Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)

Networks

Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.

Email

Consider adding an email banner to emails received from outside your organization.

Disable hyperlinks in received emails.

Scripts

Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

Stay safe, everyone!

A week in security (August 8 – August 14)

Researchers found one-click exploits in Discord and Teams

A group of security researchers have discovered a series of vulnerabilities in Electron, the software underlying popular apps like Discord, Microsoft Teams, and many others, used by tens of millions of people all over the world.

Electron is a framework that allows developers to create desktop applications using the languages used to build websites: HTML5, CSS, and JavaScript. It’s an open source project that has been used as the foundation for some extremely popular apps. Electron itself is built on the open source Chromium browser project (the basis of Google Chrome), and the NodeJS JavaScript runtime which is built on Chromium’s V8 JavaScript engine—a significant source of Chrome security problems.

Building blocks

It is not uncommon for developers to use other projects, frameworks and libraries as building blocks for their projects. Building on proven code makes sense: It saves time, it is easier for others to get involved, and everyone benefits from all the layers of solved problems in the existing codebase.

The problem with building software on foundations provided by others is that the developers building on them may not fully understand the security implications of certain decisions or configurations. They also need to rebuild their own application whenever a security vulnerability is fixed in the software they’re building on top of, and then distribute that update to their users.

Probably the most famous example of such a building block vulnerability is Log4Shell. Log4Shell is a vulnerability that was found in Log4j, an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the impact of the vulnerability was enormous.

The chances that an application harbors out-of-date underpinnings are high. And the reservoir of known bugs that are fixed in, say, Chrome, but not yet in Electron, or fixed in Electron but not yet in an application built on top of it, is something that criminals and researchers can exploit.

A group of researchers recently presented research into Electron vulnerabilities at the Black Hat security conference having done exactly that. For a peek into what they did, and a look at how complicated modern bug hunting is, read researcher s1r1us’s explanation of how they went about finding a remote code execution (RCE) vulnerability in Discord by chaining a new cross-site scripting vulnerability, a CSP bypass in Discord’s out-of-date Chromium version, and an exploit for a known V8 vulnerability.

In the case of s1r1us’s Discord bug, what the researchers found could be exploited with nothing more than a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, an attacker would have been able to take control of their computers.

Mitigation

The most general and best advice in many cases is to avoid clicking on links that come in unexpected or in unusual ways. In an ideal world you would distrust them with the same vigor as the links in your mailbox and on social media. However, this can be very difficult in practice because many of these applications require you to click on links to join meetings, accept invitations and so on.

A more workable solution, suggested by the researchers, is to use apps like Discord or Spotify inside your browser, because then you have the broader protection afforded by an up-to-date Chrome rather than whatever an individual Electron app ships with, and you control whether it’s up to date.

Most of us, though, will simply keep installing our security updates and hope that the people who make the software are keeping their building blocks up to date too.

Viral video drives malvertising on social media platform

This blog post was authored by Jérôme Segura

Viral content shared on social media is highly coveted since it gets a lot of impressions and engagement. Unfortunately, the people who push this kind of content don’t always have the best of intentions.

We recently identified a malvertising campaign on Facebook that uses a cute story that gained attention last year. The fraudsters are luring potential victims into clicking on its link so that they are conditionally redirected to a fake tech support page.

This technique is far from new, yet it still works well and deserves another look so that affected parties better understand how they are being abused.

Too cute to be true

The scam starts with the sweet story of a man who jumped out of his car at a traffic light to have his puppy meet another dog. This moment was shared on a number of platforms last year and could melt any animal lover’s heart.


We saw this post on Facebook, where it has been viewed and shared since at least mid July. In this case, though, the link is a trap set to redirect potential victims to a malicious page known as a browser locker. While it does not actually ‘lock’ anything, the page displays fake messages about computer viruses and entices users to call for assistance. What follows is the well-known tech support scam.


Cloaking games

In order to evade detection and remain active for as long as possible, these fraudulent schemes use a simple technique known as cloaking. The idea is to only display the malicious page in specific scenarios while showing legitimate content the rest of the time.

Here are some examples of filters that threat actors may use to their advantage:

  • IP address
    • Geolocation (country and city)
    • Internet Service Provider (ISP)
  • Browser user-agent
    • Operating system (Windows, Mac, Mobile)
    • Browser name and version
  • Referer (the site visited just before)
  • Cookies
  • Time zone

In other words, for a given campaign a target may be: people living on the US’s west coast using Windows 10 and Google Chrome with a valid Facebook referer clicking on the link for the first time after 6 PM on weekdays. For the rest of the time and other visitors, a decoy page will be shown instead:


The proverbial ‘smoking gun’

When it comes to reporting such abuses, most registrars, hosting companies and platforms will require some hard evidence unless you have worked with them in the past and they already trust the information you pass along.

While a video capture is a pretty damning piece of evidence, it may not necessarily be enough to convince a provider especially if they aren’t able to reproduce the issue on their side. Because of cloaking, finding that smoking gun can literally take hours of frustrated attempts until finding the right combination of parameters. In fact, in some cases you may have to wait for when the scammers manually activate a redirect for a specific time window.

Running a web proxy is invaluable for capturing the event as it happens, and it produces hard evidence of the suspected behavior. For example, what we see below are the request and response headers for the domain performing the cloaking.

  • The request headers show the host (fnbchecklagsin[.]com), the referer (Facebook) and the full URI we requested (GET)
  • The response headers show that the server responded with the HTTP 302 code which indicates a redirect to a new location (browser locker)


Essentially, the malicious remote server did not even serve the decoy content but immediately redirected our browser to the tech support scam page.
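The constructed example below, not part of the original post, shows both halves of that investigation in Python: a simulated redirector that applies the filters listed above (referer, OS and browser, country, first visit) and a probe that requests the same URL under every combination of those signals with a fresh cookie jar, then keeps the request signals plus the 302 target as the evidence record. The hostnames, locker URL and user agents are made up, and the fetch function is a stand-in for what a proxy-instrumented browser would do against the real server.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List, Tuple

# All names below are constructed for the example; none belongs to the real campaign.
LOCKER_URL = "https://browser-locker.invalid/alert.html"


@dataclass
class Request:
    """The handful of signals a cloaking server keys on (see the filter list above)."""
    host: str
    referer: str
    user_agent: str
    country: str                       # what the server derives from the client IP
    cookies: Dict[str, str] = field(default_factory=dict)


Response = Tuple[int, Dict[str, str]]   # (HTTP status, response headers)


def cloaking_server(req: Request) -> Response:
    """Simulated redirector. The targeted profile gets a 302 to the browser locker;
    everyone else, and anyone who has been here before, gets the decoy page."""
    from_facebook = "facebook.com" in req.referer
    windows_chrome = "Windows NT" in req.user_agent and "Chrome/" in req.user_agent
    first_visit = "seen" not in req.cookies
    if from_facebook and windows_chrome and req.country == "US" and first_visit:
        return 302, {"Location": LOCKER_URL, "Set-Cookie": "seen=1"}
    return 200, {"Content-Type": "text/html"}          # decoy: the cute dog story


# Probe dimensions. One cell of this grid is the "right combination of parameters".
REFERERS = ["", "https://www.facebook.com/", "https://www.google.com/"]
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/104.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15",
    "Mozilla/5.0 (Linux; Android 12) AppleWebKit/537.36 Chrome/104.0 Mobile Safari/537.36",
]
COUNTRIES = ["US", "DE"]


def probe_for_cloaking(fetch: Callable[[Request], Response], host: str) -> List[Dict[str, str]]:
    """Fetch the same URL under every header combination, each with an empty cookie jar,
    and return one evidence record (request signals plus redirect target) for every
    combination that redirects. An empty list means no conditional redirect was seen."""
    evidence = []
    for referer, ua, country in product(REFERERS, USER_AGENTS, COUNTRIES):
        status, headers = fetch(Request(host, referer, ua, country, cookies={}))
        if 300 <= status < 400:
            evidence.append({"host": host, "referer": referer, "user_agent": ua,
                             "country": country, "status": str(status),
                             "location": headers.get("Location", "")})
    return evidence


if __name__ == "__main__":
    for hit in probe_for_cloaking(cloaking_server, "redirector.invalid"):
        print(hit)
```

Against a live redirector the cookie reset matters as much as the header grid: the first matching request often sets a marker cookie so that every later visit from the same browser sees the decoy, which is why a single reproduction attempt in a normal browser profile so often fails.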


We have reported this incident to the registrar (NameCheap), the hosting provider (DigitalOcean) and the platform (Facebook) abused to spread this scam. Malwarebytes users were already protected thanks to our Browser Guard extension.

Anti-tracking tool tells you if you’re being followed

If there is one thing we know about the people around us, even the perfect strangers, it’s that they almost all have smartphones. And those smartphones aren’t merely passive receivers, they’re broadcasting constantly, looking for things you might want to connect to.

Advertisers have exploited the electronic noise that smartphones make for years, using it to track people in places like shopping malls. But now a security researcher has used the same idea to detect if you’re being followed.

Matt Edmondson had the idea for the tool when a friend of his, who also works for the government, expressed concerns about being tailed when meeting a confidential informant who had ties to a terrorist organization. Although the friend is skilled at escaping those following them by car, he was looking for “an electronic supplement”.

“He was worried about the safety of the confidential informant,” Edmondson explained to Wired.

Edmondson wears many hats. He served as a federal agent for the US Department of Homeland Security for 21 years; he is the founder of an infosec consultancy; a hacker; a certified SANS instructor; and a digital forensics expert. Suffice it to say, he has the skills and experience to build something that would keep someone safer using inexpensive parts, some open-source Python code, and a Raspberry Pi.

Edmondson presented his project at Black Hat on Thursday. His talk, Chasing Your Tail With a Raspberry Pi, touched on how he assembled the anti-tracking device, the challenges encountered when building it, and some best practices to consider, including creating an ignore list for friendly smartphones, and the importance of randomizing your MAC address (the rarely-changed identifier that allows others to track your smart phone).

The anti-tracking device works by scanning for wireless devices and checking whether they have been seen before within the past 20 minutes. Unlike tools made to scan stationary devices, Edmondson’s machine was designed to scan moving ones. This is necessary because the act of tailing requires movement.

The device fits in a shoebox and sits in a waterproof case. It has a Wi-Fi card that runs Kismet (a popular wireless network detector), a portable charger, and a touchscreen where the user sees alerts. Each repeat alert strengthens the likelihood that one is being tailed.
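Here is the core of that “seen now and also seen a while ago” logic as an added Python example; it is not Edmondson’s code, which runs on Kismet output on the Pi. The 20-minute window comes from the description above. The five-minute minimum gap before a repeat sighting counts, and the ignore list for friendly devices, are my assumptions; MAC addresses in the demo are constructed; the locally administered bit check flags addresses that look randomized, which is the feature the talk recommends turning on for your own phone.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

WINDOW_SECONDS = 20 * 60   # how far back a sighting still counts (the 20 minutes above)
MIN_GAP_SECONDS = 5 * 60   # assumption: a device must re-appear after at least this long for
                           # the repeat to mean anything; a phone beside you in a queue is
                           # seen continuously and would otherwise alert immediately


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is set on locally administered addresses, which is
    what randomized MACs look like. Such a device is harder to follow across sightings."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


class TailDetector:
    """Rolling-window 'have I seen this device before' check over wireless sightings."""

    def __init__(self, ignore: Iterable[str], window: float = WINDOW_SECONDS,
                 min_gap: float = MIN_GAP_SECONDS):
        self.ignore: Set[str] = {m.lower() for m in ignore}   # your own and friendly devices
        self.window = window
        self.min_gap = min_gap
        self.history: Dict[str, Deque[float]] = defaultdict(deque)   # mac -> sighting times

    def observe(self, ts: float, mac: str) -> bool:
        """Record one sighting; True if this device was also seen earlier in the window,
        at least min_gap seconds ago."""
        mac = mac.lower()
        if mac in self.ignore:
            return False
        sightings = self.history[mac]
        while sightings and ts - sightings[0] > self.window:
            sightings.popleft()                       # expire sightings outside the window
        alert = bool(sightings) and (ts - sightings[0]) >= self.min_gap
        sightings.append(ts)
        return alert

    def observe_scan(self, ts: float, macs: Iterable[str]) -> List[Tuple[str, bool]]:
        """One scan pass (e.g. the set of MACs Kismet reported): returns
        (mac, looks_randomized) for each device that alerts."""
        return [(m.lower(), is_locally_administered(m)) for m in macs if self.observe(ts, m)]


if __name__ == "__main__":
    # Constructed scan passes: (seconds since start, MACs seen). 10:20:... keeps reappearing.
    passes = [(0, ["aa:bb:cc:00:00:01", "10:20:30:40:50:60", "de:ad:be:ef:00:01"]),
              (120, ["10:20:30:40:50:60"]),
              (600, ["10:20:30:40:50:60", "02:11:22:33:44:55"]),
              (2000, ["de:ad:be:ef:00:01"])]
    det = TailDetector(ignore=["aa:bb:cc:00:00:01"])   # my own phone
    for ts, macs in passes:
        print(ts, det.observe_scan(ts, macs))
```

The detector deliberately tracks only repeat sightings and keeps nothing about where a device was seen, which mirrors Edmondson’s point that the tool is for noticing that you are being followed, not for following anyone.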

“It’s purely designed to try to tell you that you’re seeing something now that you were also seeing a few minutes ago,” Edmondson says. “This isn’t designed to follow people in any way, shape, or form.”

Edmondson pleads with the tech community to take digital tracking and surveillance seriously. “It was really kind of disheartening and depressing to look at the ratio of tools to spy on people versus tools to help you not get spied on,” he says.

Donut breach: Lessons from pen-tester Mike Miller: Lock and Code S03E17

When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his client’s offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.

Then he went to work.  

By hard-wiring his laptop into the company’s network, Miller’s machine received an IP address and, immediately after, he was online. Once connected, Miller ran a few scanners that helped him take a rough inventory of the company’s networked devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the workstations, even the printers. Miller also ran a vulnerability scanner to see what vulnerabilities the network contained, and, after a little probing, he learned of an easy way to access the physical printers, even peering into print histories.

Miller’s work as a penetration tester means he is routinely hired by clients to do this exact type of work: to test the security of their own systems, from their physical offices to their online networks. And while his covert work doesn’t always go like this, he said that it isn’t uncommon for companies to leave basic flaws in place. Even when he shared his story on LinkedIn, several people doubted it.

“It’s crazy because so many people say ‘Well, there’s no way you could’ve just plugged in.’ Well, you’re right, I should not have been able to do that.”

Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he’s seen in his work as a pen-tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Thousands of Zimbra mail servers backdoored in large scale attack

Researchers at Volexity have discovered that a known vulnerability has been used in a large scale attack against Zimbra Collaboration Suite (ZCS) email servers. But the vulnerability was supposed to be hard to exploit since it required authentication. So they decided to dig deeper.

An incomplete fix

Zimbra is a brand owned by Synacor. Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS) is a collaborative software suite that includes an email server and a web client. It is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software.

The initial investigations showed evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This vulnerability was patched by Zimbra in March 2022.

The CVE description tells us that Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 have mboximport functionality that receives a ZIP archive and extracts files from it, and that an authenticated user with administrator rights can upload arbitrary files to the system through directory traversal.

Zimbra patched the vulnerability, but, in the company’s own words, it would turn out to be an “incomplete fix for CVE-2022-27925”.

Mass exploitation

It is uncommon for a vulnerability that requires administrator rights to be used in a large-scale attack. Firstly, because obtaining valid administrator credentials is usually a lot of work for a cybercriminal, and secondly because once they have administrator credentials, many other options are open to them. That said, uploading zip files that get auto-magically extracted does sound like a good way to establish a foothold.

So how did a serious, yet hard to exploit vulnerability end up in a large-scale attack rather than a targeted one? The researchers did a lot of digging and found that the threat actors were chaining the known path traversal vulnerability with a zero-day authentication bypass. The bypass was assigned CVE-2022-37042 after the researchers shared their findings with Zimbra. A path traversal vulnerability allows an attacker to read or write files in locations on your web server that they should not be able to reach.

The underlying problem was that the authentication check, after sending an error message to the unauthenticated attacker, continued executing the subsequent code. So even though the attackers received an error message, the web shell was planted on the server anyway. These web shells are malicious scripts the attacker uses to escalate privileges and maintain persistent access. In other words, a backdoor.
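The example below was written for this article and is not taken from Zimbra’s code. It models the two bugs as described above in Python: a zip extractor that trusts entry names as given (so a “../” entry climbs out of the destination directory) next to one that resolves every path first and refuses the whole archive, and an authorization check that reports 403 but keeps executing next to one that returns. The handler, the paths and the archive contents are constructed for illustration.

```python
import io
import os
import zipfile
from pathlib import Path
from typing import Dict, List


def build_zip(with_traversal: bool) -> bytes:
    """Constructed archive. With with_traversal=True it carries an entry whose name
    climbs out of the extraction directory, the shape the CVE description implies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mail/inbox.eml", "Subject: harmless\n\nhello\n")
        if with_traversal:
            zf.writestr("../../webapps/zimbra/public/shell.jsp", "<% /* web shell */ %>")
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest: str) -> List[str]:
    """Trusts entry names as given: '..' segments walk out of dest. Do not use."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)    # no normalisation, no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> List[str]:
    """Resolve every entry first and refuse the whole archive if any lands outside dest."""
    root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if target != root and root not in target.parents:
                raise ValueError("refusing entry outside extraction root: %r" % info.filename)
            planned.append((info, target))
        written = []
        for info, target in planned:             # nothing is written until all entries passed
            if info.is_dir():
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written


def handle_import_vulnerable(session: Dict[str, bool], zip_bytes: bytes, dest: str) -> List[str]:
    """The fall-through pattern: the error is sent, but execution continues."""
    response = []
    if not session.get("admin", False):
        response.append("403 Forbidden")      # the caller is told no...
    extract_vulnerable(zip_bytes, dest)       # ...and the upload is processed anyway
    return response or ["200 OK"]


def handle_import_safe(session: Dict[str, bool], zip_bytes: bytes, dest: str) -> List[str]:
    if not session.get("admin", False):
        return ["403 Forbidden"]              # stop here
    extract_safe(zip_bytes, dest)
    return ["200 OK"]


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()
    store = os.path.join(base, "a", "b", "store")
    os.makedirs(store)
    print("unauthenticated upload, vulnerable handler:",
          handle_import_vulnerable({"admin": False}, build_zip(True), store))
    print("files written:", extract_vulnerable(build_zip(True), store))   # shell.jsp lands under base/a/
    try:
        extract_safe(build_zip(True), store)
    except ValueError as err:
        print("safe extractor:", err)
```

Two details are worth keeping when adapting this: validate all entries before writing any, so a rejected archive leaves nothing behind, and compare resolved absolute paths rather than looking for the substring “..”, which misses absolute entry names and symlinked directories.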

Knowing the paths to which the attacker had installed web shells, and the behavior of ZCS when contacting a URL that did not exist, the researchers performed a scan of ZCS instances in the wild to identify third-party compromises using the same web shell names. This scan yielded over 1,000 infected ZCS instances worldwide. The real number of infected instances is probably a lot higher since the scan only looked for shell paths known to the researchers.

Mitigation

Zimbra has patched the authentication issue in its 9.0.0P26 and 8.8.15P33 releases. If you were late to patch for the RCE vulnerability, you should assume that your server instance has been compromised.

In order to verify the presence of web shells on a ZCS instance, one technique that can be used is to compare the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. Lists of valid JSP files included in Zimbra installations can be found on GitHub for the latest version of 8.8.15 and of 9.0.0.

Stay safe, everyone!