IT NEWS

Attackers waited until holidays to hit US government

The government industry in the United States dealt with heavy hitting breaches against local, federal, and state government networks, primarily during the first quarter of 2021.

Our telemetry revealed a small spike in a generic backdoor detection, known as Backdoor.Agent, during March of 2021, mainly focused in Memphis, Tennessee. This data coincides with the attack on the Azusa Police Department in California; however, it reveals even more about the attacks observed the following month.  

During April of 2021, at least three notable attacks against government services made the news: the New York Metropolitan Transport Authority (MTA), the Illinois Attorney General’s office, and the Washington DC Police Department. During this same month, we also observed the beginning of a surge of exploits and AI-detected threats that dominate the rest of 2021.


Our top spike for the period follows the detection of the exploit CVE-2021-21551 (Dell System Driver) and all the nasty threats it brought with it. Despite this, we were unable to correlate any newsworthy breach to this month. So, we can assume that the increase in detections was an onslaught of attempts to breach networks, shortly after the release of the Dell driver exploit. We can also make assumptions about this effort leading to numerous breaches and installations of backdoor malware, waiting dormant until later in 2021 and 2022 before launching a full attack.

Those most hammered by these exploit attempts were government organizations in Michigan and New Jersey.

The detection of this exploit slows as the year goes on, dwindling to almost nothing by May of 2022. This matches up with our detections of unidentified, AI-detected malware. Despite that, a series of unspecified exploits battered the industry in late October, spiking in November and into December, when the Maryland Department of Health, the Virginia State Government and the Hawaii Timekeeping Services were all breached and disrupted, some due to ransomware, others to stolen data.


In addition to the push of exploits, the notorious TrickBot trojan has been lurking in the detections of this industry, staying mostly steady with only a 1.2 percent share of threats during the analyzed time period. Despite this, the small spikes of this threat in March, June, and November of 2021 seem to mostly align with major reported breaches.

Based on our data, there is a case to be made about government industry targeting, mainly taking place during the beginning and end of the year, a time notoriously known for vacation, reorganization, and reduced security staff.

Our best recommendation for this industry, beyond ensuring that proper patching and threat detection software are deployed on every endpoint, is to consider two major factors when planning for a cyberattack. The first is timing, the second is reducing operational disruption.

Timing can be addressed by understanding not only when the attackers are coming after an organization, but also when an organization might be most vulnerable. For example, if you know that your staff will be reduced to only 25 percent during November, December, and January for the holidays, you might think you don’t need to keep as many security staff on hand since there are fewer users. This is a perfect opportunity for an attacker who may have breached the network months prior to finally achieve their purpose and attack the network while it’s less guarded.

So, knowing the trends of attacks on government organizations, we recommend not reducing security staff during the holidays. If anything, you need to have more eyes on the network, looking for anything that might stand out as odd when the network is meant to be relatively quiet. This might be achieved by bringing in additional security staff for the season, allowing security staff to take vacations around the usual holidays if possible, and in some cases, making it possible for security and IT admins to remotely investigate threats through a cloud-based remote console.

The second recommendation is reducing operational disruption. When a restaurant gets hit by ransomware, it takes down the restaurant’s operations for a time, but the damage typically doesn’t go far beyond the restaurant’s walls. When a state or local government network is breached and hit by ransomware, because of the interconnected nature of government and public services, such an attack can disrupt entire cities and states, quickly creating chaos. It’s imperative to ensure that in the case of any type of cyberattack, there is some way to continue operations, be it at a backup site, using pen and paper, or having employees work remotely. The more pressure an organization is under to get things back to normal, the more leverage the attackers have against that organization.

Following these tips will not only reduce the damage done by these attacks, but likely increase the confidence that civilians have in the security of their government organizations.

Ransomwater confusion, does the criminal know who the victim is?

When we say that attribution is always tricky, we are obviously only seeing the half of it. Apparently sometimes even the cybercriminals are not always clear on which company they breached.

Clop ransomware put out a statement that they breached Thames Water when in reality their victim was South Staffs Water. Fortunately nobody was deprived of water due to the incident.

Clop

Ransom.Clop was first seen in February of 2019. Besides encrypting systems, the Clop ransomware also exfiltrates data that will be published on a leak site if the victim refuses to pay the ransom. In February of 2021, the group made headlines by targeting executives’ systems specifically to find sensitive data.

Hoax or not so much

After becoming aware of some reports, Thames Water made it clear that the whole thing was a hoax as far as they are concerned. It would be a hoax if there weren’t a real victim of the attack.

On the website of South Staffs Water, we learned that South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, had been the target of a criminal cyberattack. But the incident has not affected their ability to supply safe water. According to the statement, they are experiencing disruption to their corporate IT network and they have teams working to resolve this as quickly as possible. Their customer service teams are operating as usual.

The breach

On their leak site, Clop claims to have spent months inside the company system and noticed many very bad practices. They also said they had contacted the company with information on how to fix the problem. But they never responded. So, after spending months, you contacted the wrong company and they never gave you the time of day? How quaint.

Clop's claims

On their leak site, Clop touts their accomplishments and rants about the victim company.

Vital infrastructure

While we can joke about the mistaken identity and the following confusion in the media, the incident proves two points. Ransomware gangs do not shy away from attacking vital infrastructure, but you should also know that much of this infrastructure is robust enough to withstand such an attack. 

Clop claims they have not encrypted any files and that they could potentially change the chemical composition of the water, but all they did was exfiltrate 5 TB of data. As we learned from the Malwarebytes podcast with Lesley Carhart, the chances of a critical infrastructure “big one” are remarkably slim. In fact, critical infrastructure’s regular disaster planning often leads to practices that can detect, limit, or prevent any wide-reaching cyberattack.

In other words, there are fail-safes in place that should reliably prevent any “chemically altered” water from ever reaching our homes, no matter whether you are a customer of Thames Water or South Staffs Water.

Clop corrects

At this moment, the Clop leak site displays “South-Staffs-water.co.uk,” not Thames Water, so they must have realized their mistake.

Leak site header (partial)

The exfiltrated data contain copies of passports and driver’s licenses, a lot of schematics, email addresses, and a list of VM servers combined with login credentials. Certainly not 5 TB worth of data, but probably an incentive to get the victim to pay the ransom.

Getting the victim wrong might be a case of miscommunication between the affiliate that compromised the victim and the ransomware operator, combined with a poor grasp of English on one or both sides of the operation. Remember that ransomware groups now typically offer their ransomware as a service to other groups that have already infiltrated companies and organizations. By offering these cybercriminal breach teams access to their ransomware, the ransomware developers get their ransomware into more targets than they could have by themselves, and they take a “cut” of whatever ransom gets paid.

Importantly, though, misidentifying the victim and starting negotiations about the ransom with the wrong organization could leave the real victim clueless about what happened to them, or more to the point, who is responsible. Luckily it didn’t take too long in this case.

Update Chrome now! Google issues patch for zero day spotted in the wild

Google updated the Stable channel for Chrome to 104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows, which will roll out over the coming days/weeks. The Extended Stable channel has been updated to 104.0.5112.101 for Mac and 104.0.5112.102 for Windows, which will roll out over the coming days/weeks.

This update includes 11 security fixes. One of the vulnerabilities is labeled as “Critical” and one of the vulnerabilities that is labeled as “High” exists in the wild.

Vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). We discuss some of the CVEs included in this update below.

CVE-2022-2852: a critical use-after-free vulnerability in FedCM. Use-after-free (UAF) vulnerabilities occur because of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. The Federated Credential Management API (FedCM) allows the browser to understand the context in which the relying party (for example a website) and the identity provider (a third-party authentication service) exchange information.

CVE-2022-2856: Insufficient validation of untrusted input in Intents. Chrome intents are the deep linking replacement for URI schemes on the Android device within the Chrome browser. Google’s Threat Analysis Group submitted the vulnerability and technical details will not be released until everyone has had ample opportunity to update.

Google is aware that an exploit for CVE-2022-2856 exists in the wild. A remote attacker can trick the victim into opening a specially crafted web page and execute arbitrary code on the target system.

CVE-2022-2854: a UAF vulnerability in SwiftShader. SwiftShader is an open-source library that provides a software 3D renderer. The attacker would have to trick the victim into visiting a specially crafted website.

CVE-2022-2853: a heap buffer overflow in Downloads. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. The heap is the portion of memory where dynamically allocated memory resides.

How to protect yourself

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome up to date

After the update the version should be 104.0.5112.101 or later.

Stay safe, everyone!

Nearly 2,000 Signal users affected by Twilio phishing attack

New findings following the Twilio phishing attack revealed that Signal, one of its high-value clients and a popular encrypted messaging platform, was particularly affected. 1,900 of its users had their phone numbers and SMS registration codes exposed. However, Signal reassured users that the attacker could not gain access to “message history, contact lists, profile information, whom they’d blocked, and other personal data” associated with the account.

Signal also claims that 1,900 comprises a small percentage of their user base, so a majority of their users were not affected. Nevertheless, they notified affected users this week via SMS and prompted them to re-register Signal on their devices.

The company revealed in a security notice that the attacker explicitly searched for three numbers among the 1,900 users affected. One user of the three numbers already reported that their account was re-registered. This means the attacker can now send and receive messages from that phone number.

When The Register asked Signal why an attacker would specifically target these three numbers, suggesting maybe they are people of note, the company responded: “To respect the privacy of those specific people, we are not sharing any details about them.”

Signal highlights the importance of enabling its app’s security features to fend off after-effects of attacks that may befall third-party providers it uses. Because of what happened to Twilio, the company is pushing more of its users to take advantage of registration lock and Signal PINs, which can only be activated manually.

Registration Lock prevents someone from registering a Signal user’s phone number to another device unless they know the PIN associated with the account. To enable Registration Lock, Signal users should go to Signal Settings (profile) > Account > Registration Lock.

“While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” Signal said.

Last week, Cloudflare revealed that the same phishing tactic that got Twilio breached had also targeted Cloudflare’s employees last month. The campaign didn’t work because Cloudflare employees were required to use physical security keys to access all applications they use in-house.

$6 million heist targets video game skin trading site

An incredibly popular digital item trading site has suffered a spectacular loss at the hands of wily attackers. According to Bleeping Computer, CS Money lost out on $6 million via just 20,000 pilfered items. How did this happen, and why are digital items so popular in the first place?

The digitized rewards of gaming

It’s important to know what, exactly, trading sites deal in and how they relate to gaming, so here goes.

Most major titles on prominent video game platforms offer skins, items, and in-game rewards. These items are often tradeable with other players. Some can be bought or sold through specific platforms, but, sometimes, depending on the game, certain items can’t be traded, which means that those items are tied to the owner’s account forever. Those items may lead to the account becoming a valuable target for phishing and scams.

Even accounts with regular tradeable items are potentially worth stealing. Those accounts may have hundreds or even thousands of items tied to them. A quick phish here, a stolen login there, and both the account and its items may never be seen again.

Where trading platforms come into this picture is that they often make it easier to sell, trade, whatever you want to do with your digital stock. Some people are content to use the trading section of a platform’s own service. These services may also have their own community market, where items can be bought and sold.

Other folks may branch out into using specific third-party websites for all their buying, selling, and trading needs. These sites may offer more specific features not available on the major platforms. Perhaps they have a reputation for niche items unobtainable anywhere else. Whatever the reason, these sites are very popular. Scammers will often imitate them in an effort to compromise people’s item cache. Sadly, sometimes the sites themselves come under fire. When that happens, you’d better hope everything is as locked down as can be.

Otherwise…

When a Counter Strike site is counter-stricken

No fewer than 20,000 skins were stolen after an attack on the CS Money site. CS in this instance stands for “Counter Strike,” a long-time favourite of the online shooter crowd. User skins vanished into the night after the attack, and at the time of writing the skins have simply been blocked from further selling/trading/anything else. Good news for people who don’t enjoy large slices of video game digital skin fraud. It’s also not so good for the owners of said items, who don’t seem to have had any of them returned yet.

According to the rundown of events on Bleeping Computer, the attack was made up of several moving parts. First, the attackers obtained authenticator files used to authorize Steam access. Then, 100 bots containing the skins were used in roughly 1,000 transactions to send the skins to accounts belonging to the attackers. Some of the items were then sent to “ordinary users, renowned traders, and bloggers.”

None of these people were involved in the attack. This appears to be the fraudster’s way of adding a little more publicity to their actions, or maybe just covering their digital paper trail.

Smash and grab

This all goes wrong at the point where authenticator files were apparently stolen. What’s interesting is pondering how the attackers came to obtain those files in the first place.

Some years ago, Steam phishers were asking victims to upload certain files from their Steam folder to the fake website. These files worked like a sort of password remembering cookie, except for Steam. Having the files on board meant you didn’t have to re-verify your identity through authentication every time you logged in. But if you sent them to someone else, they’d be able to log in as you as long as they had your username and password.

Has a similar tactic been used here? Only time will tell. For now, if you’re involved in skin trading or digital item selling: consider that the sites you use may not be 100 percent secure. If a scammer ram-raids your favourite marketplace of choice, a trip to customer support may be in the cards. As with so many forms of digital fraud, there’s often no guarantee of having your stolen items returned. Weigh up the safety pros and cons carefully with regard to the final destination of your sellable skins. Safe trading out there!

How to secure a Windows PC for your kids

With the return to school fast approaching, it’s time to ready the things your kids will need to pass the next year with flying colors. Increasingly, that means computing devices, which means you’ll need to spend time thinking about the safety and security of what they will be using.

In our “Back to School” series we will talk about several types of devices you may encounter. This one is about Windows devices.

The basics

You know that when your kids are hard at work, they can’t be bothered with all the warnings, notifications, EULAs and whatnot. They are relentless in their pursuit of high grades, and maybe some less admirable goals. To achieve these goals they will click “OK” on anything that stands in their way. So, what you need to set up for them is something that gives them enough room to be a bit reckless.

Not that it’s wrong to give them a certain amount of responsibility or at least inform them about what you did to keep them secure. If they know and understand the goal, most of them will be more than happy to keep their system operational.

With that in mind, here are some security basics that you should attend to just as you would on any Windows computer:

  • Apply security updates promptly. All the software on the computer needs to be maintained by installing the latest security updates when they become available. Fortunately, Windows 10 will update itself automatically, as will popular modern web browsers like Edge, Chrome, and Firefox. We suggest that you turn on automatic updates for the Microsoft Store, which will take care of any software you download from there. Whatever software those steps don’t cover will need to be checked occasionally to see if there are newer versions available.
  • Use security software. Modern versions of Windows have lots of helpful security features, but Windows is still the most popular target for malware, so we strongly recommend that you install a third-party security solution like Malwarebytes Premium.
  • Start backing up. The only backup people ever regret is the one they didn’t make, so read Microsoft’s short guide to Backup and Restore in Windows, and get yours working on day one. Backups are your last line of defense against system-altering malware, like ransomware or wipers, as well as bad software updates, and hardware failure or theft. They will also protect your child’s work against the inevitable accident of your kid deleting their most important assignment the night before it’s due.
  • Install a password manager. A password manager is software for creating and remembering strong passwords. Good ones also provide a safe way for users to share passwords with other people. Install one on your Windows computer and get your child using it as soon as possible. Proper password handling is something lots of adults struggle with, so get your kids doing the right thing from day one.
  • Give your child a local user account. Even if your child is the only person using the computer, create a separate local user account for them with limited permissions. Use a different account with administrator privileges to make changes to the computer, like installing software. Don’t share the administrator account with your child and never use it for work, web browsing or email. Malware will typically use the same permissions as the account that runs it. If your child accidentally runs malware as a local user, it will not be able to alter the machine.

Other considerations

If the device isn’t your property

If the Windows device is provided by the school or another organization, your options for implementing your own security ideas may be very limited, but that’s OK, it just means somebody is doing it for you. It’s usual for IT staff from the school to set up and manage this kind of computer and to give your child access to a standard local user account. That should be enough access for your child to do what they need to without getting into too much trouble.

Parental controls

Children search Google for the weirdest things and topics. Whether they searched for something on purpose or just because they didn’t know what it meant, search results for some phrases are best not seen by young children.

The parental controls included with Windows allow you to enforce restrictions on screen time; block apps, websites, and games; and provide reports on what your child has been doing with their device.

Parental controls can be useful to limit the risks your children run into online, but you should know up front that they cannot eliminate every risk out there. Read our article about parental controls to learn what they can and can’t do for you.

Social media, messaging, and games

Children are inclined to share their entire lives with their friends, and keen to get their hands on the phones, computers, and accounts that will let them do it online. Unfortunately, social media, messaging apps, and gaming come with risks: It is easy for predators to hide behind a picture of a child and a believable persona, there is no break at the end of the school day from the bullying and harassment that happens online, and gaming communities can be rough and unforgiving.

Like many other aspects of the adult world, children deserve to be introduced to these things in a careful, supervised manner, and many parents opt for some kind of digital oversight or restrictions. (It is worth noting too, that most social media apps have a minimum age requirement of 13, although as a recent Omegle investigation showed, you cannot assume a platform will enforce its age restrictions or that its moderators will keep your children safe).

Alongside whatever tools or techniques you use to keep children safe online, we recommend teaching them responsible digital citizenship from an early age, to help understand the dangers, and to recognize cyberbullying and harmful content. Establishing guidelines and teaching them responsible online communication and etiquette will help them to communicate respectfully, with responsibility and confidence.

Wi-Fi

By default, Windows 10 will connect automatically to Wi-Fi networks you have used at least once. With a device moving back and forth between home and school, this creates an opportunity for an attacker (perhaps another student) to set up a network with the same name. These so-called “evil twin” Wi-Fi network attacks simulate known networks and can be used to perform a machine-in-the-middle attack (MitM).

The only way to easily protect against these attacks is by disabling the auto-connect feature. You can do this by removing the check mark when you connect to the network, or in the properties of the connection by turning the “Connect automatically” option off. After doing this you can manually check the available Wi-Fi networks on location and look for two identical SSIDs (network names). The evil twin will not have a lock symbol near the strength indicator.
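The limited-account step from the basics list above and the Wi-Fi auto-connect advice, as an added PowerShell example that is not part of the original article. It assumes Windows 10/11, an elevated PowerShell prompt, and the English-language text layout of `netsh wlan` output; the account name "kid" is a placeholder.

```powershell
# Added example (not from the article): create a non-admin account for the child,
# switch every saved Wi-Fi profile to manual connect, and flag visible SSIDs that
# are advertised with more than one security setting or with no security at all,
# which is what an "evil twin" of a known protected network looks like.
# Assumptions: Windows 10/11, elevated prompt, English netsh output.
#Requires -RunAsAdministrator

function New-ChildAccount {
    param([string]$Name = 'kid')   # placeholder account name
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for local user '$Name'"
        New-LocalUser -Name $Name -Password $pw | Out-Null
    }
    # Member of the standard "Users" group only: malware the child runs inherits
    # these limited permissions and cannot alter the machine.
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
    if (Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Name
    }
}

function Set-WifiProfilesManual {
    # Turn "Connect automatically" off for every saved profile, so the laptop never
    # joins a network merely because it carries a familiar name.
    $profiles = netsh wlan show profiles |
        Select-String -Pattern '^\s*All User Profile\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    foreach ($p in $profiles) {
        netsh wlan set profileparameter name="$p" connectionmode=manual | Out-Null
        Write-Host "Profile '$p': auto-connect disabled"
    }
}

function Find-SuspiciousSsids {
    # Parse "netsh wlan show networks mode=bssid" (layout is an assumption) and
    # collect the authentication type advertised under each SSID. A name seen with
    # two different security settings, or as "Open", deserves a look before anyone
    # connects: a lock symbol in the GUI corresponds to a non-Open authentication.
    $seen = @{}
    $ssid = $null
    foreach ($line in (netsh wlan show networks mode=bssid)) {
        if ($line -match '^\s*SSID\s+\d+\s*:\s*(.*)$') {
            $ssid = $matches[1].Trim()
            if (-not $seen.ContainsKey($ssid)) { $seen[$ssid] = @() }
        } elseif ($ssid -and $line -match '^\s*Authentication\s*:\s*(.+)$') {
            $seen[$ssid] += $matches[1].Trim()
        }
    }
    foreach ($name in $seen.Keys) {
        $auth = @($seen[$name] | Sort-Object -Unique)
        if ($auth.Count -gt 1 -or $auth -contains 'Open') {
            [pscustomobject]@{ SSID = $name; Authentication = ($auth -join ', ') }
        }
    }
}

New-ChildAccount -Name 'kid'
Set-WifiProfilesManual
Find-SuspiciousSsids | Format-Table -AutoSize
```

An empty result from the last command means no SSID in range is currently advertised with conflicting or missing security; it is a point-in-time check, so repeat it when the device arrives at a new location.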

Low maintenance

In the past we have posted suggestions about how to set up a computer that requires a minimum of attention afterwards, which we called minimum effort for maximum protection. While this may seem like an attractive solution for your children, it’s important to realize that it does require some degree of security awareness of the computer user.

While this may not be suitable for all ages, it is an approach you might want to take with older children if you are trying to involve them in the process of understanding and securing their own device.

The other side

Depending on their age and computer skills, you will want to talk your kids through what you did and why. A class full of determined teenagers will break through your defenses in no time at all. If they understand what you are trying to protect them from they may use those same skills to steer clear of those dangers.

Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories

We’re excited to announce Malwarebytes Cloud Storage Scanning, a new service that extends Nebula malware scanning options to include files stored on cloud storage repositories that are part of your organization’s digital ecosystem.

Today, the service supports scanning of files under 100Mb in size that reside on Box.com or on Microsoft’s OneDrive, and will extend to other popular file storage solutions in the coming quarters.

Malwarebytes Cloud Storage Scanning uses multiple anti-malware engines, using a combination of signatures, heuristics and machine learning to increase detection rates, decrease detection times and provide a comprehensive view to monitor and protect the health of all your enterprise data. 

Let’s dive in on how to make a scan!

Scanning for cloud malware

In Nebula, go to “Settings” and click “Cloud Storage Scans”. Here you can see existing scans and the providers being checked. Click “Add a Scan” to create a new scan.

Under “Settings”, name the scan and then select your cloud data storage provider.


Enter the configuration details from the storage provider to select and validate your account. In order to connect to your provider, you will need to provide a Tenant ID, Client ID and Client Secret.

If you select “Continuous scan”, Malwarebytes will only check for new and updated files from this point forward. To initially check all existing files for malware, leave this box unchecked and configure a scheduled or on-demand scan.

Click “Connect to provider” to provide access to your cloud storage location.

Once you see a success message, go to “Items to scan” to select the users or folders to scan. You can scan folders and their sub-folders.

If you have not selected continuous scan, go to “Scan frequency” to determine the cadence. Note that with scheduled scans, you will be scanning the contents of the selected folder(s) each time versus a continuous scan that only scans the changes.

Scans can be scheduled daily, weekly or monthly. Select “Scan now” for a one-time scan to occur immediately. Save for the scan to take effect and begin running on the cadence you chose.

In this example, we have a one-time scan for existing malware in the folder and a continuous scan for future changes.

Review the results of scans with “Storage detections” on the left-side navigation bar.

Here you can see a list of all detections from any cloud storage location. You can sort by “Threat name”:

Filter by cloud provider:

And “Add/Remove Columns”:


A report is also available to send a list of detections via email. Navigate to the “Reports” section on the nav bar:


Click “Cloud Storage Detections Summary”. You’ll be prompted with a window to configure the report.


Click “Save”.

As you can see, the report was delivered to our email.

An additional layer of security

While integrated cloud malware detection solutions (e.g. BoxShield for Box.com; MS Defender for OneDrive) can be useful, many businesses use multiple different cloud storage repositories, and due to lack of integration options, are unable to get a centralized view of all of their scan results, across multiple repositories, in a single security-focused pane of glass.

Malwarebytes Cloud Storage Scanning is easy and quick to deploy, centrally managed, and is seamlessly integrated with other Malwarebytes products and services that provide cloud security best practices.

Interested in reading about real-life examples of cloud malware mitigation? Read the case study of how a business used Malwarebytes to help eliminate cloud-based threats.

CISA and FBI issue alert about Zeppelin ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) about Zeppelin ransomware. The advisory contains indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware variants identified through FBI investigations as recently as June 21, 2022.

Zeppelin

Zeppelin, aka Buran, is a ransomware-as-a-service (RaaS) written in Delphi and built upon the foundation of VegaLocker. Because of the RaaS model, several methods are in use to gain initial access. The CSA mentions RDP exploitation, SonicWall firewall exploits, and phishing campaigns. Earlier, Malwarebytes’ researchers found a malvertising campaign that dropped Zeppelin ransomware as one of the possible payloads.

Zeppelin uses double extortion: the operators threaten to sell or publish exfiltrated data if the victim refuses to pay the ransom.

While anyone can fall victim to these threat actors, the FBI noted that this malware has been used to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.

Mitigation

Besides IOCs, attack techniques, and a Yara signature, the CSA provides a lot of mitigation advice. Since the techniques used by the Zeppelin gang are far from unique, the advice is worth repeating because it works against a lot of similar ransomware operators.

But you should also realize that while it’s easy to say, for example, that you need reliable and easy-to-deploy backups, it’s not always easy to follow that advice. It is well worth pursuing though, since it may save your bacon at one time or another.

Backups

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data, and regularly maintain backup and restoration procedures. By instituting this practice, the organization ensures it will not be severely interrupted, or left with only irretrievable data.

Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

In a nutshell: Put your backups out of the reach of attackers, and make sure they work by testing that you can restore working systems from them.

Authentication

Require all accounts with password logins to comply with standards for developing and managing password policies.

  • Require multifactor authentication wherever you can—particularly for webmail, VPNs, and critical systems.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Implement time-based access for accounts set at the admin level and higher.
  • Use long passwords (CISA says 8 characters, we say you can do better than that) and password managers.
  • Store passwords using industry best practice password hashing functions.
  • Implement password rate limits and lockouts.
  • Avoid frequent password resets (once a year is fine).
  • Avoid reusing passwords.
  • Disable password “hints”.
  • Require administrator credentials to install software.

Software

Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)

Networks

Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.

Email

Consider adding an email banner to emails received from outside your organization.

Disable hyperlinks in received emails.

Scripts

Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

Stay safe, everyone!

A week in security (August 8 – August 14)

Researchers found one-click exploits in Discord and Teams

A group of security researchers have discovered a series of vulnerabilities in Electron, the software underlying popular apps like Discord, Microsoft Teams, and many others, used by tens of millions of people all over the world.

Electron is a framework that allows developers to create desktop applications using the languages used to build websites: HTML5, CSS, and JavaScript. It’s an open source project that has been used as the foundation for some extremely popular apps. Electron itself is built on the open source Chromium browser project (the basis of Google Chrome), and the NodeJS JavaScript runtime which is built on Chromium’s V8 JavaScript engine—a significant source of Chrome security problems.

Building blocks

It is not uncommon for developers to use other projects, frameworks and libraries as building blocks for their projects. Building on proven code makes sense: It saves time, it is easier for others to get involved, and everyone benefits from all the layers of solved problems in the existing codebase.

The problem with building software on existing foundations provided by others is that the application’s developers may not fully understand the security implications of certain decisions or configurations. They also need to rebuild their own application whenever a security vulnerability is fixed in the software they’re building on top of, and then distribute that update to their users.

Probably the most famous example of such a building block vulnerability is Log4Shell. Log4Shell is a vulnerability that was found in Log4j, an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the impact of the vulnerability was enormous.

The chances of applications harboring out-of-date underpinnings are high. And the reservoir of known bugs that are fixed in, say, Chrome, but not yet fixed in Electron, or fixed in Electron but not yet fixed in an application built on top of Electron, is something that criminals and researchers can exploit.
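One defensive check that follows from this is an inventory of which Electron version each in-house app bundles, so you can spot the ones lagging behind. The script below is an added example, not code from the article or from the researchers; it assumes the common convention that an app pins Electron in its package.json devDependencies, uses constructed sample manifests, and treats the minimum version as a placeholder you set to your own baseline.

```javascript
// Added example: inventory pinned Electron versions across app manifests and
// flag those older than a chosen minimum (or with no pin at all).
// Assumes Electron is pinned under devDependencies/dependencies in package.json.

// Parse "^19.0.8", "~18.3.5", "v19.0.8" or "19.0.8" into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Compare two [major, minor, patch] triples; negative if a is older than b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return the apps whose pinned Electron is below `minimum`, plus apps where
// no pin could be found (those need a manual look, so they are reported too).
function findOutdatedElectron(manifests, minimum) {
  const floor = parseVersion(minimum);
  const findings = [];
  for (const [app, manifest] of Object.entries(manifests)) {
    const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
    const spec = deps.electron;
    if (!spec) {
      findings.push({ app, electron: null, reason: "no electron pin found" });
      continue;
    }
    if (compareVersions(parseVersion(spec), floor) < 0) {
      findings.push({ app, electron: spec, reason: `below minimum ${minimum}` });
    }
  }
  return findings;
}

// Constructed sample manifests (not any real product's files).
const SAMPLE_MANIFESTS = {
  "chat-client":  { devDependencies: { electron: "^13.1.7" } },
  "meeting-tool": { devDependencies: { electron: "~20.0.1" } },
  "note-taker":   { dependencies: {} },
};

const MINIMUM_ELECTRON = "20.0.0"; // placeholder floor; set this to your own baseline

const OUTDATED = findOutdatedElectron(SAMPLE_MANIFESTS, MINIMUM_ELECTRON);
console.log(OUTDATED); // chat-client (old pin) and note-taker (no pin) are reported
```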

A group of researchers recently presented research into Electron vulnerabilities at the Black Hat security conference, having done exactly that. For a peek into what they did, and a look at how complicated modern bug hunting is, read researcher s1r1us’s explanation of how they went about finding a remote code execution (RCE) vulnerability in Discord by chaining a new cross-site scripting vulnerability, a CSP bypass in Discord’s out-of-date Chrome version, and an exploit for an existing V8 vulnerability.

In the case of s1r1us’s Discord bug, what the researchers found could be exploited with nothing more than a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, an attacker would have been able to take control of their computers.

Mitigation

The most general and best advice in many cases is to avoid clicking on links that arrive unexpectedly or in unusual ways. In an ideal world you would distrust them with the same vigor as the links in your mailbox and on social media. However, this can be very difficult in practice because many of these applications require you to click on links to join meetings, accept invitations and so on.

A more workable solution, suggested by the researcher, is to use apps like Discord or Spotify inside your browser, because then you have the protection afforded by Chrome, which is much greater than the protection provided by Electron, and you control whether it’s up to date or not.

Most of us, though, will simply stick to downloading our security updates and hope that the people who make the software are doing the same.