IT NEWS

A thief has been stalking London. 

This past summer, multiple women reported similar crimes to the police: While working out at their local gyms, someone snuck into the locker rooms, busted open their locks, stole their rucksacks and gym bags, and then, within hours, purchased thousands of pounds of goods. Apple, Selfridges, Balenciaga, Harrod’s—the thief has expensive taste. 

At first blush, the crimes sound easy to explain: A thief stole credit cards and used them in person at various stores before they could be caught. 

But for at least one victim, the story is more complex.  

In August, Charlotte Morgan had her bag stolen during an evening workout at her local gym in Chiswick. The same pattern of high-price spending followed—the thief spent nearly £3,000 at an Apple store in West London, another £1,000 at a separate Apple store, and then almost £700 at Selfridges. But upon learning just how much the thief had spent, Morgan realized something was wrong: She didn’t have that much money in her primary account. To access all of her funds, the thief would have needed to make a transfer out of her savings account, which would have required the use of her PIN. 

“[My PIN is] not something they could guess… So I thought ‘That’s impossible,'” Morgan told the Lock and Code podcast. But, after several calls with her bank and in discussions with some cybersecurity experts, she realized there could be a serious flaw with her online banking app. “But the bank… what they failed to mention is that every customer’s PIN can actually be viewed on the banking app once you logged in.”

Today on the Lock and Code podcast with host David Ruiz, we speak with Charlotte Morgan about what happened this past summer in London, what she did as she learned about the increasing theft of her funds, and how one person could so easily abuse her information. 

Tune in today to also learn about what you can do to help protect yourself from this type of crime. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Cisco has published a security advisory for a vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) that could allow an authenticated, remote attacker to read and delete files on an affected device. The bug, with a CVSS score of 7.1 has no patch and no workaround. Cisco plans to provide a fixed release for version 3.1 in November, and a fixed release for version 3.2 in January, 2023. Release 3.0 and earlier are not vulnerable.

Cisco advises that hot fixes are available on request.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The most urgent patch in this update is aimed at CVE-2022-20822.

CVE-2022-20822 is a path traversal vulnerability in the web-based management interface of Cisco ISE that could be exploited by an authenticated, remote attacker. Path traversal vulnerabilities allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths.

An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system. A successful exploit could allow the attacker to read or delete specific files on the device that they should not have access to.

Also in the advisory

The Cisco advisories page mentions another vulnerability in the ISE. The CVE-2022-20959 vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by persuading an authenticated administrator of the web-based management interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

And then there is a vulnerability worth noting because it is rated as high impact. CVE-2022-20933 is a vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart.

A patch is available for both.

Insufficient validation

The clear pattern here then it is insufficient validation of input on remotely accessible services.

Missing or improper input validation is a major factor in many web security vulnerabilities, including cross-site scripting (XSS) and SQL injection. While customers are entitled to expect proper input validation, it is a problem that haunts all web interfaces, and has done for decades.

So, instead of relying on the input validation provided by the vendor, users should consider adding extra measures, such as only allowing connections from trusted IP addresses, a limited numbers of authentication requests, and disabling access from the internet where it’s appropriate.

Last week on Malwarebytes Labs:

• Thermal cameras could help reveal your password
• How to spot a scam
• Warning: “FaceStealer” iOS and Android apps steal your Facebook login
• Criminal group busted after stealing hundreds of keyless cars
• Fake tractor fraudsters plague online transactions
• DeadBolt ransomware gang tricked into giving victims free decryption keys
• Why Log4Text is not another Log4Shell
• Ransomware attack freezes newspaper printing system
• Man scammed IRL for a phone he sold online
• 5 essential security tips for SMBs
• Microsoft fixes driver blocklist placing users at risk from BYOVD attacks
• Microsoft breach reveals some customer data
• New PHP-based Ducktail infostealer is now after crypto wallets
• Venus ransomware targets remote desktop services
• Suspected LAPSUS$ group member arrested in Brazil
• Third-party application patching: Everything you need to know for your business
• Gas, a positive social network for teens (no, really)
• Looking for student debt relief? Watch out for scammers says the FBI
• Former cop abused unrevoked system access to extort women
• Large typosquatting campaign delivers tech support scams

Stay safe!

Advocate Aurora Health has disclosed that by visiting its websites users may have shared personal information, and possibly protected health information (PHI), with Google and Meta (Facebook).

Advocate Aurora Health is the 11th largest not-for-profit, integrated health system in the US and provides care for about 3 million patients. The company used tracking technology provided by Google and Meta to understand how patients and others interact with its websites.

The questions Advocate Aurora Health wanted to answer were no different than any other website owner: How do visitors use its website, what draws them here, and which pages do they visit? That is very useful information if you want to optimize your website, attract more visitors, and build something that actually fits users needs.

And their solution was no different either: They turned to Google and Meta, who provide website owners with this information through the use of tracking “pixels”. The code behind a tracking pixel can give a website owner useful information about their visitors, such as the type of device they are using, their approximation location (which can be worked out from a user’s IP address), and how they move from page to page across a website. It can also reveal if visitors are coming from a paid ads on Google, Twitter, or Facebook, so companies can tell whether their marketing dollars are being spent productively.

How data can be leaked

What the Advocate Aurora Health’s disclosure doesn’t reveal is how the information was shared, or whether or not Google and Meta were aware of it. We note that the language it uses is “disclosed” rather than “gathered”, suggesting the website over-shared rather than an overreach by the trackers.

Although both Google and Meta have, rightly, earned repuations for rapacious data gathering, the details of how their pixels work, and what they do and don’t care about, are important where health information is concerned. It is possible that neither were aware of the nature of the data being shared, and that neither would want the legal or compliance headaches that come with handling it.

If that is the case, it wouldn’t be the first time. Just two months ago North Carolina-based Novant Health notified 1.3 million patients that using the Meta pixel code may have led to unauthorized disclosure of PHI.

In 2015, when the Affordable Care act’s healthcare.gov website first launched, it was also found to be leaking data to third parties, and it provides a useful lesson in how it can happen.

Simplistically, web analytics and web ad tracking systems want to know the number of indvidual visitors to the different URLs on a website, and how those visitors got there. Each time a visitor lands on a page a tracking pixel sends the URL (along with some extra information, such as the browser type, screen resolution, IP address etc) to Google, Meta, or whoever, so that they can add +1 to the count for that URL.

The healthcare.gov site used URL parameters to pass information from page to page as people moved through the site. The parameters included the user’s age, zip code, income, and whether or not they were a smoker or pregnant. Since the URLs contained that information, and the URLs were sent to third party trackers to be counted, the third parties found themselves inadvertently receiving and storing privileged information.

Research done by TheMarkup in June of 2022 showed that Meta’s pixel could be found on the websites of 33 of the top 100 hospitals in America.

What was disclosed

For Advocate Aurora Health customers, the following information may have been involved:

• IP address
• The dates, times, and/or locations of scheduled appointments
• Their proximity to an Advocate Aurora Health location
• Information about their provider
• The type of appointment or procedure
• First, last name, first name of a proxy, and medical record number
• Information about whether they had insurance

According to Advocate Aurora Health, no social security number, financial account, credit card, or debit card information was involved in this incident.

Stop tracking me

Advocate Aurora Health disabled and/or removed tracking pixels on patient websites and applications. Luckily, not every website has to worry about that type of private information. Full disclosure, even this site uses tracking technology, but we do understand that you wish website owners didn’t.

There are several things you can do to stop this kind of tracking or limit the consequences.

• Use a browser that values your privacy. Unfortunately there is a low correlation factor between what most people find the best browsers and what are the best browsers when it comes to privacy and security.
• You can frustrate tracking by blocking and deleting cookies and making sure you log out of Facebook and Google before you visit other sites. However, this requires your full attention and in some of these cases you are relying on technology provided by Google and Facebook.
• Anti-tracking software is your easy way out. We at Malwarebytes, recommend Malwarebytes Browser Guard. You can keep on using Chrome, Firefox, Edge, or Safari and after the install you can set and forget about trackers. Our  browser extension blocks tech support scams, hijackers, pop-up ads, trackers, and more to keep users secure and free from online harassment.

Someone with a gift for technology but a nasty habit of using it for very bad things has been spared from going to jail with a suspended sentence. Peter Foy, 18 at the time of his antics, racked up a remarkable, and slightly peculiar, list of compromises before being brought before the court.

A strange combination

According to Brighton and Hove news, his spree began in 2019 with the initial purchase of a laptop from Amazon, bought with “fake Honey gift vouchers”. I would love to know more about how this initial foray into system compromise worked, as one would imagine purchasing anything with fake vouchers would be a bit of a tall order. Nevertheless, he did it, and from here a somewhat short life of crime beckoned.

From the South East Regional Organised Crime Unit:

The court heard that on 13 October, 2019, Foy committed fraud in that he made a false representation to Amazon—that he was entitled to use gift vouchers to buy an Acer laptop. It was using this laptop that Foy committed further offences.

From this report, it’s hard to tell if the vouchers were indeed fake, or obtained without permission. His compromise modus operandi was a combination of breaking into networks run by food retailers, and breaking into networks containing confidential patient records. That’s quite a peculiar mixture.

On the one hand, he was “arranging food deliveries” at a cost of thousands to the affected businesses. On the other, he was accessing patient records of a third party company providing services to the National Health Service. As the release notes, this is during the COVID-19 pandemic, where the last thing we needed was people potentially breaking health record services. Food delivery services also played an important role during lockdown, so any disruption here would also be potentially very disruptive for those most at risk. A strange combination, then, but not a very pleasant one.

Not quite Robin Hood

Eventually, he was grabbed by the long arm of the law. None of the available information explains how this happened, but it’s likely that a trail was left across the compromised businesses. Even a pro can slip up! One last roll of the dice for the defendant remained in the form of claiming that he was notifying and helping the organisations he compromised.

However, he “demanded financial rewards” from the victims, which isn’t how legitimate help works. If this was his version of a bug bounty program, it isn’t a very good one.

The attempt to downplay the crimes didn’t impress the judge much, and he was sentenced to 18 months’ custody, suspended for two years. In addition to this, he’ll also have to perform 300 hours of unpaid work. There’s no word if any sort of ban from using digital technology is included in any of this.

A hopefully short-lived impact

The details released on this set of attacks are unfortunately sparse, and perhaps not as specific as you’d expect. Detective Inspector Rob Bryant had this to say:

This case also serves as a timely reminder to anyone using their financial details online to check the security of the data. Foy was able to gain access to many victims’ accounts as they often used the same passwords across more than one account.

The Detective Inspector also went on to suggest making use of two-factor authentication (2FA), which is great advice.

If you’re notified in the near future that you’ve been impacted, or indeed have been contacted already, here’s what you can do:

• Take the advice on 2FA. Options include SMS, various apps, or even a physical hardware key. A FIDO2 hardware key is the best option.
• Grab yourself a password manager. They create and remember strong passwords to prevent reuse, and many will refuse to sign in to bogus websites.
• The various attacks outlined above likely resulted in the attacker seeing personal data he shouldn’t. This could put those people at an increased risk of social engineering or identity theft.

The FBI believes that scammers may be after people applying for the One-Time Federal Student Loan Debt Relief, a program announced by the Biden-Harris Administration in August 2022 that provides up to $20,000 in student loan debt relief. In a recent public service announcement, the agency warned of fraudulent websites, emails, texts, or phone scams aiming to defraud applicants.

Debt relief is open to people with an income of less than $125,000. Qualified Pell Grant recipients can get up to $20,000, while non-recipients can get up to $10,000.

That’s huge money, so scammers are likely to be paying attention. The FBI wants people to be on their guard for scammers pretending to be working on behalf of the program:

Cybercriminals and fraudsters may purport to offer entrance into the Federal Student Loan Forgiveness program, contacting potential victims via phone, email, mail, text, websites, or other online chat services

It warns that fraudsters may attempt to charge users for services that are free (entrance into the student loan relief program is free and never requires payment), or use the program as an excuse for collecting personal information from victims.

Keeping away from scammers

Here are some to-dos to remain vigilant against scammers who are after student loan relief applicants:

• Only use official US government websites.
• Remember that the US government doesn’t charge processing fees.
• Use your common sense: Think twice before clicking links in emails, downloading attachments, or entering data into webites.
• Be wary of emails, texts, or phone calls from individuals claiming to be from the government and offering assistance on how to qualify or apply for student loan relief.
• When you have questions about loan repayments, talk directly with the financial institution or company providing the loan.

If you think you’ve been defrauded, file a report with the FBI’s Internet Crime Complaint Center (IC3), the Department of Education, and the Consumer Financial Protection Bureau (CFPB); call your financial institution to stop or reverse the transaction; and monitor your accounts and credit reports for fraud activity.

Stay safe!

When Bryan Wilson, a former Louisville Metropolitan Police Department (LMPD) officer in Kentucky, pleaded guilty to cyberstalking charges in June, details of his crime weren’t revealed. Now they have.

A new court document discloses facts about how he stole sexually explicit photos and videos from private Snapchat accounts, and what he did with them.

Wilson used his privileged access to Accurint, a powerful data-combining software, to retrieve information about his potential targets. He then shared this information with a criminal hacker, who broke into the womens’ accounts to get their nude photos and videos. After acquiring explicit photos and videos, he then attempted to involve their owners in a sextortion scheme.

The FBI defines sextortion as “a serious crime that occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money”.

An example of how Wilson did this is provided by the court document:

The document doesn’t reveal if any of Wilson’s victims complied, but it said he posted the explicit content online and bragged about his exploits. In one case, Wilson sent a victim’s photos to her employer, which almost resulted in her termination.

Furthermore, Wilson conspired with others to engage in cyberstalking and extorting young women online. They would give Wilson a target by reaching out to him via his Kik account. Once he had successfully hacked the victim’s account, Wilson shared the stolen media with them.

“Wilson caused his victims untold psychological trauma, not only by extorting them and publishing their explicit photographs and videos online, but also by demeaning and insulting them during his text exchanges, calling them sluts, whores, and bitches,” the document states.

What wasn’t included in the court document but Courier Journal touched on was the fact that Wilson was no longer an LMPD officer when he stalked and extorted his victims. Two months after his resignation in July 2020, Wilson still had access to the Accurint system until it was disabled sometime in October 2020, when his crime spree officially ended.

“Upon discovering this, LMPD immediately disabled the Accurint access,” a statement from the department said. “A review was performed, and procedures have been put in place to ensure all access is suspended once a member separates from LMPD.”

Wilson faces a maximum penalty of 15 years in prison. This includes the sentence for a separate case wherein he violated the civil rights of Louisville pedestrians by throwing beverages at them while in uniform.

A new social network is currently in the news, billed as a positive space for teens to enjoy themselves. I’m all for positive spaces online, but what is it, and will teens really be happier there than (say) Instagram, or even just hanging out in WhatsApp groups?

Pump the gas

Launched in August of this year, Gas is an iPhone app aimed at teens. When you sign up, you use location services to allow the app to figure out which schools are nearby. During sign-up you add friends, and according to this review, it requests access to your contacts.

Once all of this is done, it allows users to share polls (with four options for each, based on what I’ve seen so far) and these happy, friendly polls let you “see who secretly likes you”, or feel a dopamine rush as you find out you’re most likely to do a really cool thing at band practice.

That seems to pretty much be it. The Gas app team refer to it as “The only wholesome place left on the internet” on their TikTok profile. In fact, with the app being very region restricted, it’s one of the first times I’ve had to figure out what something actually does by trawling through TikToks in the first place.

How restricted? We’re not talking about countries. We’re talking about individual states in the US, with Michigan being the initial launchpad, with several more added since.

A little too exclusive

This is the very definition of a super exclusive Internet club, but often to the app’s detriment if you’re trying to find out what it does and does not do. For example, I had to find out about location tracking and messaging policies through a TikTok video.

For reference, the TikTok clip states that messaging is not allowed; all that you can do is “answer polls about friends”. It also says that Gas “only uses your rough location to join a school and never saves it”. Even so, it’s not unreasonable to think that even if rough locations are never saved, having a user associated with a physical object (the school) means an association to location as far as the users are concerned, even if the app has no interest in such things. Generally speaking, school buildings don’t move around very much!

On the flip slide, this is something very unlikely to cause an issue given how limited the app is in terms of functionality. There isn’t much scope for social engineering when there’s no messaging allowed and only polls to click on.

A neutered net?

There don’t appear to have been any major complaints in relation to the app so far, and as far as we can tell, users’ experiences have been consistent with the developers’ claims. Even so, there are still a lot of unknowns here. Are you able to create custom polls, or is everything done via pre-selected polls which you can lightly customise? We don’t know, and poll creation isn’t touched on in the news.

Is there a possibility of Fear of Missing Out (FOMO) if children aren’t selected in polls? Perhaps, but as the developers mention, children who haven’t been picked “recently” will find themselves automatically dropped into other polls more frequently to give them a chance. How online can we consider these teens to be if all of their possible routes for interaction with other people is clicking one of four options in a poll? And how online will they feel, if their peers are using Instagram, SnapChat, WhatsApp, and TikTok?

Perhaps they’ll grow bored of Gas, or use it alongside their usual haunts. There isn’t enough data available yet, so we’re just going to have to see where it goes. Cyberbullying is an awful thing to have happen to your child, and the increasingly long list of things you need to do in these situations is always a cause for concern.

If the app is doing what it claims and kids are getting a positive buzz from interactions from a fairly closed circle, who am I to argue?

Patch management that is consistent and efficient has never been more critical in keeping your security infrastructure up to date and secure. Although today’s endpoint management solutions include patch management functionalities, third-party patching is an area that shouldn’t be forgotten.

In this post, we will cover the importance of third-party application patching and the challenges it can address for your organization.

What is a third-party application?

A third-party application is a type of software designed by an independent vendor other than the initial manufacturer of the device. Common examples of third-party app vendors, include Google Chrome, Adobe Acrobat Reader, TeamViewer, and others.

What is third-party patching and why is it important?

Third-party patching involves applying patch updates to third-party applications that have been installed on your business endpoints, which includes desktops, laptops, servers, and other devices. Third-party patch management patches vulnerabilities that, if exploited, can jeopardize the security and functionality of software. Vulnerabilities expose your company’s attack surfaces to malicious actors looking for opportunities to access your network.

So, why is patching third-party applications important to your business?

Patching software vulnerabilities is a key driver for preventing future cyberattacks on your organization. The vulnerabilities found in your business’s third-party apps opens the flood gates for hackers.

These malicious adversaries spread in your systems through techniques such as privilege escalation and lateral movement, seeking out sensitive information and valuable data. Patching third-party vulnerabilities reduces the likelihood of an attack while also fixing the bugs to improve software functionality. Another reason your organization should consider third-party patching is that it can help your business satisfy necessary compliance regulations.

The risks to your business when neglecting to patch third-party applications

In 2021, 93% of companies experienced a cybersecurity breach of some kind due to third-party vendors or supply chain weakness. With the average cost of a data breach in the US at an astounding $9.4 million, the repercussions of a cyber incident caused by unpatched vulnerabilities are detrimental. Consequentially, an attack of such magnitude causes disruption to daily workflows, productivity, and in cases causes reputational harm. Neglecting to patch third-party apps is a risk your company can’t afford.

When security teams choose not to consistently patch endpoints, your risk of exposure to potential cyberattacks increases. In 2021 for instance, Log4Shell, a software vulnerability in Apache Log4j 2, took the world by storm. For more information on Log4Shell, read the Malwarebytes blog post – What SMBs can do to protect against Log4Shell attacks.

What can businesses learn from vulnerabilities like Log4Shell? The third-party application patch management process is essential. Although third-party app vendors don’t strictly adhere to a patch release schedule, they normally do this when a vulnerability is discovered with a patch being released to address it. Read our article on Security vulnerabilities: 5 times businesses (and governments) got hacked for more information on how hackers exploited vulnerabilities like Log4Shell to attack organizations.

It’s challenging for organizations to keep up with all the software updates and available patches for third-party apps. More companies rely on third-party applications for their day-to-day business operations. Adhering to patch management best practices can help alleviate your security team’s load and enhance your organization’s cyber prevention.

What is automated third-party patching?

Automated patch management allows businesses to automatically scan endpoint devices for patches that are needed and automate the distribution of patches. In some situations, automated patching allows businesses to flexibly schedule patching deployments so that the third-party patching process doesn’t interrupt daily workflows. This automation eliminates the grunt work of manual patching where system admins would otherwise spend hours applying software patches themselves.

What are the drawbacks of automated patch management software?

Automated patch management can help minimize manual workloads and improve your company’s security posture. But it should be noted that automating the patch management process comes with increased operational risk depending on the situation.

Depending on the type of security infrastructure your organization has, implementing automated patch management software to a system that relies heavily on manual infrastructure deployment and managing may not be the best option. Security architecture that’s legacy-application heavy is not ideal for automated patch management. This is especially the case for integral applications – a minute of downtime causes dramatic organizational losses.

A common misconception is that automated third-party patching means your systems are more secure. While automatic patching helps your company maintain strong security posture, it is not a cure-all for security and is limited to its pre-programmed policies used to scan and identify missing patches. As more companies adopt cloud-native security infrastructure, the easier it will be to automate third-party patching.

Third-party patch management vs vulnerability management – Let’s compare the two processes

Third-party software patch management is centralized on grouping, prioritizing, and identifying missing patches in third-party applications. Patch management vendors created patch management solutions to tackle patches, but not all patches will resolve security flaws. For this reason, patch management products alone can’t effectively secure your organization.

Vulnerability management addresses your security risks by identifying security vulnerabilities in your systems. These vulnerabilities include a range of security issues where in some cases deploying a patch is not the solution to a particular vulnerability. Other vulnerabilities could involve security training for staff, configuring firewall policies, or making changes to your network.

Third-party Patch Management and Compliance

Timely and consistent third-party patching reinforces your cybersecurity prevention.

Third-party applications need to be continually updated to decrease your risk of infection. Leaving third-party apps unpatched or out of date can hinder your organization from achieving patch compliance requirements. Cybersecurity regulatory compliance such as PCI (Payment Card Industry Security Standards Council), GDPR (General Data Protection Regulation), and HIPAA (Health Insurance Portability and Accountability Act), all set standards for patch deployment and security patching protocols.

Interested in learning more about cyberattack prevention with vulnerability assessment and patch management tools? Visit our Vulnerability and Patch Management Modules and explore related content below.

Vulnerability response for SMBs: The Malwarebytes approach

Listen to Lock and Code – Why software has so many vulnerabilities, with Tanya Janca

Malwarebytes’ modernized bug bounty program – here’s all you need to know

5 technologies that help prevent cyberattacks for SMBs

Request a demo of our Vulnerability Assessment and Patch Management module 

It’s time for another tale of remote desktop disaster, as a newish form of ransomware carves out a name for itself. Bleeping Computer reports that individuals behind Venus ransomware are breaking into “publicly exposed Remote Desktop services”, with the intention of encrypting any and all Windows devices. Since at least August 2022, Venus has been causing chaos and has become rather visible lately.

This “Venus” is some skidware ransomware. For example samples:
One from July/August: 2e2cef71bf99594b54e00d459480e1932e0230fb1cbee24700fbc2f5f631bf12
And one from September: 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05

— MalwareHunterTeam (@malwrhunterteam) October 6, 2022

Venus brings bad remote tidings

It seems these attacks very much follow the typical Remote Services/Remote Desktop Protocol (RDP) gameplan. Break into the network via insecure access, stop processes and services according to the whims of the ransomware authors, and then encrypt the desired files. Confused people on the network will now find their filenames end with the .venus extension, and additional file markers with no currently obvious purpose placed inside the encrypted files.

The incredibly overt ransom note, which is somewhat difficult to read given it sports white text on a bright orange background, reads as follows:

“We downloaded and encrypted your data. Only we can decrypt your data. IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.”

You know, as opposed to being the victim of this scam instead.

A risk whether at home or in the office

Bleeping Computer notes one victim on their forum made several posts about being struck by this particular slice of ransomware. This individual found their home network under attack, external drives compromised, and a PC elsewhere in the house being used as a server receiving similar treatment.

In this case, the issue was RDP left running as a way to access a computer remotely. The victim notes that RDP was password protected, but it seems the password may not have been enough. This—and the timeless classic of having backup devices available but not getting round to doing the actual backing up—proved to be a dreadful combination blow.

Tips for avoiding the RDP to ransomware pipeline

RDP specifically continues to be a sore point for networks whether at home or in the office. Even with password protection, it may not be enough, as we’ve just seen to devastating effect for one unlucky individual.

If you’re running Windows 11, you’ll be pleased to know that Microsoft is taking action to help shore up the ways attackers can use RDP to break in. This has been achieved by limiting the number of times you can attempt to login, as per our article from back in July. If you’re interested in locking down your RDP in other ways, we have a long list of tactics for you to try out. The full list of tricks and tips from March can be seen here. Some of the key actions you should consider taking right now include:

• Use multifactor authentication for your RDP access. Attackers may crack your password, but without that second form of authentication to hand they’re going to find it a lot harder to get in.
• Rate limiting may now be somewhat redundant if you’re using Windows 11 considering recent security changes, but if not, this will slow down the speed that attackers can keep trying to guess your login.
• Place your RDP behind a VPN, but make sure you focus on keeping the VPN login secure as this is now your new point of access. This can be done by using multifactor authentication for login, and ensuring any email address tied to your account is similarly protected. If you’re able to use rate limiting alongside your VPN login too, then so much the better.

Stay safe out there!