
A week in security (October 10 – 16)

Last week on Malwarebytes Labs:

Stay safe!

Android and iOS leak some data outside VPNs

Virtual Private Networks (VPNs) on Android and iOS are in the news. It’s been discovered that in certain circumstances, some of your traffic is leaked so it ends up outside of the safety cordon created by the VPN.

Mullvad, the discoverers of this Android “feature”, say that it has the potential to cause someone to be de-anonymised (but only in rare cases, as it requires a fair amount of skill on the part of the snooper). At least one Google engineer claims that this isn’t a major concern, is intended functionality, and will continue as is for the time being.

MUL22-03

The Android discovery, currently named MUL22-03, is not the VPN’s fault. The transmission of data outside of the VPN is something which happens quite deliberately, to all brands of VPN, and not as the result of some sort of terrible hack or exploit. Although the full audit report has not yet been released, the information available so far may be worrying for some. According to the report, Android sends “connectivity checks” (traffic that determines if a connection has been made successfully) outside of whichever VPN tunnel you happen to have in place.

Perhaps confusingly, this also occurs whether or not you have “Block connections without VPN” or even “Always on VPN” switched on, which is (supposed) to do what you’d expect given the name. It’s quite reasonable to assume a setting which says one thing will not in fact do the opposite of that thing, so what is going on here?

The leakage arises as a result of certain special edge case scenarios, in which case Android will override the various “Do not do this without a VPN” settings. This would happen, for example, with something like a captive portal. A captive portal is something you typically access when joining a network—something like a hotspot sign-in page stored on a gateway.

Why? Because VPNs run on top of whatever Internet-connected network you are on, so you have to join a network before you can establish your VPN connection. Anything that happens before you establish your VPN connection can’t be protected by it.

As per Bleeping Computer, this leakage can include DNS lookups, HTTPS traffic, IP addresses and (perhaps) NTP traffic (Network Time Protocol, a protocol for synchronising net-connected clocks).

Mullvad VPN first reported this as a documentation issue, and then asked for a way to “…disable connectivity checks while ‘Block connections without VPN’ (from now on lockdown) is enabled for a VPN app.”

Google’s response, via its issue tracker, was “We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this.”

According to Google, disabling connectivity checks is a non-starter for four reasons: VPNs might actually be relying on them; “split channel” traffic that doesn’t ever use the VPN might be relying on them; it isn’t just connectivity checks that bypass the VPN anyway; and the data revealed by the connectivity checks is available elsewhere.

The rest is a back and forth debate on the pros and cons of this stance, which is still ongoing. At this point, Google is not budging.

iOS has entered the chat

It seems this isn’t confined to Android. Similar things are happening on iOS 16, with multiple Apple services claimed to be leaking outside of the VPN tunnel, including Maps, Health, and Wallet.

According to Mysk, the traffic being sent to Apple isn’t insecure, it’s just going against what users expect.

All of the traffic that appeared in the video is either encrypted or double encrypted. The issue here is about wrong assumptions. The user assumes that when the VPN is on, ALL traffic is tunneled through the VPN. But iOS doesn’t tunnel everything. Android doesn’t either.

They suggest that one way forward to stop this from happening would be to treat VPN apps as browsers and “require a special approval and entitlement from Apple”.

There probably won’t be much movement on this issue until the release of the full report on MUL22-03, but for now the opinion from those involved in testing seems to be that the risk is small.

FBI, CISA warn of disinformation ahead of midterms

In less than four weeks, the balance of power in the US House of Representatives and Senate will be up for grabs, along with a host of gubernatorial seats, and positions at the state and municipal levels.

With everyone preparing to cast their ballots, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have reminded people about the potential threat of disinformation.

Foreign actors may intensify efforts to influence outcomes of the 2022 midterm elections by circulating or amplifying reports of real or alleged malicious cyber activity on election infrastructure

It warns that foreign actors may “create and knowingly disseminate false claims and narratives regarding voter suppression, voter or ballot fraud, and other false information intended to undermine confidence in the election processes and influence public opinion of the elections’ legitimacy.”

It’s not news that countries outside the US have engaged in disinformation operations before. And though we may immediately think of Russia, Iran, and China, it’s worth keeping the other 70-odd countries that are into disinformation campaigns in mind too.

Nation-backed threat actors use several methods to amplify fake narratives and false claims, incite anger, and mobilize angry voters. They use public online spaces such as social media networks, and they also use email, text messages, online journals and forums, spoof websites, and fake personas.

The agencies also warn that threat actors may claim they have successfully hacked or leaked election-related data, to sow distrust in the US system and undermine voter confidence. They also affirm that while threat actors might be making hay in the discourse that precedes elections, the actual election process has not been compromised.

No information suggesting any cyber activity against US election infrastructure has impacted the accuracy of voter registration information, prevented a registered voter from casting a ballot, or compromised the integrity of any ballots cast.

Americans are urged to examine both the information they receive, and its sources, with a critical eye, and to seek out reliable and verified news to share, react to, and discuss with others.

Potential election crimes, such as intentional disinformation about the manner, time, or place of voting, should be reported to your local FBI Field Office, they say.

Android and Chrome start showing passwords the door

Google has announced that it’s bringing passkey support to both Android and Chrome. On May 5, 2022, it said it would implement passwordless support in Android and Chrome, and the latest announcement about passkeys is an important step in that journey.

Passkeys

Passkeys are a replacement for passwords. They are faster to sign in with, easier to use, and much more secure. Sounds good, right? So, why isn’t everybody using them already? Maybe because we do a bad job at explaining how easy they are.

Although they share four letters, passkeys are nothing like passwords. They use public-key cryptography, which requires a set of two cryptographic “keys”. One is public and one is private.

The public key is generated by the user and stored by whatever service the user is logging in to. When a user wants to log in, the service sends the user some data to “sign”; the user encrypts it with their private key and sends it back. The service then decrypts it with the public key. If the decryption works, that’s proof that the owner of the private key signed the data and is therefore the owner of the public key.

A user does not have to remember the public key or, heaven forbid, type it out in some form. That would only make matters worse. The public key also does not need to be kept a secret, which means you don’t have to worry about data breaches, post-its, machine-in-the-middle attacks, or any other way it could be discovered or fall into the wrong hands, because the wrong hands are welcome to it: It is useless to them.

As long as your private key is safe, you are secure. And the private key stays on a device you own, such as a phone or hardware key, is never shared with anybody or anything, and never leaves your possession. Its job is to prove that the public key is really yours.

Authenticators

So, your private key is something you hold on to, but where do you keep it, what actually does the signing with it, and how is it secured? All of this happens on devices called “authenticators”.

An authenticator is a device that knows how to create and share the public key, knows how to store private keys, and knows how to use them to sign things. Authenticators can be hardware keys, phones, laptops, or any other kind of computing device. Best of all, authenticators can be a separate device from the one you’re logging in on. So you can log in to a website on your laptop and use a phone paired with your laptop as the authenticator.

Since passkeys are built on industry standards, this works across different platforms and browsers—including Windows, macOS, iOS, and ChromeOS. An Android user can sign in to a passkey-enabled website using Safari on a Mac, and a Windows user can do the same using a passkey stored on their iOS device.

Before an authenticator will share a public key or sign you into a site, you have to authorise it to do so using a “gesture”. What constitutes a gesture is deliberately vague: It could be a button press, a successful Windows Hello face recognition, entering a PIN, or pressing a finger on your phone’s fingerprint sensor.

What’s important to remember here is that the gesture does not get sent to the website, it just permits the authenticator to do its work. So, if your authenticator uses a fingerprint scanner there is no need to worry your fingerprints will get sent to the website, exposed in a breach and re-used on a crime scene. Whether it’s a fingerprint, a facial scan, or anything else, the website knows nothing about the gesture at all.

Lost passkeys

Now your greatest worry is probably—what happens if I lose my private key or the device it’s on? This is where Google’s announcement comes in. (In my eagerness to explain, I almost forgot to tell you what it was exactly that Google announced.)

The announcement is:

  • Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager.
  • Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms.

Passkey synchronization makes it very hard to lose your private key: Passkeys are recoverable even in the event that all associated devices are lost.

This is similar to Apple’s ability to recover a keychain. To do so, a user must authenticate with their iCloud account and password and then respond to an SMS sent to their registered phone number. With the keychain in hand, passkeys can be recovered through iCloud keychain escrow.

Shift of responsibility

For years the responsibility for safe authentication has been put in the wrong hands: Users’. Since we all know that the strength of a chain is never greater than that of the weakest link, we’ve been trying to improve the strength of that link, sometimes by educating users, or yelling at them, even lying to them, or anything else that we thought could invoke a more responsible use of passwords.

What we haven’t done, or at least not as loudly, is wonder how threat actors got their hands on all these username-password combinations they could use in credential stuffing attacks. The answer was breaches. Asking a visitor to come up with a unique and secure password and then having thousands or even millions of them stolen doesn’t make the user feel any better about password security, does it now?

If you will allow me another analogy: In the past we sent a canary down into the mines to warn the miners if the carbon monoxide level was too high. The gases would kill the canary before killing the miners, thus providing a warning to exit the tunnels immediately. To improve that method, we didn’t start breeding stronger canaries, we improved the methods of detecting toxic gasses.

Passwordless future

For years we’ve been asking when we can get rid of passwords for good? Not yet, but this is a step closer. Now that it is available, we just have to get everyone on board.

The good news is that every modern browser already knows how to handle their part, by supporting the WebAuthn standard, so all we need now is for websites and other online resources to support it, and for vendors to create compatible authenticators.

Last year Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services. Together with Google and Microsoft, Apple committed to expanded support for the FIDO standard to accelerate the availability of passwordless sign-ins.

Let us know in the comments whether you agree that a better understanding of how passkeys work will make the transition go faster.

Introducing Malwarebytes Managed Detection and Response (MDR)

With our Managed Detection and Response (MDR) service now generally available for businesses and MSPs, you may be wondering: What is MDR, how does Malwarebytes MDR work, and do I need it?

Underpinned by our award-winning EDR technology, Malwarebytes MDR offers powerful and affordable threat prevention and remediation services, provided by a team of cybersecurity experts that remotely monitors your network 24/7 to detect, analyze, and prioritize threats.


MDR is a service that provides proactive, purpose-built threat hunting, monitoring, and response capabilities powered by a team of advanced cybersecurity technicians, combined with the analysis of robust correlated data. It takes the guesswork out of your most complex cybersecurity threats by delivering 24/7 threat detection, rapid alerts, prevention, and remediation.

Malwarebytes MDR defends your network every day and all night, safeguarding your data, reputation, and finances with always-on dedicated protection.

While it’s technically possible for SMBs to build out their own MDR program in-house, doing so is a time, expense, and effort equivalent to starting an entirely new IT security department. You’ll need to build out your own SOC facilities, hire a minimum of five full-time employees to provide 24/7 coverage, and so on. That’s why many SMBs opt to outsource their MDR to a service provider.

Our experts are your experts: With Malwarebytes MDR, our team of cybersecurity professionals acts as an extension to your security team, ensuring that you have the staff, skill, and experience you need to maximize your cybersecurity posture on a 24/7 basis.


Malwarebytes MDR workflow

To recap, the basic workflow for Malwarebytes MDR goes like this:

  1. The Malwarebytes MDR team monitors and analyzes your system, checking for IOCs and threat hunting, and finds something malicious.

  2. Our MDR team sends you an email alerting you to the threat and asking you to go to the MDR portal in Nebula.

  3. You log into Nebula and click on the MDR portal in the upper-righthand corner.

  4. In the main portal view you can see a basic log of everything that the analysts have done on that specific system. Click “Go to Case” for more details on specific threats.

  5. Clicking “Go to Case” will bring you back to Nebula for whatever suspicious activity or alert that the MDR team needs you to remediate.

  6. You do the remediation, go back to the MDR portal, and tell the MDR team that you’ve completed it.

  7. The MDR team closes out the alert.

How it works


It all starts with contextual enrichments. EDR alerts are enriched with context from threat intelligence feeds:

  1. Customer telemetry data from all deployed Malwarebytes products ingested.

    1. EDR (including Brute Force Protection) and Cloud Security Modules

  2. Threat intelligence feeds from multiple sources ingested

    1. Premium external threat feeds

    2. Internal Malwarebytes feeds including crowd-sourced intelligence from the entire Malwarebytes customer base (B2B and Consumer)

    3. Open-source feeds

  3. Telemetry data and threat intelligence correlated with alert

    1. Generates additional context to the alert (e.g., more clues to the behavior and origin)

The MDR Analyst Team monitors endpoint alerts 24×7 to field incoming alerts:

  1. Artifacts of alert rapidly reviewed and prioritized for triage

    1. Automations sift through the artifacts (processes, actions, etc.) to identify the most interesting

  2. Case opened on each artifact requiring triage

    1. Notification provided to customer within MDR Portal

  3. Case analyzed by MDR Analyst team

    1. Deep analysis and review leveraging enriched alerts

    2. Escalation to Tier 3 analysts, 2nd opinions within the team

  4. ‘Best course of action’ decided and communicated

    1. MDR Analysts communicate one of two possible decisions via the customer portal:

      1. Customer verification of artifact required 

      2. Remediation required

Then come the options for remediation:

  1. Malwarebytes managed 

    1. Malwarebytes automatically provides remediation by removing threats using EDR capabilities 

    2. Re-boot, re-imaging, and other onsite tasks will require customer involvement

  2. Collaborative

    1. Malwarebytes notifies customer who can authorize managed remediation or perform remediation themselves

    2. Work together to take care of it outside of biz hours, etc

  3. Manual (customer does it, guidance from MWB)

    1. Malwarebytes provides notification to customer with detailed guidance to perform remediation themselves

Finally, for case closure:

  1. Closure notification to customer within the MDR portal

  2. History of closed cases available for compliance and reporting needs

    1. Case event details available to customer

Want to learn more?

If you want to know more about MDR and if it’s right for you, check out these resources:

Only half of teens agree they “feel supported online” by parents

Not enough children and teenagers trust their parents to support them online, and not enough parents know exactly how to give the support their children need.

Those are some of the latest findings from joint research conducted this summer by Malwarebytes and 1Password, which we have published today in the report “Forever connected: the realities of parenting and growing up online.” The data from our two, parallel surveys—one for Generation Z respondents aged 13 to 25 and one for parents whose children are between 8 to 17 years old—revealed the need for parents to take an active, prolonged role in preparing their children for staying safe and private online.

But the task of raising kids online is, understandably, quite nuanced.

As revealed in our research, parents and children often have different ideas about what will keep them safe online. Complicating the matter is that many parents are passing down outdated or ineffective habits to their children, potentially creating a division between how well parents believe they’re supporting their kids and how well kids think they’re being supported.

Separate from cybersecurity, parents and teens also differ on how to stay private online, and even on what online privacy means and for whom. For example, while a majority of Generation Z members want their parents to ask for consent before sharing photos of themselves online, far fewer parents believe their children are owed that consideration. Compounding this is the fact that more than a third of parents said they felt it was okay to start sharing online images of their kids as soon as they were born.

These trends aren’t born of malicious intent, though. Mark Beare, general manager of consumer business for Malwarebytes, noted how parents will share images and videos of their children because they are proud of their kids and want to share these moments with others. Further, many parents—and non-parents—are sharing with an earlier understanding of the Internet.

“As more and more parents have also moved to social media they have begun sharing about their children in a much more public way. They are sharing without understanding the future ramifications on how this affects the digital profile of their kids as they come of age and manage their own digital profiles,” Beare said.

He continued:

“As a society we are all learning that the initial ‘free and open sharing’ that people did when social media was new has ramifications on our privacy and for the privacy of friends and loved ones.” 

In separately reviewing our report, Jason Kelley, associate director of digital strategy and activism at Electronic Frontier Foundation, stressed how important it is for families to learn about the Internet together.

“Whatever age you are, when you go online, you deserve security and privacy,” Kelley said. “It is essential that parents and young people learn how to protect those rights, because at least for now, many online platforms, bad actors, and in many ways the entire ecosystem of the Internet are working against them.”

In our full report, we explore several key themes and statistics:

Lacking parental support. Three quarters (74%) of parents are confident they are keeping their kids safe online, but only 51% of Gen Z respondents agree with the statement: “I feel supported online by my parents.” 

Absent antivirus. Though 76% of parents protect their children’s online experiences by installing antivirus software on devices at home, just 28% of Gen Z said their parents required them to use that software on their own devices.

Problematic security advice. A majority of Gen Z (70%) report that their parents taught them about password security in some way, including problematic security advice like: write down passwords on paper (33%), make easy-to-remember passwords (30%), and use the same password for everything (17%).

The dangers of the internet. 96% of parents and 93% of Gen Z say that using the internet can have harmful effects, with cyberbullying (73% of parents, 66% of Gen Z) and being influenced by misinformation (65% of parents, 64% of Gen Z) being the top two. 

Online since birth. Four out of five (79%) parents post images, videos, or personal information about their kids online. And 39% say it’s fine to start posting images of their children as soon as they’re born.

Clashing expectations for privacy. While 73% of Gen Z wish their parents would ask permission before posting pictures about them online at least some of the time, only 34% of parents ask permission and 39% feel they don’t need permission to post content related to their kids.

Conflicting sense of reality. 89% of parents say they monitor their child’s activity, yet 66% of teenagers say their parents have no involvement in their online accounts.

Stealthy workarounds. 72% of Gen Z admit to having tactics to avoid their parents’ monitoring. Some kids even go above and beyond to avoid detection, with 13% using a virtual private network, 9% having a secret device parents don’t know about, and 6% performing factory resets on their devices.


Chinese APT’s favorite vulnerabilities revealed

In a joint cybersecurity advisory, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.

The advisory aims to “inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).”

The US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the DIB (Defense Industrial Base) sector, which is related to military weapons systems; and other critical infrastructure sectors.

It is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.

The advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.

Last year, CISA began publishing a catalog of actively exploited vulnerabilities that need to be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of vulnerabilities favored by Russian state-sponsored threat actors.

If your organization’s intellectual property is likely to be of interest to China, this list is for you. And if it isn’t, this list is still worth paying attention to.

The vulnerabilities

Remote code execution (RCE)

RCE flaws let attackers execute malicious code on a compromised, remote computer. The advisory identifies 12 RCEs: CVE-2021-44228 (also known as Log4Shell or LogJam), CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-26084, CVE-2021-42237, CVE-2022-1388, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Arbitrary file read

The advisory identifies two arbitrary file read flaws—CVE-2019-11510 and CVE-2021-22005—which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.

Authentication bypass by spoofing

CVE-2022-24112 is an authentication bypass flaw that allows attackers to access resources they shouldn’t have access to by spoofing an IP address.

Command injection

CVE-2021-36260 is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.

Command line execution

CVE-2021-1497 is a command injection flaw that allows attackers to inject data into an affected system’s command line.

Path Traversal

Also known as “directory traversal,” these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. CVE-2019-19781, CVE-2021-41773, and CVE-2021-20090 are all forms of path traversal attack.

Mitigations

The NSA, CISA, and FBI urge organizations to undertake the following mitigations:

    • Apply patches as they come, prioritizing the most critical flaws in your environment.
    • Use multi-factor authentication.
    • Require the use of strong, unique passwords.
    • Upgrade or replace software or devices that are at, or close to, their end of life.
    • Consider adopting a zero-trust security model.
    • Monitor and log Internet-facing systems for abnormal activity.

Top 5 ransomware detection techniques: Pros and cons of each

In the fight against ransomware, much of the discussion revolves around prevention and response. Actually detecting the ransomware, however, is just as important to securing your business. To understand why, just consider the following example.

Let’s say you’re a farmer taking care of a flock of sheep and you’re worried about wolves. You’ve installed a fence: that’s prevention. You have an air horn to scare away the wolf in the event of an attack: that’s response. Great! But what if you had an alarm system and could take action as soon as the wolf got through your fence, before it started attacking at all? That’s what detection is all about.

Detection sits right between both prevention and response, and it’s a critical first defense against ransomware. You see, ransomware will get through your systems one way or another. And when it does, we want to detect it right away so we can stop it from moving through your network and encrypting any valuable or sensitive files.

But detecting ransomware can be tricky. Attackers use obfuscation and evasion techniques to avoid detection, and new ransomware variants are being produced every day. As a result, businesses should be using multiple different ransomware detection techniques, fully aware of the pros and cons of each.

In this post, we’ll look at 5 ransomware detection techniques and their pros and cons.

  1. Static file analysis 
  2. Common file extensions blacklist
  3. Honeypot files / deception techniques 
  4. Dynamic monitoring of mass file operations
  5. Measure changes of files’ data (Entropy)

1. Static file analysis

Let’s say you’re on an IT or security team and an alert has triggered on a key server within the organization. The alert is rather vague but is reporting that the file is potentially malware.

Making matters worse, the hash of the file isn’t on VirusTotal and you can’t find any information on the Internet to determine if the file is malicious or not. 

To see if this file is potentially ransomware (or any malware for that matter), one option is to do static file analysis. Static file analysis is a type of malware analysis that looks at whether an executable file is suspicious without actually running the code.

In the context of ransomware, static file analysis looks for known malicious code sequences or suspicious strings, such as commonly targeted file extensions and common words used in ransom notes.

Figure: Static malware analysis examines a malware sample without executing it.

One of the free tools that you may find useful for this purpose is PeStudio. This free tool flags suspicious artifacts within executable files and can be used to examine the embedded strings, libraries, imports, and other indicators of compromise (IOCs) in a file.

Pros: 

  • Low false positive rate

  • Effective against known ransomware

  • Can stop attacks before execution so no files are encrypted

Cons:

  • Time consuming if conducted manually

  • Can be bypassed easily using Packers / Crypters or by simply replacing characters with digits or special characters

2. Common file extensions blacklist

With file access monitoring tools, you can blacklist file rename operations for well-known ransomware extensions, or be alerted as soon as a new file is created with such an extension. 

For example, a file-access monitoring tool by NetApp allows you to block certain types of extensions from being saved on the storage system and shares, such as the WannaCry ransomware extension (.wncry). Other ransomware blacklist solutions include ownCloud and Netwrix.

There are a number of lists of common ransomware extensions on the Internet. One example is https://fsrm.experiant.ca/ (scroll down to “Raw List”).

Pros:

  • Low false positive rate

  • Effective against common ransomware

  • No damage is done

Cons: 

  • Trivial to bypass; ransomware with a new extension will manage to encrypt

  • It can be difficult to find a file-monitoring solution that has an extension blacklist feature

3. Honeypot files / deception techniques 

A honey file is a fake file intentionally put into a shared folder/location in order to detect the existence of an attacker, and when the file is opened, an alarm is set off. For example, a file named passwords.txt could be used as a honeyfile on a workstation.  

One popular way to create quick and easy honeyfiles is by using Canarytokens. Canarytokens is a free tool by Canary that embeds a token (unique identifier) into a document, such as Microsoft Word, Microsoft Excel, Adobe Acrobat, images, directory folders, and more. 

Any time a Canarytoken is accessed, Canary sends you a notification email to the address tied to the token. You can rename the Canary files to names that ransomware actors search for when looking for files on the victim network, such as “statement,” “policy,” or “insurance.” 

[Figure: Placing the Canarytoken in a folder where it will be seen by ransomware actors.]

Pros:

  • Can detect ransomware that static engines do not catch.

Cons: 

  • Some false positives, as programs and users may touch the bait files

  • Files will be encrypted until ransomware touches the decoy files

  • Bypass by skipping hidden files/folders, or by targeting specific folders

4. Dynamic monitoring of mass file operations

By monitoring the file system for mass file operations such as rename, write, or delete within a certain period of time, you can catch a ransomware attack happening in real time and potentially even block it automatically (depending on your solution).

A File Integrity Monitoring (FIM) tool can help you detect ransomware in this way. A FIM verifies and validates files by comparing the latest versions of them to a known, trusted “baseline,” and alerts you when files have been altered, updated, or compromised. 

There are free open source FIM tools available, such as OSSEC and Samhain File Integrity, and other solutions feature real-time remediation capabilities so you can instantly block detected ransomware with an automated threat response.

Pros:

  • Can detect ransomware that static engines do not catch

Cons: 

  • Files will be encrypted until the defined limit is exceeded

  • Easily bypassed by adding a delay between encryptions or by spawning multiple processes to encrypt batches/groups of files
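The mass-file-operation rule described above, as an added example written for this roundup (not code from the post or from any FIM product named in it): a per-process sliding window counts how many distinct files were renamed, written or deleted in the last few seconds, and the event stream, window length and file limit are all constructed assumptions.

```python
from collections import deque

# Constructed policy for this example (not from the post or any named FIM product): alert
# when one process touches more than MAX_FILES distinct files within WINDOW_SECONDS.
WINDOW_SECONDS = 10.0
MAX_FILES = 20

class MassFileOpDetector:
    """Sliding-window count of rename/write/delete events, tracked per process id."""

    def __init__(self, window: float = WINDOW_SECONDS, max_files: int = MAX_FILES):
        self.window, self.max_files = window, max_files
        self.recent = {}  # pid -> deque of (timestamp, path) still inside the window

    def observe(self, pid: int, ts: float, path: str) -> bool:
        """Record one event and return True if this process is now over the limit."""
        q = self.recent.setdefault(pid, deque())
        q.append((ts, path))
        while ts - q[0][0] > self.window:  # drop events that aged out of the window
            q.popleft()
        return len({p for _, p in q}) > self.max_files

def first_alert(events):
    """Replay (ts, pid, op, path) events in time order; return (pid, ts) of the first alert."""
    detector = MassFileOpDetector()
    for ts, pid, op, path in sorted(events):
        if op in ("rename", "write", "delete") and detector.observe(pid, ts, path):
            return pid, ts
    return None

# Constructed sample events: a backup job (pid 100) writing ten files a few seconds apart,
# and a process (pid 200) renaming thirty files four times a second, as ransomware does.
SAMPLE_EVENTS = (
    [(float(i * 3), 100, "write", f"backup/part{i}.bak") for i in range(10)]
    + [(100.0 + i * 0.25, 200, "rename", f"docs/file{i}.docx.locked") for i in range(30)]
)

if __name__ == "__main__":
    print(first_alert(SAMPLE_EVENTS))  # (200, 105.0): the 21st file inside the 10 s window
```

The backup job never exceeds ten distinct files, so only the burst from pid 200 raises an alert, and only after twenty files have already been renamed, which is the "files will be encrypted until the defined limit is exceeded" con above.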

5. Measure changes of files’ data (Entropy) 

In cybersecurity, a file’s entropy refers to a specific measure of randomness called “Shannon Entropy,” where typical text files will have a lower entropy and encrypted or compressed files will have a higher entropy. In other words, by tracking how much a file’s data changes when it is written, we can determine whether the file was encrypted or not.

Patrick Wardle’s free RansomWhere? tool uses file entropy to detect (and block!) untrusted processes that are encrypting your personal files. Tools that measure file entropy can also block processes after multiple flagged modifications with significant changes.

[Figure: Histogram of entropy of legitimate versus malicious files.]

Pros:

  • Can detect ransomware that static engines do not catch

  • Fewer false positives than previously mentioned dynamic techniques

Cons: 

  • High CPU utilization on the endpoint

  • Files will be encrypted until a level of confidence is reached, so not all damage is blocked

  • Bypassed by encrypting only part of the file, by encrypting in chunks, or by using multiple processes to encrypt
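The entropy technique as an added example written for this roundup (not code from the post or from RansomWhere?): it computes Shannon entropy in bits per byte and flags a write whose result is both high-entropy and much more random than the content it replaced. The thresholds, the sample document and the hash-chain stand-in for ciphertext are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Thresholds are constructed assumptions for this example, not values from the post
# or from RansomWhere?. Random or encrypted data approaches 8 bits per byte.
HIGH_ENTROPY = 7.0  # level that text and office documents rarely reach
MIN_JUMP = 2.0      # required increase over the file's previous entropy

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: -sum(p * log2(p)) over the byte values present."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(before: bytes, after: bytes) -> bool:
    """A normal edit keeps a file near its previous entropy; a ransomware rewrite replaces
    structured content with ciphertext, so the result is both high-entropy and a big jump."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= HIGH_ENTROPY and (e_after - e_before) >= MIN_JUMP

def audit_writes(events):
    """Given (path, old_content, new_content) write events, return the paths to alert on."""
    return [path for path, before, after in events if looks_encrypted(before, after)]

def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 chain, not a real cipher)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed sample: repetitive English text, like a statement or invoice.
SAMPLE_DOCUMENT = (b"Statement 2022-10: consulting services rendered. Amount due: 1,250.00 GBP. "
                   b"Please remit payment within 30 days. Thank you for your business.\n") * 40

# Constructed write events: a legitimate edit, a whole-file rewrite with ciphertext-like
# bytes, and a partial rewrite (first 512 bytes only) that whole-file entropy misses.
SAMPLE_WRITES = [
    ("docs/statement.txt", SAMPLE_DOCUMENT, SAMPLE_DOCUMENT + b"Paid on 2022-10-14.\n"),
    ("docs/policy.txt", SAMPLE_DOCUMENT, pseudo_random_bytes(len(SAMPLE_DOCUMENT))),
    ("docs/insurance.txt", SAMPLE_DOCUMENT, pseudo_random_bytes(512) + SAMPLE_DOCUMENT[512:]),
]

if __name__ == "__main__":
    for path, before, after in SAMPLE_WRITES:
        print(f"{path}: {shannon_entropy(before):.2f} -> {shannon_entropy(after):.2f} bits/byte")
    print("alerts:", audit_writes(SAMPLE_WRITES))  # ['docs/policy.txt']
```

The partial rewrite stays well under the threshold because most of the file is still plain text, which is exactly the “encrypting only part of the file” con listed above.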

Getting creative with ransomware detection techniques

Having several methods for detecting ransomware is an integral part of your organization’s anti-ransomware strategy. Catching the ransomware early offers great insurance against lateral movement and further damage. But remember: always assume an attack will be successful.

No matter what, make sure you have a ransomware prevention and recovery strategy in place. You can read our Defenders Guide to Ransomware Resilience for more on ransomware response. In terms of prevention, our Ransomware Prevention Checklist is a great place to start.

Malwarebytes EDR’s anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity. It features a dedicated real-time detection engine that does not use signatures, and doesn’t require updates. Our EDR also has multiple combined modes of endpoint isolation and gives you up to 72 hours of ransomware rollback. 

Check out a few case studies below to see how organizations used Malwarebytes EDR to fight against ransomware.

City of Vidalia gains a ransomware and vulnerability-free zone

Mike Carney Toyota tackles the rising ransomware threat

Alden Central Schools gains peace-of-mind protection against ransomware threats

Update now! October patch Tuesday fixes actively used zero-day…but not the one you expected

Microsoft fixed 84 vulnerabilities in its October 2022 Patch Tuesday updates. Thirteen of them received the classification ‘Critical’. Among them are a zero-day vulnerability that’s being actively exploited, and another that hasn’t been spotted in the wild yet.

The bad news is that the much-desired fix for the “ProxyNotShell” Exchange vulnerabilities was not included.

What was fixed

A widely accepted definition for a zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.

As such, a publicly known vulnerability is called a zero-day even if there is no known actively used exploitation for it.

The actively exploited vulnerability in this month’s batch is CVE-2022-41033, a vulnerability with a CVSS score of 7.8 out of 10. This is described as a ‘Windows COM+ Event System Service Elevation of Privileges (EoP)’ vulnerability, which gives an attacker the potential to obtain SYSTEM privileges after successful exploitation.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold on a system. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

Another publicly disclosed vulnerability that gets a fix is CVE-2022-41043, a Microsoft Office Information Disclosure vulnerability. Affected products are Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac. Microsoft says attackers could use this vulnerability to gain access to users’ authentication tokens.

What wasn’t fixed

The Exchange Server “ProxyNotShell” vulnerabilities, CVE-2022-41040 and CVE-2022-41082, were not fixed in this round of updates. One is a Server-Side Request Forgery (SSRF) vulnerability and the other a remote code execution (RCE) vulnerability that exists when PowerShell is accessible to the attacker. The two can be chained together into an attack.

Microsoft says it will release updates for these vulnerabilities when they are ready. In the meantime, you should read this blog post to learn about mitigations for those vulnerabilities.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones:

That should be enough to keep you busy, get patching!

UK government sounds alarm on tax scams

The UK government has issued a warning for people to be on their guard against fake tax rebate scams as they gear up to fill out their 2021/22 tax returns.

Ensuring your self-employed documents are correct and accurate can be a complicated business at the best of times. Having to worry about scammers making it all worse can make it a nightmare.

During tax season, a wave of bogus emails, texts, and even phone calls, can find their way into your workspace as you arrange your receipts and spreadsheets. The department responsible for tax in the UK, known as HMRC, has this to say:

In the 12 months to August 2022, HMRC responded to more than 180,000 referrals of suspicious contact from the public, of which almost 81,000 were scams offering fake tax rebates.

Criminals claiming to be from HMRC have targeted individuals by email, text and phone with their communications ranging from offering bogus tax rebates to threatening arrest for tax evasion.

Facts and figures

HMRC is quite aggressive toward scam portals and fakeouts generally. According to its release, in the 12 months to August 2022 it:

  • Responded to 181,296 referrals of suspicious contact.
  • Responded to 55,386 reports of phone scams.
  • Reported 10,565 malicious web pages for takedown.
  • Helped remove 48 phone numbers used for scams.

That is indeed a decent slice of takedown action. If you want to contribute to this tally, you can take any or all of the below steps:

With all of this in mind: What can you do to keep yourself safe from fake HMRC-related messaging?

Avoiding scams in a taxing time

There are some common traits which show up time and time again in fake tax scam land. As you may imagine, much of it hinges on fictitious refunds. Often, it isn’t “just” your tax info or logins the scammers are hunting for. If they can drag more data of yours into the mix, they’ll do it without a moment’s hesitation. Here’s what you need to watch out for:

  • Be very suspicious of so-called refund attachments arriving by email. The attachment may be malware, or try to direct you to a phishing portal. HMRC does not issue refunds in this fashion.
  • Some fake refund portals will encourage you to “search” for your account by entering your email, date of birth, and other information. One fake search page later and you’ll be asked to hand over the rest of your information.
  • A number of HMRC phishing attacks will branch out into phishing for bank portal logins. Whether the landing page has a padlock or not, you should not trust sites which arrive alongside refund or tax assistance claims. If you want to visit your banking portal, navigate to the site directly. Following a chain of links from a “too good to be true” email is a recipe for tax and banking disaster. On a related note, they may go after your email logins too. The same rules apply: Do not visit these links, and if you do, avoid entering logins / bank details / personal information.
  • Treat urgent, out-of-the-blue phone calls with extreme suspicion. If they claim to be offering a refund but “only for a few more days” or even just the length of the call, this is incredibly suspicious behaviour. It’s designed to put the would-be victim off guard so they make a rash decision. No genuine call would prevent you from calling the official number yourself and following up. It’s a scam!

Stay safe out there!