IT NEWS

Spying on the spies. See what JavaScript commands get injected by in-app browsers

Developer and privacy expert Felix Krause, aka KrauseFx, announced this week that he has released a simple tool to list the JavaScript commands executed by iOS apps when they use an in-app web browser to render webpages. He has already shared some eye-opening results on his Twitter feed.

Open Krause's new website, inappbrowser.com, inside the app you want to test and the page checks for one specific attack vector out of the many hundreds that exist: JavaScript injected into the page by the app itself. Disclaimer: a green checkmark is no guarantee that no JavaScript injection is going on.

The reason

According to his announcement, he built the tool after his own report on the risks of mobile apps using in-app browsers. Instead of opening links to external websites in the device's default browser, many apps render those links inside the app. More importantly, such apps rarely offer an option to use a standard browser instead of the in-app one. Since it would be a lot easier for a developer to hand the link to the browser that is already present, there must be a reason they want you to open links inside their own app.

Well, one of those reasons is that they can inject their own code into the website they just opened, which allows them to collect all the taps on a webpage, keyboard inputs, website title, and more. This is a privacy risk as such data can be used to create a digital fingerprint of a person. App-makers also claim, with some truth, that users do not like to hop from app to app—leaving their current environment only to be brought to another environment, like a separate web browser, when, for instance, shopping online. 

How to use

If you would like to check on some of the apps you are using, here’s how. First, you open an app that you want to analyze. Then you share the URL “https://InAppBrowser.com” somewhere inside the app (you can send it as a DM to a friend). Tap the link inside the app to open it and get a report about the JavaScript commands. Below you can find some results for apps that Krause tested.

Meta

Unsurprisingly, Instagram and Facebook have the ability to track interactions like searches, clicks, screenshots, and “form inputs.” Form inputs are a big deal since they can include things like passwords and credit card numbers. According to Meta’s response to Krause’s report, the injected script helps aggregate events, such as an online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.

One small bonus point for Facebook and Instagram is that they offer you the option to open third-party links in another browser (use that option!), which is more than we can say for TikTok.

TikTok

This should not come as a surprise, given that an FCC commissioner had already called TikTok an unacceptable security risk. When you open any link in the TikTok iOS app, it is opened inside the in-app browser; there is no alternative. While you interact with the website, TikTok subscribes to every keyboard input (including passwords, credit card numbers, and so on) and every tap on the screen, such as which buttons and links you tap. There is no way to know what TikTok uses the subscription for, but from a technical perspective this is the equivalent of installing a keylogger on third-party websites. TikTok confirmed that those features exist in the code, but said that it is not using them.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience—like checking how quickly a page loads or whether it crashes,” said spokesperson Maureen Shanahan in a statement offered to Forbes.

Legitimate reasons

There are some legitimate reasons for apps to use an in-app browser, but these should be limited to first-party content, and even then the publisher should offer the user the option to open the content in another browser, or explain why that is not possible. No such reasons exist for third-party content, which should always open in the browser the user prefers.

Incomplete

The inappbrowser tool is unable to show you everything that is going on for a couple of reasons, so a green checkmark is no guarantee.

  • With iOS 14.3 (December 2020), Apple introduced support for running JavaScript code in the context of a specified frame and content world. Code executed this way runs in an isolated world that shares the page's DOM but not its JavaScript objects, so it can still fully access the third-party website, yet nothing the page itself can inspect changes. A website such as InAppBrowser.com, which runs as part of the page, therefore cannot detect it.
  • The tool cannot detect other app tracking that may occur, such as custom gesture recognition, screenshot detection, or tracking of web request events.
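To make the detection concrete, here is a small page-side detector of the kind inappbrowser.com relies on. It is an added example written for this page, not Krause's code: it flags script elements the page did not ship itself, and native browser functions (addEventListener, fetch, XMLHttpRequest.send) whose built-in implementation has been replaced, which is the usual pattern for capturing taps and keystrokes. The FIRST_PARTY_ORIGINS allow list, the data-first-party marker and the demo inputs are assumptions. In a real page you would run collectFromDocument at load and again from a MutationObserver callback; under Node the demo runs on constructed input.

```javascript
// Added example: page-side detection of JavaScript injected by an in-app browser.
// Not the inappbrowser.com source. Runs in a browser or, for the demo, in Node.

// Assumption: the page only ships external scripts from these origins, and marks
// its own inline scripts with data-first-party="1". Anything else was added later.
const FIRST_PARTY_ORIGINS = ["https://example.com", "https://static.example.com"];

// True if fn still has its built-in implementation. A monkey-patched native
// (e.g. a wrapped fetch) is an ordinary JS function and prints its own source.
function isNative(fn) {
  if (typeof fn !== "function") return false;
  return /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Check a map of name -> function and report the ones that were replaced.
function findOverriddenNatives(targets) {
  return Object.entries(targets)
    .filter(([, fn]) => !isNative(fn))
    .map(([name]) => name);
}

// Classify script descriptors { src, inline, marker }: src for external scripts,
// inline text for inline ones, marker = the page's own data attribute was present.
function findForeignScripts(scripts) {
  const findings = [];
  for (const s of scripts) {
    if (s.src) {
      let origin;
      try { origin = new URL(s.src).origin; } catch { origin = null; }
      if (!FIRST_PARTY_ORIGINS.includes(origin)) {
        findings.push({ kind: "external", detail: s.src });
      }
    } else if (!s.marker) {
      // Inline script without the page's marker: injected through evaluateJavaScript
      // or a script element created from native code.
      findings.push({ kind: "inline", detail: (s.inline || "").slice(0, 60) });
    }
  }
  return findings;
}

// Combine both checks into one report; clean only if neither check fired.
function auditPage(scripts, natives) {
  const report = {
    foreignScripts: findForeignScripts(scripts),
    overriddenNatives: findOverriddenNatives(natives),
  };
  report.clean = report.foreignScripts.length === 0 && report.overriddenNatives.length === 0;
  return report;
}

// Snapshot of the live DOM when running in a browser (returns null under Node).
function collectFromDocument() {
  if (typeof document === "undefined") return null;
  const scripts = Array.from(document.scripts).map((el) => ({
    src: el.src, inline: el.textContent, marker: el.dataset.firstParty === "1",
  }));
  const natives = {
    addEventListener: EventTarget.prototype.addEventListener,
    fetch: window.fetch,
    xhrSend: XMLHttpRequest.prototype.send,
    querySelector: Document.prototype.querySelector,
  };
  return auditPage(scripts, natives);
}

// Constructed demo input: two legitimate scripts plus one injected inline keylogger,
// and a fetch that an injected script has wrapped in order to log requests.
function demo() {
  const scripts = [
    { src: "https://static.example.com/app.js" },
    { inline: "window.__app = {};", marker: true },
    { inline: "document.addEventListener('keydown', e => nativeBridge.post(e.key))" },
  ];
  const realFetch = typeof fetch === "function" ? fetch : function fetch() {};
  const natives = {
    push: Array.prototype.push,                                 // untouched built-in
    fetch: function (...args) { return realFetch(...args); },   // wrapped: no longer native
  };
  return auditPage(scripts, natives);
}
```

Both checks are blind to scripts run in an isolated content world: such code never adds a script element and never touches the page's own function objects, which is exactly why the bullet above says a green checkmark proves nothing.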

The article and the tool are focused on iOS, because the developer feels he is not knowledgeable enough to talk about the Android side of things, but you can rest assured that the apps you shouldn’t trust will be the same on either platform.

Business Services industry targeted across the country for backdoor access

The presence of so many hacking tools in the detections for the Business Services industry tells a story: these organizations are targeted not only for infection, but to establish backdoors and, likely, to reach the organizations' customers through the victim's network.

Just like everyone else, the Business Services industry dealt with heavy detections of exploit attempts against the CVE-2021-21551 Dell driver vulnerability. The trend line of these exploit blocks also follows the trend of our heuristic engine detecting never-before-seen malware, likely a result of successful exploit attempts during the same period. At the time of this spike, the insurance company CNA Financial was breached in a ransomware attack.

A subsequent spike of this threat in August 2021 coincides with three major attacks, likely achieved because of the success of CVE-2021-21551. These were the Kaseya breach, which spread REvil to hundreds of networks; the LockBit ransomware attack on consulting firm Accenture, which came with a $50 million ransom demand; and the T-Mobile data breach, which exposed the information of 50 million people.


Tools meant to compromise or hack an endpoint were detected in numerous places throughout the year. This includes PortScanner slowly gaining traction through 2021, then spiking during January and February of 2022. Around this same period, tire-maker Bridgestone was attacked by the LockBit ransomware gang. Our telemetry reveals these attacks focused on organizations in Georgia and Arizona.

Next, OpenPort is a hacking tool that had most of its traction in May and August of 2021 against companies in California and New Jersey, matching up with spikes in detections of the Dell driver exploit.

In addition, the RemoteAdmin tool was detected primarily in Tucson, Arizona and saw a spike in November 2021, which never let up through the rest of the period, meaning that there are likely existing infections of this threat that have yet to be caught.

Wrapping up hacking tools, Business Services in Massachusetts fought off multiple attempts to launch malicious PowerShell scripts on their systems. This was observed throughout the entire period but spiked in December of 2021, coinciding with the hack against the business scheduling provider FlexBooker.

Folks in California and Ohio have been dealing with increasing detections of the notorious Emotet trojan. A massive increase was observed in October 2021 and has continued until the end of the period.

Recommendations to the Business Services industry

Our recommendation is to ensure security staff can push updates and force regular scans on all endpoints, ideally remotely. Regular scanning goes beyond just checking for malware though. We recommend utilizing a traffic monitoring tool to identify any malicious or suspicious traffic coming both in and out of the network. Also, take the time to do regular audits of open ports on all endpoints, looking for possible backdoors.

Considering the desire to utilize these tools from inside of the network, ensure that individual user rights don’t extend to the point of being able to scan the entire network, open ports, or establish remote connections without the permission of IT. This effort will reduce the success these actors have and make their lives a lot harder.
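The port audit recommended above is easy to turn into a repeatable check. The following is an added example, not Malwarebytes tooling: it parses `netstat -ano` style output from a Windows endpoint and flags every non-loopback listener that is not in a baseline of expected ports, together with the owning PID to chase with `tasklist`. The BASELINE map and the SAMPLE output are constructed for the demo; in practice you would feed it the real command output and keep one baseline per endpoint role.

```javascript
// Added example: audit listening ports against a per-role baseline, using
// constructed `netstat -ano` output. Not Malwarebytes code; baseline is an assumption.

// Assumption: ports this class of endpoint is expected to listen on.
const BASELINE = new Map([
  [135, "RPC endpoint mapper"],
  [445, "SMB"],
  [3389, "Remote Desktop (if enabled by IT)"],
]);

// Constructed sample of `netstat -ano` output (not a real capture).
const SAMPLE = `
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       6120
  TCP    127.0.0.1:49677        0.0.0.0:0              LISTENING       3300
  TCP    10.0.0.12:50102        52.96.1.7:443          ESTABLISHED     5544
  TCP    [::]:5985              [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1700
`;

// Split "addr:port" (IPv4 or bracketed IPv6) into its parts.
function splitEndpoint(ep) {
  const idx = ep.lastIndexOf(":");
  const host = ep.slice(0, idx).replace(/^\[|\]$/g, "");
  return { host, port: Number(ep.slice(idx + 1)) };
}

// Loopback-only listeners are not reachable from the network.
function isLoopback(host) {
  return host === "127.0.0.1" || host === "::1";
}

// Parse TCP sockets in LISTENING state and all UDP sockets into records.
function parseNetstat(text) {
  const records = [];
  for (const line of text.split("\n")) {
    const f = line.trim().split(/\s+/);
    if (f[0] === "TCP" && f[3] === "LISTENING") {
      records.push({ proto: "TCP", ...splitEndpoint(f[1]), pid: Number(f[4]) });
    } else if (f[0] === "UDP" && f.length === 4) {
      records.push({ proto: "UDP", ...splitEndpoint(f[1]), pid: Number(f[3]) });
    }
  }
  return records;
}

// Flag network-reachable listeners that are missing from the baseline.
function audit(text, baseline = BASELINE) {
  return parseNetstat(text)
    .filter((r) => !isLoopback(r.host) && !baseline.has(r.port))
    .map((r) => ({ ...r, note: `unexpected ${r.proto} listener; check PID ${r.pid}` }));
}
```

On the sample, the audit reports TCP 4444 (a classic reverse-shell/bind port), TCP 5985 (WinRM, a legitimate service that still belongs in the baseline only if IT enabled it) and UDP 5353; the loopback-only listener on 49677 is skipped.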

How IT teams can prevent phishing attacks with Malwarebytes DNS filtering

Phishing attacks are a persistent threat to businesses globally. 

According to Verizon, 82 percent of data breaches in 2021 involved the human element, with phishing attacks making up over 60 percent of these. And if it ain’t broke, don’t fix it: threat actors have only continued to use phishing to attack businesses in 2022, with the Anti-Phishing Working Group (APWG) recording a 15 percent increase in phishing attacks in Q1 2022 compared to Q4 2021.

With Malwarebytes DNS filtering, however, you can prevent a large swath of phishing attacks. Our DNS filtering module extends our Nebula platform to help prevent risks introduced from nefarious websites and downloadable web content.

In this post, we’ll walk through what it looks like to block phishing attacks with Malwarebytes DNS filtering.

How to block phishing domains with DNS filtering 

Let’s say one of your employees gets an email like the one below. 

[Image: a sample phishing email. Photo credits: Phishing.org]

Without some kind of phishing protection in place, after clicking on a link in the email there’s a chance the employee might give up some sensitive information or be tricked into downloading a malicious program.

Obviously, we want to prevent that. 

Let’s press pause here and go back in time to set up our DNS filter in Nebula.

[Screenshot: the dashboard of the DNS Filtering module in Nebula.]

Let’s navigate to the “Rules” section and hit “New”.


Here, we’re prompted to name the rule and also select a policy to which the rule should be applied. 

I’m naming mine “Phishing block” and applying it to four of my endpoints.

Heading over to the “Categories” page, we see that “Use preconfigured settings” is enabled by default. This automatically blocks each subcategory in the “Security” category.

For demonstration purposes, we’ll turn this off and pick a category by hand. Just know that each of these security subcategories is available (and recommended)!

Let’s scroll down to the “Phishing” option and toggle it.



Under allow lists you can add domains to exclude from this DNS rule. We’ll leave it blank: we don’t want to allow any phishing sites!


Under block lists you can add specific domains to block. We’ll also leave this blank!


Let’s flash forward in time to our employee who received the phishing email. Unfortunately, they clicked a URL in it—but no need to worry. 

Our DNS filtering kicked in and blocked the site.

This is the default block page, but you can customize it to your liking under the “Global Settings” tab.

How does it work?

It works because Malwarebytes DNS filtering is powered by Cloudflare, which has a massive database of known phishing sites to which we can instantly block access using the intuitive Nebula UI.

But what happens if a phishing website somehow gets through and a malicious program (ransomware, for example) is installed on an endpoint? 

The answer is part of what makes our DNS filtering solution so holistic: because it is an add-on to our Endpoint Detection and Response product, a threat that gets through can be detected and mitigated using our EDR’s isolation and remediation capabilities.

In other words, DNS filtering helps you filter the easily-blocked known threats, giving time back to your organization to focus on remediating the threats that do get through with our EDR.
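The mechanics behind a category rule like the one configured above are simple, and worth seeing once. The following is an added example written for this post, not Malwarebytes or Cloudflare code: a threat feed maps domains to categories, a rule enables categories plus an allow list and a block list, and each query walks up its parent domains so that a blocked domain also covers its subdomains. The FEED contents, the rule names and the sinkhole address are constructed assumptions.

```javascript
// Added example: the decision logic behind category-based DNS filtering.
// Not Malwarebytes or Cloudflare code; feed contents and sinkhole IP are assumed.

// Constructed threat feed: domain -> category (a real feed has millions of entries).
const FEED = new Map([
  ["paypa1-secure-login.example", "phishing"],
  ["cdn.badcoin.example", "cryptomining"],
  ["tunnel.exfil.example", "dns_tunneling"],
]);

const SINKHOLE_IP = "0.0.0.0"; // what a blocked name resolves to

// Normalise a query name: lower case, strip the trailing dot of an FQDN.
function normalize(name) {
  return name.trim().toLowerCase().replace(/\.$/, "");
}

// Yield the name and each parent below the TLD, most specific first,
// so "login.bad.example" is checked as itself and then as "bad.example".
function* parentChain(name) {
  const labels = normalize(name).split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    yield labels.slice(i).join(".");
  }
}

// Rule shape mirrors the walkthrough: enabled categories, allow list, block list.
function makeRule({ categories = [], allow = [], block = [] }) {
  return {
    categories: new Set(categories),
    allow: new Set(allow.map(normalize)),
    block: new Set(block.map(normalize)),
  };
}

// Decide what a query gets: allow list wins, then the explicit block list,
// then any feed entry whose category the rule has enabled, else forward upstream.
function resolve(rule, qname) {
  const name = normalize(qname);
  for (const candidate of parentChain(name)) {
    if (rule.allow.has(candidate)) {
      return { name, action: "allow", reason: `allow-listed ${candidate}` };
    }
  }
  for (const candidate of parentChain(name)) {
    if (rule.block.has(candidate)) {
      return { name, action: "block", answer: SINKHOLE_IP, reason: `block-listed ${candidate}` };
    }
    const category = FEED.get(candidate);
    if (category && rule.categories.has(category)) {
      return { name, action: "block", answer: SINKHOLE_IP, reason: `category ${category} via ${candidate}` };
    }
  }
  return { name, action: "forward", reason: "no match" };
}

// Demo: a rule that blocks only the phishing category, allow-lists corp.example
// and explicitly blocks pastebin.example, run over a constructed list of queries.
function demo() {
  const rule = makeRule({
    categories: ["phishing"],
    allow: ["corp.example"],
    block: ["pastebin.example"],
  });
  return [
    "login.paypa1-secure-login.example.",
    "cdn.badcoin.example",
    "files.pastebin.example",
    "mail.corp.example",
    "www.wikipedia.org",
  ].map((q) => resolve(rule, q));
}
```

Note the order: the allow list is consulted before anything else, which is the behaviour the "Allow lists" step above relies on, and why leaving it empty for a phishing rule is the right call.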

Block threats from infiltrating browsers and web-based apps

Malwarebytes DNS Filtering module for Nebula helps block access to malicious websites and limit threats introduced by suspicious content. 

While we focused on preventing phishing threats in this post, the story doesn’t end there. You can also block access to spyware, DNS tunneling, crypto mining sites, and many other websites and domains that pose a security risk. 

Interested in learning more? Read the Malwarebytes DNS filtering datasheet. 

Further reading

What is DNS filtering?

3 ways DNS filtering can save SMBs from cyberattacks

DNS security for your small business

Introducing Malwarebytes DNS Filtering module: How to block sites and create policy rules

Attackers waited until holidays to hit US government

The government industry in the United States dealt with heavy hitting breaches against local, federal, and state government networks, primarily during the first quarter of 2021.

Our telemetry revealed a small spike in a generic backdoor detection, known as Backdoor.Agent, during March of 2021, mainly focused in Memphis, Tennessee. This data coincides with the attack on the Azusa Police Department in California; however, it reveals even more about the attacks observed the following month.  

During April of 2021, at least three notable attacks against government services made the news, this included the New York Metropolitan Transport Authority (MTA), the Illinois Attorney General’s office, and the Washington DC Police Department. During this same month, we also observed the beginning of a surge of exploits and AI detected threats that dominate the rest of 2021.


Our top spike for the period follows the detection of the exploit CVE-2021-21551 (Dell System Driver) and all the nasty threats it brought with it. Despite this, we were unable to correlate any newsworthy breach to this month. So, we can assume that the increase in detections was an onslaught of attempts to breach networks, shortly after the release of the Dell driver exploit. We can also make assumptions about this effort leading to numerous breaches and installations of backdoor malware, waiting dormant until later in 2021 and 2022 before launching a full attack.

Those most hammered by these exploit attempts were government organizations in Michigan and New Jersey.

The detection of this exploit slows as the year goes on, dwindling to almost nothing by May of 2022. This matches up with our detections of unidentified, AI detected malware. Despite that, a series of unspecific exploits battered the industry in late October, spiking in November and into December, when the Maryland Department of Health, the Virginia State Government and the Hawaii Timekeeping Services were all breached and disrupted, some due to ransomware, others to stolen data.


In addition to the push of exploits, the notorious TrickBot trojan has been lurking in the detections of this industry, staying mostly steady with only a 1.2 percent share of threats during the analyzed time period. Despite this, the small spikes of this threat in March, June, and November of 2021 seem to mostly align with major reported breaches.

Based on our data, there is a case to be made that government organizations are targeted mainly at the beginning and end of the year, a time known for vacations, reorganization, and reduced security staffing.

Our best recommendation for this industry, beyond ensuring that proper patching and threat detection software are deployed on every endpoint, is to consider two major factors when planning for a cyberattack: timing, and reducing operational disruption.

Timing can be addressed by understanding not only when the attackers come after an organization, but also when the organization is most vulnerable. For example, if you know that your staff will be reduced to only 25 percent during November, December, and January for the holidays, you might think you don't need as many security staff on hand since there are fewer users. That is a perfect opportunity for an intrusion that breached the network months earlier to finally achieve its purpose while the network is less guarded.

So, knowing the trends in attacks on government organizations, we recommend not reducing security staff during the holidays. If anything, you need more eyes on the network, looking for anything that stands out as odd when the network is meant to be relatively quiet. This might be achieved by bringing in additional security staff for the season, letting security staff take their vacations at other times than the usual holidays where possible, and in some cases making it possible for security and IT admins to investigate threats remotely through a cloud-based console.

The second recommendation is reducing operational disruption. When a restaurant gets hit by ransomware, it takes down the restaurant’s operations for a time, but the damage typically doesn’t go far beyond the restaurant’s walls. When a state or local government network is breached and hit by ransomware, because of the interconnected nature of government and public services, such an attack can disrupt entire cities and states, quickly creating chaos. It’s imperative to ensure that in the case of any type of cyberattack, there is some way to continue operations, be it at a backup site, using pen and paper, or having employees work remotely. The more pressure an organization is under to get things back to normal, the more leverage the attackers have against that organization.

Following these tips will not only reduce the damage done by these attacks, but likely increase the confidence that civilians have in the security of their government organizations.

Urgent update for macOS and iOS! Two actively exploited zero-days fixed

Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:

Kernel privileges

CVE-2022-32894: An out-of-bounds write issue was addressed with improved bounds checking. The vulnerability could allow an application to execute arbitrary code with kernel privileges. The kernel privileges are the highest possible privileges, so an attacker could take complete control of a vulnerable system by exploiting this vulnerability.

Apple points out that they are aware of a report that this issue may have been actively exploited.

WebKit

CVE-2022-32893: An out-of-bounds write issue was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website, or use malvertising, to compromise a vulnerable system. The vulnerability is in WebKit, Apple’s HTML rendering engine, which powers Safari and every other web browser on iOS, so iPhones, iPads, and Macs could all be tricked into running unauthorized code.

Apple points out that they are aware of a report that this issue may have been actively exploited.

More details

Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. And even then, it depends on the anonymous researcher(s) that reported the vulnerabilities whether we will ever learn the technical details. Or when someone is able to reverse engineer the update that fixes the vulnerability.

That being said, it seems likely that these vulnerabilities were found in an active attack that chained the two together, for example in a watering hole attack or as part of an exploit kit. CVE-2022-32893 could be exploited to run initial code in the browser, and that code could then leverage CVE-2022-32894 to obtain kernel privileges.

Mitigation

Users are advised to install the updates as soon as possible by upgrading to:

  • iOS 15.6.1
  • iPadOS 15.6.1
  • macOS Monterey 12.5.1

Details can be found on the security content for macOS page. And instructions to apply updates are available on the Apple Security Updates page.

Stay safe, everyone!

Bad rhythm: Janet Jackson song resonates poorly with some old hard drives

Janet Jackson’s Rhythm Nation music video would have caused quite the commotion back in the old Windows XP days. If you’re still running a certain model of an OEM hard drive from the Windows XP days, you may still be liable to experience the same thing today. However, said commotion was not solely down to the choreography or phenomenal beats.

Rhythm Nation by Janet Jackson came with a peculiar quirk: it crashed the hopes and dreams of the person watching it, along with their hard drive.

Microsoft writer Raymond Chen reveals the somewhat bizarre tale of Janet’s computer stomping abilities in a recent blog post.

What was happening here?

Back in the olden times, it turns out that specific flavours of hardware running Windows XP did not like Janet busting a move. Some different models of laptop, from competitors of the first brand, would also crash. Even more spectacularly: simply playing the song on one device could make a second device nearby crash.

Old-style mechanical hard drives are slowly being replaced by SSDs. You may still find them used by gamers for cheap extra game storage, but the mechanical hard drive’s time in the sun is over.

Mechanical drives have a whole lot of vibration going on inside, and this is where the drives become vulnerable to very peculiar forms of frequency based risk. Indeed, using the resonant frequency of the drive itself to make it stop working properly is not a new concept. Low frequency noise was used in tests during 2018 to break CCTV and prevent a laptop’s operating system from working.

Dancefloor devastation for your hard drive

Janet, ever the innovator, was clearly one step ahead of security researchers. By chance, it turns out that Rhythm Nation matched a resonant frequency of the hard drive used in these particular types of laptop. If you run into a mechanical drive in a device these days, there’s a good chance it’ll be a 7,200 RPM drive (RPM is the number of revolutions the drive’s platter makes per minute). The drives struck here, smooth criminal style, were specific models clocking in at 5,400 RPM.

Custom filters were added by manufacturers in the audio pipeline. These filters swung into action at the first sign of a Rhythm Nation intro and removed the frequencies as the audio played.

A CVE: better late than never

This rhythm-based tale of woe seemingly has no end. The Register noticed an entry on the list of Common Vulnerabilities and Exposures (CVEs), listed as CVE-2022-38392. From the description, surely Janet’s finest hour:

A certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005, allows physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video.

From further down the page, a rather relevant warning:

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

As I close the lid on my 2005 Windows XP laptop for the last time, never a truer word was spoken. 

How to secure a Windows PC for your kids

With the return to school fast approaching, it’s time to ready the things your kids will need to pass the next year with flying colors. Increasingly, that means computing devices, which means you’ll need to spend time thinking about the safety and security of what they will be using.

In our “Back to School” series we will talk about several types of devices you may encounter. This one is about Windows devices.

The basics

You know that when your kids are hard at work, they can’t be bothered with all the warnings, notifications, EULAs and whatnot. They are relentless in their pursuit of high grades, and maybe some less admirable goals. To achieve these goals they will click “OK” on anything that stands in their way. So, what you need to set up for them is something that gives them enough room to be a bit reckless.

Not that it’s wrong to give them a certain amount of responsibility or at least inform them about what you did to keep them secure. If they know and understand the goal, most of them will be more than happy to keep their system operational.

With that in mind, here are some security basics that you should attend to just as you would on any Windows computer:

  • Apply security updates promptly. All the software on the computer needs to be maintained by installing the latest security updates when they become available. Fortunately, Windows 10 will update itself automatically, as will popular modern web browsers like Edge, Chrome, and Firefox. We suggest that you turn on automatic updates for the Microsoft Store, which will take care of any software you download from there. Whatever software those steps don’t cover will need to be checked occasionally to see if there are newer versions available.
  • Use security software. Modern versions of Windows have lots of helpful security features, but Windows is still the most popular target for malware, so we strongly recommend that you install a third-party security solution like Malwarebytes Premium.
  • Start backing up. The only backup people ever regret is the one they didn’t make, so read Microsoft’s short guide to Backup and Restore in Windows, and get yours working on day one. Backups are your last line of defense against system-altering malware, like ransomware or wipers, as well as bad software updates, and hardware failure or theft. They will also protect your child’s work against the inevitable accident of your kid deleting their most important assignment the night before it’s due.
  • Install a password manager. A password manager is software for creating and remembering strong passwords. Good ones also provide a safe way for users to share passwords with other people. Install one on your Windows computer and get your child using it as soon as possible. Proper password handling is something lots of adults struggle with, so get your kids doing the right thing from day one.
  • Give your child a local user account. Even if your child is the only person using the computer, create a separate local user account for them with limited (standard user) permissions. Use a different account with administrator privileges to make changes to the computer, like installing software. Don’t share the administrator account with your child and never use it for work, web browsing, or email. Malware typically runs with the same permissions as the account that launched it. If your child accidentally runs malware as a standard user, it will not be able to alter the machine system-wide, although it can still damage that user’s own files, which is one more reason to keep backups.

Other considerations

If the device isn’t your property

If the Windows device is provided by the school or another organization, your options for implementing your own security ideas may be very limited, but that’s OK, it just means somebody is doing it for you. It’s usual for IT staff from the school to set up and manage this kind of computer and to give your child access to a standard local user account. That should be enough access for your child to do what they need to without getting into too much trouble.

Parental controls

Children search Google for the weirdest things and topics. Whether they searched for something on purpose or just because they didn’t know what it meant, search results for some phrases are best not seen by young children.

The parental controls included with Windows allow you to enforce restrictions on screen time; block apps, websites, and games; and provide reports on what your child has been doing with their device.

Parental controls can be useful to limit the risks your children run into online, but you should know up front that they cannot eliminate every risk out there. Read our article about parental controls to learn what they can and can’t do for you.

Social media, messaging, and games

Children are inclined to share their entire lives with their friends, and keen to get their hands on the phones, computers, and accounts that will let them do it online. Unfortunately, social media, messaging apps, and gaming come with risks: It is easy for predators to hide behind a picture of a child and a believable persona, there is no break at the end of the school day from the bullying and harassment that happens online, and gaming communities can be rough and unforgiving.

Like many other aspects of the adult world, children deserve to be introduced to these things in a careful, supervised manner, and many parents opt for some kind of digital oversight or restrictions. (It is worth noting too, that most social media apps have a minimum age requirement of 13, although as a recent Omegle investigation showed, you cannot assume a platform will enforce its age restrictions or that its moderators will keep your children safe).

Alongside whatever tools or techniques you use to keep children safe online, we recommend teaching them responsible digital citizenship from an early age, to help understand the dangers, and to recognize cyberbullying and harmful content. Establishing guidelines and teaching them responsible online communication and etiquette will help them to communicate respectfully, with responsibility and confidence.

Wi-Fi

By default, Windows 10 will connect automatically to Wi-Fi networks you have used at least once. With a device moving back and forth between home and school, this creates an opportunity for an attacker (perhaps another student) to set up a network with the same name. These so-called “evil twin” Wi-Fi network attacks simulate known networks and can be used to perform a machine-in-the-middle attack (MitM).

The easiest protection against these attacks is to disable the auto-connect feature. You can do this by clearing the check mark when you connect to the network, or in the properties of the connection by turning the “Connect automatically” option off. After doing this you can manually check the available Wi-Fi networks on location and look for two identical SSIDs (network names). For a password-protected network, an attacker who does not know the passphrase can usually only offer an open network with the same name, so the evil twin will typically show without a lock symbol next to the signal strength indicator. For an open network the twin looks identical, which is one more reason never to auto-connect to open networks.

Low maintenance

In the past we have posted suggestions about how to set up a computer that requires a minimum of attention afterwards, which we called minimum effort for maximum protection. While this may seem like an attractive solution for your children, it’s important to realize that it does require some degree of security awareness of the computer user.

While this may not be suitable for all ages, it is an approach you might want to take with older children if you are trying to involve them in the process of understanding and securing their own device.

The other side

Depending on their age and computer skills, you will want to talk your kids through what you did and why. A class full of determined teenagers will break through your defenses in no time at all. If they understand what you are trying to protect them from they may use those same skills to steer clear of those dangers.

Ransomwater confusion, does the criminal know who the victim is?

When we say that attribution is always tricky, we are clearly only seeing half of it. Apparently even the cybercriminals are not always clear on which company they breached.

Clop ransomware put out a statement that they breached Thames Water when in reality their victim was South Staffs Water. Fortunately nobody was deprived of water due to the incident.

Clop

Ransom.Clop was first seen in February 2019. Besides encrypting systems, the Clop ransomware also exfiltrates data, which is published on a leak site if the victim refuses to pay the ransom. In February 2021, the group made headlines by specifically targeting executives’ systems in order to find sensitive data.

Hoax or not so much

After becoming aware of the reports, Thames Water made it clear that, as far as they were concerned, the whole thing was a hoax. It would have been a hoax, had there not been a real victim of the attack.

On the website of South Staffs Water, we learned that South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, had been the target of a criminal cyberattack, but that the incident had not affected its ability to supply safe water. According to the statement, the company is experiencing disruption to its corporate IT network and has teams working to resolve this as quickly as possible, while its customer service teams are operating as usual.

The breach

On their leak site, Clop claims to have spent months inside the company's systems and to have noticed many very bad practices. They also said they had contacted the company with information on how to fix the problems, but never got a response. So, after spending months inside, you contacted the wrong company and they never gave you the time of day? How quaint.

Clop's claims

On their leak site Clop touts their accomplishments and rants about the victim company

Vital infrastructure

While we can joke about the mistaken identity and the confusion that followed in the media, the incident proves two points: ransomware gangs do not shy away from attacking vital infrastructure, but much of that infrastructure is robust enough to withstand such an attack.

Clop claims they have not encrypted any files and that they could potentially change the chemical composition of the water, but all they did was exfiltrate 5 TB of data. As we learned from the Malwarebytes podcast with Lesley Carhart, the chances of a critical infrastructure “big one” are remarkably slim. In fact, critical infrastructure’s regular disaster planning often leads to practices that can detect, limit, or prevent any wide-reaching cyberattack.

In other words, there are fail-safes in place that should reliably prevent any “chemically altered” water from ever reaching our homes, no matter whether you are a customer of Thames Water or South Staffs Water.

Clop corrects

At this moment, the Clop leak site displays “South-Staffs-water.co.uk,” not Thames Water, so they must have realized their mistake.

Leak site header (partial)

The exfiltrated data shown on the leak site contain copies of passports and drivers’ licenses, a lot of schematics, email addresses, and a list of VM servers combined with login credentials. Certainly not 5 TB worth of data, but probably enough of an incentive to get the victim to pay the ransom.

Getting the victim wrong might be a case of miscommunication between the affiliate that compromised the victim and the ransomware operator, combined with a poor grasp of English on one or both sides of the operation. Remember that ransomware groups now typically offer their ransomware as a service to other groups that have already infiltrated companies and organizations. By offering these criminal breach teams access to their ransomware, the ransomware developers get their malware into more targets than they could reach by themselves, and they take a “cut” of whatever ransom gets paid.

Importantly, though, misidentifying the victim and starting negotiations about the ransom with the wrong organization could leave the real victim clueless about what happened to them, or more to the point, who is responsible. Luckily it didn’t take too long in this case.

Update Chrome now! Google issues patch for zero day spotted in the wild

Google has updated the Stable channel for Chrome to 104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows; the update will roll out over the coming days/weeks. The Extended Stable channel has been updated to 104.0.5112.101 for Mac and 104.0.5112.102 for Windows, also rolling out over the coming days/weeks.

This update includes 11 security fixes. One of the vulnerabilities is rated “Critical”, and one rated “High” is already being exploited in the wild.

Vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). We discuss some of the CVEs included in this update below.

CVE-2022-2852: a critical use-after-free vulnerability in FedCM. Use-after-free (UAF) vulnerabilities arise from incorrect handling of dynamically allocated memory. If a program keeps a pointer to a block of memory after that block has been freed, and later uses it, the memory may meanwhile have been handed out for something else; an attacker who can control what lands there can use the stale pointer to manipulate the program. The Federated Credential Management API (FedCM) allows the browser to understand the context in which the relying party (for example, a website) and the identity provider (a third-party authentication service) exchange information.

CVE-2022-2856: insufficient validation of untrusted input in Intents. Intents are the Android mechanism that Chrome uses for deep linking into other apps, replacing custom URI schemes. Google’s Threat Analysis Group reported the vulnerability, and technical details will not be released until everyone has had ample opportunity to update.

Google is aware that an exploit for CVE-2022-2856 exists in the wild. A remote attacker could trick the victim into opening a specially crafted web page and execute arbitrary code on the target system.

CVE-2022-2854: a UAF vulnerability in SwiftShader. SwiftShader is an open source library that provides a software 3D renderer. To exploit it, an attacker would have to trick the victim into visiting a specially crafted website.

CVE-2022-2853: a heap buffer overflow in Downloads. A buffer overflow occurs when a program writes more data into a buffer than the buffer was allocated to hold, so the excess spills into the adjacent memory region. In software exploits, the two areas most commonly targeted for overflows are the stack and the heap. The heap is the portion of memory where dynamically allocated memory resides.
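To make the two bug classes behind CVE-2022-2852 and CVE-2022-2853 concrete, here is an added example in C. It is not Chromium code and not part of the original post: a hypothetical "download record" with an unchecked copy next to its bounds-checked form, and a free() that leaves a dangling pointer next to one that clears it. The struct, the NAME_MAX size and all function names are invented for illustration; the patterns are the general ones, not Chrome's actual code paths.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Chromium code. A toy "download record" used to show a
 * heap buffer overflow and a use-after-free next to their hardened forms.
 * All names and sizes are hypothetical. */

#define NAME_MAX 16

struct download {
    char   name[NAME_MAX];
    size_t bytes;
};

/* Heap overflow: copies len bytes into a fixed-size buffer inside a heap
 * object without checking len. With len > NAME_MAX the copy runs past
 * name[] into 'bytes' and then past the end of the allocation itself. */
void set_name_unchecked(struct download *d, const char *src, size_t len)
{
    memcpy(d->name, src, len);
}

/* Hardened: rejects anything that does not fit together with the
 * terminator, so the write can never leave the buffer.
 * Returns 0 on success, -1 when the input is rejected. */
int set_name_checked(struct download *d, const char *src, size_t len)
{
    if (len >= NAME_MAX)
        return -1;
    memcpy(d->name, src, len);
    d->name[len] = '\0';
    return 0;
}

/* Use-after-free: free() releases the memory but does not change the
 * pointer value. Any later access through the stale pointer is the UAF;
 * if the allocator has meanwhile handed that memory to attacker-controlled
 * data, the program now reads or writes whatever the attacker put there. */
void finish_download_dangling(struct download **slot)
{
    free(*slot);
    /* bug: *slot still holds the old address */
}

/* Hardened: clear the pointer at the moment of release, so later code can
 * tell that the object is gone instead of dereferencing freed memory. */
void finish_download_safe(struct download **slot)
{
    free(*slot);
    *slot = NULL;
}

/* Returns the byte count of a live download, or 0 when the slot is empty.
 * This is only safe because every release path also clears the slot. */
size_t download_bytes(const struct download *d)
{
    return d ? d->bytes : 0;
}

/* Walks the hardened path end to end and returns the number of checks
 * that passed (3 expected), so the example can be verified without
 * executing any undefined behaviour. */
int demo(void)
{
    int passed = 0;
    struct download *d = calloc(1, sizeof *d);
    if (!d)
        return -1;
    d->bytes = 4096;

    /* a short name fits: accepted and terminated */
    if (set_name_checked(d, "setup.exe", 9) == 0 &&
        strcmp(d->name, "setup.exe") == 0)
        passed++;

    /* a name longer than NAME_MAX is rejected and the buffer is untouched */
    const char *longname = "a-very-long-file-name-that-wont-fit.exe";
    if (set_name_checked(d, longname, strlen(longname)) == -1 &&
        strcmp(d->name, "setup.exe") == 0)
        passed++;

    /* release the object; the cleared slot is detected instead of used */
    finish_download_safe(&d);
    if (d == NULL && download_bytes(d) == 0)
        passed++;

    return passed;
}

int main(void)
{
    printf("checks passed: %d\n", demo());
    return 0;
}
```

The unchecked and dangling variants are deliberately never called in demo(): running them is undefined behaviour, and whether it crashes, corrupts the neighbouring field or appears to work depends on the allocator, which is exactly why these bugs are exploitable rather than merely crashy.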

How to protect yourself

The easiest way to update Chrome is to let it update automatically, which uses essentially the same method as outlined below but does not require your attention. You can still end up lagging behind, though, if you never close the browser or if something goes wrong, such as an extension stopping the browser from updating.

So it doesn’t hurt to check now and then, and now would be a good time given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help, which you can also reach via Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome up to date

After the update the version should be 104.0.5112.101 or later.

Stay safe, everyone!

Nearly 2,000 Signal users affected by Twilio phishing attack

New findings following the Twilio phishing attack reveal that Signal, one of Twilio’s high-value clients and a popular encrypted messaging platform, was particularly affected: 1,900 of its users had their phone numbers and SMS registration codes exposed. However, Signal reassured users that the attacker could not gain access to “message history, contact lists, profile information, whom they’d blocked, and other personal data” associated with the account.

Signal also notes that 1,900 is a small percentage of its user base, so the vast majority of users were not affected. Nevertheless, it notified affected users this week via SMS and prompted them to re-register Signal on their devices.

The company revealed in a security notice that the attacker explicitly searched for three numbers among the 1,900 affected users. One of those three users has already reported that their account was re-registered, which means the attacker can now send and receive messages from that phone number.

When The Register asked Signal why an attacker would specifically target these three numbers, suggesting maybe they are people of note, the company responded: “To respect the privacy of those specific people, we are not sharing any details about them.”

Signal highlights the importance of enabling its app’s security features to limit the fallout of attacks on the third-party providers it relies on. Because of what happened to Twilio, the company is urging more of its users to take advantage of Registration Lock and Signal PINs, both of which must be turned on manually.

Registration Lock prevents someone from registering a Signal user’s phone number to another device unless they know the PIN associated with the account. To enable Registration Lock, Signal users should go to Signal Settings (profile) > Account > Registration Lock.

“While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” Signal said.

Last week, Cloudflare revealed that the same phishing tactic that led to the Twilio breach had also targeted its employees last month. That campaign failed because Cloudflare employees are required to use physical security keys to access all of the applications they use in-house.