IT NEWS

The ransomware landscape changes as fewer victims decide to pay

Fewer victims are choosing to pay their ransomware extorters, especially among large enterprises, according to a recent investigation from Coveware. As a result of this, and other circumstances, we can see some shifts in the way that ransomware groups and their affiliates work.

Large organizations

An encouraging trend among large organizations is that they refuse to consider negotiations when ransomware groups demand impossibly high ransom amounts. As a result, the threat actors are responding by shifting their focus to the mid-market. That may explain why the median cost of ransom payments fell by 51 percent from the previous quarter, down to $36,300.

Legislation

A contributing factor to the drop in payments is also the fact that some countries and states are banning municipal organizations from paying ransoms. Sanctions against Russia resulted in a decline of ransomware attacks and payments, but ransomware groups have taken measures to make attribution and branding harder. Groups like Conti were absorbed by existing and new Ransomware-as-a-Service (RaaS) groups such as Black Basta, BlackCat, Hive, and Quantum.

Law enforcement

Law enforcement cracking down on ransomware has created the necessity for ransomware groups to use a more flexible infrastructure and be more vigilant when accepting new affiliates. We’ve also seen how law enforcement was able to recover some major ransom payments in recent years—a feat that, until recently, was nearly impossible or at least unheard of. This could be another reason for ransomware groups shifting to a larger quantity of smaller victims—when they attack large enterprises, they attract the attention of law enforcement and at least sometimes lose out on their ill-gotten gains.

Insurance

Meanwhile, insurance companies are expecting the rise in premiums to continue. Their main problem is the inability to assess the cybersecurity level of their customers. A new market is developing where insurers will offer a reduction on pricing if you provide a quarterly report through a specific security platform, because they know it’s a good product that helps to improve cyberhygiene.

Data theft and extortion

The more advanced ransomware groups are already trying to extract as high a ransom as possible by using data extortion and leak sites as a means to increase the pressure on organizations. This sites publicly announce which companies have been hit by a ransomware group should the organization refuse to pay the ransom, tarnishing the company’s reputation and also threatening to publish its sensitive data online. More ransomware groups can be expected to use the tactics of extortion, shaming, and data leaks to convince their victims to pay.

Different targets

With the shift from large botnets as the initial foothold to targeted attacks, the affiliates can not only be more picky when it comes to their victims, some can also choose between RaaS providers or decide to proceed on their own. On the defense side this means we have to be ready for an increase in possible attack vectors as we can expect affiliates to specialize in exploiting certain vulnerabilities.

Another change in tactics is to increase the number of possible targets. Almost every RaaS variant has stable Windows, Linux and ESXI versions and as such are able to target every server, regardless of the operating system.

Branding

Branding used to be an important factor for ransomware groups. A strong brand could carry a reputation for effectively decrypting the files of victims that paid, and operating a leak site that punished non-paying victims. But brands make attribution easier, and all it takes is one high profile attack on a pipeline or hospital to foul the brand and draw geopolitical or law enforcement attention.

As a result, RaaS groups are keeping a lower profile and vetting both affiliates and their victims more thoroughly. That means affiliates are increasingly required to handle initial access, stolen data storage, and negotiations alone, which is likely to reduce their profits.

Not going away

Unfortunately there are no signs that ransomware is going away. But fewer and smaller payments will certainly reduce the damage it is doing. And the reduction of payments will bring down the investments of RaaS groups in development and infrastructure, as well as the desire for affiliates to become increasingly independent.

If you haven’t already, put up a fight against ransomware.

Stay safe, everyone!

The post The ransomware landscape changes as fewer victims decide to pay appeared first on Malwarebytes Labs.

To settle with the DoJ, Uber must confess to a cover-up. And it did.

Uber covered up the 2016 data breach that affected its 57 million customers and drivers. The confession came as part of the settlement between the DOJ (US Department of Justice) and the taxi company, which will see it avoid criminal prosecution.

In a press release from the DOJ, Uber “admits that its personnel failed to report the November 2016 data breach to the FTC despite a pending FTC investigation into data security at the company.”

If you may recall, cybercriminals breached Uber’s system years ago using stolen credentials. The cybercriminals accessed a private repository of source code where they got a private access key. They then used this key to access and copy data associated with Uber users (names, email addresses, and phone numbers) and drivers (license numbers).

The hackers used the stolen data to blackmail Uber. So, the company hid this from the public and paid the hackers $100,000 to delete the data and keep quiet.

The Uber hack came to light after new leadership took over the company in 2017, a year after the incident occurred.

Uber CEO Dara Khosrowshahi, who took over after the ousting of former CEO Travis Kalanick, along with the new leadership team, conducted an internal investigation on the breach. The outcome led to Khosrowshahi firing Joe Sullivan, Uber’s chief security officer at that time, for being complicit in the cover-up. It also led to Uber reporting the incident to their drivers, regulators, law enforcement, attorneys general, and the FTC (Federal Trade Commission).

Sullivan was charged with obstruction of justice for the cover-up from the FTC and Uber management. His case is scheduled to go on trial in September 2022.

The press release noted the FTC will not prosecute Uber because Khosrowshahi and the new management reported the breach. The rideshare company also entered an agreement with the FTC wherein it will maintain a “comprehensive privacy program” for 20 years and will continue reporting future breaches to the FTC.

Lastly, Uber paid $148M for civil litigation settlement.

The post To settle with the DoJ, Uber must confess to a cover-up. And it did. appeared first on Malwarebytes Labs.

“Orwellian in the extreme” food store installs facial recognition cameras to stop crime, faces backlash

A convenience shop chain is under fire and facing legal charges for installing cameras with facial recognition software in 35 of its branches across the UK.

The cameras analyze and convert video face captures into biometric data. The data is compared with a database of people who have committed crimes in the shop, such as theft or violent behavior. Southern told the BBC that it only placed cameras in shops where there is a history of crime.

But Big Brother Watch, a non-profit privacy campaigning organization based in the UK, said the Southern Co-op’s camera system “breaches data protection” and that people visiting the shops may find themselves unknowingly being placed on a watch list.

A Southern spokeswoman said the watch list isn’t a list of criminals, but of people whom the co-op has evidence of criminal or anti-social behavior. Should any of the people on their list turn up at the shop, they are asked to leave, or a staff member will approach them with an offer of help, making it clear that the shop knows they’re there.

Big Brother Watch questioned the legality of having these systems installed, asserting that biometric scans are “Orwellian in the extreme.”

Silkie Carlo, Director of Big Brother Watch, says, “The supermarket is adding customers to secret watch-lists with no due process, meaning shoppers can be spied on, blacklisted across multiple stores and denied food shopping despite being entirely innocent.”

“This is a deeply unethical and a frankly chilling way for any business to behave.”

The group added that the system is not necessary for preventing crime nor to “protect the public from harm in any meaningful way”.

“At best, it displaces crime, empowering individual businesses to keep ‘undesirables’ out of their stores and move them elsewhere,” the complaint further asserts.

Big Brother Watch raised a complaint with the Information Commissioner’s Office (ICO), and Southern said it welcomes constructive feedback.

“We take our responsibilities around the use of facial recognition extremely seriously and work hard to balance our customers’ rights with the need to protect our colleagues and customers from unacceptable violence and abuse,” Southern said.

Southern Co-op said its branches with the camera systems installed have appropriate signage on display.

“The safety of our colleagues and customers is paramount and this technology has made a significant difference to this, in the limited number of high-risk locations where it is being used.”

Facewatch, the provider of the system Southern Co-op uses, says: “Facial recognition may be used where it is necessary because other methods to prevent crime, such as policing, CCTV and manned guarding, have tried and failed.”

“Any privacy intrusion is minimal and proportionate. Facewatch is proven to be effective at crime prevention, and our clients experience a significant reduction in crime.”

The post “Orwellian in the extreme” food store installs facial recognition cameras to stop crime, faces backlash appeared first on Malwarebytes Labs.

TikTok owner ByteDance pushed a pro-China agenda to Americans, say former employees

Controversy over supposed pro-China messaging in apps from TikTok owner Bytedance continues to grow. Tales are emerging relating to a now shelved app called TopBuzz. Former employees have spoken to BuzzFeed, making claims of both pro-China content promotion and forms of censorship elsewhere.

Staying on message

Buzzfeed claims that former employees who worked on the TopBuzz app were instructed to place “specific pieces of pro-China messaging in the app”. There are claims of China-centric content being pinned to the top of the app, including videos about travel, as well as one about moving a start-up to China. The former employees say they had to take screenshots to prove that they had pinned the content.

Elsewhere, there are claims that certain types of content was being censored. This includes alleged removal of Hong Kong protest coverage, for example. Other “edge case” content resulted in liaisons with the Beijing team to decide its fate. There’s also references to outright removal of content related to Winnie the Pooh memes.

Bytedance didn’t respond to comments related to censorship, though the embattled organisation did object strongly to claims about pro-China messaging. There’s also additional claims of everything from scraped content to mass deletions of fake accounts “degrading the user experience“.

Rules and regulations

Travel videos and clips of pandas may sound harmless. But this is still a news issue due to fears of regulatory concerns. Apps and businesses walk a tightrope of concerns where any connection exists to a nation which may be at odds with the one they’re trying to do business in. It wasn’t so long ago that former US President Donald Trump tried (and ultimately failed) to force a TikTok ban. More than anything else, this attempt may have made issues of compliance in this realm front and center in the public eye.

This public pressure isn’t going away anytime soon when members of the FCC are demanding Google and Apple remove TikTok from their stores. FCC Commissioner Brendan Carr insists the company “can’t be trusted” with information given by users.

Of leaks and downplaying

It’s not just bad news for the now defunct app. There’s now also word of internal TikTok documents related to questions of ByteDance, China, and AI:

The main counterpoints referencing these subjects include:

  • TikTok not being available in China
  • Not sharing user data with the Chinese government, and refusing to do so if asked
  • Citing the “measures in place” to “significantly reduce access to user data”.

There’s many other unrelated topics in the document, including dealing with questions related to user demographics, user data generally, and children spending money on livestreaming gifts.

Given the non-stop debate over issues related to China, and the fairly restrictive guidance contained within for answering questions, it’s likely this is where the focus will remain over the coming days as the document continues to be analysed.

The post TikTok owner ByteDance pushed a pro-China agenda to Americans, say former employees appeared first on Malwarebytes Labs.

Radioactivity monitoring and warning system hacked, disabled by attackers

The Spanish police arrested two people under the accusation of tampering with the Red de Alerta a la Radiactividad (RAR). The RAR is part of the Spanish national security systems and in use to monitor gamma radiation levels across the country. The network is managed, operated and maintained by the General Directorate of Civil Protection and Emergencies (DGPCE) of the Ministry of internal affairs.

RAR

The RAR network contains more than 804 detection points across the country. Each detection point has at least one sensor plus a control unit. The detection points measure gamma radiation across the country. The network serves as a warning system if there’s a spike in radiation levels. Each sensor unit is connected to the central node located in the control center at the DGPCE headquarters. In addition, there are ten regional nodes and seven associated nodes that allow alternative access to the network, which have more limited management capabilities.

Spain has seven nuclear reactors which together generate about a fifth of the country’s power supply. The RAR system serves to measure radiation levels and raise an alert in case of a detected abnormal level.

The hack

The two suspects are accused of sabotage by disabling more than a third of the RAR sensors. The hackers attacked the computer system and caused the connection of the sensors to fail, reducing their detection capacity even in the close proximity of nuclear power plants.

The intrusion took place between the months of March and June,2021. The attack was directed at the two main components of the network. On the one hand, there was unauthorized access into the computer system itself, the purpose of which was to delete the RAR management web application in the control center. On the other hand, the threat actors attacked over 300 sensors, causing the failure of their connection with the control center and thus reducing the detection capacity of the network.

Inside job

While the motive behind the attack remains unclear, it has become clear that the two accused were responsible for the maintenance program of the RAR system, through a company contracted by the DGPCE. The intimate knowledge of the maintenance program enabled them to pull of this attack.

It also helped them to hide their involvement which made the investigation difficult and time consuming. The arrests came after a year-long investigation that involved raids in Madrid and San Agustín de Guadalix, and the seizure of numerous computer and communications devices related to the attack.

Critical infrastructure

While we tend to think about other things first while discussing critical infrastructure, this warning system qualifies as such because it’s intended to monitor a possible threat to the population. And if anything had happened during the time the system was under attack and only functioning in part, the consequences could have been disastrous.

The post Radioactivity monitoring and warning system hacked, disabled by attackers appeared first on Malwarebytes Labs.

In post-Roe US, experts share how to keep your data private

In the weeks since the Supreme Court of the United States removed a nationwide right to choose to have an abortion, millions of Americans have been forced to relearn what is and isn’t safe to do online, as their actions, words, and choices—many of which are tracked digitally—could potentially be used as evidence of wrongdoing in the future.

Complicating the matter is that, immediately after the Court released its decision on June 24, cybersecurity experts and novices alike flooded social media with a brand-new set of rules for those seeking and supporting abortions: Delete your period-tracking app, use a “burner” phone when attending a protest, change how you search for abortion providers, download a new secure messenger app, maybe download entirely new online tools altogether.

Pretty much, change your life.

But according to Cooper Quintin, senior staff technologist with Electronic Frontier Foundation, some of the more common pieces of advice that were first spread online, while well-intentioned, are not entirely practical or useful.

“The advice to delete your period-tracking app or use a burner phone, I think just completely misses the mark,” Quintin said on the latest episode of the Lock and Code podcast from Malwarebytes. “It’s somehow both an oversimplification and an over-complication, and [it] completely fails to understand the threats that people seeking abortions are actually facing.”

On Lock and Code last week, we discussed those exact threats with Quintin and his colleague, staff attorney Saira Hussain. The full discussion, which can be heard below, reveals how the Supreme Court’s most recent decision could impact data privacy practices for millions of people in the United States.

Underpinning much of this potential shift in data privacy is, of course, the new, legal uncertainty sweeping across the country.  

Myriad, statewide legislative efforts to ban abortion outright or to place new restrictions around it have moved forward, with neighboring states sometimes implementing different rules just miles apart. In Alabama, South Dakota, Arkansas, and Missouri, abortion is now banned with no exceptions for rape or incest, and in North Dakota, Tennessee, and Wyoming, similarly broad abortion bans are expected this summer. But in Louisiana, Kentucky, and Utah, wide-ranging abortion bans been challenged in court, with judges in each state placing temporary holds on those laws before they may go into effect.

How these laws will overlap, or how individual states will enforce their own laws across state lines—if at all—is unknown, Hussain said.

“This is what legal experts and reproductive rights experts have been warning about for years—that our system is not equipped to handle issues like this,” Hussain said on the podcast, explaining that the federal right to choose to have an abortion at least provided somewhat a bulwark against decades of state interventions to restrict and limit access to abortions. “Now, all of that has been undone, and the entire question of whether somebody can seek an abortion or somebody can help provide abortion services has been left entirely to the states.”

Succinctly, Hussain warned: “It’s essentially legal chaos.”

With few answers on what will and won’t be explicitly illegal, both Hussain and Quintin shared the following, key pieces of advice on Lock and Code for those who are worried about how to secure their reproductive choices:

  • Above all else, limit any sensitive information that you share with others and that you store on your own devices.
  • Practice extra caution on social media and don’t post about seeking or providing abortion services.
  • Use a privacy-preserving search engine that won’t record your history when looking up abortion services.
  • Use a secure messenger app with disappearing messages when discussing abortion with friends or family.
  • Read the resources on abortion and reproductive health privacy provided by Digital Defense Fund and Electronic Frontier Foundation.

The next year in America could include not only a test of legal theories, but of data privacy, as law enforcement agencies will potentially rely on forms of data that are everywhere around them but that, at least until now, have not been used at an immense scale to prove whether or not someone obtained or performed an abortion.

For Hussain, the lack of clarity is worrying.

“We don’t know what the landscape will look like in this post-Roe world, but as a privacy attorney, I’m deeply concerned about the surveillance tools that law enforcement will use to investigate alleged abortions.”

It’s about more than period-tracking apps

The weekend after the Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization, users of period-tracking apps scrambled to either delete their data or find a way to lock it down. The companies that make period-tracking apps themselves also responded to the new landscape, with at least one company promising to provide an anonymous mode for users so that any legal requests for user data could not meaningfully be fulfilled.

On Lock and Code, Quintin said that, while the supposed catch-all advice for users to delete period-tracking apps lacks some nuance, the concern around these apps makes sense.

“The reason that people are worried about period-tracking apps, in specific, is that these apps are collecting a ton of data about you, which, could potentially be used to prove that you were at some point pregnant, and then, at some point, stopped being pregnant, without actually having a child,” Quintin said.

But, Quintin added, “period-tracking apps aren’t the only apps that are problematic.”

“The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches.”

In recent years, this data has been used to not only reveal pregnancies and advertise around them, but to also target those who potentially considered receiving an abortion.

In 2012, the New York Times reported that a teenager’s pregnancy had been revealed to her father because of her shopping habits at Target. By analyzing the teenager’s recently purchased items, Target determined that she was likely pregnant and then, as a follow up, sent coupons to her home for things like cribs and baby clothes.

In 2015, the evangelical adoption agency Bethany Christian Services, which opposes abortion, found a way to send anti-abortion ads to the phones of women who physically visited Planned Parenthood locations.

In 2016, after a woman diligently tracked her pregnancy in a pregnancy-tracking app, she miscarried. But along the way, the app she used had been sharing her data with marketing groups. But her miscarriage, which she also reported, was not shared with those same groups, and so, weeks before what would have been her due date, she received a package of baby formula in the mail, under a likely assumption that all pregnancies end the same way, with a baby.

Though the stories could alarm people, Quintin and Hussain stressed that this type of algorithmic data matching is far from the norm for how most abortions are revealed. Instead of any behind-the-scenes technology, Hussain said that when law enforcement have investigated an allegedly illegal abortion, they have first been tipped off by an informant.

Quintin added:

“If you talk to the people on the front lines of the abortion fight, they’ll tell you that the way people are being prosecuted right now is first and foremost through informants. Friends, family, spouses, medical professionals—who disagree with their decision—deciding to notify law enforcement.”

Once an informant has shared information with law enforcement, then, Quintin said, will “secondary evidence come into play.” That includes things like Google search history, posts and direct messages on social media, text messages, and emails.

“Those pieces of information are what’s being used to build a case and convict somebody, typically after they’ve already been informed on,” Quintin said.

To limit that information, our guests offered several recommendations.

Limit your circle of trust

Both Hussain and Quintin emphasized that one of the most important things that people can do right now to secure their reproductive choices is to limit their circle of trust. That means that people should be careful with any online and digital interactions that could reveal whether or not they plan to get an abortion.

In practice, Quintin said that means not posting about getting an abortion or providing abortion services on social media. That also means not talking about the same topics over text messages.

But the information shared with other people isn’t the only type of information that should be locked down, said Quintin. People concerned with their digital privacy should also find ways to limit the data they have on their own devices that could be used as evidence by law enforcement.

For starters, people can look up abortion services using a search engine that does not record their search history, Quintin said, naming the service DuckDuckGo.

Second, people can also download a secure messenger app with disappearing messages, so that even if people are discussing abortion options with one another, the messages themselves will disappear. Here, Quintin named the end-to-end encrypted app Signal.

Quintin stressed that these are not necessarily easy changes to make, as many are based on changing a person’s behavior as much as they are about adopting new technologies. In a society that has trained the public to broadcast so many parts of their day-to-day lives, choosing silence can be unfamiliar, Quintin said, and that includes the many individuals who are merely trying to show support on social media even if they are not personally considering an abortion.

“I think part of the reason people are doing this, and part of what’s so hard right now, is that ever since social media has become ubiquitous in our culture, we’ve been incentivized into sort of shout about everything we do,” Quintin said. “The culture has shifted to be one of always saying what you’re doing.”

But Quintin stressed the importance of this moment to change habits and to opt for saying less online. Not only could these posts get people in trouble, Quintin said, but they could also make it harder for people to find help from the organizations that are already doing this work and have been doing it, quietly, for years.

“I think that shouting that you have a whisper network is not the way to go about this,” Quintin said.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

The post In post-Roe US, experts share how to keep your data private appeared first on Malwarebytes Labs.

Anti-vaxxer dating site exposes user data

An anti-vax dating site has been revealed as shockingly easy to compromise by security researchers. Many major aspects of the site, from membership subscriptions to support tickets, were found to be vulnerable.

The site, called Unjected, has been around since last year. It functions as a sort of social media/dating platform for folks averse to vaccinations. The site also offers a “blood and fertility match” directory, with some pretty personal details being entered as a result.

What’s interesting about this one is the potential for wider fallout. This is one attack which may not only impact authentic users. It seems many people also signed up to joke around, or mock the site and its users. They may well be caught up in any potential data leakage down the line.

What happened?

A researcher discovered that the site’s web application framework was set to debug mode. Debug mode is something you wouldn’t typically grant third party users access to. Depending on setup and program, it may reveal all sorts of information to the user. It could grant the user admin powers to remove bugs from the program, with all the site-wide power such a mode implies.

Think video games, where a debug mode is roughly equivalent to a cheat mode granting infinite lives or instant level completion. In short: this isn’t something you want people to stumble across.

Sadly for the site and its users, the site’s administration dashboard was openly accessible. Anyone with access could add, edit, or deactivate pages and user accounts. The researcher who discovered this was able to demonstrate their new-found admin powers on a test account set up by Daily Dot, enabling them to edit the private email address, username, and profile image, as well as the wording on a public post.

Site back ups? Downloadable. $15 a month subscriptions? Able to give them away like candy if so desired. Incredibly, help center tickets could be replied to. Given help tickets tend to contain more sensitive user data than what people post publicly, this is rather worrying.

When the fix fails

Once alerted, the people running the site applied fixes which may have made things worse. One user claims that their home address was “published” after registering a new account. Another said they were redirected to a page of code revealing “email address, IP address, browser information, and more”.

As mentioned earlier, sites such as this tend to attract lots of trolling, joke posts, and general mockery. While those people likely used disposable emails to sign up and post, they may well have exposed other data to a site which seems incredibly leaky and bug-riddled at time of writing. Whether legitimate user or not, everyone on the site could have had their data swiped without anybody knowing about it. They’re fortunate the researcher in question found the flaws when they did, or else the site would still be a huge, secret bullseye for people with bad intentions to plunder.

We’d strongly suggest not registering on the site at present. That goes for whether you’re looking to land a date or do some trolling instead. Given the baffling sequence of errors since the admins tried to fix things, it’s simply not worth the effort or the risk.

The post Anti-vaxxer dating site exposes user data appeared first on Malwarebytes Labs.

IIS extensions are on the rise as backdoors to servers

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.

IIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.

IIS

IIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.

Exchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.

IIS modules

The IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.

Malicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.

IIS backdoors

IIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.

ProxyLogon and ProxyShell

Some of the methods used to drop malicious IIS extensions are known as ProxyLogon and ProxyShell. ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

The ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

Malicious behavior

On its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What’s interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user’s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.

Credential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.

Given the rising energy prizes and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn’t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an IIS 6.0 vulnerability to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.

Mitigation, detection, and remediation

There are several thing you can do to minimize the risk and consequences of a malicious IIS extension:

  • Keep your server software up to date to minimize the risk of infection.
  • Use security software that also covers your servers.
  • Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite.
  • Deploy a backup strategy that creates regular backups that are easy to deploy when needed.
  • Review permission and access policies, combined with credential hygiene.
  • Prioritize alerts that show patterns of server compromise. It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.

Stay safe, everyone!

The post IIS extensions are on the rise as backdoors to servers appeared first on Malwarebytes Labs.

PrestaShop warns of vulnerability: Update your stores now!

A vulnerability affecting open source e-commerce platform PrestaShop could spell trouble for servers running PrestaShop websites. The 15-year-old organisation’s platform is currently used by around 300,000 shops worldwide. The exploit is very dependent on specific versions in use, so one PrestaShop customer may see different results to another.

What’s happening?

The exploit has its own CVE, known as CVE-2022-36408, and (from PrestaShop’s security advisory) relates to a “previously unknown vulnerability chain that we are fixing“. PrestaShop goes on to say that:

…this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities. Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.

If the shop is vulnerable to SQL injection exploits, then based on available information so far it’s almost certainly running old, outdated modules. There’s a possibility that vulnerable third-party modules may also be responsible. Assuming everything is in place for the attack to happen, it plays out like this:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
  3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

Once control is gained of the shop, a fake payment form is injected into the checkout page. At this point, shop customers submitting payment data will be sending their details to the attacker and not the genuine store owner. PrestaShop notes that this may not be the only tactic at play—it’s possible different file names, software modification, or even malicious code may be worked into the mix. The current level of uncertainty as to exact method used, or if third-party aspects are involved, is to the attacker’s advantage.

How to defend against this vulnerability

PrestaShop advises to ensure both shop and modules are running their latest versions. Users should also disable a rarely used feature called MySQL Smarty. This is disabled by default, but can be activated remotely by an attacker. The advise here is to physically disable it like so:

Locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6).

At the time of writing, PrestaShop suggests shop owners “contact a specialist” to perform a full audit of the site and ensure nothing has been modified or had malicious code added. Finally, shop owners are advised to download the latest release, PrestaShop 1.7.8.7 which addresses the vulnerability.

A note of caution: there’s uncertainty over whether this addresses all versions of the attack. Additionally, if your store has already been hacked then this update may not be enough to fix the lurking problem. The best remedy here is to get your update in early and try to beat the attackers to the punch.

The post PrestaShop warns of vulnerability: Update your stores now! appeared first on Malwarebytes Labs.

Simplifying the fight against ransomware: An expert explains

Fighting against ransomware can be difficult—especially if your organization has limited IT resources to begin with. But Adam Kujawa, security evangelist and director of Malwarebytes Labs, has a few tips for overburdened IT folks looking to simplify their fight against ransomware. 

In this post, we’ll break down Kujawa’s observations about ransomware and three tips on how businesses can have an easier time in preventing, detecting, and remediating ransomware.

The importance of “knowing thy enemy”

Most ransomware attacks are not sophisticated, state-sponsored cyber operations, Kujawa says. Instead, there’s a team of seven or eight people sitting behind computers, trying to break into your network. 

In other words, ransomware attackers are not usually using any advanced technology or tactics: a lot of times it’s simply an attack of opportunity. For example, your network might have had a vulnerability. Someone might have clicked on the wrong link. You might have misconfigured some port and there’s a brute-forcing campaign going on. 

“So rather than thinking of ransomware actors as these highly sophisticated super hackers, think of them as common thugs. They expect you to be unprepared for their attack, which they believe will lead to a payoff for them,” says Kujawa.

The key takeaway here is this: Even smaller businesses with fewer IT resources can easily prevent or stop ransomware attacks with the right amount of planning. You don’t need a dedicated SOC or crazy enterprise-grade cybersecurity to deal with “attacks of opportunity.”

3 tips to simplify the fight against ransomware

1. Choose an effective and easy-to-use Endpoint Detection and Response (EDR) software 

When it comes to ransomware, resource-constrained organizations with small-to-non-existent security teams are in greater need of EDR—but many EDR products are designed for large enterprises with large and highly-skilled security teams.

If we want to simplify the fight against ransomware, our EDR should not only be effective but simple and easy-to-use as well. 

On the effectiveness front, Kujawa says that there are four main things to look at when trying to determine an EDR platform to deploy to combat ransomware:

On the ease-of-use front, Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes, also has four suggestions when choosing an EDR platform:

  • Ask about the time required to set up the management console and whether it’s cloud-based.
  • Get proof of the time required to deploy the endpoint agent across a given number of endpoints. 
  • Have a “single pane of glass” and an intuitive UI that gives you visibility into all activity across your entire organization.
  • Easy, non-vendor-specific language describing the detected suspicious activity (MITRE ATT&CK)

2. Build out a comprehensive recovery plan

The simplicity in building out a comprehensive ransomware recovery plan isn’t in the development of the plan, but rather the plan itself makes things easier when an attack does occur.  

“A huge issue for many organizations, when hit with ransomware, is scrambling to figure out how to stop it or reduce the damage done by the threat,” Kujawa says. “A recovery plan provides detailed guidance on who to call, system data classifications, procedures for preserving evidence, who your incident response or law enforcement contacts are, etc.”

An idea on how to make the creation of this simpler, is to provide a list of questions that stakeholders should answer when producing this plan. Then, as a group, answer some of these questions: 

  • What do you want your company and your employees to do right after the ransomware attack is discovered?
  • What is the company’s policy on dealing with attackers? Is it going to try to pay the ransom, or is it just going to ignore the attackers? 
  • How do you restore from backups, and what backups are most important to restore from first? 
  • What data is most vulnerable, and how can you protect that data?
  • What systems need to be recovered first
  • How does the business continue to run if the systems are down? 
  • Do you have resources that can help you, such as law enforcement agencies or a cyber insurance firm? 

But who makes up this team that creates the recovery plan? 

“Start with your CISO, COO and all department heads, as well as any security staff you have,” Kujawa says. “When you have all those people together, they can get a clear picture of the readiness of departments in recovering from an attack, what data is most valuable to them and what it would take to disable or continue operations if an attack occurred.”

3. Avoid common mistakes in prevention, detection and response

Often, a customer who gets hit with ransomware has security software but they either have it disabled or it’s outdated or limited in its ability, thanks to poor configuration, Kujawa says.

Because of the inconvenience, or maybe because it’s not compatible with the businesses operations, some aspect of the security gets disabled and that leads to an infection.

“A lot of organizations don’t run regular penetration tests or security audits, and not everyone has the funds to hire a pen testing firm. I get that,” Kujawa says. “But you can make sure that all your outward-facing services are up to date and that every possible entry into the network–like RDP or SMB–has solid authentication requirements. We often see people just leaving those ports wide open.”

Another common mistake Kujawa has noticed is not running regular scans to look out for threats such as backdoors, even if you don’t see anything suspicious.

“Many organizations are not aware that a backdoor infection that occurred months ago can and likely will be used to install additional malware at some point,” he says. “A backdoor could sit there for six months without you knowing about it. It may not do anything until it launches the ransomware.”

Don’t make fighting ransomware harder than it needs to be 

Ransomware is a clear and present danger to organizations of all sizes–but fighting it doesn’t need to be complicated. Reducing ransomware can be as simple as leveraging an easy-to-use EDR, having a well-thought out recovery plan, and avoiding a few common mistakes. Even small-and-medium sized businesses with limited IT resources can simplify the fight against ransomware with these tips. 

See how Malwarebytes EDR can simply (and effectively) stop ransomware in our demo blog post!

Want to learn more about how to protect your business against ransomware? Check out our free Ransomware Emergency Kit.

The post Simplifying the fight against ransomware: An expert explains appeared first on Malwarebytes Labs.