IT NEWS

This blog post was authored by Jérôme Segura

Viral content shared on social media is highly coveted since it gets a lot of impressions and engagement. Unfortunately, the people who push this kind of content don’t always have the best of intentions.

We recently identified a malvertising campaign on Facebook that uses a cute story that gained attention last year. The fraudsters are luring potential victims into clicking on its link so that they are conditionally redirected to a fake tech support page.

This technique is far from being new but yet still works really well and deserves to be analyzed once again so that affected parties better understand how they are being abused.

Too cute to be true

The scam starts with the sweet story of a man who jumped out of his car at a traffic light to have his puppy meet another dog. This moment was shared on a number of platforms last year and could melt any animal lover’s heart.

We saw this post on Facebook and it has been viewed and shared since at least mid July. Yet, in this case, the link is a trap set to redirect potential victims to a malicious page known as a browser locker. While it does not actually ‘lock’ anything, the page displays fake messages about computer viruses and entices users to call for assistance. What follows after are the well-known tech support scams.

Cloaking games

In order to evade detection and remain active for as long as possible, these fraudulent schemes use a simple technique known as cloaking. The idea is to only display the malicious page in specific scenarios while showing legitimate content the rest of the time.

Here are some examples of filters that threat actors may use to their advantage:

• IP address
  • Geolocation (country and city)
  • Internet Service Provider (ISP)
• Browser user-agent
  • Operating system (Windows, Mac, Mobile)
  • Browser name and version
• Referer (the site visited just before)
• Cookies
• Time zone

In other words, for a given campaign a target may be: people living on the US’s west coast using Windows 10 and Google Chrome with a valid Facebook referer clicking on the link for the first time after 6 PM on weekdays. For the rest of the time and other visitors, a decoy page will be shown instead:

The proverbial ‘smoking gun’

When it comes to reporting such abuses, most registrars, hosting companies and platforms will require some hard evidence unless you have worked with them in the past and they already trust the information you pass along.

While a video capture is a pretty damning piece of evidence, it may not necessarily be enough to convince a provider especially if they aren’t able to reproduce the issue on their side. Because of cloaking, finding that smoking gun can literally take hours of frustrated attempts until finding the right combination of parameters. In fact, in some cases you may have to wait for when the scammers manually activate a redirect for a specific time window.

Running a web proxy is often invaluable to capture the event as it is happening as well as hard evidence of the suspected behavior. For example, what we see below are the request and response headers for the domain performing cloaking.

• The request headers show the host (fnbchecklagsin[.]com) the referer (Facebook) and the full URI we requested (GET)
• The response headers show that the server responded with the HTTP 302 code which indicates a redirect to a new location (browser locker)

Essentially, the malicious remote server did not even serve the decoy content but immediately redirected our browser to the tech support scam page.

We have reported this incident to the registrar (NameCheap), the hosting provider (DigitalOcean) and the platform (Facebook) abused to spread this scam. Malwarebytes users were already protected thanks to our Browser Guard extension.

Researchers at Volexity have discovered that a known vulnerability has been used in a large scale attack against Zimbra Collaboration Suite (ZCS) email servers. But the vulnerability was supposed to be hard to exploit since it required authentication. So they decided to dig deeper.

An incomplete fix

Zimbra is a brand owned by Synacor. Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS) is a collaborative software suite that includes an email server and a web client. It is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software.

The initial investigations showed evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This vulnerability was patched by Zimbra in March 2022.

The description of the CVE informs us that Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

Zimbra patched the vulnerability, but, in the company’s own words, it would turn out to be an “incomplete fix for CVE-2022-27925”.

Mass exploitation

Mitigation

Zimbra has patched the authentication issue in its 9.0.0P26 and 8.8.15P33 releases. If you were late to patch for the RCE vulnerability, you should assume that your server instance has been compromised.

In order to verify the presence of web shells on a ZCS instance, one technique that can be used is to compare the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. Lists of valid JSP files included in Zimbra installations can be found on GitHub for the latest version of 8.8.15 and of 9.0.0.

Stay safe, everyone!

Slack, the workplace communication platform, has notified some of its users that their hashed passwords have been subject to exposure for the last five years. The company wasn’t specific in its notice, but Wired said that the flaw was in one of its “low-friction features”. The flaw exposed hashed passwords of users when creating or revoking shared invitation links for workspaces.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,” the company said in a notice. “It affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.”

Putting a plaintext password through a hashing algorithm changes it to a cryptographically scrambled or obfuscated version of itself, now called a “ciphertext”. It is a unique string of characters with a fixed length. Adding “salt”—essentially random data—when hashing would further protect the password from getting easily extracted by threat actors.

The exposure only occurs behind the scenes, though, as Slack users who were sent these invitations couldn’t see the passwords. However, they weren’t completely inaccessible, although seeing the exposed passwords required actively monitoring encrypted traffic from Slack’s servers.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users’ Slack passwords.”

Slack warned that hashes are “secure, but not perfect.” Hashed passwords could still be revered by brute force methods.

Slack promptly patched the flaw after an independent security researcher reported it to Slack last month. It then notified the approximately 0.5 percent of all its users who may have been affected, 

The company also took this opportunity to advise its users to enable 2FA (two-factor authentication) on their accounts and create strong and unique passwords. It also advised users to check access logs, which they can find here, for their accounts.

Microsoft has published fixes for 141 separate vulnerabilities in its batch of August updates, fixing a total of 118 CVEs in multiple products. This is a new monthly record if you look at the CVE count.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that jumped out at us.

Microsoft Support Diagnostics Tool

CVE-2022-34713: is a Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) vulnerability. This is a known to be exploited vulnerability which requires the target to open a specially crafted file. This CVE is a variant of the vulnerability publicly known as Dogwalk.

CVE-2022-35743: is another MSDT RCE vulnerability. Neither technical details nor an exploit are publicly available, but we do know that user interaction is required and the attack vector is local, so this is very likely another case where a specially crafted file needs to be opened by the victim.

Microsoft Exchange

CVE-2022-30134: is a Microsoft Exchange Information Disclosure vulnerability. This vulnerability is publicly disclosed but has not yet been detected in attacks. Affected products are Microsoft Exchange Server 2019 CU 11, Microsoft Exchange Server 2016 CU 22, Microsoft Exchange Server 2013 CU 23, Microsoft Exchange Server 2016 CU 23, and Microsoft Exchange Server 2019 CU 12. Users vulnerable to this issue would need to enable Extended Protection in order to prevent exploitation of this vulnerability. More details can be found on the Exchange Team Blog.

CVE-2022-24477: is a Microsoft Exchange Server Elevation of Privilege (EoP) vulnerability. Affected products are Microsoft Exchange Server 2016 CU 23, Microsoft Exchange Server 2019 CU 12, Microsoft Exchange Server 2019 CU 11, Microsoft Exchange Server 2016 CU 22, and Microsoft Exchange Server 2013 CU 23. Users vulnerable to this issue would need to enable Extended Protection in order to prevent exploitation of this vulnerability. More details can be found on the Exchange Team Blog.

CVE-2022-24516: is another a Microsoft Exchange Server EoP vulnerability. Affected products are Microsoft Exchange Server 2016 CU 23, Microsoft Exchange Server 2019 CU 12, Microsoft Exchange Server 2013 CU 23, Microsoft Exchange Server 2019 CU 11, and Microsoft Exchange Server 2016 CU 22. Users vulnerable to this issue would need to enable Extended Protection in order to prevent exploitation of this vulnerability. More details can be found on the Exchange Team Blog.

Windows Point-to-Point Protocol

CVE-2022-30133: is a Windows Point-to-Point Protocol (PPP) RCE vulnerability with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS) server, which could lead to remote code execution (RCE) on the RAS server machine. This vulnerability can only be exploited by communicating via port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port thus rendering the vulnerability unexploitable.

Windows Network File System

CVE-2022-34715: is a Windows Network File System (NFS) RCE vulnerability with a CVSS score of 9.8 out of 10. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as a temporary mitigation.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has also released security updates for many of its products, including Acrobat, Reader, Adobe Commerce, and Magento Open Source. More details on the Adobe security site.

Cisco released security updates for numerous products this month.

Google released Android security updates.

SAP released 5 new Security Notes.

VMware released Security Advisory VMSA-2022-0022 and warned that a recently disclosed auth bypass flaw is now actively exploited.

Twitter has confirmed that it was breached last month via a now-patched 0-day vulnerability in Twitter’s systems, allowing an attacker to link email addresses and phone numbers to user accounts. This enabled the attacker to compile a list of 5.4 million Twitter user account profiles.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously, and it is unfortunate that this happened.”

When a person submits a publicly known email address or phone number to Twitter, the system tells this person what Twitter account the email or phone number is associated with. The attacker took advantage of this and created a list containing 5.4 million Twitter users with scraped publicly available details of the accounts, including whether the account was verified.

This is especially worrying for users who want to remain anonymous on the platform. It’s a bit late now, but Twitter recommends anyone trying to stay anonymous should not tie a publicly known phone number or email to their Twitter account.

If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

According to BleepingComputer, the attacker sold the data on twice, saying that “the data would likely be released for free in the future.”

Twitter introduced the vulnerability after updating its code in June 2021. A threat hunter reported this vulnerability in January 2022, with Twitter eventually awarding the researcher for the find as part of its bug bounty program.

While the company says no passwords were compromised, it continues to encourage users to enable two-factor authentication (2FA) for their accounts, either in the form of authentication apps or hardware keys.

Most cybersecurity experts agree that having Endpoint Detection and Response software is essential to fighting ransomware today—but not every EDR is equal.

Businesses, especially small-to-medium sized ones with limited budget or IT resources, need to make sure that their EDR is cost-effective, easy-to-use, and able to reliably stop the growing ransomware threat. So precisely what features should SMBs be looking for in an anti-ransomware EDR, and why?

In this post, Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes, gives his 6-point checklist of features your EDR should have to stop ransomware.

Table of contents

How should EDR address ransomware?

At its core, ransomware is an exploitation of trust, Zamani says.

“We place our trust in applications to perform only the functions we intended, Operating Systems to perform functions we authorized, and that our credentials (user ID/password) are used only by authorized personnel. Stolen credentials, phishing attacks, zero-day applications, and OS vulnerabilities exploit our trust in endpoints. And since ransomware stems from exploitation of trust, then EDR is not optional when it comes to mitigating a detected threat.”

A risk management strategy states that we cannot eliminate all system vulnerabilities or block all cyberattacks. In other words, your EDR should be optimized to “prevent what you can and mitigate the rest.”

“Since ransomware stems from exploitation of trust, then EDR is not optional when it comes to mitigating a detected threat.”

Robert Zamani, Regional Vice President, Americans Solutions Engineering

1.   Multi-vector Endpoint Protection (EP) is built-in

The base functionality of any EDR is to notify you of any suspicious activity that is taking place on your systems and offer “response” capabilities to mitigate the detection. However, EDR doesn’t inherently do any prevention: It won’t stop the threat from breaching your environment in the first place. 

Relying solely on EDR as a prevention solution will overwhelm your staff and increase operational costs.

That is why anti-ransomware starts with preventing the known bad, Zamani says. Enter Endpoint Protection (EP), an advanced threat prevention solution for endpoints that uses a layered approach with multi-vector detection techniques.

Many EDR vendors will offer EP as a separate offering—usually, these are just file-based scanners looking for possible clues to malware in binary files. This is the minimal functionality of EP and insufficient because there is more that can be prevented, Zamani says.

EP must reduce the attack surface of ransomware through a combination of comprehensive web protection, application hardening, and other “first-layers of defense”. Since most ransomware attacks start with a phishing email, this primary ‘preventative’ type of endpoint protection is essential.

For a budget-friendly way to get the first layer of ransomware protection, look for an EDR with full-stack Endpoint Protection.

EP gives you a “first-layer of defense” against known and unknown malware, ransomware, and other threats.

2. Maintains visibility and patching regularly

Patching is not just system maintenance, Zamani says. According to the Ponemon Institute, 57% of cyberattack victims report that their breaches could have been prevented by installing an available patch. 

“Application and OS vulnerability assessment and patch management solutions are preventative and reduce the ransomware attack surface on endpoints. A good application and OS, vulnerability management solution must automate inventory and severity classification based on CVSS scoring,” Zamani says. “The sorting by severity and grouping by the asset (endpoint) will allow you to prioritize patching the most valuable endpoints.”

In short, make sure your EDR has some sort of vulnerability and patch management component to make it more difficult for ransomware attackers to breach your systems.

3. Has machine learning (ML) to recognize ‘goodware’ instead of malware

A good EDR is looking for a deviation from good behavior, Zamani says. When an application launches and performs in an expected way, we call that an example of good behavior—and when it doesn’t, the administrator gets an alert notifying them of suspicious activity warranting investigation.

Contrast this with an ML model trained to recognize “bad behavior,” where the model finds patterns in datasets of known malware code. On the low side, there are tens of billions of unique malware, so we can safely assume “bad behavior” is seemingly endless.

The larger the dataset of bad behavior, the greater the chances of misinterpreting good behavior as bad, leading to many false positives.

“Indicators of Compromise (IOC) and Indicators of Attack (IOA) are ill-suited for EDR detections. IOC and IOA define bad, and ‘bad’ mutates, creating 100s of billions of possibilities,” Zamani says. Therefore, a modern EDR heuristics engine must be trained on the good behavior of known-good applications.

Dealing with too many false positives costs time and manpower, distracting you from actual security issues like ransomware. Make sure you choose an EDR that detects deviations from known-good applications to reduce false positives that could distract you in your fight against ransomware.

4. Uses standard reference language and forensic analysis

So your EDR has EP and is looking for deviation from known-good behavior to lower false positives—now, it has sent you a notification of a ransomware threat. The next piece of an anti-ransomware EDR is that the information that comes to you should be standardized both in summary and in detail.

“Traditional, older style EDR will use vendor-specific verbiage for describing the attack,” Zamani says. “But in your EDR, you want the TTPs (tools, techniques, and procedures) of threats to be described in plain English with a common reference number.”

The reference number is necessary for documentation purposes, Zamani says. At the same time, the plain-English description is necessary for you to know at what stage an endpoint was ransomed (because a hacker could have exploited a vulnerability in a still-running application).

“In your EDR, you want the TTPs (tools, techniques, and procedures) of threats to be described in plain English with a common reference number.”

Robert Zamani, Regional Vice President, Americans Solutions Engineering

To avoid unnecessary complexity in figuring out the origin of a ransomware threat, your EDR solution should have an industry standardized way of describing the attack—such as MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).

“Your EDR needs to tell the story of what happened using the standard reference language of MITRE with direct links to the MITRE ATT&CK reference library,” Zamani says. “It should provide a summary using a Kanban board and a separate process graph with detailed forensics of what and how it happened.”

Your EDR should show you alerts that are standardized both in summary and in detail.

5. Thorough containment, eradication, and recovery options

Look to an EDR to mitigate unforeseen threats and ultimately a new method of ransomware (exploitation of trust), says Zamani.

If one of your endpoints gets infected with ransomware, we want to stop the spread as fast as possible, which NIST defines as “containment” in its “Computer Security Incident Handling Guide.”

Containment prevents lateral movement of an attack by allowing you to contain individual machines, processes, or user-IDs and continue active response activities—making quick and easy containment features a must for your EDR.

But the fight doesn’t stop at containment, says Zamani.

“So you’ve contained and studied a threat with your EDR. That’s great,” says Zamani. “But now you want to do remediation. You want to remotely eradicate the ransomware and restore the endpoint to a known-good state free of malware, virus, unwanted programs including unwanted modification.”

But you may ask: Aren’t eradicating and recovering from ransomware the same thing? Not quite, Zamani says.

“Just because you deleted the artifacts does not restore the endpoint into a state where the machine can function. For example, a registry key says the startup sequence is ‘malware first, and then boot.’ So we remove the nasty registry key ‘malware first’, but if you say nothing else, the system won’t boot!”

In other words, your EDR needs instrumentation that not only eradicates ransomware but actually recovers and restores the machine’s state into a functioning state where it can be returned to the network.

“Your ransomware rollback should store changes to data files on the system in a local cache for 72 hours (no ransomware actually exceeds 24 hours), which can be used to help revert changes caused by ransomware,” Zamani says.

6. Searches for ransomware indicators across all your managed endpoints

What if you want to see if the same ransomware threat you discovered on one of your endpoints is in the early stages of the attack on other endpoints?

“Your EDR should have a search engine that can look at any of the TTPs and search across your network,” Zamani says. “Because you want to see if you can catch something early enough before it hits the point of ransom.”

Look for an EDR that can search data like files, registry, processes, and networking activity so you can threat hunt or analyze how a ransomware compromise occurred in your environment.

Businesses need an EDR that immediately detects and responds to ransomware threats

In this post, cybersecurity expert Robert Zamani explained the features SMBs should look for in an anti-ransomware EDR and why.

Of course, the fight against ransomware doesn’t stop at EDR: you still good cyber hygiene with a well-written and practiced Incident Response Plan (IRP). Looking to further empower your business in the fight against ransomware?

Read our “A Defender’s Guide to Ransomware Resilience” eBook!

More resources

Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

Simplifying the fight against ransomware: An expert explains

Demo: Your data has been encrypted! Stopping ransomware attacks with Malwarebytes EDR

Cloud-based communication platform provider Twilio has announced a breach via a social engineering attack on employees.

On August 4, 2022, Twilio says it became aware of unauthorized access to information related to a limited number of Twilio customer accounts, through the social engineering attack which was designed to steal employee credentials.

Text messages

A number of current and former employees received text messages that appeared to come from Twilio’s IT department. The messages said either the recipient’s password had expired, or that their schedule had changed, and that they needed to log in. To increase the credibility of the URLs they contained words including “Twilio,” “Okta,” and “SSO” (short for single sign-on) to try and trick users to click on a link which led to a fake log in site. At this site, the attacker could intercept the login credentals and use those to access the compromised accounts.

The attackers must have put in some effort to link the Twilio employees to their phone numbers. It seems likely they used data from another breach, or breaches, and searched for Twilio employee names with their phone numbers. It would be easy to assume that it might have been one of the LinkedIn data breaches from 2021, because employer data would be needed, but unfortunately there are many other options to combine data from other breaches.

It certainly does add a layer of credibility to the attack, since most people don’t give their telephone number to just anyone, but their employer would know it.

Take down

Once Twilio confirmed the incident, its security team revoked access to the compromised employee accounts to mitigate the attack and a forensics firm was engaged to aid the ongoing investigation.

The text messages originated from US carrier networks, and Twilio says it worked with these carriers to shut down the numbers, and worked with the hosting providers serving the malicious URLs to shut those accounts down. It’s possible, however, that the attackers will continue to rotate through carriers and hosting providers to resume their attacks.

Twilio customers

Twilio has notified the affected customers. If you were not contacted by Twilio, then it means there is no evidence that your account was impacted by this attack.

Protection

By providing employees with mobile devices or allowing them to use personal smartphones for work, organizations have increased the possible number of targets for phishing campaigns.

Since employees’ phones are usually outside of the scope of an organizations security software, protection against this sort of attack is not easy.

The massive use of smartphones, tablets and mobile applications in our daily lives, for personal and professional purposes, turns them into essential tools that we trust maybe a tad too much.

And it’s not just text messages you need to worry about. Social media, messaging apps, and even dating apps have created many other channels to deliver an attack.

Providing your employees with software that blocks malicious text messages and URLs will only be effective against long-running campaigns, so it’s likely that this one would have made it through.

The most effective strategy is education. Users need to learn that text messages are to be treated with the same amount of suspicion as unexpected emails. Especially if the text message contains a link.

Stay safe, everyone!

The new school season is just around the corner. And while you are getting ready to go back to school, now is a good opportunity to check you are doing all you can to stay as safe as possible online.

Make sure you are doing these five things:

1. Use multi-factor authentication (MFA)

MFA has become a necessary security measure in a world where passwords still rule. It’s added security for your school-related accounts—and actually any online accounts you have, including social media.

MFA is an additional layer of security, after you enter your username and password. This could be a code generated by an app, a push notification you need to accept, a physical key you plug into your computer, or similar.

Use it wherever it is offered to you. Yes, it makes logging in take slightly longer, but it really does make your accounts safer.

2. Use strong passwords

By “strong”, we mean the best possible password string you can come up. If, for example, your school IT administrator sets a maximum password length of 10 and allows a mix of alphabets and numbers, then make your password 10 characters long with the maximum complexity you can.

And while we’re on the subject of passwords, remember to use a unique password for each of your online accounts. If you use the same email and password combination for every account, then if one gets breached you have to assume they have all been breached.

Of course, it’s impossible to remember a strong password for every account you have. This is where password managers come in. They can generate passwords for you, and will remember them all too. Just make sure you use a super strong password for your password manager itself, and protect it with MFA.

Lastly, never share passwords with anyone.

3. Be wary of links and attachments

When it comes to phishing and malware campaigns, danger doesn’t just lurk in emails. It’s on social media, SMS, chat platforms, gaming platforms, and other online watering holes, too.

Remember: if someone sends you an unsolicited link or attachment, you’re right to be suspicious. Treat it as suspect, and always verify with the sender if they’re someone you know, preferably via other means than the medium with which you received the link or attachment.

4. Share with caution

Students can do this in (at least) three ways:

1. Limit what you share. Don’t give away personal details on social media, including those which tie you to your school.
2. Be smart about what information you allow apps to access. Does that calendar app really need access to your location?
3. For high school and college students, think twice before sharing private photos with someone. Consider that they may be shared with others, and how you might feel if that happened.

5. Lock down your files

The school does its part to secure your most important data, but you have a part to play, too.

You can start by locking down the devices you bring to school, such as your smartphone and laptop. Make sure there’s at least a password or code that stops anyone from casually picking up your device, and then opening it.

If you use the cloud to store files, learn how to secure that properly—the cloud-of-your-choice will have a guide on that. Remember, the cloud can only be as secure as you, the user, makes it.

It’s easy when you know how

Thankfully, securing data doesn’t get any more complicated for regular users than the five tips we have listed above. Remain vigilant and remind yourself that cybersecurity and privacy are shared goals and responsibilities. Students should do their part in the same way that your school’s IT team is doing theirs.

Stay safe, and have a pleasant, risk-free school year ahead!

Last week on Malwarebytes Labs:

• Have we lost the fight for data privacy? Lock and Code S03E16

• Wrestling star Mick Foley’s Twitter compromised, selling PS5 consoles

• Millions of Arris routers are vulnerable to path traversal attacks

• When a sextortion victim fights back

• How to protect yourself and your kids against device theft

• For months, JusTalk messages were accessible to everyone on the Internet

• Update now! VMWare patches critical vulnerabilities in several products

• NetStandard attack should make Managed Service Providers sit up and take notice

• Bank fraud scammers trick victims with claims of bogus Zelle transfers

• Woody RAT: A new feature-rich malware spotted in the wild

• Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

• Ransomware review: July 2022

• FCC warns of steep rise in phishing over SMS

• Phishy calls and emails play on energy cost increase fears

• Patch now! Cisco VPN routers are vulnerable to remote control

Stay safe!

Thanks to Pieter Arntz and the Threat Intelligence Team who contributed to the research.

A hack tool is a program that allows users to activate software even without a legitimate, purchased key. Hack tools are often used to root devices in order to (among others) remove barriers that stop users from using apps from other markets. This is why the term “hack tool” is often interchanged with “crack tool” and “rooting program.”

Many seek such tools in the hopes of getting more control over their devices, or out of necessity if the software they want to use requires them. In this post, we’ll focus on one hack tool that has been a trusted tool for activating pirated copies of Microsoft products for free: KMSPico.

What is KMSPico?

KMSPico (often stylized as KMSPICO or KMS Pico) uses an unofficial key management services (KMS) server to activate Microsoft products—although several hack tools already do the same. Here are some of Malwarebytes’ detection of such tools:

• RiskWare.AutoKMS
• AutoKMS.HackTool.Patcher.DDS
• RiskWare.KMS
• HackTool.KMS
• HackTool.Agent.KMS
• HackTool.IdleKMS
• HackTool.AutoKMS
• HackTool.WinActivator

KMSPico is one of the most (if not the most) popular software activation tools for Windows and Office Suite, with millions of global users and endorsers. Funnily enough, it also seems to have a lot of “official websites.”

Searching for “official KMSpico site” on your favorite search engine will yield thousands of results, including pages of posts from various portals warning internet users not to download KMSPico from Website A or Website B as its malware. And they’re right.

Whatever KMSPico “official” website you find in your search results is undoubtedly fake, which leaves people wondering—or probably even believing—that KMSPico is a myth. This tool, however, is far from mythical. It does exist, and the latest version, 10.2.0, can only be downloaded from a members-only forum posted almost a decade ago.

How does it work?

To understand how KMSPico works, we should first understand how a KMS activation works.

KMS is a legitimate way to activate Windows licenses in client computers, especially en masse (volume activation). There is even a Microsoft document on creating a KMS activation host.

A KMS client connects to a KMS server (the activation host), which contains the host key the client uses for activation. Once KMS clients are validated, the Microsoft product on those clients contacts the server every 180 days (6 months) to maintain its validity. However, a KMS set-up is only viable for large organizations with Volume Licensed (VL) Microsoft products.

This is what KMSPico is trying to exploit. Once installed onto user clients, it changes a user’s retail version of their Microsoft to a “Volume Licensed” one by simply changing the key into a generic VL key. KMSPico then changes the default KMS server to an unofficial KMS server set up by the hack tool’s developer. 

Note that if the KMSPico developer decides to kill the server, then whoever their users are would no longer have an activated version of their Microsoft product.

Why we don’t recommend it

Hack tools can be qualified as riskware, a category of software that may be risky to install on your computer or device. This is because a legitimate copy of the software may be bundled with adware, or it’s actually malware named after popular software. Such is the case for KMSPico.

On top of that, using KMSPico violates Microsoft’s ToS (terms of service) for its products.

Our 2021 State of Malware report found that hack tools plagued our consumer and enterprise clients for the previous two years. 

Perhaps the most critical data we have of KMS hack tools are that they are ranked as a top threat for consumers (with a 2,118 percent growth) and enterprises (with a 2,251 percent growth). We attributed this to the sudden change in work life due to many moving to a work-from-home (WFH) set up during the COVID-19 pandemic. Many employees—and potentially even employers—resorted to using cracked versions of Microsoft products.

Finally, regarding software updates or patching, it’s also likely that KMSPico blocks any activated Microsoft product from “calling home.” If it does, then that would stop these products from getting updates or patches, and KMSPico users would be left with very vulnerable Microsoft software.

Does Malwarebytes detect KMSPico?

Yes. We detect components from the same toolset. So if you have downloaded the KMSPico tool, expect your Malwarebytes product to alert you of files detected as HackTool.KMSpico, CrackTool.KMSPico, or both.