IT NEWS

In a new critical security advisory, VMSA-2022-0021, VMWare describes multiple vulnerabilities in several of its products, one of which has a CVSS score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.

Vulnerabilities

VMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to ‘root’ on unpatched servers.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the most important ones listed below.

CVE-2022-31656

CVE-2022-31656 is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. (VMWare credits security researcher Petrus Viet with discovering this vulnerability.)

CVE-2022-31659 and CVE-2022-31658

The same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10—CVE-2022-31658 and CVE-2022-31659. CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 us a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.

CVE-2022-31665

CVE-2022-31665 is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. A malicious actor with administrator and network access can trigger a remote code execution.

Other privilege escalation vulnerabilities

Besides the already mentioned vulnerability listed as CVE-2022-31656 VMWare fixed CVE-2022-31660, CVE-2022-31661, and CVE-2022-31664 which are all local privilege escalation vulnerabilities. These vulnerabilities would allow a threat actor with local access to escalate privileges to ‘root’.

Mitigation

Even though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.

To fully protect yourself and your organization, please install one of the patch versions listed in the VMware Security Advisory, or use the workarounds listed in the VMSA.

Stay safe, everyone!

The post Update now! VMWare patches critical vulnerabilities in several products appeared first on Malwarebytes Labs.

Managed Service Providers (MSPs), organizations that allow companies to outsource a variety of IT and security functions, are a growing market. Because they are a potential gateway to lots of company networks they make a very attractive target for cybercriminals.

In a recent threat advisory Huntress noticed that an increasing number of Initial Access Brokers (IAB) are focusing on MSPs. In a recent example, a US-based MSP called NetStandard suffered a cyberattack causing the company to shut down its MyAppsAnywhere cloud services.

NetStandard

On July 27, 2022 NetStandard reported a cyberattack on some of its hosted services to its customers. However, details are sparse, and the MSP is staying silent on the issue. The firm’s website was down at first but it moved it to the cloud relatively fast. But I could find no mention of the attack there.

The information it shared with its customers said:

“As of approximately 11:30 AM CDT July 26, NetStandard identified signs of a cybersecurity attack within the MyAppsAnywhere environment. Our team of engineers has been engaged on an active incident bridge ever since working to isolate the threat and minimize impact.”

MyAppsAnywhere is an integrated suite of cloud-based hosted services including Dynamics GP, CRM, Exchange, and SharePoint.

Other targets

Huntress reports that it also noticed a cybercriminal using the handle “Beeper” looking for help to process an MSP. It concluded that the cybercriminal had probably gained initial access to an MSP and found that it was more than they can handle on their own. Their, translated, forum post says:

“I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1000+ servers.

All companies are American and approximately in the same time zone. I want to work qualitatively, but I do not have enough people.”

Around the same time another threat actor going by “vesiyr” posted they had found RDP access to UK companies with an expected revenue of $5 million plus. They were willing to sell that access. The multiple RDP access could mean that vesiyr also gained initial access to an MSP.

Why MSPs are targets

While these incidents are very likely unrelated, they show the interest that IABs have in breaching MSPs. Hardly surprising, since it provides them with an opportunity for supply chain attacks or orchestrated attacks on a multitude of victims.

MSPs are an attractive target because a succesful breach can give the attacker enormous leverage, as well as access to some or all of the computer systems of the MSP’s customers. Those customers often rely on the same MSP for security as well, so there is one less hurdle to clear when the threat actor focuses on the MSP’s clients.

Attacks on MSPs are nothing new. In 2018 the Cybersecurity & Infrastructure Security Agency (CISA) released an alert saying it was aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).

The holy grail of MSP attacks are unpatched vulnerabilities in software used by MSPs to perform security or administration tasks on customers’ computers. The 2021 attack on Kaseya VSA—an attack that leveraged a vulnerability in a tool used by MSPs to launch ransomware on hundreds of MSP customers’ networks simultaneously—is widely regarded as the worst ransomware attack of all time.

In another ransomware attack, threat actors gained access to an MSP’s ConnectWise control tool and took down operations in 22 small Texas cities in a coordinated attack.

Mitigation

MSPs should be aware of both the trust invested in them by their clients and the heightened attention they are likely to receive from IABs.

MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP.

The post NetStandard attack should make Managed Service Providers sit up and take notice appeared first on Malwarebytes Labs.

It pays to be careful where cold calls from someone claiming to work for your bank are concerned. Scam callers are impersonating bank staff, with suggestions of dubious payments made to your account. One unfortunate individual has already lost around $1,000 to this slice of telephone-banking based fraud. With a little press intervention they were lucky enough to get it back. Sadly most people don’t get that far.

What’s happening, and how can you avoid it?

An unauthorised payment: A scammer’s steps to success

This attack has several steps. Here’s how it plays out:

• The scam begins with a call from a supposed fraud team. This is a common confidence trick, it sounds convincing and it has a sense of urgency built in. The call also spoofs the caller ID of the bank, another easy-to-pull-off tactic which makes the call look more plausible.
• Setting the recipient of the call off-balance is the aim of the game. And what better way to have them second guess themselves than by referring to technology they may not have used before? In this case, the scammer claims the victim’s bank account has made a fraudulent Zelle transfer of $1,000 to somebody in Texas. Zelle is a US based digital payments network. To the recipient of such a call, it may well just sound like a big scary thing has happened to their money which they don’t fully understand.
• Adding some time-based pressure is the final blow. “Hurry up and follow my dubious instructions or you lose all of your money” is a very successful tactic. Victims are dissuaded from calling their bank directly because they would just be “redirected back to the fraud team”. In this case, the victim was told to reverse the transaction by punching in a code given to them by the fraudster. After the first $1,000 vanished, the scammer risked it all on another claim of $5,000 in fraudulent transfers. Thankfully, the victim was having none of it and more losses were averted.

Am I protected?

It’s trickier than ever to deal with a case of banking fraud. Banks and payment systems increasingly put the onus on the individual to not get caught out by deception. If you bank online and send people money, you’ll likely have gone through a fraud check flow.

This is where the site asks you to confirm who you’re sending money to and why. If you select “romance” (for example), you’ll be warned about romance scams and eventually you’ll tick a box to confirm that you recognise the risks. If something goes wrong, on your own head be it.

This is almost note for note what happened to the person in the news story above. The bank said that because the victim “authorised” the payment, no protection was in place. This is clearly not an accurate reading of what happened, and the money request was clearly fraudulent. Even so, this is what you may have to contend with should you wander into a fraud situation.

Watch out for red flags

There’s several aspects of this attack common to many others which may indicate a fraud attempt.

• They don’t want you to call the bank back. If you do this, the fraud falls to pieces. A genuine member of staff would have no issue with you calling them yourself.
• Pressure tactics. If a bank calls you out of the blue and claims that they’re powerless to stop something without your assistance, be very cautious. Is your bank really unable to perform a basic banking action?
• Knowing your date of birth, address, and other information doesn’t mean the caller is genuine. They may have obtained the data from a phish, or a security breach.
• Referencing third party payment apps may be another red flag, especially if they talk about technology you’ve not used before.

The post Bank fraud scammers trick victims with claims of bogus Zelle transfers appeared first on Malwarebytes Labs.

This blog post was authored by Ankur Saini and Hossein Jazi

The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.

This advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.

Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK.

In this blog post, we will analyze Woody Rat’s distribution methods, capabilities as well as communication protocol.

Distribution methods

Based on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.

The earliest versions of this Rat was typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.

The following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:

Archive files

In this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:

• anketa_brozhik.doc.zip: It contains Woody Rat with the same name: Anketa_Brozhik.doc.exe.
• zayavka.zip: It contains Woody Rat pretending to be an application (application for participation in the selection.doc.exe).

Follina vulnerability

The threat actor is using a Microsoft Office document (Памятка.docx) that has weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The used lure is in Russian is called “Information security memo” which provide security practices for passwords, confidential information, etc.

Woody Rat Analysis

The threat actor has left some debugging information including a pdb path from which we derived and picked a name for this new Rat:

A lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as parameter.

As we will see later, that malware uses multiple threads and so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request.

Deriving the Cookie

The malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine specific values. The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid any possible cookie collisions by the malware.

A combination of GetAdaptersInfo, GetComputerNameA and GetVolumeInformationW functions are used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.

Data encryption with HTTP requests

To evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary and the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the BCryptImportKeyPair function.

The malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and C2 simultaneously use these bytes to generate the AES-CBC key using BCryptGenerateSymmetricKey which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses BCryptEncrypt and BCryptDecrypt respectively.

C2 HTTP endpoint request

knock – This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request and the data of this request contains 32 random bytes which are used to derive AES-CBC key, while the 32 bytes are RSA-4096 encrypted.

The data received as response for this request is decrypted and it contains the url path to submit (/submit) the additional machine information which the malware generates after this operation.

submit – This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. Data sent via submit API includes:

• OS
• Architecture
• Antivirus installed
• Computer Name
• OS Build Version
• .NET information
• PowerShell information
• Python information (Install path, version etc.)
• Storage drives – includes Drive path, Internal name etc.
• Environment Variables
• Network Interfaces
• Administrator privileges
• List of running processes
• Proxy information
• Username
• List of all the User accounts

The malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.

ping – The malware makes a ping GET http request to the C2 at regular intervals. If the C2 responds with “_CRY” then the malware proceeds to send the knock request again but if the C2 responds with “_ACK” the response contains additional information about which command should be executed by the malware.

The malware supports a wide variety of commands which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all these commands below in the blog.

C2 Commands

The malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and mutex. To dispatch a command it modifies the state of the event linked to that object. We should note all the communications involved in these commands are AES encrypted.

_SET Commands

• PING – This command is used to set the sleep interval between every ping request to the C2.
• PURG – Unknown command
• EXIT – Exit the command execution thread.

_REQ Commands

• EXEC (Execute)- Executes the command received from the C2 by creating a cmd.exe process, the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using ReadFile from the named pipe and then “_DAT” is appended to this data before it is AES encrypted and sent to the C2.

• UPLD (Upload) – The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as file.
• INFO (Submit Information) – The INFO command is similar to the “submit” request above; this command sends the exact information to the C2 as sent by the “submit” request.

• UPEX (Upload and Execute) – This is a combination of UPLD and EXEC command. The commands first writes a file received from the C2 and then executes that file.
• DNLD (Download) – The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.
• PROC (Execute Process) – The PROC command is similar to the EXEC command with slight differences, here the process is directly executed instead of executing it with cmd.exe as in EXEC command. The command uses the named pipes in similar fashion as used by the EXEC command.
• UPPR (Upload and Execute Process) – This is a combination of UPLD and PROC command. The command receives the remote file using the upload command then executes the file using PROC command.
• SDEL (Delete File) – This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.
• _DIR (List directory) – This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are:
  • Filename
  • Type (Directory, Unknown, File)
  • Owner
  • Creation time
  • Last access time
  • Last write time
  • Size
  • Permissions
• STCK (Command Stack) – This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple children commands which are executed in the same order they are received by the malware.
• SCRN (Screenshot) – This command leverages Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.
• INJC (Process Injection) – The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.

• PSLS (Process List) – Calls NtQuerySystemInformation with SystemProcessInformation to retrieve an array containing all the running processes. Information sent about each process to the C2:
  • PID
  • ParentPID
  • Image Name
  • Owner
• DMON (Creates Process) – The command seems similar to PROC with the only difference being the output of the process execution is not sent back to the C2. It receives the process name from the C2 and executes it using CreateProcess.
• UPDM (Upload and Create Process) – Allows the C2 and upload a file and then execute it using DMON command.

SharpExecutor and PowerSession Commands

Interestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named WoodySharpExecutor and WoodyPowerSession respectively. WoodySharpExecutor provides the malware ability to run .NET code received from the C2. WoodyPowerSession on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.

WoodyPowerSession makes use of pipelines to execute these PS commands. The .NET dlls are loaded by the malware and commands are executed via the methods present in these DLLs:

We will look at the commands utilising these DLLs below:

• DN_B (DotNet Binary) – This command makes use of the RunBinaryStdout method to execute Assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by 0x20 character.
• DN_D (DotNet DLL) – This method provides the attacker a lot more control over the execution. An attacker can choose whether to send the console output back to the C2 or not. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. The DLL loads the code and finds and executes the method based on other arguments received from the C2.
• PSSC (PowerSession Shell Command) – Allows the malware to receive a Base64 encoded PowerShell command and execute it.
• PSSS (PowerSession Shell Script) – This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.
• PSSM (PowerSession Shell Module) – This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.

Malware Cleanup

After creating the command threads, the malware deletes itself from disk. It uses the more commonly known ProcessHollowing technique to do so. It creates a suspended notepad process and then writes shellcode to delete a file into the suspended process using NtWriteVirtualMemory. The entry point of the thread is set by using the NtSetContextThread method and then the thread is resumed. This leads to the deletion of the malware from disk.

Unknown threat actor

This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, nased on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor.

Malwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. We also already detected the binary payloads via our heuristic malware engines.

IOCs

Woody Rat:

• 982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0
• 66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b
• b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a
• 43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce
• 408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e
• 0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834
• 5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80
• 3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3
• 9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d

C2s:

• kurmakata.duckdns[.]org
• microsoft-ru-data[.]ru
• 194.36.189.179
• microsoft-telemetry[.]ru
• oakrussia[.]ru

Follina Doc:
Памятка.docx
ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb
Follina html file:
garmandesar.duckdns[.]org:444/uoqiuwef.html
Woody Rat url:
fcloud.nciinform[.]ru/main.css (edited) 

The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.

In no time at all, kids will be going back to school or starting college. And while gearing up for this, it’s very important to be aware of the threat from device loss in the school environment.

Maybe you are away at university for the first time and have a new place to live, or maybe your kids have devices they take into school. Whatever the reason, if you lose a device or it gets stolen, the end result can be quite serious—from loss of sensitive data, wasted time and misplaced work, to blackmail or harassment if the data is unencrypted.

And it’s not just one piece of technology to worry about. Students are likely to own tablets, laptops, and mobile phones at the bare minimum. It’s tricky to juggle all the potential privacy and security pitfalls when dealing with so many pieces of technology…but it can be done!

How to protect yourself against mobile device theft

A phone is much easier to lose track of in school or on campus than a much larger device like a laptop. It’s also a great target for thieves for precisely the same reason. Depending on the model, your device likely contains a wealth of security options. Here’s what you can do in advance to take the sting out of a mobile theft.

• Lock your device. Your lockscreen should serve as the barrier between you and your data. This is because it’ll also serve as the barrier between your device and other people. Protect it with a passcode, or biometrics (such as your thumbprint, your faceprint, or even a scan of your eye). Should someone steal your phone or simply pick it up off the ground after you drop it, they won’t be able to access your data.
• Encrypt your data. If your device isn’t encrypted, the information on it is potentially at risk if the phone is stolen. Once encrypted, everything on the device is scrambled in a way which requires the correct PIN to access the secured data. Older versions of Android used something called Full-Disk encryption. Newer versions use File-based encryption. iPhones and iPads have encryption as standard when using Face or Touch ID, or a passcode. You can check by going to Settings > Face ID/TouchID & Passcode. If you scroll to the bottom you should see “Data Protection is enabled”
• Turn on Find my phone. This option is hidden away in the security settings of most Androids, and you may need to dig around a little to find it. It does what it suggests, using a combination of several forms of technology to locate the missing device. On Apple products, it’s likely to be turned on by default, but you can check by navigating to the “Find My” app.

How to protect yourself against laptop theft

Laptops aren’t quite as easy to make disappear as a mobile device, but it does happen! Here are some of the ways you can prevent laptop theft while on campus or out and about between classes.

• Don’t neglect physical security. Never leave your laptop bag unattended, even for a second. Going back to the counter for another coffee? Take it with you. Need to go to the bathroom? Pack your laptop away, and take it with you. Sitting at a table with your bag on the floor? Put one foot through the laptop bag’s strap, so if someone tries to snatch it they won’t be able to.
• Observe campus rules. If the laptop you’re using is campus supplied, the device may be encrypted by default. There may well be security tools present to help fend off potential malware infections, but there may be nothing available to remedy loss or theft, such as location tracking. While it may be tempting to install a third-party tracking tool, your school or university will have policies with regard to what you can, or cannot, install. If in doubt, ask IT for assistance.
• Encrypt your device (again). If you’re using a Windows operating system, you have a couple of options available. You could, for example, make use of BitLocker. If you’re running Windows Home, you may well have to consider using a third-party alternative because BitLocker isn’t available. On Macs, you can use FileVault to encrypt your device.
• Turn on Find your device. This works in a similar fashion to trace tools for lost mobiles and should be set up when you first get your device. On Windows, navigate to Start > Settings > Update & Security > Find my device, and then select “Change” to finish configuring. On Mac, navigate to System Preferences > AppleID > iCloud. Select Find My Mac and click Allow.

A tip for both mobiles and laptops

No matter what you’re taking on campus, remember to backup your data. Device loss is bad enough, but losing everything on the device makes it even worse. Get into the routine of backing up data daily.

Your mobile may also have the option of cloud backups. Take care to check how the data is stored, if it’s encrypted, and if it eventually expires. There may well be a limited amount of space available, or it could eat into some of your data allowance.

There are more options on the desktop. You could use removable storage, additional hard drives, local desktop backups, and more. There are also various cloud-based options available like Dropbox and Google Drive, and it’s worth noting that many of these services will also work on mobile too.

The post How to protect yourself and your kids against device theft appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Update Google Chrome now! New version includes 11 important security patches
• Lightning Framework, modular Linux malware
• Malware spent months hoovering up credit card details from 300 US restaurants
• Lock down your Neopets account: Data breach being investigated
• Demo: Your data has been encrypted! Stopping ransomware attacks with Malwarebytes EDR
• Microsoft clamps down on RDP brute-force attacks in Windows 11
• SonicWall urges customers to patch critical SQL injection bug ASAP
• T-Mobile agrees to pay customers $350 million in settlement over data breach
• Simplifying the fight against ransomware: An expert explains
• PrestaShop warns of vulnerability: Update your stores now
• In post-Roe US, experts share how to keep your data private
• Anti-vaxxer dating site exposes user data
• IIS extensions are on the rise as backdoors to servers
• “Orwellian in the extreme” food store installs facial recognition cameras to stop crime, faces backlash
• TikTok owner ByteDance pushed a pro-China agenda to Americans, say former employees
• Radioactivity monitoring and warning system hacked, disabled by attackers
• Google delays Chrome third party cookie sunsetting…again
• Criminals using compromised social media accounts to “post indecent images of children” says UK cybercrime organization
• The ransomware landscape changes as fewer victims decide to pay
• To settle with the DoJ, Uber must confess to a cover-up. And it did.

Stay safe!

The post A week in security (July 25 – July 31) appeared first on Malwarebytes Labs.

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we’re bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court’s decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google’s all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

The outlook, according to our guests, is bleak, and that isn’t just because so much of our data is tracked today, but that we currently don’t know whether the data that is tracked today could, sometime in the future, become data that is valuable in entirely new ways—much like how period-tracking data suddenly became far more sensitive following the overturning of Roe v. Wade in the United States.

That’s a big, big danger with this. That you can’t, you just can’t predict where your data is going to end up in the future, or how it mights be used against you. And the more data that is collected on you, and the more it’s aggregated, the more compounded that danger becomes.

Mark Stockley, Malwarebytes Labs writer

Tune in to the latest episode of Lock and Code to hear about today’s fight to preserve data privacy, what the future of data privacy could look like, and what our guests are doing today to preserve the data privacy of those around them, even if the forecast looks dim.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

The post Have we lost the fight for data privacy? Lock and Code S03E16 appeared first on Malwarebytes Labs.

One of the biggest wrestling stars around, Mick Foley, had his Twitter account hijacked in an attempt to legitimize a very popular scam. When a well known individual has their social media accounts compromised, disaster looms, as everything from phishing to malware distribution waits in the wings for potential victims.

But this time, we traded messages with the scammer to see what was up.

The fake Mick Foley PS5 giveaway extravaganza

At some point in the last 24 hours, Mick Foley lost control of his Twitter account. It’s now playing host to multiple Tweets offering up PS5 giveaways. Well, I say “giveaway.” There is a catch, of the financially shaped variety.

Mick’s Twitter account is selling these PS5 consoles “for retail price,” with the proceeds going directly to charity. Note that there is no word of which charity will be receiving the money. I’ve never known a celebrity wrestler to get involved in charity work of some kind and not explain at length who is benefitting.

Some of the other tweets throw in the promise of “free tickets” to his next show as an incentive to paying up. Every tweet related to these PS5s has the replies turned off, which means people can’t easily question the legitimacy of this offer.

At the very least, you’d think Mick would take some photos of the supposed PS5s sitting in front of him. Did Mick take this picture in one of the many tweets promoting the PS5 sale, for example?

Hold that thought, because here is the same photo being used on a totally unrelated seller listing. An unexpected PS5 sale, replies turned off, and stolen images used for the consoles in question? This isn’t a few red flags, it’s a parade.

Asking the important questions

The person running Mick Foley’s account asked would-be buyers to contact him via direct message. I always wanted to hang out with a WWE wrestler, so off I went to see how this scam plays out. I asked how to obtain the PS5, and whoever is running the account seemed oddly reticent to explain where to send my money.

Eventually I was told to organise a Zelle payment for $540 USD through Mick’s definitely-real-and-not-at-all-fictional assistant. Considering Foley has 2 million followers on social media, this has the potential for an awful lot of stolen payments. Scammers targeting verified accounts is a popular tactic, and helps to give their fraudulent activities a sheen of legitimacy.

Lock it down

You may not have the social media reach of a WWE superstar, but you can still do your bit for a safer social experience. Here’s what Twitter recommends to keep things secure where your social experience is concerned:

• Use a strong password that you don’t reuse on other websites.
• Use two-factor authentication.
• Require email and phone number to request a reset password link or code.
• Be cautious of suspicious links and always make sure you’re on twitter.com before you enter your login information.
• Never give your username and password out to third parties, especially those promising to get you followers, make you money, or verify you.
• Make sure your computer software, including your browser, is up-to-date with the most recent upgrades and anti-virus software.
• Check to see if your account has been compromised.

The post Wrestling star Mick Foley’s Twitter compromised, selling PS5 consoles appeared first on Malwarebytes Labs.

Security researcher Derek Abdine has published an advisory about vulnerabilities that exist in the MIT-licensed muhttpd web server. This web server is present in Arris firmware which can be found in several router models.

muhttpd web server

muhttpd (mu HTTP deamon) is a simple but complete web server written in portable ANSI C. It has three major goals: Be simple, be portable, and be secure. Simplicity was the main goal for muhttpd, but because of its simplicity and broad use, it also must prioritize security.

ISP customer premise equipment (CPE) often uses this web server, and ISP subscribers will typically get these routers in loan for telephony and Internet access.

Path traversal

A path traversal attack aims to access files and directories stored outside the web root folder. These attacks are sometimes referred to as dot-dot-slash attacks since they manipulate variables that reference files with “dot-dot-slash (../)” sequences and variations of them to access arbitrary files and directories.

The muhttpd server 1.1.5 (last official release 2010) has a path traversal vulnerability. The latest release of muhttpd is version 1.1.7 (released June 1, 2022). Unfortunately the Arris firmware is based on the vulnerable version of muhttpd.

Vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Derek Abdine found several vulnerabilities, one of which is:

CVE-2022-31793: Path traversal from the filesystem root. Simply prepending a single character that is not a dot (“.”), forward slash (“/”) or question mark (“?”) before the requested path is sufficient to obtain any regular file on the device. This vulnerability allows an unauthenticated remote attacker (in cases where remote administration is enabled) or any local (LAN) party to obtain:

• The contents of the md5crypt (salted/hashed) passwords in /etc/passwd.
• The SSID and plaintext password of the 2G and 5G Wi-Fi networks broadcast by the device.
• The usernames and (sometimes encrypted) passwords of all administration accounts on the system.
• Configuration information including the TR-069 protocol in use by an internet service provider (ISP).
• Session Initiation Protocol (SIP) usernames (phone numbers) and passwords, including SIP endpoint URLs.
• Port forwarding configuration information.
• Other sensitive network information, such as established TCP connections.
• Various system and firewall logs.
• A complete list of the LAN IP address, hostname, MAC, uptime, and device characteristics such as the operating system and known applications of every device on the LAN.
• The router serial number.
• The certificate and private key for the web management portal.
• Router process information.

Other vulnerabilities

The researcher found two more vulnerabilities which are not so easy to exploit:

NULL pointer dereference: The muhttpd server receives HTTP requests on a non-blocking socket. Socket connections are accepted and fed to a forked process to execute. When data is received, the server reads in a loop until a sequence of two carriage return/newline characters are received. Processing is then handed off to another method which attempts to parse the request method. Injecting a NULL byte into the request steam will cause the request process (forked from the server process) to segfault. A segmentation fault (aka segfault) is a common condition that causes programs to crash.

Buffer over-read when defanging URLs: The muhttpd server contains a buffer over-read when dealing with percent-encoded values. When encountering a percent “%” in the URL, the server attempts to decode the next two characters without checking the bounds. As a result, if the URL consists of “%” with no following characters, the decode_url function will read past the URL data and into the parts of the request buffer containing the HTTP protocol version string. While not practically exploitable, safeguards should be made to prevent accessing unintended address space.

Affected devices

The affected muhttpd server is used in fiber and DSL-based Arris router products (NVG), as well as whitelabel/OEM products by other vendors. Internet Service Providers (ISPs) around the world typically loan these routers out to their collective millions of subscribers. In 2017 for example, experts discovered easily exploitable flaws in Arris modems distributed by AT&T.

Arris router models that were found to be vulnerable are NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320. Please note that Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05, and SBR-AC1200P 1.0.5-B05 are vulnerable to another vulnerability listed as CVE-2022-26992 which allows attackers to execute arbitrary commands via a crafted request.

Internet searches revealed 19,000 vulnerable routers directly connected to the internet. The owners were informed and most of the devices have been patched by now. Both Arris and muhttpd have issued patched versions but since the firmware is widespread and every ISP manages their own firmware updates independently, it’s likely that this issue will persist for years.

Mitigation

At the moment there are no reports of these vulnerabilities being used in the wild, but now that the vulnerabilities are known and proof of concept code is available, it might only be a matter of time until an attack is carried out.

If your router uses a vulnerable version of muhttpd you are advised to disable remote administration since that limits exploitability of the vulnerabilities to LAN attacks. Also, either get a patched version as soon as possible or replace the device.

The post Millions of Arris routers are vulnerable to path traversal attacks appeared first on Malwarebytes Labs.

When Katie Yates suddenly started receiving nude photos of her friend, Natalie Claus, over on Snapchat, she instantly recognized that Claus had just become a victim of a sextortion attack. She also knew how Claus should respond.

This happened in December 2019 when Claus was a sophomore. Both were students at the State University of New York.

Yates has a story of her own, too. Months before receiving those messages from Claus, she was herself a victim of sexual assault. After reporting the abuse, Yates started receiving abusive messages on social media. Seeing the lack of support from anyone on campus, she explored ways to identify her harasser.

This vigilanteism—Yates taking the matter into her own hands because she’s not getting any help—proved beneficial for Claus. So when Yates asked Claus if she wanted to catch her hacker, Claus said, “Yeah.”

Hacker posed as “Snapchat Security”

The case of Claus’s hacker, David Mondore (a chef), actually made headlines around 2020 and 2021. Claus is not his sole victim, and a press release revealed that Mondore was involved in a string of Snapchat hijacking activities from July 2018 to August 2020. During this period, the hacker gained unauthorized access to at least 300 Snapchat accounts, including Claus’s.

This Bloomberg article mentioned that Mondore posed as a “security employee” who warned Claus of an alleged breach of her Snapchat account. The Office of the US Attorney of New York provided more detail on the ruse that tricked Claus into handing over her account to Mondore.

According to Claus, whom the press release refers to as Victim 1, she received a Snapchat message from an acquaintance, whom the press release refers to as Acquaintance 1. The person messaging Victim 1 is actually Mondore using Acquaintance 1’s account.

Acquaintance 1 asked Victim 1 for her Snapchat credentials, so they can use the account to check if another user blocked them. In Snapchat, you can’t see anyone who’s blocking you even when you search for their username or full name. It appears the only way to see who’s blocking who is using another account. Several sites use this tactic.

Clearly, Mondore took advantage of this.

After Victim 1 sent her credentials to Acquaintance 1, Mondore sent Victim 1 a text message via an app anonymizing his actual phone number. The message he sent purportedly came from Snapchat Security, requesting Victim 1 to send the passcode for her “My Eyes Only” folder to verify that Victim 1’s account has been legitimately accessed.

“My Eyes Only” is a secure, encrypted, and private folder within Snapchat where users can save potentially sensitive photos and videos. This can only be accessed with a passcode.

After gaining access to Victim 1’s Snapchat account and her “My Eyes Only” folder, Mondore rinses and repeats. He contacted Victim 1’s contacts using her account, asking for their credentials under the pretense of checking who blocked them.

Mondore also used Claus’s private photos, which she had taken for herself as she attempted to recover from a rape, to gather compromising material from her Snapchat contacts. The message sent out with her nude images says, “Flash me back if we’re besties.” It was sent to 116 people, four of whom responded with explicit photos of themselves.

“Gotcha”

Claus hatched a plan to trap her hacker with Yates’s help. Using her own Snapchat account, Yates sent a message to Claus’s account, which Mondore had already controlled by then, saying she had nude images to share, with a URL link made to look like a porn site.

The URL, once clicked, collected the IP address of anyone who accessed it using the Grabify IP Logger website. Not only that, Yates and Claus set up the URL to redirect Mondore to the Wikipedia page for the word “gotcha” instead of the porn site he probably expected.

Mondore, upon seeing the Wikipedia redirect, messaged Yates saying, “What the hell is this?” She then blocked Claus’s account after collecting Mondore’s IP: he was in Manhattan and using an iPhone without a VPN.

Claus sent her police report to the campus police, who then forwarded it to the New York state police. One of the officers then knew who to contact within the FBI. The tip eventually led to Mondore’s arrest. He received a sentence of 6 months jail time.

“It was him being an idiot that did it,” Claus said of her hacker. “When I passed all that information to the FBI, they said, ‘There’s a really good chance that we wouldn’t have caught him without this.’”

Despite what happened to her and the “too light” punishment Mondore received, Claus believes he’s not a monster. “He’s a human,” she told Bloomberg. “That’s what makes it scary.”

The post When a sextortion victim fights back appeared first on Malwarebytes Labs.