IT NEWS

The king of tricks is dead. Long live the new king. Or will it make a comeback?

While we already assumed TrickBot was dead in the water, the shutdown of the server infrastructure on February 24, 2022, did not go unnoticed. Is this really the end of one of the most active botnets in the last decade?

History

The rise of TrickBot started when it was a banking Trojan designed to steal personal financial data. Initial development started in 2016, with many of its original features inspired by Dyreza which was another banking Trojan.

Fast forward a few years to 2018, and due to its modular build and the capabilities to move laterally in a network TrickBot has become the top-ranked threat for businesses. Back then, the authors of TrickBot were agile and creative, regularly developing and rolling out new features. The separate modules made it easier to develop new capabilities and use the malware for several purposes. For example, in 2019 researchers found a new feature in TrickBot that allows it to tamper with the web sessions of users who were on certain mobile carriers. Other features such as disabling real-time monitoring from Windows Defender were also added at some point.

In 2021, a number of arrests were made that provided some insight into the scale and complexity of the TrickBot group. These arrests also seem to have been some of the starting points that marked the end of the group. Some might have felt insecure, even with all the safety guards they deployed to keep their true identity secret, seeing some of their co-workers getting indicted.

Cooperation

The ransomware scene can be compared to any legitimate business vertical in more than one way. You will see short lived cooperation, fusions, and staff moving from one company to another. Some of the malware peddlers and ransomware gangs have established a relationship that can be described as being in league with each other. Given their nature and the amount of money that goes around in these ransomware groups, they are sometimes referred to as (cyber)crime syndicates.

Over the years we’ve seen several campaigns where Emotet acted as a dropper for the TrickBot trojan. TrickBot then stole the financial information it was after, and downloaded the Ryuk ransomware. This Emotet-TrickBot-Ryuk supply chain was feared worldwide and turned out to be extremely resilient. After Ryuk’s rebranding to Conti this did not change. But Conti has grown over the years and expanded to the point that it can now be considered one of the major players in this ”industry” in its own right.

Its relationship with TrickBot was one of the primary reasons for the rapid rise of Conti. At some point, Conti turned into the sole end-user of TrickBot’s botnet product. By the end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and managers making the move to join Conti.

The end(?)

There are a few contributing factors that indicate that this may really be the end of TrickBot.

• The move of developers and managers to Conti, and possibly other gangs.
• The high detection rate for TrickBot. A less actively developed malware becomes an easy target for detection and remediation routines.
• The rise of the BazarLoader which used to be a part of Trickbot’s toolkit, but has now been developed into a fully autonomous tool. It seems the likely candidate for Conti to develop further.
• The voluntary shutdown of the servers and the fact that they hadn’t set up any new servers for months.
• The lack of new TrickBot email spam campaigns in the year 2022.

Renowned researchers expect this to be the end of TrickBot as we know it.

That doesn’t mean it can’t rise like a Phoenix from the flames with a new label or under different management. Most of the people who have led and developed TrickBot throughout its long run will not simply disappear from the scene, but find new employers, like Conti.

Whether we will notice that TrickBot is gone remains to be seen. Plenty of new infiltration methods are available to the ransomware gangs and their affiliates. And it will probably even take years before we stop seeing TrickBot detections, dormant or not, on some system.

The post TrickBot takes down server infrastructure after months of inactivity appeared first on Malwarebytes Labs.

Last month, Politico reported that Crisis Text Line, a national mental health support nonprofit whose volunteers help people through text-based chats, was sharing those chats with a for-profit company that Crisis Text Line spun-off in an attempt to boost funding for itself. That for-profit venture, called Loris.AI, received “anonymized” conversational data from Crisis Text Line, which Loris.AI would use to hone its product—a customer support tool.

The thinking behind this application of data went a little something like this: Companies all over the world have trouble dealing with difficult customer support conversations. Crisis Text Line had trained an entire volunteer force on having broadly difficult conversations. What if the lessons from those conversations could be gleaned from the data trails they left behind? What if the lessons could be taught to a product, which would in turn help customer support representatives deal with angry customers?

But that setup, once exposed by Politico, infuriated many members of the public. Some thought it was wrong to keep conversational data, period. Some thought it was wrong to allow outside researchers to study the data of texters and the volunteers who support them. And some were primarily upset with the application of this data to bolster a for-profit venture.

Today, to help us understand that anger and to dive into data privacy principles for crisis support services, we’re speaking with Courtney Brown, the former director of a suicide hotline network that was part of the broader National Suicide Prevention Lifeline.

Interestingly, during her time with her suicide hotline network, Brown consulted with Crisis Text Line on the evaluation of its volunteer training program in their first year.

For Brown, the problems with Crisis Text Line are clear: The use of the data was not proven to help anyone in any way that hadn’t already been discovered in prior suicide research.

“[Crisis Text Line is] acting like there is a social good, that there must be—there must be a social good somewhere in here. But seriously, what is it. Tell me what it is. Maybe I’ll reevaluate it if you can tell me how using this data is different from using all of the other data that’s been collected about suicide prevention.”

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post How Crisis Text Line crossed the line in the public’s mind: Lock and Code S03E05 appeared first on Malwarebytes Labs.

The UK’s data watchdog has issued a reprimand to both the Scottish government and NHS National Services Scotland about their Covid Status app. The Information Commissioner’s Office (ICO) urged both to act swiftly to address its concerns about the app that, according to the ICO, failed to provide people with clear details about how their personal information was being used.

Covid Status app

The NHS COVID Pass shows the holder’s Covid vaccination details, test results, and recovery information. The holder can use the app to prove their Covid status when travelling abroad or when visiting venues that require proof of a Covid status. The app can be used to display a QR code rather than details of the vaccination or test results, which can then be scanned by someone using a verifier app. They will need to see a green tick that confirms the person’s Covid status in order to allow them the requested access.

The displayed information is inherently personal because it says something about your medical history so it should be treated with the greatest care. However, the ICO said there were only three days between it receiving the full details on how the NHS Scotland Covid Status app would be using people’s information and the rollout of mandatory status checks. This did not provide authorities and users with ample time to review the privacy details.

Sharing information

Originally, there were plans to let the app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind it, but this technology wasn’t necessary for the app to function and served no benefit to the user. The ICO concluded it would have been unlawful in these circumstances to share information with the software company in order to help them improve the facial recognition software.

As a result, the Scottish government and NHS National Services Scotland halted plans to share personal data with the software company. However, the ICO said the app was launched as planned without fully addressing its wider concerns about compliance with data protection law.

The investigation

The ICO followed up with an investigation and has now concluded that both parties failed to initially provide adequate information to users about how personal information would be used. They also didn’t correct this by failing to provide concise privacy information so the average person could realistically understand how the app was using their information. The ICO decided to make its ruling public due to the significant public interest in the issues raised.

The defense

Ministers accepted that the privacy information could have been clearer, but the Scottish government said the NHS Scotland Covid Status app was an important tool in their response to COVID-19, and served as a vital public health role during the pandemic. They went on to stress that at all times people’s data was held securely and used appropriately.

“Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work.”

Other Covid apps

Given the limited timeframe to come up with an acceptable solution and the sensitive data held, it was almost inevitable there would be flaws in some of the apps that were designed for this purpose. The NHS Scotland Covid app was not alone.

Numerous tracing applications have been developed or proposed, with official government support in some territories and jurisdictions. These tracing apps are designed to notify users if they have been in close contact with a COVID-19 victim. Privacy concerns have been raised, especially about systems that are based on tracking the geographical location of app users.

The Dutch CoronaMelder-app got shut down for days because there were privacy issues with the Google layer of the app that potentially leaked data to standard apps on the Android platform. Later it was criticized again because public health service employees of the GGD would be able to link app data to a specific patient.

The Singapore TraceTogether-app, also a tracing app, was summoned to update its privacy conditions to reflect the fact that location data from the app could be used in criminal investigations.

In France, a researcher found that the contact tracer app collects more data than originally understood. His findings show that all cross-contacts are sent to the central server, contrary to the government guidance which states that only the app users who had been in contact for 15 minutes, closer than one meter away from a person who tested positive for COVID-19 would be stored, meaning that the app processes more data than necessary or specified, and is not compliant with the data minimization principle. The French Government has not denied the comments.

Stay safe, everyone!

The post Covid app’s privacy information ruled not clear enough appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Potential cybersecurity impacts of Russia’s invasion of Ukraine
• Cyber lures and threats in the context of the war in Ukraine
• CISA warns of cyberespionage by Iranian APT “MuddyWater”
• Google and Microsoft accused of feeding smaller search engines spam ads
• Cyclops Blink malware: US and UK authorities issue alert
• Yik Yak “cyberbullying”: What can be done?
• How to update your drivers and when you need to
• Hive ransomware: Researchers figure out a method to decrypt files
• “Ethnicity recognition” tool listed on surveillance camera app store built by fridge-maker’s video analytics startup
• Xenomorph banking Trojan downloaded over 50,000 times from Play Store
• CISA offers guidance on dealing with information manipulation
• Facebook sued for siphoning facial recognition data without consent

Stay safe!

The post A week in security (February 21 – February 27) appeared first on Malwarebytes Labs.

Google and Microsoft appear to have been flooding their smaller search engine rivals with spam ads, to limit the number of higher-value ads that appear on them, according to data viewed by POLITICO.

Ads are considered “spam” if they appear in search results but have little to no relevance to the search terms a user has entered, and may direct users to less reputable sources. Such ads generate little value to search engines overall.

Pushing spammy ads to their smaller partners tilts the scales in favour of the bigger search engines in two ways. Firstly, it limits how much money smaller search engines can make, and gives Google and Microsoft a greater share of the more profitable ads. Secondly, users of alternative search engines like DuckDuckGo may be turned off by the poor ad choices when they search. This could encourage them to use Google and Bing instead, if they think those sites offer better and more reliable ads.

POLITICO reports that the findings come from data compiled by adtech researchers who wish to remain anonymous for fear of damaging their relationship with either Google or Bing.

Smaller search engines rely on the results of Google and Microsoft—so-called “gatekeeper search engines”—as they have the lion’s share of the search market. Google, of course, has by far the biggest share, with 90 percent, and up to 600 billion websites indexed. On the other hand, Bing has a 7 percent share but indexes more or less 150 billion web pages. POLITICO explains that these alternative search engines often have agreements with Google or Microsoft. This means that these two companies also supply the ads that appear on top of search result pages.

Readers may be surprised to discover that the privacy-focussed search engine DuckDuckGo uses Microsoft for its ads. According to DuckDuckGo “…your searches cannot be tied back to you”, however, that protection stops when you click on an ad: “When you leave our site, you are subject to other sites’ policies, including their data collection practices. For ads from Microsoft, you also pass through Microsoft Advertising’s platform.”

In its article, POLITCO compares the ads shown by DuckDuckGo and Bing for the search term “depression”, with DuckDuckGo showing obviously lower-quality ads. Search ads are subject to all kinds of factors so we thought we’d try it ourselves. We saw the same result.

According to Marc-André Rousseau, a lawyer at the German law firm Schalast, the findings are in parallel with the Google Shopping saga as Google, once again, has conducted self-preferencing practices.

A spokesperson from Google told POLITICO that all ads signed up to search engine partners can appear on both Google’s and partner’s search results; however, the company “has certain algorithms in place that put controls on the types of ads shown.”

On the other hand, alternative search engines have reacted differently to the findings. DuckDuckGo said that it’s “constantly working to improve the quality of its results.” Qwant, a search engine that relies on Microsoft’s indexes, has started to study the advertising area in more detail in recent months. Startpage, a privacy search engine like Qwant, admits to using Google Ad Network for its ads but argues that the low-quality ads result from less user tracking. POLITICO, however, dispels this as the same ads appear on new machines that never used Bing or Google when they conducted their experiment.

The post Google and Microsoft accused of feeding smaller search engines spam ads appeared first on Malwarebytes Labs.

Cybersecurity agencies in the US and UK have issued a joint cybersecurity advisory (CSA) on MuddyWater, a government-sponsored Iranian advanced persistent threat (APT) actor. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), and the National Security Agency (NSA), together with the UK’s National Cyber Security Centre (NCSC), have detailed operations by this APT against a range of governments and private organizations around the world.

MuddyWater, also known as Earth Vetala, MERCURY, Seedworm, Static Kitten, and TEMP.Zargos, has its eyes set on the telecommunications, defense, local government, and oil and natural gas sectors—among others—in Africa, Asia, Europe, and North America.

“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS),” the advisory briefs its readers. “This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.”

“MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions.”

The full advisory can be read in this CISA web page. It can also be downloaded as a PDF file.

The advisory lastly reminds readers to take mitigating steps to protect themselves from malicious MuddyWater campaigns. Ensure that software is patched, prioritizing applications and operating systems with known, exploitable vulnerabilities. Back it up with an effective antivirus solution, EDR and SIEM. Use multifactor authentication (MFA) wherever you can. Limit access to resources according to the principle of least privilege.

Lastly, ensure that emplyees are trained to be alert for suspicious emails or social media posts—they could be the start of a phishing attack.

The post CISA warns of cyberespionage by Iranian APT “MuddyWater” appeared first on Malwarebytes Labs.

The conflict between Ukraine and Russia goes a long way back, but it took a dramatic turn after the 2014 Ukrainian revolution. Since then, the war in the Donbas region has resulted in a number of casualties as well as a constant feeling of insecurity among the population.

In recent months, Russia increased its pressure on Ukraine by placing more and more troops along its Eastern border. At the same time, a number of destructive cyber attacks against government websites and other organizations took place.

On February 24, Russia invaded Ukraine and started a full military conflict across that nation. While the kinetic war is by far the most pressing issue, cyber threats against Ukraine and Western countries are increasing as well.

In this blog, we will review some of the threats that have primarily targeted Ukraine but could also spill over globally.

Constant APT attacks

The Russian APT group Gamaredon has been actively targeting Ukraine for a number of years. However in recent months the interest has reached a new level and this was observed in campaigns using a number of lures. We caught one such sample recently that displays a decoy PDF of 40 pages supposedly detailing Russian military training:

Наставление по физической подготовке в Вооруженных Силах Российской Федерации разработано для командиров (начальников) всех степеней, специалистов физической подготовки, содержит указания и требования по вопросам физической подготовки личного состава. 

The Manual on Physical Training in the Armed Forces of the Russian Federation is designed for commanders (chiefs) of all degrees, specialists in physical training, contains instructions and requirements for physical training of personnel.

The malicious archive not only contains a decoy, but also a VNC server that allows the attacker to gain access to the victim’s computer. The command and control server (licensecheckout[.]com) is hosted on 45.139.186[.]190 (Russia).

Destructive malware

In January, a new destructive malware dubbed WhisperGate was unleashed against Ukrainian targets. It was followed in February by HermeticWiper, a piece of malware that is meant to render a machine unusable by corrupting the MBR partition.

Our Threat Intelligence team is currently analyzing this threat and will publish a technical report.

Retaliation threats

The infamous Conti ransomware group announced on February 25 that it will retaliate against any cyber (or physical) attack against Russia.

The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.

This was followed by another clarification:

If there ever was any doubt that some of the world’s most damaging ransomware groups were aligned with the Kremlin, this sort of allegiance will put an end to it.

Since several countries have announced severe economic sanctions against Russia, we should expect retaliation via cyber means. Russia will perceive those sanctions as a direct attack against its economy, and they know how to respond in kind, not with sanctions but with cyber intrusions on critical infrastructure.

Uncertain times

Organizations have already faced the global ransomware threat for a number of years, and in many ways the same security recommendations continue to apply. What might be different is the intensity of attacks as well as the sheer determination from the adversary. For this reason, we would recommend following best practices outlined by CISA and your country’s CERT.

More than ever, individuals and organizations should be extremely vigilant to phishing attempts and preemptively hunt for possible threats within their environment. Remember to not only deploy but also properly configure your endpoint detection and response (EDR) solution.

At Malwarebytes, we are tracking those cyber threats and ensuring that our customers continue to be protected. According to AV-Comparatives, Malwarebytes Consumer and Enterprise versions were able to protect the system effectively against multiple variants of the Hermetic Wiper malware.

The post Cyber lures and threats in the context of the war in Ukraine appeared first on Malwarebytes Labs.

On Thursday night, Russia launched a military invasion of its neighbor and former Soviet Union member Ukraine, drawing a broad rebuke from international leaders, along with significant protest from the Russian public.

The toll of human life from this war is unknown, and, like the many international acts of aggression that have preceded it, future figures and statistics will not, alone, make sense of it. The threats and dangers posed by this conflict will be borne by the combatants and the people of Ukraine, and they are in our thoughts. Our collective priority must be people’s physical safety, but Russia’s assault could also produce a range of cybersecurity-related risks that organizations and people will need to protect themselves against, starting today.

Here are some of the ways in which Russia’s invasion of Ukraine may impact cybersecurity, and what organizations can do to stay safe in a continually evolving crisis.

The risk of increased stakes

In tandem with the physical strikes against Ukraine, a piece of wiper malware first detected by researchers at Symantec and ESET had already begun targeting organizations in Ukraine. Analyzed by SentinelOne, this wiper malware has been given the name HermeticWiper and it differentiates itself from typical malware in one, important way: Those responsible for it aren’t looking for any payment—they just want to do damage.

(AV-Comparatives quickly tested several known anti-malware and antivirus products against HermeticWiper and its variants and found that Malwarebytes, among others, detected the malware.)

Current analyses of HermeticWiper reveal that the malware is being delivered in highly-targeted attacks in Ukraine, Latvia, and Lithuania. Its operators seem to leverage vulnerabilities in external-facing servers while utilizing compromised account credentials to gain access and spread the malware further.

These tactics are nothing new, and familiar cybersecurity best practices around privileged access hold true. But here, the stakes have changed. Even in the worst-case-scenario of any ransomware attack, there’s at least a promise (which could admittedly be false) of a decryption key that can be purchased for a price. With a wiper malware, there is no such opportunity.

As described by Brian Krebs on his blog:

“Having your organization’s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with ‘wiper’ malware that simply overwrites or corrupts data on infected systems.”

The risk of collateral damage

Russia’s proclivity for cyber warfare is well recorded. In the past, the country has been credibly blamed or proven responsible for several cyberattacks against Ukraine and its surrounding neighbors, including DDoS attacks in Estonia in 2007, Georgia in 2008, and Kyrgyzstan in 2009. Russia is also believed to have been responsible for an email spam campaign against Georgia in 2008, and also for the delivery of the “Snake” malware against Ukraine’s government in 2014. And in 2015 and 2017, when Ukraine’s power grid suffered two separate shutdowns because of the malware variants BlackEnergy and Industroyer/CrashOverride, much of the evidence reportedly pointed back to Russia.

Though these attacks, like the current attacks involving HermeticWiper, were highly targeted, the idea of “tidy” cyber warfare is a farce.

In June 2017, Russia—as concluded by the CIA just months later—unleashed a cyberattack on Ukraine that spilled out into the world. The cyberattack involved a piece of malware reportedly developed by Russia’s military intelligence agency the GRU, called NotPetya. Though it presented itself as a common piece of ransomware, it actually worked more like a wiper, destroying the data of its victims, which included banks, energy firms, and government officials.

But the attack, which was reportedly carried out to harm Ukraine’s financial system, spread out, hitting networks in Denmark, India, and the United States.

It was at the time the most devastating cyberattack in history, costing the shipping company Maersk a reported $300 million, and the pharmaceutical giant Merck a reported $870 million.

Though it’s impossible to predict what type of collateral damage could occur, the US Cybersecurity and Infrastructure Security Agency has released a cybersecurity guide for all organizations in the US to follow during this turbulent time. You can read that guide, called Shields Up, here.

The risk of escalation

As Ukraine defends itself against Russian forces, world leaders are faced with a difficult decision. Should they deliver support to Ukraine in any material way, Russia may then retaliate against them with its own cyber-attacks, and these attacks are unlikely to be borne by world leaders. Instead, the “crossfire” between national cyber-fronts will likely inflict harm on everyday individuals and businesses.

Already, this decision has produced a wrinkle, as world leaders are not just defending themselves against Russia’s cyber-offensive regimes, but also against known ransomware gangs that have quickly sworn allegiance to Russia’s cause.

On February 25, the Conti ransomware group announced that it would retaliate against any known physical or cyberattacks against Russia. As we wrote on Malwarebytes Labs:

“Any doubt that some of the world’s most damaging ransomware groups were aligned with the Kremlin, this sort of allegiance will put an end to it.”

Despite a clarification about an hour later, which attempted to reframe the group’s “full support of Russian government” into “we do not ally with any government”, there can be no doubt about the threat the group poses.

Unfortunately, the risk of escalation seems likely, as countries ramp up economic sanctions against Russia, and as the US is walking a delicate balance about its own cyber initiatives. On February 24, multiple White House officials denied, as NBC News had earlier reported, that the Biden Administration was considering multiple “options” of cyber engagement “on a scale never before contemplated.”

According to White House Press Secretary Jen Psaki, who wrote on Twitter, NBC’s “report on cyber options being presented to @POTUS is off base and does not reflect what is actually being discussed in any shape or form.”

These denials, however, preceded a more recent statement made by President Joe Biden this week, in which he said that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond. For months, we’ve been working closely with the private sector to harden our cyber defenses [and] sharpen our response to Russian cyberattacks.”

The risk of misinformation

Already, countless videos have begun circulating online that either make unproven claims or make claims that have specifically been debunked. Earlier today, a video that purports to show a Ukrainian fighter pilot shooting down Russian air forces in the sky was proven to be fake—a product of a simulation game called Digital Combat Simulator.

Though that video was developed as an “homage” to the so-called “Ghost of Kyiv,” social media companies have been combatting a Kremlin-backed disinformation campaign taking place on Twitter, Facebook, YouTube, and TikTok.

According to recent reporting from Politico:

“Russia-backed media reports falsely claiming that the Ukrainian government is conducting genocide of civilians ran unchecked and unchallenged on Twitter and on Facebook. Videos from the Russian government — including speeches from Vladimir Putin — on YouTube received dollars from Western advertisers. Unverified TikTok videos of alleged real-time battles were instead historical footage, including doctored conflict-zone images and sounds.”

Users should digest any viral videos and news with caution, particularly during this conflict, as the primary aggressor has a proven history with information warfare. It is also worth remembering that during wartime even reporting from reputable sources may be based on innaccurate, incomplete or out-of-date information.

The risk of scams

In 2020, as infections of COVID-19 dramatically increased to the point of officially creating a global pandemic, online scammers pounced, sending bogus emails asking for donations to fake charities and registering thousands of COVID-19-related domains to trick unwitting victims into swiping their money or their account credentials.

With Russia’s invasion of Ukraine, the same strategy will likely happen, as online scammers constantly seek the latest crisis to leverage for an attack.

When asked on Twitter for advice on which organizations to donate to in order to help Ukraine, the user @RegGBlinker said that, after she’d read through a list of such organizations, she found many that raised suspicions.

The same Twitter user has already compiled a thread that links to multiple other Twitter users who have personally offered their cybersecurity help to small-to-medium-sized businesses (SMBs) affected by the attacks in Ukraine.

At the same time, several companies and organizations have begun offering their own support. F-Secure, for example, is offering its VPN tool for free to anyone in Ukraine, and The Tor Project has released a support channel for Russian-speaking users who want help in setting up Tor.

The full thread on support can be found here.

For any other donation offers that users think might be a scam, trust the same rules that apply to phishing emails—are there any misspellings, grammar mistakes, unknown senders, or unknown charities involved in the request? Check yourself before handing over any money.

The risk of focusing too heavily on Ukraine

While Ukraine is in crisis, several online threat actors have continued their own assault campaigns.

On February 24, multiple outlets reported that a ransomware gang that the cybersecurity firm Mandiant tracks as “UNC2596” was exploiting vulnerabilities in Microsoft Exchange to deliver its preferred ransomware, colloquially dubbed “Cuba.” On the same day, the US Cybersecurity and Infrastructure Security Agency (CISA) announced that it had spotted “malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.” Those attacks were targeting both government and private-sector organizations in Asia, Africa, Europe, and North America.

An international human crisis is in no way a cause for inaction from online threat actors. Organizations should follow the same guidance they have before in protecting themselves from the most common online threats.

As CISA Director Jen Easterly warned on Twitter:

“Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners.”

The post Potential cybersecurity impacts of Russia’s invasion of Ukraine appeared first on Malwarebytes Labs.

The bizarre promotional video promises “Face analysis based on best of breed Artificial Intelligence algorithms for Business Intelligence and Digital Signage applications.” What follows is footage of a woman pushing her hair behind her ears, a man grimacing and baring his teeth, and an actor in a pinstripe suit being slapped in the face against a green screen. Digitally overlayed on each person’s face are colored outlines of rectangles with supposed measurements displayed: “F 25 happiness,” “caucasian_latin,” “M 38 sadness.”

The commercial reel advertises just one of the many video analytics tools available for download on an app store monitored by the Internet of Things startup Azena, itself a project from the German kitchen appliance maker Bosch.

Bosch, known more for its line of refrigerators, ovens, and dishwashers, also develops and sells an entire suite of surveillance cameras. Those surveillance cameras have become increasingly “smart,” according to recent reporting from The Intercept, and to better equip those cameras with smart capabilities, Bosch has tried to emulate the same success of the smart phone—offering an app store through Azena where users can download and install new, developer-created tools onto Bosch camera hardware.

According to Bosch and Azena, the apps are safe, the platform is secure, and the entire project is innovative.

“I think we’re just at the beginning of our development of what we can use video cameras for,” said Azena CEO Hartmut Schaper, in speaking with The Intercept.

Facial recognition’s flaws

Many of the available apps on the Azena apps store claim to provide potentially useful analytics, like alerting users when fire or smoke are detected, monitoring when items are out of stock on shelves, or checking for unattended luggage at an airport. But others veer into the realm of pseudo-science, claiming to be able to scan video footage to detect signs of “violence and street fighting,” and, as The Intercept reported, offering up “ethnicity detection, gender recognition, face recognition, emotion analysis, and suspicious behavior detection.”

Such promises on video analysis have flooded the market for years, but their accuracy has always been suspect.

In 2015, the image recognition algorithm rolled out in Google Photos labeled Black people as gorillas. In 2018, the organization Big Brother Watch found that the facial recognition technology rolled out by the UK’s Metropolitan Police at the Notting Hill carnival registered a mismatch 98 percent of the time. And in the same year, American Civil Liberties Union scanned the face of every US Congress member against a database of alleged criminal mugshots using Amazon’s own facial recognition technology and found that the technology made 28 erroneous matches.

When it comes to analyzing video footage to produce more nuanced results, like emotional states or an unfounded calculation of “suspicion,” the results are equally bad.

According to a recent report from the organization Article 19, which seeks to maintain a global freedom to expression, “emotion recognition technology is often pseudoscientific and carries enormous potential for harm.”

One need look no further than the promotional video described earlier. In the span of less than one second, the actor being slapped in the face goes from being measured as “east_asian” and “M 33 sadness” to “caucasion_latin” and “M 37 sadnesss.”

Of equal concern for the apps are the security standards put into place by Azena on its app store.

Security and quality concerns

According to documentation viewed by The Intercept, Azena reviews incoming, potential apps for their “data consistency” and the company also “performs ‘a virus check’ before publishing to its app store. ‘However,’ reads the documentation, ‘we do not perform a quality check or benchmark your app.’”

That process is a little different from the Apple App Store and the Google Play Store.

“When it comes to Apple, there’s definitely more than just a virus scan,” said Thomas Reed, director of Mac and Mobile at Malwarebytes. “From what I understand, there’s a multi-step process designed to flag both App Store rule violations and malicious apps.”

That doesn’t mean that junk apps don’t end up on the Apple App Store, Reed said—it just means that there’s a known, public process about what types of apps are and are not allowed. And that same premise is true for the Google Play Store, as Google tries to ensure that submitted apps do not break an expansive set of policies meant to protect users from being scammed out of money, for example, or from invasive monitoring. In 2020, for instance, Google implemented stricter controls against stalkerware-type applications.

According to The Intercept’s reporting on Azena though, the company’s review process relies heavily on the compliance of its developers. The Intercept wrote:

“Bosch and Azena maintain that their auditing procedures are enough to weed out problematic use of their cameras. In response to emailed questions, spokespeople from both companies explained that developers working on their platform commit to abiding by ethical business standards laid out by the United Nations, and that the companies believe this contractual obligation is enough to rein in any malicious use.

At the same time, the Azena spokesperson acknowledged that the company doesn’t have the ability to check how their cameras are used and doesn’t verify whether applications sold on their store are legal or in compliance with developer and user agreements.”

The Intercept also reported that the operating system used on modern Bosch surveillance cameras could potentially be out of date. The operating system is a “modified version of Android,” The Intercept reported, which feasibly means that Bosch’s cameras could receive some of the same updates that Android receives. But when The Intercept asked a cybersecurity researcher to take a look at the updates that Azena has publicized, that researcher said the updates only accounted for vulnerabilities patched as late as 2019.

In speaking with The Intercept, Azena’s Schaper denied that his company is failing to install necessary security updates, and he explained that some of the vulnerabilities in the broader Android ecosystem may not apply to the cameras’ operating system because of features that do not carry from one device to another, like Bluetooth connectivity.

A bigger issue

Malwarebytes Labs has written repeatedly about invasive surveillance—from intimate partner abuse to targeted government spying—but the mundane work of security camera analysis often gets overlooked.

It shouldn’t.

With the development of the Azena app platform and its many applications, an entire class of Internet of Things devices—surveillance cameras—has become a testing ground for video analysis tools that have little evidence to support their claims. Emotional recognition tools are nascent and largely un-scientific. “Ethnicity recognition” seems to forever be stuck in the past, plagued by earlier examples of when a video game console couldn’t recognize dark-skinned players and when a soap dispenser famously failed to work for a Facebook employee in Nigeria. And “suspicious behavior” detection relies on someone, somewhere, determining what “suspicious” is, without having to answer why they feel that way.

Above all else, the very premise of facial recognition itself has failed to prove effective, with multiple, recent experiments showing embarrassing failure rates.

This is not innovation. It’s experimentation without foresight.

The post “Ethnicity recognition” tool listed on surveillance camera app store built by fridge-maker’s video analytics startup appeared first on Malwarebytes Labs.

Files encrypted by ransomware can’t be recovered without obtaining the decryption key, if the encryption has been done properly. But that doesn’t seem to be the case for Hive ransomware. Researchers from the Kookmin University in Korea have published a method for decrypting the data scrambled by Hive.

Under normal circumstances, victims have to pay a ransom to get the private key that enables them to decrypt their encrypted files. But the researchers managed to exploit a flaw in the encryption routine which allowed them to recover the master key, making it possible to decrypt all the files of a victim that were encrypted in the same session.

Hive ransomware

Hive ransomware has been around since June 2021 and is a typical targeted ransomware-as-a-service (RaaS) which uses the threat to publish exfiltrated data as extra leverage to get the victims to pay. The ransomware group is known to work with affiliates that use various methods to compromise company networks.

In August 2021, the FBI published a warning about Hive ransomware sharing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation advice.

The flaw

The cryptographic vulnerability identified by the researchers lies in the mechanism by which the master keys are generated and stored. A master key is generated as one of the first steps in the encryption process. This master key is then used to generate a keystream for the data encryption process.

The ransomware only encrypts select portions of the file instead of all content using two keystreams derived from the master key.  Those two keystreams from the master key are generated using two random offsets from the master key and are combined and XORed to create the encryption keystream. When the file is encrypted, pointers to the keystreams in the master key are stored in the filename.

Since the keystreams get partially reused for every encrypted file, the researchers figured out that with enough data they could “guess” the keystreams. But to successfully decrypt the files they also needed:

• Some of the original files corresponding to encrypted files; or
• Several encrypted files with known signatures, such as .pdf, .xlsx, or .hwp.

If the researchers had either of those, the keystreams could be collected and the master key recovery initiated. Finding corresponding unencrypted files is easier than you would think, because unlike other ransomware, Hive encrypts the Program files, Program files (x86), and ProgramData directories, which commonly store software files that are not related to the operating system, but instead other software. These software packages and installation files could easily be obtained on the Internet.

Decryption success rate

By running some experiments, the researchers made an estimate about the accuracy with which they could reconstruct the master key and how many encrypted files could be recovered with such a partially known master key.

When 92% of the master key was recovered, the researchers succeeded in successfully decrypting approximately 72% of the files. When 96% of the master key was restored, the researchers successfully decrypted around 82% of the files, and when 98% of the master key was restored, approximately 98% of the files were successfully decrypted.

Using the method proposed by the researchers, usually more than 95% of the master key used for generating the encryption keystream was recovered, and a majority of the encrypted files could be recovered by using the recovered master key.

How does this help victims?

The researchers said:

“The decryption method is feasible without access to the attacker’s information, using just encrypted files. We obtained the master key by solving numerous equations for XOR operations acquired from the encrypted files. We expect that our method will be helpful for individuals and enterprises damaged by the Hive ransomware.”

This research may seem very theoretical for now, but you can rest assured that other researchers are figuring out ways to use the theoretical work done by these researchers and turn it into a working decryptor that victims of the Hive ransomware can use to get their files back.

Often, you can find working decryptors posted on the NoMoreRansom website. This is a project where law enforcement and IT security companies have joined forces to disrupt cybercriminal businesses with ransomware connections.

We will keep you updated if a working decryptor is created based on this research.

The post Hive ransomware: Researchers figure out a method to decrypt files appeared first on Malwarebytes Labs.