IT NEWS

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.

IIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.

IIS

IIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.

Exchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.

IIS modules

The IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.

Malicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.

IIS backdoors

IIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.

ProxyLogon and ProxyShell

Some of the methods used to drop malicious IIS extensions are known as ProxyLogon and ProxyShell. ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

The ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

Malicious behavior

On its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What’s interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user’s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.

Credential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.

Given the rising energy prizes and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn’t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an IIS 6.0 vulnerability to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.

Mitigation, detection, and remediation

There are several thing you can do to minimize the risk and consequences of a malicious IIS extension:

• Keep your server software up to date to minimize the risk of infection.
• Use security software that also covers your servers.
• Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite.
• Deploy a backup strategy that creates regular backups that are easy to deploy when needed.
• Review permission and access policies, combined with credential hygiene.
• Prioritize alerts that show patterns of server compromise. It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.

Stay safe, everyone!

The post IIS extensions are on the rise as backdoors to servers appeared first on Malwarebytes Labs.

Fighting against ransomware can be difficult—especially if your organization has limited IT resources to begin with. But Adam Kujawa, security evangelist and director of Malwarebytes Labs, has a few tips for overburdened IT folks looking to simplify their fight against ransomware. 

In this post, we’ll break down Kujawa’s observations about ransomware and three tips on how businesses can have an easier time in preventing, detecting, and remediating ransomware.

The importance of “knowing thy enemy”

Most ransomware attacks are not sophisticated, state-sponsored cyber operations, Kujawa says. Instead, there’s a team of seven or eight people sitting behind computers, trying to break into your network. 

In other words, ransomware attackers are not usually using any advanced technology or tactics: a lot of times it’s simply an attack of opportunity. For example, your network might have had a vulnerability. Someone might have clicked on the wrong link. You might have misconfigured some port and there’s a brute-forcing campaign going on. 

“So rather than thinking of ransomware actors as these highly sophisticated super hackers, think of them as common thugs. They expect you to be unprepared for their attack, which they believe will lead to a payoff for them,” says Kujawa.

The key takeaway here is this: Even smaller businesses with fewer IT resources can easily prevent or stop ransomware attacks with the right amount of planning. You don’t need a dedicated SOC or crazy enterprise-grade cybersecurity to deal with “attacks of opportunity.”

3 tips to simplify the fight against ransomware

1. Choose an effective and easy-to-use Endpoint Detection and Response (EDR) software 

When it comes to ransomware, resource-constrained organizations with small-to-non-existent security teams are in greater need of EDR—but many EDR products are designed for large enterprises with large and highly-skilled security teams.

If we want to simplify the fight against ransomware, our EDR should not only be effective but simple and easy-to-use as well. 

On the effectiveness front, Kujawa says that there are four main things to look at when trying to determine an EDR platform to deploy to combat ransomware:

• Being able to quickly identify and isolate systems that are infected with ransomware.
• Detecting ransomware-like behavior and being able to automatically kill and remove the threat from the system.
• A solution that provides options for file recovery (in case something does get encrypted)
• Finally, these features are valuable for detecting and thwarting all malware, not just ransomware:
  • Exploit prevention
  • Behavioral detection of never-before-seen malware
  • Malicious website blocking
  • Brute force protection

On the ease-of-use front, Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes, also has four suggestions when choosing an EDR platform:

• Ask about the time required to set up the management console and whether it’s cloud-based.
• Get proof of the time required to deploy the endpoint agent across a given number of endpoints. 
• Have a “single pane of glass” and an intuitive UI that gives you visibility into all activity across your entire organization.
• Easy, non-vendor-specific language describing the detected suspicious activity (MITRE ATT&CK)

2. Build out a comprehensive recovery plan

The simplicity in building out a comprehensive ransomware recovery plan isn’t in the development of the plan, but rather the plan itself makes things easier when an attack does occur.  

“A huge issue for many organizations, when hit with ransomware, is scrambling to figure out how to stop it or reduce the damage done by the threat,” Kujawa says. “A recovery plan provides detailed guidance on who to call, system data classifications, procedures for preserving evidence, who your incident response or law enforcement contacts are, etc.”

An idea on how to make the creation of this simpler, is to provide a list of questions that stakeholders should answer when producing this plan. Then, as a group, answer some of these questions: 

• What do you want your company and your employees to do right after the ransomware attack is discovered?
• What is the company’s policy on dealing with attackers? Is it going to try to pay the ransom, or is it just going to ignore the attackers? 
• How do you restore from backups, and what backups are most important to restore from first? 
• What data is most vulnerable, and how can you protect that data?
• What systems need to be recovered first? 
• How does the business continue to run if the systems are down? 
• Do you have resources that can help you, such as law enforcement agencies or a cyber insurance firm? 

But who makes up this team that creates the recovery plan? 

“Start with your CISO, COO and all department heads, as well as any security staff you have,” Kujawa says. “When you have all those people together, they can get a clear picture of the readiness of departments in recovering from an attack, what data is most valuable to them and what it would take to disable or continue operations if an attack occurred.”

3. Avoid common mistakes in prevention, detection and response

Often, a customer who gets hit with ransomware has security software but they either have it disabled or it’s outdated or limited in its ability, thanks to poor configuration, Kujawa says.

Because of the inconvenience, or maybe because it’s not compatible with the businesses operations, some aspect of the security gets disabled and that leads to an infection.

“A lot of organizations don’t run regular penetration tests or security audits, and not everyone has the funds to hire a pen testing firm. I get that,” Kujawa says. “But you can make sure that all your outward-facing services are up to date and that every possible entry into the network–like RDP or SMB–has solid authentication requirements. We often see people just leaving those ports wide open.”

Another common mistake Kujawa has noticed is not running regular scans to look out for threats such as backdoors, even if you don’t see anything suspicious.

“Many organizations are not aware that a backdoor infection that occurred months ago can and likely will be used to install additional malware at some point,” he says. “A backdoor could sit there for six months without you knowing about it. It may not do anything until it launches the ransomware.”

Don’t make fighting ransomware harder than it needs to be 

Ransomware is a clear and present danger to organizations of all sizes–but fighting it doesn’t need to be complicated. Reducing ransomware can be as simple as leveraging an easy-to-use EDR, having a well-thought out recovery plan, and avoiding a few common mistakes. Even small-and-medium sized businesses with limited IT resources can simplify the fight against ransomware with these tips. 

See how Malwarebytes EDR can simply (and effectively) stop ransomware in our demo blog post!

Want to learn more about how to protect your business against ransomware? Check out our free Ransomware Emergency Kit.

The post Simplifying the fight against ransomware: An expert explains appeared first on Malwarebytes Labs.

It wasn’t so long ago that we were wondering what improvements Windows 11 would make in the security stakes. Well, we haven’t had to wait too long to find out.

Windows 11 build 22528.1000 and up will tackle one of the more common entry points for network intruders. Namely, trying to prevent the brute forcing of Remote Desktop Protocol (RDP) by adding a default RDP lockout policy:

Being able to access a computer remotely is a proverbial killer app for business. Unfortunately, this comes with several dangers if not configured correctly. Microsoft’s latest changes are designed to address these threats head on.

RDP: a hot target for network intrusion

RDP attacks are a prime tool for ransomware operators. Brute forcing a way into vulnerable machines is often the first step to total network compromise and data exfiltration. Microsoft’s own research in this realm is particularly illuminating with regard to giving a flavour of scale:

We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, we discovered that, on average, several hundred machines per day had high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

The research goes on to say:

Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days.

To summarise: RDP attacks are not uncommon, and it’s important to be able to tell the difference between genuine failed sign-ins and actual brute forcing. In situations where brute forcing is taking place with few to zero security precautions for an organisation’s RDP setup, this can be fatal in giving attackers one foot in the door.

Microsoft battens down the hatches

Our own research shows how rate limiting the number of password attempts can hinder attackers enough that they leave empty-handed:

In our test, attackers were shut out for five minutes if they entered five incorrect passwords within the space of five minutes. Our attackers were persistent over several days and received, on average, about 150 bans per day.

To trigger 150 bans per day, our attackers must have made 750 incorrect guesses and incurred 750 minutes of bans, leaving them 690 minutes of the day in which to guess passwords. 750 guesses in 690 minutes gives us a guessing rate of about one password every 55 seconds, or about 1,500 guesses per day.

At that guessing rate, rate limiting reduced the number of daily password attempts from 1500 to 750, halving the effectiveness of the attack and doubling the time a security team would have to react.

What Microsoft is doing is setting the lockout to 10 failed attempts in 10 minutes. Some consideration has been given to the fact that not everyone is going to be running Windows 11, and older versions exist that could do with some lockout love. Ask and you shall receive, because these changes are also being applied to older versions of Windows:

Microsoft recently reversed a decision to undo the blocking of VBA Macros after uproar among Office users. Hopefully the people making security decisions will continue to clamp down on potential weak spots and easy routes to success for network intruders and malware authors. RDP is the opening salvo of choice for many intrusion attempts, and making these lockouts the default can only be a good thing.

The post Microsoft clamps down on RDP brute-force attacks in Windows 11 appeared first on Malwarebytes Labs.

Cybersecurity hardware company, SonicWall, recently released a public security notice about a critical SQL injection flaw affecting its GMS (Global Management System) and Analytics On-Prem products.

The flaw, which is tracked as CVE-2022-22280, is given a 9.4 critical rating. With the high capability of damage, this vulnerability has low attack complexity, meaning that anyone with little know-how of SQL injection can pull this off. CVE-2022-22280 can be exploited from the network without user interaction nor does it require any authentication.

“SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a proof of concept (PoC) have been made public, and malicious use of this vulnerability has not been reported to SonicWall,” said SonicWall in the security notice.

SonicWall PSIRT strongly suggests that organizations using the Analytics On-Prem version outlined below should upgrade to the respective patched version immediately.

~ SonicWall advisory

Clients using Analytics 2.5.0.3-2520 or earlier and/or GMS 9.3.1-SP2-Hotfix1 or earlier are advised to update to their patched versions, Analytics 2.5.0.3-2520-Hotfix1 and GMS 9.3.1-SP2-Hotfix-2, respectively.

While there are no workarounds for this vulnerability in both affected products, SonicWall advises clients to incorporate a Web Application Firewall (WAF) to protect their web applications from common exploits and vulnerabilities, including SQL injections.

An SQL injection (SQLi) is a well-known, old-school injection attack that has been around for more than 15 years. Threat actors normally use this attack to expose the security gaps in websites. An SQL injection can be done via the use of automated tools, such as Havij, or by manually inserting specific SQL codes in forms or text boxes, such as on a website’s search box.

SQLi has remained the number threat to websites for years, according to records from the Open Web Application Security Project (OWASP). This non-profit organization regularly puts out a list of top 10 threats against websites. Although broken access failure dethroned injection threats in 2021, the latter remains in the top 3.

The post SonicWall urges customers to patch critical SQL injection bug ASAP appeared first on Malwarebytes Labs.

It’s no secret that ransomware is one of the most pressing cyber threats of our day. What worse, ransomware gangs have increased their attacks on a range of vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion. 

With Malwarebytes Endpoint Detection and Response, however, you can fight—and defeat—advanced ransomware that other security solutions miss. 

In this post, we’ll walk through what it looks like to deal with a ransomware attack using Malwarebytes EDR.

• Part 1: Your data has been encrypted!
• Part 2: Pinpointing the ransomware
• Part 3: Isolating the endpoint infected with ransomware
• Part 4: Remediating the ransomware
• Accelerate and simplify your ransomware defense with Malwarebytes EDR
  

Part 1: Your data has been encrypted!

Prior to this demo, we ran a ransomware sample on the virtual machine (VM) that we’ll be demonstrating from. Below, you’ll see that the VM is currently in an infected state.

As you can see, our files have in fact been encrypted by the ransomware across multiple directories with the “.encrypt” extension.

Let’s start a ping to Google’s DNS server. The reason that we’re going to do this is to help demonstrate some of the functionality that Malwarebytes has later. 

Just keep in mind that right now we can effectively communicate out to the internet. But we’ll come back to that later.

Part 2: Pinpointing the ransomware

Now, let’s switch to our Nebula console. Below, you’ll see the dashboard for Malwarebytes Nebula, our cloud-hosted security operations platform that allows you to manage control of any malware or ransomware incident. 

Click into the Suspicious Activity section of the console.

Right at the top, we can see that activity, a process that ran today at 9:31am.

Let’s click on this executable and start diving into how an IT admin or security analyst could use Malwarebytes to help respond to a ransomware situation, as well as effectively contain it.

Up at the top here, we have categorization of rules to help a maybe newer or less savvy security expert understand what’s going on with this process.

At the bottom, we have a detailed process timeline as well.

Let’s expand here by clicking Show rules. 

What we see here is the actual categorization of behaviors that Malwarebytes witnessed in this process. Each of these little bubbles has been color coded to help you understand the severity of this issue. 

We follow a pretty simple mechanism: Red is high severity, orange is medium severity, yellow is low severity. All of these behaviors are things that Malwarebytes actually witnessed this process doing on our endpoint. 

As you can see, there’s a lot of questionable behavior here. Things like disabling Windows Firewall, turning off the control panel, turning off the desktop activity; lots of things that would be concerning to a security expert.

Now, for someone who is not as familiar with some of these behaviors, or maybe there’s a technique that you’re not aware of, you can hover over them for more details. 

So for example, if we hover over the disable Windows Firewall behavior that we saw, on the left, you’ll see that we’ve been partnering with the MITRE foundation and using its attack framework to give you context and a common set of terms that you can use to identify and understand these tactics.

On the right, we see the command line context for this process in our organization.

We can see the exact time that it ran and the file hashes, so if we needed to do further investigation, we have those available. And most importantly, we’ve highlighted below the command line actually used to execute this technique on our machine. 

So again, in the context of disabling the firewall, this might be something we do in testing or as part of our troubleshooting process.

We can use this context to help understand if this is something that we have done intentionally – or if it’s possibly something that an attacker is doing to compromise our environment.

Let’s navigate now down to the bottom half, where we can see the actual specific details of this process.

Clicking into any of these nodes, we get a lot of rich context information about what this process did. 

As a security analyst or an IT admin, the first question you typically ask when an incident occurs is: What happened? Do we know if it’s malicious? What is the actual extent of the potential damages? And so on.

So here, we can navigate through to see everything that’s happened on this machine. 

For example, if we click on File Write, we can see every artifact or file left behind by this process.

Similarly, we can click on Reg values to see what registry changes were made on that system. 

Part 3: Isolating the endpoint infected with ransomware

Now, as we’re continuing our investigation, we’re looking at this and deciding it looks pretty suspicious – it’s probably unwanted or a potentially damaging activity. So as a safeguard, we’re going to use the first response mechanism in Malwarebytes, which is our isolation capability.

From the Actions menu, let’s choose to isolate this machine with Isolate Endpoint.

We have three layers of isolation that we can provide: network isolation, process isolation, and desktop isolation. 

The network and process isolations are intended to give us the ability to quarantine that machine and prevent it from doing anything that is not authorized by Malwarebytes. 

What this means is, we can still use our Malwarebytes console to trigger scans to perform other tasks and to review data, but the machine otherwise can’t communicate or run anything else. 

For this demonstration, we’re just going to use network isolation so that we can simulate preventing this machine from spreading an infection laterally in the environment.

Notice as we send that isolation command, the ping to Google immediately begins to fail – showing that that machine can no longer communicate to the internet. 

Now that we’ve isolated this device, let’s continue our investigation further. 

Part 4: Remediating the ransomware

Below, we see a process here with a large amount of file activity, namely file renames. 

Let’s click into this. This is where Malwarebytes witnessed the ransomware attack actually occurring—so we see those files changing to not their normal versions, but to the .encrypted versions of the same file. 

What makes Malwarebytes unique in our EDR capabilities is when we see behavior like this (something that could compromise your files due to encryption or deletion or other types of malicious activity) we’ve actually created backups of all of the files that were targeted by this process stored locally on this machine. 

Now that we’ve identified that this is unwanted and malicious behavior, what we’re going to do is initiate a rollback action. 

Effectively, we’re telling Malwarebytes that we did not want this activity: this is something that happened on our machine that we never authorized and that we did not want. So when we go to Actions, and then Remediate, this will send a customized script to this endpoint and it will look at all of the behavior we witnessed in this process graph here.

This will create a customized remediation plan for this machine, where it will iterate backwards through the behavior, resolving any potential issues that might have arisen. 

One of the things that it’s going to do in this process is look for those backup versions of the files we created and restore those to the end user.

We can see on the right that our virtual machine received the command and it needs to restart to finish the process. Let’s restart it now so that we can see it carry out the backup!

After the machine reboots, we can open these folders and actually see that all of our files have been returned to their original version. 

Accelerate and simplify your ransomware defense with Malwarebytes EDR

In this post, we seamlessly looked at the activity that ransomware exhibited, found a recovery plan for it, then implemented that plan. 

In short, this is not a tool where you’re going to have to devise a customer mediation plan, where you’re going to have to iterate through hundreds of IOCs or complex readouts with an EDR solution to build a manual recovery solution – you simply need to tell Malwarebytes to resolve the issue. 

When it comes to ransomware mitigation, we’ll take the wheel from you – freeing up a lot of time in your day as an admin or an analyst. Read about how a leading automotive manufacturer and distributor used Malwarebytes EDR to simplify their ransomware remediation.

Looking for more demos of Malwarebytes EDR? Watch the webinar!

Read our eBook on ransomware best practices to detect and block ransomware attacks before they happen.

The post Demo: Your data has been encrypted! Stopping ransomware attacks with Malwarebytes EDR appeared first on Malwarebytes Labs.

The latest Google Chrome update includes 11 security fixes, some of which could be exploited by an attacker to take control of an affected system. Google Chrome’s Stable channel has been updated to 103.0.5060.134 for Windows, Mac, and Linux, and the new version will roll out over the coming days/weeks.

Vulnerabilities

Of the 11 security fixes five are use-after-free issues, including four that are marked with a severity of “high.” Use after free (UAF) vulnerabilities occur because of the incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The four high-severity use-after-free vulnerabilities resolved with the latest Chrome update are tracked as follows:

CVE-2022-2477 is a use-after-free vulnerability in Guest View that could allow arbitrary code execution following interaction by the victim.

CVE-2022-2478 is a use-after-free vulnerability in Chrome’s PDF handling code. Not many details are available but the attacker needs the victim to engage in some kind of user interaction to exploit this vulnerability.

CVE-2022-2479 is caused by insufficient validation of untrusted input in File. No further details were given but successful exploitation requires user interaction by the victim.

CVE-2022-2480 is a use-after-free vulnerability in Chrome’s Service Worker API. (Service workers are specialized JavaScript assets that act as proxies between web browsers and web servers.)

CVE-2022-2481 is a use-after-free vulnerability in Views. The Chrome user interface is constructed of a tree of components called Views. These Views are responsible for rendering, layout, and event handling.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Android users will also find an update waiting.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

After the update the version should be 103.0.5060.134 or later.

Stay safe, everyone!

The post Update Google Chrome now! New version includes 11 important security patches appeared first on Malwarebytes Labs.

Researchers at Intezer have published a technical analysis of Lightning Framework, a previously undocumented and undetected Linux threat. Lightning is a modular framework that is very versatile and something we don’t see very often in the Linux space.

The old argument that Linux systems (or Macs for that matter) don’t get malware has never been true. Linux servers often play a key role in corporate networks, and are also very popular in cloud-based systems, making them attractive targets for criminals.

The Lightening Framework

The Lightning Framework has a modular structure, consisting of a downloader (Lightning.Downloader) and a core module (Lightning.Core), with a number of plugins.

A modular architecture can make adding new capabilities or improvements easier, since an update to a plugin should not affect the core or any other plugins. It is also potentially useful to malware authors because if detection is based on one of the plugins then replacing the plugin that triggered the detection may allow the malware to go under the radar for a bit longer.

While some of the modules are known tools, it is rare to see such a complex and versatile framework target Linux systems.

How Lightening hides

The main function of the downloader module is to fetch the other components and execute the core module. The framework makes heavy use of typo-squatting and masquerading in order to remain undetected. Intezer reports that the downloader module is located in the working directory /usr/lib64/seahorses/ so anyone performing a quick inspection might think the directory belongs to the password and key manager software seahorse.

One of the tasks of the core module is to set up persistence. It does this by creating a script that gets executed upon system boot. The boot execution is achieved by first creating a file located at /etc/rc.d/init.d/elastisearch, an obvious attempt to typosquat elasticsearch.

The malware uses a timestomping technique to change the timestamp of the script so that it matches the timestamp of one of a few core Linux files. So that, without closer inspection an investigator might think it was created when the system was initially set up.

The framework also uses a rootkit to hide its Process ID (PID) and any related network ports. The rootkit can scrub any reference to files running in the framework.

Communication

Network communication in the core and downloader modules is performed over TCP sockets. The C2 server is stored in an encoded configuration file that is unique for every single creation.

The Linux.Plugin.Lightning.Sshd plugin is an OpenSSH daemon that includes hardcoded private and host keys, allowing the attacker to SSH into the machine with their own SSH key, creating a secondary backdoor.

For a deeper analysis of the malware and its plugins, and a list of IOCs, check out the full write up by Intezer.

The post Lightning Framework, modular Linux malware appeared first on Malwarebytes Labs.

Criminal hackers have been able to steal at least 50,000 credit cards from 300 restaurants in the US, after launching two Magecart campaigns that target the MenuDrive, Harbortouch, and InTouchPOS online payment platforms:

Magecart is a web-skimmer—malware that is injected onto a vulnerable website so it can steal credit card information as it’s entered into the site’s checkout. Because it does not interupt card payments, it just quietly siphons off users’ card details, it can be very difficult for both its victims and their users to spot.

Recorded Future’s Insikt Group recently identified two Magecart campaigns targeting the aforementioned online payment platforms. Stolen details were offered for sale in various underground marketplaces on the dark web.

“Online ordering platforms are a very attractive target since they deal with many vendors downstream, which also means a high number of customers are going to be entering payment data that could be skimmed,” said Jerome Segura, Senior Director of Malwarebytes’ Threat Intelligence Team, and an expert in web skimmers.

Although MenuDrive, Harbortouch, and InTouchPOS are not as popular as Uber Eats, Hungrrr, or DoorDash, many small, local restaurants across the US outsource their online ordering process to them as it’s cost-effective.

The Insikt Group discovered the first Magecart campaign on January 18 this year, affecting 80 restaurants via MenuDrive and 74 restaurants via Harbortouch. On both platforms, the skimmer was injected into the restaurant’s web pages, including the subdomain on the online payment service’s platform.

Skimmers deployed two scripts to MenuDrive, one built for stealing payment card details, the other made for stealing user details like the card holder’s name, email address, and phone number. On Harbortouch, however, only a single script is used to steal all personally identifiable information (PII) and card details.

The campaign against InTouchPOS started earlier than the other two—around November last year—but most skimmer injections didn’t happen until January 2022.

Instead of stealing data as it was entered into the site, the InTouchPOS skimmers overlaid the site with a fake payment form for users who are ready to checkout.

“Attackers routinely probe networks using automated tools or a more manual approach, especially if the target is deemed highly valuable,” Segura said. “Compromising a third-party site breaks the chain of trust already established between a provider and a merchant but on a scale of ‘one to many’.”

The post Malware spent months hoovering up credit card details from 300 US restaurants appeared first on Malwarebytes Labs.

Bad news for players of long-time virtual pet management title Neopets. Word is spreading of a compromise claimed to have accessed around 69 million user accounts. This compromise, posted to a hacking forum, is said to include both the database and around 460 MB of compressed source code from Neopets.com.

Data claimed to have been taken includes:

• Usernames
• Names
• Email address
• Date of birth
• Zip code
• Date of Birth
• Gender
• Country
• Registration email

Considering the young age of many Neopets players, this would be quite bad from a privacy and safety standpoint, if the breach turns out to be genuine. This wouldn’t be the first time Neopets has experienced a breach situation either. Back in 2014, “tens of millions” of Neopets accounts were said to have been traded on underground forums. The data in question had apparently been compromised prior to the current owners, Jumpstart, acquiring Neopets.

In 2020, there were claims of ways to potentially gain access to user accounts. Neopets also addressed this. Unfortunately, the current owners may now have a whole new incident to deal with.

Is this a genuine compromise?

There is currently no explanation of how the individual claiming to have done this managed to achieve their database swipe. BleepingComputer, who first reported this, has not been able to find independent verification of the breach. References to confirmation from the Neopets team on Discord actually came from volunteer moderators.

Nevertheless, there is some official recognition of something having happened behind the scenes. For example, the official Neopets twitter admits it “recently became aware that customer data may have been stolen” and has engaged the services of a forensics firm:

The main thing to note for now is that Neopets has acknowledged something has happened, and is looking into it. In the meantime: what can you do as a Neopets user, or as someone with a child in the house who plays it?

Tips to keep your Neopets account safe

1. Change your password, as Neopets suggests. Don’t use something you’ve used previously on the Neopets site, or on any other site. This may be time to start looking at a password manager, for added safety. No need to use easily guessed passwords if you can store complex logins inside a management tool instead!
2. Don’t tell anybody your password, whether they’re other Neopets users, or people on random forums or Discord servers. You won’t receive any free gifts or special in-game items for doing so; you’re just risking losing your account.
3. Be wary of Neomails phishing attacks, sent your way via the Neopet site’s private message system. The only official communication you’ll receive via Neomail would be from “theneopetsteam”, in the form of warnings.
4. Watch out for email phishing attempts via the mail you have registered to the site. If this data is truly out there, phishers will almost certainly try their luck. Gaming accounts of any kind are always juicy targets for scammers.

At this point, we’d typically suggest also making use of two-factor authentication to keep your login more secure. Unfortunately, Neopets doesn’t currently offer a way to do this. As a result, it’s even more important that you try and keep your Neopets logins safe with a strong password.

The post Lock down your Neopets account: Data breach being investigated appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Extortionists target restaurants, demand money to take down bad reviews
• The FTC will go after companies misusing location, health, and other sensitive data
• Roblox breached: Internal documents posted online by unknown attackers
• Warning for WordPress admins: Uninstall the Modern WPBakery plugin immediately!
• PayPal phishing campaign goes after more than just your login credentials
• Fraudulent cryptocurrency investment apps are duping investors
• Ring shares data with police without consent (but it’s in good faith), says Amazon
• Facebook gets round tracking privacy measure by encrypting links
• Another ransomware payment recovered by the Justice Department
• Google ads lead to major malvertising campaign
• Vulnerabilities in GPS tracker could have “life-threatening” implications
• The winding road to compliance
• The Wren Eleanor story: Why you should keep your kids’ images off social media

Stay safe!

The post A week in security (July 18 – July 24) appeared first on Malwarebytes Labs.