IT NEWS

Tor’s (security) role in the future of the Internet, with Alec Muffett

Tor has a storied reputation in the world of online privacy. The open-source project lets people browse the Internet more anonymously by routing their traffic across different nodes before making a final connection between their device and a desired website. It’s something we’ve discussed previously on Lock and Code, and something that, sometimes, gets a bad reputation because of its relationship to the “dark web.”

But for all the valid discussion about online anonymity, encryption, and privacy, Tor has an entirely different value proposition for people who build and maintain websites, and that is one of security. As explained by our guest Alec Muffett on today’s episode of Lock and Code, hosted by David Ruiz, utilizing Tor can provide organizations with an entirely separate networking stack. And this isn’t just a boon for networking diversity, but also security, Muffett explains.

Under our current system that relies on TCP/IP and HTTP (and increasingly HTTPS), whenever a user types a URL into an address bar in their web browser, multiple security risks are present. A user’s traffic can be intercepted, redirected to another server, routed through another country and surveilled, and, as Muffett explained, for website operators, their DNS servers can be tampered with.

“There are so many security risks up the stack,” Muffett said. “Whereas with onion networking, with Tor networking, the thing that you type into the web browser bar is the cryptographic key of the website that you want to talk to.”

Muffett continued:

“It’s from you to them, end-to-end secure.”

Today, on the Lock and Code podcast, we speak with Muffett about the security benefits of onion networking, why an organization would want to launch an onion site for its service, and whether every site in the future should utilize Tor.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes, resources, and credits:

Why and How you should start using Onion Networking

How WhatsApp uses metadata analysis for spam and abuse fighting

Alec Muffett’s blog and about page

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

The post Tor’s (security) role in the future of the Internet, with Alec Muffett appeared first on Malwarebytes Labs.

Internet Safety Month: Parental controls—what they can and can’t do for you

Parental controls can be useful to limit the risks your children run into online, but you should know up front that they cannot eliminate every risk out there.

Parents and adults everywhere are understandably having a hard time keeping up with the favored social networks of children and adolescents, and that’s because the more “grown-ups” who sign up for these platforms, the less attractive they become for kids. So, even though you may be fully versed in Facebook, tough luck, because your children may have moved on without you knowing about it. Also, never underestimate the online skills of young ones—they almost certainly know a lot more about all things “cyber” than you did at that age.

Feeling the loss of control of your children’s digital lives can be hard to accept, which is why so many parents turn to parental controls to better understand what their kids are doing and how they can keep them safe.

Here’s what you can expect to accomplish with parental controls.

Blocking bad sites

The Internet is a place where misinformation, fake news, and scams are spread like nowhere else, and, as most of us know, not every site on the Internet is a safe, or even pleasant, place to visit. This is something that your child needs to understand.

Your first line of defense is some kind of blocklist that will prevent visits to known, unwanted sites. When you are looking for an anti-malware solution you will see that many of them will include some flavor of web protection. But for children-oriented web protection you will need a more extensive solution. After all, there is content that we consider suitable for adults, but not for children, and if we can block those as well, that is a step up.

Almost all Internet Service Providers (ISPs) give customers the option to use parental controls that filter the Internet right at the source. These controls can come free with your service, or may cost a little extra, but they can be a great resource to test and figure out. You will have to set up accounts for different users in your household, so you can create settings for each person so that the kids are protected, but you have full access.

There are ways around block lists which I will not discuss in detail here, but you should assume that your teens are familiar with proxy servers, VPNs, and probably even know how to access your account.

Keeping track

Communicate with your kids before implementing parental controls, especially online tracking. Your children deserve that you take their privacy seriously. Catching them red-handed is not a pleasant experience for either party, so it is better to prevent that from happening.

Access scheduling

Access scheduling is another very common part of parental controls. Some services let parents set a daily or weekly schedule for device usage. Others specifically restrict the amount of time your kid spends on the internet. Be aware that some of their homework needs to be done online. You do not want them to skip homework, so they have more online time for their game, right?

Social media monitoring

Social media monitoring is not a strong point of any parental control software that we have seen. One reason is that, as we said, it’s hard to keep up with what is popular right now and what is “old news” next month. Further, some of these platforms use some private messaging and are end-to-end encrypted—a boon to users everywhere seeking privacy and security in their communications in light of government oppression and censorship, but obviously a bit of a headache for parents who want to see if their child is engaging in risky or dangerous conversations.

As with many online risks, there is more than one way to respond while keeping your children safe. Lean less on technology and help your child avoid dangerous situations by teaching them to recognize the warning signs of unsafe conversations with strangers.

Education trumps all

You can expect the best result in the end from education rather than micro-management. Understanding why something is off limits tends to work better than blocking. Allow your children to use their own judgement; you may end up pleasantly surprised. Micro-management can be exhausting to both the child and the parent or guardian, and sometimes it simply defeats the purpose. A site can be fully suited for children, but that doesn’t mean that predators may not also be lurking on those websites—particularly if they offer chat functionality. Worse, those predators may be looking to convince children into moving their conversations onto other platforms or, most dangerously, offline.

More than you staring over their shoulder, a child needs skills like critical thinking and resilience, so they know what to do if they encounter risk. You want them to recognize and steer away from the danger.

For a more extensive guide on how to protect your children, and their devices, online, please read: Internet safety tips for kids and teens: A comprehensive guide for the modern parent.

The post Internet Safety Month: Parental controls—what they can and can’t do for you appeared first on Malwarebytes Labs.

Internet Safety Month: Avoiding the consequences of unsafe Internet practices

Welcome to Internet Safety Month, a once-a-year event in which you, the public, are told that anywhere between three and 30 different best practices will simplify your approach to staying safe online.

Unfortunately, much of the well-intentioned advice surrounding Internet Safety Month ignores one basic fact about how people change their habits: We typically only correct our behavior after first making a mistake.

We buy rain boots after feeling the unique misery of drenched socks. We become sunscreen evangelists after getting burnt on the beach. We try on a different pair of jeans after a separate pair caused psychic damage to our egos.

This year, then, for Internet Safety Month, we’re packaging our advice a little differently.

Today, we’re going to share stories about the consequences of unsafe Internet practices. By focusing on this context, we hope that you’ll come away with a stronger understanding about, for instance, why you should use a password manager rather than that you should use a password manager.

Here’s what to avoid during Internet Safety Month, and every month after.

Don’t lose thousands upon thousands of dollars

In the world of online scams, criminals care about one thing: Your money.

That’s true for the criminals who send you phishing emails that ask you to fill out personal information on bogus webpages that spoof the legitimate sites of Netflix, or Facebook, or your bank. It’s also true of the criminals who prey on the elderly and the unassuming when pretending to develop a romantic relationship online, only to later ask for financial support and disappear.

None of these situations are hypotheticals.

Earlier this year, a woman in Tennessee was fooled in an online dating scam by a thief who stole $390,000 of her money. Just last month, after the Twitter account of a famous digital artist was hacked, cybercriminals abused the account to send promotions for a fraudulent collaboration between the artist and the luxury brand Louis Vuitton. By selling fake raffle tickets for the promotion, the scammers raked in $438,000 worth of cryptocurrency.

Staying safe in all of these situations can be difficult because, oftentimes, the scammers on the other end are practiced, experienced professionals. Still, there are a few things you can do to best protect yourself from falling for an online scam.

  • Do not click on links in emails or text messages from unknown senders. Even if a message looks like it came from a trustworthy source, like a store you often shop at, you should still be wary of any request to get you to hand over credit card or financial information online.
  • Do not send money to anyone you haven’t met before. When we spoke with Cindy Liebes of the Cybercrime Support Network about romance scams, she said many victims of romance scams often sent money to people they had never met in person.
  • Do not trust everything you see online. This may sound simple, but remember that even trusted sources of authority can have their online accounts hacked or spoofed—after all, why else do you think we see so many cryptocurrency scams centering on bogus Twitter accounts for Elon Musk? Because, at first blush, they look legitimate.

Don’t ruin your device

A true story from me, your author. In 2016, I bought a new smartphone that, as part of a promotion, came with an additional smart watch. Getting the smartwatch required sending a separate form and having the watch delivered to my home at a later date.

About a week after I’d sent the form, I received an email allegedly from the United States Postal Service. The email told me that an update on my package—which I believed to be my new smartwatch—could be read in the attached document, which I blindly downloaded and opened.

Lo and behold, the attachment contained ransomware. After just a few minutes, I’d ruined my work laptop. My files were encrypted and inaccessible and the only readable document remaining was a ransom note asking for money.

The worst part about ruining your work laptop is that you don’t even get to take the day off. Working as a reporter, I still had a story to file—I was on deadline! I spent the day reporting and writing an entire article on my phone. It was a nightmare that I recommend to no one.

Though my tale is just about ransomware, the truth is that much of today’s malware gets delivered either through malicious attachments or malicious websites. Here are some simple steps you can take to prevent these attacks from happening.

  • Do not open email attachments from random senders. You never know if what you’ve just received is actually malware in disguise.
  • Do scrutinize email attachments of all types. Even if you’ve received an attachment from someone or some organization that looks legitimate, remember that, in my case, I was fooled by an email that spoofed the USPS. In fact, a few years ago, threat actors managed to insert malicious attachments into ongoing email threads between two trusted parties.
  • Do run security updates. Many malware campaigns rely on known vulnerabilities that have yet to be patched by individuals and organizations. The best defense you have to these types of attacks is to stay up to date on your software’s security patches.
  • Do consider using a browser plugin that flags unsafe websites. Some browser plugins can warn you if you’re visiting a dangerous website or a website that has been associated with previous malware scams. Consider using one of these plugins if you’re not sure who you can trust online.
  • Do use a cybersecurity app. A cybersecurity tool with real-time protection can stop malware before it has a chance to infect your device. This will provide you with the type of cover you need for when you aren’t remembering every best practice, which is okay. Sometimes you click a link you weren’t supposed to. Don’t beat yourself up about it—just get a cybersecurity app to back you up.

Don’t make it easy for criminals

A video of Kanye West from 2018 purportedly revealed that the rapper and producer’s iPhone passcode was 000000. Before you laugh, remember that every single year, a list of the top 10 or 20 most-used passwords (as determined through data breaches that revealed account credentials) typically includes “password” and “123456” near the top five placements. And, separately, though the reasons for the devastating SolarWinds breach are many, it’s hard to forget that, according to the company’s CEO, someone protected a critical, internal account with only the password “solarwinds123.”

The lesson here is simple: Don’t give cybercriminals a free pass.

The truth is, that in most cases, cybercriminals will only succeed against the least-defended targets. If you have any basic defenses in place, cybercriminals often won’t bother with a follow-up attempt to breach your device or steal your information—it’s simply too much trouble when they can move on to another potential victim.

Implement these practices—with the help of some tools—to ruin a cyberthief’s day.

  • Do use strong passwords. The longer the password the better in today’s world, in which password-cracking is more a function of time than “complexity.”
  • Do use unique passwords for every account. Repeat passwords are a huge risk to you because if your data is breached in an attack on one of the services you use, cybercriminals absolutely will try that password and username combo to access other popular services.
  • Do use a password manager to help keep track of the dozens of unique passwords you have.
  • Do use two-factor (also called multi-factor) authentication. With 2FA or MFA, even if your username and password are leaked, your account will still trigger a notification to your phone if a website recognizes that you are logging in from a different device or place. This can stop cyberthieves in their tracks even if they have your account credentials.
  • Do use a VPN on public WiFi connections. A virtual private network, or VPN, will encrypt your traffic, which can be especially helpful when connecting to public WiFi networks which could be vulnerable to eavesdropping. To learn how to choose the best VPN for you, read our advice here.

Learn from the experiences of others

The Internet can be a risky place where you can legitimately lose thousands of dollars or entire days’ worth of work. Don’t wait until you’ve made your own mistake to course-correct. Start changing your behavior today to enjoy a safer, better Internet experience.

Learn more about our Malwarebytes Internet Safety Month promotions here.

The post Internet Safety Month: Avoiding the consequences of unsafe Internet practices appeared first on Malwarebytes Labs.

[Updated] Unpatched Atlassian Confluence vulnerability is actively exploited

Researchers found a vulnerability in Atlassian Confluence by conducting an incident response investigation. Atlassian rates the severity level of this vulnerability as critical.

Atlassian has issued a security advisory and is working on a fix for the affected products. Because it is being exploited before a patch exists, this qualifies as a zero-day vulnerability that is actively exploited in the wild.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-26134.

Confluence

Atlassian Confluence is a collaboration tool in wiki style. Confluence is a team collaboration platform that connects teams with the content, knowledge, and their co-workers, which helps them find all the relevant information in one place. Teams use it to work together on projects and share knowledge.

Confluence Server is the on-premises version, which is being phased out. Confluence Data Center is the self-managed enterprise edition of Confluence.

The vulnerability

The description of CVE-2022-26134 says it is a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.

During the investigation, the researchers found JSP web shells written to disk. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. JSP is similar to PHP and ASP, but uses the Java programming language.

It became clear that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. The researchers were able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.

After the researchers contacted Atlassian, Atlassian confirmed the vulnerability and subsequently assigned the issue to CVE-2022-26134. It confirmed the vulnerability works on current versions of Confluence Server and Data Center.

The attack

The researchers at Volexity were unwilling to provide any details about the attack method since there is no patch available for this vulnerability. However, they were able to provide some details about the shells that were dropped by exploiting the vulnerability.

A web shell is a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

This web shell was identified as the China Chopper web shell. The China Chopper web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. The web shell has two parts, the client interface and the small (4 kilobytes in size) receiver host file on the compromised web server. But access logs seemed to indicate that the China Chopper web shell only served as a means of secondary access.

On further investigation they found bash shells being launched by the Confluence web application process. This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Bash is the default shell for many Linux distros and is short for the GNU Bourne-Again Shell.

Research showed that the web server process, as well as the child processes created by the exploit, were all running as the root user and group (with full privileges). These types of vulnerabilities are dangerous, as they allow attackers to execute commands and gain full control of a vulnerable system. They can even do this without valid credentials as long as it is possible to make web requests to the Confluence system.

After successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike.

Mitigation

There are currently no fixed versions of Confluence Server and Data Center available. In the interim, users should work with their security team to consider the best course of action. Options to consider include:

  • Restricting access to Confluence Server and Data Center instances from the internet.
  • Disabling Confluence Server and Data Center instances.
  • If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing ${ may reduce your risk.

Note: ${ is the first part of a parameter substitution in a shell script.
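One way to apply the interim WAF mitigation above as a check over web server access logs, as an added example that is not Atlassian’s or Volexity’s code: it flags requests whose path contains `${` after percent-decoding, because a rule that only matches the literal two characters misses encoded forms. The log lines are constructed samples and the client address is a placeholder.

```python
"""Flag web requests whose path contains "${" once percent-decoded.

Added example (not Atlassian's or Volexity's code). It applies the interim
WAF mitigation quoted in the advisory, blocking URLs that contain "${", as a
detection pass over access log lines. All log lines below are constructed.
"""
import re
from urllib.parse import unquote

# Combined-log-style line: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

MAX_DECODE_PASSES = 3  # bounded, so doubly encoded paths are still normalised


def normalise_target(target: str) -> str:
    """Percent-decode the request target until it stops changing (bounded)."""
    current = target
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def contains_expression_marker(target: str) -> bool:
    """True if the decoded request target contains the "${" marker."""
    return "${" in normalise_target(target)


def scan_log(lines):
    """Return (client, timestamp, raw target) for every request that a WAF
    rule matching "${" after decoding would have blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        if contains_expression_marker(m.group("target")):
            hits.append((m.group("client"), m.group("ts"), m.group("target")))
    return hits


# Constructed sample log lines. 10.0.0.5 is a placeholder client address.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200',
    # literal marker: caught by a naive substring rule
    '10.0.0.5 - - [03/Jun/2022:10:00:02 +0000] "GET /${placeholder}/ HTTP/1.1" 302',
    # percent-encoded marker: missed by a rule that does not decode first
    '10.0.0.5 - - [03/Jun/2022:10:00:03 +0000] "GET /%24%7Bplaceholder%7D/ HTTP/1.1" 302',
    # doubly encoded marker: needs more than one decoding pass
    '10.0.0.5 - - [03/Jun/2022:10:00:04 +0000] "GET /%2524%257Bplaceholder%257D/ HTTP/1.1" 302',
    # a lone "$" is legitimate in many URLs and must not be flagged
    '10.0.0.5 - - [03/Jun/2022:10:00:05 +0000] "GET /pages/price$list.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} would be blocked: {target}")
```

Run it against a Confluence access log to see which requests an un-decoding rule would have let through.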

Affected versions

All supported versions of Confluence Server and Data Center are affected. And according to Atlassian it’s likely that all versions of Confluence Server and Data Center are affected, but they are still investigating and have yet to confirm the earliest affected version.

One important exception: if you access your Confluence site via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable.

We will keep you posted about the developments, so stay tuned.

Update June 3, 2022

Atlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.

What You Need to Do

Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.

The post [Updated] Unpatched Atlassian Confluence vulnerability is actively exploited appeared first on Malwarebytes Labs.

Ransomware: May 2022 review

The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.

Conti sleight of hand?

Although LockBit remained the most widely-deployed ransomware in May 2022, it was, typically, Conti that sucked all of the air out of the room.

Conti ransomware and the group that distributes it has been a dangerous, noisy presence in the ransomware ecosystem since 2020. It has been involved in hundreds of attacks, including the horrific disabling of Ireland’s Health Service Executive, and according to the FBI, it is “the costliest strain of ransomware ever documented”, having raked in over $150 million in ransom payments.

Recently, the group has had its troubles. On February 27, an individual with access to the group’s inner-workings started leaking a treasure trove of data that included source code, files, and tens of thousands of internal chat messages. Not long after, a hacking group began using the leaked source code to attack targets inside Russia, violating one of ransomware’s unspoken rules. And at the start of this month, the FBI put a $10 million bounty on the group’s head.

On May 8 the newly-inaugurated president of Costa Rica declared a national emergency across the country’s public sector, in response to the continuing effects of a devastating Conti ransomware attack carried out in April. On the same day, an inflammatory message appeared on the group’s leak site, alongside a leak of 672 GB of stolen data.

The message itself is the usual grandiose puffery: It took a swing at US President Joe Biden (“this old fool will soon die”), claimed the attack had been carried out by just two people, and threatened that Costa Rica was just a “Demo version” of what was to come.

You would be forgiven for thinking that despite recent travails, Conti is going strong.

But according to an in-depth analysis by Advintel, that’s what it wants you to think. It says that far from being in rude health, the Conti brand is in the process of disbanding and that the attacks on Costa Rica were a deliberately showy act from an operation being run by a skeleton crew.

It seems that the decision to offer its “full support of Russian government” in February, following the invasion of Ukraine, may have been a fatal error. By aligning itself to the Russian state it had made ransom payments a potential sanctions violation, killing the group’s income.

Advintel asserts that as a result the Conti group has been “silently creating subdivisions that began operations before the start of the shutdown process.” These subdivisions—said to include KaraKurt, BlackByte, BlackBasta—are supposed to establish themselves before Conti disappears to avoid the kind of shallow and transparent rebrand some other groups have pursued.

Malwarebytes Threat Intel has been able to confirm that there was an internal announcement about the shutdown for affiliates, and that the group’s internal chat servers are down, although the leak site is still operational, and updated almost daily with additional data.

Ransomware attacks in May 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In May, LockBit remained by far the most widely-used ransomware. Conti remained active, but its activity was significantly reduced compared to recent months. Notably, three of the four groups that have overtaken it—Black Basta, Hive, and ALPHV—are linked to the alleged Conti disbandment. Intriguingly, Hive was named as the ransomware used in an attack on Costa Rica’s national health service on May 31.

The USA remained far and away the country most badly affected by ransomware attacks in May, and services was the industry sector most likely to be attacked.

Figure: Known ransomware attacks by group, May 2022
Figure: Known ransomware attacks by country, May 2022
Figure: Known ransomware attacks by industry, May 2022

Ransomware mitigations

Source: IC3.gov

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

How Malwarebytes protects against ransomware


Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

The post Ransomware: May 2022 review appeared first on Malwarebytes Labs.

Introducing Malwarebytes DNS Filtering module: How to block sites and create policy rules

We’re happy to announce Malwarebytes DNS Filtering, a new module for the Nebula platform which helps block access to malicious websites and limit threats introduced by suspicious content.

But how exactly does it work, you ask?

In this post, we give a basic walkthrough of the module, starting off with how to create DNS filtering rules. We’ll then show you how to set exclusions to rules and filter by certain categories, as well as how to monitor and delete the rules that you create.

Let’s get into it!


Part 1: Accessing the module

Once you add DNS filtering to your Nebula subscription, you can access the DNS filtering page on the left hand navigation.


Part 2: Creating rules

First, let’s take a look at the Rules tab.


2.1: Setting rule exclusions

Start by adding global exclusions. Add your private and local domains here to prevent them from being blocked by any DNS filtering rules you create.


2.2: Naming rules and setting policies

Give this DNS rule a name and then select the policies you want to include.


2.3: Filtering categories

By default, Use preconfigured settings is enabled for Categories.


For further customization click on the arrow to expand the categories. Each security category has an additional description and details.


Under Content categories, you can expand each one for a more granular level of customization.


2.4: Allowing and blocking domains


Under allow lists you can add domains to exclude from this DNS rule. For now we’ll leave it blank.


You can also add domains to the block list. Remember that while allowing or blocking a domain will include its subdomains, allowing or blocking a subdomain will not include the parent domain.
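The domain and subdomain semantics just described, worked through as an added example that is not Malwarebytes product code: an entry covers the domain and all of its subdomains, matched label by label, while an entry for a subdomain does not cover its parent. The rule layout, the precedence (global exclusions, then the rule’s allow list, then its block list, then category blocking) and the category table are assumptions built from the walkthrough text, and every domain is made up.

```python
"""Decide whether a DNS query is allowed or blocked under domain/subdomain
matching semantics. Added example, not Malwarebytes product code; the rule
layout, precedence and category table are assumptions, and all domains are
constructed for the example.
"""
from dataclasses import dataclass, field


def covers(entry: str, hostname: str) -> bool:
    """True if `entry` covers `hostname` or any of its subdomains.

    Matching is label by label, so 'example.test' covers 'www.example.test'
    but not 'notexample.test', and 'www.example.test' does not cover
    'example.test'.
    """
    entry_labels = entry.lower().strip(".").split(".")
    host_labels = hostname.lower().strip(".").split(".")
    if len(host_labels) < len(entry_labels):
        return False
    return host_labels[-len(entry_labels):] == entry_labels


def any_covers(entries, hostname: str) -> bool:
    return any(covers(e, hostname) for e in entries)


@dataclass
class DnsRule:
    name: str
    blocked_categories: set = field(default_factory=set)
    allow: list = field(default_factory=list)  # exempt from this rule
    block: list = field(default_factory=list)  # always blocked by this rule


@dataclass
class DnsFilter:
    global_exclusions: list  # private/local domains, never blocked
    rule: DnsRule
    categories: dict         # domain -> category (constructed stand-in)

    def decide(self, hostname: str) -> tuple:
        """Return (verdict, reason) for a queried hostname."""
        if any_covers(self.global_exclusions, hostname):
            return ("allow", "global exclusion")
        if any_covers(self.rule.allow, hostname):
            return ("allow", f"{self.rule.name}: allow list")
        if any_covers(self.rule.block, hostname):
            return ("block", f"{self.rule.name}: block list")
        for domain, category in self.categories.items():
            if category in self.rule.blocked_categories and covers(domain, hostname):
                return ("block", f"{self.rule.name}: category {category}")
        return ("allow", "not filtered")


# Constructed configuration; every name below is made up for the example.
EXAMPLE_FILTER = DnsFilter(
    global_exclusions=["corp.internal"],
    rule=DnsRule(
        name="Workstations",
        blocked_categories={"malware"},
        allow=["cdn.example-news.test"],   # subdomain exempted from the rule
        block=["example-news.test"],       # parent domain and its subdomains
    ),
    categories={"bad.test": "malware", "games.test": "games"},
)

if __name__ == "__main__":
    for name in ["intranet.corp.internal", "www.example-news.test",
                 "cdn.example-news.test", "evil.bad.test", "games.test"]:
        print(name, EXAMPLE_FILTER.decide(name))
```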


Part 3: Monitoring

Now all the endpoints under the selected policies will follow this new DNS rule. Back on the Rules tab, you can disable and enable and also clone and delete rules.

On the Activity page, you can monitor and export data based on the rules you create.

At the bottom there’s a table where you can review each individual block and allow. Just as elsewhere in Nebula, you can use column filters to create group-level filters.

Elevate threat prevention for safer web browsing today

The Malwarebytes DNS Filtering module makes it easy to block websites and content, helping you align internet access with your organization’s cybersecurity and any published “acceptable use” policies.

The post Introducing Malwarebytes DNS Filtering module: How to block sites and create policy rules appeared first on Malwarebytes Labs.

Introducing EDR for Linux: Remediating and isolating threats on Linux servers

We’re excited to announce our new EDR for Linux offering, which extends our advanced protection and response capabilities to Linux devices via Nebula and OneView.

In this post, we show you what remediating and isolating threats on Linux servers looks like with Malwarebytes EDR for Linux.

Let’s get started!

Part 1: Downloading the test tool

Malwarebytes EDR for Linux provides a test tool to trigger suspicious activity.

The test script, trigger.sh, downloads Ncat from a GitHub repository into a temporary folder, runs it from there, and then attempts to manipulate the SSH authorized_keys file.

We can see that Ncat is now in our temporary folder.

Let’s head back to Nebula and check the “Suspicious activities” tab. At the top, we’ll see that on our DB-demo-2 endpoint, Ncat in our temporary folder is being flagged as suspicious.

You might be wondering though: why exactly is running Ncat from a temporary folder considered suspicious? To find the reason, we can click on the /TMP/NCAT alert and see what detection rule was triggered.

As you can see above, the technique triggered is Command and Scripting Interpreter. What was detected is the attempt to execute a process from the temp folder: /tmp is world-writable, so any user or process on the system can drop a binary there and run it, which makes it a favourite staging area for attacker tooling.

We can learn more about this adversary behaviour, and which groups are known to use it, by clicking the “T1059 – Command and Scripting Interpreter” link. This takes us to the MITRE ATT&CK page for the technique.

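For a reader who wants to see what a detection of this kind looks like as logic rather than as a dashboard, here is an added Python example. It is not the product’s detection engine: it walks a small set of constructed process and file events modelled on the trigger.sh steps (a download into /tmp, execution from /tmp, a write to authorized_keys by that process) and maps each match to the ATT&CK technique it corresponds to. The event format, the staging-directory list, the download URL and the sample events are all assumptions.

```python
"""Added example: rule-based detection over constructed Linux telemetry.

Not the product's engine. Events are a simplified stand-in for what an
EDR sensor or auditd would record (exec and file-write records).
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# World-writable locations commonly used to stage attacker tooling.
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
DOWNLOADERS = {"curl", "wget"}


@dataclass(frozen=True)
class Event:
    kind: str                  # "exec" or "write"
    pid: int
    exe: str                   # image of the acting process
    argv: tuple[str, ...] = ()
    path: str = ""             # target file for "write" events


@dataclass(frozen=True)
class Alert:
    technique: str             # MITRE ATT&CK id
    pid: int
    detail: str


def under_dir(path: str, dirs: tuple[str, ...] = STAGING_DIRS) -> bool:
    """True if path lies inside one of dirs (so /tmpfoo/x is not /tmp)."""
    p = os.path.normpath(path)
    return any(p == d or p.startswith(d + "/") for d in dirs)


def detect(events: list[Event]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        if ev.kind == "exec":
            # Ingress tool transfer: a downloader writing into a staging dir.
            if os.path.basename(ev.exe) in DOWNLOADERS and any(
                under_dir(a) for a in ev.argv[1:]
            ):
                alerts.append(Alert("T1105", ev.pid,
                                    f"download into staging dir: {' '.join(ev.argv)}"))
            # Execution of a binary from a staging dir (the /tmp/ncat case).
            if under_dir(ev.exe):
                alerts.append(Alert("T1059", ev.pid,
                                    f"process executed from staging dir: {ev.exe}"))
        elif ev.kind == "write":
            # A staged binary touching SSH authorized_keys: persistence.
            if ev.path.endswith("/.ssh/authorized_keys") and under_dir(ev.exe):
                alerts.append(Alert("T1098.004", ev.pid,
                                    f"{ev.exe} modified {ev.path}"))
    return alerts


# Constructed events mirroring the trigger.sh sequence, plus benign noise.
# The URL is a placeholder; the post's tool fetches from a GitHub repository.
SAMPLE_EVENTS = [
    Event("exec", 4101, "/usr/bin/curl",
          ("curl", "-sSLo", "/tmp/ncat", "https://example.invalid/ncat")),
    Event("exec", 4102, "/tmp/ncat", ("/tmp/ncat", "-l", "-p", "4444")),
    Event("write", 4102, "/tmp/ncat", path="/root/.ssh/authorized_keys"),
    Event("exec", 4103, "/usr/bin/vim", ("vim", "/etc/hosts")),
    # An admin adding a key with a normal tool is not flagged by these rules.
    Event("write", 4104, "/bin/sh", path="/home/alice/.ssh/authorized_keys"),
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.technique:10} pid={a.pid:<6} {a.detail}")
```

Two design points carry over to real rules: normalise the path before matching (otherwise /var/tmp/../tmp/x or a trailing slash slips past a prefix test), and key the authorized_keys rule on who is writing rather than on the write alone, or every ssh-copy-id run becomes an alert.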

Part 2: Remediating endpoints

Now, it’s time to remediate the threat!

Going back to the “Suspicious Activity” tab, we can bulk select the threats we want to remediate. Under the “Bulk Actions” tab on the upper-right, a drop-down menu appears with a “Remediate” option.

The remediation process takes about one to two minutes to complete. We can check on the status of our remediation by going to the “Tasks” tab and clicking on the threat, as shown below.

Let’s confirm by checking back on our temp folder. As you can see, Ncat has been removed by our remediation engine.

Part 3: Endpoint isolation

We can isolate an endpoint from the “Endpoints” tab. After selecting the machine we wish to isolate, we open the “Actions” drop-down in the upper-right, which includes an “Isolate Endpoint(s)” option.

We’re given the option to toggle either “Block network connections” or “Block processes” for this device. For this example, we only want network isolation.

This blocks all inbound and outbound communication for the endpoint, except trusted traffic such as to the Nebula servers or OpenVPN, so the device stays manageable while it is cut off. As you see below, we are disconnected from the endpoint and can no longer ping it.

Part 4: Removing endpoint isolation

While we are no longer able to connect to the machine, we are still able to manage it. Going back to the “Endpoints” tab, we’re able to see the status of our device by clicking on it and going to “Tasks”.

We see that the “Isolating Endpoint” task is successful. To remove the isolation, we start by clicking the lock icon in the upper-right corner, which will prompt a “Remove Isolation” button.

When we refresh the page, our “Remove Endpoint Isolation” task appears with a pending status. Again, give it another minute to complete.

Now, we have reestablished a connection with the endpoint and can ping it.

Learn more about Malwarebytes EDR for Linux.

The post Introducing EDR for Linux: Remediating and isolating threats on Linux servers appeared first on Malwarebytes Labs.

Phishing mail claims a 3D Secure upgrade is required

Today we took a look at a phishing mail pinning its hopes on a QR code linking to a bogus website. Scammers claim that your mail address has “not been registered for the 3D Secure Security Update”.

The mail reads as follows:

Dear Sir / Madam,

Our administration has shown that the data linked to this email address: {redacted} has not yet been registered for the 3D Secure security update. From May 30, 2022, the new security system has come into effect.
We therefore request that you activate the 3D Secure security.

Scan the QR code below with the camera of your smartphone to be redirected to the security form.

You can then use the new 3D Secure password for online payments with your credit card.

For even more payment convenience, you can download the ICS App. You can then approve your online payments via the app and no longer have to remember a password.

We wish you a lot of ease of payment with your Card!

What is 3D Secure?

3D Secure is an additional layer of authentication for online card payments. The name refers to the three domains that interact whenever the protocol is used: the acquirer (merchant) domain, the issuer domain, and the interoperability domain that connects them. 3DS2 is due to replace the original 3DS sometime in 2022 as the first version is slowly phased out.

Encouraging potential victims to strengthen their security by inadvertently walking into a trap is a common tactic. Tying it in with 3D Secure is arguably more original than most, especially as it’s perhaps a bit of a niche aspect of secure payments. Perhaps confusing victims with some very specific technobabble is the point.

The rogue website

Victims arrive on the site via a redirect URL.

The site emulates a well-known organisation which issues credit cards in the Netherlands. It asks for name, date of birth, postcode and house number, mobile number, and email.

After this, victims arrive on a “please wait while we check your details” notification. The details entered have already been sent, and they’ll be waiting on that page for a very long time. Curiously, no request for card details is made. We suspect whoever runs the site will follow up by mail or phone and finish the scam off by asking for payment information.

The QR Code factor

Quick Response (QR) code scams come around every so often. Sometimes rogue codes are pasted over, or close to, genuine codes. Other times, codes are tampered with. They’re also a feature of Bitcoin ATM scams.

Where phishing is concerned, it’s important not to misunderstand how these attacks work and cause unnecessary panic. Most QR code scanners on mobile devices show a preview of the URL you’re about to visit, so it boils down to recognising the signs of a dubious URL, just as it would if the attackers had included a link. (A redirect URL blunts that preview, because the address shown is not the final destination, which is probably why this attack uses one.)

As a result, best practices for regular phishing attacks still apply.

The post Phishing mail claims a 3D Secure upgrade is required appeared first on Malwarebytes Labs.

3 ways DNS filtering can save SMBs from cyberattacks

If you’re an SMB, chances are that you’re already well aware of the fact that cyber threats can wreak havoc on your business.

Everything from rootkits to ransomware threatens not just financial losses, but significant network downtime and reputational damage as well. Couple this with the fact that many cyberthreats are web-based, and you might be stuck wondering how best to secure your business online.

That’s where DNS filtering comes in. 

But first, DNS in a nutshell. Every time a customer types in your web address, their computer asks a DNS server to translate that name into an IP address. The DNS server’s answer tells the computer where to connect, and if all goes well, your customer lands on your website.

A DNS filter stops that lookup from succeeding for unsafe websites, including those posing a strong malware risk, so the connection never happens. But which web-based cyberthreats in particular does DNS filtering stop, you ask?

In this post, we’ll break down three ways DNS filtering can help save your business from cyberattacks. 

1. Blocks phishing websites

Let’s say someone at your company gets an email from their “bank” asking them to update their password.  

Not knowing it’s a fake, the employee clicks a link to a malicious website that looks exactly like the original, fills in some sensitive information, maybe even downloads a malicious file, and just like that, criminals have a foothold in your network from which to install malware, steal data and spread ransomware.

You might recognize this as one example of phishing, an attack where cybercriminals trick potential victims into sharing sensitive information or giving the perpetrator privileged access to a network. 

Luckily, by blocking the domain names of phishing sites, a DNS filter can nip attacks in the bud. 

Here’s how it works: DNS filtering references databases of known malicious domain names. These databases can also be sorted into threat categories, such as spyware, typosquatting, cryptomining, and so on, so your organization can block whole categories of malicious sites and secure its environment against phishing attacks.

In other words, if you have a DNS filter, as soon as that same employee clicks a link to a malicious website —they’re prevented from visiting it. 

2. Secures you against machine-in-the-middle attacks 

Imagine you’re at a cafe chatting with a trusted friend, sharing private details about your lives with one another. You probably wouldn’t appreciate it if some random stranger was tuning into the conversation, listening carefully to every word. 

Such a scenario is roughly analogous to a machine-in-the-middle attack (MITM, also referred to as a man-in-the-middle attack), except that in a MITM attack the stakes are much higher. Cybercriminals in MITM attacks can steal your personal information, passwords, or banking details by intercepting the data sent between you and an application.

One type of man-in-the-middle attack businesses should worry about is DNS spoofing. 

In a DNS spoofing attack, an attacker sits in the middle of this process: when that same customer’s computer asks a DNS server where your website is, the attacker answers first with a forged response and sends the customer to a malicious website instead.

From there, attackers can phish sensitive customer or business information, as described above. This is where DNS encryption (DNS over HTTPS or DNS over TLS, which a good DNS filter includes) matters: it authenticates and encrypts the connection between your computer and the DNS resolver, so an attacker on the path cannot sit between the two and feed you spoofed DNS entries. Note the limits: encryption to the resolver does not help if the resolver itself is compromised or has been fed poisoned data, and answers from the wider DNS are only verifiable where DNSSEC is deployed and validated.

3. Detects potential DDoS attacks 

The last thing any business wants is to suffer a Distributed Denial of Service (DDoS) attack.

You can think of a DDoS attack as being kind of like a zombie invasion. Using an army of infected machines called a botnet, a cybercriminal can direct thousands or even millions of “zombie” computers to flood your website with traffic, ultimately overloading it and bringing it down.

The end result? Brand damage, angry customers, and often lost revenue.

One type of DDoS attack is a DNS flood, where the attacker uses the botnet to overwhelm a DNS server with queries so that it can no longer answer legitimate requests for your website’s address.

And, as is the case with most cyberthreats, the earlier you spot a potential DNS DDoS attack, the better. Continuously monitoring DNS activity is a great way to catch the warning signs of a DNS DDoS attack, and with a DNS filter you can do exactly that.
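The monitoring the post refers to is easier to picture with code, so here is an added Python example, not Malwarebytes’ detector, that runs a simple flood heuristic over constructed DNS resolver log lines. It buckets queries into fixed windows and flags a window whose query rate jumps far above baseline, whose NXDOMAIN ratio is high (the signature of a random-subdomain flood, which wears down the authoritative server with names that can never be answered from cache), or both, and it reports how many distinct clients took part. The log format, the thresholds and the sample traffic are assumptions.

```python
"""Added example: DNS flood heuristics over constructed resolver logs.

Log line format assumed here: "<unix_ts> <client_ip> <qname> <rcode>".
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

LINE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>[A-Z]+)$")


def parse(lines):
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # malformed lines are skipped
            yield int(m["ts"]), m["client"], m["qname"].lower(), m["rcode"]


def analyze(lines, window=10, baseline_qps=5.0, spike_factor=10.0,
            nx_ratio=0.5, distributed_clients=50):
    """Return one finding dict per window that looks like a flood."""
    buckets: dict[int, list] = defaultdict(list)
    for ts, client, qname, rcode in parse(lines):
        buckets[ts - ts % window].append((client, qname, rcode))

    findings = []
    for start in sorted(buckets):
        evs = buckets[start]
        qps = len(evs) / window
        nxd = sum(1 for _, _, r in evs if r == "NXDOMAIN") / len(evs)
        clients = Counter(c for c, _, _ in evs)
        reasons = []
        if qps >= baseline_qps * spike_factor:
            reasons.append("rate spike")
        if nxd >= nx_ratio:
            reasons.append("nxdomain flood")
        if reasons:
            # The zone under attack is the name minus its first label.
            zones = Counter(q.split(".", 1)[-1] for _, q, _ in evs)
            findings.append({
                "window_start": start,
                "qps": qps,
                "nxdomain_ratio": round(nxd, 3),
                "distinct_clients": len(clients),
                "distributed": len(clients) >= distributed_clients,
                "top_target": zones.most_common(1)[0][0],
                "reasons": reasons,
            })
    return findings


def _constructed_log() -> list[str]:
    """Constructed sample: 10 s of normal traffic, then a 10 s flood."""
    lines = []
    names = ["www.corp.example", "mail.corp.example",
             "cdn.vendor.example", "typo.corp.exmaple"]   # last one is a typo
    for i in range(20):                                   # 2 qps, 4 clients
        rcode = "NXDOMAIN" if i % 4 == 3 else "NOERROR"
        lines.append(f"{i // 2} 10.0.0.{i % 4 + 1} {names[i % 4]} {rcode}")
    for i in range(800):                                  # 80 qps, 200 clients
        lines.append(f"{10 + i % 10} 198.51.100.{i % 200} "
                     f"{i:08x}.shop.example NXDOMAIN")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Where you can see a flood depends on where you are looking: a resolver’s logs show the floods it forwards on behalf of your clients, while a volumetric flood aimed at the authoritative server for your own domain is only visible in that server’s (or your DNS provider’s) telemetry.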

Protect your end users and your organization from web-based threats 

The web is full of dangerous corners.  

It’s a breeding ground for phishing attacks, spyware, common viruses and malware, not to mention ransomware. And as these attacks continue to increase in frequency and sophistication, it’s never been more important for SMBs to secure themselves online.  

But while having a DNS filter is a great way to do that, many small and mid-size organizations don’t invest in one, leaving them exposed.

The Malwarebytes DNS Filtering module for the Nebula platform helps block access to malicious websites and limit threats introduced by suspicious content. It blocks phishing sites, encrypts all DNS requests, and tracks website traffic to detect potential DDoS attacks. 

To top it all off, Malwarebytes DNS Filtering controls are available in the same platform used for powerful threat prevention and trusted remediation — including our Incident Response, Endpoint Protection, and Endpoint Detection and Response offerings. 

The post 3 ways DNS filtering can save SMBs from cyberattacks appeared first on Malwarebytes Labs.

TrustPid is another worrying, imperfect attempt to replace tracking cookies

German ISPs are considering the introduction of TrustPid, a new type of “supercookie”: a unique identifier issued for each customer that can be used to track what that customer does online.

The providers are trying to sell this idea by telling the public that the identifier can never be tracked back to an individual and that something needs to be done to keep the internet free.

The end of the tracking cookie

Where does this attempt come from, you may ask? Advertisers can see the end of the tracking cookie on the horizon, and it is getting closer.

Google has announced that it will stop supporting third-party cookies in Chrome by the end of 2023, joining a growing list of browsers that are saying farewell to tracking cookies. Apple’s Safari already blocks third-party cookies by default.

Social media and tech giants, including Google, are already looking at other business models to replace tracking cookies since they are the ones that benefited the most from targeted advertising, by providing the most useful information to the advertisers.

What makes supercookies different is that they are unique identifiers inserted into the HTTP headers of your traffic by the service provider. Unlike normal cookies they are not stored in the browser or in browser plug-ins, so clearing cookies or using a private browsing window does nothing to remove them.

Free internet

The idea of a free internet, as communicated by some of these companies, is not that they are signing you up as a customer free of charge. Wouldn’t that be nice? No, the idea is that websites that provide content need to make a living, and the usual income for most of those sites comes from advertising. Why ISPs feel that it is part of their job description to enable targeted advertising escapes me. But undoubtedly the goal is to improve the bottom line.

Targeted advertising is more rewarding than regular advertising since it supposedly enormously enhances the effect of the advertisement. At least, that’s the idea that most advertisers live by, and sell to their customers. But here’s something to consider: According to research by Cloudflare, 20 percent of websites that serve ads receive visits almost exclusively by fraudulent click bots, and that bots comprise roughly 50 percent of all Internet traffic. Imagine how much money advertisers could save by effectively tackling ad fraud. Plus, that sounds a lot better than tagging another tracker on us.

Hiding consent

The worst bit of your ISP enabling the tracking is that every user has to sign some sort of agreement with them. In this agreement the ISP can hide the TrustPid consent in a long End-user License Agreement (EULA) that almost no one ever reads and which can probably not be declined in part. It’s all or nothing if you want or need this provider. And if one provider successfully monetizes this idea, I’m afraid others will quickly follow suit.

Another advantage the ISP has is that it knows if and when the IP address of your home connection changes, and for mobile devices it can even enumerate the users within a household by identifying the individual devices.

History

The idea of ISPs issuing supercookies is certainly not new. Verizon should have served as the history lesson here. In 2016, Verizon settled with the FCC over its use of a supercookie that tracked the websites visited by phones on its network. It was penalised because it failed to inform customers or give them a way to opt out: Verizon paid $1.35 million and was ordered to obtain customer permission before sharing tracking data with other companies or even within its own organization.

How it works

The network provider first combines your mobile number and IP address to generate a pseudonymous network identifier, and then uses that identifier to generate a pseudonymous unique token (the TrustPid).

This TrustPid is used to create additional marketing tokens for the websites of advertisers and publishers you visit (website specific tokens). Advertisers and publishers aren’t (shouldn’t be) able to identify you as a person via the website specific tokens.

Where you have given consent, advertisers and publishers will use the website specific tokens to provide you with targeted online marketing, or conduct analytics. The advertisers and publishers that you’ve consented to could be drawn up in a list that will be in the hands of the ISP, but you can manage your consent for those parties at any time via the Privacy Portal.

I inserted the “shouldn’t be” because we are all too aware that many good intentions have unexpected consequences. Suppose you fill out your details on one of the websites you decided to trust. Introduce one XSS vulnerability there and all your personal details could be linked back to your TrustPid.
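The post notes that technical details are scarce, so the following is an added Python model, not TrustPid’s actual scheme, of the token chain described above: a keyed derivation (HMAC, a standard way to build pseudonyms) takes the network identifier to a per-user token and from there to per-website tokens. It shows the two properties that matter here: websites cannot link their tokens to each other without the key, while the issuer, who holds the key and the mapping, can; and it shows how a single site that stores personal data next to its token turns that token into an identity for anyone who obtains both records. The class and function names, the phone number and the site names are constructed.

```python
"""Added example: hypothetical keyed pseudonym chain, not TrustPid's design."""
from __future__ import annotations

import hashlib
import hmac


class TokenIssuer:
    """Holds the secret key; models the network operator's role."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._issued: dict[str, str] = {}   # site token -> user token

    def _prf(self, label: bytes, *parts: str) -> str:
        m = hmac.new(self._key, label, hashlib.sha256)
        for p in parts:                      # length-prefix each field
            m.update(len(p).to_bytes(2, "big") + p.encode())
        return m.hexdigest()[:32]

    def network_id(self, msisdn: str, ip: str) -> str:
        # Pseudonymous network identifier from phone number + IP address.
        return self._prf(b"netid", msisdn, ip)

    def user_token(self, msisdn: str, ip: str) -> str:
        # The per-customer token derived from the network identifier.
        return self._prf(b"user", self.network_id(msisdn, ip))

    def site_token(self, msisdn: str, ip: str, site: str) -> str:
        # Website-specific token: stable per (user, site), different per site.
        user = self.user_token(msisdn, ip)
        tok = self._prf(b"site", user, site)
        self._issued[tok] = user             # the issuer keeps the join table
        return tok

    def link(self, site_token_a: str, site_token_b: str) -> bool:
        """Only the issuer can tell whether two site tokens are one person."""
        return self._issued.get(site_token_a) == self._issued.get(site_token_b)


def reidentify(leaked_records: dict[str, str], observed_token: str) -> str | None:
    """Once any site stores PII beside its token, a leak of that table (for
    example via XSS exfiltrating the form contents and the token) names the
    visitor behind every later sighting of the same token."""
    return leaked_records.get(observed_token)


if __name__ == "__main__":
    issuer = TokenIssuer(key=bytes(32))      # fixed all-zero key, demo only
    phone, ip = "+491510000000", "203.0.113.7"
    shop1 = issuer.site_token(phone, ip, "shop.example")
    shop2 = issuer.site_token(phone, ip, "shop.example")
    news = issuer.site_token(phone, ip, "news.example")
    print("same token on repeat visit:", shop1 == shop2)
    print("tokens differ across sites:", shop1 != news)
    print("issuer can link them:      ", issuer.link(shop1, news))
    leaked = {shop1: "alice@example.net"}    # PII the shop stored, then lost
    print("re-identified from leak:   ", reidentify(leaked, shop2))
```

The fixed-key constructor is the point of the demonstration, not a recommendation: in a real deployment the key is the whole secret, and anyone holding it (or the issuer’s join table) can collapse every website-specific token back to one person.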

Mitigation

Because of the lack of technical details provided about TrustPid, it is not completely clear how a user can avoid being tracked. But I asked German privacy expert Andreas Dewes and he responded:

“a device level VPN with integrated DNS should be able to block this kind of tracking.”

Once we know more, there might be easier and simpler ways to get around this. We’ll keep you posted.

The post TrustPid is another worrying, imperfect attempt to replace tracking cookies appeared first on Malwarebytes Labs.