IT NEWS

Dutch research group DIVD has identified multiple vulnerabilities in ITarian products. In cooperation with DIVD, ITarian has made patches available to deal with these vulnerabilities for its SaaS platform.

Software as a service (SaaS) is a software distribution model in which a cloud provider hosts applications and makes them available to end users over the internet.

ITarian

ITarian is a remote access and IT management solution, which helps organizations connect and communicate with their clients and employees. It’s typically the sort of tool that Managed Service Providers (MSPs) use to remotely manage their clients.

DIVD

The Dutch Institute for Vulnerability Disclosure (DIVD) reports vulnerabilities it finds in digital systems to the people who can fix them. It has a global reach, and tries to resolve the vulnerabilities by collaborating with the affected parties. Its services are free and most of the staff work in their free time.

You may have heard about DIVD in our reports about the Kaseya supply chain attack, or when Victor Gevers, chair of DIVD, appeared as a guest in our Lock and Code podcast about Kaseya.

Affected products

The vulnerabilities affect the following products:

• ITarian SaaS platform (version < 3.49.0): CVE-2022-25151,  CVE-2022-25152 and a Cross-Site Scripting (XSS) vulnerability in the helpdesk function.
• ITarian on-premise (version 6.35.37347.20040): CVE-2022-25151 and CVE-2022-25152.
• Endpoint Manager Communication Client (version < 7.0.42012.22030): CVE-2022-25153

The vulnerabilities

CVE-2022-25151: Within the Service Desk module of the ITarian platform (both SaaS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful XSS attack on a user.

CVE-2022-25152: The ITarian platform (both SaaS and on-premise) offers the possibility to run code on agents via a function called procedures. It is possible to require a mandatory approval process. Due to a vulnerability in the approval process, present in any version prior to 6.35.37347.20040, a malicious actor, with a valid session token, can create a procedure, bypass approval, and execute the procedure. This results in the ability for any user with a valid session token to perform arbitrary code execution and full system take-over on all agents.

CVE-2022-25153: The ITarian Endpoint Manage Communication Client, prior to version 6.43.41148.21120, is compiled using insecure OpenSSL settings. Due to this setting, a malicious actor with low privileges access to a system can escalate his privileges to SYSTEM abusing an insecure openssl.conf lookup.

OpenSSL is an open source implementation of the SSL/TLS protocol. Applications use this library to secure communications over computer networks against eavesdropping, or to identify the party at the other end.

Cooperation and responsible disclosure

The consequences of these vulnerabilities could have been severe. By chaining the XSS in the helpdesk function with CVE-2022-25152, an attacker would theoretically be able to create a service desk ticket that, when viewed by a user with a valid session token, would execute a workflow on all clients with superuser privileges.

It took a bit of back and forth, but once the DIVD researchers and ITarian’s software engineering team connected directly, a solution for the issues quickly came about. On 18 Feb 2022, the vulnerability in the Endpoint Manager Communications Client was resolved. The other vulnerabilities saw a solution come to live on May 19, 2022.

Planning for the full disclosure by DIVD indicates a date of July 1, 2022. The waiting time before full disclosure is to give users enough time to take appropriate measures.

Mitigation

Version v3.49.0 includes patches for the vulnerabilities in the SaaS service. ITarian controls the upgrade to this version, so it requires no user action.

It is important to note that CVE-2022-25151 and CVE-2022-25152 are still present in the on-premise version of the ITarian platform. Even though ITarian still offers the software for download, this version of the software was discontinued over 2 years ago and ITarian has informed DIVD that it will not be updated. Given the severity (9.9 out of 10) of the vulnerability listed as CVE-2022-25152, users of the on-premise version should look for alternative solutions since this solution has reached end-of-life (EOL).

The post Serious vulnerabilities found in ITarian software, patches available for SaaS products appeared first on Malwarebytes Labs.

Users of Chrome have been advised to apply updates as soon as possible related to seven security vulnerabilities. CISA has also warned that the vulnerabilities could be used to take control of affected systems. Although no detailed explanation of how these vulnerabilities work has been released, there is enough out there to encourage users to apply the patches.

Chrome 102.0.5005.115 is due to roll out over the coming days/weeks. This is for all users regardless of whether they use Windows, Linux, or Mac.

The vulnerabilities

Four of the seven issues have been rated as high risk.

CVE-2022-2007: Use after free in WebGPU. This can allow manipulation of the memory layer of the browser, with the possibility of remote code execution as per an older example.

CVE-2022-2008: Out of bounds memory access in WebGL.

CVE-2022-2010: Out of bounds read in compositing. According to reports, the attack may be initiated remotely and no form of authentication is required for exploitation, but some form of user interaction is required.

CVE-2022-2011: Use after free in ANGLE. Almost Native Graphics Layer Engine (ANGLE) is an “open source, cross-platform graphics engine abstraction layer” which was developed by Google.

Next steps

More details likely won’t be forthcoming for a while yet, so it’s crucial to apply updates as soon as possible.

In Chrome, click the More icon, then Help -> About Google Chrome. From here, you’ll be able to see your current update status and apply the update as required.

This should be all you need to do to keep the above security vulnerabilities at bay.

The post Update Chrome now: Four high risk vulnerabilities found appeared first on Malwarebytes Labs.

Tech support scams follow a simple business model that has not changed much over the years. After all, why change a recipe that continues to yield large profits.

We see countless such campaigns and block them indiscriminately to protect our customers from being defrauded by a fraudulent tech support agent over the phone. Every now and again, our attention is caught by one that is larger in volume due to upstream traffic.

Their modus operandi is as classic as it comes: To target users to adult sites and redirect them to fake warning pages via malicious ads. The threat actors behind this malvertising business appear to have been quite successful at following the same pattern over and over.

In this blog, we break down what we call the IP2Scam tech support scheme, by going back in time to track previously used infrastructure. We highlight that these fraudsters have been active for quite some time and how we found a way to track them more closely and identify their next move.

Why bother with domain name registration?

This tech support scam campaign has been seen by many people (victims and scambaiters alike) and can be recognized by its URL scheme because it always consists of an IP address, instead of a registered domain name.

http://155.138.141[.]187/systemerror-win-chx/?phone=.&

Everything is a commodity when it comes to malicious infrastructure and scammers know quite well that their domain names will be blacklisted pretty quickly. In this case, they simply buy a new virtual server and rotate ad infinitum.

There is nothing particular about this fake notification also known as a ‘browlock’, for browser locker. It is customized based on the browser’s user agent to display a slightly different template for Windows, Mac and the choice of Chrome or Firefox.

Browlocks IP space

We took about 10 months’ worth of telemetry and sorted all the servers’ IP addresses associated with this scam. This gave us a better idea of where the scammers like to host their infrastructure. We have shared our data with both Digital Ocean and The Constant Company (Choopa) and thank them for their help in this effort.

New servers come up as needed and are pushed dynamically via ongoing malvertising campaigns.

Malvertising flow

As with many other malvertising campaigns, the scammers prey on visitors to adult websites and perform a very simple cloaking technique to hijack traffic and redirect it to their browser locker.

The cloaking part consists of a decoy website named after a known brand whose purpose is to filter traffic and redirect if the user matches a certain set of criteria. For example we see bongaecams[.]xyz impersonating BongaCash and being used to redirect to the browlock

Other impersonated brands include Tom’s Guide and the New York Post. When a potential mark is identified, they are redirected to the browlock, otherwise they simply see some other content.

Those cloaking sites tend to remain active for longer periods of time probably because they aren’t malicious in and of themselves. One way to track this campaign is to follow these domains and simply attempt to get the redirect to the browlock IP du jour. We also identified another mechanism (that we won’t share publicly as to not give it away) that can programmatically retrieve new browlock server IP addresses as they come.

Reporting and take down

Tech support scammers are well aware that a number of people are after them and yet they often feel safely out of reach.

While not as good as actual arrests by local police, we hope to make it as difficult as possible for them to bring up new servers and defraud victims by disrupting their lead generation flows.

We would like to thank DigitalOcean and the Constant Company for their help.

Indicators of Compromise

Cloaking domains

Browlock IPs by ASN and timestamp

DigitalOcean
Choopa

The post Taking down the IP2Scam tech support campaign appeared first on Malwarebytes Labs.

Father’s Day in the UK (June 19) is almost upon us, and scammers are taking advantage of it—and the fractional possibility of some nice weather—using a barbeque-themed lure.

A mysterious WhatsApp message

The barbeque bait arrives out of the blue, from a somebody who has your number, as a random message bringing word of a supposed “B&Q Father’s Day Contest” with what looks like a very nice barbeque set up for grabs. What could go wrong? (B&Q is a British multinational DIY / home improvement company and exactly the kind of place someone in the UK might buy a nice barbeque set from.)

The message is plausible, and the only clue that something is amiss, other than it being unsolicited, is the Russian .ru domain name.

Regular readers would know to steer clear of this missive, perhaps even ask the sender via other means if they meant to send the message. The problem with this one is that they probably did intend to send it (you’ll see why later).

If your name’s not down, you’re not coming in

The linked site really does not like you visiting from anything other than a mobile browser. Try to access from a desktop, and you’ll be told “Access Denied”. Firing up VPNs or Tor Browser, designed to help keep your online activities anonymous, seem to have a similar end result. All they want you to do is click the original link from your mobile.

As it happens, there is a reason for this. It wouldn’t be cost-effective for promotions to allow non-mobile visitors onto a mobile themed offering. This is because said mobile offerings want to take advantage of something your desktop won’t have. It could be a feature specific to Android or iPhone, or perhaps they have a certain app in their sights.

Click the link on your mobile from the correct geographic region and you’ll make it to the landing page. If not, you’ll probably be turned away.

The Father’s Day Contest landing page

Visitors are greeted by what appears to be a B&Q-themed page.

The site says

Welcome to the B&Q Father’s Day Contest!

Take the quiz, find the hidden prize and win the new Weber gas barbeque

The Weber is a fancy bit of kit, retailing for around $1,200. Small wonder that people would be happy to take the quiz. The quiz itself is a collection of 4 questions including:

• Do you know of B&Q?
• How old are you?
• How would you rate B&Q?

With these out of the way, it’s competition time.

Best out of 3?

Visitors are presented with 9 gift boxes, and have 3 chances to select the correct one.

Sadly I failed on my first box opening, but hit the barbeque-shaped jackpot on my second attempt. Do I get my barbeque set? Not yet:

First, the scammers tell you to “share with 5 groups / 20 friends on WhatsApp” to claim your gift, with the offer only being valid for 500 seconds. This is why you get the message from a friend, and this is how it spreads.

Try as I might, the site wouldn’t let me progress past this stage. If you refresh the page, the number of gifts resets to the original amount of 250 and then stops at a low number. Just enough to make you think there’s a few left. Does anybody really think they’re giving away around $300,000 of barbeque equipment every few minutes?

There’s also multiple Facebook-style comments at the bottom of the page, complete with inactive Like and Reply options underneath each one of the other supposed winners.

Based on how these things usually go, you probably have to hand over personal information to an advertiser. There’s no FAQ, EULA, competition rules, or privacy policy on the landing page; merely a copyright notice at the bottom listed as “Advertorial”.

As tempting an offer as this sounds, we’d advise anyone looking for a gift this Father’s Day to keep shopping around.

The post WhatsApp spam offers up “B&Q Father’s Day Contest 2022” appeared first on Malwarebytes Labs.

Facebook is once again the launchpad for a large-scale phishing campaign, according to researchers at PIXM. The campaign, which first shows signs of life back in September 2021, has generated millions of page views and ad referral revenue “estimated to be millions of USD at this scale of operation”.

Credential harvesting on a grand scale

Researchers claim the threat actors stole one million credentials in four months to help achieve the above potential level of revenue. Aspects of the phish campaign are fairly typical of what you can expect to see from a Facebook phish, and the tactics used to spread bogus links are not particularly original. What matters most of all is that it works. When basic phishing tactics pull in so many accounts and clicks, there’s no need to overcomplicate things.

One of the scam pages from 2021 attracted no fewer than 2.7 million users, with the number rising to about 8.5 million in 2022. This is a huge ramp-up of already significant numbers, and also perhaps a little surprising that the site avoided being taken down for abuse.

This is one phishing campaign that isn’t messing around.

How the phish worked

Unfortunately specifics are absent in a few areas, but it works as follows.

A Facebook user receives a notification in Messenger. This is, at its most basic, a rogue link. There’s no information around whether a message accompanies it, and if so, what it says. However, something as simple as the below messages are routinely used in Facebook scams:

• Seen this?
• Is this you in the photo?
• Guess who died?
• Check this out!

The link is shortened to help bypass any Facebook spam filters. The shortening services used are commonplace, popular and entirely legitimate. This makes it trickier for Facebook to figure out if the link is potentially good or bad.

The link takes potential victims to a variety of sites but a phishing page will be the primary destination. Once phished, the victim is sent elsewhere. It could be a promotion, a survey scam, or pretty much anything else that’s ad-centric. There’s also the mention of potential malvertising pages, on top of the threat of being phished. All these links have ad trackers and other ad-related forms of revenue generation buzzing away in the background.

Current state of play

According to PIXM, the campaign is still alive and kicking. Many of the sites involved have been taken down, and one website listed in the landing page code has been “seized” in relation to an investigation. What that investigation is, and who is doing it, isn’t clear.

What is clear, is that without dedicated resources and probable law enforcement involvement, something like this will never fully go away. It’s simply too easy to keep creating spam domains, signing up as an affiliate, and generating endless shortened URLs. The (potentially exaggerated) claims of $150 for every thousand visits from the US alone from the threat actor is all the incentive they need to keep doing it. As researchers note, this figure would result in a theoretical revenue of $59M from the end of 2021 to now.

Tips to avoid Facebook phishing

• Be wary of messages which don’t follow the natural flow of a conversation. Messages sent at unusual hours or out of the blue with a link should be treated with caution.
• If you’re presented with a “Login to view content” box, take a deep breath before going any further. If you’re already logged in, there should be no reason why you’d be asked to login again. Check the URL. Are you on Facebook.com, or an unrelated website?
• If you’re able to, ask the sender about their message away from Facebook. Their Facebook account may have be compromised, but you probably don’t have to worry about sending them a text.
• Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. Keep in mind that some phishing sites will also try to steal your 2FA codes.
• Add login alerts to your Facebook account. If someone does compromise your login credentials and access your account, you’ll be notified by Facebook as soon as this happens.

The post Facebook users targeted in massive phishing campaign appeared first on Malwarebytes Labs.

Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.

We are now halfway through 2022 and Malwarebytes’ Security Evangelist Adam Kujawa has been updating attendees at this year’s RSA Conference on what the report contains, and what’s happened since it was published.

This is what he had to say about how the trends in detections and email threats have changed in the months since the Threat Review data was compiled.

The “Covid bounce”

The 2022 Threat Review detailed the remarkable rebound in detection numbers for malware, adware and Potentially Unwanted Programs (PUPs) in 2021.

Detections of all three went down during 2020, as pandemic restrictions created a huge increase in the number of people working from home. As cybercriminals adapted and restrictions eased, detection numbers surged again in 2021, on Windows business machines and home computers, and on Macs.

Kujawa has now updated the chart to include the first five months of 2022, and it shows that the trend of the last year has broadly continued into this one. Business detections are currently on course to be slightly ahead of 2021’s numbers, and consumer detections slightly behind, perhaps reflecting a reduction in working from home and an increase in office work.

Looking in detail at what’s been detected this year further strengthens the idea that 2021’s patterns are extending into 2022. After a radical shake up in 2020, the types of malware being detected have settled down somewhat, with only small changes in the ten most commonly detected threats in the first half of 2022.

Dramatic change in email detections

Last year saw a significant evolution in email threat detections, and that change has accelerated dramatically in the first half of 2022.

At the end of the last decade, the email threat landscape was dominated by vast numbers of Emotet, TrickBot, and Dridex detections—complex and sophisticated threats with multiple tools designed to attack corporate networks. All three were banking trojans that were later used to deploy ransomware.

In each year from 2018-2020, these malware families accounted for between 75 percent and 90 percent of all email detections.

That picture changed in 2021. The pandemic restrictions introduced in 2020 had seen an enormous rise in working from home, necessitating a switch in tactics by threat actors. The dominant trio of Emotet, TrickBot, and Dridex were less widely used, perhaps because they were a poor fit for home networks.

Between them, they made up just 42 percent of detections in 2021, and the space they vacated was filled by six other malware families operating at a similar scale.

One of the newcomers was AsyncRat, a Remote Access Trojan (RAT) that hadn’t featured at all in previous years but made up 13 percent of detections in 2021.

In the first half of 2022 AsyncRat accounted for a massive 62 percent of malicious email detections, with Dridex the next most prevalent at 12 percent, Trickbot at six, and Emotet at just two.

It appears that the “changing of the guard” first identified in the 2022 Threat Review is now complete.

The post ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat appeared first on Malwarebytes Labs.

Just about anywhere you look, organizations are using the cloud in some form—and they’re not all large enterprises.

Small and medium businesses (SMBs) are also reaping the many benefits that the cloud offers over on-premise software, especially the lowered IT costs, increased scalability, and large storage capacity that come along with it. No doubt, with a cloud provider like AWS or Azure taking the wheel of some (or all) of your infrastructure, you have less to worry about.

But cloud services are delivered online, which can make it easier for threat actors to get a hold of sensitive data—and SMBs are wary of their cloud storage security as a result.

In this post, we’ll break down the four big threats to cloud storage security that SMBs should be ready to address.

1. File-based malware

Most cloud storage providers today feature file-syncing, which is when files on your local devices are automatically uploaded to the cloud as they’re modified.

File-syncing is great for businesses since it allows for a “central hub” of files for teams across different devices to access and work on. But it’s great for file-based malware for the same reason.

Cloud storage providers like OneDrive or DropBox are mounted to a local folder on your computer, and files stored in the cloud are synchronized with it. As far as your device is concerned, those cloud folders are just like any other folder. So, if you download a malicious file on your local device, there’s a route from there to your business’ cloud—where it can access, infect, and encrypt company data.

This kind of ransomware attack is also known as “Ransomcloud”. Check out our “File-sharing and cloud storage sites: How safe are they?” article for tips to keep you safe.

2.   Weak IAM policies

Each user in a cloud environment has their own roles and permissions governing the access they get to certain parts of the cloud, and because cloud workloads are accessed online, all hackers need are your credentials to get the “keys to the kingdom”.

This is why strong identity and access management (IAM) policies are so essential to cloud security.

Identity and access management is a means of controlling the permissions and access for users of cloud resources. You can think of IAM less as a single piece of software and more of a framework of processes, policies, and technology.

According to Palo Alto Networks, most known cloud data breaches start with misconfigured IAM policies or leaked credentials.

Specifically, researchers found that IAM misconfigurations cause 65% of detected cloud data breaches, with the runners up being weak password usage (53%) and allowing password reuse (44%).

3.   Insecure APIs

Many businesses use Application Programming Interfaces (APIs) to connect applications and data to the cloud. At a high level, APIs allow different applications to communicate with each other over a network.

Since APIs provide a means of querying, accessing, and modifying important data, cloud threat actors are constantly searching for vulnerabilities in them. And lo and behold: In a 2021 analysis of its impacted clients, IBM’s X-Force IR team found that two-thirds of cloud data breaches were caused by misconfigured APIs.

4.   Misconfiguration

In VMware’s 2021 State of Cloud Security report, 1 in 6 companies surveyed experienced a cloud data breach due to a misconfiguration in the past year. Researchers elsewhere found that, of all cloud services, cloud storage has one of the highest misconfiguration rates.

Given this, it’s not surprising that there have been many cloud storage data breaches in recent years.

Just last year, misconfigured Amazon S3 buckets exposed more than 1,000 GB of data and over 1.6 million files from dozens of municipalities in the US. Microsoft Azure hasn’t fared much better: In 2021, misconfigured Azure storage accounts exposed millions of files containing sensitive information.

Cloud storage security remains a top concern for SMBs

While there’s no denying that the pros of the cloud generally outweigh the cons, businesses still have many cloud threats to address. The good thing is that we don’t need to reinvent the wheel to lessen our chances of a cloud data breach.

For example, anything as simple as employee phishing education can help prevent file-based malware. Similarly, good “password hygiene” and multi-factor authentication can improve weak IAM policies. Lastly, conducting regular vulnerability assessments and patching can help you find and address weak points before threat actors do.

To learn more about privacy and security best practices, read our tips to protect your data, security, and privacy from a hands-on expert.

The post Cloud data breaches: 4 biggest threats to cloud storage security appeared first on Malwarebytes Labs.

After a decent amount of pressure, Owl Labs has finally released updates for vulnerabilities in Meeting Owl, and Whiteboard Owl cameras. The vulnerabilities were reported to Owl Labs in January,

One of the vulnerabilities, CVE-2022-31460 has been added to the Known exploited vulnerabilities catalog by the Cybersecurity & Infrastructure Security Agency (CISA) and needs to be updated by June 22, 2022.

Owl Labs

Owl Labs makes 360-degree video conferencing equipment for classrooms and boardrooms. It produces several pieces of hardware, including the Meeting Owl Pro, a speaker fitted with cameras, microphones and an owl-like face, and a whiteboard camera for hybrid meetings.

The research

Researchers at modzero examined the Meeting Owl and found serious defects in the built-in security mechanisms.

And these vulnerabilities were not minor. By exploiting the vulnerabilities an attacker could find registered devices, their data, and owners from around the world. Attackers could also access confidential screenshots of whiteboards or use the Owl to get access to the owner’s network.

The researchers found the existence of at least four different ways to bypass the PIN protection (passcode), which protects the Owl from unauthorized use.

The vulnerabilities

The Common Vulnerabilities and Exposures (CVE) database is a list of publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below you will find the CVEs assigned to the vulnerabilities:

• CVE-2022-31460: Owl Labs Meeting Owl 5.2.0.15 allows attackers to activate Tethering Mode with hard-coded credentials. The tethering mode turns the Owl into an access point (AP) by creating a new Wi-Fi network while staying connected to the existing Wi-Fi. This basically allows any authorized user to turn the Owl into a rogue access point. A rogue access point by definition constitutes a wireless access point installed on a secure network without explicit authorization from a local network administrator. Hard-coded credentials is where embedded authentication data, like user IDs and passwords, are included the source code of the device.

Passcode bypasses

• CVE-2022-31463: Owl Labs Meeting Owl 5.2.0.15 does not require a password for Bluetooth commands, because only client-side authentication is used. To extend the range of devices and provide remote control by default Owl Labs uses the Bluetooth functionality. The vulnerability makes it possible for an attacker in proximity to control the devices to the extent that they can disable any set passcode.
• CVE-2022-31462: Owl Labs Meeting Owl 5.2.0.15 allows attackers to control the device via a backdoor password which can be found in Bluetooth broadcast data. A hardcoded backdoor passcode exists which depends on the serial number of the device. This hardcoded passcode is the SHA-1 hash representation of the devices’ software serial number. The hash is broadcasted as the name of the Owl over Bluetooth Low Energy (BLE). So an attacker in close proximity can simply get hold of the hardcoded backdoor passcode. Also, it is possible to generate all existing serial numbers by a script.
• CVE-2022-31461: Owl Labs Meeting Owl 5.2.0.15 allows attackers to deactivate the passcode protection mechanism via a certain message from the companion app. An attacker would have to be close enough to the Owl to communicate over BLE to exploit this vulnerability.
• CVE-2022-31459: Owl Labs Meeting Owl 5.2.0.15 allows attackers to retrieve the SHA1 hash of the passcode over BLE. It is possible to brute-force the passcode from the hash in seconds since it consist only of digits. An attacker with knowledge of the BLE endpoint can use this knowledge to control any Meeting Owl in their proximity.

What is Bluetooth Low Energy (BLE)?

BLE is a Bluetooth protocol which launched in 2010, especially designed to achieve low power consumption and latency, while at the same time accommodating the widest possible interoperable range of devices. The BLE protocol also does not require paring between the sender and receiver and it can send authenticated unencrypted data.

For those interested, a full disclosure report by modzero is available online.

Slow pokes

Another worrying factor in the report is the timeline of disclosure which gives the impression of an uninterested attitude and unwillingness to fix on the part of Owl Labs. Given the seriousness of the vulnerabilities and the nature of Owl Labs’ clients one might have wished it was treated with more urgency.

The researchers shifted the time of disclosure several times until they were finally fed up with the unresponsiveness of Owl Labs. And only after the vulnerabilities had been disclosed Owl Labs came up with patches for the vulnerabilities. On June 6, 2022, Owl Labs stated that all high-security issues had been addressed, and said it was in the process of implementing a few additional updates. Earlier Owl Labs said that the likelihood that its customers were affected by these issues is low.

Mitigation

Meeting Owl Pro and Whiteboard Owl will automatically send over the air software updates to Owls that are connected to Wi-Fi and plugged into power over night.

To determine what version of software is on your Owl, follow these steps.

If your Owl’s software is out of date, please follow these instructions for how to update your Owl’s software.

We are pretty sure this owl will have a tail and will keep you updated about any developments here.

The post Update now! Patch against vulnerabilities in Meeting Owl Pro and Whiteboard Owl devices appeared first on Malwarebytes Labs.

BlackBasta, an alleged subdivision of the ransomware group Conti, just began supporting the encryption of VMware’s ESXi virtual machines (VM) installed on enterprise Linux servers. Because more and more organizations have begun using VMs for cost-effectiveness and easier management of devices, this change in tactic makes sense.

An ESXi VM is a bare-metal hypervisor software. Software can be characterized as “bare metal” if installed directly onto the physical machine, between the hardware and the operating system.

Siddharth Sharma and Nischay Hegde, threat researchers from Uptycs, were the first to spot and reveal BlackBasta’s tactical change in a report.

On Linux: BlackBasta 101

BlackBasta first appeared in April 2022 after the group ramped up their attacks against dozens of organizations. Although the brand seems relatively new, the way the group quickly accumulates victims, as well as their negotiation tactics, betray a level of experience not seen in fledgling and inexperienced online criminal gangs. This is probably why many cybersecurity communities associate them with known ransomware actors, particularly Conti.

Like other ransomware variants targeting Linux systems, BlackBasta encrypts the /vmfs/volumes folder. This is where virtual machines on ESXi servers are stored. Encrypting the files here will render VMs unusable.

If it cannot find this folder, however, the ransomware exits.

BlackBasta ransomware uses ChaCha20, a cryptographic algorithm known for its speed, to encrypt files. This is run in parallel with multithreading to make encryption faster, further avoid detection, and increase ransomware throughput.

Once files are encrypted, the extension .basta is appended at the end of all affected files. BlackBasta also drops the ransom note, readme.txt, which contains a unique ID and a URL to a chat support channel accessible only using Tor.

A section of the ransom note reads:

Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You can contact us and decrypt one file for free on this TOR site
(you should download and install TOR browser first https://torproject.org)
{URL redacted}

Protect your Linux ESXi VM against ransomware attacks

Vincent Bariteau, Threat Intelligence Support Analyst at Malwarebytes, recommends organizations follow these best practices to protect their Linux servers against ransomware attacks if they’re using ESXi VM:

• Harden the SSH (Secure Shell) access to allow only a specific user to use it.
• Disable SSH if it’s not needed, or only make it available from a specific network/IP address via a firewall configuration.
• Ensure that you are following VMWare’s general security recommendations for ESXi.

Organizations also have the option of using a free, open-sourced tool called Lynis, which is an auditing tool.

You can also read our article on 5 Linux malware families SMBs should protect themselves against.

The post BlackBasta is the latest ransomware to target ESXi virtual machines on Linux appeared first on Malwarebytes Labs.

Malware authors and distributors are following the ebbs and flow of the threat landscape. One campaign we have tracked for a numbers of years recently introduced a new scheme to possibly completely move away from drive-by downloads via exploit kit.

In this quick blog post, we will look at this new attack chain and link it with previous activity from what we believe are the same threat actors.

FakeUpdates (SocGholish) lookalike

Our researcher Fillip Mouliatis identified a malvertising campaign leading to a fake Firefox update. The template is strongly inspired from similar schemes and in particular the one distributed by the FakeUpdates (SocGholish) threat actors.

However distribution and implementation are very different. Unlike FakeUpdates which uses compromised websites to push their template, this one is driven via malvertising. Please note the IP addresses involved in the redirection infrastructure as we will come back to them in a moment.

The template itself is much more simplified and appears to be in development with a fake Firefox update that contains a couple of scripts that pull down an encrypted payload. The initial executable consists of a loader which retrieves a piece of Adware detected as BrowserAssistant. This payload was seen before and interestingly through a similar malvertising campaign involving the RIG exploit kit.

MakeMoney connection

The malvertising infrastructure is essentially the same one that was used in numerous drive-by campaigns with exploit kits since late 2019. For some reason the threat actors are reusing the same servers in Russia and naming their malvertising gates after different ad networks.

Security researcher @na0_sec saw the “MakeMoney gate”, named after the domain makemoneywithus[.]work (188.225.75.54), redirect to the Fallout exploit kit in October 2020, although it mostly used RIG EK for several years. Probably the earliest instance of this threat group was seen in December 2019 via the gate gettime[.]xyz (185.220.35.26).

Looking at this infrastructure shows that the group reused a few servers quite predictably during these years between AS59504 vpsville and AS9123 TimeWeb. For example, gettime[.]xyz was hosted on the same server (185.220.35.26) as makemoneyeazzywith[.]me. Staying with the MakeMoney theme, we see makemoneywith[.]us on 188.225.75[.]54. That server was likely hosting a Keitaro TDS given such hostnames as keitarotrafficdelivery[.]xyz.

There is also activity on 185.220.33.3, 185.230.140.210 and 188.225.75.54 hosting a number of impersonation hostnames such as magicpropeller[.]xyz (PropellerAds), magicpopcash[.]xyz (PopCash).

We find it interesting that the same threat actors remained faithful to RIG EK for so long during a period where exploit kits were going out of business. They also seemed to poke fun at the same ad networks they were abusing, unless the choice for names associated with their gates was motivated by sorting out their upstream traffic.

We don’t believe we have seen the last of this threat group. Having said that, their latest social engineering scheme could use some improvements to remove some blatant typos while their server-side infrastructure could be tidied up.

Indicators of Compromise

IP addresses (malvertising domains, gates)

185.220.35.26
188.225.75.54
185.220.33.3
185.230.140.210

IP addresses (fake template)

188.227.107.121
188.227.107.92

Domains (malvertising domains, gates)

References

https://twitter.com/MBThreatIntel/status/1483235125827571715
https://twitter.com/MBThreatIntel/status/1361824286499950601
https://twitter.com/malware_traffic/status/1412128664721014785
https://twitter.com/malware_traffic/status/1357513424566124548
https://twitter.com/FaLconIntel/status/1351739449932083200
https://twitter.com/tkanalyst/status/1226125887256416256
https://twitter.com/david_jursa/status/1346562997305696262
https://twitter.com/nao_sec/status/1334289601125445633
https://twitter.com/FaLconIntel/status/1298661757943087105
https://twitter.com/nao_sec/status/1294871134001799168
https://twitter.com/david_jursa/status/1232996830520193024
https://twitter.com/david_jursa/status/1229354505583628288
https://twitter.com/nao_sec/status/1211975197219151876

The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs.