IT NEWS

CISA Log4Shell warning: Patch VMware Horizon installations immediately

CISA and the United States Coast Guard Cyber Command (CGCYBER) are warning that the threat of Log4Shell hasn’t gone away. It’s being actively exploited and used to target organisations using VMware Horizon and Unified Access Gateway servers.

Log4Shell: what is it?

Log4Shell was a zero-day vulnerability in something called Log4j. This open source logging library written in Java is used by millions of applications, many of them incredibly popular. The easy-to-trigger attack could be used to perform remote code execution (RCE) on vulnerable systems. If successful, attackers could gain full control over a target system. If they managed to have affected apps log a special string, then it was a case of game over. The system(s) at this point would be ripe for exploitation.

Discovered in November 2021, the vulnerability was estimated to potentially affect hundreds of millions of devices. With so much potential for damage, fixes were quickly developed and released on December 6, three days before the vulnerability was published.

Related bugs and additional vulnerabilities were also discovered and subsequently patched.

Broadening Log4Shell’s horizons

According to CISA and CGCYBER, Log4Shell has been used to exploit unpatched, public-facing VMware Horizon and UAG servers. Suspected APT threat actors…

…implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.

Attackers not only make use of malware and HTTP, but also PowerShell scripts and Remote Desktop Protocol (RDP). In the latter’s case, this was to further move around the network and other hosts inside the organisation’s production environment.

Compromised administrator accounts were used to run several additional forms of loader malware. Here are some of the samples found by CISA during one investigation:

  • SvcEdge.exe is a malicious Windows loader containing encrypted executable f7_dump_64.exe. When executed, SvcEdge.exe decrypts and loads f7_dump_64.exe into memory.
  • odbccads.exe is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe decrypts and loads the executable into memory.
  • praiser.exe is a Windows loader containing an encrypted executable. When executed, praiser.exe decrypts and loads the executable into memory.
  • fontdrvhosts.exe is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory.
  • winds.exe is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. winds.exe has complex obfuscation, hindering the analysis of its code structures.

Advice for securing installations

CISA/CGCYBER are quite clear about this. Organisations which haven’t applied patches released back in December should treat any and all affected VMware systems as compromised:

  • Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
  • Minimize the internet-facing attack surface by hosting essential services in a segregated demilitarized zone (DMZ), ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
  • See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
  • Note: Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
  • If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible. 
  • Prior to implementing any temporary solution, ensure appropriate backups have been completed. 
  • Verify successful implementation of mitigations by executing the vendor supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details. 
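As an added example (my own script, not VMware's Horizon_Windows_Log4j_Mitigations script and not part of the CISA advisory), the following PowerShell inventories the jar files under a root folder and reports, for each one that embeds log4j-core, the bundled version and whether the JndiLookup class (the lookup class Log4Shell abuses) is still present. The root path and the 2.17.1 "fully patched" threshold are assumptions to adjust for your installation.

```powershell
# Added example, not the vendor script: list jars that embed log4j-core and flag
# those that are both older than 2.17.1 and still carry JndiLookup.class.
# Assumptions: $Root is the install folder to scan (adjust for your Horizon/UAG
# host); 2.17.1 is used as the "fully patched 2.x" threshold.
param([string]$Root = 'C:\Program Files\VMware')

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jJarInfo {
    param([string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # pom.properties ships in log4j-core itself and survives inside shaded jars
        $pom  = $zip.GetEntry('META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties')
        $jndi = $zip.GetEntry('org/apache/logging/log4j/core/lookup/JndiLookup.class')
        if (-not $pom -and -not $jndi) { return $null }   # this jar does not embed log4j-core

        $version = $null
        if ($pom) {
            $reader = New-Object System.IO.StreamReader($pom.Open())
            try {
                while ($null -ne ($line = $reader.ReadLine())) {
                    if ($line -match '^version=(\S+)') { $version = $Matches[1]; break }
                }
            } finally { $reader.Dispose() }
        }
        [pscustomobject]@{ Jar = $Path; Version = $version; JndiLookupPresent = [bool]$jndi }
    } finally { $zip.Dispose() }
}

$fixed = [version]'2.17.1'
$found = 0
Get-ChildItem -Path $Root -Recurse -Filter '*.jar' -ErrorAction SilentlyContinue | ForEach-Object {
    try { $info = Get-Log4jJarInfo -Path $_.FullName } catch { return }   # unreadable or not a zip
    if (-not $info) { return }
    $found++

    $parsed = $null
    $isOld  = $true   # an unknown version is treated as old
    if ($info.Version -and [version]::TryParse($info.Version, [ref]$parsed)) {
        $isOld = $parsed -lt $fixed
    }

    if (-not $isOld) { $status = 'patched' }
    elseif ($info.JndiLookupPresent) { $status = 'NEEDS ATTENTION: old log4j-core with JndiLookup present' }
    else { $status = 'old log4j-core, JndiLookup removed (workaround in place)' }

    $shown = if ($info.Version) { $info.Version } else { 'unknown' }
    '{0}  version={1}  {2}' -f $info.Jar, $shown, $status
}
"Jars embedding log4j-core under ${Root}: $found"
```

A jar reported as "patched" still needs the vendor's fixed build installed; this only tells you which jars on disk still warrant attention.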

Log4Shell, rated a 10 in the Common Vulnerability Scoring System (CVSS), is not to be trifled with. We advise affected organisations to pay heed to the warnings above and set about patching as soon as possible.

The post CISA Log4Shell warning: Patch VMware Horizon installations immediately appeared first on Malwarebytes Labs.

Brave Search wants to replace Google’s biased search results with yours

Brave Search, Brave Software’s privacy search engine, just turned one. To celebrate, the company says it is moving the search engine out of its beta phase to become the default search engine for all Brave browser users.

Goodbye, Google? Not entirely.

In May 2015, Mozilla alumni Brendan Eich and Brian Bondy launched Brave Software. Its first product was the Brave Browser, a privacy-friendly, Chromium-based internet browser that automatically blocks ads and site trackers. In March 2021, the company launched Brave Search so it could use its own index to generate search results.

In a recent announcement, the company said its search engine had passed 2.5 billion queries since its release a year earlier. That was a staggering increase in a year, from 8.1 million search queries to 411.7M by May 2022. However, as impressive as that is, Brave Search (and the other privacy search engine, DuckDuckGo) are still light years away from challenging Google’s hegemony. While Google enjoys a 92% market share, Brave has yet to break out of the search engine ranking’s minuscule “other” category.

Besides a loyal following, one reason for Brave Search’s fast growth is likely that it (mostly) avoids using third-party search indexes, such as Google and Bing. According to Brave’s blog, 92 percent of queries users receive are directly from Brave’s search index. The company admitted, however, that they will be pulling search results from other providers—Google in particular—if their index doesn’t have enough data of its own.

Search engines that depend too much, or exclusively, on Big Tech are subject to their censorship, biases, and editorial decisions. The Web needs multiple search providers—without choice there’s no freedom.

Brave’s blog

Brave Search is currently ad-free, but the company has plans to work on an ad-supported version of Search. This will involve Brave Ads, Brave’s adtech platform. Users who click these ads are rewarded 70 percent of the ad revenue.

While Brave is quick to claim that its query algorithms are unbiased, The Verge pointed out that all algorithms have inherent biases. But Goggles, a new feature, may help to mitigate this.

Going gaga over Goggles

Brave also announced a new Brave Search results curation feature called “Goggles,” which interested users can start testing out right now. The company has already prepared some demos to try.

“Goggles will enable anyone, or any community of people, to create sets of rules and filters to constrain the searchable space and / or alter the ordering of search results,” the browser company explains. “Essentially, Goggles will act as a re-ranking option on top of the Brave Search index.”

[Image: Sample of Brave Search query results using Goggles]

The search team released a white paper on Goggles, detailing its features and showcasing how these work using examples. In a nutshell, Brave is giving its users access to information filtered by their own explicit biases. This means that users’ preferences take precedence over Brave’s preferences.

Brave presented benefits for both the average user and content creator:

“The benefit for the users is that they would be empowered to explore multiple realities in a straight-forward way. The point is to offer people the freedom to choose their own biases while being conscious of them.”

“The benefit for the content creators is that they have multiple options to expose their content, by increasing their potential audience, which will reduce the need to optimize for the single set of biases implicitly encoded in the search engine’s ranking.”

The only downside to Goggles, so far, is that it’s not as easy to use as you might think. You can’t simply enter keywords or personalize preset filters. There is some coding involved, which might put off users without coding experience.

In addition to Goggles, Brave also released Discussions in April. This is a way to augment Brave Search results with actual conversations pulled from popular sites, all related to the search query.


You only have nine months to ditch Exchange Server 2013

Microsoft has posted a reminder that Exchange Server 2013 reaches End of Support (EoS) on April 11, 2023. That’s a little more than 9 months from now. A useful and timely reminder, since we all realize that it takes some time to migrate to a different system.

Every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported. Knowing key dates in this lifecycle helps you make informed decisions about when to update, upgrade, or make other changes to your software.

Exchange Server

Microsoft Exchange Server is a groupware solution platform that provides many organizations with a mail server and calendaring server. It runs exclusively on Windows Server operating systems.

A few weeks ago Microsoft announced that the 2021 subscription model version of Exchange Server was not going to happen. So there may have been some questions about whether the EoS for Exchange Server 2013 would go forward as planned. Now we know the answer: Yes.

Since the next on-premises version is not expected until the second half of 2025, your upgrade options are Exchange Server 2016 and Exchange Server 2019, unless you want to migrate to Exchange Online.

End of Support

EoS (also called End-of-Life, or EoL) describes the final stage of a product’s lifecycle. Once a product reaches EoS, developers stop creating updates and patches for the product.

For Exchange Server 2013 this means that Microsoft will no longer provide:

  • Technical support for problems that may occur.
  • Fixes for usability or stability bugs.
  • Time zone updates.
  • Security fixes.

EoS makes the most basic security hygiene practice, “patch now”, impossible, and vulnerabilities discovered after EoS remain an open wound forever.

Immediate threats

Microsoft has chosen to further develop Exchange Server 2019, rather than come out with a completely new version. It mentioned the fact that state sponsored threat actors, like Hafnium, are targeting on-premises Exchange servers as one of the reasons for the cancellation of Exchange Server 2021.

The number and severity of active threats that target Exchange Server is worrying enough. And this will only get worse when one of the versions is no longer eligible for bug and security fixes.

The most prominent threats for Exchange Servers from last year were:

  • ProxyLogon, which targets on-premises Exchange servers and was used to infect thousands of servers before Microsoft released patches.
  • ProxyOracle, which is a bit less numerous since threat actors have to trick users into clicking on a malicious link to steal the user’s password.
  • ProxyToken, which allows an unauthenticated attacker to perform configuration actions on mailboxes belonging to arbitrary users.
  • ProxyShell, another on-premises Exchange Server vulnerability affecting unpatched servers with Internet access.

By now, all of the above have had patches created for them. Unfortunately that doesn’t mean that all vulnerable Exchange Servers have installed the relevant updates. But new vulnerabilities will be found. And vulnerabilities that work on server software that no longer receives patches will be critical.

Transition

If you don’t want to get stuck with an unpatchable Exchange Server version, it is time to start planning, find the necessary budget, maybe think through what you are going to use next, and when is the best time for the transition.

Stay safe, everyone!


5 ways to avoid being catfished

Today, many Americans will head out to the water—not to swim, but to catch a catfish in time for National Catfish Day.

But when we talk about catfishing in cybersecurity, we mean something different. Here, catfishing refers to someone who assumes someone else’s identity online in order to harass, troll, or scam someone.

But there are ways to protect yourself:

1. Be suspicious

Catfishes and romance scammers prowl social media sites and dating apps.

Usually, scammers will message potential targets privately first, through DMs. And when the target bites, they immediately ask them to switch to a more private chat option, such as email or text.

If you suspect you are being catfished, ask them questions that only someone with their background would know. If they’re hesitant, slow to answer, or try to avoid your questions, then be wary.

2. Don’t fall too quickly for a pretty face

Scammers know that people are likely to respond positively if they’re using an image of someone who looks good. But you can use that pretty picture for your own benefit. Do a reverse-image search to check if the face matches the name, or if anyone has mentioned scams alongside that image.

Take note, though, that scammers can entirely steal the identity of someone and use it. They can also create a deepfake image, which wouldn’t be caught in reverse-image searches.

3. Take it slow

If a love interest ticks all your boxes, remind yourself to slow down. Scammers will want to get you moving, so they can go on to target someone else.

And, since scammers talk to multiple targets, they can make big mistakes, such as forgetting your or their name. Taking it slow may not seem to be the most exciting thing you’d do, but it gives you a chance to build up a bigger picture of the person you are talking to.

4. Talk to someone you trust

An outsider perspective is invaluable if you’re about to fall head first for a scammer.

Let’s face it, sometimes we see the red flags but choose to ignore them. A second or third opinion from someone you trust might be the jolt you need before it’s too late.

5. Never send them anything

Scammers are quick about everything regarding love, revealing too much about “their personal life,” professing their love, or asking something from you. That could be money, cryptocurrency, personal information, banking details, or gift card numbers.

Occasionally, they might ask you to move money on their behalf. Never do this, even if it sounds like they are desperate for your help.

Finally

If you suspect someone is a scammer, immediately stop contact and report them to the site where you first met, whether that was on social media or a dating app. If you have mistakenly sent someone money, file a report to your bank ASAP. And don’t hesitate to report your experience to your local law enforcement and FBI office.

Stay safe!


Cybersecurity agencies: You don’t have to delete PowerShell to secure it

Microsoft’s PowerShell is a useful, flexible tool that is as popular with criminals as it is with admins. Cybercrooks like it because PowerShell is powerful, available almost everywhere, and doesn’t look out of place running on a company network.

In most places it isn’t practical to block PowerShell completely, which raises the question: How do you stop the bad stuff without disrupting the good stuff?

Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell that attempts to answer that question.

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK) hope that “these recommendations will help defenders detect and prevent abuse by threat actors, while enabling legitimate use by administrators and defenders.”

PowerShell

Although it’s closely associated with the world of Windows administration, PowerShell is a cross-platform (Windows, Linux, and macOS) automation and configuration tool which, by design, is optimized for dealing with structured data. Initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core.

It allows system administrators and power users to perform administrative tasks via a command line—an area where Windows previously lagged behind its Unix-like rivals with their proliferation of *sh shells.

Threat actors are equally fond of it because it allows them to “live off the land”, and for the options it provides to create fileless malware or to gain persistence on a compromised system.

Reduce abuse

The CIS discusses some security features available in PowerShell which can reduce abuse by threat actors.

Remote connections

Remote connections can be used for powerful remote management capabilities, so Windows Firewall rules on endpoints should be configured appropriately to control permitted connections. Access to endpoints with PowerShell remoting requires the requesting user account to have administrative privileges at the destination by default. The permission requirement and Windows Firewall rules are customizable for restricting connections to only trusted endpoints and networks to reduce lateral movement opportunities. Organizations can implement these rules to harden network security where feasible.

Multiple authentication methods in PowerShell permit use on non-Windows devices. PowerShell 7 permits remote connections over Secure Shell (SSH) in addition to supporting Windows Remote Management (WinRM) connections. This allows for public key authentication and makes remote management through PowerShell of machines more convenient and secure.

AMSI integration

The Antimalware Scan Interface (AMSI) feature, first available on Windows 10, is integrated into different Windows components. It supports scanning of in-memory and dynamic file contents using an anti-malware product registered with Windows and exposes an interface for applications to scan potentially malicious content. This feature requires AMSI-aware anti-malware products (such as Malwarebytes). Basically, AMSI works by analyzing scripts before the execution, so the anti-malware product can determine if the script is malicious or not.

Constrained Language Mode

Configuring AppLocker or Windows Defender Application Control (WDAC) to block actions on a Windows host will cause PowerShell to operate in Constrained Language Mode (CLM), restricting PowerShell operations unless allowed by administrator-defined policies.

PowerShell methods to detect abuse

Logging of PowerShell activities can record when cyber threats use PowerShell, and continuous monitoring of PowerShell logs can detect and alert on potential abuses. Deep Script Block Logging, Module Logging, and Over-the-Shoulder transcription are disabled by default. The authors recommend enabling the capabilities where feasible.

Before you start

If you plan on following the advice in the CIS, there are a few things you may want to consider first.

  • Execution Policies do not restrict execution of all PowerShell content.
  • AMSI bypasses are found and remediated in a constant whack-a-mole game, and most anti-malware products have different ways of accomplishing the same, or better, results. Therefore you will find that most AMSI-aware anti-malware products do not rely on AMSI alone.
  • If you are a customer of a Managed Service Provider (MSP) you may need to contact them before taking any of the actions listed above, since doing so may hinder them in their remote management.
  • Windows Remote Management/Remote Shell (WinRM/WinRS) connection limitations can become an obstacle in organizations with numerous administrators performing remote management, or that have multiple monitoring solutions connecting to the environment. By default, Microsoft Server limits the number of concurrent users connected to the WinRM/WinRS session to five and the number of shells per user to five. This can be, and often has been, modified using an elevated command prompt.
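To see where a given host stands on the logging settings, Constrained Language Mode and WinRM limits described in the sections above, here is an added read-only audit script (mine, not code from the Cybersecurity Information Sheet). It assumes the settings are applied machine-wide under the HKLM policy keys that Group Policy writes to, and that it runs in an elevated session so the WSMan: drive can be read.

```powershell
# Added example, not from the Cybersecurity Information Sheet: read-only audit of
# the PowerShell abuse-reduction and detection settings discussed above.
# Assumptions: settings are applied machine-wide via the HKLM policy keys below
# (where Group Policy stores them); run elevated so the WSMan: drive is readable.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { return $null }
    return (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-PowerShellHardeningReport {
    $report = [ordered]@{}

    # 1. Logging: all three are off by default, so a missing key means "disabled".
    $report['ScriptBlockLogging'] = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
    $report['ModuleLogging']      = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
    $report['Transcription']      = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
    $report['TranscriptDir']      = Get-PolicyValue 'Transcription' 'OutputDirectory'

    # Module Logging records nothing unless module names are listed ('*' = all modules).
    $namesKey = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
    $report['ModuleLoggingScope'] = if (Test-Path $namesKey) { (Get-Item $namesKey).Property -join ',' } else { '(none)' }

    # 2. Constrained Language Mode: 'ConstrainedLanguage' typically means an AppLocker
    #    or WDAC policy is enforcing it for this session; 'FullLanguage' means it is not.
    $report['LanguageMode'] = [string]$ExecutionContext.SessionState.LanguageMode

    # 3. WinRM limits mentioned in the article (defaults: five concurrent users, five shells per user).
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($winrm -and $winrm.Status -eq 'Running') {
        $report['WinRM.MaxConcurrentUsers'] = (Get-Item WSMan:\localhost\Shell\MaxConcurrentUsers).Value
        $report['WinRM.MaxShellsPerUser']   = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
    } else {
        $report['WinRM'] = 'service not running'
    }

    # 4. Evidence that script block events (ID 4104) are reaching the event log.
    #    Note: PowerShell also writes 4104 for blocks it deems suspicious even with the policy off.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    $report['LastScriptBlockEvent'] = if ($evt) { $evt.TimeCreated } else { 'none found' }

    return [pscustomobject]$report
}

Get-PowerShellHardeningReport | Format-List
```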

Disabling PowerShell, if you do not need it, is a lot easier and safer than applying policies to make it safer to use. But looking at the options to make it more secure is certainly a good idea if you do need it.

Stay safe, everyone!


Police seize and dismantle massive phishing operation

Europol has coordinated a joint operation to arrest members of a cybercrime gang and effectively dismantle their campaigns, which netted millions of euros. This operation also led the Belgian Police (Police Fédérale/Federale Politie) and the Dutch Police (Politie) to nine arrests, 24 house searches, and the seizure of firearms, ammunition, jewelry, electronic devices, cash, and cryptocurrency.

The group was involved in fraud, money laundering, phishing, and scams.

According to a Europol press release, the group’s modus operandi started with an email, text message, or private message containing a link to a phishing page.

Once recipients opened the link, they would be directed to a bogus bank website. Here, they were encouraged to enter their banking credentials. Money mules then used these credentials to cash out millions of euros from victim accounts.

On top of fraud, the group was also involved in drug and possible firearms trafficking.

“Europol facilitated the information exchange, the operational coordination and provided analytical support for investigation,” reads the press release, revealing law enforcement involvement in the arrest operation. “During the operation, Europol deployed three experts to the Netherlands to provide real-time analytical support to investigators on the ground, forensics and technical expertise.”

The takedown of this phishing operation came months after Europol shut down the FluBot Android operation and the seizure of RaidForums, a hacking forum.


Rogue cryptocurrency billboards go phishing for wallets

Billboards and digital real world advertising have raised many questions of privacy and anonymity in recent years. Until now, the primary concern has been (mostly) legal, yet potentially objectionable, geolocation and user profiling. Bluetooth beacons work in tandem with geofenced billboards to send you offers. Stores follow your movements and tailor products accordingly, occasionally with very bad results. It’s such a common practice that digital advertising used for tracking even appears in video games.

Attacks we’ve seen in the real world typically involve QR code stickers and take two main forms:

  • Letters or emails/chat app conversations which direct victims to Bitcoin ATMs. These attacks can often tie into money mule schemes.
  • Real world alteration/tampering of genuine QR codes. This can involve bogus QR code stickers placed over locations you’d expect to see a real code. Parking meters and car parks generally are prime targets for this type of scam.

We can now add rogue billboards to the list.

Beware of the party crashers

NFT NYC describes itself as “the leading annual non-fungible token event”. The 2022 meet-up is the fourth such event to take place. With NFTs hitting boiling point in the media, it’s natural to think scammers would turn their sights on the plundering of incredibly fungible apes and other items of a digital nature.

If you’re up to no good, and you know digital finance is filled with insecure coin-laden wallets and expensive jpegs, this is absolutely something you’re going to take an interest in.

Sure enough:

The screenshot is from a Discord channel, which says:

BE ALERT IF YOU ARE AT NFT NYC

Reports of scam billboards in NYC with QR codes leading to Wallet Drainer sites.

This is probably a good time to explain what a wallet drainer site is.

Of wallets and draining

Sadly, it seems nobody grabbed a photo of what these scam billboards look like. However, a “wallet drainer” is just another way of saying “phishing website”. There are three ways the majority of cryptocurrency phishes take place:

  1. Airdrop phishing. This can involve entering your wallet’s recovery phrase onto a fake website (don’t do this), or connecting your wallet directly to the phishing portal (don’t do this either).
  2. Bogus giveaways. These claim you’ll double your money, and often say they are endorsed by celebrities or Elon Musk.
  3. Rogue adverts. These bogus advertisements could lead you to either of the above, or even some completely unrelated technique.

People have confirmed in the replies to the original tweet that the theft here depended on victims scanning the code, and then clicking through to the phishing page. The phishing component depended on them manually entering their details into the fake website. It is not the case that simply visiting it would immediately drain funds or cause apes to go walkabout.

Rogue cryptocurrency billboards: A growing trend?

I’m wondering if this is the official cementing of rogue billboards as a digital finance scam technique. You may be surprised to learn this isn’t the first time someone has tried this.

Back in May, cryptocurrency exchange Binance warned of a rash of bogus billboards popping up in Turkey. Scam artists “plastered fake Binance billboards throughout the country”, many of which included a phone number answered by criminals behind the scheme.

The tactic used here was to convince unwary investors to hand over their seed/recovery phrases. Others were asked to register new accounts. Cryptocurrency scams involving new accounts tend to have funds deposited over time. Eventually the scammers have the victim transfer the funds to sites run exclusively by them. No matter which tactic is used, someone pulled in by the billboard has a strong chance of losing out.

This is clearly a technique which is working for phishers no matter the location. If you’re at an event or simply out and about and spot a cryptocurrency billboard, play it safe. Does the billboard mention a digital finance organisation? Check with the organisation if the URL is genuine. If you’re asked for seed/recovery phrases, don’t hand them over. Does the billboard make claims of doubling whatever you deposit? This is almost certainly a scam, especially if tied to a promotion from Elon Musk or TESLA.

Stay safe out there!


Dial 311 for… cybersecurity emergencies?

Members of the Cybersecurity Advisory Committee of CISA (Cybersecurity and Infrastructure Security Agency) have proposed an emergency cybersecurity call line for small and medium-sized businesses (SMBs). Should the proposition be approved, SMBs would be able to call 311 in the event of a cybersecurity incident.

CISA’s cyberhygiene subcommittee head, George Stathakopoulos, originally floated the idea that CISA should “launch a 311 national campaign, to provide an emergency call line and clinics for assistance following cyber incidents for small and medium businesses.” The communications subcommittee also floated a similar idea.

CISA and other cybersecurity experts have pushed for more robust incident response reporting. In March, President Joe Biden signed the Strengthening American Cybersecurity Act, a cyber incident reporting bill requiring critical infrastructure operators to report a breach to CISA within 72 hours, and 24 hours if they made a ransomware payment.

CISA Executive Assistant Director for Cybersecurity Eric Goldstein bemoaned how damaging it is for CISA to have little data on ransomware attacks in the US. Speaking to attendees at RSA, Goldstein was quoted saying:

“A tiny fraction of ransomware infections are reported to the government and the problem is getting worse because we don’t even know what that actual number is. We have no idea the actual denominator of ransomware instructions that are occurring across the country on any given day.”


Conti ransomware group’s pulse stops, but did it fake its own death?

The dark web leak site used by the notorious Conti ransomware gang has disappeared, along with the chat function it used to negotiate ransoms with victims. For as long as this infrastructure is down the group is unable to operate and a significant threat is removed from the pantheon of ransomware threats.

[Image: The Conti leak site is down (June 22, 2022)]

Ransomware gangs like Conti use the threat of leaking stolen data on their dark web sites to extort enormous ransoms from their victims, making the sites a vital cog in the ransomware machine.

While the cause of the site’s disappearance isn’t known for sure, and criminal dark web sites are notoriously flaky, there is good reason to suspect that Conti has gone permanently.

However, while anything that stops Conti from terrorising businesses, schools, and hospitals is welcome, the disappearance of its leak site is unlikely to make potential ransomware victims any safer, sadly.

As we explained in our May ransomware review, recent research by Advintel suggests that Conti has spent the last few months executing a bizarre plan to fake its own death. If that is what’s happened, then the gang’s members have simply dispersed to other ransomware “brands” that are either operated by the Conti gang or affiliated to it.

Conti—as bad as they come

The gang behind Conti ransomware (called WizardSpider, although rarely referred to by that name) is believed to be based in Russia, and first appeared in 2020. The FBI recently called it “the costliest strain of ransomware ever documented,” and the US Department of State is offering a reward of up to $10 million for “information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group.”

Conti has been used in a number of high profile attacks, including a devastating assault on Ireland’s Health Service Executive on May 14, 2021. The attack disrupted healthcare in Ireland for months and the recovery effort could end up costing the country more than $100 million.

The real cost of the attack was measured in human suffering though. Speaking to Malwarebytes Labs, a doctor in one of the affected hospitals described how a 21st-century healthcare system deprived of its computers is brought to its knees. The attack caused enormous unnecessary suffering for both patients and healthcare professionals, and triggered hundreds of thousands of appointments to be cancelled.

The doctor’s brutal assessment of the Conti gang? “I think they lost their humanity.”

Faking its own death

According to Advintel, the Conti gang sealed its fate in February when it published a message in support of Russia’s invasion of Ukraine, declaring its “full support of Russian government.” By aligning itself to the Russian state it had made itself the subject of sanctions. Victims were not prepared to run the risk that their ransom payments might be treated as sanctions violations and Conti’s income dried up.

Ransomware gangs often react to trouble by going dark, or with ham-fisted attempts to pretend they’ve retired. These retirements are often quickly followed by the sudden appearance of a brand new ransomware gang that is obviously just the old gang working under a new name.

Advintel’s research suggested that Conti was aware of this pattern and determined to try something different. Instead of disappearing and then popping up a week later under a new name, the group created and operated new brands—Advintel names KaraKurt, BlackByte, and BlackBasta as examples—before retiring the Conti name, to make the transition less obvious. In addition to creating these new brands, it also dispersed parts of its workforce into existing gangs it had a relationship with, such as Hive and ALPHV.

To complete the deception, it maintained a skeleton crew that carried out extremely noisy, headline-grabbing attacks on Costa Rica, and continued to operate the leak site until the last moment.

Malwarebytes Threat Intelligence was able to independently confirm that Conti sent an internal announcement about its retirement to affiliates at the end of May, and that its internal chat servers stopped working around the same time.

The site had been inactive for 28 days before it disappeared, with the last new leak appearing on May 25. As our May ransomware report revealed, despite the noise it generated from its attacks on Costa Rica, Conti’s activity was significantly depressed in May, while the activity of gangs with alleged links to Conti increased, driven largely by the rise of BlackBasta.

Known ransomware attacks in May 2022

The post Conti ransomware group’s pulse stops, but did it fake its own death? appeared first on Malwarebytes Labs.

MEGA claims it can’t decrypt your files. But someone’s managed to…

MEGA, the cloud storage provider and file hosting service, is very proud of its end-to-end encryption. It says it couldn’t decrypt your stored files, even if it wanted to.

“All your data on MEGA is encrypted with a key derived from your password; in other words, your password is your main encryption key. MEGA does not have access to your password or your data. Using a strong and unique password will ensure that your data is protected from being hacked and gives you total confidence that your information will remain just that – yours.”

But there’s a problem. A Swiss team of researchers has just proved those claims wrong.

And that’s not all. The research went one step further, finding that an attacker could insert malicious files into the storage, passing all authenticity checks of the client.

Cryptography flaws

Researchers at the Department of Computer Science of ETH Zurich, Switzerland, reviewed the security of MEGA and found significant issues in how it uses cryptography.

These findings could lead to devastating attacks on the confidentiality and integrity of user data in the MEGA cloud.

Key hierarchy

The MEGA client derives an authentication key and an encryption key from the password. The authentication key identifies the user to MEGA. The encryption key encrypts a randomly generated master key, which in turn encrypts the rest of the user’s key material. Every account has a set of asymmetric keys: an RSA key pair for sharing data, a Curve25519 key pair for exchanging chat keys for MEGA’s chat functionality, and an Ed25519 key pair for signing the other keys. Furthermore, the client generates a new key for every file or folder (collectively referred to as nodes) uploaded by the user.

Long story short, every key is either derived from the password or encrypted under a key that ultimately is. The encrypted key material is stored on MEGA’s servers so that the account can be used from multiple devices, which means the server hands the client its own keys, in encrypted form, at every login.

Ciphertext

Ciphertext is the output of encrypting plaintext with a cipher. The researchers built two attacks on the lack of integrity protection for the ciphertexts that hold the user’s keys, and two further attacks on the integrity of file ciphertexts that allow a malicious service provider to insert files of its choosing into a user’s cloud storage.

Attacks

Because the stored ciphertext of the RSA private key has no integrity protection, a malicious service provider can recover a user’s private RSA share key (used to share file and folder keys) over 512 login attempts. During login the client decrypts a server-supplied value with that key. By tampering with the encrypted key before handing it to the client, the attacker turns the client’s RSA-CRT decryption into an oracle that leaks one bit per login about one of the prime factors of the RSA modulus. Once 512 bits of a factor are known, the remaining bits, and with them the full private key, can be reconstructed offline.

With the RSA private key in hand, the malicious service provider can go on to recover any plaintext encrypted with AES-ECB under the user’s master key: ECB ciphertext blocks under the same key are interchangeable, so a target block can be transplanted into the encrypted RSA key and its plaintext read off through the same login decryption. This includes all node keys used for encrypting files and folders. As a consequence, the confidentiality of all user data protected by these keys, such as files and chat messages, is lost.

Building on the first two attacks, a malicious service provider can construct an encrypted file and a matching key that the client accepts as genuine. The user cannot demonstrate that they didn’t upload the forged data, because the forged file and key are indistinguishable from genuinely uploaded ones. A malicious file planted this way could compromise not only the user’s system but also those of everyone the user has shared the affected files or folders with.
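The following is an added illustration, written for this article and not code from MEGA or from the ETH Zurich researchers, of the two points above: the key hierarchy (password-derived key wrapping a master key, which wraps node keys and the RSA key) and why unauthenticated ECB wrapping lets a malicious server transplant ciphertext blocks without the client noticing. To run without third-party packages it substitutes a small HMAC-based Feistel cipher for AES (an assumption; ECB over it behaves the same way), uses an illustrative PBKDF2 setting rather than MEGA’s exact derivation, and stands in a random byte string for the RSA private key encoding. The final two functions show the kind of authenticated wrap the researchers argued for, which rejects the same substitution.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # 128-bit blocks, like AES


def _prp(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in block cipher: 4-round Feistel with HMAC-SHA256 as round function.
    Assumption: replaces AES only so the example runs offline; ECB over it has
    exactly the malleability discussed in the article."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    order = range(3, -1, -1) if decrypt else range(4)
    for i in order:
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left  # final swap makes decryption the same loop run backwards


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0
    return b"".join(_prp(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0
    return b"".join(_prp(key, data[i:i + BLOCK], True) for i in range(0, len(data), BLOCK))


def derive_password_keys(password: str, salt: bytes):
    """Password -> (encryption key, authentication key), the top of the hierarchy.
    Assumption: PBKDF2 parameters are illustrative, not MEGA's exact ones."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000, 32)
    return dk[:BLOCK], dk[BLOCK:]


def build_account(password, salt, master_key, node_key, priv_key_blob):
    """What the client stores server-side at registration. Every key ciphertext
    is plain ECB with no authentication tag, which is the flaw in question."""
    enc_key, auth_key = derive_password_keys(password, salt)
    return {
        "auth_tag": hashlib.sha256(auth_key).digest(),       # checked by the server at login
        "enc_master": ecb_encrypt(enc_key, master_key),      # master key under password key
        "enc_node": ecb_encrypt(master_key, node_key),       # file/folder key under master key
        "enc_priv": ecb_encrypt(master_key, priv_key_blob),  # RSA share key under master key
    }


def client_login(password, salt, account):
    """The client unwraps whatever the server returns; nothing lets it detect edits."""
    enc_key, _ = derive_password_keys(password, salt)
    master_key = ecb_decrypt(enc_key, account["enc_master"])
    priv = ecb_decrypt(master_key, account["enc_priv"])
    return master_key, priv


def malicious_substitute(account, node_block, priv_block):
    """Server-side step of the plaintext-recovery attack: copy ECB block
    `node_block` of the encrypted node key over block `priv_block` of the
    encrypted RSA key. Both are under the master key, so the client decrypts the
    transplanted block to the node key's plaintext inside its 'RSA key'."""
    tampered = dict(account)
    ct = bytearray(account["enc_priv"])
    ct[priv_block * BLOCK:(priv_block + 1) * BLOCK] = \
        account["enc_node"][node_block * BLOCK:(node_block + 1) * BLOCK]
    tampered["enc_priv"] = bytes(ct)
    return tampered


def wrap_authenticated(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC key wrap: the tag covers every ciphertext block and its
    position, so block substitution fails verification (an AEAD would do too)."""
    mac_key = hmac.new(key, b"wrap-mac", hashlib.sha256).digest()
    ct = ecb_encrypt(key, data)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unwrap_authenticated(key: bytes, blob: bytes) -> bytes:
    mac_key = hmac.new(key, b"wrap-mac", hashlib.sha256).digest()
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key material has been tampered with")
    return ecb_decrypt(key, ct)


if __name__ == "__main__":
    salt, master_key = secrets.token_bytes(16), secrets.token_bytes(16)
    node_key = secrets.token_bytes(32)   # constructed file key: two ECB blocks
    priv_blob = secrets.token_bytes(64)  # constructed stand-in for the RSA private key
    acct = build_account("correct horse battery", salt, master_key, node_key, priv_blob)
    evil = malicious_substitute(acct, node_block=1, priv_block=2)
    _, priv_seen = client_login("correct horse battery", salt, evil)
    print("client accepted tampered key:", priv_seen[32:48] == node_key[16:32])
    blob = wrap_authenticated(master_key, priv_blob)
    bad = bytearray(blob)
    bad[32:48] = acct["enc_node"][16:32]
    try:
        unwrap_authenticated(master_key, bytes(bad))
    except ValueError as err:
        print("authenticated wrap:", err)
```

The tampered login succeeds silently and the client now holds node key bytes where RSA key material should be; in the real attack the server then learns those bytes through the client’s RSA decryption. The authenticated wrap turns the same substitution into a hard failure before any key is used.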

MEGA’s response

MEGA acknowledged the issue on March 24, 2022, released patches on June 21, 2022, and awarded the researchers a bug bounty. But MEGA’s fix differs greatly from what the researchers proposed: it patches only the first attack, on the grounds that the other attacks rely on it.

Because that does not address the key reuse, the lack of integrity checks, or the other systemic problems the researchers identified, these remain a source of concern for them.

As a regular MEGA user there is little reason to worry about these flaws, especially if you haven’t logged in more than 512 times. To perform any of these attacks, an attacker would need to control MEGA’s API servers, or sit in the middle of the TLS connections to them, without being noticed.

Anyone interested in more technical details can read the researchers’ paper.

The post MEGA claims it can’t decrypt your files. But someone’s managed to… appeared first on Malwarebytes Labs.