IT NEWS

AstraLocker 2.0 ransomware isn’t going to give you your files back

Reversing Labs reports that the latest verison of AstraLocker ransomware is engaged in a a so-called “smash and grab” ransomware operation.

Smash and grab is all about maxing out profit in the fastest time. It works on the assumption by malware authors that security software or victims will find the malware quickly, so it’s better to get right to the end-game as quickly as possible. Adware bundles in the early 2000s capitalised on this approach, with revenue paid for dozens of adverts popping on desktops in as short a time as possible.

That smash and grab spirit lives on.

In a ransomware attack, criminals typically break into a victim’s network via a trojan that has already infected a computer, by exploiting a software vulnerability on an Internet-facing server, or with stolen Remote Desktop Protocol (RDP) credentials. They then make their way silently to devices and servers where important data is stored. Anything of value is stolen and sent outside of the network. When the attacker is good and ready, ransomware is deployed, encrypting the files on the machines and rendering them useless. From here, double or even triple threat extortion (blackmail and the threat of data leakage) is deployed. This careful approach, which can sometimes take weeks, allows attackers to stop organisations dead in their tracks and demand multi-million dollar ransoms.

It is so successful that almost all major ransomware families are used in this way.

But AstraLocker is not a major ransomware family, and it doesn’t do this. (These two things may be connected.)

Click to run

In the attacks observed by Reversing Labs, AstraLocker just arrives and encrypts.

It starts life as a rogue Word document attachmed to an email. The payload lurking in the document is an embedded OLE object. Triggering the ransomware requires the victim to double click the icon within the document, which comes with a security warning. As researchers note, this isn’t as slick a process as the recent Follina vulnerability (which requires no user interaction), or even misusing macros (which some user interaction).

In its rush to encrypt, AstraLocker still manages to do some standard ransomware things: It tries to disable security programs; it also stops applications running that might prevent encryption from taking place; and it avoids virtual machines, which might indicate it’s being run by researchers in a lab.

The sense of this being a rushed job doesn’t stop there.

Reaffirming (and then breaking) the circle of trust

When decryption doesn’t happen, either because of a poor quality decryptor, or because no decryption process actually exists, the ransomware author’s so-called circle of trust is broken. Too many decryption misfires is bad for business. After all, why would victims pay up if there’s no chance of file recovery?

It’s interesting, then, that the following text is in AstraLocker 2.0’s ransom note:

What guarantees?
I value my reputation. If I do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data.

So far, so good…you would think. Unfortunately, there’s a sting in the tail.

The cost of their decryption software is “about $50 USD”, payable via Monero or Bitcoin. There is some question as to who the author of this version of AstraLocker is, as the email addresses tied to the original campaign have been replaced. Unfortunately, this is where the circle of trust falls apart.

You can certainly pay the ransom with no problem whatsoever. That side of things, the making money side, works perfectly. The getting your files back side of things? Not so much. The new contact email address mentioned above is only partially included.

There is currently no way to ask the ransomware author for the decryption tool. Unless some sort of update is forthcoming, this is the quickest way you’ll ever lose both your files and $50.

Whether this is by accident or design, the circle of trust here is more of a downward curve.

The post AstraLocker 2.0 ransomware isn’t going to give you your files back appeared first on Malwarebytes Labs.

Ransomware review: June 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In June, LockBit was the most active ransomware, just as it has been all year. The month was also notable for the disappearance of Conti, and the large number of attacks by groups alleged to have links with the disbanded group.

The service industry remained the hardest hit industry sector, and the USA the most attacked country. The number of attacks in the USA continued to dwarf other countries, with more known victims than Canada and all the European countries in our list combined.

Known ransomware attacks by group, June 2022
Known ransomware attacks by group, June 2022
Known ransomware attacks by country, June 2022
Known ransomware attacks by country, June 2022
Known ransomware attacks by industry sector, June 2022
Known ransomware attacks by industry sector, June 2022

LockBit

Without fanfare, LockBit has become the dominant force in ransomware this year. Although there were fewer victims on its leak site in June than in May, it was still far ahead of its competition.

While Conti—“the costliest strain of ransomware ever documented,” according to the FBI—has spent 2022 making noisy pronouncements and digging itself out of a hole of its own making with a hair-brained scheme to fake its own death, LockBit has been all business.

Like all the ransomware in our review, LockBit is offered in the form of ransomware-as-a-service (RaaS). Attacks are carried out by affiliates (“pen testers”) who pay the LockBit organization 20 percent of the ransoms they receive in return for using its software and services.

And while some ransomware gangs seem to want to tell the world what they think, and how great they are, LockBit seems to care more about what its users think. Its affiliate page begins with a statement that seems designed to contrast it with its nosiy Russian rival:

We are located in the Netherlands, completely apolitical and only interested in money.

Thereafter the page is peppered with people-pleasing language designed to signal the gang’s trustworthiness and willingness to listen. Affiliates are asked “if you do not find one of your favorite features, please inform us,” and told that “it is very important for us to know about all our strengths and weaknesses.” It says “we have never cheated anyone and always fulfill our agreements. Decrypter work, stolen data is deleted”

It is this combination of attractiveness to affiliates and an ability to avoid costly mistakes that seems to be behind its success this year.

This risk averse approach is nothing new. Out of an abundance of self interest, ransomware has always conspicuously avoided attacking targets in Russia and the Commonwealth of Indpednent States, for example. Attracting the attention of the three-letter agencies in Russia and the USA is simply bad for business.

Unusually, LockBit hit the headlines in June with some obvious publicity seeking. The gang launched LockBit 3.0, along with a new dark web site, and a bug bounty program promising rewards of up to $1 million for finding bugs in its website and software, submitting brilliant ideas, or successfully doxing the head of the gang’s affiliate program.

lockbit 3 bug bounty page
The LockBit 3.0 bug bounty page

We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million.

Whether the group seriously intends to pay out these sums remains to be seen. If all it wanted from the announcement was to drum up some publicity, it has already succeeded. However, if it does intend to use bug bounties it improve its software and sharpen its approach then it could deprive law enforcement and security researchers of valuable tools and information.

Conti

As expected, the last public vestige of the Conti ransomware gang, its leak site, disappeared in June, after a few weeks of inactivity. As we reported in last month’s ransomware review, detailed research by Advintel in May suggested that the gang’s alignment with the Russian state in February had caused victims’ lawyers to warn against paying it ransoms, for fear of breaking sanctions.

When the group’s revenue dried up its leaders allegedly hatched a plot to retire the brand by dispersing its members into other ransomware gangs like BlackBasta, BlackByte, KaraKurt, Hive and ALPHV, and then faking its own death.

Malwarebytes Threat Intelligence was able to independently confirm that Conti sent an internal announcement about its retirement to affiliates at the end of May, and that its internal chat servers stopped working around the same time.

The leak site disappeared on June 22, 2022, and remains down.

The missing Conti leak site
The Conti leak site on June 22, 2022

The Conti shutdown has overlapped with the overnight arrival of BlackBasta in April and a big increase in activity (and the appearance of a new leak site) by KaraKurt in June. It may be a coincidence, but we note that last month the combined activity of BlackBasta, BlackByte, and KaraKurt reached Conti-like levels.

conti vs alleged conti brands
Known attacks involving Conti compared to known attacks involving alleged Conti “brands” BlackBasta, BlackByte, and KaraKurt
karakurt dark web site
The resurgent KaraKurt extortion group has a new leak site

Trends

Most software, even malware, trends towards “feature completeness”—a point where adding new features adds little, if anything, to its usefulness. Ransomware has been more-or-less feature complete for a number of years, and most RaaS offerings have very similar capabilities.

Similarly, the way that ransomware is packaged and sold, and the ways that different affiliates break into networks and deploy ransomware vary little from one ransomware group to another, and evolve slowly.

The most active area of innovation in the last few years appears to be how gangs operate as a business, and in how they put pressure on victims to pay a ransom.

In June we saw some things we haven’t seen before: The LockBit gang offering bug bounties, and a leak site by the ALPHV group aimed at the staff and customers of a victim.

At least one ransomware gang has tried targeting executives at the top of companies in an effort to ramp up the pressure, but ALPHV’s targeting of employees and customers with a dedicated website is new. The site allowed guests and employees to explore the personal data ALPHV had stolen from them in the attack and, very unusually, the leak site was not on the dark web.

ALPHV leak site for emloyees and guests
A leak site dedicated to one victim, a hotelier, allowed guests and employees to explore the data about them that had been stolen

By putting the site on the regular web the gang made the information much more accessible to non-technical users, but without the protection of Tor it only lasted a few days before being taken down. The gang would certainly have known this would happen, but presumably it only had to last long enough to gather the attention it needed in order to impact negotiations.

An ALPHV leak site appears in Google Search results
The experimental ALPHV leak site appeared on the regular world wide web and was even indexed by Google

Such innovation is nothing new—ransomware gangs experiment with new ideas all the time. The experiments that don’t work are forgotten and those that do are quickly copied by other gangs.

In this case the experiment appears to have been unsuccessful. The victim has since appeared on the main ALPHV dark web leak site, which normally indicates they have resisted the pressure to pay a ransom.

Malwarebytes protection

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

The post Ransomware review: June 2022 appeared first on Malwarebytes Labs.

YTStealer targets YouTube content creators

Researchers are reporting the discovery of malware targeting YouTub content creators. The aim is to compromise accounts and then take over the victims’ channels completely.

The malware, dubbed YTStealer, has one game plan: Grabbing authentication cookies. A site gives you an authentication cookie when you log in, and your browser then uses it in place of a password until you log out. If somebody can steal the authentication cookie from your browser they can use it log into whatever website you’re using, as if they are you.

Armed with YouTube cookies, YTStealer plunders YouTube accounts, and their real owners have some customer support chats waiting in their immediate future.

Targeting interests

How do malware distributors reel in YouTube channel owners in the first place? Like so many of these scams, they promote a variety of bogus applications designed to lure victims. The rogue apps don’t just install YTStealer though, they also drop several other malicious files, depending on which installer is used. Vidar and RedLine may also be present.

Several popular (fake) versions of editing and design tools, which would naturally appeal to people in video circles, are on offer. Adobe Premiere Pro, HitFilm Express, and Filmora are some of the fake installers mentioned.

Games, too, are a popular revenue stream on YouTube with game streamers and reviewers galore. No surprise, then, that fake installers and cheats for titles like Call of Duty and Grand Theft Auto are along for the ride.

The final group of bogus files relate to imitation security products and supposed cracks for Discord Nitro and Spotify Premium.

System checks and balances

Once installed on a target machine, YTStealer performs some checks to see if its running inside of a virtual machine. This is to see if the malware is being analysed by security researchers. If detection takes place, files like YTStealer will typically terminate or become incredibly stubborn.

With this out of the way, YTStealer proceeds to harvest authentication cookies and fire up a browser in “headless” mode (a browser with no windows to look at). In other words: A silent, invisible browser. The victim is completely unaware of what’s happening. Swiped cookies are loaded into the phantom browser, which can now log in to YouTube as the victim.

The malware harvests the victim’s subscriber count, channel name, age of channel, verification status, and whether or not the channel is monetised. The data is collected, encrypted, and sent to the Command and Control (C2) server tied to the malware.

How to avoid malware aimed at Youtubers

  • Scammers will target your interests, and try to interest you in cheap / free copies of software related to the content you create. Is a stranger really going to give you free editing tools worth a few hundred dollars? Almost certainly not. “If it sounds too good to be true,” and all that.
  • Many of these files insist you turn off security protection prior to installing. Ask yourself why they’d want you to do this, and then make a sharp exit.
  • Are they directing you to a YouTube channel of their own for the download links? Check the comments. Are they disabled? Is every single comment positive, and posted from new / low quality accounts? There’s a reason for that…
  • Free cheat tools advertised on YouTube are not going to work. Bypassing anti-cheat protection in major video game titles is big business, and people pay to use these tools. Anything given away for free in this manner will do little beyond infect your system.

The post YTStealer targets YouTube content creators appeared first on Malwarebytes Labs.

Immigration organisations targeted by APT group Evilnum

Organisations working in the immigration sector are advised to be on high alert for Advanced Persistent Threat (APT) attacks. Bleeping Computer reports that European organisations, specifically, are under threat from the Evilnum hacking group.

Evilnum, on the APT scene since 2018 at the earliest and perhaps most well known for targeting the financial sector, appears to have switched gears.

In times of conflict

The observed attacks seem to have sprung into life on or around the beginning of the invasion of Ukraine. This is quite worrying for several reasons:

  • Immigration organisations in Europe are still impacted by the fallout from COVID-19. Additionally, Government immigration services continue to be non-functional or afflicted with severe delays in processing. The UK, which set up a dedicated visa for Ukrainian refugees, has experienced processing delays for unrelated visas of up to 6 months as a result of this project. Being targeted with malware could impact crucial services still further, putting people at risk.
  • Huge amounts of sensitive data is passing to and from independent immigration organisations related to the invasion of Ukraine. Exfiltration of this data could put people both outside Ukraine and those still there at risk of significant harm.
  • Many volunteer organisations have sprung up to support efforts related to Ukraine. Many of these have little to no funding and are being run by random groups of immigration lawyers with minimal experience of cybersecurity issues. This is, unfortunately, an area of potential rich pickings for attackers.

Important attack details

The APT group targeted an Intergovernmental organisation (IGO), an entity created via treaty which involves two or more nations to work on issues of common interest. This attack, then, is at the highest level in terms of immigration related impact.

It begins, as so many attacks do, with a targeted email containing a rogue attachment. Opening the attached Word document fires up a message which claims that the document was created in a later version of Microsoft Word. It explains how to enable editing in order to view the supposed content, typically called “Compliance” but also “Complaint” or “Proof of ownership”, among others.

Heavily obfuscated JavaScript decrypts and deposits an encrypted binary and a malware loader (which loads up the binary), and creates a scheduled task to keep things constantly ticking over. File system artefacts created during execution are designed to imitate legitimate Windows binary names, to assist in detection avoidance.

The aim here is to create a backdoor on infected systems. Machine snapshots are taken and sent back to base via POST requests, with exfiltrated data in encrypted form.

Cybersecurity, just from a different point of view

Refugees from Ukraine are being assisted by multiple organisations that were set up after the initial invasion. Lawyers helping to run these groups may not be fully immersed in cybersecurity. However, they follow strict rules and regulations with regard to client data by default. As a result, they’re often doing security-centric things to keep client data secure without perhaps noticing the crossover.

For example: Most immigration lawyer/client interactions in the UK currently are remote, partly due to COVID-19 and partly because the UK’s visa system is now almost entirely online. As a result, pretty much everything involving sensitive documentation begins life in the form of an email. This sounds bad at first glance; however, this isn’t the case. Lawyers and clients aren’t emailing important documents in plaintext. Instead, they’re making use of encrypted documents, secure file uploads, and deleting data as and when required.

Tips for immigration orgs

If you’re a small organisation looking to help with visa or refugee processes for Ukrainians fleeing the invasion, here’s some of the things you can make a start on now to help keep things secure:

  • Ensure your website is HTTPs. Most sites I’ve seen in this realm use a combination of contact email and/or web form. You don’t want sensitive information intercepted because of insecure websites. As few people as possible should have admin access to the site, and anything related to publishing. Use as few extensions and plugins as possible. Paying for domain anonymity services is useful if required.
  • Consider using an alias for public facing email addresses. Additionally, lock down all email addresses with multifactor authentication (MFA). The same goes for backup/recovery emails tied to the main account(s).
  • If you have the choice of SMS codes or authentication apps/hardware based security keys for 2FA, choose the latter. SMS won’t work with no signal reception, and fraudsters may divert your SMS codes via SIM swapping.
  • Consider using a password manager for organization-specific passwords. If you need to share logins, use a management tool which allows you to share logins without revealing the password itself. Should you land on a phishing site, your password manager won’t pre-fill your details into the bogus portal.

I’ve spoken to individuals from several UK-based immigration organisations, including those focused on helping Ukrainians. At this point, none of them report having been targeted by attacks similar to the above. However, those organisations are absolutely in the spotlight for anyone potentially up to no good. If you’re in this line of work, or you’re just getting started, consider where and how you can begin to get things locked down right now.

The post Immigration organisations targeted by APT group Evilnum appeared first on Malwarebytes Labs.

Criminals are applying for remote work using deepfake and stolen identities, says FBI

The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII (personally identifiable information).

A deepfake is essentially created or modified media (image, video, or audio), often with the help of artificial intelligence (AI) and machine learning (ML). Deepfake creations are designed to appear and sound as authentic as possible. Because of this, they’re difficult to spot unless you know what to look for.

Years of data breaches made millions of Americans’ identities available for anyone with ill intent to gather and use for personal gains. This time, criminals seem confident about pulling off a scheme that fully intends to sabotage or steal from companies that hire them while keeping their true identities intact.

Armed with compelling synthetic images and videos with legitimate PII, we can imagine criminals likely getting the job before pulling the wool over their employer’s eyes.

Most open positions identified in the report were in the technology field, such as IT (information technology), computer programming, database, and software. The FBI has also noted that some positions criminals are trying to fill would grant them access to PII, financial data, corporate databases, and proprietary information.

Fortunately for organizations, there is a glaring flaw to an otherwise masterful execution of deceit: the deepfakes the criminals use suffer from sync issues.

“Complaints report the use of voice spoofing, or potentially voice deepfakes, during online interviews of the potential applicants. In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.”

~ FBI, PSA number I-062822-PSA

Misuse of stolen PII is spotted with a pre-employment background check. So even if an interviewer puts the desyncs in a deepfake video down to a dodgy connection, criminals won’t be able to escape findings from a standard background check.

TechCrunch said the most at-risk businesses from criminals entering the job market this way are startups and SaaS (software as a service) companies. This is because these potentially hold lots of data or access to it “but comparatively little security infrastructure compared with the enterprises they serve or are attempting to displace.”

If you’re worried that your data might be used to get criminals into the same sector as you are, there’s not much to do apart from remaining alert and keeping an eye out for strange emails or phone calls.

Stay safe!

The post Criminals are applying for remote work using deepfake and stolen identities, says FBI appeared first on Malwarebytes Labs.

Amazon Photos vulnerability could have given attackers access to user files and data

Amazon has patched a flaw in the Amazon Photos app which could have allowed an attacker to steal and use a user’s unique access token that verifies their identity across multiple Amazon APIs.

That would give attackers access to a trove of information, since many of these APIs contain personal data, such as names, email addresses, and home addresses.

Amazon Photos, previously known as Prime Photos, is a service related to Amazon Drive, the company’s cloud storage application. To date, it has been downloaded more than 50 million times from the Play Store. The Photos app is geared towards the storing, organizing, and sharing photos and videos.

Due to a misconfiguration of a component in the app, rendering a client’s access token severely unprotected, a third-party malicious app could access and use this token. In a ransomware scenario, threat actors could steal, delete, and encrypt files and leave affected users with no means to restore them.

To put it plainly, it’s like sending a password over to another app in plain text, the researchers who found the bug explained.

The researchers from Checkmarx informed Amazon in November 2021. The following month, the company issued a patch for the vulnerability.

Because this flaw also affects Amazon Drive, threat actors could theoretically modify files while erasing a user’s history, effectively rendering original content irrecoverable.

Erez Yalon, Checkmarx’s vice president of security research, was quoted in an interview with The Record:

“We know there is nothing completely secure in the software world. But seeing that kind of vulnerability in the software of Amazon, one of the leading companies in the world when it comes to security practices, means that it can happen to every software company.”

An Amazon spokesperson also told The Record they found “no evidence that sensitive customer information was exposed as a result of this issue.”

“We appreciate the work of independent security researchers who help bring potential issues to our attention,” the spokesperson said.

The post Amazon Photos vulnerability could have given attackers access to user files and data appeared first on Malwarebytes Labs.

ZuoRAT is a sophisticated malware that mainly targets SOHO routers

Researchers have analysed a campaign leveraging infected SOHO routers to target predominantly North American and European networks of interest.

The so-called ZuoRAT campaign, which very likely started in 2020, is so sophisticated that the researchers suspect that there is a state sponsored threat actor behind it.

SOHO routers

SOHO is short for small office/home office and SOHO routers are hardware devices that route data from a local area network (LAN) to another network connection. Modern SOHO routers have almost the same functions as home broadband routers, and small businesses tend to use the same models. Some vendors also sell routers with advanced security and manageability features, but most SOHO devices are only monitored in exceptional cases.

Which is probably the reason why the ZuoRAT managed to fly under the radar for so long.

Compromise the router

The first step in the campaign is to take control of the router. The researchers identified infected routers of several manufacturers including popular brands like ASUS, Cisco, DrayTek, and NETGEAR. It is likely that the threat actor used unpatched vulnerabilities to steal credentials from the targeted routers. Although patches for these vulnerabilities exist, it is not uncommon for device administrators never to apply these patches.

This lack of security is often caused by lack of awareness. And the lack of awareness starts by small business owners not knowing which type or model of router they have exactly. So even if they read about a vulnerability in their router, it may not sink in that it applies to them. The rebranding of routers by providers is another contributing factor to the owners’ ignorance.

Drop the RAT

The vulnerability or chain of vulnerabilities allow the threat actor to download a binary, then execute it on the host. Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware.

The ZuoRAT agent framework enables in-depth reconnaissance of target networks, traffic collection and network communication hijacking. Some of the functions will run by default, while others might be intended to be called by additional commands.

Mirai

ZuoRAT looks like a heavily modified version of the Mirai malware. The authorities may have caught the Mirai creators, but the spirit of their botnet lives on. Numerous groups took advantage of the open-source code to create mini variants. But the command and control infrastructure used in this campaign is intentionally complex in an attempt to conceal what’s happening.

Attribution

While attribution is always hard, the researchers listed several indications that the group behind this campaign might be of Chinese origin. One set of C2 infrastructure controlled by this threat actor and used to interact with the Windows RATs was found to be hosted on internet services from China-based organizations. Also, some of the program database paths contained Chinese characters, while others referenced “sxiancheng”, a possible name or Chinese locality.

China is a likely candidate even if it seems they have already bitten off more than they can chew. According to an article in the Financial Times Chinese university students have been lured to work as translators to help identify hacking targets, and to analyze stolen material.

DNS hijacking

Using the gathered information about the DNS settings and the internal host in the adjacent LAN, there were several functions designed to perform DNS hijacking. Some functions allowed the threat actor to update DNS hijacking rules specifying which domains to hijack, the malicious IP address resulting from the hijack and the number of times to trigger the rule.

HTTP hijacking

Another noteworthy function enabled the actor to specify which client or subnet to hijack. It hijacked the process so that it could match the traffic pattern. If the pattern matched one of the rules, it displayed a 302 error that redirected the client’s browser to another location where the threat actor could manipulate the connection.

Mitigation

If you fear that your router has been compromised, simply restarting an infected device will remove the initial ZuoRAT exploit. To fully recover, however, a factory reset clears infected devices.

To avoid your router from getting infected, find the most recent firmware and install it so you have all the latest patches.

Systems that used an infected route for their internet access and used no block lists that included the C2 infrastructure of ZuoRAT may be infected. This is not only true for Windows systems. The researchers found samples written in GO, which is a cross-platform language.  

IoCs associated with this campaign for threat hunting can be found on the Black Lotus Labs GitHub page.

Stay safe, everyone!

The post ZuoRAT is a sophisticated malware that mainly targets SOHO routers appeared first on Malwarebytes Labs.

Update now! Mozilla fixes security vulnerabilities and introduces a new privacy feature for Firefox

Mozilla released version 102.0 of the Firefox browser to Release channel users on June 28, 2022.

The new version fixes 20 security vulnerabilities, five of which are classified as “High”. The new version also comes with a new privacy feature that strips parameters from URLs that track you around the web.

Vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs we think you should know:

High

CVE-2022-34479: A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. This bug only affects Firefox for Linux. It does not apply to other operating systems.

CVE-2022-34470: Use-after-free in nsSHistory. Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Navigations between XML documents may have led to a use-after-free and potentially exploitable crash.

CVE-2022-34468: CSP sandbox header without ‘allow-scripts’ can be bypassed via retargeted javascript: URI. An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11. Some of these bugs showed evidence of JavaScript prototype or memory corruption, and with enough effort some of these could have been exploited to run arbitrary code.

Moderate

CVE-2022-34482 and CVE-2022-34483: Two separate issues with the same effect. Drag and drop of malicious image could have led to malicious executable and potential code execution. An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension.

CVE-2022-34478: The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild, so in this release Firefox has blocked these protocols from prompting the user to open them.

New privacy feature

Many companies involved in advertising use custom URL query parameters that enable them to track clicks on links. The most well-known example is probably the ?fbclid= parameter that Facebook adds to outbound links.

With the release of Firefox 102, Mozilla has added the new “Query Parameter Stripping” feature that automatically strips some of these query parameters. It does not matter whether you clicked on a link or pasted the URL into the address bar.

To enable Query Parameter Stripping, go into the Firefox Settings, click on Privacy & Security, and then change Enhanced Tracking Protection to Strict.

Strict setting

You will need to click Reload All Tabs to apply the changes. If you find that setting Enhanced Tracking Protection to Strict could causes issues with certain sites, you can use the Manage Exceptions option to add these websites, or use the “Custom” setting to choose which trackers and scripts to block.

Updating

Under normal circumstances, updates will be applied without user intervention. You can check for the version number in the products’ menu under Help > About

Firefox is up to date

Should you not be using the latest version for some reason, e.g. automatic updates are disabled, then this screen will inform you that a new version is available and will start downloading it.

When it’s done, you’ll see a prompt to restart the browser. This will apply the update.

Stay safe, everyone!

The post Update now! Mozilla fixes security vulnerabilities and introduces a new privacy feature for Firefox appeared first on Malwarebytes Labs.

Hermit spyware is deployed with the help of a victim’s ISP

Google’s Threat Analysis Group (TAG) has revealed a sophisticated spyware activity involving ISPs (internet service providers) aiding in downloading powerful commercial spyware onto users’ mobile devices. The spyware, dubbed Hermit, is reported to have government clients much like Pegasus.

Italian vendor RCS Labs developed Hermit. The spyware was spotted in Kazakhstan (to suppress protests against government policies), Italy (to investigate those involved in an anti-corruption case), and Syria (to monitor its northeastern Kurdish region), all deployed by their respective governments.

Hermit affects Android and iOS devices and is described as a modular spyware. This means it can download pieces of itself (modules) for additional functionalities, making it customizable to suit client needs, from a C2 (command and control) server.

Unlike NSO’s Pegasus, Hermit is not as stealthy. But at its core, it functions like any government-grade spyware. It can read SMS and chat messages, view passwords, intercept calls, record calls and ambient audio, redirect calls, and pinpoint precise locations of victims.

Hermit also roots all infected Android devices, giving itself deeper access to phone features and user data. On iOS, Hermit is packed with six exploits, two of which were targeting zero-day vulnerabilities. According to Google’s report, these are the following exploits:

  • CVE-2018-4344 internally referred to and publicly known as LightSpeed.
  • CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
  • CVE-2020-3837 internally referred to and publicly known as TimeWaste.
  • CVE-2020-9907 internally referred to as AveCesare.
  • CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
  • CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.

A Hermit spyware campaign starts off as a seemingly authentic messaging app users are deceived into downloading. A government actor also poses as a mobile carrier over SMS—sometimes with the help of the target’s ISP—to socially engineer targets into downloading the spyware masquerading as a tool to “fix” their internet connection.

Both Apple and Google have already notified their users regarding this spyware, and then some. Apple revoked the legitimate certificates Hermit abused to reside on iPhone devices, while Google beefed up its Google Play Protect security app to block Hermit from running. Google also pulled the plug on Hermit’s Firebase account, which it uses to communicate with its C2.

When questioned by TechCrunch, RCS Labs provided a statement, which we have replicated in part below:

RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.

Providers of government-grade spyware like Pegasus and Hermit always claim to have legitimate reasons for creating malware. But as we’ve seen and heard from countless reports, they are mainly used to spy on journalists, activists, and human rights defenders.

The post Hermit spyware is deployed with the help of a victim’s ISP appeared first on Malwarebytes Labs.

Internet Safety Month: Everything you need to know about Omegle

Omegle reached the heady heights of fame when everyone least expected it. Thanks to TikTok influencers, children flocked to this 13-year-old platform during the pandemic, unaware of the dangers already there.

The concept of talking to strangers online is Omegle’s main selling point, but it’s not new. When you think about it, most of us always engage with strangers on online platforms that promote conversations and debate or inspire reactions.

But unlike other social sites, Omegle has scant security to protect anyone willing to take that risky but exciting dive. Users are, once again, left to fend for themselves as they explore an online world through a platform where the only thing simple is its interface.

omegle page
Omegle’s front page. It used to sport the message: “Predators have been known to use Omegle, so please be careful.” However, it removed this due to a lawsuit alleging it knowingly pairs minors with child predators.

So what are the things every parent, potential and current user, or school personnel should know about; and what can they do to protect themselves and the children in their care?

What do you need to sign up for Omegle?

Nothing. Unlike other popular social networking sites, users wanting to try out Omegle don’t need to sign up and create a profile. You just need to visit it from your computer or smartphone’s browser to start.

Once a user is signed up and paired with another user, the platform automatically sets the names to “You” and “Stranger”.

What are the risks of using Omegle?

Because people are randomly paired up for a text or video chat, anyone could meet anyone. These include VCH (virtual cam whore) puppets (which are bots), other extortionists, and impersonators (including child predators).

Content in Omegle isn’t guaranteed clean either. Your child might be exposed to nudity, grooming, privacy threats (such as strangers earning your child’s trust so they can get sensitive information from them), scams, and sexual abuse.

There is also the risk of your child being coaxed into exposing themselves and their younger siblings, or performing sexual acts. Child predators and extortionists do this so they can sell the clips, keep them for personal use, or use them in other extortion campaigns to lure more Omegle users into participating in sexual acts. Remember that the majority of these incidents happen in a house where parents and other family members are present.

Lastly, your child could become a target of cyberbullies. One TikTok user documented his experience of racism while using Omegle to TikTok users. Dr. Joanne Meredith, a cyberpsychologist, said the incident is a consequence of people losing their inhibitions online.

“Due to various features of online interaction—including dissociative imagination, or the view that the online world is a kind of game—people become less inhibited and behave in ways that they would not normally.”

Does Omegle have any parental controls?

No, none.

What other features does Omegle have?

Omegle used to have what it called “Spy Mode” (or “Spy (question) mode”), wherein the “spy” becomes the third party in a conversation between two strangers. The “spy” can ask questions for them to answer, or the “spy” could just listen in on the conversation without contributing.

This has now been removed, reportedly because it was being used to sell child pornography.

Another feature is the College Student Chat, where curious college students can enter their student email addresses before getting paired with others enrolled in their school.

Finally, there is the Adult chat function, which is free for kids to access.

Is Omegle safe for kids?

I think you know the answer to that at this point.

If your child looks up to a TikTok influencer who encourages followers to use Omegle, explain that it is not a safe place to meet other people online because it doesn’t have safeguards, unlike other social media platforms.

Staying safe on Omegle

It is better for parents, carers, and other responsible adults to deter their young persons from using Omegle altogether until they are 18. Personally, this is a non-negotiable because of the lack of safeguards and high risk of children being targeted, especially if they are young teen girls.

Any one-on-one stranger video chat platform like Omegle is risky for kids. It is paramount to keep an open and healthy communication with your child regarding this.

If you have found out your child has or continues to use Omegle, it’s time to sit them down for a quiet chat. Never punish them for being curious. Instead, let them know about the risks in order to explain why they need to stop using the platform until they’re at the right age.

Should your young person insist on using stranger video chat apps despite knowing the risks and repeated warnings, then do whatever you can to keep them from reaching these sites. Blacklist them locally using your security solution of choice with a web filter feature on your browser, on Windows via the HOSTS file (but take care not to put a lot of URLs there) or on a Mac.

Good luck!

The post Internet Safety Month: Everything you need to know about Omegle appeared first on Malwarebytes Labs.