IT NEWS

Internet Safety Month: 7 tips for staying safe online while on vacation

Going on vacation has never been more talked about and anticipated. I mean—for many of us, it’s been a while.

But before you get lost in dreamy thoughts of sun, sea, and sand, you might want to set aside some time to plan how to keep your devices, and your data, safe while you are relaxing.

Your devices need some prepping, too

Before anything else, know which devices you’ll bring and which ones you’ll leave at home. Then make backups of the files in them.

This is also the perfect time to look deeper into what’s on your devices, especially if you haven’t done any spring cleaning due to busyness. So update those apps that need updating and uninstall those that waste space; scan your devices with a trusty malware scanner, and change any duplicate passwords. Then follow these tips:

7 security and privacy tips that fit in your pocket

Ensure your devices have the “Find My Device” feature enabled. This feature isn’t just limited to Apple products, and can really help if you lose your device. You can remotely wipe a device if you lose it or even put a message on the screen with contact details in case it is found.

Be mindful of seasonal scams. Such scams may arrive via email, SMS, or social media. If a service offers rates that are too good to be true, asks for an upfront fee, or demands payments to be wired, avoid it.

Use 2FA. Make sure you lock your accounts behind two-factor authentication (2FA). This additional security measure makes them harder to compromise should someone get hold of your login details.

Turn off Bluetooth connectivity. Many people forget Bluetooth is there. As a rule of thumb, keep it switched off if you don't use it, and if you do need it, disable it whenever it's not in use.

Leave your device in the hotel’s safe. Hotel safes are there to keep anything of value safe. This includes your devices. When you’re not using a device, keep it in the safe—and remember the pin code!

Refrain from posting on social media about your vacation. This is good practice before you leave as well. You don’t want people knowing that your home will be empty, so save posting about your getaway until you are back home.

Feel free to use a VPN. Hotel and airport Wi-Fi is safer now than years ago, thanks to HTTPS everywhere. But if you still can’t shake the feeling of being “exposed,” use a VPN you trust. Malwarebytes has one.

The post Internet Safety Month: 7 tips for staying safe online while on vacation appeared first on Malwarebytes Labs.

Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13

At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the “supply chain.” Immediate stockpiling by an alarmed (and from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks.

In time, those items returned to stores. But then a big ship got stuck in the Suez, and once again, we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed with one major accident. They spread farther than we know.

While the calamity in the canal involved many lessons, there was another story in late 2020 that required careful study in cyberspace—an attack on the digital supply chain.

That year, attackers compromised SolarWinds, the Texas-based company that develops the Orion network management platform. Months before the attack was caught, the attackers inserted malicious code into a legitimately built and signed Orion software update. That code gave the attackers a backdoor into every Orion customer that downloaded and deployed the update on servers with outbound internet access. Though around 18,000 customers downloaded the tainted update, the number the attackers actually went on to compromise with follow-on malware was far lower, somewhere around 100 companies and about a dozen government agencies.

This attack, which did involve a breach of a company, had a broader focus—the many, many clients of that one company. This was an attack on the software supply chain, and since that major event, similar attacks have happened again and again.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kim Lewandowski, founder and head of product at Chainguard, about the software supply chain, its vulnerabilities, and how we can fix it.

“Our software supply chains are as brittle and sort of filled with weaknesses, similar to a physical supply chain. When you think about every step of the path from when a developer starts writing software all the way to where it’s pushed to production, or where the end user is using it, there’s different attack vectors across that entire path.”

Kim Lewandowski, founder, head of product, Chainguard Inc.

Tune in to hear about why the software supply chain is so difficult to secure, what is at stake if we continue to ignore the problem, and what steps we can take today—and tomorrow—to ensure that future software builds are secure and trustworthy.


You can find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes, resources, and credits:

Kubernetes diagram:

https://user-images.githubusercontent.com/622577/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

The post Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13 appeared first on Malwarebytes Labs.

ALPHV squeezes victim with dedicated leak site for employees and customers

Eyebrows were raised this week when the ALPHV ransomware group created a leak site dedicated to just one of its victims. The site was aimed at the employees and guests of a hotelier that had been attacked, and allowed them to see if their personal details had been leaked. The new tactic seems to be designed to create further pressure on the victim to pay the ransom.

The ransomware-as-a-service (RaaS) group ALPHV, also known as BlackCat and Noberus, is currently one of the most active. In our recent May ransomware review, only BlackBasta and the prolific LockBit accounted for more known attacks in the last month.

ALPHV ransomware is used by affiliates who conduct individual attacks, breaching organizations using stolen credentials or, more recently, by exploiting weaknesses in unpatched Microsoft Exchange servers. During the attacks, data is stolen and encrypted, and the victim is asked to pay a ransom both for a decryption tool and to prevent the stolen data from being leaked.

Although affiliates perform the attacks, the ransom negotiations and data leaks are typically coordinated from a single ALPHV website, hosted on the dark web.

But in this case neither of those two things were true.

Instead of hosting the stolen data on a site that deals with all the gang’s victims, this victim had a website dedicated to them. Bolder still, the site wasn’t on the dark web, where hosting is hard to locate and difficult to take down, but also hard for many people to reach. Instead it was on the regular world wide web, where we (and law enforcement) could easily discover things like where it was located and what company was hosting it. It was even indexed by Google.

(Image: The ransomware leak site was indexed by Google)

The aim seems to have been to make it as easy as possible for employees and guests to find their data, so that they would put pressure on the hotelier to pay up.

A message on the site makes it clear that this is about ramping up pressure:

Inaction endangers both your employees and your guests ... We strongly advise you to be proactive in your negotiations; you do not have much time. 

The 112GB of stolen data included personally identifiable information (PII) belonging to 1,500 employees and guests. The gang is reported to have created “data packs” for each employee, containing files related to their hotel employment.

(Image: Employees and guests could check if their data was part of the leak)

Ransomware groups use the dark web for their leak sites, rather than the regular web, because it makes the sites almost impossible to take down and their operators very hard to trace.

So, wouldn’t this make the site easy to take down, and leave the operators vulnerable?

Because this is unlike anything ALPHV has done before, it’s possible that this was done by an affiliate, and it may turn out to be a mistake. However, it’s likely the accounts for the site’s domain name and hosting were created using stolen data, leaving little for investigators to trace back. Equally, it may be that this was simply an experiment and that ALPHV were using the media to spread word of the site and weren’t expecting it to be around for very long.

Sure enough, the site disappeared from the web yesterday.

The post ALPHV squeezes victim with dedicated leak site for employees and customers appeared first on Malwarebytes Labs.

Interpol’s First Light operation smashes crime on a global scale

A large-scale Interpol operation has resulted in arrests and seizures of ill-gotten gains galore. Operation First Light took place between March and May of this year. It involved 76 countries taking social engineers and telecommunications fraudsters to task, with multiple wins for those involved.

Taking the fight to the scammers

The operation focused on several popular scams run by criminals the world over, including telephone scams, romance scams, email deception (including Business Email Compromise, which targets businesses), and related financial crime.

All around the world, law enforcement collected huge hauls of ill-gotten gains and electronic devices. Cash and forged official documents were seized in Hong Kong. Multiple national call centres suspected of telecommunications fraud were also raided. The haul in Portugal included dozens of laptops, mobile devices of all varieties, and stacks of counterfeit official documents. These results are just the tip of the iceberg.

When an operation gets results

First Light occurs annually and has been in operation since 2014. This year, it was funded by China’s Ministry of Public Security. Originally the project focused on Southeast Asia, and this is the second time the operation has gone global. Here are some of the preliminary findings from Interpol, with numbers subject to change as more details are confirmed:

  • 1,770 locations raided worldwide
  • Some 3,000 suspects identified
  • Around 2,000 operators, fraudsters and money launderers arrested
  • Roughly 4,000 bank accounts frozen
  • Some USD 50 million worth of illicit funds intercepted

At this stage, there are only a few examples of arrests and backgrounds to specific crimes available. Some notable examples have been given, however:

Based on intelligence exchanged in the framework of the operation, the Singapore Police Force rescued a teenage scam victim who had been tricked into pretending to be kidnapped, sending videos of himself with fake wounds to his parents and seeking a EUR 1.5 million ransom.

A Chinese national wanted in connection with a Ponzi scheme estimated to have defrauded nearly 24,000 victims out of EUR 34 million was arrested in Papua New Guinea and returned to China via Singapore.

Interpol also mentions 8 suspects arrested in Singapore for “Ponzi-like” job scams. In the example given, victims were lured with the promise of high-paying online marketing jobs. Small initial earnings led to situations where they had to recruit more members to earn commissions.

Trends and concerns

Some of the most pressing observations from the forces working this operation are as follows:

  • the way money mule herders are laundering money through the personal bank accounts of victims;
  • how social media platforms are driving human trafficking, entrapping people into forced labour, sexual slavery, or captivity in casinos or on fishing vessels;
  • an increase in vishing fraud with criminals pretending to be bank officials to trick victims into sharing online log-in details;
  • a growth in cybercriminals posing as INTERPOL officials to obtain money from victims believing themselves to be under investigation.

Impersonation of law enforcement and other official entities is a mainstay of email fraud and extortion scams. It’s also popular where scams involving visas are concerned. There can’t be many people who have yet to experience a fake banking SMS at this point. Social media has also been a problem where trafficking and forced labour are concerned for some time now.

Money muling and bogus jobs are big business, and make regular appearances on Malwarebytes Labs. Much of this ties into fake job opportunities. It can also occur as the result of email and social media outreach. If you’re really unlucky, you could be sucked into bogus NFT art projects which eventually offer up some malware. You may even be caught out by fake postings on legitimate job hunting portals.

For scammers, the sky’s the limit. It is, however, nice to see globally coordinated law enforcement operations making some sort of dent in proceedings. It’s up to us to pay attention to upcoming criminal trends, and do what we can to avoid falling for them.

The post Interpol’s First Light operation smashes crime on a global scale appeared first on Malwarebytes Labs.

Hertzbleed exposes computers’ secret whispers

Hertzbleed is the name for a vulnerability that can be used to obtain cryptographic keys and other secret data from Intel and AMD CPUs, remotely. It works because a processor power-saving feature called dynamic voltage and frequency scaling (DVFS) makes the CPU’s clock frequency depend on its power consumption, which in turn depends on the data being processed. Those frequency changes can be picked up by carefully timing known workloads.

A remote DVFS side channel

DVFS describes the adjustment of the voltage and clock speed of a computer’s processors, controller chips, and peripheral devices. By throttling the speed of the chips, DVFS can prolong battery life and reduce cooling costs.

When CPUs process data, transistors are switched on and off depending on the data being processed. Switching transistors uses energy. Consequently, running the same workload with different data may change the CPU’s power consumption.

Those differences trigger changes in the frequency set by DVFS, which means the same program will run at a different frequency, and so take a different amount of time, if the input is different, even if only slightly. Those frequency changes can be deduced by monitoring the time it takes for a server to respond to specific, carefully crafted queries.

This allows an attacker with a stopwatch and enough datapoints to perform a “side-channel” attack and infer the data the CPU was processing. (A side-channel attack is an attack based on information that can be observed because of the way a computer protocol or algorithm is implemented.)

Vulnerability or feature?

DVFS is a useful feature of modern processors. But like some other useful features of modern processors, it turns out to have a security downside. In this case, the downside has been assigned two CVEs:

  • CVE-2022-23823: A potential vulnerability in some AMD processors using frequency scaling may allow an authenticated attacker to execute a timing attack to potentially enable information disclosure.
  • CVE-2022-24436: Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.

Hertzbleed affects all Intel and several AMD processors. Other processor vendors which also implement frequency scaling in their products may be affected.

Should I worry?

As with many threats, the risk you are running very much depends on your threat model. If you are working with highly confidential data, and there is reason to believe that advanced threat actors might be after that data, then you may have a reason to worry about it. For anyone else, it’s something to be aware of, but not necessarily something you need to act upon.

It has long been known that attackers can extract secret cryptographic material from a chip by measuring the power it consumes while processing keys and other secret data. But exploiting power-analysis attacks against microprocessors has always been limited in practice because attackers had few viable ways to measure power consumption remotely while the secret material was being processed.

Hertzbleed lowers the bar by turning power side-channel attacks into timing attacks that can be carried out remotely. But recovering a full cryptographic key still takes many hours and a degree of network proximity. For example, the proof-of-concept attack took 36 to 89 hours to recover a full secret key from a system on the same network.

Most cybercriminals aren’t going to bother with Hertzbleed and will continue to rely on phishing, Word macros, skimmers, and other well worn tricks, but that doesn’t mean that advanced, well-resourced threat actors won’t.

According to Intel, which held the research results under embargo but decided not to deploy any patches:

“While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment.”

Mitigation

There are ways to disable the features that make Hertzbleed possible, but at a price: your system will be considerably slower. You would have to disable what Intel calls “Turbo Boost”, and AMD calls “Turbo Core” or “Precision Boost”. For more information, you can read the official security advisories by Intel and AMD.

The preferable way to mitigate is to deal with the vulnerability in the code of programs that handle cryptographic ciphers and other confidential data. Hertzbleed shows that current industry guidelines for how to write constant-time code (such as Intel’s) are insufficient to guarantee constant-time execution on modern processors. So improvements in that field will be necessary.
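The following is an added example, not code from the article or from the Hertzbleed paper. It shows concretely why code that passes the usual constant-time rules can still leak under DVFS: a branch-free conditional swap (the kind of primitive constant-time crypto is built from) executes the same instructions for both values of a secret bit, yet the number of bits that flip in its registers, used here as a crude stand-in for dynamic power, differs with the secret. The per-toggle timing shift and noise figures in `samples_to_distinguish` are hypothetical parameters, not measurements.

```python
"""Switching-activity model for a 'constant-time' conditional swap.

Added example. The Hamming weight/distance of the values written to registers
is a standard rough proxy for a CPU's dynamic power; Hertzbleed's point is that
DVFS turns such data-dependent power into data-dependent frequency and timing.
"""
from math import ceil

WORD_BITS = 64
MASK = (1 << WORD_BITS) - 1


def hamming_weight(x: int) -> int:
    """Number of set bits in a WORD_BITS-wide word."""
    return bin(x & MASK).count("1")


def hamming_distance(old: int, new: int) -> int:
    """Bits that toggle when a register holding `old` is overwritten with `new`."""
    return hamming_weight(old ^ new)


def ct_cswap(a: int, b: int, secret_bit: int):
    """Branch-free conditional swap: (a, b) if secret_bit == 0, else (b, a).

    Also returns the modelled number of bit toggles. No branch or memory
    access depends on secret_bit, so this satisfies the usual constant-time
    coding rules; only the operand values, and hence the modelled power, differ.
    """
    mask = (-secret_bit) & MASK          # all-zeros or all-ones
    t = (a ^ b) & mask                   # 0 or a ^ b
    a2 = a ^ t
    b2 = b ^ t
    toggles = (
        hamming_weight(mask)             # mask written into a cleared register
        + hamming_distance(a ^ b, t)     # masking the xor result in place
        + hamming_distance(a, a2)        # updating a
        + hamming_distance(b, b2)        # updating b
    )
    return (a2, b2), toggles


def leakage_profile(a: int, b: int):
    """Modelled toggles for secret_bit = 0 and 1 on the same public inputs."""
    return ct_cswap(a, b, 0)[1], ct_cswap(a, b, 1)[1]


def samples_to_distinguish(delta_toggles: float, per_toggle_ns: float,
                           noise_ns: float, z: float = 4.0) -> int:
    """Rough number of timing samples a remote 'stopwatch' needs.

    Hypothetical model: each modelled toggle shifts response time by
    per_toggle_ns and timing noise has standard deviation noise_ns. The gap
    between the two means is delta_toggles * per_toggle_ns; the standard error
    of a mean over n samples is noise_ns / sqrt(n). Requiring a z-sigma
    separation and solving for n gives the estimate returned here.
    """
    gap = delta_toggles * per_toggle_ns
    return ceil((z * noise_ns / gap) ** 2)


if __name__ == "__main__":
    print("toggles (secret=0, secret=1):", leakage_profile(5, 9))
    print("samples needed:", samples_to_distinguish(66, 0.01, 100.0))
```

The swap itself is correct and branch-free for both secret values, which is exactly what current constant-time guidance asks for; the toggle counts show that the guidance says nothing about how much data-dependent switching the operands cause, and that is the quantity DVFS exposes.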

Stay safe, everyone!

The post Hertzbleed exposes computers’ secret whispers appeared first on Malwarebytes Labs.

Photos of kids taken from spyware-ridden phones found exposed on the internet

A stalkerware-type app that boasts of being “the best free phone spying software on the market” has exposed the data it snooped from the phones it was installed on. The data exposed by TheTruthSpy included GPS locations and photos from victims’ phones, among them images of children and babies.

This news, first reported by Motherboard, is the latest in a lengthening list of spyware brands breached due to their poor cybersecurity hygiene. And TheTruthSpy is hardly the first of its kind to put kids’ data at risk.

The images exposed by TheTruthSpy were available to anyone who visited a particular URL on TheTruthSpy’s website. The photos included those of a young boy looking at the camera, a baby’s soiled diaper, a pet cat, and photos of the inside of someone’s home.

TheTruthSpy can be downloaded from the Google Play and Apple App stores. According to its website, it has 15+ features, including monitoring multiple communication apps, recording ambient voice, siphoning of photos, keylogging, and managing spying activities via a control panel. Any data retrieved from the target’s device is then uploaded to TheTruthSpy’s server, where clients can log in and view all collected data.

TheTruthSpy is maintained by 1Byte, a Vietnam-based company that handles multiple stalkerware-type apps. According to a Techcrunch exposé back in February, 1Byte was found exposing data from apps it manages due to a vulnerability in the app. It appears TheTruthSpy is suffering from the same flaw.

Stalkerware

Stalkerware is malicious in that it surreptitiously runs in the background while spying on people, usually without their knowledge.

Unlike other malware, it is also publicly available. Anyone with the means and intent can buy and use TheTruthSpy—all they need to do is download and install it onto target phones.

Not its first rodeo

This is the second time TheTruthSpy has had its data exposed. In 2018, a hacker going by the initials L.M. told Motherboard how he had infiltrated the stalkerware-type app’s servers and stolen client data, and then lost access after the company updated its servers.

“They take care about how to spy, and not take care about how they secure the attackers’ and victims’ privacy,” L.M. said at that time, criticizing TheTruthSpy for being untrue to its clients.

The post Photos of kids taken from spyware-ridden phones found exposed on the internet appeared first on Malwarebytes Labs.

Firefox stops advertisers tracking you as you browse, calls itself the most “private and secure major browser”

Cookies are in the news as Mozilla rolls out significant privacy changes for Firefox. The idea is to dramatically lessen the risk of privacy-invading tracking across websites without your knowledge. Tracking cookies have been a hot topic in recent months, as advertisers try switching to other methods of tracking. Will this make a noticeable difference to people’s everyday browsing experience?

What are cookies?

Cookies are pieces of information that websites can save in your browser. A site can ask the browser to store a cookie in response to any request the browser makes to it, whether for a page, an image, a download, or anything else. The browser keeps the cookie and sends it back to the website with subsequent requests until the cookie expires.

Expires? That’s right. Some cookies, called session cookies, expire once you close the browser. Others, persistent cookies, will remain on board until they eventually expire or you manually delete them. Humorously, some sites allow you to permanently opt-out of cookies and tracking by…asking you to accept permanent cookies which never expire.

Forget me not…but only sometimes

But how do these cookies, session or persistent, actually work?

Browsers and websites converse in a “stateless” fashion: every request is isolated from every other. There is nothing to link those requests together, and that’s where cookies come into play. Cookies act like a bridge for many day-to-day tasks inside your browser. The first time they converse, a website sends the browser a cookie, known as a first-party cookie, tied to a unique ID. The browser sends that unique ID back to the website with every subsequent request.

Through this, the sites you use are able to keep you logged in, remember what you’ve done, and keep the site working for your specific needs. While sites can read their own cookies, they can’t read cookies set for other websites. This is where third-party cookies come into play.

Third party tracking: An advertiser’s dream

A first-party cookie on a website is placed there by the website itself. A third-party cookie is set by someone else, like an advertiser or ad network, via code embedded in the page. Because the same third party is embedded on many sites, its cookie effectively follows you around the internet. This is why you start one day on a website offering up deals on movies you’re interested in, and then see adverts for those films at a cheaper price on another site the day after.

Slowly but surely, ad networks build up an incredibly accurate advertising profile of you as you move from one site to another. Depending on what’s being collected, you may end up with a huge slice of identifiable data tagged to your identity without you ever even seeing it yourself. It’s just there, and there’s not much you can do about it.

The cookie controversy

Third party cookies are not particularly popular. Ad tracking generally, even less so. Numerous questions of privacy and safety exist. Something else which exists: big fines. Not so long ago, Google and Facebook received fines for $157 million and $62 million respectively. This was for making cookies easier to accept than refuse.

Elsewhere, replacements of varying effectiveness have been proposed. Apple’s Safari blocks cross-site tracking cookies by default. Google plans to ditch third-party cookies in Chrome by the end of next year. The Brave browser is already taking action against something called bounce tracking.

With all this in mind: What is Mozilla doing?

Hands off the cookie jar

Users of Firefox will now find something called Total Cookie Protection ticking along in the background. Mozilla claims that this release makes Firefox:

The most private and secure major browser available across Windows, Mac, and Linux. Total Cookie Protection is Firefox’s strongest privacy protection to date, confining cookies to the site where they were created, thus preventing tracking companies from using these cookies to track your browsing from site to site.

Total Cookie Protection creates individual “cookie jars” for every website you browse. Trackers are no longer able to thread that analytics picture across the web. What you get up to on one site stays on one site. As a result, tracking/advertising services can no longer watch from afar as you move from URL to URL. Your analytics profile is no longer quite as useful to advertisers as it once was.

Those cookies are still able to provide analytics in terms of the site they’re on. The difference is they’re no longer as invasive in terms of building a big picture of your internet activities.

This new stack of cookie jars is in addition to a number of other privacy features already up and running, including Enhanced Tracking Protection. Around since 2018, ETP blocks trackers from a maintained list. If a party is on the list, they lose the ability to use third-party cookies.
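To make the first-party/third-party distinction and the effect of per-site cookie jars concrete, here is an added toy model of browser cookie storage. It is not Firefox code and ignores the Path, Secure, SameSite and Domain attributes; the hostnames and cookie values are constructed for the example. The same tracker cookie is stored twice, once while visiting one site and once while visiting another, and the model shows that partitioning by top-level site keeps the tracker from seeing the ID it set elsewhere.

```python
"""Toy cookie jar: session vs persistent cookies, with and without partitioning.

Added example, not browser code. Storage is keyed by the host that set the
cookie and, when partitioned, by the top-level site the user was visiting.
"""
from email.utils import parsedate_to_datetime


def parse_set_cookie(header: str, now: float):
    """Return (name, value, expires_at) from a Set-Cookie header value.

    expires_at is None for a session cookie (no Max-Age/Expires attribute).
    Max-Age takes precedence over Expires, as in browsers.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "max-age":
            expires = now + int(val)
        elif key == "expires" and expires is None:
            expires = parsedate_to_datetime(val).timestamp()
    return name.strip(), value, expires


class CookieJar:
    def __init__(self, partitioned: bool):
        self.partitioned = partitioned
        self.store = {}  # (partition_key, host) -> {name: (value, expires)}

    def _key(self, host: str, top_level_site: str):
        # Unpartitioned: one jar per host, shared across every site that embeds it.
        # Partitioned: a separate jar for each (top-level site, host) pair.
        return ((top_level_site if self.partitioned else None), host)

    def set_cookie(self, host, top_level_site, header, now):
        name, value, expires = parse_set_cookie(header, now)
        self.store.setdefault(self._key(host, top_level_site), {})[name] = (value, expires)

    def cookies_for(self, host, top_level_site, now):
        """Cookies the browser would attach to a request to `host` while on `top_level_site`."""
        jar = self.store.get(self._key(host, top_level_site), {})
        return {n: v for n, (v, exp) in jar.items() if exp is None or exp > now}

    def end_session(self):
        """Closing the browser drops session cookies; persistent ones survive."""
        for jar in self.store.values():
            for name in [n for n, (_, exp) in jar.items() if exp is None]:
                del jar[name]


def tracking_scenario(partitioned: bool):
    """Constructed scenario: does a tracker see its ID again on a second site?"""
    jar = CookieJar(partitioned)
    now = 1_700_000_000.0
    # On shop.example, an embedded tracker sets a one-year persistent ID cookie.
    jar.set_cookie("tracker.example", "shop.example", "uid=abc123; Max-Age=31536000", now)
    # An hour later the same tracker is embedded on news.example.
    return jar.cookies_for("tracker.example", "news.example", now + 3600)


def session_scenario():
    """Constructed scenario: a session cookie disappears after the browser closes."""
    jar = CookieJar(partitioned=True)
    jar.set_cookie("shop.example", "shop.example", "sid=42; Path=/", 0.0)
    jar.set_cookie("shop.example", "shop.example", "theme=dark; Max-Age=86400", 0.0)
    jar.end_session()
    return jar.cookies_for("shop.example", "shop.example", 10.0)


if __name__ == "__main__":
    print("unpartitioned, tracker sees:", tracking_scenario(False))
    print("partitioned, tracker sees:  ", tracking_scenario(True))
```

Note that in the partitioned case the tracker can still set and read a cookie on news.example; it simply gets a different, unlinked jar, which is why the page's own analytics keep working while the cross-site profile does not.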

A cookie clean up

No matter which browser you use, an occasional cookie clean up is a good idea. Check out our post on removing cookies, which covers removal instructions for Chrome, Firefox, Edge, Opera, Safari, and several mobile browsers too.

The post Firefox stops advertisers tracking you as you browse, calls itself the most “private and secure major browser” appeared first on Malwarebytes Labs.

Record breaking HTTPS DDoS attack

Last week, Cloudflare blocked the largest HTTPS DDoS attack on record. The attack amassed some 26 million requests per second (rps). The previous record for a HTTPS DDoS attack was 15.3 million rps.

The attack targeted an unnamed Cloudflare customer and originated mostly from Cloud Service Providers.

DDoS over HTTPS

DDoS stands for Distributed Denial of Service. This type of attack involves sending large amounts of traffic from multiple sources to a service or website, intending to overwhelm it and make it inaccessible for regular users. DDoS attacks have been growing considerably in number and scale over the past years.

DDoS attacks require traffic to come from many sources. IoT botnets offer large numbers of devices, but each device has little computing power, so generating this volume of HTTPS requests would take an enormous IoT botnet. This attack instead came from a small but powerful botnet of 5,067 devices. That, and the fact that the traffic originated from Cloud Service Providers, points to hijacked virtual machines and powerful servers being used to generate the attack.

What makes an HTTPS DDoS attack more expensive, in terms of computational resources, is that each request requires a TLS-encrypted connection to be established. The flip side for the attacker is that it also costs the victim more to mitigate.

The attack

Within less than 30 seconds, this botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries.

Even though 30 seconds is not that long, such an attack can disrupt an unprotected internet property like a network or online service for a long time. DDoS attacks can cripple some online businesses for a period of time long enough to set them back considerably, or even put them out of business completely for the length of the attack and some period afterwards.

Without knowing who the target was, it is hard to guess at the reason behind the attack. Application-layer denial-of-service attacks disrupt web servers and other kinds of networked software by leaving them unable to process legitimate requests.

The goal usually is the disruption itself or to abuse the vulnerable state in which it leaves the internet property.

Good news

International cooperation between the Federal Bureau of Investigation (FBI), the United Kingdom National Crime Agency, and the Dutch Police has brought an end to a DDoS-for-hire platform that gave threat actors short-term access to malicious infrastructure, letting them rent and select the DDoS attacks they wanted to launch. In this case an Illinois man running the websites DownThem.org and AmpNode.com was sentenced to 24 months in federal prison.

“Records from the DownThem service revealed more than 2,000 registered users and more than 200,000 launched attacks, including attacks on homes, schools, universities, municipal and local government websites, and financial institutions worldwide.”

The system used one or more dedicated attack servers to appropriate the resources of hundreds or thousands of other internet-connected servers in reflected amplification attacks.

A reflection amplification attack is a technique that allows attackers to both magnify the amount of malicious traffic they can generate and obscure the sources of the attack traffic.

Mitigation

Scrambling for a solution at the moment you find out you are the target of a DDoS attack is not the best strategy, especially if your organization depends on internet-facing servers. Without an automated defense, an attack like this one would very likely have ended before you even noticed, but the damage would have been done.

Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

  • On-premise protection (e.g. identifying, filtering, detection, and network protection)
  • Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing)

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to a cloud-based solution when it reaches a volume that the on-premise solution cannot handle.

Stay safe, everyone!

The post Record breaking HTTPS DDoS attack appeared first on Malwarebytes Labs.

Stealthy Symbiote Linux malware is after financial institutions

Symbiote, a new “nearly impossible to detect” Linux malware, targets the financial sector in Latin America, and the threat actors behind it might have links to Brazil. These findings were revealed in a recent report, a joint effort between the BlackBerry Research Team and Dr. Joakim Kennedy, a security researcher with Intezer.

Despite its name, this Trojan, first seen in November 2021, is more parasite than mutual benefactor in a symbiosis, according to Dr. Kennedy. And this is what sets Symbiote apart from other Linux malware.

“[I]t needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine.

Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.”

This abuse of the LD_PRELOAD environment variable is the “LD_PRELOAD trick” described in this post. Because Symbiote is a shared object, the threat actor can point LD_PRELOAD at its path, and the dynamic loader then maps the malicious library into every dynamically linked program before any other shared object, libc included. Since the loader resolves symbols in load order, any function Symbiote exports under the same name as a libc function is the one the program ends up calling, which is what the report means by “hijacking the imports” from other SO files.

This is what lets Symbiote hide on infected Linux machines.
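The trick above leaves traces that a defender can look for, even though a hooked process may be lied to about them. The following script is an added example for this article, not Symbiote code and not taken from the BlackBerry/Intezer report: it checks /etc/ld.so.preload (the file the loader consults to inject a library into every process), LD_PRELOAD in each process environment, and shared objects mapped into a process from outside the usual library directories. The sample /proc data, the library paths in it and the list of trusted directories are constructed assumptions for the example.

```python
"""Indicators left behind by LD_PRELOAD-style library injection on Linux.

Added example for this article; not Symbiote code and not from the report.
It checks the three places the trick leaves a trace:
  - /etc/ld.so.preload: libraries the loader injects into every process
  - LD_PRELOAD in a process environment (/proc/<pid>/environ)
  - shared objects mapped into a process (/proc/<pid>/maps) from outside
    the usual library directories, or listed in ld.so.preload
The sample data at the bottom is constructed; its paths are hypothetical.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption for this example: where legitimately installed libraries live.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
SO_PATH = re.compile(r"\S+\.so(\.\d+)*")


@dataclass(frozen=True)
class Finding:
    pid: Optional[int]   # None for system-wide indicators
    kind: str            # "ld.so.preload", "LD_PRELOAD" or "injected-so"
    detail: str


def parse_environ(blob: bytes) -> Dict[str, str]:
    """/proc/<pid>/environ is a sequence of NUL-terminated KEY=VALUE pairs."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_libraries(maps_text: str) -> Set[str]:
    """Distinct shared-object paths from /proc/<pid>/maps (the sixth column)."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and SO_PATH.fullmatch(fields[5]):
            libs.add(fields[5])
    return libs


def find_preload_indicators(ld_so_preload: str, procs: Dict[int, dict]) -> List[Finding]:
    """procs maps pid -> {"environ": bytes, "maps": str}. Findings come back in pid order."""
    findings: List[Finding] = []
    preloaded = {line.strip() for line in ld_so_preload.splitlines()
                 if line.strip() and not line.lstrip().startswith("#")}
    for path in sorted(preloaded):
        findings.append(Finding(None, "ld.so.preload", path))
    for pid, info in sorted(procs.items()):
        env = parse_environ(info.get("environ", b""))
        if "LD_PRELOAD" in env:
            findings.append(Finding(pid, "LD_PRELOAD", env["LD_PRELOAD"]))
        for lib in sorted(mapped_libraries(info.get("maps", ""))):
            if lib in preloaded or not lib.startswith(TRUSTED_LIB_DIRS):
                findings.append(Finding(pid, "injected-so", lib))
    return findings


def scan_live_system() -> List[Finding]:
    """Collect the same inputs from the real /proc (other users' processes need root)."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except OSError:
        preload = ""
    procs = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/environ", "rb") as fh:
                environ = fh.read()
            with open(f"/proc/{name}/maps") as fh:
                maps = fh.read()
        except OSError:        # process exited, or EACCES when not root
            continue
        procs[int(name)] = {"environ": environ, "maps": maps}
    return find_preload_indicators(preload, procs)


# Constructed sample: pid 1 is clean apart from a library forced in via
# ld.so.preload; pid 4242 was started with LD_PRELOAD pointing into /tmp.
SAMPLE_LD_SO_PRELOAD = "# hypothetical entry\n/usr/lib/x86_64-linux-gnu/libdemo_preload.so\n"
SAMPLE_PROCS = {
    1: {
        "environ": b"PATH=/usr/sbin:/usr/bin\0HOME=/\0",
        "maps": (
            "55d0c0a00000-55d0c0a2c000 r--p 00000000 08:01 1835 /usr/lib/systemd/systemd\n"
            "7f4a1c200000-7f4a1c3a0000 r-xp 00000000 08:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
            "7f4a1c3c0000-7f4a1c3c5000 r-xp 00000000 08:01 9911 /usr/lib/x86_64-linux-gnu/libdemo_preload.so\n"
            "7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]\n"
        ),
    },
    4242: {
        "environ": b"LD_PRELOAD=/tmp/.cache/libdemo.so\0PATH=/usr/bin\0",
        "maps": (
            "7f0a1c000000-7f0a1c1a0000 r-xp 00000000 08:01 2201 /lib/x86_64-linux-gnu/libc.so.6\n"
            "7f0a1c1c0000-7f0a1c1c4000 r-xp 00000000 08:01 7777 /tmp/.cache/libdemo.so\n"
            "7f0a1c1e0000-7f0a1c1e1000 rw-p 00000000 00:00 0\n"
        ),
    },
}

if __name__ == "__main__":
    for f in find_preload_indicators(SAMPLE_LD_SO_PRELOAD, SAMPLE_PROCS):
        print(f"{str(f.pid):>6} {f.kind:<14} {f.detail}")
```

Two caveats apply when you run scan_live_system() on a suspect host. LD_PRELOAD only affects dynamically linked programs and is ignored for set-user-ID binaries unless the library sits in a trusted directory, whereas /etc/ld.so.preload applies system-wide, so check both. And a scanner that itself has the malicious library preloaded reads /proc through hooked libc calls and may be shown a filtered view; run the check from a statically linked live-response tool or against an offline image of the disk when the result matters.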

Figure: Symbiote’s evasion techniques (Source: BlackBerry Threat Vector Blog)

Symbiote: the hows and whys of its ways

Once every running process carries the library, the whole machine is effectively under its control. Symbiote then uses its rootkit capabilities to hide itself and anything else the threat actor has dropped onto the device, including files, processes, and network artifacts. This makes detection and live forensic examination difficult.

Symbiote also gives threat actors a backdoor into the infected Linux machine: they can log in with a hardcoded password and obtain the highest level of privilege.

Per Dr. Kennedy, one notable aspect of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality, which it uses to hide malicious traffic on an infected Linux machine. When an administrator starts a packet-capture tool on the host, that tool installs a BPF program deciding which packets it receives; Symbiote inserts its own filter logic ahead of the tool’s, so traffic to and from the threat actor’s infrastructure is filtered out before the capture tool ever sees it. For a threat actor who does not want to alert system admins to any network shenanigans, this is an effective method.

Stealth, however, is only half of the job: Symbiote is also a credential stealer.

“The malware’s objective, in addition to hiding malicious activity on the machine, is to harvest credentials and provide remote access for the threat actor. The credentials are first encrypted with RC4 using an embedded key, and then written to a file.

In addition to storing the credentials locally, the credentials are exfiltrated. The data is hex encoded and chunked up to be exfiltrated via DNS address record requests to a domain name controlled by the threat actor.”
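The quoted pipeline (RC4 with an embedded key, hex encoding, chunking into A-record queries for an attacker domain) is easy to model, and modelling it shows what the channel looks like in a resolver log. The script below is an added example, not code from Symbiote or from the report: the first half builds the query names a sender would resolve, the second half scans constructed dnsmasq-style log lines for the pattern and reverses it. The RC4 key, the attacker zone, the per-query sequence label and the log format are all assumptions made for the example.

```python
"""Model of the DNS exfiltration channel described above, plus a detector.

Added example; not code from Symbiote or from the BlackBerry/Intezer report.
The RC4 key, the attacker domain, the leading sequence label and the
dnsmasq-style log format are assumptions made for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def exfil_query_names(plaintext: bytes, key: bytes, domain: str, chunk: int = 32) -> List[str]:
    """Encrypt, hex-encode and split into labels of `chunk` hex chars (63 is the DNS label limit).
    The leading sequence label is an assumption so the receiver can reorder chunks."""
    assert 1 <= chunk <= 63
    blob = rc4(key, plaintext).hex()
    return [f"{seq}.{blob[i:i + chunk]}.{domain}"
            for seq, i in enumerate(range(0, len(blob), chunk))]


# Detector side ---------------------------------------------------------------
HEX_LABEL = re.compile(r"[0-9a-f]{16,63}")
QUERY_LINE = re.compile(r"query\[A\] (\S+) from (\S+)")   # dnsmasq-style, constructed


def find_dns_exfil(log_lines: List[str], min_queries: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Group A-record queries by (client, zone) and keep groups that carry long
    hex-only labels at least `min_queries` times. Zone = last two labels, an
    assumption for the example; use a public-suffix list in production."""
    hits: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in log_lines:
        m = QUERY_LINE.search(line)
        if not m:
            continue
        name, client = m.groups()
        labels = name.rstrip(".").split(".")
        if not any(HEX_LABEL.fullmatch(label) for label in labels):
            continue
        hits[(client, ".".join(labels[-2:]))].append(name)
    return {key: names for key, names in hits.items() if len(names) >= min_queries}


def reassemble(names: List[str], key: bytes) -> bytes:
    """Reverse the channel: order by the sequence label, concatenate the hex, decrypt."""
    chunks = sorted((int(n.split(".")[0]), n.split(".")[1]) for n in names)
    return rc4(key, bytes.fromhex("".join(hexpart for _, hexpart in chunks)))


# Constructed demo data.
DEMO_KEY = b"embedded-rc4-key"          # hypothetical embedded key
DEMO_DOMAIN = "exfil.example.net"       # hypothetical attacker-controlled zone
DEMO_CREDS = b"user=alice pass=hunter2 host=db01.corp.internal\n"
DEMO_LOG = (
    ["Jun  9 10:00:00 dnsmasq[611]: query[A] www.example.com from 10.0.0.5",
     "Jun  9 10:00:01 dnsmasq[611]: query[A] 0123456789abcdef0123456789abcdef.cdn.example.org from 10.0.0.7"]
    + [f"Jun  9 10:00:02 dnsmasq[611]: query[A] {name} from 10.0.0.5"
       for name in exfil_query_names(DEMO_CREDS, DEMO_KEY, DEMO_DOMAIN)]
)

if __name__ == "__main__":
    for (client, zone), names in find_dns_exfil(DEMO_LOG).items():
        print(f"{client} -> {zone}: {len(names)} hex-label queries")
        print("recovered:", reassemble(names, DEMO_KEY))
```

The single hex-label query to cdn.example.org in the sample is deliberately left below the threshold: CDN, certificate-transparency and cloud hostnames often contain hex labels, so a real detector should weigh query volume per zone over time and keep an allowlist rather than alert on one name. Note also that these queries leave the host through the resolver, so the pattern is visible in resolver or network logs even when BPF hooking hides it from a packet capture on the infected machine.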

The researchers further report that the domains Symbiote uses impersonated Brazilian banks, suggesting Brazilian organizations are the targets of this campaign. The IP address behind these domains is linked to the Njalla Virtual Private Server (VPS) service. Furthermore, “Passive DNS records showed that the same IP address was resolved to ns1[.]cintepol[.]link and ns2[.]cintepol[.]link a few months earlier.”

Cintepol is the intelligence portal of the Federal Police of Brazil, through which officers access federal intelligence during investigations. The fake Cintepol domain was abandoned in January 2022 in favor of another domain pointing to a different Njalla VPS IP address.

Protect against Symbiote

The threat actors behind Symbiote put a lot of effort into keeping it under the radar. However, Mike Parkin, senior technical engineer at Vulcan Cyber, said in an interview with Dark Reading that network monitoring tools can still pinpoint the malicious traffic and, with it, the infected Linux system. That stands to reason: Symbiote’s BPF hooking only filters what packet-capture tools on the infected host see, so traffic observed at the resolver, a firewall, or a network tap is unaffected.

Parkin further added that several endpoint tools should be able to identify malicious changes on infected systems.

“There are also forensic techniques that can use the malware’s own behavior against it to reveal its presence,” Parkin noted. “They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ.”

The BlackBerry and Intezer report contains many indicators of compromise (IOCs) that admins can feed into their hunting and monitoring to check their Linux hosts for an infection.

You can also read our article on Malwarebytes’ EDR for Linux.

The post Stealthy Symbiote Linux malware is after financial institutions appeared first on Malwarebytes Labs.

It’s official, today you can say goodbye to Internet Explorer. Or can you?

Today, June 15, 2022, the Internet Explorer (IE) 11 desktop application goes out of support and is retired on certain versions of Windows 10.

The retirement consists of two phases. During the first phase—the redirection phase—devices will be progressively redirected from IE to Microsoft Edge over the following months.

The second phase of retirement is the Windows Update phase. After the redirection phase completes, IE will be permanently disabled through a future Windows Update on all devices with Windows platforms that are in-scope for IE retirement.

History

Internet Explorer 1.0 rendered its first websites in August 1995. In 2003, Microsoft retired the standalone version of the browser, but Internet Explorer lived on as a component of the operating system, with updates bundled into operating system upgrades.

Over the following years, despite everything Microsoft tried, Chrome took over as the most used browser. With Windows 10, Edge became the default Microsoft browser, but Internet Explorer could still be found in the Windows Accessories folder.

While Edge started out based on Microsoft’s EdgeHTML browser engine, it later switched to a Chromium-based model.

After all this, Microsoft felt it was time to phase out Internet Explorer.

Platforms

For now the retirement is only partial, even for Windows 10. In scope at the time of this announcement:

Internet Explorer 11 desktop application delivered via the Semi-Annual Channel (SAC):

  • Windows 10 client SKUs
  • Windows 10 IoT

Out of scope at the time of this announcement (unaffected):

  • Internet Explorer mode in Microsoft Edge
  • Internet Explorer platform (MSHTML/Trident), including WebOC and COM automation
  • Internet Explorer 11 desktop application on:
    • Windows 8.1
    • Windows 7 Extended Security Updates (ESU)
    • Windows Server SAC (all versions)
    • Windows 10 IoT Long-Term Servicing Channel (LTSC) (all versions)
    • Windows Server LTSC (all versions)
    • Windows 10 client LTSC (all versions)
    • Windows 10 China Government Edition

In-market Windows 10 LTSC and Windows Server releases are therefore unaffected by this change, and so are Windows Server 2022 and Windows 10 Enterprise LTSC 2021.

The end

During the first phase, users will find themselves redirected from IE to Microsoft Edge. This will not happen for all devices at the same time, which gives organizations a chance to identify and resolve any potential issues, such as missed sites, before the redirection happens on all devices within an organization.

The second phase is the Windows Update phase. Once redirection completes, a future Windows Update permanently disables IE on all devices running platforms that are in scope for retirement, and because Windows Updates are cumulative, that disablement persists in every subsequent update.

For those that can’t wait to get rid of Internet Explorer, Microsoft has published a blog to explain how to move forward. It’s also worth reading for system administrators that want to prepare for the second phase of the retirement process.

Not so much

Why not uninstall IE entirely, you may wonder. This isn’t recommended as Internet Explorer mode relies on Internet Explorer 11 to function. IE mode on Microsoft Edge makes it easy to use all of the sites your organization needs in a single browser. It uses the integrated Chromium engine for modern sites, and it uses the Trident MSHTML engine from Internet Explorer 11 for legacy sites.

Support for IE mode follows the lifecycle of current and future Windows client, Windows server, and Windows IoT releases (including Windows 11) at least through 2029.

Security angle

While your first response to the news might have been a sigh of relief, the stage exit of Internet Explorer does not bring any immediate security improvements. The holy grail of backward compatibility has thrown a wrench in the Microsoft works before and it will probably continue to do so, as long as we are afraid to say goodbye to legacy technology in a decisive manner.

Switching to a more secure platform makes all kinds of sense, but the gain is limited if the old, less secure platform stays in use on the side. Threat actors will prey on the old platform for as long as it is there.

Researchers will keep finding vulnerabilities in Internet Explorer components such as the MSHTML/Trident engine, which stays on the system even when nobody launches Internet Explorer anymore. And system administrators will keep finding endpoints or users that need Internet Explorer because some legacy resource requires it.

The post It’s official, today you can say goodbye to Internet Explorer. Or can you? appeared first on Malwarebytes Labs.