IT NEWS

Hunting down your data with Whitney Merrill: Lock and Code S03E11

Depending on where you live, you can ask a company to hand over all the data it has collected about you and, in a matter of weeks as mandated by law, that company has to fork that information over.

Whether the company will abide on time, however, is a different story.

In the European Union, the United Kingdom, and California, consumers have a leg up in understanding what data is collected about them, largely thanks to several laws passed in those regions in the last few years. And at least in California, people can request that a company hand over the data it has collected about them, even if they are not an active user of that company’s product or a customer of that company’s services.

That’s because in today’s world, your data is not collected only by the companies you directly interact with, but also by the companies that your friends and families interact with.

In February of last year, Whitney Merrill proved this was true when she requested her data from the then-popular app Clubhouse. Though Merrill did not have an account with the company and was not a user of the app, she proved that Clubhouse did have her phone number, which had been shared with Clubhouse by Merrill’s contacts who were active users.

Merrill, who has requested her data from several more companies since then, learned more about data privacy compliance than about just what is being collected about her. Each request, Merrill said, can be different from another, and each request is done separately, forcing users who want to learn more about how their data is collected to spend increasingly more of their own time—time which they may not realistically have. The entire model right now, Merrill said, has many flaws.

“We all interact with thousands and thousands of websites and providers that collect our data—maybe hundreds is probably a better number—in any given week or year. And, as a result, you have to go to each individual one and ask for access to your data… The burden is really on the end user.”

Whitney Merrill, Data Protection Officer and Privacy Counsel at Asana

This week on the Lock and Code podcast with host David Ruiz, we speak with Merrill about the difficulties of requesting your own data from a company and why some companies seem to interpret data privacy laws as mere suggestions. We also touch on proposed solutions to today’s problems with cross-border data transfers and what “data localization” may lead to in the future.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “God God” by Wowa (unminus.com)

The post Hunting down your data with Whitney Merrill: Lock and Code S03E11 appeared first on Malwarebytes Labs.

Unknown APT group has targeted Russia repeatedly since Ukraine invasion

An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.

The campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely. The malware uses a number of advanced tricks to hide what it does and how it works, but our analysts have been able to reverse engineer the malware, reveal its inner workings, and uncover some clues about its possible origins.

Attribution is always difficult, and there is no shortage of countries or agencies with an interest in getting covert access to Russian government computers—and the recent invasion of Ukraine has simply increased the stakes. Although our analysis and attribution efforts are ongoing, we have discovered some indicators that suggest the threat actor may be a Chinese group.

The campaigns

The APT group has launched at least four campaigns since late February, using a variety of lures, detailed below.

1. Interactive map of Ukraine

The threat actor started this campaign around February 26, 2022, and distributed its custom malware with the name interactive_map_UA.exe, trying to disguise it as an interactive map of Ukraine. This campaign began a few days after Russia invaded Ukraine, which shows the threat actor was monitoring the situation between Ukraine and Russia and took advantage of it to lure targets in Russia.

2. Log4j patch

In this campaign the threat actor packaged its custom malware in a tar file called Patch_Log4j.tar.gz, a fake fix for December’s high-profile Log4j vulnerability.

This campaign ran in early March and was primarily aimed at RT TV (formerly Russia Today or Rossiya Segodnya, a Russian state-controlled international television network funded by the Russian government). The APT group had access to the email addresses of almost 100 RT TV employees.

The emails were sent with the subject “Ростех. ФСБ РФ. Роскомнадзор. Срочные сиправления уязвимостей”, which translates into “Rostec. FSB RF. Roskomnadzor. Urgent Vulnerability Fixes”. (Rostec is a Russian state-owned defense conglomerate founded by Putin.)

The emails also come with a number of image files and a PDF attached, perhaps to make the email less suspicious, and to bypass any systems that flag emails by number of attachments.

[Image: A spear phishing email from an unknown APT group claims to have “urgent vulnerability fixes”]

The PDF attachment—О кибербезопасности 3.1.2022.pdf—pretends to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation”. It contains instructions about how to execute the fake patch, as well as a bulleted list of security advice such as “Use two-factor authentication”, “Issue separate credit cards for purchases”, and “Use Kaspersky antivirus”.

[Image: A PDF attachment tries to build trust with security advice and instructions on how to run the fake Log4j patch]

In a confident demonstration of just how little attention people pay to such lists, it ends with “Do not open or reply to suspicious emails.”

The list even includes a link to a page on VirusTotal that proclaims in bright green letters that “No security vendors and no sandboxes flagged this file as malicious”. This is just another effort to convince the victims that the attachment is not malicious—the file on VirusTotal has nothing to do with the attachment and appears to be a legitimate OpenVPN file.

[Image: The PDF attachment links to a VirusTotal entry for an unrelated file]

In another effort to build trust, the spear phishing email links to the website rostec.digital, a domain registered by the threat actor, hosting a site made to look like the official Rostec website.

This email also contains links to fake Instagram and Facebook accounts. Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign. This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group were planning this campaign long before the invasion of Ukraine.

[Image: The rostec.digital website]
[Image: The rostec.digital Facebook account]
[Image: The rostec.digital Instagram account]

3. Build Rostec

The Rostec defense conglomerate also appears in the third campaign. This time the threat actor used the file name build_rosteh4.exe for its malware—an apparent attempt to make it look like software from Rostec.

4. Saudi Aramco job

The most recent campaign occurred in mid April and used a Word document containing a fake job advert for a “Strategy and Growth Analyst” position at Saudi Aramco as a lure.

(We also discovered a self-extracting archive file that belonged to this campaign—the archive file used a Jitsi video conferencing software icon as a decoy, and created a directory named Aramco under C:\ProgramData.)

Although the job advert is written in English, it also contains a message in Russian, asking users to enable macros.

[Image: A malicious job advert urges Russian readers to enable macros]

The document uses remote template injection to download a macro-embedded template, which executes a macro that drops a VBS script called HelpCenterUpdater.vbs in the %USER%\Documents\AdobeHelpCenter directory.

The template also makes what seems to be a redundant check for the existence of %USER%\Documents\D5yrqBxW.txt, and only if that file doesn’t exist does it drop the script and execute it.

[Image: Macros embedded in the remote template]

The obfuscated HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the main payload—a DLL named GE40BRmRLP.dll—from its command and control (C2) server. (Interestingly, some anti-analysis code, and code responsible for persistence, seems to be commented out in UpdateRunner.vbs and isn’t executed.)

In another payload related to this campaign, the script seems to drop an EXE instead of a DLL, but after analyzing both it seems they share the same code.

[Image: Deobfuscated HelpCenterUpdater.vbs]

The job of the UpdateRunner.vbs script is to execute the DLL through rundll32.exe.

[Image: Deobfuscated UpdateRunner.vbs]

The malicious DLL contains the code that communicates with the C2 server and executes the commands it receives from it.

[Image: The attack chain for the Saudi Aramco-themed APT campaign]

The malware, which is common to all four campaigns, is explained in detail in the next section.

Payload analysis

This analysis focuses on the GE40BRmRLP.dll payload from the Saudi Aramco campaign, but the malware used in all four campaigns is essentially the same, with small differences in the code.

The DLL is heavily obfuscated and most of the library functions are statically linked. IDA is barely able to recognize any functions, though it was able to recognize a few that indicate the DLL was most likely compiled with LLVM. The DLL’s original name is supposed to be simpleloader.dll, as we can see after analyzing it a bit.

[Image: The DllMain function from GE40BRmRLP.dll]

Before we dive into the functionality and capabilities of this malware, let’s look at various methods it uses to make the analysis difficult for us.

Anti-analysis techniques

Control Flow Flattening

All of the samples used in these campaigns use control flow flattening heavily, a technique that flattens the nested structure of a program, making analysis very difficult. We used the D810 plugin for IDA which has the capability to deobfuscate flattened code and make the decompilation more readable.

Although there are many tools that can perform control flow flattening, in this case we suspect OLLVM—an obfuscator for LLVM—was used. The different samples had different levels of flattening, and OLLVM allows users to specify this. We also saw what looks like the Bogus Control Flow LLVM pass being used.

[Image: Control Flow Flattening used by the malware]

String obfuscation

The payload’s strings are obfuscated with simple single-byte XOR encoding. The decode_string function used to decode a string takes three arguments: the encoded string, the destination buffer for the decoded string, and the byte that is XORed with each character while decoding.

Each string is decoded every time it’s required by the malware.

[Image: The decode_string function from GE40BRmRLP.dll]
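An added analyst helper, not code from the article or from the malware, that mirrors the single-byte XOR scheme described above: decode_string is reimplemented in Python without the destination-buffer argument, and recover_key, which is this example's own addition, ranks all 256 candidate keys for a blob whose key byte was not captured. It assumes the encoded blobs include the string's NUL terminator (an assumption; the page does not say), and the sample blobs are constructed here rather than extracted from the payload.

```python
"""Analyst helper for the single-byte XOR string encoding described above.

decode_string follows the malware's scheme (encoded bytes XOR one key byte);
recover_key is an addition for blobs whose key byte was not captured.
The encoded samples at the bottom are constructed for this example.
"""
import string

# Substrings a RAT of this kind is likely to carry; several are named on the
# page (rundll32, computer name, the wSR query key). Used to rank key guesses.
KNOWN_TOKENS = (b"rundll32", b".exe", b".dll", b"http", b"wSR",
                b"GetComputerName", b"C:\\", b"Windows")
PRINTABLE = set(string.printable.encode())


def decode_string(encoded: bytes, key: int) -> bytes:
    """Decode one blob with the given single-byte key (the malware's scheme)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    out = bytes(b ^ key for b in encoded)
    # Assumption: the malware encodes C strings including the NUL terminator,
    # so a correctly decoded blob ends at its first NUL byte.
    nul = out.find(b"\x00")
    return out if nul < 0 else out[:nul]


def score_plaintext(candidate: bytes) -> int:
    """Plausibility score: -1 if any byte is unprintable, otherwise a bonus
    per known token plus the number of alphanumeric bytes (tie-breaker)."""
    if not candidate or any(b not in PRINTABLE for b in candidate):
        return -1
    tokens = sum(1 for tok in KNOWN_TOKENS if tok in candidate)
    alnum = sum(1 for b in candidate if chr(b).isalnum())
    return tokens * 8 + alnum


def recover_key(encoded: bytes):
    """Try every key byte and return (key, plaintext) with the best score."""
    best_key, best_text, best_score = -1, b"", -1
    for key in range(256):
        text = decode_string(encoded, key)
        score = score_plaintext(text)
        if score > best_score:
            best_key, best_text, best_score = key, text, score
    return best_key, best_text


def encode_string(plain: bytes, key: int) -> bytes:
    """Inverse of decode_string (XOR is symmetric); used only to build samples."""
    return bytes(b ^ key for b in plain + b"\x00")


# Constructed samples: strings the page says the payload needs, encoded here
# with arbitrary keys so that recover_key has something to work on.
SAMPLES = {
    "loader": encode_string(b"rundll32.exe", 0x5A),
    "query": encode_string(b"/?wSR=", 0x37),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        key, text = recover_key(blob)
        print(f"{name}: key=0x{key:02x} text={text!r}")
```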

Command and control

Before contacting its C2 server the malware derives an ID that is unique to each machine, so that the operators can tell infections apart. It builds the ID from the data returned by the following APIs:

  • GetFileAttributesA on the C:\Windows directory
  • GetComputerNameA
  • GetVolumeInformationA on the C: drive

It then calculates a hash of this data using the Blake2b-256 algorithm and sends it when it makes the first contact with its C2.

[Image: Deriving the ID]

The C2 address is decoded every time the malware sends a request. To communicate with the C2 the malware uses GET requests in the form url/?wSR=data, where data contains the encoded information.

Interestingly Any.run and Fiddler fail to capture the HTTPS requests made by the malware. To make them, the malware doesn’t use any library functions but instead implements everything over raw sockets, and it uses the WolfSSL library to implement SSL itself. Our analysis also uncovered traces of http-parser from ZephyrOS. The certificate used for the SSL communication is stored inside the binary as chunks of encoded strings. Initially the malware decodes this data and stores it. Later, while making the HTTPS request, it loads this data using WolfSSL’s loadX509orX509REQFromBuffer.

After making every request the malware sleeps for a random amount of time.

[Image: HTTPS GET request]
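The beacon format described above, turned into a defender-side log check (an added example, not code from the article): it flags GET requests to the C2 domains from the IOC list below or carrying the wSR query key. The proxy log format and the log lines are constructed for this example; because the malware does its own TLS over raw sockets, the URL is only visible where TLS is inspected, and DNS or host lookups of the listed domains are the fallback signal.

```python
"""Check web-proxy log lines for the url/?wSR=data beacon described above.

Log format assumed here (constructed for this example, not from the page):
    timestamp client_ip method url status
"""
from urllib.parse import parse_qs, urlsplit

# C2 domains as published in the article's IOC list, defanged with [.].
C2_DOMAINS_DEFANGED = (
    "windowsipdate[.]com",
    "microsoftupdetes[.]com",
    "mirror-exchange[.]com",
)
C2_DOMAINS = {d.replace("[.]", ".") for d in C2_DOMAINS_DEFANGED}
C2_QUERY_KEY = "wSR"  # the query parameter the beacon uses


def classify_request(url: str):
    """Return the list of reasons a URL matches the C2 pattern (empty = clean)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append(f"host {host} is a known C2 domain")
    # The page shows the beacon as url/?wSR=data; match on the query key so a
    # new, as yet unlisted C2 host using the same handler is still caught.
    query = parse_qs(parts.query, keep_blank_values=True)
    if C2_QUERY_KEY in query:
        reasons.append("request carries the wSR= query parameter used by the beacon")
    return reasons


def scan_proxy_log(lines):
    """Return (line_number, client, url, reasons) for every matching GET."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; nothing to classify
        _ts, client, method, url, _status = fields[:5]
        if method.upper() != "GET":
            continue  # the beacon is described as a GET request
        reasons = classify_request(url)
        if reasons:
            hits.append((number, client, url, reasons))
    return hits


# Constructed sample log: two benign lines, one hit on both indicators,
# one hit on the query key alone.
SAMPLE_LOG = """\
2022-05-18T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200
2022-05-18T10:00:07Z 10.0.0.5 GET https://windowsipdate.com/?wSR=ZGF0YQ== 200
2022-05-18T10:00:09Z 10.0.0.7 POST https://mail.example.com/api/send 200
2022-05-18T10:01:30Z 10.0.0.9 GET https://cdn.example.net/?wSR=aGVsbG8 200
""".splitlines()

if __name__ == "__main__":
    for number, client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: {client} -> {url}: {'; '.join(reasons)}")
```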

Based on the response to the above request, the malware decides which command to execute:

  1. getcomputername. This retrieves the computer name using GetComputerNameA and sends a response to the C2 containing the unique id and the computer name.
  2. upload. This receives a file name and file contents from the C2 which it writes to the local file system.
  3. execute. This receives a command line instruction from the C2 and executes it using CreateProcessA. If the command is successful then the malware sends the UID with the “OK” string to the C2, or the output of GetLastError if it fails.
  4. exit. This is used to terminate the malware process.
  5. ls. This command uses a directory name from the C2, or the name of the current directory if one isn’t provided. It uses the FindFirstFile and FindNextFile functions to retrieve a list of all the files under the directory and sends it back to the C2.

[Image: The upload command]
[Image: The List Files command]

Attribution

Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor.

All of the C2s are hosted at BL Networks, which has been used by Chinese APTs in the past. We also discovered infrastructure overlap between the malware we analyzed and the Sakula RAT malware used by the Deep Panda APT.

[Image: Infrastructure overlap between Sakula RAT and the malware analyzed in this article]

Another interesting indicator we found is that the macro used in the Aramco campaign is almost identical to some macros used by TrickBot and BazarLoader in the past. We think the actor may have used the same macro builder to generate its macro, possibly as a false flag. There are some other weak indicators, such as the use of WolfSSL, which has been seen with Lazarus and Tropic Trooper, but they are not enough to attribute the attack to any specific actor.

Malwarebytes customers were proactively protected against these campaigns thanks to our heuristic detection engines.


IOCs

C2 Domains

windowsipdate[.]com
microsoftupdetes[.]com
mirror-exchange[.]com

C2 IPs

168.100.11.142
192.153.57.83
45.61.137.211
206.188.197.35

Download Domain

fatobara[.]com

Download IP

91.210.104.54

Hashes

Name                 Hash
Final payload        cbde42990e53f5af37e6f6a9fd14714333b45498978a7971610acb640ddd5541
Patch_Log4j.tar.gz   4b622d63e6886b1430f6ca9cba519cbefde60cd8b6dbcade7c3a152c3930e7c7
PDF attachment       f4db6fa3a83052152b5d16dc6a4e9749afafc026612ff5c3ad735743736ac488

The post Unknown APT group has targeted Russia repeatedly since Ukraine invasion appeared first on Malwarebytes Labs.

A week in security (May 16 – 22)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (May 16 – 22) appeared first on Malwarebytes Labs.

Why you should act like your CEO’s password is “querty”

A poor password at the highest levels of an organisation can cost a company millions in losses.

Recent findings show that half of IT leaders store passwords in shared documents. On top of that, it seems that folks at executive level are not picking good passwords either. Researchers from NordPass combed through a large list of CEO and business owner breaches. Their findings should renew considerations for additional security measures at executive level.

The findings

The five most common passwords among C-level executives, managers, and business owners were “123456”, “password”, “12345”, “123456789”, and our old friend “qwerty”. Terrifyingly, but perhaps not surprisingly, this looks exactly like every other list of the most frequently used passwords, suggesting no extra precautions are in place (or enforced) at the top.

Executives really love to use the names “Tiffany”, “Charlie”, “Michael”, and “Jordan” for their passwords. I was curious to know if these are the names executives give their kids. My entirely unscientific trawl for the names of CEOs’ children turned up a list of the CEOs themselves. Henry, William, Jack, James, and David are all very popular names. This doesn’t match up with our list of password names. However, there is one list which claims that the Michaels of this world are most likely to become CEOs. Are CEOs naming their passwords after themselves? I’d like to think not, but then I probably wouldn’t have expected to be writing about “123456” either.

Animals and mythical creatures are popular choices. When executives aren’t naming passwords after themselves, they reach for dragons and monkeys, which are both incredibly popular and incredibly easy to guess.

Breaking and entering

Common ways corporate breaches and basic passwords spill all over the floor are issues we’ve covered at length. We recently highlighted recommendations from the Cybersecurity and Infrastructure Security Agency which deal with most of the causes of CEO password loss.

A combination of weak and reused passwords, and risky password-sharing habits make up the majority of hits on the “these passwords can lead to nothing good” indicator.

What happens when you combine bad password practices with human error and poor security infrastructure? These weak and obvious passwords just help to bring the whole thing crashing down that little bit faster.

There are some very smart attacks and compromises out there. Clever attackers can exfiltrate data from a network for weeks or months before making a more overt move. You’d expect people hijacking CEO data to be made to really work for it at every level. Sadly this research seems to suggest the opposite is happening in a lot of cases.

If nothing else, I’d love to see the actual response on the part of the criminals. What do they think when pulling down a C-Level executive’s data and discovering their email password is “sandwich”? Are they surprised? Is it business as usual? Do they think it can’t possibly be real, and they’re staring down the wrong end of a prank or law enforcement bust?

Is the CEO password sky falling? A word of caution…

There are some caveats here. The research doesn’t go into detail with regard to additional security measures in place. Yes, a CEO may have the worst password you’ve ever seen. That doesn’t mean the business has been popped right open.

Maybe they had two-factor authentication (2FA) set up. The password may be gone, but unless the attacker also has access to the CEO’s authentication app on their phone, it may not be much use. The CEO may use a hardware authentication token plugged into their desktop. Admins may have set up that one machine specifically for use by the CEO, for all CEO-related activity. It may not be usable remotely, and could be tied to a VPN as an added precaution.

Having said all of that

Manager? Use a password manager

If we’re talking purely about fixing the short, terrible, obvious passwords, then some additional work is required. 2FA, lockouts, and hardware tokens are great. Ultimately they’re fixing a myriad of additional problems regardless of whether the password is good or bad.

To fix bad password practices, we need to look to tools which can improve them and help keep them a bit more secure at the same time. I am talking about password managers, of course.

A password manager is a software application that gets around the twin evils of poor passwords and password reuse by creating strong, random passwords and then remembering them.

They can function online, so they are accessible via the web and can sync passwords between devices, or they can work entirely offline. Offline password managers are arguably more secure. Online components can add additional risk factors and a way for someone to break in via exploits. The important part is to keep the master password to access your vault secure, and to use 2FA if available for an additional layer of protection. Make your master password long and complex—don’t use “querty”.

Password managers with browser extensions can help deter phishing. Your password manager will object to entering a password into the wrong website, no matter how convincing it looks. No more risk of accidental logins!

Some password manager tools allow you to share logins with other users in a secure fashion. They don’t show or display the password to the other users, rather they just grant a form of access managed by the tool or app itself. If your CEO has no option but to share a password with somebody else, this is the only safe way to do it.

There’s never been a better time to wean ourselves away from shared password documents and the name “Michael” as the digital keys to an organisation’s kingdom. It’s perhaps time for CEOs and other executives to lead from the front where security is concerned.

The post Why you should act like your CEO’s password is “querty” appeared first on Malwarebytes Labs.

10 ways attackers gain access to networks

A joint multi-national cybersecurity advisory has revealed the ten weaknesses most often exploited by cybercriminals to gain access to organisation networks, as well as the techniques they use to get in.

The advisory cites five techniques used to gain initial access:

  1. Public facing applications. Anything internet-facing can be a threat if not properly patched and updated. Whether through a glitch, a bug, or a design flaw, a poorly secured website or database can be the launchpad for an exploit.
  2. External remote services. Theft of valid accounts is often combined with remote corporate services like VPNs or other access mechanisms. This allows attackers to infiltrate and persist on a network.
  3. Phishing. A mainstay of business-centric attacks, everything from spear phishing to CEO fraud and Business Email Compromise (BEC) lies in wait for unwary admins.
  4. Trusted relationships. Attackers will map out relationships between organisations. Third-party trusted access from one organisation to the target will itself become a target, used to gain access to otherwise unreachable internal networks.
  5. Valid accounts. These may be obtained by phishing, social engineering, insider threats, or carelessly handled data.

There’s some degree of overlap between most of these techniques, with some following on naturally from another. The advisory lists ten different areas for concern, which you can see below. If you recognise some as potential weak points, or your organisation has no policy on the issues raised, it may be time to take this bull by the horns.

10 ways attackers gain access to networks

1. Multifactor authentication (MFA) is not enforced

MFA is especially useful when bad actors have such a heavy focus on techniques like phishing, trusted relationships, and valid accounts. Any of these approaches could have serious long-term impacts on an affected organisation. It’s not just how they get in, but what they get up to afterwards.

A company struck down with ransomware and data exfiltration may have experienced several stages of attack to reach this point. Imagine if all of them had never taken place because the initial point of entry, a phished password, had been protected with MFA. An absolutely invaluable tool for all users, and especially for administrators or people with elevated privileges.

2. Incorrectly applied privileges or permissions and errors within access control lists

Users should only be able to access resources necessary for any given purpose. Someone accidentally granted admin level controls on a corporate website may cause chaos if their account is compromised, or they leave the business and nobody revokes access. On a similar note, Access Control Lists (ACLs) used to filter network traffic and/or grant certain users file access can go bad quickly if users are granted the wrong access permissions.

3. Software is not up to date

Asset and patch management will help keep operating systems and other key software up to date. Vulnerability scans are valuable for assessing which software is unsupported, in an end-of-life state, or another category which means continuous updating may be difficult. Outdated software ripe for attack via exploits is one of the most common bad practices leading to network compromise.

4. Use of vendor-supplied default configurations or default usernames and passwords

Off-the-shelf hardware using default setups is a no-go for business. There’s a very good chance default usernames and passwords are easily available online, in everything from access dumps to generic questions on help sites. Not changing defaults on both hardware and software is one of the most common ways an organisation is breached without knowing about it.

Depending on where you live, default passwords may be a major point of concern not just in a business sense but in a very legal one too. Default configurations are now running the risk of bans and fines.

5. Remote services—such as a virtual private network (VPN)—lack sufficient controls to prevent unauthorized access

Additional security and privacy tools require care with regard to setup and configuration. A poorly-designed workplace VPN may be easily accessed by an attacker, and could also help mask exploration and exploitation of the network. MFA is useful here, as is monitoring connection times for abnormal use patterns such as suddenly connecting to the VPN outside of work time.

6. Strong password policies are not implemented

Insufficient and weak passwords are a key way to gain a foothold on the network. Poor Remote Desktop Protocol (RDP) setups are hit particularly hard by bad password practices. It’s a common way ransomware attacks begin life on a corporate network.

Password guessing tools will keep trying until they hit a weak password and gain entry into the target organisation. One way to combat this is to limit the number of login attempts via RDP before locking the user out.

7. Cloud services are unprotected

Unprotected cloud services are a permanent feature of security breach stories. Default passwords, and in some cases no passwords, allow easy access to both corporate and client data. Aside from the actual harm of people’s data being left lying around, the reputational damage for those responsible can be immense. It’s much better not to end up in this scenario in the first place.

8. Open ports and misconfigured services are exposed to the Internet

Criminals use scanning tools to discover open ports and leverage them as attack vectors. Compromising a host in this way can open the door to multiple follow-on attacks after initial access. RDP, NetBIOS, and Telnet are all potentially high-risk on an insecure network.

9. Failure to detect or block phishing attempts

Malicious macros in Word documents or Excel files are a key feature of business-centric phishing attacks. They may be a little closer to being ushered through the exit, thanks to recent permission changes in Office products which make it harder to run them.

Even without the threat of bogus attachments, phishing is still a huge problem for administrators. Failing to scan mail coming into the network, or to check messages from internal senders for signs of compromised accounts, adds to this issue. This internal threat is another area where MFA will help greatly. A policy for swift disabling and deletion of accounts for departed employees should also be considered.

10. Poor endpoint detection and response

Cybercriminals frequently make it as hard as possible to identify the attacks they use. Malware is packed in certain ways to avoid detection and identification. Malicious scripts uploaded to websites are obfuscated so it’s difficult to figure out exactly what they’re doing.

Is your website playing host to a card skimmer or SEO poisoning and spam redirection? Without the right tools and analysis, it may take much longer to figure out and your business will suffer for the duration.

Best practices to protect your systems

The advisory includes a helpful list of ways to combat some of these issues:

  • Control access: Rigorously policing who can access what, when, and how is important. Allow local logins only for administrators, and bar them from using RDP unless absolutely necessary. Consider dedicated admin workstations if feasible. Everyone should have access only to what is required to do their job, with a proper business process required to authorise additional permissions. If employees change roles or leave the organisation, revoke their access immediately.
  • Harden credentials: MFA across all areas of the organisation is again key here. Consider physical hardware tokens for those with access to business-critical services. Where MFA is not available for certain employees, use other controls to minimise unauthorised logins. A rigorous password policy, combined with checks on the device used, time of day, location, and user history, helps build a picture of what a legitimate login for that employee looks like.
  • Establish centralized log management: Log generation and retention are essential for many aspects of security. Data from intrusion detection tools helps build a picture of potentially malicious activity, where it comes from, what time of day, and so on. Determine which logs you require. Do you need a full picture of cloud activity? Is system logging important? Are you able to capture activity on the network? Decide on a retention period. Too short, and you may need logs that no longer exist. Too long, and there may be privacy issues around what you’ve captured and retained. Safe storage is also important, as you don’t want attackers tampering with or deleting the data you’ve collected.
  • Use antivirus solutions: Workstations require security software capable of dealing with exploits that need no user interaction as well as attacks that rely on social engineering. Desktop hijacks, malvertising, and bogus attachments are just some of the threats to consider. Routine review of scan results helps identify weak spots in your security perimeter.
  • Employ detection tools: An Intrusion Detection System (IDS) helps spot malicious network activity. Penetration testing can expose misconfigurations in the services listed above, such as cloud and VPNs. Cloud service provider tools help pinpoint overshared storage and irregular or abnormal access.

Stay safe out there!

The post 10 ways attackers gain access to networks appeared first on Malwarebytes Labs.

VMWare vulnerabilities are actively being exploited, CISA warns

The Cybersecurity & Infrastructure Security Agency (CISA) has issued Emergency Directive ED 22-03 and released a Cybersecurity Advisory (CSA) about ongoing and expected exploitation of multiple vulnerabilities in several VMware products.

Chaining unpatched VMware vulnerabilities

The title of the advisory is “Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control”. That’s a bit confusing, since patches are available for these vulnerabilities; what is being exploited are systems that have not applied them.

The advisory warns organizations that malicious threat actors, most likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.

CVE-2022-22954: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

Server-side template injection (SSTI) occurs when untrusted input is placed into a template’s source rather than passed to the template as data. The engine then interprets attacker-controlled text as template syntax and executes it on the server.
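To make the distinction concrete, here is an added example, not code from VMware or from the advisory. The toy `render` function is a constructed stand-in for a real template engine (the page does not name the engine involved): it evaluates whatever sits inside `{{ ... }}` tags, which is the behaviour SSTI abuses. The vulnerable handler concatenates user input into the template source; the safe handler keeps the source constant and passes the input as context data. `ssti_probe` is the usual arithmetic probe a tester sends to tell the two apart.

```python
import re

_TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def render(template: str, context: dict) -> str:
    """Toy template engine (constructed for this example): every {{ expr }} tag is
    evaluated as a Python expression against `context`, much as real engines
    evaluate expressions inside their tags. Builtins are stripped only to keep
    the demo tame; this is not a sandbox."""
    def expand(match):
        return str(eval(match.group(1), {"__builtins__": {}}, dict(context)))
    return _TAG.sub(expand, template)


def greet_vulnerable(user_input: str) -> str:
    # BAD: untrusted input becomes part of the template *source*, so any
    # {{ ... }} the attacker supplies is parsed and evaluated by the engine.
    return render("Hello " + user_input + "!", {})


def greet_safe(user_input: str) -> str:
    # GOOD: the template source is a constant; untrusted input is passed as
    # data in the context and is only ever printed, never parsed.
    return render("Hello {{ name }}!", {"name": user_input})


def ssti_probe(handler) -> bool:
    """Canonical SSTI check: if an arithmetic tag comes back evaluated, the input
    reached the template parser. Returns True when `handler` is injectable."""
    return "49" in handler("{{ 7*7 }}")


if __name__ == "__main__":
    for name, handler in (("vulnerable", greet_vulnerable), ("safe", greet_safe)):
        print(f"{name:10s} -> {handler('{{ 7*7 }}')!r}  injectable={ssti_probe(handler)}")
```

In a real engine the same concatenation mistake hands the attacker the engine’s object model rather than just arithmetic, which is how an SSTI becomes remote code execution; the fix is always the same shape as `greet_safe`.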

CVE-2022-22960: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to root.

Both vulnerabilities were patched on April 6, 2022, but it took threat actors less than 48 hours to reverse engineer the vendor updates, develop an exploit, and start attacking unpatched devices.

On May 18, 2022, CISA said it expects threat actors to quickly develop the capability to exploit CVE-2022-22972 and CVE-2022-22973 as well.

CVE-2022-22972 is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users. A remote attacker able to reach the user interface could bypass authentication to these products.

CVE-2022-22973 is a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager. An attacker needs local access to a vulnerable instance; successful exploitation grants “root” privileges.

Mitigation

CISA strongly encourages all organizations to deploy the updates provided in VMware Security Advisory VMSA-2022-0014 or remove affected instances from their networks. CISA added CVE-2022-22954 and CVE-2022-22960 to its catalog of known exploited vulnerabilities, and federal executive branch departments and agencies were required to patch them by May 5 and May 6 respectively. It stands to reason that the two new vulnerabilities will follow suit.

CISA encourages organizations with affected VMware products that are accessible from the Internet to assume they have been compromised and to begin threat hunting. To help, CISA has provided detection methods and indicators of compromise (IOCs) in the CSA.

In the Response Matrix, as listed in the VMWare advisory, you can find the impacted products and versions.

The post VMWare vulnerabilities are actively being exploited, CISA warns appeared first on Malwarebytes Labs.

Cardiologist moonlighted as successful ransomware developer

The US has charged a 55-year-old French-Venezuelan cardiologist from Venezuela with “attempted computer intrusions and conspiracy to commit computer intrusions”. This was revealed in an unsealed complaint in a federal court in Brooklyn, New York.

Moises Luis Zagala Gonzales worked as a ransomware developer on the side, renting out and selling ransomware tools to cybercriminals. He is known by many names—all related to his line of work—in the criminal underground: “Nosophoros” (Greek for “disease-bearer” or “diseased”), “Aesculapius” (Greek God of Medicine and Doctors), and “Nebuchadnezzar” (famed Babylonian king responsible for conducting the first recorded clinical trial in history).

US Attorney Breon Peace, who announced the charges, said:

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran. Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations.”

Jigsaw v2 and Thanos are Zagala’s creations

Jigsaw made its first appearance in 2016. Initially called “BitcoinBlackmailer”, Jigsaw became a memorable ransomware strain in that it depicted Billy the Puppet, a macabre figure from the popular thriller franchise Saw.

malwarebytes jigsaw ransom note
The Jigsaw ransomware ransom note (Source: Marcelo Rivero | Malwarebytes)

Saw-inspired, Jigsaw puts pressure on victims to do what they’re told: Pay up now, or more of your files will be deleted every hour you delay. On top of this, it also has (in Zagala’s description) a “Doomsday” counter that counts the times a user attempts to terminate the ransomware.

“If the user kills the ransomware too many times, then it’s clear he won’t pay, so better erase the whole hard drive,” Zagala wrote about the tool.

The Thanos ransomware, Zagala’s second ransomware tool, was advertised as a “Private Ransomware Builder” in 2019. Presumably, he named it after a malevolent comic villain, who is based on “Thanatos”, the personification of death in Greek mythology.

malwarebytes thanos ransom note
The Thanos ransomware ransom note (Source: Marcelo Rivero | Malwarebytes)

Thanos allowed criminals to create their own unique ransomware strain, which they could then rent out to other criminals. Interested criminals could purchase a license for Thanos or join Zagala’s affiliate program, where he received a cut of the ransom payout.

The complaint alleged Zagala bragged that Thanos was “nearly undetected” by antivirus software. After encrypting all files, Thanos also deletes itself, making detection and recovery “almost impossible” for the victim.

MuddyWater, an Iranian APT, used Thanos ransomware to attack Israeli entities in September 2020. In June 2020, Hakbit, a Thanos offshoot, was used in attacks against pharmaceutical and healthcare sectors (among others) in Austria, Switzerland, and Germany.

“Malware analysts are all over me”

According to the FBI, Zagala began appearing online as “Nebuchadnezzar” because “malware analysts are all over me”.

Around May 3, 2022, law enforcement agencies interviewed a relative of Zagala who lives in Florida. Zagala used this relative’s PayPal account to receive his ransomware earnings.

The relative provided details that helped establish Zagala’s link to the ransomware activity, as both creator and underground businessman. They revealed that Zagala taught himself computer programming, and the contact details they had for him matched the registered email associated with the Thanos infrastructure.

Zagala is facing up to ten years’ imprisonment if convicted.

The post Cardiologist moonlighted as successful ransomware developer appeared first on Malwarebytes Labs.

How iPhones can run malware even when they’re off

Most people think that turning off their iPhone – or letting the battery die – means that the phone is, well, off. The thing is, this isn’t quite true. In reality, most of the phone’s functionality has ended, but there are components that mindlessly continue a zombie-like existence, for the most part unbeknownst to the user.

Even when the battery dies in your iPhone, it’s not truly dead. The phone shuts itself down to conserve the last of its power and enters a low power state that is very different from the Low Power Mode offered when the battery drops to 20% and found in the battery settings. These last trickles of power keep certain limited functionality active for some time. The same is true of turning the phone off, except that with a fuller battery this functionality can stay active much longer.

What is this functionality? Most notably, Express Cards – payment cards used with public transit systems – can continue to work in such a state. So can things like digital home or car keys, which seems logical. After all, you don’t want to get locked out just because your iPhone battery died!

More surprising is that the iPhone’s Find My capabilities continue to function. This means that the phone’s location can still be tracked, in a manner similar to how AirTags work, even after it has been turned off.

Is this a problem or not a problem?

Much ado has been made in the past of the use of things like Express Cards, which can be used without authentication. Someone could potentially jostle you in a public place and scan your phone with a fake public transit payment terminal, thus skimming money off the card you have set as an Express Card. That’s 100% possible, but not really all that likely.

Not to mention that there’s a simpler scenario. Someone could pull the same trick with a normal payment terminal, rather than one pretending to be a public transit terminal, and the tap-to-pay cards in your wallet. That’s a much simpler scenario with a much higher probability of success.

Similarly, digital keys could be used to access your car or your home, if someone stole your phone. Of course, that’s assuming they could figure out where your car or your home are from a locked phone, which is a pretty big “if” unless the thief had some prior knowledge.

In this regard, your phone doesn’t really pose much more of a risk than other things you’d have on your person. Of course, this is highly dependent on circumstances. For example, stealing a phone left on a table while the owner’s not paying attention would be a lot easier than stealing a wallet and keys from someone’s pocket. On the other hand, if a thief snatches someone’s purse or backpack, they may get phone, keys, and wallet, and the phone could easily be the least useful of the three.

Find My, on the other hand, is a bigger problem.

What’s the problem with Find My?

The major use cases for Find My are for you to find a lost device, or for someone you’ve shared your location with to find you. So what’s the problem? I mean, these are situations where you fully intend for your phone to be trackable, right? Unfortunately, there are scenarios that are not so beneficial.

Consider stalking or abuse scenarios where the stalker knows your Apple ID credentials, or has been given – through stealth or bullying – the ability to see your location. This is often the case with intimate partner abuse, for example. If you are in such an abusive situation, you may be under the false impression that turning your phone off will temporarily stop the tracking. Alas, that is not the case, and this could be a painful lesson to learn… both literally and figuratively.

However, there’s a possibility of still worse problems, like malware.

Wait… what?! Did you say malware?

Indeed. German researchers recently found that the Bluetooth firmware, which manages the Bluetooth Low Energy (BLE) communication Find My relies on, is not cryptographically signed. Because it is not signed, modifications to the firmware cannot be detected without comparing it to a known-good copy.

Since BLE communication continues when the phone is off, the researchers found that there is a theoretical possibility that malware on the device could modify the Bluetooth firmware, thus installing malicious code that could continue to run even when the phone appears to be off. The most likely use case for such malware would be to use the BLE tracking capabilities to monitor the phone’s location.
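The fallback the researchers describe, comparing firmware to a known-good copy, looks like this in practice. This is an added illustration, not the researchers’ tooling or anything Apple ships: the image, its region layout and the “implant” are constructed stand-ins, and real BLE firmware is neither this small nor laid out this way. The point it makes is that without a signature the defender must hold a trusted digest manifest somewhere the attacker cannot reach and diff against it.

```python
import hashlib
import hmac

# Constructed sample image: a few named regions of fake firmware bytes.
KNOWN_GOOD = {
    "bootstrap": b"\x00" * 64 + b"BOOT",
    "ble_stack": b"\x7fELF" + b"ble-stack-v1" * 4,
    "find_my_beacon": b"beacon-config-" + bytes(range(32)),
}


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_manifest(image: dict) -> dict:
    """Record a per-region SHA-256 digest for an image we trust. The manifest must be
    taken from a pristine image and stored off the device, or it proves nothing."""
    return {region: digest(blob) for region, blob in image.items()}


def verify(image: dict, manifest: dict) -> list:
    """Return the regions that differ from the manifest (empty list means clean).
    Regions present on only one side are reported as well, since an implant may
    add a region rather than patch one."""
    findings = []
    for region in sorted(set(image) | set(manifest)):
        if region not in image or region not in manifest:
            findings.append(region)
            continue
        if not hmac.compare_digest(digest(image[region]), manifest[region]):
            findings.append(region)
    return findings


def tampered_copy(image: dict) -> dict:
    """Simulate an implant that patches the BLE stack and leaves the rest untouched."""
    patched = dict(image)
    patched["ble_stack"] = image["ble_stack"] + b"\x90\x90implant"
    return patched


MANIFEST = build_manifest(KNOWN_GOOD)

if __name__ == "__main__":
    print("clean image:", verify(KNOWN_GOOD, MANIFEST) or "no differences")
    print("tampered image:", verify(tampered_copy(KNOWN_GOOD), MANIFEST))
```

A digest manifest only tells you that something changed; a signature checked by the chip at load time would refuse to run the change in the first place, which is why the missing signature, not the missing manifest, is the finding.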

Now, before you go chucking your phone in the garbage or smashing it with a hammer, let’s keep in mind that this is all theoretical at the moment. Compromising the firmware would require a jailbreak, which is not an easy thing to accomplish remotely. Physical access lowers the difficulty level, but it’s still not likely that this technique could be used by most adversaries.

How can I protect myself?

If you’re in a situation where an abuser is monitoring your location, you should be aware that turning off your phone will not stop the tracking. For those in such situations, we advise seeking help, as disabling the tracking could have bad consequences. If you need to not be tracked for a while, leave your phone in a location where it’s reasonable to expect you might spend some time.

When it comes to malware, there’s not much to worry about at present. There’s no known malware using BLE firmware compromise to remain persistent when the phone is “off.” Further, unless you are likely to be targeted by a nation-state adversary – for example, if you are a human rights advocate or journalist critical of an oppressive regime – you’re not likely to ever run into this kind of problem. (If that ever changes, you can be sure we’ll cover that here!)

If you actually are a potential target for a nation-state adversary, don’t trust that your phone is ever truly off. In such a case, a Faraday bag, or a low-tech flip phone, might be a good investment!

The post How iPhones can run malware even when they’re off appeared first on Malwarebytes Labs.

Sysrv botnet is out to mine Monero on your Windows and Linux servers

In a Twitter thread, the Microsoft Security Intelligence team has revealed new information about the latest versions of the Sysrv botnet.

The variant they focused on uses a range of known exploits for vulnerabilities in web apps and databases to install cryptocurrency miners on both Windows and Linux systems.

Background

The Sysrv botnet first received attention at the end of 2020 because, at the time, it was one of the rare malware families written in Go (often called Golang). Since then the botnet has evolved, gained new features, and changed its behavior. One advantage of Go for malware authors is that it makes multi-platform malware easy: the same codebase can be built for Windows and Linux machines.

The latest Sysrv variant scans the Internet for web servers that have security holes offering opportunities such as path traversal, remote file disclosure, and arbitrary file download bugs. Really, any vulnerability that can be exploited to infect the machines.

Once it has gained a foothold and the bot malware is running on a compromised system it deploys a Monero cryptocurrency miner.

The favorite cryptocurrency

The most popular cryptocurrency for attackers to mine is Monero. Monero is a cryptocurrency designed for privacy, promising “all the benefits of a decentralized cryptocurrency, without any of the typical privacy concessions”.

Contrary to what many people think, no cryptocurrency is anonymous, but there are other reasons why cryptojackers favor Monero:

  • Many cryptomining algorithms run significantly better on ASICs or GPUs, but Monero mining algorithms run better on CPUs, which matches what the cryptojacker can expect to find in a containerized environment.
  • Like Bitcoin, Monero is one of the better known cryptocurrencies and therefore is expected to hold its value. That’s a big perk given the unrest in cryptocurrency markets at the time of writing.

With cryptocurrencies, users hide behind a pseudonym, like one or more wallet IDs. Their activities can be tracked—forever—so keeping their identity secret depends on how well they can separate their real identity from their wallet IDs.

Linux malware

While Linux malware was almost unheard of a few years ago, a couple of factors have “helped” the development of malware that targets Linux-based systems. One is the availability of languages like Go that make multiplatform malware easy to build. Another is the use of Linux as the go-to operating system for many IoT devices.

IoT malware has matured over the years and has become popular, especially among botnets. With billions of Internet-connected devices like cars, household appliances, surveillance cameras, and network devices online, IoT devices are a very large bullseye for botnet malware.

The number of malware infections targeting Linux devices rose by 35% in 2021, most commonly to recruit IoT devices for distributed denial of service (DDoS) attacks. And around 95% of web servers run on Linux.

Vulnerabilities

Like many other botnets, Sysrv weaponizes bugs in WordPress plugins and in the Spring Framework. It can also rifle through WordPress files on compromised machines to take control of the web server software. According to Microsoft:

“A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server.”

The latest Sysrv variant also scans for Secure Shell (SSH) keys, IP addresses, and host names on infected machines so that it can use this information to spread via SSH connections. SSH keys are an access credential used in the SSH protocol and are foundational to modern Infrastructure-as-a-Service platforms such as AWS, Google Cloud, and Azure.
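The two harvesting behaviours just described, WordPress config backups holding database credentials and SSH private keys, are exactly the artifacts a defender should hunt for before the bot does. The script below is an added example, not Microsoft’s or the Sysrv code: it walks a directory tree, reports `wp-config.php` and its backup copies along with which `DB_*` constants they define, and flags any file that starts with a private-key header. The web root it scans is a constructed fixture built in a temp directory so the example runs offline.

```python
import os
import re
import stat
import tempfile

# wp-config.php plus the backup names admins leave beside it (.bak, .old, .save, ~ ...).
WP_CONFIG = re.compile(r"^wp-config\.php(?:\.\w+|~)?$", re.I)
# PEM/OpenSSH private-key headers, checked against the first few KB of every file.
PRIVATE_KEY_HEADER = re.compile(rb"^-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----", re.M)
# define('DB_NAME', ...) style constants, which is what the bot reads to reach the database.
DB_DEFINE = re.compile(r"define\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST))['\"]\s*,")


def world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def hunt(root: str):
    """Walk `root`; return (kind, path, detail) for each artifact that would hand an
    attacker with code execution database or SSH access."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if WP_CONFIG.match(name):
                with open(path, "r", errors="replace") as fh:
                    keys = sorted(set(DB_DEFINE.findall(fh.read())))
                kind = "wp-config" if name.lower() == "wp-config.php" else "wp-config-backup"
                findings.append((kind, path, f"defines {','.join(keys)}; world-readable={world_readable(path)}"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if PRIVATE_KEY_HEADER.search(head):
                findings.append(("private-key", path, f"world-readable={world_readable(path)}"))
    return findings


def build_sample_webroot() -> str:
    """Constructed fixture standing in for a compromised host's filesystem (not real data)."""
    root = tempfile.mkdtemp(prefix="sysrv-hunt-")
    site = os.path.join(root, "var", "www", "html")
    os.makedirs(site)
    cfg = ("<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wp');\n"
           "define('DB_PASSWORD', 'hunter2');\ndefine('DB_HOST', 'localhost');\n")
    for fname in ("wp-config.php", "wp-config.php.bak"):
        with open(os.path.join(site, fname), "w") as fh:
            fh.write(cfg)
    with open(os.path.join(site, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")
    sshdir = os.path.join(root, "home", "deploy", ".ssh")
    os.makedirs(sshdir)
    key = os.path.join(sshdir, "id_ed25519")
    with open(key, "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAAfakekeymaterialAAAA\n-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    return root


if __name__ == "__main__":
    for kind, path, detail in hunt(build_sample_webroot()):
        print(f"{kind:17s} {path}  ({detail})")
```

Point `hunt()` at `/var/www` and `/home` on a real server; every `wp-config-backup` it reports should be deleted (or moved outside the web root), and every key it reports should be checked for a passphrase and for whether the host it authorises still needs to trust this machine.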

Another vulnerability the botnet uses is CVE-2022-22947. Applications running affected versions of Spring Cloud Gateway are vulnerable to code injection when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker can send a maliciously crafted request that allows arbitrary remote code execution on the host.
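The three conditions in that sentence (enabled, exposed, unsecured) map directly onto Spring Boot actuator settings. The fragment below is an added configuration example, not from Microsoft’s thread or the Spring project: the first block is the kind of setting that leaves the gateway actuator reachable, the second is the hardened equivalent. The property names are Spring Boot’s and Spring Cloud Gateway’s own; the management port and bind address are assumed values for illustration.

```properties
# Weak (assumed configuration for illustration): every actuator endpoint,
# including /actuator/gateway, is served on the application port with no
# authentication in front of it.
management.endpoints.web.exposure.include=*

# Corrected: turn the gateway actuator off unless it is needed, expose only
# health, and move whatever remains onto a management port bound to loopback.
management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.include=health
management.server.port=8081
management.server.address=127.0.0.1
```

This limits exposure; it does not replace upgrading to a fixed Spring Cloud Gateway release, which is the actual remediation.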

Development

The botnet malware starts with a simple script file that deploys modules of exploits against potentially vulnerable targets. Not only do the developers constantly add new exploits to the code, they keep updating the code. If the exploits aren’t successful, the developers get rid of them. Ever since the first appearance of the Sysrv botnet, the threat actors have released new scripts almost monthly.

Mitigation

Most of the vulnerabilities that the Sysrv botnet uses have been patched, so an effective patch management strategy can be a big help in keeping these miners off your systems.

Another question to ask is whether all the servers that are at risk need to be Internet-facing. In some cases it may be better to take them offline.

Don’t forget to equip your servers with anti-malware protection. The days when you could rest assured that your Linux server was safe are unfortunately over.

Safeguard your credentials and make sure that multi-factor authentication (MFA) is in place for your important assets.

Stay safe, everyone!

The post Sysrv botnet is out to mine Monero on your Windows and Linux servers appeared first on Malwarebytes Labs.

AirTag stalking: What is it, and how can I avoid it?

More voices are being raised against everyday technology being repurposed to attack and stalk people. Most recently, Ohio has reportedly proposed a new bill relating to electronic tagging devices.

The bill, aimed at closing a loophole that allows people with no stalking or domestic violence record to use tracking devices, is currently at the proposal stage. As PC Mag notes, 19 states currently ban the use of trackers to aid stalking.

Dude, where’s my car?

Using tech to find missing items is nothing new. Back in the 80s, my dad had one of the new wave of tools used to find your lost keys. You put a small device on your keychain, and when they inevitably went missing, you whistled. The device, assuming it was nearby, would beep or whistle back. That is, it would if the range wasn’t awful and it frequently didn’t respond to your best whistle attempts.

Skip forward enough years and we had a similar concept, but with Bluetooth and radio frequency. The range on those isn’t great either, so their usefulness is limited.

Step up to the plate, tracker devices.

What is an AirTag?

There are many types of tracking device, but AirTags are, unfortunately for Apple, the ones most closely associated with this form of stalking.

Find My, an app for Apple devices, is an incredibly slick way to keep track of almost any Apple product you can think of. Making your lost phone emit a sound, offline finding, and sending its last location when the battery is low are some of the options available.

An AirTag is a small round device which plugs right into Find My. The idea is a supercharged version of the old key whistler. Misplace an item with an AirTag attached, and when you get close enough, Precision Finding kicks in to guide you to it.

This is all incredibly helpful, especially if you’re good at misplacing things, and even more so if something is stolen. Where it goes wrong is when people with bad intentions figure out ways to harass people with it.

A stalker’s life for me

Back in January, model Brooks Nader claimed someone placed an AirTag in her coat. Whoever was responsible used it to follow her around for several hours. She only became aware of what was happening because her phone alerted her to the tag’s presence.

However, this is an Apple-specific product, which means not all devices can flag it. Android users are resorting to standalone apps that can flush out unwanted AirTags. Meanwhile, case numbers are steadily rising across multiple regions. Smart stalkers will place tags on items or in places victims won’t suspect; a tag under the car means victims may never find out they were tracked in the first place.

Apple pushes back on AirTag stalking

This isn’t good news for any company faced with a sudden wave of people abusing its devices. Apple is trying to lead the charge against these practices by making things harder for stalkers:

  • Improving the accuracy of “unknown accessory detected” notices
  • Adding support documents for people who believe they may be being stalked
  • Implementing notices which say “tracking without consent is a crime”

Advice for people worried about AirTag stalking

Apple’s support document lists two ways to discover unwanted tracking.

  1. If you have an iPhone, iPad, or iPod touch, Find My will send a notification to your Apple device. This feature is available on iOS or iPadOS 14.5 or later. To receive alerts, make sure that you:
    Go to Settings > Privacy > Location Services, and turn Location Services on.
    Go to Settings > Privacy > Location Services > System Services. Turn Find My iPhone on.
    Go to Settings > Privacy > Location Services > System Services. Turn Significant Locations on to be notified when you arrive at a significant location, such as your home.
    Go to Settings > Bluetooth, and turn Bluetooth on.
    Go to the Find My app, tap the Me tab, and turn Tracking Notifications on.
  2. If you don’t have an iOS device or a smartphone, an AirTag that has been separated from its owner for a period of time will emit a sound when it’s moved. This type of notification isn’t supported for AirPods.

Any alert on your mobile device that a tracker is nearby allows you to make the tracker produce a noise via your phone. You can make this noise repeat as often as you want until the device is found.

Disabling the AirTag

If you can’t find the physical object, don’t worry. You can disable it, again using your phone. Apple’s advice:

To disable the AirTag, AirPods, or Find My network accessory and stop it from sharing its location, tap Instructions to Disable and follow the onscreen steps. After the AirTag, AirPods, or Find My network accessory is disabled, the owner can no longer get updates on its current location. You will also no longer receive any unwanted tracking alerts for this item.

Apple has been quite visible both in drawing attention to the problem and in providing accessible, straightforward ways to shut unwanted tracking down. We can only hope that other companies whose trackers are being misused in this way are doing their part too.

The post AirTag stalking: What is it, and how can I avoid it? appeared first on Malwarebytes Labs.