IT NEWS

College closes down after ransomware attack

Lincoln College, one of the few rural schools in Illinois, said that it will permanently close on Friday, May 13, after 157 years, partly due to the impacts of the COVID-19 pandemic and partly due to a long recovery after a ransomware attack in December 2021. The institution notified the Illinois Department of Higher Education and Higher Learning Commission and posted a goodbye note on its website.

“Lincoln College has survived many difficult and challenging times – the economic crisis of 1887, a major campus fire in 1912, the Spanish flu of 1918, the Great Depression, World War II, the 2008 global financial crisis, and more, but this is different. Lincoln College needs help to survive.”

The institution struggled during the ongoing pandemic and a December 2021 ransomware attack only challenged it further. Lincoln said the attack “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections”.

“All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed. Once fully restored in March 2022, the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester.”

The closing of a US college or university marks another first in the history of ransomware attacks. Kim Milford, director of the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), told NBC News, which first broke the story, that a school closing underscores the toll a ransomware attack can take on its victim. “I feel really bad for Lincoln College and wish there was some way we could help, but it can be a very expensive proposition when you’re hit by ransomware,” she said.

How to avoid ransomware attacks

  1. Require the use of multi-factor authentication (MFA). It might feel like a bother, but MFA is relatively easy to set up, and it doesn’t disrupt normal day-to-day activities.
  2. Install security software on all systems. Use one that offers multiple layers of protection against online threats, especially ransomware.
  3. Patch as soon as you can. Universities rely on a wide range of software for different tasks. Keeping it all up to date means cybercriminals can’t exploit known flaws.
  4. Promote awareness among all faculty and staff. Educating university employees to help them understand their part in protecting the university from cyberattacks is essential. Remember that this is every faculty member’s, staff member’s, and student’s responsibility, not just the IT department’s.
  5. Back up your files. When it comes to ransomware, this is one of the standard pieces of advice we give out. But as we found out, you have to know how to back things up properly. This episode of our Lock and Code podcast, in which we talk to Matt Crape, technical account manager at VMware, about why backups fail us when we need them the most, is worth a listen.


If you want to read more about how to protect yourself from a ransomware attack, or how to recover if you are in the midst of one, download our Ransomware Emergency Kit.

The post College closes down after ransomware attack appeared first on Malwarebytes Labs.

F5 BIG-IP vulnerability is now being used to disable servers

As we reported a few days ago, an F5 BIG-IP vulnerability listed as CVE-2022-1388 is actively being exploited. Now researchers have noticed that attackers aren’t just taking control of vulnerable servers but also making them unusable by destroying the device’s file system.

F5 BIG-IP

The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.

On May 4, 2022 F5 notified users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 said the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.

Soon after the patch was released, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed that online scanning for BIG-IP was ongoing.

Due to the critical nature of the bug, F5 urged admins to apply updates as soon as possible.

New type of attack

While most of the attacks so far were aimed at creating a foothold or gathering information for further attacks, we are now seeing a very different and destructive type of attack.

At least one group of attackers is sending commands to vulnerable devices that delete the whole F5 file system, which breaks load balancing and takes down the websites behind it.

[Image: attackers are wiping vulnerable devices’ file systems]

While destroying the device’s file system may at first glance seem worse than data exfiltration or planting a backdoor, some researchers say it may be a blessing in disguise. The group is making vulnerable devices unavailable to threat actors who want to use the more monetizable attack vectors. Most of the original attacks dropped web shells: malicious scripts that allow an attacker to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting in this context.)

The motives of this threat actor are hard to guess. Maybe it’s simply a case of showing off, or an act out of sheer frustration.

But for those running a vulnerable device, this makes the “can’t patch now, it will make the device unavailable” argument moot. If this attacker gets to you, the device will be unavailable for much longer than it takes to patch.
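
Because the exposed surface is iControl REST on the management port and self IPs, the checks a defender can actually run are: is that interface being reached from anything other than the admin network, and are the command-running endpoints being hit? The following triage function is an added example, not code from the Malwarebytes post or from F5. It assumes a request feed (a reverse proxy or capture in front of the device) that records source, method, path, headers and body; the sample records, the admin network 10.20.0.0/16 and the endpoint list are constructed for illustration. The `Connection: ... X-F5-Auth-Token` pattern is the header manipulation described in the public exploit write-ups for CVE-2022-1388; the post itself only says that undisclosed requests bypass authentication.

```python
"""Triage of requests to a BIG-IP management plane for CVE-2022-1388 activity.

Added example; not code from the Malwarebytes post or from F5. It assumes a
request feed (reverse proxy or capture in front of the device) that records
source IP, method, path, headers and body; the sample records, the admin
network 10.20.0.0/16 and the endpoint list are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ADMIN_NETWORKS = [ip_network("10.20.0.0/16")]  # assumed: the only networks allowed to manage the device

# iControl REST endpoints that run commands or move files (real F5 REST paths).
COMMAND_ENDPOINTS = ("/mgmt/tm/util/bash", "/mgmt/shared/file-transfer/uploads/")
DESTRUCTIVE_MARKERS = ("rm -rf /", "mkfs", "dd if=")  # what a wiper command tends to contain


@dataclass
class Request:
    src: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def triage(req: Request) -> list[str]:
    """Reasons this request deserves attention; an empty list means nothing notable."""
    findings: list[str] = []
    if not req.path.startswith("/mgmt/"):
        return findings  # only iControl REST is in scope for this bug
    if not any(ip_address(req.src) in net for net in ADMIN_NETWORKS):
        findings.append("iControl REST reached from outside the admin network")
    connection = req.headers.get("connection", "").lower()
    if "x-f5-auth-token" in connection:
        # Public exploits name the token header in Connection so the front end
        # strips it and the back end falls back to trusting the request.
        findings.append("Connection header names X-F5-Auth-Token (CVE-2022-1388 bypass pattern)")
    if req.method == "POST" and req.path.startswith(COMMAND_ENDPOINTS):
        findings.append(f"command/file endpoint invoked: {req.path}")
        if any(marker in req.body for marker in DESTRUCTIVE_MARKERS):
            findings.append("destructive command in request body")
    return findings


def triage_all(requests: list[Request]) -> dict[str, list[str]]:
    """Source IP -> findings, for sources that produced at least one finding."""
    result: dict[str, list[str]] = {}
    for req in requests:
        hits = triage(req)
        if hits:
            result.setdefault(req.src, []).extend(hits)
    return result


# Constructed sample traffic (not real captures). "YWRtaW46" is base64 of "admin:".
SAMPLE_REQUESTS = [
    Request("10.20.1.5", "GET", "/mgmt/tm/sys/version",
            {"authorization": "Basic YWRtaW46UzNjcmV0", "connection": "keep-alive"}),
    Request("203.0.113.7", "POST", "/mgmt/tm/util/bash",
            {"authorization": "Basic YWRtaW46", "x-f5-auth-token": "a",
             "connection": "keep-alive, X-F5-Auth-Token"},
            '{"command":"run","utilCmdArgs":"-c \'rm -rf /*\'"}'),
    Request("198.51.100.9", "GET", "/tmui/login.jsp"),
]

if __name__ == "__main__":
    for src, hits in triage_all(SAMPLE_REQUESTS).items():
        print(src, *hits, sep="\n  ")
```

The first check is the one that matters most: if the management plane is reachable only from the admin network, the other findings cannot occur from the Internet, which is also F5’s standing mitigation for devices that cannot be patched immediately.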

Stay safe, everyone!


Cyberattacks on SATCOM networks attributed to Russian threat actors

The Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have updated their joint cybersecurity advisory, Strengthening Cybersecurity of SATCOM Network Providers and Customers, originally released March 17, 2022, with US government attribution to Russian state-sponsored malicious cyberactors.

Critical infrastructure

When we touched on the subject a few months ago, we explained why we think satellites are critical infrastructure. Commercial satellites provide us with the ability to establish services like Internet access, television, GPS, and scientific information about the weather and other processes in the atmosphere and on the surface.

On March 17, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) published an alert in conjunction with the Federal Bureau of Investigation (FBI) which warned of possible threats to US and international satellite communication (SATCOM) networks.

Along with that alert came a report that provided mitigation strategies for SATCOM providers and their customers. And, as part of CISA’s Shields Up initiative, all organizations are being asked to significantly lower their threshold for reporting and sharing indications of malicious cyberactivity.

Spill over

The United States believes Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the Russia invasion, and those actions had spillover impacts into other European countries.

In the months leading up to and after Russia’s invasion began, Ukraine experienced a series of disruptive cyber operations, including website defacements, distributed denial-of-service (DDoS) attacks, and cyberattacks to delete data from computers belonging to government and private entities.

For example, the United States has assessed that Russian military cyber operators have deployed multiple families of destructive wiper malware, like HermeticWiper, on Ukrainian Government and private sector networks.

The attribution is the new element: the US is now sharing publicly its assessment that Russia was behind those late-February attacks on commercial SATCOM networks.

Defense

In order to uphold the rules-based international order in cyberspace, the US and its allies and partners are taking steps to defend against Russia’s actions. The US government has developed new mechanisms to help Ukraine identify cyberthreats and recover from cyberincidents.

CISA has exchanged technical information on cybersecurity threats related to Russia’s further invasion of Ukraine with key partners, including Ukraine.

Mitigation guidance

On March 17, 2022 CISA issued an alert providing technical details and mitigation guidance on possible threats to US and international SATCOM networks. A quick recap:

  • Use secure methods for authentication.
  • Enforce the principle of least privilege through authorization policies.
  • Review existing trust relationships with IT service providers.
  • Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider.
  • Strengthen the security of operating systems, software, and firmware, including vulnerability and patch management.
  • Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Create, maintain, and exercise a cyberincident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.

Stay safe, everyone!


Clearview AI banned from selling facial recognition data in the US

Clearview AI, a facial recognition software and surveillance company, is permanently banned from selling its faceprint database within the United States. The company also cannot sell its database to state and law enforcement entities in Illinois for five years.

This is a historic win for the American Civil Liberties Union (ACLU). The nonprofit organization filed a lawsuit against Clearview in 2020, alleging the company had built its business around secretly taking facial recognition data from people without consent.

“By requiring Clearview to comply with Illinois’ pathbreaking biometric privacy law not just in the state, but across the country, this settlement demonstrates that strong privacy laws can provide real protections against abuse,” said Nathan Freed Wessler (@NateWessler), deputy director of the ACLU’s Speech, Privacy, and Technology Project, in a statement.

“Clearview can no longer treat people’s unique biometric identifiers as an unrestricted source of profit. Other companies would be wise to take note, and other states should follow Illinois’ lead in enacting strong biometric privacy laws.”

Clearview AI was known for scraping images of people from social networking sites, particularly Facebook, YouTube, Venmo, and other websites. According to a New York Times exposé, Clearview’s app can show you additional photos of a person—after taking a snap of them—along with links to where these appeared.

Knowing this, a San Francisco Bay Area photographer and writer named Thomas Smith requested all his data from Clearview. And what came back, he said, freaked him out.

Under the settlement agreement, Clearview must also have an opt-out feature available on its website for Illinois residents so their faceprints can stop appearing in Clearview search results. The company is further barred from offering free access to individual police officers without the approval of their respective departments.


Virtual credit cards coming to Chrome: What you need to know

When you’re buying things online, reducing the exposure of payment details during transactions is one way to help reduce the risk of data theft. If you can hide this payment data and switch it out for something else entirely, even better.

Google is proposing to do just that for customers in the US, with recently announced plans to offer a virtual credit card service for Chrome.

What is a virtual credit card?

The concept of virtual credit cards has been around for some time now. But with Google proposing to start using virtual credit cards, more people are likely to start talking about them.

Have you ever used a disposable email alias, or a VoIP service which displays a number of your choosing? These are ways you can keep your most personal information safe from prying eyes. Going one step further, it can be a valuable tool to pin down who’s had a breach, and who voluntarily leaks your data. If you create an email alias for every service you use, you’ll know the moment something has happened if the alias shows up in a dump or you receive spam on it.

Virtual credit card numbers share a few of these traits. Your actual card number never goes online. In its place is a variety of virtual numbers generated by your card provider connected to your account. These numbers may well expire at a set period in the future like real ones, so you don’t have to worry about an ever-increasing set of virtual details gathering dust in the corner.

Years ago, when I first started going to security conferences overseas, my bank card wasn’t accepted in most of the cities I visited. A stop-gap solution to this was someone buying me a bunch of pre-paid credit cards. This helped keep my real card safe. Virtual cards are like a significantly more advanced version of pre-pay efforts. When I used them, some pre-paid cards had a cap on funds allocated so you had to buy several at a time, and they also expired if you didn’t use the money within a certain time period.

Good news: You don’t have to worry about any of this with a virtual card number.
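
To make the mechanics concrete, the following toy issuer is an added illustration, not part of the original post and not Google’s or any card network’s code. A virtual number here is Luhn-valid (so a checkout form accepts it), bound to a single merchant, time-limited and individually revocable, and the real account number is never handed to the merchant at all. The issuer prefix 400000, the merchant names and the dates are constructed test values.

```python
"""Toy issuer showing what a virtual card number buys you.

Added illustration; not from the post and not Google's or any card network's
code. A virtual number is Luhn-valid, bound to one merchant, time-limited and
individually revocable. TEST_BIN and all numbers are constructed test values.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import date, timedelta

TEST_BIN = "400000"  # assumed issuer prefix for the example only


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once a check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class VirtualCard:
    merchant: str  # the only merchant this number is honoured for
    expires: date
    active: bool = True


class Issuer:
    """Maps virtual numbers to the account; the real card number never leaves here."""

    def __init__(self) -> None:
        self._cards: dict[str, VirtualCard] = {}

    def issue(self, merchant: str, today: date, lifetime_days: int = 30) -> str:
        body = TEST_BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
        number = body + luhn_check_digit(body)
        self._cards[number] = VirtualCard(merchant, today + timedelta(days=lifetime_days))
        return number

    def revoke(self, number: str) -> None:
        self._cards[number].active = False  # kills this number only, not the real card

    def authorize(self, number: str, merchant: str, today: date) -> str:
        if not luhn_valid(number):
            return "declined: malformed number"
        card = self._cards.get(number)
        if card is None:
            return "declined: unknown number"
        if not card.active:
            return "declined: number revoked"
        if today > card.expires:
            return "declined: number expired"
        if merchant != card.merchant:
            return "declined: number bound to another merchant"
        return "approved"


def demo() -> dict[str, str]:
    """Walk one virtual number through the situations the post describes."""
    today = date(2022, 5, 12)
    issuer = Issuer()
    vnum = issuer.issue("wine-shop.example", today)
    other = issuer.issue("other-store.example", today)
    results = {
        "luhn_valid": str(luhn_valid(vnum)),
        "distinct_per_merchant": str(vnum != other),
        "legit_purchase": issuer.authorize(vnum, "wine-shop.example", today),
        "skimmed_and_reused": issuer.authorize(vnum, "other-store.example", today),
        "after_expiry": issuer.authorize(vnum, "wine-shop.example", today + timedelta(days=31)),
    }
    issuer.revoke(vnum)
    results["after_revoke"] = issuer.authorize(vnum, "wine-shop.example", today)
    results["other_number_unaffected"] = issuer.authorize(other, "other-store.example", today)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>24}: {outcome}")
```

The point of the merchant binding is the “skimmed and reused” case: a number lifted from one compromised checkout is worthless anywhere else, and revoking it costs the cardholder nothing but a new virtual number.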

What is Chrome offering to US based users?

Here’s what Google has to say on the subject:

As people do more shopping online, keeping payment information safe and secure is critically important. We’re launching virtual cards on Chrome and Android. When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number. This eliminates the need to manually enter card details like the CVV at checkout, and they’re easy to manage at pay.google.com — where you can enable the feature for eligible cards, access your virtual card number, and see recent virtual card transactions. Virtual cards will be rolling out in the US for Visa, American Express, Mastercard and all Capital One cards starting this summer.

According to TechCrunch, Google “will not use any of this information for ad targeting purposes”. It remains to be seen if or when this rollout will extend to regions outside of the US.

Keeping you safe, and saving you time

The aim of the game is to make it harder for fraudsters to obtain your genuine details. Losing your card data to a skimming attack on a hijacked site, or having it swiped from a database, is a huge pain. Phone calls and cancelled cards await.

I myself have had credit card details compromised. To this day, I have no idea how or where it happened. I only know that it involved a spectacular amount of wine. It happened during a rather complicated long distance house move, and having to sink time into calling fraud teams, cancelling the card I really could have done with for the move, and having a replacement card almost sent to the wrong address by mistake was really not great.

Yet these are the additional complications any sort of compromise routinely throws up. It’s never “just” the card details. If I’d had a virtual card number when the great wine heist of 2016 took place, it wouldn’t have mattered at all. I could have switched to a new virtual number and been done. No card replacement required.

Tightening the grip on bogus transactions

Banks are increasingly ramping up checks made when trying to buy items online. Seeing a Verified by Visa popup, or a request to use an authenticator device, is fairly common. These tactics appear to be working. One bank reported 2,000 fewer cases of card fraud per month after the introduction of new payment checks.

Elsewhere, Apple Pay is serious about enhancing fraud prevention features. Location specific features (should you have them enabled) will help shut down rogue payment attempts.

A recent report claims card fraud losses could hit around $408.50 billion globally over the next decade. These are huge numbers to contend with. We’re going to need every tool available to chip away at that number. Whether you’re using virtual numbers, pre-loaded cards, or another method altogether for real world payments, having so many options available can only be a good thing.


Update now! Microsoft releases patches, including one for actively exploited zero-day

Microsoft has released patches for 74 security problems, including fixes for seven “critical” vulnerabilities, and an actively exploited zero-day vulnerability that affects all supported versions of Windows.

First, we’ll look at the actively exploited zero-day. Then we’ll discuss two zero-days that are publicly disclosed but for which no in-the-wild exploitation has been reported so far. And we’ll finish off with a few others that are worth keeping an eye on.

LSA spoofing zero-day

Microsoft has addressed an actively exploited Windows LSA spoofing zero-day that allows unauthenticated attackers to remotely force domain controllers to authenticate them via the Windows NT LAN Manager (NTLM) security protocol.

CVE-2022-26925: An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. The security update detects anonymous connection attempts in LSARPC and disallows them.

LSA (short for Local Security Authority) is a protected Windows subsystem that enforces local security policies and validates users for local and remote sign-ins. LSARPC is a protocol that enables a set of remote procedure calls (RPCs) to the LSA. Microsoft warns that the CVSS score would be 9.8 out of 10 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS).

The attack vector is closely related to the PetitPotam attacks we saw last year. If you are deciding which patches to prioritize: this vulnerability affects all servers, but domain controllers should be first in line for the security update.
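
What the chain looks like from the defender’s side: the coerced domain controller authenticates with NTLM to the attacker, who relays that authentication to a target such as an AD CS web enrollment server. That target then logs a successful network logon (Security event 4624) for the DC’s machine account, arriving from the relay’s address rather than from a DC. The hunt below is an added example, not part of the Malwarebytes post and not a Microsoft tool; it assumes 4624 records exported as dicts with the standard field names (TargetUserName, LogonType, AuthenticationPackageName, IpAddress, Computer) and a known inventory of domain controllers. The events are constructed.

```python
"""Hunt for a domain controller being coerced into NTLM authentication.

Added example; not part of the Malwarebytes post and not a Microsoft tool.
Assumes Security event 4624 records as dicts with the standard field names and
an inventory of domain controllers (constructed below). The signal: a DC's
machine account normally reaches other hosts with Kerberos; the same account
arriving over NTLM, network logon type 3, from an address that is not a DC is
what a coerced, relayed authentication looks like in the relay target's log.
"""
from __future__ import annotations

# Assumed inventory: DC hostname -> IP address.
DOMAIN_CONTROLLERS = {"DC01": "10.10.0.10", "DC02": "10.10.0.11"}
DC_ACCOUNTS = {f"{name}$" for name in DOMAIN_CONTROLLERS}
DC_ADDRESSES = set(DOMAIN_CONTROLLERS.values())


def is_coercion_candidate(event: dict) -> bool:
    """True when a DC machine account logs on over NTLM from a non-DC address."""
    if event.get("EventID") != 4624:
        return False
    if event.get("TargetUserName", "").upper() not in DC_ACCOUNTS:
        return False
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    if str(event.get("LogonType")) != "3":  # network logon, as used by SMB/HTTP relays
        return False
    # Direct NTLM from the DC's own address can be a legitimate Kerberos fallback;
    # a relay shows the relaying host's address instead.
    return event.get("IpAddress") not in DC_ADDRESSES


def hunt(events: list[dict]) -> list[str]:
    """One finding string per suspicious event."""
    return [
        f"{e['TargetUserName']} authenticated with NTLM to {e['Computer']} "
        f"from {e['IpAddress']} (not a DC address)"
        for e in events
        if is_coercion_candidate(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC02", "TargetUserName": "DC01$",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.0.10"},
    {"EventID": 4624, "Computer": "ADCS01", "TargetUserName": "DC01$",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.0.10"},
    {"EventID": 4624, "Computer": "ADCS01", "TargetUserName": "DC01$",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.5.77"},
    {"EventID": 4624, "Computer": "ADCS01", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.5.77"},
    {"EventID": 4625, "Computer": "ADCS01", "TargetUserName": "DC01$",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.5.77"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Patching the DC removes the coercion; hardening the relay target removes the payoff. Microsoft’s standing guidance for the AD CS side of this chain (KB5005413) is to enable Extended Protection for Authentication on the certificate enrollment web endpoints and to require HTTPS, so that a relayed NTLM exchange is rejected even if a coercion succeeds.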

Windows Hyper-V vulnerability

CVE-2022-22713: A denial of service (DoS) vulnerability in Windows Hyper-V. Successful exploitation requires an attacker to win a race condition, which occurs when two or more threads access shared data and try to change it at the same time.

Hyper-V is a native hypervisor, which means it can create virtual machines on x86-64 systems running Windows. The vulnerability only affects Windows Server (version 20H2) and x64-based Windows 10 systems (versions 20H2, 21H1, 21H2).

Redshift driver

CVE-2022-29972: A vulnerability that affects the Amazon Redshift ODBC and JDBC drivers and Amazon Athena ODBC and JDBC drivers due to improper validation of authentication tokens which may allow for unintended program invocation.

Microsoft products Azure Synapse Pipelines and Azure Data Factory are affected by a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver. An ODBC driver uses the Open Database Connectivity (ODBC) interface by Microsoft that allows applications to access data in database management systems (DBMS) using SQL (Structured Query Language) as a standard for accessing the data.

The vulnerability was dubbed SynLapse by the researchers that discovered it. They believe the tenant separation in the Microsoft Azure Synapse service is insufficiently robust to protect secrets against other tenants.

Windows Network File System

Next is a Remote Code Execution (RCE) vulnerability affecting Windows Network File System (NFS) listed under CVE-2022-26937. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). Microsoft considers it likely to be exploited and it is one of the highest-rated vulnerabilities of the month with a CVSS score of 9.8 out of 10.

Point-to-Point Tunneling Protocol

CVE-2022-21972: a Point-to-Point Tunneling Protocol Remote Code Execution vulnerability. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. A remote access server (RAS) is a type of server that provides a suite of services to remotely connected users over a network or the Internet.

CVE-2022-23270: another Point-to-Point Tunneling Protocol Remote Code Execution vulnerability. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.

Successful exploitation of these two vulnerabilities requires an attacker to win a race condition.

Other updates

Microsoft is not the only vendor to issue patches. Here are some others that may deserve your attention.

Stay safe, everyone!


“Chemical attack” email warnings deliver Jester Stealer malware

Jester Stealer, a malicious file capable of large amounts of data theft, is on the prowl again. The Ukrainian Computer Emergency Response Team (CERT-UA) has warned of a large distribution campaign abusing a “chemical attack” theme. Receiving an email like this in the invasion-affected regions of Ukraine is likely to cause huge alarm.

From bogus attack warnings to data theft malware

According to BleepingComputer, the mail reads as follows:

“Today the information was received that chemical weapons will be used at 01.00 at night, the authorities are trying to hide it in order not to panic the population. Urgently get acquainted with the places where chemical weapons will be used and the places of special shelters where we will be safe.

Help us to disseminate the information attached to the document in the letter as much as possible. map of the zone of chemical damage.

We need to save as many lives as possible!”

(Image source: CERT-UA)

Although the mail is being described as phishing, the mail itself contains no direct request for passwords or logins. Instead, there’s a link to an Excel document which has been booby-trapped with harmful macros.

A rogue file called JesterStealer is downloaded to the victim’s PC and executes when the document is opened with macros enabled. At this point, the device is infected. CERT-UA notes that the infection files are being hosted on “compromised web resources”. When organisations don’t keep their services updated and vulnerabilities patched, this is the unfortunate knock-on effect.

Impact on affected systems

Once infected, the system is at serious risk of data theft. The list of potential target areas includes:

  • Internet browsers
  • MAIL/FTP/VPN clients
  • Cryptocurrency wallets
  • Password managers
  • Messengers
  • Game programs

Jester Stealer is also capable of swiping screenshots and stealing network passwords.

There are some anti-virtual machine, anti-debug and anti-sandbox tactics in play to hamper researchers analysing the file. The malware also removes itself once closed, helping attackers evade suspicion, as those affected may well never realise the malware was present.

Tips for avoiding this attack

  1. Stick to official news sources for breaking information in affected areas. You’re more likely to see a genuine warning on the President’s page, or similar messaging from official sources on Twitter, than from random emails.
  2. Think carefully about attachment types in emails. Does it make much sense that a warning like this requires an Excel spreadsheet? Why not just put the full warning in the email? If it’s urgent, breaking information, people need everything in one place. Having to open up websites to download, and open files seems a long-winded and very odd way to accomplish this goal.
  3. Macros in Office files have been a long-running problem. Microsoft has made several changes to try to minimise the risk of harm: macros in files downloaded from the internet are now blocked from running by default. Some individuals and organisations will always need macros available to some degree, which is why the “learn more” button will ultimately let you enable them if you definitely need them.
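
A mail gateway or file share can apply the same “does this document carry macros” test before a user ever sees the warning bar. The following check is an added example, not code from the post, from CERT-UA or from Microsoft. Office Open XML files (.docx, .xlsx, .xlsm and friends) are zip packages, and a macro-enabled one carries a vbaProject.bin part and declares it in [Content_Types].xml; the check looks for both. The sample archives it builds are constructed stubs, not real workbooks, and legacy binary formats (.xls, .doc) are out of scope because they are not zip packages.

```python
"""Flag Office Open XML documents that carry VBA macros.

Added example, not from the post, CERT-UA or Microsoft. OOXML files are zip
packages; a macro-enabled one carries a vbaProject.bin part and declares it
in [Content_Types].xml. The sample archives built below are constructed stubs.
"""
from __future__ import annotations

import io
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"
SHEET_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
MACRO_SHEET_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"


def macro_indicators(data: bytes) -> list[str]:
    """Reasons a document should be treated as macro-bearing (empty if none)."""
    reasons: list[str] = []
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons  # not an OOXML package; legacy .xls/.doc need an OLE parser instead
    names = package.namelist()
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        reasons.append("package contains a VBA project part")
    if "[Content_Types].xml" in names:
        types = ET.fromstring(package.read("[Content_Types].xml"))
        for override in types.iter(f"{CT_NS}Override"):
            ctype = override.get("ContentType", "")
            if ctype == VBA_PROJECT_TYPE:
                reasons.append("content-types manifest declares a VBA project")
            elif "macroenabled" in ctype.lower():
                reasons.append(f"main part is macro-enabled ({override.get('PartName')})")
    return reasons


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal package shaped like an .xlsx (False) or .xlsm (True)."""
    main_type = MACRO_SHEET_TYPE if with_macros else SHEET_TYPE
    overrides = [f'<Override PartName="/xl/workbook.xml" ContentType="{main_type}"/>']
    parts = {"xl/workbook.xml": b"<workbook/>"}
    if with_macros:
        overrides.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_PROJECT_TYPE}"/>')
        parts["xl/vbaProject.bin"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8  # OLE2 magic + stub
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", content_types)
        for name, payload in parts.items():
            package.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, macro_indicators(blob) or ["no macro indicators"])
```

Checking the manifest as well as the file list matters because the two can disagree: a renamed extension fools neither, and a package whose manifest declares a VBA project without shipping the part (or the reverse) is itself worth a look.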

What Microsoft has to say about enabling macros

Microsoft’s advice for this is very good. Here’s what it suggests in relation to macros:

  • Were you expecting to receive a file with macros? Never open a file attachment you weren’t expecting, even if it appears to come from somebody you trust. Phishing attacks often appear to come from a person or organization you trust in an effort to get you to open them.
  • Are you being encouraged to enable content by a stranger? A common tactic of attackers is to create some pretense such as cancelling an order or reading a legal document. They’ll have you download a document and try to persuade you to allow macros to run. No legitimate company will make you open an Excel file to cancel an order and you don’t need macros just to read a document in Word.
  • Are you being encouraged to enable content by a pop-up message? If you downloaded the file from a website, you may see pop-ups or other messages encouraging you to enable active content. Those are also common tactics of attackers and should make you suspicious that the file is actually unsafe.

Think carefully about enabling macros from random documents sent your way, and follow the tips above. Rogue mails which do nothing but compromise or damage your computer may make it more difficult to receive genuine alerts, and that’s definitely an additional problem you can do without.


Client side scanning may cost more than it delivers

On May 11, 2022, the EU will publish a proposal for a law on mandatory chat control. The European Commission wants all providers of email, chat and messaging services to search for suspicious messages in a fully automated way and forward them to the police in the fight against child pornography.

History

In 2020, the European Commission initiated temporary legislation which allows the searching of all private chats, messages, and emails for illegal depictions of minors and attempted initiation of contact with minors. This allows the providers of Facebook Messenger, Gmail, et al, to scan every message for suspicious text and images.

A majority of the Members of the European Parliament adopted the chat control regulation on July 6, 2021, allowing providers to scan communications voluntarily. So far, only some unencrypted US services such as Gmail, Meta/Facebook Messenger, and Xbox apply chat control voluntarily.

The European Commission announced that it will propose follow-up legislation that will make the use of chat control mandatory for all email and messenger providers. This legislation will be presented tomorrow, May 11, 2022 and would also apply to communications services that are end-to-end (E2E) encrypted.

It is important to note that the European Parliament has already pointed out that even voluntary scanning, which is currently permitted by the short-term law, lacks a legal basis and would probably be invalidated if it were taken to court.

Privacy advocates

Needless to say, many privacy advocates are ready to storm the barricades to prevent this law from being approved. Not only does it violate our basic human right to privacy, but encrypted messaging has been a boon to activists, dissidents, journalists, whistleblowers, and marginalized groups around the world.

Privacy advocates argue it brings the EU closer to the surveillance state that many see in other countries and that is a frightful image. It is also a step back when it comes to cybersecurity. What do we call software that eavesdrops on what we are doing on our devices and sends it to a third party? Spyware! And what happens to servers that accumulate large amounts of private data? They become targets for cybercriminals.

The goal

Similar developments are taking place in the US, where the supporting narrative has expanded from domestic terrorism to other illegal content and activity, such as child sexual exploitation and abuse, terrorism, foreign adversaries, and attempts to undermine democratic values and institutions.

What most, if not all, of these activities have in common is that you usually won’t see the criminals using the same platforms as those of us that want to stay in touch with friends and relatives. They are already conducting their “business” in illegal marketplaces on the Dark Web, or they are using encrypted phone services.

Client side scanning

What does client side scanning mean exactly, some may wonder. Client side scanning broadly refers to systems that scan message contents for matches against a database of objectionable content before the message is sent to the intended recipient.

In this case, it means that the EU wants to force all providers of email, messaging, and chat services to comprehensively search all private messages, even in the absence of any suspicion. That makes the contents of messages no longer private between the sender and receiver, and client-side scanning breaks the E2E encryption trust model.

Pitfalls

As we have seen in the US, once the trend has been set, the number of targets can quickly expand from child abuse to other areas. As some of the privacy advocates noted, it’s a slippery slope.

It’s building a database of objectionable content. Given the amount of data, you will need something to make a first selection. Machine learning and artificial intelligence will undoubtedly be put to use. These systems can be manipulated and led astray, while static databases are too easy to circumvent.

False positives are a risk to keep in mind. What happens to a sender, or receiver for that matter, who gets tied to several flagged messages? I’m asking for me. Once an interest in cybercrime, vulnerabilities, and other related areas gets added to the areas of government interest, my search queries alone would be enough to get me in trouble. On a lighter note, how hard will it be to explain that autocorrect is responsible for your message getting flagged? And will my reputation accompany me on my travels? In other words, will the US know if the EU thinks I’m involved in something shady?

The complexity of breaking the chain of E2E encryption could also limit the reliability of a communications system, and potentially stop legitimate messages from reaching their intended destinations.

So far, for every method that has been devised to limit the amount of private data that gets shared and scrutinized after the first selection, a downside has been brought up. And the stage in which these messages are unencrypted to be reviewed offers a target area where criminals can exfiltrate a lot of valuable information.

Since client-side scanning technologies may represent the most powerful surveillance system ever imagined, it is imperative that we find a way to make them abuse-resistant and auditable before we decide to start using them. Failures from the past have taught us that it’s often the other way around. We learn from our mistakes, but how costly are they?

It is also important to realize that the criminals we are trying to catch will simply move away from the platforms we decide to subject to client side scanning. So in the end, we are monitoring the communications of innocent citizens, for what exactly?

The post Client side scanning may cost more than it delivers appeared first on Malwarebytes Labs.

APT34 targets Jordan Government using new Saitama backdoor

On April 26th, we identified a suspicious email that targeted a government official from Jordan’s foreign ministry. The email contained a malicious Excel document that drops a new backdoor named Saitama. Following our investigation, we were able to attribute this attack to the known Iranian Actor APT34.

Also known as OilRig/COBALT GYPSY/IRN2/HELIX KITTEN, APT34 is an Iranian threat group that has targeted Middle Eastern countries and victims worldwide since at least 2014. The group is known to focus on the financial, governmental, energy, chemical, and telecommunication sectors.

In this blog post, we describe the attack flow and share details about the Saitama backdoor.

Malicious email file

The malicious email was sent to the victim via a Microsoft Outlook account with the subject “Confirmation Receive Document” with an Excel file called “Confirmation Receive Document.xls”. The sender pretends to be a person from the Government of Jordan by using its coat of arms as a signature.

Figure 1: Malicious email

Excel document

The Excel attachment contains a macro that performs malicious activities. The document has an image that tries to convince the victim to enable a macro.

Figure 2: Excel doc

After enabling the macro, the image is replaced with the Jordan government’s coat of arms:

Figure 3: Excel doc after enabling the macro

The macro is executed on WorkBook_Open(). Here are the main functionalities of this macro:

Figure 4: Macro
  • Hides the current sheet and shows the new sheet that contains the coat of arms image.
  • Calls the “eNotif” function, which is used to send a notification of each step of macro execution to its server using the DNS protocol. To send a notification, it builds a server domain for that step made of the following parts: “qw” + identification of the step (in this step “zbabz”) + random number + domain name (joexpediagroup.com) = qwzbabz7055.joexpediagroup.com. It then uses the following WMI query to get the IP address of that name: Select * From Win32_PingStatus Where Address = '" & p_sHostName & "', which performs the DNS lookup of the created subdomain.
  • Creates a TaskService object and gets the task folder that contains the list of the current tasks
  • Calls the ENotif function
  • Checks if there is a mouse connected to PC and if that is the case performs the following steps
    • Creates %APPDATA%/MicrosoftUpdate directory
    • Creates “Update.exe”, “Update.exe.config” and “Microsoft.Exchange.WenServices.dll”
    • Reads the content of the UserForm1.label1, UserForm2.label1 and UserForm3.label1 that are in base64 format, decodes them and finally writes them into the created files in the previous step
    • Calls the ENotif function after each write
  • Checks the existence of the Update.exe file and, if for some reason it has not been written to disk, writes it using a technique that loads a .NET assembly directly using mscorlib and Assembly.Load by manually accessing the VTable of the IUnknown. This technique was taken from Github (link). Even though this technique was not used in this macro, since the file was already written, the function name (“Test”) suggests that the threat actor is trying to implement it in future attacks.
  • Finally, it calls the ENotif function.
Figure 5: Load .Net assembly
  • Defines an XML schema for a scheduled task and registers it using the RegisterTask function. The name of the scheduled task is MicrosoftUpdate and it is used to make update.exe persistent.
Figure 6: Task Schema

Saitama Backdoor – A finite state machine

The dropped payload is a small backdoor that is written in .Net. It has the following interesting pdb path: E:\Saitama\Saitama.Agent\obj\Release\Saitama.Agent.pdb.

Saitama backdoor abuses the DNS protocol for its command and control communications. This is stealthier than other communication methods, such as HTTP. Also, the actor cleverly uses techniques such as compression and long random sleep times. They employed these tricks to disguise malicious traffic in between legitimate traffic.

Another element that we found interesting about this backdoor is the way that it is implemented. The whole flow of the program is defined explicitly as a finite-state machine, as shown in Figure 7. In short, the machine changes its state depending on the command received in each state. Graphically, the program flow can be seen as this:

Figure 7: Graphical view of the state machine

The states of the finite-state machine are:

BEGIN

It is the initial state of the machine. It just accepts the start command that puts the machine into the ALIVE state.

ALIVE

This state queries the C&C server, expecting to receive a command from the attackers. The server names are generated by a PRNG algorithm that involves transformations like the Mersenne Twister. These transformations generate subdomains of the hard-coded domains in the Config class (Figure 8).

Figure 8: Main domains are hardcoded

Figure 9 shows an example of the generated subdomain:

Figure 9: Connection attempt to a C&C server

This state has two possible next stages. If the performed DNS request fails, the next stage is SLEEP. Otherwise, the next stage is RECEIVE.

SLEEP and SECOND SLEEP

These states put the backdoor in sleep mode. The amount of time that the program will sleep is determined by the previous stage. It is clear that one of the main motivations of the actor is to be as stealthy as possible. For example, unsuccessful DNS requests put the backdoor in sleep mode for a time between 6 and 8 hours! There are different sleep times depending on the situation (values are expressed in milliseconds):

Figure 10: A different sleep time for every situation

There is also a “Second Sleep” state that puts the program into sleep mode for a different amount of time.

RECEIVE

This state is used to receive commands from the C&C servers. Commands are sent using the IP address field that is returned by the DNS requests. Further details about the communication protocol are provided later in this report. In a nutshell, every DNS request is capable of receiving 4 bytes. The backdoor concatenates the responses, building buffers in that way. These buffers contain the commands that the backdoor will execute.

DO (DoTask)

This state executes commands received from the server. The backdoor has capabilities like executing remote pre-established commands, custom commands, or dropping files. The communication also supports compression. The following figure shows the list of possible commands that can be executed by the backdoor.

ID  Type  Command
1   PS    Get-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress
2   PS    Get-NetNeighbor -AddressFamily IPv4 | Select-Object "IPADDress"
3   CMD   whoami
4   PS    [System.Environment]::OSVersion.VersionString
5   CMD   net user
6   -     [NOT USED]
7   PS    Get-ChildItem -Path "C:\Program Files" | Select-Object Name
8   PS    Get-ChildItem -Path 'C:\Program Files (x86)' | Select-Object Name
9   PS    Get-ChildItem -Path 'C:' | Select-Object Name
10  CMD   hostname
11  PS    Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Select-Object "LocalAddress", "LocalPort", "RemoteAddress", "RemotePort"
12  PS    $(ping -n 1 10.65.4.50 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.4.51 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.65.65 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.53.53 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.21.200 | findstr /i ttl) -eq $null
13  PS    nslookup ise-posture.mofagov.gover.local | findstr /i Address;nslookup webmail.gov.jo | findstr /i Address
14  PS    $(ping -n 1 10.10.21.201 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.201 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.202 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.24.200 | findstr /i ttl) -eq $null
15  PS    $(ping -n 1 10.10.10.4 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.50.10 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.22.50 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null
16  PS    $(ping -n 1 10.65.51.11 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.6.1 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.52.200 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.6.3 | findstr /i ttl) -eq $null
17  PS    $(ping -n 1 10.65.45.18 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.28.41 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.36.13 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.51.10 | findstr /i ttl) -eq $null
18  PS    $(ping -n 1 10.10.22.42 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.23.200 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.50 | findstr /i ttl) -eq $null
19  PS    $(ping -n 1 10.65.45.3 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.4.52 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.31.155 | findstr /i ttl) -eq $null;$(ping -n 1 ise-posture.mofagov.gover.local | findstr /i ttl) -eq $null
20  PS    Get-NetIPConfiguration | Foreach IPv4DefaultGateway | Select-Object NextHop
21  PS    Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object SERVERAddresses
22  CMD   systeminfo | findstr /i "Domain"
Figure 11: List of predefined commands

It is pretty shocking to see that even when attackers have the possibility of sending any command, they choose to add that predefined list in the backdoor in Base64 format. As we can see, some of them are common reconnaissance snippets, but some of them are not that common. In fact, some of the commands contain internal IPs and also internal domain names (like ise-posture.mofagov.gover.local). That shows that this malware was clearly targeted and also indicates that the actor has some previous knowledge about the internal infrastructure of the victim.

SEND – SEND AND RECEIVE

The Send state is used to send the results generated by commands to the actor’s server. In this case, the name of the subdomain carries the data. As domain names are used to exfiltrate unknown amounts of data, the attackers had to split this data into different buffers. Every buffer is then sent through a different DNS request. As can be seen in Figure 12, all the information required to reconstruct the original data is sent to the attackers. The size of the buffer is only sent in the first packet.

Figure 12: Send data to server
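Both the macro’s DNS beaconing described earlier (labels of the form “qw” + step id + random number under joexpediagroup.com) and the Base32-encoded subdomain exfiltration of the Send state leave the same kind of trace: unusual query names in resolver logs. The following detection script is an added example written for this post; it is not Malwarebytes code or part of the Saitama analysis. It assumes a simple “timestamp client qname qtype” log layout, two-label registrable domains, and tunable thresholds (the 20-character Base32 minimum and the distinct-subdomain count), all of which are assumptions; the log lines are constructed, and the C2 domains come from the IOC list below.

```python
"""Hunt for Saitama-style DNS C2 activity in resolver query logs.

Added example, not Malwarebytes code. Assumes a "timestamp client qname
qtype" log layout and two-label registrable domains (both assumptions).
"""
import base64
import re
from collections import defaultdict
from typing import Dict, List, Set

# C2 domains taken from the report's IOC list.
KNOWN_C2 = {"uber-asia.com", "asiaworldremit.com", "joexpediagroup.com"}

# Macro beacon label shape described in the post: "qw" + step id + digits.
BEACON_RE = re.compile(r"^qw[a-z]{3,8}\d{1,6}$")

# A long label drawn only from the RFC 4648 Base32 alphabet (A-Z, 2-7);
# the minimum length of 20 is a tunable assumption to limit false positives.
BASE32_LABEL_RE = re.compile(r"^[a-z2-7]{20,}$")

# Distinct subdomains under one registrable domain, per client, before we
# suspect tunnelling. Deliberately low for this demo; tune to your baseline.
MIN_DISTINCT_SUBDOMAINS = 2

# Constructed sample log. The Base32 label on the uber-asia.com line was
# built to decode to "hello world!" so the decode helper can be checked.
SAMPLE_LOG = """\
2022-04-26T09:12:01Z 10.0.0.15 qwzbabz7055.joexpediagroup.com A
2022-04-26T09:12:02Z 10.0.0.15 www.microsoft.com A
2022-04-26T09:12:05Z 10.0.0.15 qwdjzbp4821.joexpediagroup.com A
2022-04-26T09:12:07Z 10.0.0.15 mail.google.com A
2022-04-26T09:14:10Z 10.0.0.15 NBSWY3DPEB3W64TMMQQQ.uber-asia.com A
2022-04-26T09:14:11Z 10.0.0.15 ORSXG5BAMRQXIYJAMFQWC.asiaworldremit.com A
2022-04-26T09:14:12Z 10.0.0.22 cdn.example.net A
"""


def registered_domain(qname: str) -> str:
    """Last two labels of the name (assumes a two-label registrable domain)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify_query(qname: str) -> Set[str]:
    """Return the set of reasons a single query name looks suspicious."""
    qname = qname.rstrip(".").lower()
    reasons: Set[str] = set()
    if registered_domain(qname) in KNOWN_C2:
        reasons.add("known_c2_domain")
    first_label = qname.split(".")[0]
    if BEACON_RE.match(first_label):
        reasons.add("macro_beacon_label")
    if BASE32_LABEL_RE.match(first_label):
        reasons.add("base32_like_label")
    return reasons


def decode_base32_label(label: str) -> bytes:
    """Restore the '=' padding that DNS labels cannot carry, then decode."""
    label = label.upper()
    label += "=" * (-len(label) % 8)
    return base64.b32decode(label)


def analyze(log_text: str) -> Dict[str, List[dict]]:
    """Flag per-query indicators plus per-client distinct-subdomain counts."""
    findings: Dict[str, List[dict]] = defaultdict(list)
    seen: Dict[tuple, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = line.split()
        reasons = classify_query(qname)
        if reasons:
            findings[client].append(
                {"ts": ts, "qname": qname, "reasons": sorted(reasons)})
        seen[(client, registered_domain(qname))].add(qname.lower())
    # Many distinct names under one domain from one host is the generic
    # shape of DNS tunnelling, independent of any known IOC.
    for (client, domain), names in seen.items():
        if len(names) >= MIN_DISTINCT_SUBDOMAINS:
            findings[client].append(
                {"ts": None, "qname": domain,
                 "reasons": ["many_distinct_subdomains"], "count": len(names)})
    return dict(findings)


if __name__ == "__main__":
    for client, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(client, hit["qname"], ",".join(hit["reasons"]))
```

Run on the constructed log, only 10.0.0.15 is flagged: both beacon names, both Base32-looking names under the listed C2 domains, and the pair of distinct subdomains under joexpediagroup.com. The IOC match is the cheapest signal but also the most brittle, since the backdoor generates subdomains with a PRNG and the actor can rotate domains; the label-shape and distinct-subdomain heuristics are what keep working once the domains change, at the cost of needing a per-environment threshold.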

Attribution

There are several indicators that suggest that this campaign has been operated by APT34.

  • Maldoc similarity: The maldoc used in this campaign shares some similarities with maldocs used in previous campaigns of this actor. More specifically, similar to what was mentioned in CheckPoint’s report, this maldoc registers a scheduled task that launches the executable every X minutes, and it uses the same anti-sandboxing technique (checking whether a mouse is connected to the PC). Finally, we see a similar pattern of beaconing back to the attacker’s server to inform the attacker about the current stage of execution.
  • Victims similarity: The group is known to target the government of Jordan and this is the case in this campaign.
  • Payload similarity: DNS is the most common method used by APT34 for its C&C communications. The group is also known to use uncommon encodings such as Base32 and Base36 in its previous campaigns. The Saitama backdoor uses a Base32 encoding for sending data to the servers that is similar to the one used by DNSpionage. Also, to build subdomains it uses a Base32 encoding that is similar to what was reported by Mandiant.

Malwarebytes customers are protected from this attack via our Anti-Exploit layer.


IOCs

Maldoc:
Confirmation Receive Document.xls
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b
Saitama backdoor:
update.exe
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d
C2s:
uber-asia.com
asiaworldremit.com
joexpediagroup.com

The post APT34 targets Jordan Government using new Saitama backdoor appeared first on Malwarebytes Labs.

Canon printer owners: Be careful of bogus driver download sites

Think of all the really common, very mundane things you search for of a tech nature. Drivers. Scanners. Printers. A broken photocopier. USB sticks not recognised. Activating a streaming service which refuses to play ball.

Some of the above have many issues already with bogus search engine results and tech support scams. Streaming and other internet based viewing options have their own support related perils to contend with.

Have you ever stopped to consider what’s lurking out there in relation to your humble printer?

Bogus Canon sites causing headaches

Gizmodo reports that numerous dodgy sites are riding on the coat-tails of the Canon printer brand, extracting cash however they can. Gizmodo discovered the sites after issuing a Freedom of Information request to the Federal Trade Commission (FTC) in relation to Canon-specific complaints.

The sites vary in terms of style or general setup, but all focus on having you download Canon drivers. However, when someone attempts to download the driver, the download fails and the site displays a message with a phone number you can call for assistance. We’re very quickly in the realm of tech support scams. Direct requests for money in exchange for supposed drivers, or remote access requests quickly follow.

According to Gizmodo, there are also “support packages” available to buy over the phone which (of course) fail to materialise. All tried and tested Windows-centric tech support scam tactics.

Site specifics

The sites are referred to as fairly sophisticated. In fairness, a few of those listed are already offline or not responding to requests, so they may have been shut down since the report went live.

What’s left is sites which look a bit like blogs and loop visitors round, with no download in sight. Others are a bit more professional looking, and ask you to download a driver first.

[Screenshot: canon printer driver download]

Another is very upfront about you phoning the listed number before apparently doing anything else. No matter which site you end up on, they’re all about the drivers.

A very testing download

We decided to check one of the few remaining sites and see how hard it leans into error messages after a driver search. Testing the site in the above screenshot, the download button leads to another website altogether. I decided to look for a Canon PIXMA:

[Screenshot: canon printer driver search]

The site looks as though it has my driver. Success! Except not really. I’m not saying the odds are stacked against you when using this site, but look at the destination URL in the bottom left hand corner when hovering over the download driver button:

[Screenshot: canon printer driver error]

Yes, that does say /error.html. Yes, we’re about to run into that most common of tech support scam pages:

[Screenshot: canon printer driver call]

Printer driver installation has been failed due to fatal error “C0000022” preventing product driver installation. Please contact Canon Customer Support For Assistance! Click on below button to connect live chat experts

Tracing a problem

The Gizmodo article contains numerous examples of this type of scam. I decided to check out the BBB scam tracker and see if I could observe the evolution of the Canon scam. It turns out that you actually can (to a degree).

I turned up 17 reports of Canon themed scams from the beginning of 2021 to the present day across Canada and the US. They’re tagged as a mixture of phishing, tech support, and fake invoices.

What’s interesting is that most of the oldest scams are all about Canon cameras. Some are bogus orders, or missed deliveries. At the start of March, we see our first Canon printer tale of woe and it’s our old friend the customer support conversation slide.

Scammers inserted themselves into a help session for a Canon printer and posed as certified Canon technicians. They took remote control of my computer, got personal information and credit card numbers and charged $199 unsuccessfully.

In September, there’s a blend of printer driver and fake infection tactics:

Global Assistance has a scam that leads you to their fake canon website. They make you believe that you have computer infections that prohibit you from connecting to your printer. You have to pay for their services and then they make you believe that you need protection for all of your devices that can connect to the internet. After I fell for this, I did my research and found out that they are a scam. I called them and they refused to refund my money, $362.16 tonight.

Pretty much everything after September is a Canon printer scam—from bogus tech support and remote mobile/desktop connections to people being signed up to cryptocurrency and references to ransomware.

How to avoid these support sites

Never download a driver from anywhere other than the official Canon site. As long as you’re on Canon.com, you can feel reassured you are very likely not being scammed.

The moment you’re asked to call somebody, or grant them remote access to your device, close the site you’re on and ensure you’re where you want to be. As we’ve seen, this somewhat unique offshoot of the tech support scam can end up being just as costly.

The post Canon printer owners: Be careful of bogus driver download sites appeared first on Malwarebytes Labs.