IT NEWS

The top 5 most routinely exploited vulnerabilities of 2021

A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.

1. Log4Shell

CVE-2021-44228, commonly referred to as Log4Shell or Logjam, was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that records the events that happen in a computer system. The records it produces are useful for IT and security folks to trace errors or check for any abnormal behavior within a system.

When Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.

This made for an exceptionally broad attack surface. Combine that with an incredibly easy-to-use exploit and it should be no surprise that this vulnerability made it to the top of the list.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The CISA Log4j scanner is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.

2. CVE-2021-40539

CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that APT threat actors were likely among those exploiting the vulnerability.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps, which means that any attacker able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations.

3. ProxyShell

Third on the list are three vulnerabilities that are commonly grouped together and referred to as ProxyShell: CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207.

The danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:

  • Get in with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.
  • Take control with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.
  • Do bad things with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.

The vulnerabilities were found in Microsoft Exchange Server, which has a large user base and is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.

Microsoft’s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.

4. ProxyLogon

After the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name, ProxyLogon, for similar reasons. CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 all share the same description: “This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.”

While the CVE description is the same for the four CVEs, we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws, CVE-2021-26858 and CVE-2021-27065, would allow an attacker to write a file to any part of the server.

Together these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

ProxyLogon started out as a limited and targeted attack method attributed to a group called Hafnium. Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Microsoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a download link, user instructions, and more information can be found in the Microsoft Security Response Center.

5. CVE-2021-26084

CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of Confluence Server and Data Center that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Shortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.

On the Confluence Support website you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.

Lessons learned

What does this list tell us to look out for in 2022?

Well, first off, if you haven’t patched one of the above we would urgently advise you to do so. And it wouldn’t hurt to continue working down the list provided by CISA.

Second, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:

  • A large attack surface. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.
  • Internet-facing instances. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.
  • Easy exploitability. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.

So, if you notice or hear about a vulnerability that meets these “requirements” move it to the top of your “to-patch” list.

Stay safe, everyone!

The post The top 5 most routinely exploited vulnerabilities of 2021 appeared first on Malwarebytes Labs.

Google Play’s Data safety section empowers Android users to make informed app choices

Google has launched its new “nutrition labels” for apps, a feature it promised in the spring of 2021. This release came days after the Chrome team released badges for the Chrome Web Store for browser extensions.

The company said in a blog post that it’s rolling out the labels—which it calls the Google Play Data safety section—gradually to users.

The labels are released weeks ahead of the July 20 deadline, the date when developers are required to adequately disclose what their apps do. This includes what data they collect, how it is shared with third parties (if ever), and how they secure user data. “We heard from users and app developers that displaying the data an app collects, without additional context, is not enough,” Google said.

Indeed, the search giant followed Apple’s lead when it introduced app privacy labels in its App Store in December 2020.

The Data safety section’s design relied heavily on feedback from Android users, who also want to know for what purpose their data is collected and whether app developers are sharing it. Google added information on whether an app needs data to function or if data collection is optional. Below is a list of other information that developers can show in the Data safety section of their apps:

– Whether a qualifying app has committed to following Google Play’s Families Policy to better protect children in the Play store.
– Whether the developer has validated their security practices against a global security standard (more specifically, the MASVS).

While this new feature is in place so Android users can make informed choices when it comes to trusting an app with their data, it’s still up to developers to disclose what their apps are capable of. Google said that if it finds a developer misstating their app’s features, the company will ask them to fix it instead of removing the app straight away. Action is only taken if the app remains non-compliant.

We will see if Google does a better job implementing its labels than Apple. If you recall, many labels in the App Store were found to be unreliable as they provided false information.

Here is the Google Play Help page for the Data safety section if you want to read more.


Hackers fool major tech companies into handing over data of women and minors to abuse

Some major tech companies have unwittingly opened harassment and exploitation opportunities to the women and children who they have pledged to protect. This happened because they provided information in response to emergency data requests from legitimate law enforcement accounts that hackers had compromised. This finding came from four federal law enforcement agencies and a couple of industry investigators.

Although the data provided was limited, it was enough for the hackers to work on and use to target and harass specific women or sexually extort minors. In some instances, the data was used to pressure victims to create and share more sexually explicit material or—in one sinister case—carve the perpetrator’s name into their skin and share photos of it.

Typically, no company is under any legal obligation to respond to emergency data requests as these don’t include court orders. However, it is accepted practice that tech companies comply with such requests as a sign of “good faith.”

Former Facebook Chief Security Officer (CSO) turned consultant Alex Stamos said in an interview with Bloomberg:

“I know that emergency data requests get used in real life-threatening emergencies every day. It is tragic that this mechanism is being abused to sexually exploit children.”

When victims refuse, they are subjected to swatting, doxxing, and other harassment techniques.

People close to the issue revealed that Apple, Alphabet (Google’s parent company), Discord, Meta (Facebook’s parent company), and Twitter were the companies who complied with the bogus requests. The data that was handed over varies per company but generally includes the name, IP address, email address, and physical address.

Law enforcement and investigators consider the tactic of exploiting legitimate channels as “the newest criminal tool” to acquire data from tech companies. This is unsettling in several ways. First, attackers can successfully impersonate police officers by compromising their agency’s email systems. Second, there is no way for tech companies to identify if such requests are fraudulent or not. Third, victims can’t protect themselves from such attacks unless they completely delete their accounts.

This tactic has become prevalent in recent months.

According to Stamos:

“Police departments are going to have to focus on preventing account compromises with multi-factor authentication and better analysis of user behavior, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers.”

Many believe that the perpetrators of these attacks are teenagers based in the US and also abroad. This is potentially based on their methods of retaliation against victims who resist them.

Unit 221b’s Chief Research Officer Allison Nixon told Bloomberg that law enforcement and the cybersecurity industry must prioritize threats led by underage perpetrators.

“We are now witnessing their transition to organized crime, and all the real world violence and sexual abuse that comes with it,” Nixon said. They are causing serious harm, so “we need to start treating them like adults,” she said—a sentiment echoed by many in the cybersecurity industry.


FBI warns food and agriculture to brace for seasonal ransomware attacks

The Federal Bureau of Investigation (FBI) recently released a Private Industry Notification warning agriculture cooperatives (also known as “farmers’ co-ops”) of the looming danger of well-timed ransomware attacks. The agency warns that during the critical planting and harvesting seasons, attacks could result in the theft of proprietary information, and operational disruption leading to financial losses and even food shortages.

This is the second time the FBI has warned the food and agriculture sector. In September 2021, the agency revealed that ransomware threat actors were ramping up attacks as the sector adopted more smart technologies.

“Since 2021, multiple agricultural cooperatives have been impacted by a variety of ransomware variants,” the agency said, “Initial intrusion vectors included known but unpatched common vulnerabilities and exploits and secondary infections from the exploitation of shared network resources or compromise of managed services.”

The FBI is concerned that threat actors might think agricultural cooperatives have an extra incentive to pay ransoms because some phases of their work are so time-sensitive.

After-effects of ransomware attacks against the food and agriculture sector

Attacks against organizations at the root of the food supply chain can cause significant downstream disruption.

During the same month as the FBI’s initial warning, in September 2021, BlackMatter ransomware hit Iowa’s NEW Cooperative, demanding a ransom of $5.9 million. The company was forced to take affected devices offline to stop the threat from spreading, and the ransomware gang was reportedly able to steal 1,000GB of data, including financial documents, employee data, and source code for a farming technology platform.

Two days after the NEW Cooperative attack, Crystal Valley Cooperative, a major farmer’s co-op in Minnesota, was hit by a still-unnamed ransomware strain. This stopped the group from processing major payment cards and caused its phone system some downtime.

In the last decade, the agriculture sector has been through a rapid technological transformation as traditional farm machinery—such as tractors—have joined the Internet of Things (IoT).

In a recent Lock and Code podcast about the vulnerability of agricultural technology, podcast host David Ruiz interviewed Sick Codes, a hacker who has taken a deep dive into the security of John Deere and other agricultural equipment manufacturers.

He told us that while the industry is beginning to think about the cybersecurity of its devices and systems, many vendors still struggle with the basics like where they store data and how to make it safe, leaving it open to easy exploitation. In one example of what might be possible, Sick explained that threat actors might be able to “game” the market for corn prices by intercepting unencrypted data about the crop as it moves from tractor fleets into the cloud:

If somebody is to catch that data on the way out, they will be able to predict the price of corn. And corn is a commodity. It fluctuates daily. So actually if you have all that data, you’d be out to make serious money.

The FBI has taken stock of ransomware gangs that have hit organizations within the food and agriculture sector: BlackByte, BlackMatter, Conti, HelloKitty (aka Five Hands), LockBit, Sodinokibi (aka REvil), and SunCrypt.

FBI recommendations

The agency advises the sector to focus on protecting its networks, systems, and applications as threat actors can and will exploit vulnerabilities in them. It also offered some guidance on how to protect against ransomware attacks, including:

  • Regularly back up data to an offline, air-gapped location where it can’t be reached by attackers.
  • Patch software and firmware as soon as security updates become available.
  • Segment networks to slow down attackers, make finding them easier, and limit their damage.
  • Use multi-factor authentication (MFA) whenever possible.
  • Use strong passwords and avoid reusing them.

More guidelines can be found in the agency’s Private Industry Notification on the subject.

For a glimpse of the current state of cybersecurity in an Internet-connected agriculture sector, listen to our Lock and Code podcast below:



Why you should be taking security advice from your grandmother

We tend to accept that younger folks are supposed to be more tech savvy, given they’ve grown up with computers and the Internet pretty much their whole lives. If you go back about 15 or so years, a lot of security advice focused on the “warning your grandmother away from scams” routine.

The default assumption was that people over a certain age simply did not know about computers and the threats that come with them. Grandparents were the short-hand, go-to frame of reference for examples in posts about scams or fraud: Watch out for grandfather this; your grandmother will fall for that.

Your grandfather knows what he’s doing

Crude, age-based categorisations were always dubious, and they are looking more and more baseless as the years tick by. Tech has now been around for a long time, whether it had some Internet bouncing around inside it or not. The oldest gamers playing on machines like Binatones in the 1970s might now be approaching 70 years of age themselves. Many studies have come and gone in the last couple of years declaring certain age groups to be at risk at one time or another. The interesting part is that more and more are declaring that younger age groups are at the greatest risk.

Older folks are dodging COVID-19 scams and all sorts of other shenanigans. Meanwhile, the news is definitely not as good the lower down the age slide we go.

Over here, Barclays finds that twenty-somethings are most likely to be caught by scams. Over there, The Better Business Bureau finds that year after year it’s the younger folks getting stung by scams. In this direction, the UK’s Local Government Association has warned that it’s 16-34 year olds mostly feeling fakeout wrath. Some of the surveys listed claim that those in both the 31-40 or 71+ ranges are more susceptible to forms of advance fee fraud, but that seems to be about the only real negative mark against them.

Everything else is grim reading for the younger netizens out there.

Are digital natives in trouble?

A new study has just landed and guess what? It’s more misery for the so-called “digital native” generation (and, perhaps, those just on the fringes).

The Financial Times reports that a joint study by Visa and Aston University’s Institute for Forensic Linguistics brings bad tidings for the young. One in four 18-34 year olds trust scam messages, “more than double” the proportion of those over 55.

Gen-X, forgotten again.

Crunching numbers

We cover the “urgent action” type scams a lot, because it’s a core component of so many fakeouts. Nothing has people clicking links they shouldn’t click faster than the threat of losing access to accounts or finances. According to the study, some 70% of messages analysed contained some kind of “Hurry up please” messaging.

Gift cards and Bitcoin—cybercriminals’ favourite currencies—feature heavily, as you’d expect. And it’s no surprise that aspects of younger culture are tied up in the most common scam messages.

More than 50% of 18-34 year olds had sent cash to fakers pretending to be friends or family. Again, this is likely another tick in the pandemic box. There are a lot more stats in the report itself [PDF], but that’s not what I’m most interested in. Despite it being focused on the language of fraud, there’s one key aspect which isn’t really touched upon.

Reports state that a quarter of 18-34 year olds don’t check for spelling and grammar mistakes. As the PDF itself notes that poor spelling, typography, and grammar are often indicators of a scam message, we may wonder how this disconnect is happening—and how to address it.

Annoying your spell-check for fun and profit

Security advice nowadays tends to steer clear of the “Your grandfather doesn’t understand computers” routine for the previously mentioned reasons. It’s just a bit crass and not particularly accurate.

And there may be other age-related pieces of security advice to reassess too.

Misspelling and errors have been a feature of scams for years, and a useful red flag we could advise people to watch out for. But does that advice still work for a generation that’s grown up on social media and messaging apps, and loosened its adherence to language norms by communicating with emojis and pared-down, abbreviated, vowelless blasts of text?

Some People Write On Social Media Like This.

others write everything in lower case and don’t even bother to consider throwing in the occasional comma or even a full stop because their messages are still entirely understandable

The rules have mostly gone out the window, and the “watch out for typos” advice might have to go with it. After all, you can’t tell people to beware strange spelling when everyone is officially doing their own thing.

Some good news for Gen Z and Millennials

Thankfully, “watch out for typos” is far from the only piece of security advice we can give when warning people away from bogus SMS messages or suspicious emails. When we warn you away from a phish, we give you several things to look out for in combination. It’s the same for a malware scam, or a bogus phone download, or something targeting young gamers.

The survey recognises this, and stresses the importance of picking out combinations of factors to spot a scam. It’s not just typos: It’s combinations of certain words, pressures exerted on the recipient, mismatches between sender and links given, and a dash of ambiguity. One of these alone probably won’t help, but a few of them together most likely will.


Ukraine government and pro-Ukrainian sites hit by DDoS attacks

The Computer Emergency Response Team in Ukraine (CERT-UA) has announced that Ukraine government web portals and pro-Ukraine sites are subjected to ongoing DDoS (distributed denial of service) attacks. They don’t currently know who is behind these attacks.

The attack involves injecting a malicious JavaScript (JS), officially named “BrownFlood”, into compromised WordPress sites, arming them with the ability to DDoS sites. The script, which is encoded in base64 to avoid detection, is injected into the HTML structure of the sites’ main files. Whoever visits these sites is then turned into an unknowing accomplice to an online attack they are unaware of.

Target URLs are defined in the code.

Image: BrownFlood in a compromised WordPress site (Source: CERT-UA)

Even the owners of these compromised WordPress sites do not realize that they were involuntarily signed up for a cause against Ukraine.

BleepingComputer revealed that the same JS script shared on GitHub had been involved in a DDoS attack a month ago against a smaller pool of pro-Ukraine sites. It then came to light that a particular pro-Ukrainian site had used the same DDoS code to target Russian sites.

CERT-UA worked closely with the National Bank of Ukraine to strengthen its defensive stance against DDoS attacks. The agency also informed WordPress site owners of their compromise and provided guidance on detecting and removing the malicious JS.

Image: Event log entry WordPress admins should watch out for to know whether they are infected (Source: CERT-UA)

CERT-UA listed three recommendations for WordPress site admins to follow, which we have replicated below in translation:

  1. Take steps to detect and remove malicious JavaScript code.
  2. Provide up-to-date [active plug-ins] and up-to-date support for website content management systems (CMS).
  3. Restrict access to website management pages.

The agency also provided a detection tool (scroll down to the bottom of the page) admins can use to scan their sites.
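A defender’s check for the kind of injection described above: it decodes base64 string literals inside a page’s inline scripts and flags those that name target URLs together with a request API and a repeat timer. This is an added example, not CERT-UA’s detection tool; the sample page, its encoded blob and the site.example.invalid URL are constructed here.

```python
import base64
import re
from typing import Dict, List

# Inline <script> bodies, case-insensitive, spanning newlines.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Quoted string literals that look like base64 (40+ chars, optional padding).
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# Indicators, checked in the raw script and in every decoded layer.
DECODER_RE = re.compile(r"\b(atob|eval|Function)\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
REQUEST_API_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b")
LOOP_RE = re.compile(r"\b(setInterval|setTimeout|while|for)\s*\(")


def decode_b64_layers(text: str, max_depth: int = 3) -> List[str]:
    """Decode base64 literals found in `text`, recursing into the decoded
    output (injected scripts sometimes nest several layers)."""
    layers: List[str] = []
    if max_depth == 0:
        return layers
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: ignore this literal
        layers.append(decoded)
        layers.extend(decode_b64_layers(decoded, max_depth - 1))
    return layers


def assess_script(script_body: str) -> Dict[str, object]:
    """Assess one inline script. It is flagged when it decodes hidden code
    and that code names target URLs, a request API and a repeat loop."""
    layers = decode_b64_layers(script_body)
    all_text = [script_body] + layers
    urls: List[str] = []
    for layer in all_text:
        urls.extend(u for u in URL_RE.findall(layer) if u not in urls)
    has_request = any(REQUEST_API_RE.search(t) for t in all_text)
    has_loop = any(LOOP_RE.search(t) for t in all_text)
    uses_decoder = bool(DECODER_RE.search(script_body))
    suspicious = bool(layers) and uses_decoder and has_request and has_loop and bool(urls)
    return {
        "suspicious": suspicious,
        "decoded_layers": len(layers),
        "target_urls": urls,
        "uses_decoder": uses_decoder,
        "has_request": has_request,
        "has_loop": has_loop,
    }


def scan_html(html: str) -> List[Dict[str, object]]:
    """Return the assessment of every inline script flagged as suspicious."""
    results = [assess_script(body) for body in SCRIPT_RE.findall(html)]
    return [r for r in results if r["suspicious"]]


# --- Constructed sample (not the real BrownFlood script) -------------------
# The decoded layer carries the indicators (a target list, a timer, a request
# API name) without a working request loop; the URL is a reserved test domain.
_DECODED = (
    'var targets = ["https://site.example.invalid/"];\n'
    "setInterval(function () {\n"
    "  /* fetch() call against each target omitted in this constructed sample */\n"
    "}, 1000);\n"
)
_BLOB = base64.b64encode(_DECODED.encode("utf-8")).decode("ascii")
SAMPLE_HTML = (
    "<html><head>\n"
    '<script>document.title = "Blog";</script>\n'  # benign inline script
    f'<script>eval(atob("{_BLOB}"));</script>\n'  # injected, base64-encoded
    "</head><body>Hello</body></html>\n"
)

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print("suspicious inline script, targets:", hit["target_urls"])
```

Run it over the theme and core files of a site (header.php, footer.php, index.php and the rendered pages) rather than a single document; the event log entry CERT-UA published remains the authoritative indicator.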


Call of Duty cheats can expect embarrassment with new anti-cheat feature

In-game cheats are about to have an even harder time of things in triple-A titles such as Call of Duty. Activision’s “Ricochet” software – a kernel-level driver anti-cheat system – has added another twist to the tale of how players are protected, via a new system called “Cloaking”.

Making all new punishments fit the crime

Anti-cheat software typically sniffs out people breaking the rules and penalises them. Ricochet adds some perks into the mix for people who aren’t cheating, whenever someone up to no good joins a gaming session.

As an example, if I’m using an aim-bot to assist me in scoring cheap kills and I join your Call of Duty server, I won’t just be instantly kicked out. Two things will happen:

  1. Mitigations are deployed to help regular players not lose unfairly to cheaters like me, running round with aim-bots and wall hacks. The already existing “Damage Shield” disables critical damage applied to non-cheating individuals. This means I can do everything in my power to win, but it almost certainly won’t be enough thanks to the second thing that happens.
  2. The new feature called “Cloaking” kicks in, which combined with the Damage Shield will scupper my chances of victory forever. This is because, hilariously, all other players vanish from view. I can’t see their characters, their bullets, or even hear the noises they make. Essentially, I’ll be twirling around in an empty space, firing bullets that do no damage. The best is yet to come. From the FAQ:

“Legitimate players, however, can see cheaters impacted by Cloaking and can dole out in-game punishment. Similar to Damage Shield, Cloaking gives legitimate players a leg up on cheaters.”

That’s nothing to brag about: Shaming cheaters out of gaming

Exploiters in games traditionally love bragging rights. Anything to score a cheap win is acceptable, and bragging rights arising from that is one of the reasons people continue to do it.

Many common anti-cheat methods exist which involve loading up tools prior to game launch, seeing if anything is running which shouldn’t be, and then simply preventing a cheater from joining in the first place.

From experience, people just load up another game and try it there instead until they’re allowed in.

This system is a curious remix of more typical anti-cheat tactics. Not only are the developers accepting that cheats will eventually end up in a session somehow, they’re also obtaining valuable game data in real-time as to how the cheats react to this approach.

Can you imagine the embarrassment when other players in the session upload incredibly funny clips of cheaters helplessly spinning into walls and firing guns at lamp posts to YouTube or stream it on Twitch? It’s possible the threat of this alone will deter some people from that level of social shaming. Nobody’s cool factor can survive an encounter like that.

No stopping the ban train

Conscious of controversy surrounding anti-cheat tools, the developers have reassured players several times. The Ricochet system only operates when playing, it isn’t always running, and it shuts down when the game is closed.

I don’t know for sure how many anti-cheat tools actually do run outside of a game being active. I suspect it’s not many, but it is good to see an organisation being very clear about what additional software needed to run a game does (and does not) do.

With 54,000 new account bans added to the 90,000 in March, the gamble seems to have paid off. We can expect to see more slightly weird and unusual approaches to shutting down cheaters in games. Letting them run free in a gaming hamster maze while both regular players and developers observe at their expense? This is simply too good an opportunity to pass up.


Emotet fixes bug in code, resumes spam campaign

Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.

The bug—a flaw in how Emotet is installed onto a system after a victim opens a malicious email attachment—forced the actors to prematurely halt their campaign.

Image: Sample email of an Emotet spam containing a defective attachment (Source: @malware_traffic)

Emotet is spammed around in emails claiming to contain invoices, forms, or payment details. The attachment is a password-protected ZIP file with a shortcut link file (with the .LNK extension) inside pretending to be a Word document file.

Normally, once a user double-clicks the file, Emotet is loaded into memory, steals email addresses to use in future campaigns, and drops a payload, usually another piece of malware such as ransomware or a Cobalt Strike beacon. In the broken version, the chain fell over immediately after the attachment was clicked.

Double-clicking the file sets off a chain. The shortcut runs a command that searches the .LNK file itself for a hidden string containing code written in Visual Basic. That code is written out to a new VBS file, which is then executed. But the file name the command searches is hard-coded, and it did not match the name of the shortcut actually attached. For example, the command looked for “Password2.doc.lnk”, while the attached file appeared as “INVOICE 2022-04-22_1033, USA.doc” (Windows hides the .lnk extension of shortcuts, so that is how the file shows up to the user). Because the command cannot open the file it was told to read, no VBS file is produced and the infection chain breaks.
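To make the failure concrete, here is an added example (not code from the article, from Cryptolaemus, or from Emotet itself) that models the chain in Python: it parses a shortcut's command line, checks the hard-coded file name against the name of the attached file, and carves the hidden Visual Basic code out of the file the way the real command would. The findstr-style command, the marker string, the temp path and the sample shortcut bytes are constructed for illustration and are assumptions, not details taken from the article.

```python
import re
from typing import Optional

# Constructed sample: the command line embedded in the malicious shortcut.
# The findstr-style pattern, marker and temp path are assumptions made
# for this example, not details from the article.
LNK_COMMAND = (
    'cmd /c findstr "xMarkerQz.*" "Password2.doc.lnk" '
    '> "%TMP%\\stage.vbs" & "%TMP%\\stage.vbs"'
)

# Constructed sample .LNK body: the start of a ShellLink header, some
# binary filler, then the marker followed by the hidden Visual Basic code.
LNK_BYTES = (
    b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 40
    + b"\nxMarkerQz Set sh = CreateObject(\"WScript.Shell\"): sh.Run \"calc.exe\"\n"
)

# findstr "<regex>" "<file>"  -- pull out the regex and the file name
CMD_RE = re.compile(r'findstr\s+"(?P<marker>[^"]+)"\s+"(?P<target>[^"]+)"')


def parse_command(cmd: str) -> tuple:
    """Return (marker_regex, target_file) from the shortcut's command line."""
    m = CMD_RE.search(cmd)
    if m is None:
        raise ValueError("command line does not match the expected findstr pattern")
    return m.group("marker"), m.group("target")


def carve_vbs(lnk_bytes: bytes, marker_regex: str) -> Optional[str]:
    """Mimic findstr: return every line of the file that matches the regex.

    Those lines are the Visual Basic code the shortcut hides behind the
    marker; the real chain redirects them into a .vbs file and runs it.
    """
    pattern = re.compile(marker_regex.encode("latin-1"))
    hits = [line for line in lnk_bytes.split(b"\n") if pattern.search(line)]
    if not hits:
        return None
    return b"\n".join(hits).decode("latin-1")


def run_chain(attached_name: str, cmd: str, lnk_bytes: bytes) -> dict:
    """Walk the infection chain and report where (if anywhere) it breaks.

    attached_name is the name the attachment actually has on disk, which is
    what findstr would try to open.
    """
    marker, target = parse_command(cmd)
    if target != attached_name:
        # This is the bug described above: the command is told to read a
        # file that does not exist, so nothing is written to the .vbs file.
        return {
            "ok": False,
            "stage": "findstr",
            "reason": f"command reads {target!r} but the attachment is {attached_name!r}",
        }
    vbs = carve_vbs(lnk_bytes, marker)
    if vbs is None:
        return {"ok": False, "stage": "carve", "reason": "marker not found in shortcut"}
    return {"ok": True, "stage": "vbs", "vbs": vbs}


if __name__ == "__main__":
    # Broken campaign: the hard-coded name differs from the attached file name.
    print(run_chain("INVOICE 2022-04-22_1033, USA.doc.lnk", LNK_COMMAND, LNK_BYTES))
    # Fixed campaign: the names agree, so the VBS stage is reached.
    print(run_chain("Password2.doc.lnk", LNK_COMMAND, LNK_BYTES))
```

The same mismatch check is useful defensively: a shortcut whose command line references a file name other than its own is a strong sign of a staged loader, whether or not the author got the name right.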

Cryptolaemus (@Cryptolaemus1) has provided a more technical explanation in a Twitter thread.

Emotet’s current use of .LNK files as attachments is a tried-and-tested tactic for getting past antivirus detection and Mark-of-the-Web (MOTW) based protections. Mark of the Web is a Windows feature that records that a file came from the Internet (a Zone.Identifier alternate data stream attached to the downloaded file); Office uses that mark to open documents in Protected View and block their macros. A shortcut is not an Office document, so those document-specific safeguards never come into play.

Our Threat Intelligence Team has seen APT threat actors use .LNK files in their attack campaigns (the Higaisa APT comes to mind), so it’s no surprise that other cybercriminal groups have adopted the technique. The operators of Emotet and IcedID are just two examples.

Emotet has repeatedly changed how it reaches victims over its years of activity. Historically, it has spread via malicious Windows App Installer packages and malformed Word documents. Emotet is a sophisticated and versatile Trojan, which other criminal groups have used to drop their own malware, leaving a single system with multiple infections. Among the payloads it has dropped are QakBot (also known as QBot), TrickBot, and Mimikatz (an open-source post-exploitation tool used to extract credentials from Windows).

BleepingComputer shared a list of attachment names the new Emotet email spam campaign is using, courtesy of Cofense, a security company specializing in email security:

  • ACH form.zip
  • ACH payment info.zip
  • BANK TRANSFER COPY.zip
  • Electronic form.zip
  • form.zip
  • Form.zip
  • Form – Apr 25, 2022.zip
  • Payment Status.zip
  • PO 04252022.zip
  • Transaction.zip

If you have received any emails bearing attachments with the above names, it would be wise to delete them immediately to prevent the risk of accidentally opening the attachment.
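For anyone triaging mail rather than just deleting it, here is an added example (not from the article, BleepingComputer, or Cofense) of a small Python check that flags attachments by the names listed above and inspects the ZIP contents for shortcut files disguised as documents. The ZIP archives, member names and file contents are constructed for the example; real Emotet ZIPs are password-protected, which this example does not reproduce.

```python
import io
import zipfile

# Attachment names reported for the new campaign (the list above).
KNOWN_LURE_NAMES = {
    "ACH form.zip", "ACH payment info.zip", "BANK TRANSFER COPY.zip",
    "Electronic form.zip", "form.zip", "Form.zip", "Form – Apr 25, 2022.zip",
    "Payment Status.zip", "PO 04252022.zip", "Transaction.zip",
}

# First bytes of a Windows shortcut: header size 0x4C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in little-endian form.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

DOCUMENT_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx")


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample attachment: an unencrypted ZIP with one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member, reason) pairs for shortcut files inside the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            head = zf.read(info)[: len(LNK_MAGIC)]
            if name.endswith(".lnk"):
                # "invoice.doc.lnk" shows up as "invoice.doc" in Explorer,
                # because Windows hides the .lnk extension of shortcuts.
                if name[:-4].endswith(DOCUMENT_EXTENSIONS):
                    findings.append((info.filename, "shortcut disguised as a document"))
                else:
                    findings.append((info.filename, "shortcut file"))
            elif head == LNK_MAGIC:
                # The extension can lie; the ShellLink header does not.
                findings.append((info.filename, "shortcut header under a non-.lnk name"))
    return findings


def triage(attachment_name: str, zip_bytes: bytes) -> list:
    """Combine the name indicator with the content check."""
    verdicts = []
    if attachment_name in KNOWN_LURE_NAMES:
        verdicts.append(f"{attachment_name}: name matches a reported Emotet lure")
    for member, reason in suspicious_members(zip_bytes):
        verdicts.append(f"{attachment_name}/{member}: {reason}")
    return verdicts


if __name__ == "__main__":
    lure = build_sample_zip("Form.doc.lnk", LNK_MAGIC + b"\x00" * 32)
    print(triage("Form.zip", lure))
    clean = build_sample_zip("report.pdf", b"%PDF-1.4\n")
    print(triage("quarterly report.zip", clean))
```

The name list will go stale as soon as the next campaign renames its lures; the content check (a shortcut inside a ZIP that claims to be a document, or a ShellLink header under any extension) is the part worth keeping.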

Stay safe out there!

The post Emotet fixes bug in code, resumes spam campaign appeared first on Malwarebytes Labs.

“Reject All” cookie consent button is coming to European Google Search and YouTube

Google will soon be giving European countries a “Reject All” button in the Search and YouTube cookie consent banner.

This change, revealed by Google’s Product Manager for Privacy, Safety & Security, Sammit Adhya, in a blog post, has already been rolled out in France and will be extended to the rest of the European Economic Area, the UK, and Switzerland. Adhya didn’t give a date for the wider rollout.

From Adhya’s post:

“In the past year, regulators who interpret European laws requiring these banners, including data protection authorities in France, Germany, Ireland, Italy, Spain and the UK, have updated their guidance for compliance. We’re committed to meeting the standards of that updated guidance and have been working with a number of these authorities.”

With directions from France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Google finished a redesign of its cookie banner and changed the infrastructure behind how it handles cookies.

Earlier this year CNIL fined Google $170M (€150M) over the design of its cookie consent banners, finding their asymmetry “unlawful”: users could accept all tracking cookies with one click but had to painstakingly untick individual options to reject them. Because the average user doesn’t want to bother doing this, they are left with little choice but to click “Accept all”, a win for Google’s business.

France has a strong case for calling Google’s cookie consent behavior unlawful. In a 2019 study by academics at Ruhr University Bochum (Germany) and the University of Michigan (USA), researchers found that European consumers regard most cookie consent notices as meaningless or manipulative.

Google has made it easy for users to accept and reject all cookies with this new consent banner, first released to French users. (Source: Google)

Adhya implied that this could be the first step in changing how cookies work on Google’s sites, and acknowledged that such changes also affect other sites and the content creators who do business online.

“We believe this update responds to updated regulatory guidance and is aligned with our broader goal of helping build a more sustainable future for the web. We believe it is possible both to protect people’s privacy online and to give companies and developers tools to build thriving digital businesses.”

The post “Reject All” cookie consent button is coming to European Google Search and YouTube appeared first on Malwarebytes Labs.

What’s happening in the world of personal cyber insurance?

You’ve probably only seen cyber insurance mentioned in relation to attacks on businesses, most commonly ransomware attacks in the workplace or the associated data loss. Some argue that the mere presence of insurance simply encourages more attacks and is hurting more than it’s helping. Now there’s another string to the bow to consider: personal insurance plans are slowly becoming a more visible and talked-about topic.

A brave new world, or same-old same-old?

I’m fascinated to see talk of personal cyber insurance, in an area dominated by business.

The plans referenced in the article are aimed at people seeking cyber insurance in India. They provide personal cover somewhat like contents insurance for the items in your home, the major difference being that the loss comes from online shenanigans rather than from spilling orange juice on your TV.

Premiums are based on how much you stand to lose and on which types of cybercrime you choose to cover. If you make a lot of financial transactions online, that bumps up the cost of the plan too.

A transactional offering

Some of the exclusions are fairly eye-catching. You’ll pay a higher premium the more online transactions you make, yet losses involving cryptocurrency aren’t covered at all, which could be a deal breaker for many people. The Indian Government has floated the idea of banning cryptocurrency on at least one occasion, but eventually moved to a less aggressive regulatory approach at the end of 2021.

While it makes sense that insurers will be cautious around such rapidly changing stances, it’s no real consolation to cryptocurrency fans.

Some cyber threats listed may not have realistic or obtainable legal solutions in some countries, but they will in others. For people not in the latter group, an additional insurance safety blanket might be very useful.

A helping hand against online stalking

There’s some solid defence against people harassing others online in the policy types mentioned. For example, expenses are covered to prosecute people found to be stalking/bullying you online. So far, so good.

This same cover which provides legal fees to prosecute stalkers also provides the insured with costs against invasion of privacy.

So many examples of cyber insurance only ever focus on the technical aspects of online crime, or ransomware backups. It’s nice to see a more human aspect working its way into the mix. In some countries, the rules are fairly stacked against people and aren’t necessarily conducive to tackling online harassment. Knowing there’s a bit of backup to help with this kind of situation may itself make harassers think twice.

From add-on to standalone

Seeing cyber insurance as a standalone package for individuals is rather novel. In the UK at least, most—if not all—cyber offerings I’ve seen are add-on packages to regular insurance policies. For example, one major insurer offers it across all their insurance tiers and it covers the usual issues like ransom, fraud, restoration of systems, defamation and so on. Unlike the India-centric policy above, identity theft is included by default in regular, non-cyber packages.

The standalone offerings I’ve seen usually ask you to contact them to arrange a premium, as opposed to having a default one-size-fits all price. Some include monitoring customer data for breaches, including issuing alerts when necessary. Others seem to fall into more traditional areas of cover, offering to replace or repair damaged devices and recover data.

I’ve seen a few offer 24/7 cyber-helplines, credit reports, and “ransom monies” made available in ransomware cases. Some insurers have grey areas related to working from home, or just flat out refuse to cover it. All this, without the added complexity of business insurance and the question of whether it’s right to pay out to ransomware authors in the first place.

Drawing insurance lines in the sand

It’s a tumultuous time for insurers in the digital realm as they try to define exactly what is and isn’t covered. Real-world insurers have long used “act of God” exclusions for events they won’t pay out on, and cyber insurers are quickly coming up with their own lists of non-coverable issues.

Then there’s the thorny problem of insurance companies themselves being juicy targets for attackers. I’m fairly certain they don’t have to look for decent cyber insurance quotes from competitors themselves. It’s still a very odd thing to think about in an industry that is still figuring out its role, where the rogues costing its customers money don’t play by the rules.

The post What’s happening in the world of personal cyber insurance? appeared first on Malwarebytes Labs.