IT NEWS

On April 26th, we identified a suspicious email that targeted a government official from Jordan’s foreign ministry. The email contained a malicious Excel document that drops a new backdoor named Saitama. Following our investigation, we were able to attribute this attack to the known Iranian Actor APT34.

Also known as OilRig/COBALT GYPSY/IRN2/HELIX KITTEN, APT34 is an Iranian threat group that has targeted Middle Eastern countries and victims worldwide since at least 2014. The group is known to focus on the financial, governmental, energy, chemical, and telecommunication sectors.

In this blog post, we describe the attack flow and share details about the Saitama backdoor.

Malicious email file

The malicious email was sent to the victim via a Microsoft Outlook account with the subject “Confirmation Receive Document” with an Excel file called “Confirmation Receive Document.xls”. The sender pretends to be a person from the Government of Jordan by using its coat of arms as a signature.

Excel document

The Excel attachment contains a macro that performs malicious activities. The document has an image that tries to convince the victim to enable a macro.

After enabling the macro, the image is replaced with the Jordan government’s the coat of the arms:

The macro has been executed on WorkBook_Open(). Here are the main functionalities of this macro:

• Hides the current sheet and shows the new sheet that contains the coat of arms image.
• Calls the “eNotif’ function which is used to send a notification of each steps of macro execution to its server using the DNS protocol. To send a notification it builds the server domain for that step that contains the following parts: “qw” + identification of the step (in this step “zbabz”) + random number + domain name (joexpediagroup.com) = qwzbabz7055.joexpediagroup.com. Then it uses the following WMI query to get the IP address of the request: Select * From Win32_PingStatus Where Address = ‘” & p_sHostName & “‘” which performs the DNS communication the the created subdomain.
• Creates a TaskService object and Gets the task folder that contains the list of the current tasks
• Calls ENotif function
• Checks if there is a mouse connected to PC and if that is the case performs the following steps
  • Creates %APPDATA%/MicrosoftUpdate directory
  • Creates “Update.exe”, “Update.exe.config” and “Microsoft.Exchange.WenServices.dll”
  • Reads the content of the UserForm1.label1, UserForm2.label1 and UserForm3.label1 that are in base64 format, decodes them and finally writes them into the created files in the previous step
  • Calls a ENotif function for each writes function
• Checks the existence of the Update.exe file and if for some reason it has not been written to disk, it writes it using a technique that loads a DotNet assembly directly using mscorlib and Assembly.Load by manually accessing the VTable of the IUnknown. This technique was taken from Github (link). Even though, this technique was not used in this macro since the file was already written, the function name (“Test”) suggests that the threat actor is trying to implement this technique in future attacks.
• Finally, it calls the ENotif function.

• Defines a xml schema for a scheduled task and registers it using the RegisterTask function. The name of the scheduled task is MicrosoftUpdate and is used to make update.exe persistent.

Saitama Backdoor – A finite state machine

The dropped payload is a small backdoor that is written in .Net. It has the following interesting pdb path: E:SaitamaSaitama.AgentobjReleaseSaitama.Agent.pdb.

Saitama backdoor abuses the DNS protocol for its command and control communications. This is stealthier than other communication methods, such as HTTP. Also, the actor cleverly uses techniques such as compression and long random sleep times. They employed these tricks to disguise malicious traffic in between legitimate traffic.

Another element that we found interesting about this backdoor is the way that it is implemented. The whole flow of the program is defined explicitly as a finite-state machine, as shown in the Figure 7. In short, the machine will change its state depending on the command sent to every state. Graphically, the program flow can be seen as this:

The finite-machine state can be:

BEGIN

It is the initial state of the machine. It just accepts the start command that puts the machine into the ALIVE state.

ALIVE

This state fetches the C&C server, expecting to receive a command from the attackers. These servers are generated by using the PRNG algorithm that involves transformations like the Mersenne Twister. These transformations will generate subdomains of the hard coded domains in the Config class (Figure 8).

Figure 9 shows an example of the generated subdomain:

This state has two possible next stages. If the performed DNS request fails, the next stage is SLEEP. Otherwise, the next stage is RECEIVE.

SLEEP and SECOND SLEEP

These states put the backdoor in sleep mode. The amount of time that the program will sleep is determined by the previous stage. It is clear that one of the main motivations of the actor is to be as stealthy as possible. For example, unsuccessful DNS requests puts the backdoor in sleep mode for a time between 6 and 8 hours! There are different sleep times depending on the situations (values are expressed in milliseconds):

There is also a “Second Sleep” state that puts the program on sleep mode a different amount of time.

RECEIVE

This state is used to receiving commands from the C&C servers. Commands are sent using the IP address field that is returned by the DNS requests. Further details about the communication protocol are provided later in this report. In a nutshell, every DNS request is capable of receiving 4 bytes. The backdoor will concatenate responses, building buffers in that way. These buffers will contain the commands that the backdoor will execute.

DO (DoTask)

That state will execute commands received from the server. The backdoor has capabilities like executing remote pre-established commands, custom commands or dropping files. The communication supports compression, also. The following figure shows the list of possible commands that can be executed by the backdoor.

It is pretty shocking to see that even when attackers have the possibility of sending any command, they choose to add that predefined list in the backdoor in Base64 format. As we can see, some of them are common reconnaissance snippets, but some of them are not that common. In fact, some of the commands contain internal IPs and also internal domain names (like ise-posture.mofagov.gover.local). That shows that this malware was clearly targeted and also indicates that the actor has some previous knowledge about the internal infrastructure of the victim.

SEND – SEND AND RECEIVE

The Send state is used to send the results generated by commands to the actor’s server. In this case, the name of the subdomain will contain the data. As domain names are used to exfiltrate unknown amounts of data, attackers had to split this data in different buffers. Every buffer is then sent through a different DNS request. As it can be seen in the Figure 12, all the required information in order to reconstruct original data is sent to the attackers. The size of the buffer is only sent in the first packet.

Attribution

There are several indicators that suggest that this campaign has been operated by APT34.

• Maldoc similarity: The madoc used in this campaign shared some similarities with maldocs used in previous campaigns of this actor. More specifically similar to what was mentioned in CheckPoint’s report this maldoc registers a scheduled task that would launch the executable every X minutes, also it uses the same anti sandboxing technique (checking if there is a mouse connected to the PC or not). Finally, we see a similar pattern to beacon back to the attacker server and inform the attacker about the current stage of execution.
• Victims similarity: The group is known to target the government of Jordan and this is the case in this campaign.
• Payload similarity: DNS is the most common method used by APT34 for its C&C communications. The group is also known to use uncommon encodings such as Base32 and Base36 in its previous campaigns. The Saitama backdoor uses a similar Base32 encoding for sending data to the servers that is used by DNSpionage. Also, to build subdomains it uses Base32 encoding that is similar to what was reported by Mandiant.

Malwarebytes customers are protected from this attack via our Anti-Exploit layer.

IOCs

Maldoc:
Confirmation Receive Document.xls
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b
Saitama backdoor:
update.exe
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d
C2s:
uber-asia.com
asiaworldremit.com
joexpediagroup.com

The post APT34 targets Jordan Government using new Saitama backdoor appeared first on Malwarebytes Labs.

Think of all the really common, very mundane things you search for of a tech nature. Drivers. Scanners. Printers. A broken photocopier. USB sticks not recognised. Activating a streaming service which refuses to play ball.

Some of the above have many issues already with bogus search engine results and tech support scams. Streaming and other internet based viewing options have their own support related perils to contend with.

Have you ever stopped to consider what’s lurking out there in relation to your humble printer?

Bogus Canon sites causing headaches

Gizmodo reports that numerous dodgy sites are riding on the coat-tails of the Canon printer brand, extracting cash however they can. Gizmodo discovered the sites after issuing a Freedom of Infomation request to the Federal Trades Commission (FTC) in relation to Canon-specific complaints.

The sites vary in terms of style or general setup, but all focus on having you download Canon drivers. However, when someone attempts to download the driver, the download fails and the site displays a message with a phone number you can call for assistance. We’re very quickly in the realm of tech support scams. Direct requests for money in exchange for supposed drivers, or remote access requests quickly follow.

According to Gizmodo, there are also “support packages” available to buy over the phone which (of course) fail to materialise. All tried and tested Windows-centric tech support scam tactics.

Site specifics

The sites are referred to as fairly sophisticated. In fairness, a few of those listed are already offline or not responding to requests, so they may have been shut down since the report went live.

What’s left is sites which look a bit like blogs and loop visitors round, with no download in site. Others are a bit more professional looking, and ask you to download a driver first.

Another is very upfront about you phoning the listed number before apparently doing anything else. No matter which site you end up on, they’re all about the drivers.

A very testing download

We decided to check one of the few remaining sites and see how hard it leans into error messages after a driver search. Testing the site in the above screenshot, the download button leads to another website altogether. I decided to look for a Canon PIXMA:

The site looks as though it has my driver. Success! Except not really. I’m not saying the odds are stacked against you when using this site, but look at the destination URL in the bottom left hand corner when hovering over the download driver button:

Yes, that does say /error.html. Yes, we’re about to run into that most common of tech support scam pages:

Printer driver installation has been failed due to fatal error “C0000022” preventing product driver installation. Please contact Canon Customer Support For Assistance! Click on below button to connect live chat experts

Tracing a problem

The Gizmodo article contains numerous examples of this type of scam. I decided to check out the BBB scam tracker and see if I could observe the evolution of the Canon scam. It turns out that you actually can (to a degree).

I turned up 17 reports of Canon themed scams from the beginning of 2021 to the present day across Canada and the US. They’re tagged as a mixture of phishing, tech support, and fake invoices.

What’s interesting is that most of the oldest scams are all about Canon cameras. Some are bogus orders, or missed deliveries. At the start of March, we see our first Canon printer tale of woe and it’s our old friend the customer support conversation slide.

Scammers inserted themselves into a help session for a Canon printer and posed as certified Canon technicians. They took remote control of my computer, got personal information and credit card numbers and charged $199 unsuccessfully.

In September, there’s a blend of printer driver and fake infection tactics:

Global Assistance has a scam that leads you to their fake canon website. They make you believe that you have computer infections that prohibit you from connecting to your printer. You have to pay for their services and then they make you believe that you need protection for all of your devices that can connect to the internet. After I fell for this, I did my research and found out that they are a scam. I called them and they refused to refund my money, $362.16 tonight.

Pretty much everything after September is a Canon printer scam—from bogus tech support and remote mobile/desktop connections to people being signed up to cryptocurrency and references to ransomware.

How to avoid these support sites

Never download a driver from anywhere other than the official Canon site. As long as you’re on Canon.com, you can feel reassured you are very likely not being scammed.

The moment you’re asked to call somebody, or grant them remote access to your device, close the site you’re on and ensure you’re where you want to be. As we’ve seen, this somewhat unique offshoot of the tech support scam can end up being just as costly.

The post Canon printer owners: Be careful of bogus driver download sites appeared first on Malwarebytes Labs.

Jester Stealer, a malicious file capable of large amounts of data theft, is on the prowl again. The Ukrainian Computer Emergency Response Team (CERT-UA) has warned of a large distribution campaign abusing a “chemical attack” theme. Receiving an email like this in the invasion-affected regions of Ukraine is likely to cause huge alarm.

From bogus attack warnings to data theft malware

As per Bleeping Computer, the mail reads as follows:

“Today the information was received that chemical weapons will be used at 01.00 at night, the authorities are trying to hide it in order not to panic the population. Urgently get acquainted with the places where chemical weapons will be used and the places of special shelters where we will be safe.

Help us to disseminate the information attached to the document in the letter as much as possible. map of the zone of chemical damage.

We need to save as many lives as possible!”

Although the mail is being described as phishing, there is no direct request for passwords or logins linked to in the mail itself. Instead, there’s a link to an Excel document which has been booby-trapped with harmful macros.

A rogue file called JesterStealer is downloaded to the victim’s PC and executes when the document is opened with macros enabled. At this point, the device is infected. CERT-UA notes that the infection files are being hosted on “compromised web resources”. When organisations don’t keep their services updated and vulnerabilities patched, this is the unfortunate knock-on effect.

Impact on affected systems

Once infected, the system is at serious risk of data theft. The list of potential target areas includes:

• Internet browsers
• MAIL/FTP/VPN clients
• Cryptocurrency wallets
• Password managers
• Messengers
• Game programs

Jester Stealer is also capable of swiping screenshots and stealing network passwords.

There’s some anti virtual machine/debug/sandbox tactics in play to hamper researchers analysing the file. The malware also removes itself once closed, helping attackers evade suspicion from those affected as they may well never realise the malware was present.

Tips for avoiding this attack

1. Stick to official news sources for breaking information in affected areas. You’re more likely to see a genuine warning on the President’s page, or similar messaging from official sources on Twitter, than from random emails.
2. Think carefully about attachment types in emails. Does it make much sense that a warning like this requires an Excel spreadsheet? Why not just put the full warning in the email? If it’s urgent, breaking information, people need everything in one place. Having to open up websites to download, and open files seems a long-winded and very odd way to accomplish this goal.
3. Macros in Office files have been a long running problem. Microsoft has made several changes to try and minimise the risk of harm. Downloading macros from the internet results in an automatic block with regard to being able to run. Some individuals and organisations will always need macros available to some degree. This is why the “learn more” button will ultimately allow you to enable if you definitely need them.

What Microsoft has to say about enabling macros

Microsoft’s advice for this is very good. Here’s what it suggests in relation to macros:

• Were you expecting to receive a file with macros? Never open a file attachment you weren’t expecting, even if it appears to come from somebody you trust. Phishing attacks often appear to come from a person or organization you trust in an effort to get you to open them.
• Are you being encouraged to enable content by a stranger? A common tactic of attackers is to create some pretense such as cancelling an order or reading a legal document. They’ll have you download a document and try to persuade you to allow macros to run. No legitimate company will make you open an Excel file to cancel an order and you don’t need macros just to read a document in Word.
• Are you being encouraged to enable content by a pop-up message? If you downloaded the file from a website, you may see pop-ups or other messages encouraging you to enable active content. Those are also common tactics of attackers and should make you suspicious that the file is actually unsafe.

Think carefully about enabling macros from random documents sent your way, and follow the tips above. Rogue mails which do nothing but compromise or damage your computer may make it more difficult to receive genuine alerts, and that’s definitely an additional problem you can do without.

The post “Chemical attack” email warnings deliver Jester Stealer malware appeared first on Malwarebytes Labs.

On May 11, 2022, the EU will publicize a proposal for a law on mandatory chat control. The European Commission wants all providers of email, chat and messaging services to search for suspicious messages in a fully automated way and forward them to the police in the fight against child pornography.

History

In 2020, the European Commission initiated temporary legislation which allows the searching of all private chats, messages, and emails for illegal depictions of minors and attempted initiation of contact with minors. This allows the providers of Facebook Messenger, Gmail, et al, to scan every message for suspicious text and images.

A majority of the Members of the European Parliament adopted the chat control regulation on July 6, 2021, allowing providers to scan communications voluntarily. So far, only some unencrypted US services such as Gmail, Meta/Facebook Messenger, and X-Box apply chat control voluntarily.

The European Commission announced that it will propose follow-up legislation that will make the use of chat control mandatory for all email and messenger providers. This legislation will be presented tomorrow, May 11, 2022 and would also apply to communications services that are end-to-end (E2E) encrypted.

It is important to note that the European Parliament has already pointed out that even voluntary scanning, which is currently permitted by the short-term law, lacks a legal basis and would probably be invalidated if it were taken to court.

Privacy advocates

Needless to say that many privacy advocates are ready to storm the barricades to prevent this law from being approved. Not only does this violate our basic human right to privacy, but encrypted messaging has been a boon to activists, dissidents, journalists, whistleblowers, and marginalized groups around the world.

Privacy advocates argue it brings the EU closer to the surveillance state that many see in other countries and that is a frightful image. It is also a step back when it comes to cybersecurity. What do we call software that eavesdrops on what we are doing on our devices and sends it to a third party? Spyware! And what happens to servers that accumulate large amounts of private data? They become targets for cybercriminals.

The goal

Similar developments are taking place in the US and the supporting narrative has expanded from domestic terrorism to other illegal content and activity, such as child sexual exploitation and abuse, terrorism, foreign adversaries‚ and attempts to undermine democratic values and institutions.

What most, if not all, of these activities have in common is that you usually won’t see the criminals using the same platforms as those of us that want to stay in touch with friends and relatives. They are already conducting their “business” in illegal marketplaces on the Dark Web, or they are using encrypted phone services.

Client side scanning

What does client side scanning mean exactly, some may wonder. Client side scanning broadly refers to systems that scan message contents for matches against a database of objectionable content before the message is sent to the intended recipient.

In this case, it means that the EU wants to force all providers of email, messaging, and chat services to comprehensively search all private messages, even in the absence of any suspicion. That makes the contents of messages no longer private between the sender and receiver, and client-side scanning breaks the E2E encryption trust model.

Pitfalls

As we have seen in the US, once the trend has been set, the number of targets can quickly expand from child abuse to other areas. As some of the privacy advocates noted, it’s a slippery slope.

It’s building a database of objectionable content. Given the amount of data you will need something to make a first selection. Machine Learning and Artificial Intelligence will undoubtedly be put to use. These systems can be manipulated and led astray, where static databases are too easy to circumvent.

False positives are a risk to keep in mind. What happens to a sender, or receiver for that matter, that gets tied to several flagged messages? I’m asking for me. Once an interest in cybercrime, vulnerabilities, and other related areas get added to the areas of government interest, my search queries alone would be enough to get me in trouble. On a lighter note, how hard will it be to explain that autocorrect is responsible for your message getting flagged? And will my reputation accompany me on my travels? In other words, will the US know if the EU thinks I’m involved in something shady?

The complexity of breaking the chain of E2E encryption could also limit the reliability of a communications system, and potentially stop legitimate messages from reaching their intended destinations.

So far, for every method that has been devised to limit the amount of private data that gets shared and scrutinized after the first selection, a downside has been brought up. And the stage in which these messages are unencrypted to be reviewed offers a target area where criminals can exfiltrate a lot of valuable information.

Since client-side scanning technologies may represent the most powerful surveillance system ever imagined, it is imperative that we find a way to make them abuse-resistant and auditable before we decide to start using them. Failures from the past have taught us that it’s often the other way around. We learn from our mistakes, but how costly are they?

It is also important to realize that the criminals we are trying to catch will simply move away from the platforms we decide to subject to client side scanning. So in the end, we are monitoring the communications of innocent citizens, for what exactly?

The post Client side scanning may cost more than it delivers appeared first on Malwarebytes Labs.

The German Sparkasse bank has launched a browser that is especially designed to do your online banking. The browser called S-Protect is available for macOS and Windows users.

The idea is interesting, since having a separate browser for banking can certainly add an extra layer of security.

Separate browsers

Unfortunately there is a low correlation factor between what most people find the best browsers and what are the best browsers when it comes to privacy and security. If you look at the market share of the most popular browsers, there is one browser that steals the crown without a lot of competition: Google’s Chrome. But as we all know there are more secure and privacy oriented browsers available.

I have personally advocated for using different browsers for different things in the past and I still use that method myself, but using a browser that is designed for banking alone? Why not use the app instead? What’s the difference?

S-Protect

According to the Sparkasse’s website [in German] S-Protect is a so-called ‘hardened banking’ browser. You can best think of it as an additional protective screen for online banking. S-Protect prevents Trojans and other malicious programs that may have hidden on your computer from spying on or manipulating online banking. Setting up and using S-Protect is child’s play and gives you a great security advantage in all financial transactions.

The browser has been built for Sparkasse by Coronic GmbH who has built a “protect browser” for other clients and who add that:

“with PROTECT you can work securely on any PC and smart device – even if the computer is already compromised. Malware and hackers don’t stand a chance. Banking and payment remain secure. This helps bank customers who are still reluctant to do online banking.”

Advantages

Your advantages with S-Protect would be:

• Additional protection against data theft, phishing attacks, fake websites
• Easy handling, no installation or configuration
• Automatic login function
• No interference with other security procedures

Access to third-party websites, like manipulated or fake banking sites will be automatically blocked, because the browser is based on the “know your friends” principle, which limits the sites it can visit to that of the bank and their partners.

Phishing

In addition, the browser checks the security certificates of the pages to ensure their authenticity. However, if a user clicked on a phishy link in their email client then the URL will be opened in their default browser. If that default browser is not S-Protect—and why would it be, given its limited reach—the phishing site will be opened. That’s not S-Protect’s fault, but it just means that users will still need to keep their wits about them to make sure they’re using the correct browser.

Infected system

Sparkasse claims that the browser can be safely used for banking on an infected system, but we would advice very strongly against doing this. We also could not find any information about how the browser is hardened. For example, S-Protect claims to block screenshots of the browser, but would it stop a keylogger from being able to intercept what you are doing?

Disclaimer

Even though the idea deserves merit, I think we should be careful and not expect miracles to happen. Many browsers already have sandboxing in place. Sandboxing is the practice where an application, a web browser, or a piece of code is isolated inside a safe environment against any external security threat. That will stop malware from escaping the browser onto the system or the network. But none have demonstrated a good level of the other way around—stopping malware on the system affecting the browser—however hardened the browser may be. I can only hope Coronic will prove me wrong.

I would have loved to try some of the features of this browser, but I was unable to install S-Protect on my Windows 7 VM so the testing ended there for me.

Stay safe, everyone!

The post A special browser designed for online banking. Good idea, or not so much? appeared first on Malwarebytes Labs.

Swearing off a company used to be easier. Rude customer service, an unfortunate bout of food poisoning, even standing up for workers’ rights against the alleged involvement of a private company to order a country’s military to brutally quash a strike—almost every facet of an individual boycott could be satisfied by simply refusing to purchase a company’s products.

But such a move can be far more difficult to accomplish today, especially when you’re trying to sever your relationship with an Internet conglomerate. Tired of Facebook? Be sure to jump off Instagram and WhatsApp, too, which are both owned by the social media giant. Over Amazon? Good luck trying to navigate the web without landing on at least one site hosted by Amazon Web Services.

And what about Google?

The online behemoth has become so much more than a search engine, as it owns and produces hardware like Android phones, Google Pixel phones, Nest thermostats, and FitBit devices, while also operating Google Chrome, Google Mail, Google Calendar, Google Hangouts, YouTube, and Waze.

Saying goodbye to Google, then, isn’t as easy as refusing to buy an Android phone. It means likely changing several aspects of your life, including some that will affect the people around you.

Thankfully, this daunting task has already been taken on by the cybersecurity evangelist Carey Parker, who spoke recently on the Lock and Code podcast from Malwarebytes. According to Parker, it isn’t that he wanted to remove Google because he “hates” its products—if anything, he’s a fan. Instead, he wanted to start supporting other companies that will respect him and his data privacy.

“Google knows so much about us,” Parker said, explaining that Google makes the overwhelming majority of its revenue from online advertising, which it can only do because of how much data it collects from its users. “For me, it was about limiting as best I could how much information Google knows about me, removing as much as I can for things they already know about me, and then wanting to support companies who put privacy first.”

For anyone who has wanted to take a similar plunge into a Google-less life, here are some of the tips that Parker shared with us.

Start with the individual—Search, Chrome, and Android

Getting rid of everything Google product all at once could be a disaster, as there are simply too many services and products to track. Instead, Parker began the first steps of his experiment by only removing the products that directly affected him.

“I started with the easiest things—at least I think the easiest things,” Parker said. “The ones that have maybe the least tendrils into other things. They don’t affect anybody but yourself.”

For Parker, that meant removing and finding new providers for Google Search and the web browser Google Chrome. When it comes to stepping away from Android devices, Parker found that easy—he’s been using iPhones for years.

In finding an alternative to Google Search, Parker offered two suggestions: DuckDuckGo and the search engine Startpage, both of which claim to refuse any user data tracking for revenue purposes. Instead, the companies say they serve purely contextual ads based on the searches themselves—like showing ads for Nike and Adidas for anyone looking for shoes—and they do not record or keep data on users’ specific searches. In fact, Parker said, Startpage actually works with Google to deliver search results, but the company tells users that it refuses to collect user IP addresses, device information, and browsing history.

“You don’t have to track people to make money,” Parker said, “and Startpage is proof of that.”

In looking for a different, privacy-focused browser, Parker suggested his personal choice, Mozilla’s Firefox, and also the up-and-coming browser Brave.

Bigger shifts with Gmail and GCal

Having found different solutions for searching and browsing the Internet, Parker said he then focused his attention on finding alternatives to Google services that impact those around him.

“[Google Search and Google Chrome were] the first tier, and then, the next one, which is harder—a lot harder, because it involves other people—are Google email and Google calendar, Gmail and Gcal,” Parker said, “I’ve got shared calendars with my family and I am not going to expect them to drop Google like I am trying to do, so for that reason, I’m going to be stuck there for a little while, but I can minimize it.”

After researching the many options out there, Parker found two email providers—one that fulfills much of Google’s functionality and integration with a calendar function, and another that provides end-to-end encryption on messages sent and received between users of the same program.

The first suggestion is Fastmail. Fastmail, Parker said, is a for-profit email provider that users pay to use through a monthly subscription. The email provider also has a calendar solution that works directly with its main product. Even better, Parker said, is that Fastmail respects its users’ data.

“[Fastmail] explicitly say they don’t mine your data, and they are privacy-focused even if they’re not end-to-end encrypted by default,” Parker said. “It’s a really great service and it has the full suite of email, calendar and contacts, among other things. I use it for all my business stuff and some personal stuff.”

For user who wish to prioritize security, Parker suggested ProtonMail, which, by default, provides end-to-end encryption for all emails sent between ProtonMail users. That means that even if your emails get intercepted by a third party along route, those emails cannot be read by anyone other than you and your intended recipient.

More complexity with Google Drive and Google Docs

For users who want to take even more data out of Google’s view, there are just a couple final products to remove from the daily workflow. Those are the cloud storage service Google Drive and the cloud-based word processor Google Docs.

For each product, Parker encountered headaches and obstacles, but he managed to find alternatives that both respected his privacy and provided similar feature sets and functionality.

In finding a proper cloud storage platform, Parker recognized that some of the major players, such as Box and Dropbox, did not provide meaningful encryption for users’ data that would prevent the companies from scanning and gleaning information from user files.

Parker offered several suggestions depending on what users want most. If a user wants to securely send a private file to someone else, he recommended the online services Swiss Transfer and Mega, which can give users the option to set certain parameters on how they share a file, including how long a shareable link is active and whether the file requires a password to access.

For pure storage options, Parker recommended the service Sync.com because of its client-side encryption. Many of the cloud storage providers today, Parker explained, will promise to keep your data secure, but they will also hold the decryption keys to anything that you store on their servers.

“Machines will review the files that you have stored on these drives, either for advertising purposes or, a lot of times it’s for copyright violations,” Parker said. “They’ll look and see—are you trading movies or music with other people? And they’ll flag that and give you grief.”

But after extensive research, Parker found that Sync.com actually provided users with a type of encryption that the company cannot work around.

“[Sync.com is] end-to-end encrypted,” Parker said, “meaning that, even if behind the scenes, Sync.com uses Amazon Web Services, Amazon can’t see what my files are.”

As to finding an alternative to Google Docs, Parker said he struggled a great deal, simply because Google Docs works so well. After first trying to adopt a solution that Parker said is “secure, it’s private, it’s end-to-end encrypted—as far as checking boxes, it checks them,” Parker grew disappointed with the solution’s interface and its sluggish response time. Then, a second option called OnlyOffice was, as Parker put it, “not for the faint of heart” because of a high technical bar which could require renting out cloud servers.

The best, most accessible alternative, then, Parker said, is Skiff, which has an easy-to-use interface, but which only has a replacement for Google Docs, and not for the other, related tools, like Google Spreadsheets or Google Slides. Skiff’s tool can be found at Skiff.org.

Step by step

Taking Google out of your life can be a long and complex process, but it doesn’t have to be hard at the very beginning. And remember, if you ever start to doubt what you’re doing, think about what made you want to start the process. If you’re anything like Parker, you’re motivated to keep your data private and out of the hands of a company that is making money off of you and your browsing habits.

“At the end of the day, we are in an age of surveillance capitalism,” Parker said, “and Google is a publicly traded company with a fiduciary responsibility to maximize profits for their shareholders. Absent privacy regulations in the United States, the financial incentives are just too great to ignore. That’s money off the table.”

Parker emphasized that until Google creates—and there’s no evidence this will happen—a version of its products that users can pay for with their own funds rather than with their own privacy, that users should assume that “at any moment, any Google product unfortunately can and probably will, somehow, monetize your data.”

As the saying goes, Parker said, “if the product is free, then you are probably the product.”

You can listen to our full conversation with Parker on the Lock and Code podcast below.

The post How to remove Google from your life appeared first on Malwarebytes Labs.

Earlier this year, many members of the public were introduced to the facets of a long-ignored crime in cyberspace: The romance scam. A flashy documentary called The Tinder Swindler had premiered on Netflix, and in it, filmmakers documented the efforts of one man to manipulate several women into giving him tens of thousands of dollars after sometimes convincing them that he was their one true love.

Immediately after the documentary premiered, viewers judged the victims. Some viewers blamed the women in the documentary for falling for what looked, externally, like an obvious scam. Others asked how the women could be swept off their feet with so many red flags present? Others blamed the victims for not doing better research into the man, who had worked tirelessly to build fraudulent websites that claimed he was the son of a billionaire diamond miner.

But according to Cindy Liebes, Chief Cybersecurity Evangelist for Cybercrime Support Network, this public perception misses a lot, particularly in how skilled these scammers can be in their work.

This week on the Lock and Code podcast with host David Ruiz, we speak with Liebes about the facts behind romance scams: How prevalent they are, the types of damage they cause beyond financial ruin, and how you can spot a romance scam as it is happening.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “God God” by Wowa (unminus.com)

The post Recovering from romance scams with Cindy Liebes: Lock and Code S03E10 appeared first on Malwarebytes Labs.

The Australian Cyber Security Centre (ACSC) has announced it is aware of the existence of Proof of Concept (PoC) code exploiting a F5 Security Advisory Addressing Multiple Vulnerabilities in its BIG-IP Product Range.

The vulnerability listed as CVE-2022-1388 allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.

F5 BIG-IP

The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.

On May 4, 2022 F5 notified users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 stated that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-1388 and received a CVSS score of 9.8 out of 10.

F5 added that there is no data plane exposure; this is a control plane issue only. So, not much of a problem if the management plane is not exposed to the public Internet, you would think. But since F5 BIG-IP devices are commonly used in enterprises, this vulnerability is a significant risk as it would allow threat actors to exploit the bug to gain initial access to networks and then spread laterally to other devices. And experts estimate based on online searches there are some 2,500 devices exposed to the Internet.

Exploits

Soon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG IP.

Exploits are often found by reverse engineering the changes made by the patch, which is one of the reasons why patches should be applied as soon as possible. Besides assumed reputation damage, this is a reason why vendors and open source maintainers are often hesitant to request a CVE.

The researchers that created the exploits warned that all admins should immediately update their devices as soon as possible due to the trivial nature of the exploit. Now the ACSC has warned about the existence of a proof of concept, and attempts by malicious actors to exploit this vulnerability on Australian networks.

Mitigation

A list of vulnerable products and versions can be found in the F5 KB article. Experts recommend to take Internet-facing devices offline and check if they are safe first, before applying the patches. If an attacker has already planted a backdoor, they can still control the product even after patching.

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

• Block iControl REST access through the self IP address
• Block iControl REST access through the management interface
• Modify the BIG-IP httpd configuration

For future use, this F5 BIG-IP Security Cheatsheet is a great resource to make sure your product is configured securely, and that attackers will not have access to the management interface from the Internet.

Please note that BIG-IP 11 and 12 are vulnerable as well but these are too old to be patched.

Stay safe, everyone!

The post Update now! F5 BIG-IP vulnerability being actively exploited appeared first on Malwarebytes Labs.

It’s not been plain sailing recently for Conti ransomware, the Ransomware as a Service (RaaS) group with several major attacks under its belt. In August last year, a pen tester leaked valuable manuals and documents related to the operation. These leaks continued as the Conti gang expressed support for the Russian Government in the midst of their invasion.

Elsewhere, researchers gained access to a ransomware server and the owners eventually pulled Conti’s infrastructure offline for two days. To top it off, an offshoot based on leaked source code is targeting Russian organisations with this rather unambiguous message:

By now it’s probably painfully apparent that your environment has been infected with ransomware. You can think Conti for that…your President should not have committed war crimes. If you’re searching for someone to blame for your current situation look no further than Vladimir Putin.

In short, it’s quite the volatile situation. As offshoots butt heads against the public support for Russia coming from the Conti gang, the ransomware organisation is increasingly becoming the digital public enemy number one in Costa Rica.

Going toe to toe with Conti

Conti ransomware has been causing major problems in Costa Rica since at least April, with several important agencies impacted by outbreaks, which according to Bleeping Computer includes:

• Costa Rican Social Security Fund
• Administrative Board of the Electrical Service of the province of Cartago
• Radiographic Costarricense
• The Ministry of Science, Innovation, Technology, and Telecommunications
• National Meteorological Institute

On top of this, there also exists a 672GB dump of data which may include data from multiple compromised Government agencies. The message accompanying the leak reads as follows:

It is impossible to look at the decisions of the administration of the President of Costa Rica without irony, all this could have been avoided by paying you would have made your country really safe, but you will turn to Biden and his henchmen…no government of other countries has finalised this attack, everything was carried out by me with a successful affiliate. The purpose of this attack was to earn money, in the future I will definitely carry out attacks of a more serious format with a larger team.

Little wonder, with all of this happening, that Costa Rica is on high alert.

Embattled services struggle with outbreaks

As this article points out, the Treasury alone has been without any form of digital service for three weeks. It’s also unclear at this time if tax payer information has been stolen. This has meant a return to physical procedures as opposed digital. As we’ve seen previously where Conti is concerned, any move away from digital to physical can result in all manner of problems.

Counting the cost

Make no mistake, the attacks have been varied and relentless. Last month, the administrative systems of a government agency managing electricity in Cartago were encrypted and rendered useless. That’s roughly 160,000 people potentially impacted in one go. A cool $10m was demanded as a ransom during the attack on the finance ministry. This attack is claimed to have caused losses of $200m.

Little wonder, then, that the US State Department has offered up to $10m for information on the Conti group. If you’re able to identify key individuals in the group, you may well be in for a significant payday. On top of that, there’s an additional $5m in relation to arrests/convictions for affiliates.

As the release notes:

The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti Ransomware variant the costliest strain of ransomware ever documented. In April 2022, the group perpetrated a ransomware incident against the Government of Costa Rica that severely impacted the country’s foreign trade by disrupting its customs and taxes platforms. In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cyber criminals.

It appears the game is most definitely afoot. Will anyone actually be able to bring the group and affiliates to justice before another major attack? Based on what we’ve seen so far, the answer for the time being is almost certainly not.

The post Costa Rica continues defence against sustained Conti ransomware attacks appeared first on Malwarebytes Labs.

While we recently “celebrated” World Password Day, almost every security outlet keeps telling us that passwords alone are not enough.

In practice, in the last few years this has meant pairing passwords with something else, such as a one-time code from an app or an SMS message, in a scheme called two-factor authentication (2FA).

But while pairing passwords with a second factor is much better than using a password by itself, it is just a way of working around some very serious, inherent flaws in password authentication. Which begs the question: If passwords are such a problem, why use them at all?

Now Apple, Google and Microsoft have announced that you don’t have to.

The trio of tech giants all used World Password Day to declare increased support for FIDO Alliance standards like FIDO2, a globally-recognized standard for passwordless authentication.

According to the alliance:

In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

Microsoft, Google, and Apple

Last year, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

On May 5, 2022, Google announced it will implement passwordless support in Android and Chrome, and Apple announced its support for new authentication capabilities enabled by the adoption of FIDO’s latest standard.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

With all three tech giants on board, we can expect passwordless FIDO sign-in across macOS and Safari; Android and Chrome; and Windows and Edge. This means that, for example, users will be able to sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

FIDO2

Instead of using a password, which can be intercepted as it passes over the Internet, and has to be processed and stored by each service you use, FIDO2 uses public-key encryption. It performs the cryptographic operation that verifies who you are on a device you own, using a private key that never leaves your possession. This means that nothing of value is shared with or stored on the website or service you’re using, and the information sent back and forth during authentication is of no use to an attacker.

FIDO2 combines two standards: WebAuthn and CTAP. WebAuthn does the important job of setting out how web browsers authenticate to websites, but the real magic of FIDO2 is CTAP, the Client to Authenticator Protocol.

CTAP is what allows that crucial cryptographic operation to happen on a wide variety of devices (referred to as “roaming authenticators”), including hardware keys, phones, and laptops. These roaming authenticators are expected to have a mechanism to obtain a “user gesture” which authorises the cryptographic operation, such as a consent button, a password, a PIN, a fingerprint, or face recognition. And this is what allows you to approve your authentication to a website using your iPhone’s Touch ID or Windows Hello.

Devices that act as roaming authenticators can also communicate with other devices, so you can do things like signing in to websites you’re visiting on your laptop by using Touch ID on your iPhone or drawing a pattern on your Android tablet.

Will it work?

The idea of passwordless authentication is to create a login method that is secure and easy-to-use, and that eliminates the risks of phishing, password guessing, password reuse, and credential stuffing.

As with all security innovations, we don’t expect attackers to respond by giving up and going home, just to shift their attention to (hopefully) more difficult and expensive forms of attack.

When Microsoft announced in September that you no longer needed a password, we spoke to Per Thorsheim, one of the world’s leading experts on passwords. He had some major concerns about situations when people lose access to their choice of authenticator, and with that lose access to their Microsoft account.

[I am concerned about] when people lose access to their choice of authenticator, and by that lose access to their Microsoft account. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers.

FIDO2 puts a heavy burden on the account recovery process. Will there be a backup method similar to a “forgot my password” procedure, or do I have to create a new account which can then be linked to my online persona? Either way, such a method could create create a backdoor for attackers to target instead of FIDO-protected authentication.

Passwordless authentication could also multiply the stress caused by a stolen or lost device. If an attacker can guess your PIN or pattern they have access to all of your accounts.

Fortunately, rate-limits on phones makes that very difficult. Even if you secure your device with a 4-digit PIN or a pattern, an attacker finding or stealing your device will have to be very lucky to guess it correctly before the device shuts them out altogether.

However, trusting someone with the access code to your phone will become the equivalent of handing them the key to your entire online life.

If the importance of device access increases, this could lead to more stringent authentication requirements on our pohnes. For example, PINs with 10 digits instead of four or six, or more complicated patterns. And perhaps we’ll say goodbye to default PINs as well.

Nevertheless, we look forward to the passwordless future, even if we may have to work out some details along the way. Passwords have outlived their use for important resources: Victims have been made despite doing everything right; and threat actors have made an industry out of phishing our passwords, keyphrases, and security questions, and from brute-force guessing our passwords.

It is time for something new and three tech giants working together with an established industry association on a passwordless future looks promising.

Stay safe, everyone!

The post Google, Apple, and Microsoft step hand in hand into a passwordless future appeared first on Malwarebytes Labs.