IT NEWS

Update now! F5 BIG-IP vulnerability being actively exploited

The Australian Cyber Security Centre (ACSC) has announced it is aware of the existence of Proof of Concept (PoC) code exploiting a F5 Security Advisory Addressing Multiple Vulnerabilities in its BIG-IP Product Range.

The vulnerability listed as CVE-2022-1388 allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.

F5 BIG-IP

The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.

On May 4, 2022 F5 notified users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 stated that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-1388 and received a CVSS score of 9.8 out of 10.

F5 added that there is no data plane exposure; this is a control plane issue only. So, not much of a problem if the management plane is not exposed to the public Internet, you would think. But since F5 BIG-IP devices are commonly used in enterprises, this vulnerability is a significant risk as it would allow threat actors to exploit the bug to gain initial access to networks and then spread laterally to other devices. And experts estimate based on online searches there are some 2,500 devices exposed to the Internet.

Exploits

Soon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG IP.

Exploits are often found by reverse engineering the changes made by the patch, which is one of the reasons why patches should be applied as soon as possible. Besides assumed reputation damage, this is a reason why vendors and open source maintainers are often hesitant to request a CVE.

The researchers that created the exploits warned that all admins should immediately update their devices as soon as possible due to the trivial nature of the exploit. Now the ACSC has warned about the existence of a proof of concept, and attempts by malicious actors to exploit this vulnerability on Australian networks.

Mitigation

A list of vulnerable products and versions can be found in the F5 KB article. Experts recommend to take Internet-facing devices offline and check if they are safe first, before applying the patches. If an attacker has already planted a backdoor, they can still control the product even after patching.

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

For future use, this F5 BIG-IP Security Cheatsheet is a great resource to make sure your product is configured securely, and that attackers will not have access to the management interface from the Internet.

Please note that BIG-IP 11 and 12 are vulnerable as well but these are too old to be patched.

Stay safe, everyone!

The post Update now! F5 BIG-IP vulnerability being actively exploited appeared first on Malwarebytes Labs.

Costa Rica continues defence against sustained Conti ransomware attacks

It’s not been plain sailing recently for Conti ransomware, the Ransomware as a Service (RaaS) group with several major attacks under its belt. In August last year, a pen tester leaked valuable manuals and documents related to the operation. These leaks continued as the Conti gang expressed support for the Russian Government in the midst of their invasion.

Elsewhere, researchers gained access to a ransomware server and the owners eventually pulled Conti’s infrastructure offline for two days. To top it off, an offshoot based on leaked source code is targeting Russian organisations with this rather unambiguous message:

By now it’s probably painfully apparent that your environment has been infected with ransomware. You can think Conti for that…your President should not have committed war crimes. If you’re searching for someone to blame for your current situation look no further than Vladimir Putin.

In short, it’s quite the volatile situation. As offshoots butt heads against the public support for Russia coming from the Conti gang, the ransomware organisation is increasingly becoming the digital public enemy number one in Costa Rica.

Going toe to toe with Conti

Conti ransomware has been causing major problems in Costa Rica since at least April, with several important agencies impacted by outbreaks, which according to Bleeping Computer includes:

  • Costa Rican Social Security Fund
  • Administrative Board of the Electrical Service of the province of Cartago
  • Radiographic Costarricense
  • The Ministry of Science, Innovation, Technology, and Telecommunications
  • National Meteorological Institute

On top of this, there also exists a 672GB dump of data which may include data from multiple compromised Government agencies. The message accompanying the leak reads as follows:

It is impossible to look at the decisions of the administration of the President of Costa Rica without irony, all this could have been avoided by paying you would have made your country really safe, but you will turn to Biden and his henchmen…no government of other countries has finalised this attack, everything was carried out by me with a successful affiliate. The purpose of this attack was to earn money, in the future I will definitely carry out attacks of a more serious format with a larger team.

Little wonder, with all of this happening, that Costa Rica is on high alert.

Embattled services struggle with outbreaks

As this article points out, the Treasury alone has been without any form of digital service for three weeks. It’s also unclear at this time if tax payer information has been stolen. This has meant a return to physical procedures as opposed digital. As we’ve seen previously where Conti is concerned, any move away from digital to physical can result in all manner of problems.

Counting the cost

Make no mistake, the attacks have been varied and relentless. Last month, the administrative systems of a government agency managing electricity in Cartago were encrypted and rendered useless. That’s roughly 160,000 people potentially impacted in one go. A cool $10m was demanded as a ransom during the attack on the finance ministry. This attack is claimed to have caused losses of $200m.

Little wonder, then, that the US State Department has offered up to $10m for information on the Conti group. If you’re able to identify key individuals in the group, you may well be in for a significant payday. On top of that, there’s an additional $5m in relation to arrests/convictions for affiliates.

As the release notes:

The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti Ransomware variant the costliest strain of ransomware ever documented. In April 2022, the group perpetrated a ransomware incident against the Government of Costa Rica that severely impacted the country’s foreign trade by disrupting its customs and taxes platforms. In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cyber criminals.

It appears the game is most definitely afoot. Will anyone actually be able to bring the group and affiliates to justice before another major attack? Based on what we’ve seen so far, the answer for the time being is almost certainly not.

The post Costa Rica continues defence against sustained Conti ransomware attacks appeared first on Malwarebytes Labs.

Google, Apple, and Microsoft step hand in hand into a passwordless future

While we recently “celebrated” World Password Day, almost every security outlet keeps telling us that passwords alone are not enough.

In practice, in the last few years this has meant pairing passwords with something else, such as a one-time code from an app or an SMS message, in a scheme called two-factor authentication (2FA).

But while pairing passwords with a second factor is much better than using a password by itself, it is just a way of working around some very serious, inherent flaws in password authentication. Which begs the question: If passwords are such a problem, why use them at all?

Now Apple, Google and Microsoft have announced that you don’t have to.

The trio of tech giants all used World Password Day to declare increased support for FIDO Alliance standards like FIDO2, a globally-recognized standard for passwordless authentication.

According to the alliance:

In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

Microsoft, Google, and Apple

Last year, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

On May 5, 2022, Google announced it will implement passwordless support in Android and Chrome, and Apple announced its support for new authentication capabilities enabled by the adoption of FIDO’s latest standard.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

With all three tech giants on board, we can expect passwordless FIDO sign-in across macOS and Safari; Android and Chrome; and Windows and Edge. This means that, for example, users will be able to sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

FIDO2

Instead of using a password, which can be intercepted as it passes over the Internet, and has to be processed and stored by each service you use, FIDO2 uses public-key encryption. It performs the cryptographic operation that verifies who you are on a device you own, using a private key that never leaves your possession. This means that nothing of value is shared with or stored on the website or service you’re using, and the information sent back and forth during authentication is of no use to an attacker.

FIDO2 combines two standards: WebAuthn and CTAP. WebAuthn does the important job of setting out how web browsers authenticate to websites, but the real magic of FIDO2 is CTAP, the Client to Authenticator Protocol.

CTAP is what allows that crucial cryptographic operation to happen on a wide variety of devices (referred to as “roaming authenticators”), including hardware keys, phones, and laptops. These roaming authenticators are expected to have a mechanism to obtain a “user gesture” which authorises the cryptographic operation, such as a consent button, a password, a PIN, a fingerprint, or face recognition. And this is what allows you to approve your authentication to a website using your iPhone’s Touch ID or Windows Hello.

Devices that act as roaming authenticators can also communicate with other devices, so you can do things like signing in to websites you’re visiting on your laptop by using Touch ID on your iPhone or drawing a pattern on your Android tablet.

Will it work?

The idea of passwordless authentication is to create a login method that is secure and easy-to-use, and that eliminates the risks of phishing, password guessing, password reuse, and credential stuffing.

As with all security innovations, we don’t expect attackers to respond by giving up and going home, just to shift their attention to (hopefully) more difficult and expensive forms of attack.

When Microsoft announced in September that you no longer needed a password, we spoke to Per Thorsheim, one of the world’s leading experts on passwords. He had some major concerns about situations when people lose access to their choice of authenticator, and with that lose access to their Microsoft account.

[I am concerned about] when people lose access to their choice of authenticator, and by that lose access to their Microsoft account. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers.

FIDO2 puts a heavy burden on the account recovery process. Will there be a backup method similar to a “forgot my password” procedure, or do I have to create a new account which can then be linked to my online persona? Either way, such a method could create create a backdoor for attackers to target instead of FIDO-protected authentication.

Passwordless authentication could also multiply the stress caused by a stolen or lost device. If an attacker can guess your PIN or pattern they have access to all of your accounts.

Fortunately, rate-limits on phones makes that very difficult. Even if you secure your device with a 4-digit PIN or a pattern, an attacker finding or stealing your device will have to be very lucky to guess it correctly before the device shuts them out altogether.

However, trusting someone with the access code to your phone will become the equivalent of handing them the key to your entire online life.

If the importance of device access increases, this could lead to more stringent authentication requirements on our pohnes. For example, PINs with 10 digits instead of four or six, or more complicated patterns. And perhaps we’ll say goodbye to default PINs as well.

Nevertheless, we look forward to the passwordless future, even if we may have to work out some details along the way. Passwords have outlived their use for important resources: Victims have been made despite doing everything right; and threat actors have made an industry out of phishing our passwords, keyphrases, and security questions, and from brute-force guessing our passwords.

It is time for something new and three tech giants working together with an established industry association on a passwordless future looks promising.

Stay safe, everyone!

The post Google, Apple, and Microsoft step hand in hand into a passwordless future appeared first on Malwarebytes Labs.

How Instagram scammers talk users out of their accounts

If you’ve dealt with a scammer, you’ll know that making up stories is their bread and butter. Think about it: Just when you thought you’d heard all the infamous 419 scam backstories, scammers surprise you with a “stuck astronaut” scam, something so utterly hilarious, nonsensical, and otherworldly that you’ve just got to tell your friends and families about it.

While the 419 cosmonaut backstory (surprisingly!) has layers of truth to it, your typical Instagram scam story doesn’t have an iota of fact it can stand on. But because the stories that hook someone were designed to trigger an instant emotional response and a sense of urgency, Instagram scammers are more effective at getting the job done speedily.

Mind you, scammers are not after every Instagram user. They just need a handful of those people who will help someone without thinking. And since they’re not after money, just a bit of someone’s time, they already have one foot in the door.

Instagram scammer backstories vary, but the scams themselves follows one pattern: They ask you for help, tell you their backstory, and put their fate in your hands.

Here are some of the stories that scammers are known to use:

Regardless of the script they’re following, scammers will say you’ll receive a link on your phone via SMS. They will then ask you not to click the link but merely take a screenshot and send the image back to them.

The link is a legitimate Instagram “forgotten password” URL for your account, and scammers want you to screenshot it so they can use the URL to reset your password, take over your account, and lock you out.

It’s impossible to say what fraudsters will say next just to get you to screenshot a forgotten password link. Regardless, any requests for link screenshots should be treated with extreme suspicion. Whether product lines or ambassador programs, you can safely ignore these messages and report the sender.

Stay safe out there!

The post How Instagram scammers talk users out of their accounts appeared first on Malwarebytes Labs.

Steer clear of fake premium mobile app unlockers

A site has been bouncing around YouTube comments for the past couple of weeks. The site sometimes changes, the messages alter slightly, but the essence remains the same: In all cases, people acting in suspiciously automated fashion ask if everyone is using this “glitch” or generator without ever clarifying what, exactly, either of them are, or do.

The site offers “tweaked apps”, apparently available with a single click and requiring “no jailbreak, no root.” (Jailbreaking is the practice of breaking out of the iPhone’s default, highly-restricted mode, and getting “root” is the rough equivalent on an Android device.) That’s what they claim, anyway. There’s an OnlyFans Premium, Netflix Premium, a Pokemon Go Spoofer Injector, and many more.

mobile1 edited
Get your premium content here…

No matter which app you select though, the outcome is the same.

A page informs you of the last time the app was updated, your IP address, whether the app is compatible with your device, and “no injection detected”.

They go on to say the following:

App injection required!

Follow the steps on the next page. To get started, we first need to inject the content into this app. This is a simple process and you will only have to do this once to get access.

Despite claiming that this process will “only work” on mobile, they’re being somewhat liberal with the truth. You absolutely can start the so-called injection process on a desktop, because there is no injection process, it’s all fake.

Here’s a supposed “Premium Unlocker” for OnlyFans.

A fake OnlyFans Premium unlocker
Fake OnlyFans Premium Unlocker

When you start the “injection process” a message saying “Injecting: connecting with your phone” pops up, whether you’re using a phone or not.

It’s all a fraud. We’re redirected to a domain aimed at promoting ad offers / surveys / deals to mobile users. We are, rather nostalgically, in the land of the survey scams. At one point these seemed to be the only form of fakeout in town, made massively popular by gating non-existent unicorn deals behind walls of clickthrough ads.

A stack of empty promises

If you were promised a game, you’d get a demo version. Money off vouchers? You’d likely have to spend more signing up to deals to receive one in the first place. In other words, it was a massive scam factory for people up to no good. Note the desperation on the prompt urging to you to keep opening up new offers before receiving your non-existent reward:

install offers to continue
“Please install more!”

All you’re likely to get from this is:

  • Surveys or popups
  • Malicious mobile downloads
  • Signup offers that require personal information or payment.

You could easily go into this thing expecting free premium content for your service of choice, and exit with spyware or monthly payments for subscription services you don’t actually need. As a rule, free versions of paid-for apps offered on random websites simply do not exist. Sites which claim to offer hacks or generators for titles like Roblox, FIFA, or GTAV, are simply making it up. They will almost certainly be a survey scam or something else you don’t want to get involved in.

If you’re really in need of premium versions of services you use, you’re better off paying for them. At the very least, it has to be better than spinning the wheel on sites like the above and hoping you don’t get burned.

The post Steer clear of fake premium mobile app unlockers appeared first on Malwarebytes Labs.

Steer clear of these Instagram “Get rich with Bitcoin” scams

I don’t know about you, but I open Instagram to look at cool photos of pets, not to make a fortune via suspicious claims of riches by strangers.

Despite this, following someone whose photos I liked resulted in a very peculiar message.

It’s possible I waved goodbye to a path to untold riches. Maybe if I’d stayed the course I’d now have my own “Become a millionaire in six months or less” e-book.

However, it’s more likely I dodged a Bitcoin scam. The kind of scam where I’d have to use screenshots of my bank account slowly being drained of all available funds for my next blog post.

Shall we take a look?

Introducing my good friend, Steven McBitcoin

This is the message that greeted me from my newest Instagram contact, who for ease of reference I’ve dubbed Steven McBitcoin:

Steven: Hello 

Good day

Are you interested in bitcoin mining?

I mean, oh boy am I ever. Possibly not quite in the way they were expecting, though. I decided to go with the “I don’t know anything, tell me more approach” with the vaguely non-committal:

Me: Hello possibly, how come?

Steven: I’m willing to teach you about bitcoin, coach you on how to invest and earn your profits as soon as possible. With a minimum investment of $1,000 I guarantee you of making $10,000 directly into your bank account, bitcoin wallet or any withdrawal method of your choice.

Understood?
insta1
A definitely real promise of money beyond my wildest dreams

Well now, that’s quite the promise. $10,000 dollars from $1,000 guaranteed? What could possibly go wrong…apart from everything?

How do I make this kind of money?

The messages continue to rumble on. Now we’re getting into the nuts and bolts of how this stack of digital currency shall be mine.

Me: Where would I invest and how?

Steven: Do you have cashapp, coinbase, crypto.com or Trust wallet?

It appears I’ve reached the “pretend you have one of the options mentioned and see what he says next” stage of the proceedings.

Me: Cashapp

Steven: OK good

Now go to your cashapp main page and send me the screenshot so I can give you direct guidelines on how to get paid.

You got it?

Generally speaking, sending people screenshots of the inside of your payment or bank portals is not a great idea—you can give away a lot about yourself.

This is also often used as a distraction by people who simultaneously ask for other details, such as logins. Consider it a distant cousin of the “please turn off your anti-virus while installing the dolphin.exe file you got from Limewire” technique.

The pinky-swear of digital currency

I wanted to know a little more about the guaranteed return of $10,000. That’s quite the generous deal. Some people would say it’s almost too good to be true.

I am absolutely one of those people.

Me: i have a question. How do you guarantee that i make $10,000 from $1,000? is there a time limit on when i should hit the 10k? what happens if i don't or I end up with less? is the guarantee in writing or anything?

Let’s see what cast-iron agreement he has in store. I simply cannot wait to find out how good this is. Getting it in writing? Of course I’ll be getting it in writing.

Steven: You profit is safe and guaranteed that I can very well assure you and you'll also get your money in less than 2 hours

You won't end up less than but instead even an higher profit from your trade.

I need you to believe me when I say that you have absolutely nothing to worryabout, just follow my lead and you'll be the one to thank me later OK.

Send me the screenshot let's proceed with your trade now.

Turns out the guarantee is “dude, trust me”. At this point, in the best documentary tradition, I made my excuses and left (by which I mean I blocked and reported him).

Notice how insistently pushy he becomes towards the end of the conversation. I imagine he’s already moved on to beguiling the next victim with tales of gigantic Bitcoin victory. Hopefully they block and report Mr McBitcoin too.

Common Instagram Bitcoin scams

Sadly, people promising get rich quick Bitcoin schemes on Instagram are a growing market of garbage and dross. There is currently no end of people on Facebook bemoaning the loss of their account to any one of the scams listed below:

  1. Big wins, short timespan: Claims that you’ll make big returns on smaller investments rapidly are a red flag, as is pressure to transfer funds as quickly as possible. If someone you know suddenly starts talking about all the money they’re making thanks to their “Bitcoin mentor”—run away. It’s another very common scam related to compromised accounts.
  2. Send me the money: On a similar note, asking you to go off and buy digital currency then send it to another person’s wallet to “invest” are likely going to get you nothing but an empty wallet.
  3. Held hostage to cryptocurrency: Many videos regarding wild claims of Bitcoin success are actually incredibly creepy hostage videos. This is where people previously scammed out of their cash are made to film promos to keep the scam going.
  4. A change in circumstances: If you’re asked to change your login details / email address to something somebody else has given you, you’ll simply be locked out of your account and it’ll be used to spam others.
  5. When profit becomes taxing: Here’s one which started with a $1,000 deposit—just like the messages I received—and actually did finish up with a supposed profit of $15,000. Unfortunately for the victim, the scammer then asked for a $15,000 “tax payment” in order to release the now stolen funds. The thousand dollars are not coming back.

If you receive a get rich quick missive, you may wish to report it and block the sender. You can do this on Instagram by selecting the “…” next to the Follow button, then choosing Report > report account > posting content that shouldn’t be on Instagram > scam or fraud.

At the risk of resurrecting the “if it’s too good to be true…” dead horse, it has a fair bit of merit here. If someone had the secret to huge amounts of wealth, they wouldn’t be sharing it with random people on Instagram. Sadly, the only people making bank from this kind of deal or offer are the scammers pulling the strings in the first place.

The post Steer clear of these Instagram “Get rich with Bitcoin” scams appeared first on Malwarebytes Labs.

OpenSea warns of Discord channel compromise

OpenSea, the primary marketplace for buyers and sellers of non-fungible tokens (NFTs), has reported major problems with its Discord support channel. How major? Well, there’s a “potential vulnerability” which allowed spambots to post phishing links to other users. A problem that lead OpenSea Support to declare “please do not click any links in the Discord.”

There’s no further information on how this occurred, but situations like this can happen if a channel’s administrator gets phished. If Discord had suffered a software vulnerability we would expect to see other channels being compromised too.

The spam messages originate from something called “Carl-Bot”. Discord channels typically make use of bots for low-level admin duties, general assistance and so on. Carl-Bot itself is a common sight across Discord, with lots of time saving features. Sadly, spamming phish links is not supposed to be one of them.

Carl-bot! No!

If Carl-Bot was present in the channel prior to the compromise, its purpose has been changed and not for the better. Here’s some of the spam Carl-bot was pushing out:

The spam message reads as follows:

Important announcement

We have partnered with YouTube to bring their community into the NFT space, and we’re releasing a mint pass with them that will allow holders to mint their project for free along with getting other insane utilities for being a holder of it.

The bot then mentions the limited supply of free items it is definitely, absolutely giving away to “fortunate” individuals:

You are able to get this mint pass below for 100% free. There will only be 100 of these however, once they are gone they won’t be coming back.

You can mint the YouTube Genesis Mint Pass here for free [url removed]

Fear of missing out (FOMO) is a huge driver in the NFT space, with the emphasis on scarcity of supply and rare, non-replicable items. In addition to that, YouTube has previously announced intentions to move into the NFT space. Seeing messaging like the above in the official OpenSea support Discord is bound to trick a lot of enthusiasts.

The scam site recedes into the distance

Here’s the site as it looked a few short hours ago:

The site right now is a blank page save for mention of a Twitter account, which has no content or likes posted to it. It could be the calling card of whoever did this, or it could be misdirection on the part of the site owner. Either way, Malwarebytes blocks the URL in question.

Protecting Discord

This is a developing story and information is thin on the ground. Having said that, there are still some things to keep in mind:

  1. You can often avoid scams like these with a little common sense. Even a trusted Discord channel can turn rogue if someone compromises the right account. But would a rare, NFT-themed giveaway only be referenced in this one channel and nowhere else? It seems unlikely.
  2. Use 2FA and a password manager. We don’t know what the phishing page was trying to obtain, but it will be something valuable, which probably means cryptocurrency or Discord logins. You can make it harder to steal your Discord login by using a password manager and two-factor authentication (2FA). While 2FA tokens can be phished, it sets a higher bar for scammers to clear, and a password manager will not enter your password into a phishing site.

Protecting your cryptocurrency

Protecting your cryptocurrency is all about keeping your private cryptographic keys and recovery phrases private. If you control them, you decide what happens to your money and what transactions to make. If somebody else controls them, they get to decide. Sites or random Discord accounts asking for recovery phrases should be avoided, as you risk losing all your funds for good.

The safest way to keep your keys safe is to store them offline, in a “cold wallet” that isn’t connected to the Internet. Even if you do that, your coins aren’t safe if you willingly send them to somebody though. Don’t send funds to Bitcoin addresses promising to double your payment, no matter which celebrity appears to be endorsing it.

The post OpenSea warns of Discord channel compromise appeared first on Malwarebytes Labs.

The $43 billion Business Email Compromise threat

The FBI has released a public service announcement regarding the ever-present threat of Business Email Compromise (BEC). This comes hot on the heels of an earlier release from the Las Vegas FBI department in April. Losses continue to mount, and we’re currently facing a scam racking up domestic and international losses of $43 billion.

What is Business Email Compromise?

BEC attacks, also known as CEO/CFO fraud, is financial in nature and targets organisations of all sizes The basic game plan is to pretend to be someone at executive level, and then convince an employee to help them wire funds outside of the company. Loss numbers are frequently significant, and it’s a very appealing tactic for scammers looking to get rich quick.

As the FBI points out, the goal is not always a direct fund transfer:

One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.

With any foothold gained inside the organisation, BEC attempts which run into frustration can potentially pivot into other areas of attack as we’ll mention later. With so many avenues of approach, it’s no wonder BEC attracts the attention of law enforcement at the highest levels.

The FBI BEC numbers game

  • $43 billion vanished between June 2016 and December 2021. There were 241,206 domestic and international incidents between those two dates.
  • The FBI observed a 65% increase in losses suffered between July 2019 and December 2021, which feels like a significant ramp-up.
  • The overwhelming number of organisations filing victim complaints to the IC3 between October 2013 and December 2021 were based in the US.

The report goes into more detail, but the short version is that US organisations are suffering quite a bit from this type of attack. It’s possible that BEC still isn’t as well known as it should be. It’s also possible that the pandemic has contributed to a lack of funds for appropriate security measures and training for employees. Whatever the reason, we’ve definitely reached the part where alarm bells are ringing loud and clear.

The rise of cryptocurrency in BEC fraud

As with so many forms of online criminal activity, law enforcement is noticing an increase in cryptocurrency use. This area of concern is particularly fascinating, first identified in BEC attacks in 2018 and continuing to build through to 2021 with just over $40m in exposed losses. This will almost certainly continue to increase. No BEC fraudster will turn down the chance of fast transactions easily made online with a degree of anonymity attached to the process. Here’s what the FBI has to say about some of the cryptocurrency tactics deployed:

The IC3 tracked two iterations of the BEC scam where cryptocurrency was utilized by criminals. A direct transfer to a cryptocurrency exchange (CE) or a “second hop” transfer to a CE. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.

220504 3
Source: FBI report on BEC losses

6 tips to avoid BEC scams

  1. Your business should have an approved method for money transfers and anything of a financial nature. If cash goes out of the organisation in any way, it has to stick to the process. Deviating under any circumstance is a tiny gap in your armour that could prove fatal. “We only did it one time” often results in “We just lost a terrifying amount of money somehow”. Urgent same-day requests for wire transfers? Head straight to the page which hopefully insists upon no urgent same-day wire transfer requests ever.
  2. Some form of authentication to confirm your CEO/CFO is pulling the money-lever for real should be in place. Phone conversations are great for this. Any accounts tied to exec level should also have some form of Multi-Factor Authentication (MFA) attached to it whether or not there’s financial activity involved. Email accounts? Internal logins? Anything at all? App-based authentication or a physical hardware token is the way to go. Sometimes attackers aren’t just spoofing real emails, they’re compromising them to send money requests too. Authentication will go a long way to ward this threat off.
  3. You can’t realistically hide who your executives are from the world at large. One way or another, they’re going to be on an “About Us” page. Limit the amount of data exposure. Consider placing generic “catch-all” email addresses on the contact page. It doesn’t have to be their actual, personal email address. Don’t tell everyone on social media that the CEO is on vacation for a week, or even just travelling. When people targeted by BEC scams are potentially hard to get hold of, BEC fraudsters will likely strike.
  4. Email security plays a big part in cutting these attacks off at source. Deactivate accounts belonging to former employees, especially if they were part of the exec team: Malicious activity is a feature of old, abandoned addresses. Rules for suspicious looking emails coming into the organisation and also being sent around internally should be made use of. Any form of digital authentication/digital signatures to verify the sender will also help. Prominent “external sender” flags on mails are very handy tools to cut down on mail imitation.
  5. If the BEC tactics aren’t working, the attacker could decide to switch to malware instead. Emails from random addresses containing attachments such as fake invoices should be quarantined, especially when mail security tools detect potential keywords or phrases related to BEC indicators. Boobytrapped Excel sheets, for example, are one of the mainstays of ransomware compromise. Don’t dodge the BEC bullet only to be taken down by file encryption on a massive scale instead.
  6. Tell employees that it’s totally fine to question requests for payment or money transfer, especially if totally out of the blue. Even more so if it’s not something they’d have any involvement in. Why is the CEO asking someone in building maintenance to help them wire $30,000 through Hong Kong at 3 in the morning?

The challenge of BEC compromise

This is clearly a tricky problem to get to grips with, or else the FBI wouldn’t be publishing multiple alerts and public service announcements about it. The ever-increasing losses speak for themselves. The slowly growing relevance of cryptocurrency to BEC attacks paints a stark picture of where this tactic is headed. Try to implement as many of the tips above as possible.

Most importantly, don’t be pressured into sending money without doing some additional digging first. It may well prove to be one of the smartest work decisions you’ll ever make.

The post The $43 billion Business Email Compromise threat appeared first on Malwarebytes Labs.

Ransomware: April 2022 review

The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.

April 2022 was most notable for the emergence of three new ransomware-as-a-service (RaaS) groups—Onyx, Mindware, and Black Basta—as well as the unwelcome return of REvil, one of the world’s most notorious and dangerous ransomware operations.

An old enemy returns

REvil (aka Sodinokibi) first appeared in May 2020 and has been responsible for numerous high-profile ransomware attacks, including arguably the biggest ransomware attack of all time—a supply-chain attack on Kaseya VSA in July 2021 that is thought to have affected over 1,000 businesses.

REvil disappeared shortly after the Kaseya attack, only to emerge again a few months later, before being forced offline on October 21, 2021, by a multi-country operation. A string of arrests followed, and then in January—in an act of unprecedented co-operation—Russia’s Federal Security Service (FSB) announced that it had dismantled the REvil group and charged its members, thanks to the information provided by the USA.

REvil now seems to have returned to the fray with new payloads, and a new leak blog displaying a mixture of new victims and old victims known to have been attacked by REvil.

New gangs emerge

Black Basta made a name for itself very quickly by coming out of nowhere and carrying out at least eleven successful breaches in April 2022. That ability to perform so many attacks so quickly has led some to speculate that Black Basta is a re-brand of an existing group that already has affiliates.

Onyx is a new ransomware gang based on the old Chaos builder. At first, some suspected that Onyx may be a wiper rather than ransomware because it destroyed files larger than 2MB instead of encrypting them. It seems likely that this behavior is the result of a bug in the notoriously poorly-written ransomware builder though.

Another newly-emerged gang is Mindware, which appears to have started operations in mid-March using a well-known ransomware strain called SFile2 (aka Escal)—but it was not until April that it began to practice “double extortion”, where data is stolen before it’s encrypted so that victims are faced with the twin threats of data they can’t decrypt, and leaks of sensitive information.

Ransomware attacks in April 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

Attacks by ransomware type

Despite its rapid start, the activities of Black Basta and the other newly-emerged types of ransomware were dwarfed in April by three established threats: LockBit, Conti, and AlphV, which made up 60 percent of all the known breaches in our analysis.

Ransomware attacks in April 2022 by type of ransomware
Known ransomware attacks in April 2022 by type of ransomware
Known ransomware attacks in April 2022 by country
Known ransomware attacks in April 2022 by country
RW apr 03 1
Known ransomware attacks in April 2022 by industry

Ransomware mitigations

Source: IC3.gov

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

How Malwarebytes protects against ransomware

2022 04 29 20 09 50

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

The post Ransomware: April 2022 review appeared first on Malwarebytes Labs.

It’s business as usual for REvil ransomware

After the FBS arrested 14 of its members in January, and a subsequent lull in action, the REvil ransomware gang appears to be back. We say “appears” because it’s still unclear whether the group’s operations have indeed restarted.

To the trained eye, REvil’s movements seem out of sorts. When REvil’s old Tor infrastructure came back to life in April, it was modified to redirect visitors to URLs owned by a new ransomware group. The sites the nodes point to looked nothing like REvil’s. And its data leak blog is prepopulated with new ransomware victims and old REvil victims.

“And they are recruiting,” added Malwarebytes Threat Intelligence Analyst Marcelo Rivero.

REvil ransomware: a brief look back

When the REvil ransomware gang began its operations in 2019, it started strong. REvil, also known as Sodinokibi or Sodin, was the new RaaS (ransomware as a service) of the criminal underground, filling the hole GandCrab left behind.

Like any “big-game hunting” operator, REvil only targets high-earning organizations. The logic behind this is that such targets are presumed to pay up, even a high ransom. They presumed correct.

2021 was the ransomware gang’s last year of activity. REvil attacked JBS, one of America’s largest meat and poultry processors, in June. JBS underwent recovery proceedings immediately after the attack, unlike other ransomware victims. It was revealed months after that the company paid REvil to the tune of $11M (£7.8M).

In July, REvil attacked Kaseya, the company behind Kaseya VSA, a popular remote monitoring and management software. The ransomware gang asked for a whopping $70M ransom, but the company didn’t pay. Instead, it used a decryption key “from a third party” to decrypt all its encrypted files.

Many suspected that something was up. Kaseya could not give any more details, as it was bound by an NDA (non-disclosure agreement), but the ransomware gang claimed that the decryptor was leaked by one of its operators.

Is REvil really back?

A ransomware sample is needed to dispel speculations on whether REvil has re-emerged or not. Sure enough, cybersecurity researcher Jakub Kroustek (@JakubKroustek) discovered one recently.

Multiple security researchers who looked into the sample said they noticed a few changes to the code based on old REvil ransomware code. The most notable changes in the encryptor are the version, the new accs configuration option, and the campaign and affiliate identifiers.

In an interview with BleepingComputer, Advanced Intel CEO Vitali Kremez said he believes this option “is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.”

When asked about his thoughts, Rivero said, “I think this REvil sample is just a test file because it doesn’t encrypt.”

On top of this, the sample also adds a random extension name to affected files and creates a ransom note—both as text and HTML files—identical to old REvil’s. The web version of the ransom note links users back to new paid Tor sites and the new data leak blog.

mwb tor ransom note revil
The new REvil ransomware note.

Malwarebytes detects this new REvil sample as Sodinokibi.Ransom.Encrypt.DDS.

What should previous victims do now?

When REvil’s servers disappeared on an early Tuesday morning in July 2021, current victims of the ransomware gang were left stumped, not knowing what to do next. They were stuck in mid-negotiations, fearing they might never hear from the gang again, leaving their essential files encrypted forever.

With REvil back and the new operators apparently inheriting former victims of the old ransomware gang, what does this mean for victims?

It’s almost a year since REvil’s infrastructure went dark, and victim companies may have already moved on or sought help from law enforcement. Either way, REvil might one day come knocking at their digital doors to pick up where it left off.

The post It’s business as usual for REvil ransomware appeared first on Malwarebytes Labs.