IT NEWS

Researchers have found a vulnerability in a popular C standard library in IoT products that could allow attackers to perform DNS poisoning attacks against a target device.

The library is known to be used by major vendors such as Linksys, Netgear, and Axis, but also by Linux distributions such as Embedded Gentoo. Because the library maintainer was unable to develop a fix, this vulnerability remains unpatched. For this reason, the affected devices were not mentioned in detail.

Libraries

In computing, a library is a set of resources that can be shared among processes. Often these resources are specific functions aimed at a certain goal. These functions can be called upon when needed so they do not have to be included in the code of the software that uses it. Another example of such a library that caused some havoc was Log4j.

A C standard library is a library for the C programming language itself. Such a library provides macros, type definitions, and functions for tasks such as string handling, mathematical computations, input/output processing, memory management, and several other operating system services. As you can imagine, such a standard library is called numerous times by many programs that depend on these basic functions.

uClibc

In this case, the library at hand is uClibc, one of the possible C standard libraries available, which focuses specifically on embedded systems because of its size. Because uClibc is a relatively small C standard library intended for Linux kernel-based operating systems for embedded systems and mobile devices. Features can be enabled or disabled to match space requirements.

The alternative uClibc-ng is a fork of uClibc that was announced after more than two years had passed without a uClibc release, citing a lack of any communication from the maintainer. Unfortunately uClibc-ng shares the same vulnerability.

Similar to other C standard libraries, uClibc provides an extensive DNS client interface that allows programs to readily perform lookups and other DNS-related requests.

DNS poisoning

DNS poisoning, also known as DNS cache poisoning or DNS spoofing, is a cyberattack method in which threat actors redirect web traffic, usually toward fake web servers and phishing websites.

In a typical home setup, there is:

• A modem provided by your Internet Service Provider (ISP) which is your connection to the outside world.
• A router that distributes the internet connection across all the devices (often wireless).
• The devices like your laptop, phones, tablets and IoT (Internet of Things) devices such as TVs, temperature sensors, and security cameras.

These days, the modem and router are usually combined in the same device.

A DNS poisoning attack enables a subsequent Machine-in-the-Middle (MitM) attack because the attacker, by poisoning DNS records, is capable of rerouting network communications to a server under their control.

The vulnerability

One of the main ingredients to protect us against DNS poisoning is the transaction ID. This is a unique number per request that is generated by the client, added in each request sent, and that must be included in a DNS response to be accepted by the client as the valid one for that particular request. So while this transaction ID should be as random as possible, the researchers found that there is a pattern. At first the transaction ID is incremental, then it resets to the value 0x2, then it is incremental again.

While figuring out where this pattern comes from, the researchers eventually found out that the code responsible for performing the DNS requests is not part of the instructions of the executable itself, but is part of the C standard library in use, namely uClibc 0.9.33.2.

Given that the transaction ID is now predictable, to exploit the vulnerability an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server. As the function does not apply any explicit source port randomization, it is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port.

Mitigation

Since the library maintainer has indicated he is unable to develop a fix, this vulnerability remains unpatched. The researchers are working with the maintainer of the library and the broader community in order to find a solution. The maintainer explicitly asked to publicly disclose the vulnerability, hoping for help from the community.

Because of the absence of a fix, the researchers did not disclose the specific devices that they found to be vulnerable. They did however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure.

The vulnerability was disclosed to 200+ vendors invited to the VINCE case by CERT/CC since January 2022, and a 30-day notice was given to them before the public release.

If you suspect that your router has been affected by DNS cache poisoning, have a look at our article DNS Hijacks: Routers where you will find some information on how to resolve such matters. When it is purely a case of router DNS caching, I have yet to find a router where resetting the router and leaving it off for at least 30 seconds did not clear the cache. But note that this does not resolve an ongoing attack or remove the vulnerability. It’s just a matter of symptom management.

Stay safe, everyone!

The post Unfixed vulnerability in popular library puts IoT products at risk appeared first on Malwarebytes Labs.

Airdrop phishing is a really popular tactic at the moment. It emerged alongside the explosion of Web3/NFT/cryptocurrency popularity, and ensures scammers get a slice of the money pie. You may well have heard the term in passing, and wondered what an Airdrop is. Is your iPhone about to be Airdrop phished?

It doesn’t really help that the term tied up into lots of new forms of tech you might never have experienced directly. It’s one of those odd scams, doing weird things, to accounts you have no idea about.

Fret no more, because we’re going to walk you through an actual Airdrop phish example. No apes were harmed in the making of this documentary.

What is an Airdrop?

Confusingly, the term has multiple uses jostling for attention. The older, more familiar term is the one related to Apple devices. An Apple Airdrop is where Bluetooth is used to send files to other people. If you’re not an Apple user, it’s likely you’ve only ever seen Airdrop in relation to trolling. If you’re out and about, you may walk into an unintended crossfire of memes, and in the worst case scenario, it might be objectionable unsolicited images.

In terms of security concerns specifically, research has shown how it could potentially aid spear phishing in the right circumstances. Crucially, none of these things are related to the Airdrops we’re talking about today.

What type of Airdrop are we talking about?

The Airdrops of the moment are promotional tactics aimed at cryptocurrency/Web3 people. Airdrops typically reward early adopters of certain currencies or communities. This type of reward can also be given out as no strings attached freebies to anyone who wants in on the action, and they’re great ways to keep people emotionally invested in their Web3 activities. There’s a lot of real world examples listed here.

In terms of how you receive the Airdrop, there are a few different ways. Those early adopters may find the free Airdrop distributed to their address automatically, assuming they have some level of investment in the service giving it away. A big red flag is when a supposed Airdrop asks for funds (for a freebie?), or even worse, your login/recovery phrase.

Nobody should ever be asking for that.

Airdrops are very popular, and this is where phishing attacks come in.

Common Airdrop phishing tactics

Airdrop phish pages try to ensnare as many cryptocurrency users as possible. No matter how obscure your digital currency of choice is, or how unusual your wallet is, there’s a scam just waiting for you.

Our bogus site below is quite slick looking, complete with ticker at the top. “Claim reward bonus/Airdrop”, they implore.

Hitting the button takes you to the select a wallet page. There is, quite simply, a ridiculous amount of wallets and services listed. MetaMask, Solflare, Binance, Digitex, Argent, the works. If you use any form of cryptocurrency wallet or service, there’s a good chance it’s on the list somewhere.

Clicking any of the wallets results in you being informed that an error has occurred. Connecting manually is what you’re now asked to do. From here, you’re asked to send them your phrase, private key, or keystore.

Hitting connect pauses the site for a second, then dumps you onto a 404 Page not found containing “sent” in the URL. At this point, it’s probably a good idea to hope the 404 is genuine and nothing has been sent to the scammers.

Some sites target users of one wallet only. Here’s one targeting MetaMask users, asking for their recovery phrase:

As MetaMask’s official support says:

The ape themed Airdrop phish

Apes are, of course, the hottest draw in town where Airdrop phishing is concerned. Just recently, close to $3m worth of Ape NFTs were stolen via an Instagram compromise. Anything ape related is a giant dollar sign in the sky for fraudsters, and the variety of fake pages out there reflects this.

This particular site asked visitors to claim up to 10 Bull & Ape NFTs, then asked for a variety of password/recovery phrases. The supposed T&C page leads to a 404, and the cookies and privacy policy pages go to pages from an unrelated wallet app. Does this really sound like something you want to hand over your recovery phrase to?

The “Connect your wallet” Airdrop phish

This is where a scam site checks to see if you have a wallet installed, and if not, tells you to install one and then connect it to the site.

Here’s an account with 60k followers, claiming to be the Moonbirds project offering up an NFT airdrop:

When people started calling out the tweet, they locked people’s ability to reply under the guise of “safety” so nobody else could highlight the scam.

This is the genuine Moonbirds account. Note the verified status, which the imposter lacks:

Below, you can see my already installed MetaMask extension opening in the top right corner when I click the “Connect Wallet” button on the fake Airdrop page.

Connecting your wallet to Decentralised Applications (Dapps) is common. What you need to be careful of is connecting to rogue sites. If you start granting permissions, or signing transactions, you may find your wallet draining of funds. It’s up to you to ensure that you don’t simply say “yes” to everything a site asks you. From the MetaMask FAQ:

Be careful about which Dapps you connect to, and what permissions you give them. 

Certain types of transaction require granting a Dapp permission to access your funds–infinite amounts of your funds.

In fact, there have been cases of Dapps being created specifically with the intent to defraud users and steal all of their funds once they’ve granted this kind of access.

Where Airdrops are concerned: safety first, every single time

Nobody needs the stress of losing all their digital currency because of phishing, no matter which form it arrives in. Whether it’s websites asking for recovery phrases or Dapp style sites connecting wallets, be very careful what you do with your wallet. You almost certainly won’t get a second chance if things go wrong.

The post Airdrop phishing: what is it, and how is my cryptocurrency at risk? appeared first on Malwarebytes Labs.

According to the US Department of Health and Human Services, Adaptive Health Integrations (AHI), a healthcare software and billing services firm in North Dakota, suffered a data breach that affected more than half a million individuals. According to the firm, the breach occurred in mid-October last year, but it only started notifying people last month.

The notification letter, a copy of which was posted on the Montana Attorney General’s website, states that the firm was made aware of the attack recently and immediately took action.

“Upon learning of the issue, we contained the threat by disabling unauthorized access to our network and commenced a prompt and thorough investigation with assistance from external cybersecurity professionals. Through an extensive investigation and an internal review, which concluded on February 23, 2022, we determined that certain potentially accessed data contained personal information such as names, dates of birth, contact information, and Social Security numbers.”

The firm was quick to add that not all individuals were affected by the breach, and not all information about affected individuals was accessed.

The letter advises those affected on what they should do next. In it, individuals are encouraged to enrol in free, 12-month complimentary identity monitor services provided by a third party. Doing so opens up additional services to help clients, such as fraud consultation and identity theft restoration.

HIPAA Journal noted that the letter has no information about Adaptive Health Integrations or why it keeps people’s protected health information (PHI). Recipients of the letter also questioned its legitimacy because it used paper with a photocopied company logo, making it look dubious and unprofessional. After checking the website (screenshot below), some letter recipients thought it was a scam.

A couple of law firms, namely Murphy Law Firm in Oklahoma and Migliaccio & Rathod LLP in Washington, are conducting their own investigation on behalf of individuals affected by the breach. Both firms made their announcements days apart.

The post US healthcare billing services group hacked, affecting at least half a million individuals appeared first on Malwarebytes Labs.

A real world scam which sucks the fun out of craft fairs has caused nothing but stress for victims. It may sound bizarre, but it’s actually a fairly popular attack focused on small/self-run business owners selling their own creations.

Are you ready for a trip to the craft fair?

You’re a small business owner. You sell a variety of craft-style items, the type you see in vast quantities on sites like Etsy and Redbubble. Getting these products in front of real world audiences at an event is sure to boost sales.

You see messages posted to genuine crafting community groups, looking for sellers to grab a stall spot at an upcoming fair. You’re given a link to a booking form for more information, and asked for payment via PayPal or similar methods. Soon after paying, the organiser vanishes and you realise you’re £60 to £75 out of pocket for a three day event. More, if you took the time to arrange transport and head down to the non-existent fair.

This isn’t an isolated case; this specific scam targeted people all across the UK.

How does this fake vendor fair scam work?

The general flow follows a similar pattern, no matter the location.

1. The fake organisers create brand new Facebook accounts, and often reuse the same name across muliple profiles.
2. They use several online forms to collect information from the would-be fair exhibitors. We’ve provided an example of what one of the forms used looked like below. It asks for name, address, a description of sold items, business name, and phone number.

3. At this point, requests for payment are made. Depending on the payment method, it may range from “reasonably easy” to “complete nightmare” to recover the funds.

How do they select targets?

The fraudsters use the seller’s own public information against them, taking note of location or even types of product sold before claiming an event is taking place nearby.

The really interesting thing about all this is that fake fair scams aren’t some weird anomaly. It’s an actual mini-industry populated by particularly dedicated scammers.

A brief history of fake fair scamming

While this may be the first fake fair scam you’ve read about in the news, it’s by no means the first to take place. They’re quite popular in the US, but can pop up pretty much anywhere. Below is just a few examples of how this ruse operates.

Targeting the visitors

October 2021 to February 2022: Spokane County discovered a fake event claiming to be the Spokane County Interstate Fair. A fake Facebook account messaged people asking them to pay for tickets via a registration link. They weren’t trying elaborate tactics on sellers here; they just wanted visitor money as fast as they could get it before being shut down.

Elsewhere, a similar fraudulent operation involving counterfeit tickets for the Coastal Carolina Fair was reported by fair officials.

Targeting the vendors

November 2020: Vendors were warned about two separate bogus craft fairs being promoted in Wyoming. That alert provided several examples of the fake posts made to Facebook pages advertising the events. The promo messages asked for a fee of $70 to take part.

October 2021: The Hunterdon, New Jersey Sheriff’s office warns of an elaborate scam involving fake fairs and requests for vendors to book a booth. Once again, it originated on social media. The fraudsters pulled out all the stops, offering no fewer than three separate craft events across November and December. This attack moved from social media to email, sending potential victims a link to an external site requesting payment information.

November 2021: Napierville, Illinois was the latest location of $40 a day fakeouts targeting vendors. As usual, vendors were asked to complete forms and submit payment online. Time was once again taken up for law enforcement while they put out alerts warning people away from the non-existent event.

November 2021: Law enforcement warned of a scam originating outside the US, targeting vendors in the Hendersonville, North Carolina region. Though they didn’t say what kind of social media post set the scam rolling, it’s likely they followed the Facebook pattern seen so many times elsewhere.

Getting personal with a fraudster

February 2022: Green River, Wyoming was the latest focal point for a fake fair scam. Unfortunately for Wyoming, this marks its second appearance on the list! This one was particularly interesting, because law enforcement provided screenshots of actual conversations between scammer and vendors.

The messages read as follows:

We’re looking for vendors and crafters for our vendor and craft show March 18th – 20th. Table and two chairs are provided, along with a meal for the vendors!

Vendors needed are Do Terra, posh, Younique, Lularoe, Norwex, Colorstreet, Scentsy, Tupperware, Mary Kay, Thirty-one, Pampered chef etc

All crafters are invited. For more details please pm!

You fill out the application and send payment via PayPal, Zelle, Venmo, or Cash app

Note that the descriptions of the best products for the event seem to have had some thought put into them. I recognise the word “Tupperware” but everything else may as well be written in a lost alien language. They’re clearly using words and product types that vendors would recognise and think “This person knows their stuff, here’s my money”.

How vendors can protect themselves

There are several posts from events and vendors giving tips for avoiding these fake events, but one of the best ones was posted back in February to a Civic Center Facebook account. The advice:

1. Posts made on Facebook with no location tag are trying to fly under the radar. The moment they do this, a wider range of people and organisations may be made aware of the event and know for a fact that it isn’t real.
2. If the method for arranging payment is kept secret and hidden away in private messages, what is the reason for this? A public payment method would be expected.
3. If the only way you hear about the supposed event is by direct messages, this is another red flag. A large fair with stalls and vendors shouldn’t exactly be a secret.
4. Missing posters and event pages is another bad sign. Why isn’t a very public event as public as it’s possible to be?

One other piece of advice I’ve seen mentioned several times is that scammers often mess up their locations. They’re not aware of the local lay of the land, but you are. Once targets have been selected, nearby location names are googled and provided to vendors.

As the lead article explains, one fraudster mixed up Bangor in Northern Ireland for Bangor in Wales. As it’s quite possible the people running these operations are nowhere physically close to the victims, this is definitely one way to drill into claims of upcoming events.

Craft fairs: look before you leap

Attempting this type of scam during a pandemic, when people are naturally low on funds, is bad enough. Sending people who may potentially be vulnerable to COVID-19 outdoors in the hope of selling products when they may otherwise have remained indoors, is quite something else.

If you’re a vendor who attends fairs to sell products, this is one multi-layered piece of social engineering that won’t go away. Keep the tips above in mind, and if anything seems suspicious, contact local event organisers or law enforcement who’ll be able to give you the most accurate advice.

The post Craft fair vendors targeted by fake event scammers on Facebook appeared first on Malwarebytes Labs.

In an unexpected turn of events, research has surfaced about a Chinese APT (advanced persistent threat) group targeting the Russian military in recent cyberattacks.

Tracked as Bronze President, Mustang Panda, RedDelta, and TA416, the group has focused mainly on Southeast Asian targets—and more recently, European diplomats—and turned their attention towards Russia and started targeting the country’s military situated close to the Chinese border.

Dell SecureWorks retrieved a file named Blagoveshchensk – Blagoveshchensk Border Detachment, which bears the icon of a PDF file but is actually an executable file.

From the report:

“Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.”

Once the supposed document is “opened,” the executable downloads four files, including a clean document file used as a decoy (screenshot below), from a server Mustang Panda is known to use.

The document appears like a formal report from the European Commission, and it details the refugee and migrant status pressuring countries bordering Belarus.

The three additional files are required for Mustang Panda to use DLL search order hijacking to install a variant of PlugX, an old remote access tool (RAT), onto target systems. This allows threat actors to secretly load a malicious DLL, thus avoiding detection from security solutions software.

PlugX is capable of stealing sensitive information from target machines. Although this, as a whole, is a benign attack that involves intelligence gathering, it is interesting to note the shifting targets, presumably based on the political situation in Europe and what’s happening in Ukraine. Suffice to say, China continues to look out for itself and its interests, even if it involves countries it considers “strategic partners of coordination”.

The post State-backed hacking group from China is targeting the Russian military appeared first on Malwarebytes Labs.

Governments of the US, EU member states, and 32 other countries have announced the launch of the “Declaration for the Future of the Internet,” a “political commitment” among endorsers “to advance a positive vision for the internet and digital technologies.”

“We are united by a belief in the potential of digital technologies to promote connectivity, democracy, peace, the rule of law, sustainable development, and the enjoyment of human rights and fundamental freedoms,” the declaration began. “As we increasingly work, communicate, connect, engage, learn, and enjoy leisure time using digital technologies, our reliance on an open, free, global, interoperable, reliable, and secure Internet will continue to grow. Yet we are also aware of the risks inherent in that reliance and the challenges we face.”

The White House and the European Commission summarized the three-page proposition and invited other countries to sign. To date, the countries that endorse the declaration are Albania, Andorra, Argentina, Australia, Austria, Belgium, Bulgaria, Cabo Verde, Canada, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic, Denmark, Dominican Republic, Estonia, the European Commission, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Jamaica, Japan, Kenya, Kosovo, Latvia, Lithuania, Luxembourg, Maldives, Malta, Marshall Islands, Micronesia, Moldova, Montenegro, Netherlands, New Zealand, Niger, North Macedonia, Palau, Peru, Poland, Portugal, Romania, Senegal, Serbia, Slovakia, Slovenia, Spain, Sweden, Taiwan, Trinidad and Tobago, the United Kingdom, Ukraine, and Uruguay.

The declaration is a “political commitment” among endorsers to “advance a positive vision for the Internet and digital technologies.” It is a reaffirmation for endorsers that they’re committed to respecting and preserving human rights online across digital ecosystems and committing to “a single global internet” that fosters the following principles:

• Protect human rights and fundamental freedoms of all people; 
• Promote a global Internet that advances the free flow of information; 
• Advance inclusive and affordable connectivity so that all people can benefit from the digital economy; 
• Promote trust in the global digital ecosystem, including through protection of privacy; and 
• Protect and strengthen the multi-stakeholder approach to governance that keeps the Internet running for the benefit of all.

A single, global internet rejects the idea of restricted internet access—a “splinternet”—that regimes like Russia, China, and North Korea (all of whom did not sign the declaration) have implemented in their own countries. Splinternets are heavily regulated, and governments can pick and choose what they want their citizens to see and not see.

While every country is working towards the common goal of building a better internet and online experience for everyone, now and in the future, the Declaration allows member countries to be autonomous in creating their own laws and policies to uphold the above principles.

“We believe that the principles for the future of the Internet are universal in nature and as
such we invite those who share this vision to affirm these principles and join us in the implementation of this vision,” the declaration concludes.

The post Over 50 countries sign the “Declaration for the Future of the Internet” appeared first on Malwarebytes Labs.

May 2 marks the start of National Small Business Week, a week that recognizes “the critical contributions of America’s entrepreneurs and small business owners”, and promises to “celebrate the resiliency and tenacity of America’s entrepreneurs.”

That sounds good to us: Small business are a vital economic engine, accounting for more than 99% of all businesses in the USA, and employing about half the US workforce. And, like any engine, they need preventative maintenance and careful running to keep them ticking over smoothly—which increasingly means ensuring they have good cybersecurity discipline.

That sounds like something we can help with, so if you want your small business purring and safe from cyberthreats, watch out for these three warning signs.

1. Thinking you are not a target

Perhaps the most egregious cyber-error a small business can commit is believing it is too small to have to bother with cybersecurity, because it thinks it’s too small to be a target.

Life would be a lot easier if there were a minimum size limit on the businesses that cybercriminals care about, but sadly, there is not. Sure, there are some nation-state actors and big game ransomware gangs that might give you a swerve. But for every attacker trying to land a whale, there’s a countless multitude trying to catch minnows in drift nets.

The threat to small businesses is so serious that in 2021 it was discussed by the Senate Judiciary committee. Ranking member Senate Chuck Grassley described the problem in these terms:

“Earlier this year, FBI Director Chris Wray compared the challenges of fighting ransomware to those we faced after 9/11. Estimates on the amount of ransoms paid in 2020 run into the hundreds of millions of dollars. Ransomware has targeted schools, local governments, and, during this pandemic, even hospitals and healthcare providers…An estimated three out of every four victims of ransomware is a small business.”

Senator Chuck Grassley

Believing you can add security later means avoiding the basics now. And that leads to critical mistakes like using old, unsupported versions of Windows and macOS; not updating third-party apps; giving everyone admin access to everything; turning on RDP when you don’t need it (and failing to secure it when you do); leaving unused, unnecessary, and unsafe ports open at the firewall; saving passwords in plain text; not enforcing minimum password complexity standards; not using multi-factor authentication (MFA); and using unpatched, on-premises versions of Exchange.

It is never too soon to do these things—the longer you leave it, the more expensive and difficult they become. Be in no doubt: Cybercriminals will try to use your Exchange server to spread ransomware, they will try to brute force your RDP, they will try to inject skimmers into your website, they will try to exploit your browsers, they will try to fool you into downloading malware, they will try to phish your logins, and they will send you more malicious attachments than you’ve had hot dinners (and your employees will click them).

2. Waiting for bad things to happen

Our second red flag to watch out for is a lack of proactivity in your security.

Last year I interviewed a number of small business IT people. For all of them, security was important, but it was typically one of many responsibilities being handled by a small staff. Most of their time was spent firefighting one IT problem or another, and so, outside of a weekly check, their endpoint protection montioring went largely unattended unless it too was (figuratively) ablaze.

According to Taylor Triggs, one of our Malware Removal Specialists, that seven day gap between checks is big enough for an attacker to drive their coach and horses through.

Ransomware attacks typically start with some kind of network breach. This is often followed by activity that escalates an attacker’s privileges, lateral movement through a network, and finally encryption of the victim’s data. Each step generates behavior or artefacts that can tip off sharp-eyed threat hunters to the presence of an attacker, before the ransomware gets to work.

Right now, Triggs says, the most common problem he’s seeing in small and medium-sized businesses is a combination of unpatched Exchange servers and those unattended alerts:

“Many of the ransomware cases we have seen recently have started with Exchange servers still vulnerable to Hafnium. Customers with EDR had alerts showing that a Hafnium breach was the initial compromise before encryption occurred but they ignored the alerts.”

“Waiting for things to happen” is often a symptom of not hiring qualified IT staff, having too few IT staff, or not having the appropriate security skills and awareness among IT staff.

3. Assuming everything will be OK

Any breach that goes unnoticed or is left unattended can lead to ransomware, and the target of modern ransomware operators is not a computer, it is your entire organization. That makes ransomware an existential threat. You might not get hit by an earthquake every day, but that doesn’t excuse you from planning for one if you’re at risk, and ransomware is an earthquake that can hit any small business.

Failing to plan is planning to fail, as they say, and the symptoms of failing to plan are:

• Not having having an incident response plan
• Not making backups
• Not testing that your backups work
• Not keeping backups beyond the reach of attackers

If the worst happens, you will wish you had planned your response in advance. You will wish you knew how to identify and isolate an attack; you will wish you had decided what data and assets you care about most, which you want to restore first, what that will take, and who will do it; and you will probably wish you had rehersed it all. You can read more about how to prepare for a ransomware attack by downloading our Ransomware Emergency Kit.

If you simply assume it won’t happen to you, or that you’ll be OK if it does, you may be left with no option but to pay an extortionate ransom for a criminal’s decryption tool, and you really want to avoid that. The tools frequently fail, and your willingness to pay will lead to repeat attacks.

If you want to know how it feels to be attacked by ransomware without actually having to go through it yourself, listen to our podcast interview with Ski Kacoroski below. Ski is a sysadmin who was brave enough to speak openly about his race against a real-life ransomware attack and his candid interview is a warning against the complacency of assuming everything will work out.

The post Watch out for these 3 small business cybersecurity mistakes appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Why MITRE matters to SMBs
• Apple’s child safety features are coming to a Messages app near you
• Why software has so many vulnerabilities, with Tanya Janca: Lock and Code S03E09
• Watch out for this SMS phish promising a tax refund
• Rogue ads phishing for cryptocurrency: Are you secure?
• Hospitals taken offline after cyberattack
• Emotet fixes bug in code, resumes spam campaign
• “Reject All” cookie consent button is coming to European Google Search and YouTube
• What’s happening in the world of personal cyber insurance?
• “URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance
• Elon Musk-themed cryptocurrency scam uses fake Medium as the promotion site
• Facebook phishers threaten users with Page Recovery Help Support
• Onyx ransomware destroys files, and also the criminal circle of trust
• QNAP customers urged to disable AFP to protect against severe vulnerabilities
• Fake USA for UNHCR site wants your Ukraine donations in Bitcoin
• Call of Duty cheats can expect embarrassment with new anti-cheat feature
• Hackers fool major tech companies into handing over data of women and minors to abuse
• FBI warns food and agriculture to brace for seasonal ransomware attacks
• Why you should be taking security advice from your grandmother
• Ukraine government and pro-Ukrainian sites hit by DDoS attacks
• Google Play’s Data safety section empowers Android users to make informed app choices
• Warning! Instagram Stories hides a scam in plain sight
• Beware scammers disguised as fraud busters
• Beware Twitter Messages claiming “Your blue badge Twitter account has been reviewed as spam”
• The top 5 most routinely exploited vulnerabilities of 2021
• Russia continues digital onslaught against Ukrainian systems
• Update now! Critical patches for Chrome and Edge

Stay safe!

The post A week in security (April 25 – May 1) appeared first on Malwarebytes Labs.

According to Microsoft, at least six Kremlin-backed hacking groups have been attacking Ukraine in the digital space in an onslaught that began before the invasion in late February. The company counted more than 237 cyberattack operations against Ukrainian systems and critical infrastructure.

These attacks involve destructive malware that “threaten civilian welfare”, accompanied by intelligence gathering and reconnaissance.

APT28 (aka FancyBear), DEV-0586, Energetic Bear (aka Dragonfly), Gamaredon, Nobelium, Sandworm, and Turla are the nation-state actors carrying out the attacks.

“Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” Microsoft said. The company gave several examples to illustrate this correlation: “While Russian forces besieged the city of Mariupol, Ukrainians began receiving an email from a Russian actor masquerading as a Mariupol resident, falsely accusing Ukraine’s government of ‘abandoning’ Ukrainian citizens.”

Russia was seen using various techniques in its attack to gain initial access. This includes phishing campaigns, vulnerability exploitation, and compromising upstream IT services. The country is also not shy about using wiper malware—destructive malware CISA (the Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation) highlighted in an updated alert initially released in late February.

HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper were deployed to Ukrainian networks in January 2022.

Microsoft believes that Russian cyberattacks will continue to escalate. Nation-state threat actors may also expand their destructive attacks outside Ukraine to retaliate against countries helping Ukraine or continuing to inflict punitive measures against Russia.

“We’ve observed Russian-aligned actors active in Ukraine show interest in or conduct operations against organizations in the Baltics and Turkey—all NATO member states actively providing political, humanitarian or military support to Ukraine.”

You can read more about Russian cyberattack activities against Ukraine in Microsoft’s Special Report: Ukraine.

The post Russia continues digital onslaught against Ukrainian systems appeared first on Malwarebytes Labs.

Google has released an update for its Chrome browser that includes 30 security fixes. The latest version of the stable channel is now Chrome 101.0.4951.41 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

Microsoft advises Edge users—which is essentially a Microsoft-badged version of Chrome—to update as well, since it shares many of these vulnerabilities.

Seven of the vulnerabilities are rated as “high.” Five of those vulnerabilities are “Use after free” flaws, which, thanks to a memory relocation issue, can allow hackers to pass arbitrary code to a program. Which is another way of saying that attackers can do unauthorized things on your computer just by getting you to go to a malicious web page coded to exploit these problems.

Use after free

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The use after free vulnerabilities that are listed with a high severity are:

• CVE-2022-1477, a use-after-free vulnerability in the Vulkan graphics API.
• CVE-2022-1478, a use-after-free vulnerability in the SwiftShader 3D renderer.
• CVE-2022-1479, a use-after-free vulnerability in ANGLE a “graphics engine abstraction layer.”
• CVE-2022-1480, is a use-after-free vulnerability in Device API. A remote attacker can reportedly create a specially crafted web page, trick the victim into visiting it, trigger the use-after-free error and execute arbitrary code on the target system.
• CVE-2022-1481, is a use-after-free vulnerability in Sharing. This vulnerability can be reportedly be exploited by a remote non-authenticated attacker via the Internet, by luring the victim to a specially crafted web page.

Other high severity vulnerabilities

There are two other vulnerabilities listed as high severity issues:

• CVE-2022-1482, is described as an “Inappropriate implementation in WebGL” in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise their system.
• CVE-2022-1483, is a heap buffer overflow in WebGPU, a web API that exposes modern computer graphics capabilities for the Web. Heap is the name for a region of a process’ memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, the two common areas that are targeted for overflows are the stack and the heap.

How to update

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

After the updates Chrome should be at version 101.0.4951.41 and Edge should be at version 101.0.1210.32.

Stay safe, everyone!

The post Update now! Critical patches for Chrome and Edge appeared first on Malwarebytes Labs.