IT NEWS

Tech support fraud is still very much alive, says latest FBI report

The FBI’s Internet Crime Complaint Center (IC3) has released its annual report. In 2021, IC3 continued to receive a record number of complaints from the American public: 847,376 reported complaints, a 7% increase from 2020, with potential losses exceeding $6.9 billion. Ransomware, business email compromise (BEC) schemes, and the criminal use of cryptocurrency were among the top incidents reported.

The IC3 also received 23,903 complaints related to tech support fraud from victims in 70 countries. The losses amounted to more than $347 million, which represents a 137 percent increase in losses from 2020.

Tech support fraud

Tech support fraud is a type of scam that is often neglected in the press, but as a security software vendor we are regularly reminded that this branch of scamming is still active. The only surprise in the report is that the sector is still showing strong growth.

Tech support fraud is where a criminal poses as customer, security, or technical support in order to defraud unwitting individuals. Criminals involved in tech support fraud will claim to be support or service employees from trusted institutions like banks and software vendors. Often, they sell victims services they don’t need or at absurd prices, and many victims report being directed to make wire transfers to overseas accounts or purchase large amounts of prepaid cards.

Malwarebytes examples

We get a lot of questions and complaints about tech support scammers impersonating us or using our brand to defraud victims. We set up a dedicated page for tech support scams years ago. Sometimes the scam mails are easy to recognize, and the offers these scammers make are often heavily overpriced. In the example shown below, the scammer couldn’t decide whether to use MW Bytes or MA Bytes, but they added our logo at the bottom to make a good impression.

fake Malwarebytes email

This is an email template we see quite often, although the phone number may differ from one mail to the next.

different phone number

To help you avoid Malwarebytes impersonators, there are a few important red flags you can look out for:

  • Overpricing. You can find our actual pricing here: https://www.malwarebytes.com/pricing
  • Malwarebytes does not use a third party company for technical support on our products. Support is in-house at Malwarebytes.
  • Our employees have company email addresses, so we will not use Gmail, Comcast, or other third party email addresses in our customer facing communications.

Senders that claim to be responsible for Malwarebytes Tech Support which we see repeatedly are TechGeek, Geek Squad Team, Czone Solutions Inc, Tech philosopher, Web-Gear solutions, and Malwarebytes Support R Us. While some of these may be the names of actual legitimate companies, none of them have any business acting on Malwarebytes’ behalf.

How to avoid tech support scams

In general, keep an eye out for overpricing. And do your own research to check the company in question’s charges.

When in doubt, do not use links or phone numbers sent by email. Research a direct method of contacting the organization by yourself and use that line of contact to enquire whether they are the origin of the mail.

For matters regarding Malwarebytes, please reach out to our Support team.

Stay safe, everyone!

The post Tech support fraud is still very much alive, says latest FBI report appeared first on Malwarebytes Labs.

Update now! Google releases emergency patch for Chrome zero-day used in the wild

Google has urged its 3 billion+ users to update to Chrome version 99.0.4844.84 for Mac, Windows, and Linux to mitigate a zero-day that is currently being exploited in the wild. This is in response to a bug reported by an anonymous security researcher last week.

The flaw, which is tracked as CVE-2022-1096, is a “Type Confusion in V8” and is rated as high severity, which means everyone using Chrome should update as quickly as possible, given the damage attackers could cause by exploiting it.

Not much is known about the vulnerability itself or how great the impact would be if exploited, but the unusual release of this patch, which notably addresses just one vulnerability, means that this update shouldn’t be ignored.

Google is always cautious about releasing more details until the majority of users have received the fix. Google says it may take weeks before the update reaches its entire user base.

How to update

The easiest way to update is to allow Chrome to do it automatically, which uses the same method outlined below but does not require your attention. You can end up lagging behind, however, if you never close the browser or if something goes wrong, such as an extension preventing the browser from updating.

So, it doesn’t hurt to check now and then. And now would be a good time.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is relaunch the browser.

Microsoft Edge

Microsoft has confirmed that Edge, a Chromium-based browser, is also affected by this vulnerability. Edge users should urgently update their browsers to version 99.0.1150.55, which is not vulnerable to the flaw.


Telling stories securely, with Runa Sandvik: Lock and Code S03E07

In 2017, a former NSA contractor named Reality Winner was arrested for allegedly leaking an internal report to the online news outlet The Intercept. To verify the report itself, a journalist for The Intercept sent an image of the report to the NSA, but upon further inspection, it was revealed that the image was actually a scan of a physical document. 

This difference—between an entirely digital document and a physical piece of paper—spurred several suspicions that the news outlet had played an unintended role in identifying Winner to her employer. Some security onlookers proposed that, because The Intercept had sent a scan, the NSA did not have to search far to find who leaked it: Rather than combing through every employee or contractor who had access privileges to the report itself, the NSA only had to find people who had printed it.

Winner eventually received the longest sentence ever for sharing classified information—five years and three months in Federal prison. The former co-editor of The Intercept said that the way that the story was handled, including the push to have the documents verified by the NSA, was a “deeply embarrassing newsroom failure.” 

This is what journalism can look like in the modern age. There are countless digital traces left behind that can puncture the safety and security of both journalists and their sources. Adding complexity and stress to the situation is that many journalists have an online persona through which they share many details about their private lives—a habit that could provide leverage for future harassment, said security researcher Runa Sandvik.

“If your default is to share absolutely everything and anything that you’re doing on social media, at some point in time, some people that are upset with something you wrote may actually find that and use that to harass you and harass your friends, harass your loved ones.”

Runa Sandvik

Today, on the Lock and Code podcast with host David Ruiz, we speak with Sandvik about how she helps reporters tell important stories securely and privately amongst many digital threats. 


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


Anti-war open-source software developer targets Russians and Belarussians with “protestware”

Russia is in the midst of its fourth week of attack against Ukraine. People worldwide have been increasingly and passionately showing support for Ukrainians since day one while condemning the atrocities of Russian President Vladimir Putin, the Russian military, and Belarus, its allied country.

While there is truly increased risk against lives and property in the frontline, we have also seen certain risks online affecting individuals and businesses alike. There were scams; disinformation campaigns; and several wiper malware variants including HermeticWiper, IsaacWiper, and CaddyWiper. But one emerging trend we’re beginning to see play a part in the online impacts of the Russia-Ukraine war is the appearance of “protestware”.

When protestware doesn’t just protest

Protestware is a portmanteau of the words “protest” and “software.” It is software used in protest against something or someone—and we know what those are in the context of the current Ukraine crisis. Protestware is a very new term, but it has already come of age in a span of days.

Many open-source developers have started expressing their support (“We Stand With Ukraine”) on their official websites, either as content or banner. Some have also begun modifying their applications to include similar messages of support in the program’s UI or README text files.

One package, for example, called es5-ext, a small library (or a “shim”) that can be used in ECMAScript 5 or ECMAScript 6 environments, has been given a new dependency named postinstall.js, which displays a “call for peace” message when the shim is run on systems using a Russian IP address.

[Image: postinstall.js message, English translation] The message to Russian users broadcast by postinstall.js. The text is originally in Russian, so the above is the English translation of the message. (Source: GitHub)

A portion of the message reads in English as follows:

Currently aware of 5000-11000 casualties among the Russian military and about 1500-3000 - among Ukrainians, and also about 350 civilians killed, including 38 children.

The people of Ukraine are fully mobilized and ready to defend their country from the enemy invasion. 91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.

The whole world condemned the unreasonable invasion and decided to enter unprecedented sanctions against Russia. With each new day, they will be felt more and more among the civilian citizens. It is predicted that within 2-3 years (with the current sanctions) Russia's GDP may reach the level of a small European country.

Fellow developers criticized medikoo, the brains behind es5-ext and postinstall.js, saying “the NPM package is not a place for politics.” One even went as far as calling this benign change to the shim “malware.” But medikoo stood his ground, saying he’ll only remove the dependency “once the aggression stops, and Ukrainians can live in peace in their own country.”

Not all changes to one’s work are benign, though. Several open-source developers have started gravely sabotaging their projects by adding code that, at its worst, wreaks havoc on systems that download and run them.

One popular application, node-ipc, was updated in early March to include code that, according to Liran Tal, a security researcher from cybersecurity company Snyk, “raised concerns for suspicious activity and potential abuse of the source code and the package’s behavior.” When executed on systems geolocated in Russia or Belarus, versions 10.1.1 and 10.1.2 completely wipe files from machines and replace them with the heart emoji.

[Image: Snyk node-ipc debug output] Simulated debug results from a test sandbox run by Snyk against node-ipc (Source: Snyk)

node-ipc developer Brandon Nozaki Miller (also known as RIAEvangelist, Sparky, and Electric Cowboy) also created a new library called PeaceNotWar. It carries the same wiping capabilities as the node-ipc package. Miller added this library as a dependency of node-ipc version 11.0.0. So every time node-ipc is called by other dependencies that import it, PeaceNotWar executes as well. One of the library’s payloads is to drop a file named WITH-LOVE-FROM-AMERICA.txt into an affected user’s desktop and their OneDrive.

Miller did the same for node-ipc version 9.2.2, the latest stable version of the package that many projects rely on. But he also added the highly popular module, colors, as a dependency on this package. Doing so would pull in nasty code deliberately created to introduce an infinite loop to the source code, triggering a denial of service (DoS) to any Node.js server using it.

Suffice to say, servers using version 9.2.2 would be rendered useless.

Portions of PeaceNotWar‘s README page on Github says this:

This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users' desktops, and it will only do it if it does not already exist just to be polite.

...

I pledge that this module, to the best of my knowledge and skills, does not do any damage to anyone's data. If you do not like what this module does, please just lock your dependencies to any of my work or others' which includes this module, to a version you have code reviewed and deemed acceptable for your needs. Also, please code-review your other modules for vulnerabilities.

We have not confirmed that this module is already free of malicious code.

For those who are anti-war and pro-Ukraine, this form of protest may seem appropriate. But Snyk’s Tal raised questions that revealed a lack of foresight on the part of Miller in sabotaging his work and deploying his protestware.

“How does that reflect on the maintainer’s future reputation and stake in the developer community? Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?” Tal said in a post.

The US National Institute of Standards and Technology (NIST) recognizes the malicious package versions of node-ipc as a vulnerability, which is tracked as CVE-2022-23812.

When protestware ripples out

Because of the new threat posed by protestware against Russia, Sberbank, Russia’s biggest state-owned bank, advised Russians to not update any software due to “increased cyberattacks.”

“We urge users to stop updating software now, and developers to tighten control over the use of external source code,” a press release from the bank states, “If there is an urgent need to use software, be sure to check all downloaded files with an antivirus, and when using someone else’s code in your programs, conduct a manual or automatic check, including, view the text of the source code.”

“In addition, various content and malicious code can be embedded in freely distributed libraries used for software development. The use of such software can lead to malware infection of personal and corporate computers, as well as IT infrastructure.”

The National Coordination Center for Computer Incidents (NCCCI), a Russian cybersecurity agency, also issued a list of recommended guidelines (text in Russian) for IT risk for Russian companies and organizations in light of sabotaged open-source software.

In an unfortunate and ironic turn of events, a Washington-based American NGO that monitors human rights in post-Soviet states is one of those affected by Miller’s protestware. A Github post, which has already been taken down but preserved for posterity here, details the harm that the protestware has caused the organization—and they are likely to seek litigation against the developer as a result:

Since our start in 2014, we have been in contact with 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.

Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus. Normally, we backup the received content to an external server on the 20th day of every month, as this is reasonable given the volume we usually get, but since the start of the invasion on February 24th, traffic to our web service has increased over fiftyfold. Our staff has been working round the clock to accommodate the influx and during one of their tasks, a package containing the node-ipc module was updated on a production server, which resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by the Russian army and government officials. Due to the way the files were stored on the server, we are not able to recover any data and it's most likely gone forever. For some of the senders, this might as well have been their last contact with the outside world, as many of them were front-line soldiers that could've been killed in action during the offensive.

Personally, me and my colleagues are absolutely devastated. All I can say is that your little shenanigan did more damage to us than Putin or Lukashenka ever could.

Snyk has recommended that developers refrain from using affected packages of these modified FOSS (free and open source) projects altogether. If that is not possible, however, they should use an npm package manager to override poisoned versions and use a clean version instead.
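As an added illustration of the override approach Snyk recommends (example code written for this page, not Snyk's, Malwarebytes' or node-ipc's own), the script below scans a parsed package-lock.json for the node-ipc releases the article names as sabotaged, including copies nested under other packages, and emits the package.json `overrides` block that pins them to a version you have reviewed. It assumes PeaceNotWar is published under the npm name "peacenotwar", and the lockfile it runs on is a constructed sample.

```javascript
// Added example, not code from Malwarebytes, Snyk or node-ipc: scan a parsed
// package-lock.json for the node-ipc releases the article names as sabotaged
// and build the npm "overrides" block that pins them to a reviewed version.

// Releases named in the article: 10.1.1 and 10.1.2 wipe files on hosts
// geolocated in Russia/Belarus; 11.0.0 and 9.2.2 pull in PeaceNotWar.
// Assumption: PeaceNotWar is published under the npm name "peacenotwar".
const SABOTAGED = {
  "node-ipc": new Set(["10.1.1", "10.1.2", "11.0.0", "9.2.2"]),
  "peacenotwar": null, // null = flag every version; the package is the payload
};

// Package name from a lockfile path such as "node_modules/a/node_modules/b".
function nameFromPath(p) {
  const marker = "node_modules/";
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return every
// flagged occurrence as { path, name, version }, nested copies included.
function findSabotaged(lock) {
  const hits = [];
  const check = (path, name, version) => {
    const flagged = SABOTAGED[name];
    if (flagged === undefined) return;
    if (flagged === null || flagged.has(version)) hits.push({ path, name, version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the project itself
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p !== "") check(p, nameFromPath(p), meta.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const p = `${prefix}node_modules/${name}`;
        check(p, name, meta.version);
        walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// The package.json "overrides" block npm reads to force a dependency, wherever
// it sits in the tree, onto one version. `pinTo` is the version you have code
// reviewed; this example does not claim which node-ipc release is clean.
function buildOverrides(hits, pinTo) {
  const overrides = {};
  for (const h of hits) {
    if (h.name === "node-ipc") overrides["node-ipc"] = pinTo;
  }
  return overrides;
}

// Constructed sample lockfile (lockfileVersion 3 shape), not a real project.
const SAMPLE_LOCK_JSON = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.2" },
    "node_modules/peacenotwar": { version: "1.0.0" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/node-ipc": { version: "10.1.1" },
  },
});

// Print each finding and return it together with the overrides to add.
function report(lockJson, pinTo) {
  const hits = findSabotaged(JSON.parse(lockJson));
  for (const h of hits) console.log(`FLAG ${h.name}@${h.version} at ${h.path}`);
  return { hits, overrides: buildOverrides(hits, pinTo) };
}

report(SAMPLE_LOCK_JSON, "<reviewed-version>");
```

Pinning with `overrides` only takes effect after the lockfile is regenerated, so re-run the scan afterwards to confirm the flagged versions are gone.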

When protestware becomes a point of no return

Protestware is one of the ways internet users have actively used tech to make a statement of support for Ukrainians, combat Russian government misinformation, and deliver news to Russian civilians who are victims of their own state’s propaganda and severe censorship.

Apart from the developers of these poisoned packages, no developer has been happy with what protestware had to offer. For one thing, a great majority of developers see the FOSS ecosystem as politically agnostic. Although the intent is understandable, many agree that there are better avenues for developers, especially those who maintain popular packages with millions of downloads, to exercise their support for a people or cause.

Protestware, whether seen as benign or malicious, is a blow to developer trust. It has also, yet again, raised concerns about the safety and integrity of the software supply chain. All it takes is one developer deciding to turn things around to ruin everyone’s day. This is something anyone who depends on open-source software will now be thinking about more often, like a gray cloud hanging over their heads, uncertain of when sabotage might happen next.

“The Pandora’s box is now opened, and from this point on, people who use open source will experience xenophobia more than ever before, EVERYONE included,” writes GitHub user NM17. “The trust factor of open source, which was based on goodwill of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought was ‘the right thing to do.’ Not a single good came out of this ‘protest.’”


Update now! Many HP printers affected by three critical security vulnerabilities

In two security advisories, HP has alerted users to the existence of security vulnerabilities in several of its printer models.

In total, four vulnerabilities were patched, but three of those vulnerabilities are rated critical, and all of them can lead to remote code execution (RCE) when exploited.

Link-Local Multicast Name Resolution

CVE-2022-3942 is a vulnerability rated with a CVSS score of 8.4 out of 10. As HP puts it: “Certain HP Print products and Digital Sending products may be vulnerable to potential remote code execution and buffer overflow with use of Link-Local Multicast Name Resolution.”

The Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. Its main function is to resolve host names to facilitate communication between hosts on local networks.

HP Print devices

The second security advisory states that certain HP Print devices may be vulnerable to potential information disclosure, denial of service, or remote code execution. This is a set of three vulnerabilities, of which two have been rated as critical and one rated “high”.

Which models are affected?

The list of printer models affected by the first vulnerability is almost endless. Users of every model of HP Color LaserJet, HP LaserJet, HP PageWide, HP Scanjet Enterprise, HP DeskJet, HP OfficeJet, HP DesignJet, and the HP Digital Sender Flow 8500 fn2 Document Capture Workstation are encouraged to check for updated firmware.

The models affected by the second set of vulnerabilities are:

  • HP Color LaserJet Pro M453 – M454, MFP M2XX, MFP M478, M479
  • HP LaserJet Pro M304, M305, M404, M405, MFP M428, M429, MFP M428, M429 F
  • HP PageWide 352dw Printer, 377dw Multifunction Printer,
  • HP PageWide Managed P55250dw Printer series, P57750dw Multifunction Printer
  • HP PageWide Pro 452dn Printer series, 452dw Printer series, 477dn Multifunction Printer series, 477dw Multifunction Printer series, 552dw Printer series, 577 Multifunction Printer series
  • HP OfficeJet Pro 8210 Printer series, 8216 Printer series, 8730 All-in-One Printer, 8740 All-in-One Printer series

How to update your printer

Patches are available for these vulnerabilities, so users can visit HP’s official software and driver download portal, navigate to their device model, and install the latest available firmware version.

An exception exists for the HP Color LaserJet Pro MFP M2xx models, where remediation is pending. Users of this type of all-in-one printer will have to check later whether a patch has been made available.

Stay safe, everyone!


Elden Ring exploit traps players in infinite death loop

Back in January, we wrote about how the Dark Souls games had their online components switched off for PC gamers. This is because someone figured out how to execute code remotely on the target’s PC. Given that the multiplayer angle of Souls games is rather important, this was quite a body blow for anyone playing. I fired up the first Dark Souls game a few days ago to see if the online services have been reinstated. They have not.

“Logging into the Dark Souls Remastered server” appears in the top right hand corner. A few moments later, I’m greeted with the following message:

Cannot log in to the Dark Souls Remastered game server because it has been stopped or is undergoing maintenance.

I haven’t tested the other two titles but it’s the same situation there too:

Note that this issue doesn’t affect console gamers; it’s PC specific.

The latest round of problems for Souls titles affects the latest game from the developer, FromSoftware. Interestingly, it may have its origins in one of the games which currently has its multiplayer component switched off.

Heavy souls and broken rings

The new game in the Souls line-up (in a roundabout fashion) is called Elden Ring. In the run up to launch, some wondered if it, too, would suffer from the same remote code execution attack forcing the brand new title to launch with its online capabilities disabled.

This did not happen, and a jolly multiplayer time was had by all. Well, for a little while at least. The exploits have arrived, despite the game itself making use of the anti-cheat service Easy Anti-Cheat.

What happened?

A little over a week ago, players of Elden Ring complained that their sessions were being invaded by “hackers”. Invading people’s games is a normal feature of the title, but being put into an endless death loop, not so much.

After the first time your character dies, you’re supposed to respawn at locations resembling a bonfire. Instead, in the death loop scenario the victim simply continues to die over and over again.

No detailed information has been released by the developer FromSoftware as to what is happening. One of the theories from players is that the invaders were able to edit their save files somehow while in game, or at least adjust some parameters related to the victim’s save points. In other words: you no longer spawn at the nearest bonfire. You respawn somewhere over the nearby ocean and die instantly on account of not being able to swim.

Avoiding the exploit

The solution, as with so many attacks of this nature, is to remove functionality from the title. Switching off online play is the only way to ensure you’re not caught by this. Anyone trapped in a death loop has to attempt an ALT + F4/rapid-fire sequence of button presses in menus to try to manually respawn at a bonfire. This, as it turns out, isn’t easy to do. At one point there were Twitch videos of people punching in the combination with the right timing.

Ouch.

Where did this come from?

One of the older Souls titles, Dark Souls 3 from 2016, suffered from the exact same problem. The hack there was described as being able to alter player save data and “lock them out of their save files”. The article above and most of the detailed warnings about this are from a year ago. However, there are multiple complaints about this going back to 2020.

One portion of the Elden Ring fix—using ALT + F4 to kill the game at the right moment—was even used for the fix in Dark Souls 3.

Has this been patched?

Good news! A patch was released yesterday for various game related issues. One note in particular is relevant here:

“Fixed a bug in multiplayer that allowed players to teleport others to incorrect map coordinates.”

No word as to the specifics of how they were doing it are given. Even so, this is hopefully the last we’ll see of game invading/save locking/character murdering exploits along these lines. Save points in Souls titles are supposed to be the one safe breathing space in the entire game. To have them corrupted or tampered with and cursed with instant death is probably a bridge too far for even the most hardcore of Souls players.

This hack comes hot on the heels of one which caused innocent players to receive bans. Let’s hope fewer exploits manage to spawn in the next Souls title.


Okta admits 366 customers may have been impacted by LAPSUS$ breach

Through its usual means of communication, its Telegram channel, the LAPSUS$ group has posted screenshots of what appears to be superuser access to the Okta management console. As such, the group claims to have acquired “superuser/admin” access to Okta.com and gained access to Okta’s customer data, saying on Telegram:

BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA – our focus was ONLY on okta customers.

Yesterday morning, an Okta spokesperson said the company was investigating the matter, and admitted an attempted breach in late January 2022 in which customers were exposed for five days. The date visible in the LAPSUS$ screenshots is 21 January, 2022. Okta provided a more detailed update later in the day, which we have summarised below.

Importantly, neither Okta nor LAPSUS$ is claiming that Okta’s software has been compromised. Both are saying that the criminal hacking group acquired access to a user account with access to some customer data.

[Image: Okta breach screenshot] A screenshot of the alleged Okta breach shared on the LAPSUS$ Telegram channel

Okta

Okta is an access management company based in San Francisco. According to its own website, Okta serves over 15,000 organizations. Essentially, Okta software allows employees to log in using single sign-on—a central platform where employees can log in once in order to access resources that have been assigned to them by an organization’s IT staff. This kind of identity-first approach to security is seen by some as an important underpinning of a Zero Trust security model.

LAPSUS$

LAPSUS$ is a relative newcomer to the cybercrime scene that first appeared in the summer of 2021. It has made a name for itself by leaking sensitive information from some big targets. The group is believed to hail from South America, based on its earliest targets and the near-native use of Spanish and Portuguese.

In recent events, LAPSUS$ claims to have hacked:

  • Samsung (source code has been leaked)
  • Nvidia (at least limited access has been proven)
  • Mercado Libre (confirmed)
  • Microsoft (under investigation)
  • Okta (under investigation)

Okta’s statement

In an article on Okta’s website, CSO David Bradbury provided a timeline of the incidents which took place in January. According to Bradbury, a forensic examination identified a five-day window between January 16 and January 21 when a threat actor “had access to the Sitel environment”. Sitel is what Okta calls a “sub-processor”—a company that provides contract workers for Okta’s Customer Support Organization.

According to that post, the intruder “obtained remote access using RDP” to a Sitel-owned machine that was logged into Okta. The company says the access permissions of the user were limited, and that the tools support engineers have access to include Jira, Slack, Splunk, RingCentral, Salesforce, and an internally-built application called SuperUser.

The group has not explained how it got access to an RDP session. Brute-force attacks against RDP are common, as is phishing, but LAPSUS$ is also known to bribe insiders for access. For example, on 10 March, it said it was looking to recruit tech company “employees/insiders” who were prepared to provide remote access, such as VPN or Citrix access.

[Image: LAPSUS$ recruitment post] LAPSUS$ attempts to recruit insiders

To understand the scope of the breach, Bradbury says Okta examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question. His conclusion was that the maximum potential impact of the breach is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel. Affected customers are promised “…a report that shows the actions performed on their Okta tenant by Sitel during that period of time”, so they can perform their own analysis.

In what is fast becoming a bizarre back-and-forth, LAPSUS$ took to Telegram to respond to Okta’s assertions. Although the group doesn’t dispute that support engineers are limited to the applications Bradbury listed, it does take issue with whether that access is as benign as he suggests, commenting that it’s “…rather a bad security practice to store AWS keys in Slack channels”, and “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems”.

Advice for Okta customers

What Okta customers can do to keep any damage contained is hard to say while we are still waiting for details. But here are a few pointers:

  • Keep an extra pair of eyes on your access logs.
  • Same for threat hunting and other logs.
  • Change the privileged Okta passwords.
  • Wait for more information.
  • Inform your customers that you are on the case.


White House urges US businesses: Protect against potential Russian cyberattacks

On Monday, the White House told US business leaders to toughen up their cybersecurity defenses against a potential cyberattack from Russia.

“The Biden-Harris Administration has warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States in response to the unprecedented economic sanctions we have imposed. There is now evolving intelligence that Russia may be exploring options for potential cyberattacks.”

Since Russian forces began their attack on Ukraine on February 24, the US government and the cybersecurity community have raised the possibility of a cyber arms conflict. On the day Russian troops set foot in Ukraine, the Administration released a statement saying the US is prepared to respond to Russian cyberattacks if it comes to that.

“If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond. For months, we’ve been working closely with the private sector to harden their cyberdefenses [and to] sharpen our ability to respond [to] the Russian cyberattacks as well.”

In a business advisory, the FBI warned that US critical infrastructure, particularly entities in the financial, water, and energy sectors, is likely to be targeted. The FBI has already observed abnormal “network scanning activity” from multiple Russia-based IP addresses, an early reconnaissance stage used to find vulnerabilities for potential future intrusions.

The FBI also revealed that at least five energy companies and at least 18 other US companies in sectors including information technology, financial services, and the defense industrial base have been subjected to this scanning.

With all this in mind, what should organizations be doing? Inspired by the Shields Up initiative, a campaign set up by the US Cybersecurity & Infrastructure Security Agency (CISA), here’s a list of things that business leaders can do to prepare.

  • Update your systems. Your IT teams should prioritize patching vulnerable software that is currently being exploited.
  • Change passwords across your networks. This ensures that any previously stolen or leaked credentials will no longer work when used to access resources within your business network.
  • Install good security software and make sure you keep it up to date.
  • Create multiple backups of your data. Backups are the key to bouncing back from a ransomware attack as quickly as possible, especially when done right—something one school district found out the hard way—and you want to avoid paying cybercriminals. And while we’re on the subject of backups, test your backup and restore procedures, too.
  • Require the use of multi-factor authentication (MFA) wherever you can.
  • Educate your employees. Ensure that they know the common threat tactics, such as social engineering ploys, that may be used against them. Lower the bar for reporting incidents: if an employee notices that their computer or phone is showing unusual behavior, such as crashing or suddenly running slowly, they should report it.
  • Keep an open line to your local FBI field office or CISA regional office. CISA has opened 24/7 reporting avenues via report@cisa.gov and (888) 282-0870 and encourages businesses to report cyber incidents they encounter.

You can also read about four key cybersecurity practices businesses can adopt when there’s a threat of “cyberwar”.

The Administration has made clear that the US government will do what it can to protect US businesses and critical infrastructure. But it also said it cannot do so without the help of the private sector, which owns and operates most of the infrastructure the country relies on.

In the statement he made on Monday, Biden concluded:

“You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time—your vigilance and urgency today can prevent or mitigate attacks tomorrow.”

The post White House urges US businesses: Protect against potential Russian cyberattacks appeared first on Malwarebytes Labs.

Facebook users wary of security mail find themselves locked out of accounts

It’s not unusual for sites and services to offer additional forms of protection on top of regular security features. Some of the bigger ones even go the extra mile, protecting from attacks up to a potential nation state level.

The best-known recent example is probably Google. Its Advanced Protection Program (APP) was used to warn people that Fancy Bear was on the prowl. Features developed for programs like APP often feed back into the protections offered to regular users, too. This is all very good.

What isn’t quite as good is when declining the offer of additional security features results in a total lockout from your account. This is the complaint many Facebook users have raised over the last few days.

What happened?

Facebook has a service similar to Google’s APP which it is rolling out to users. That service is called Facebook Protect, and it’s being expanded to more and more countries. As per Facebook’s own description of what it does:

We’re expanding Facebook Protect, our security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials.

No action is required unless you’re prompted to enroll.

We’re also making it easier for these groups of people to set up two-factor authentication.

Sounds like a good plan! However, the rollout of Facebook Protect hasn’t gone well for everybody. At the beginning of March, people started to receive emails out of the blue, complete with a clickable button to set everything up. The emails also pointed out that if recipients didn’t enable the feature, they’d be locked out of their account.

When is/isn’t the promise of a lockout real?

This immediately threw recipients into confusion, as they tried to figure out whether they were being phished.

The fact that Facebook reported everything was “fine” if users navigated to the site directly didn’t ease the confusion. The head of security policy at Meta confirmed the emails were real, but once the deadline had passed, people started to flag problems getting back into the site.

The lockout begins

As it turns out, many people are now indeed experiencing some form of lockout. Worse, they’re having major issues trying to resume business as usual. Most of the complaints I’ve seen are focused on the fact that they thought the email with the clickable button was some sort of scam attempt.

This on its own is fairly problematic for those affected. It’ll no doubt be fixed, but if you’re one of the people who ignored the mail, unfortunately there’s no ETA for a fix. What I find particularly interesting in this story is the knock-on effect on additional Facebook/Meta services.

A virtual headache

At launch, users of the Oculus Quest 2 headset found they needed to have a Facebook account in order to play. If the account was banned, bad luck – no more Oculus Questing for you. While it’s been mentioned a few times that Facebook-free headsets will be with us at some point, this doesn’t help people caught by the Protect problem. This is because not only will you lose the ability to use your headset if banned, you’ll also suffer the same fate if the account is disabled for some reason.

Locked out because you didn’t click through on an email from the start of March? It’s not just your social platform that is affected, it’s your headset, too. As one device owner put it, they’ve had their headset “bricked” to protect them from hackers. They, too, are finding that the various options for re-enabling the account are not currently working.

As we mentioned above, this will no doubt be fixed down the line. However, a lot of people really need access to their accounts and devices as soon as possible. For now, it’s a case of the waiting game – all because of an unexpected email and a suspicious looking button.

The post Facebook users wary of security mail find themselves locked out of accounts appeared first on Malwarebytes Labs.

A new rootkit comes to an ATM near you

It’s not unusual to hear about malware created to affect automated teller machines (ATMs). Malware can be planted at the ATM’s PC or its network, or attackers could launch a Man-in-the-Middle (MiTM) attack.

Recently, a new rootkit, which the Mandiant Advanced Practices team has named CAKETAP, was found targeting Oracle Solaris systems running on ATM switch servers. The rootkit is a Unix kernel module that performs several malicious tasks to help the group behind it, which Mandiant tracks as UNC2891 (aka LightBasin), conduct fraudulent ATM transactions.

CAKETAP has an impressive list of stealth capabilities for hiding its presence and activities. It hides network connections, processes, and files. On loading, it removes itself from the list of loaded kernel modules and updates the last_module_id value to point at the previously loaded module, so a module listing shows no trace of it.

The rootkit enables fraudulent transactions by intercepting specific messages, the card and PIN verification messages, that the ATM switch sends to its Payment Hardware Security Module (HSM). Banks use this tamper-resistant hardware component to generate, manage, and validate the cryptographic keys behind PINs, magnetic stripes, and EMV chips. When the threat actors use a fraudulent card on an affected switch, CAKETAP alters the card verification messages so that card verification is disabled, which in turn yields a valid response from the HSM.

Legitimate cardholders are not disturbed: when a regular customer uses a valid card on an affected switch, CAKETAP forwards the transaction to the HSM unchanged, so routine transactions continue uninterrupted, but it also keeps a copy of the verification message that the HSM accepted. When a fraudulent card is used later, CAKETAP replays that stored message to the HSM instead of the real one, so the HSM returns a valid response and the fraudulent transaction goes through.
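To make the replay concrete, here is an added model in Python. It is not CAKETAP’s code, Mandiant’s, or a real ATM switch/HSM protocol: the message fields, the toy PIN check, the card-number prefix and the keys are all invented for illustration. It shows a hook between switch and HSM that remembers a verification message the HSM accepted and substitutes it for requests about attacker-controlled cards, and beside it a mitigation in which the HSM binds each answer to the request’s nonce and PAN with a MAC, so a substituted request no longer yields an answer the switch will accept.

```python
import hashlib
import hmac
import secrets


def _mac(key, *parts):
    """HMAC-SHA256 over the joined fields; stand-in for any keyed MAC."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


class ToyHSM:
    """Toy payment HSM (constructed). The PIN key never leaves it; the optional
    response key is shared with the switch and binds answers to requests."""

    def __init__(self, pin_key, response_key=None):
        self._pin_key = pin_key
        self._response_key = response_key

    def compute_pvv(self, pan, pin):
        """Issuer-side value stored with the card record (stand-in for a PVV)."""
        return _mac(self._pin_key, pan, pin)[:8]

    def verify(self, msg):
        ok = hmac.compare_digest(self.compute_pvv(msg["pan"], msg["pin"]), msg["pvv"])
        resp = {"result": "OK" if ok else "FAIL"}
        if self._response_key is not None:
            # Mitigation: tie the answer to this exact request (nonce + PAN + result).
            resp["nonce"] = msg["nonce"]
            resp["mac"] = _mac(self._response_key, msg["nonce"], msg["pan"], resp["result"])
        return resp


class ReplayingHook:
    """Model of the interception the article describes: sits on the path from
    switch to HSM, keeps a verification message the HSM accepted, and sends
    that instead of the real request when an attacker-controlled card appears."""

    def __init__(self, hsm, attacker_pan_prefix):
        self._hsm = hsm
        self._prefix = attacker_pan_prefix  # assumption: attacker cards share a prefix
        self._saved = None

    def send(self, msg):
        if msg["pan"].startswith(self._prefix) and self._saved is not None:
            forwarded = dict(self._saved)   # replay the legitimate message
        else:
            forwarded = msg                 # legitimate traffic passes untouched
        resp = self._hsm.verify(forwarded)
        if forwarded is msg and resp["result"] == "OK":
            self._saved = dict(msg)         # remember a message the HSM accepted
        return resp


class Switch:
    """ATM switch side. Without a response key it trusts any 'OK' (the weak
    design); with one it checks the HSM's MAC against the request it sent."""

    def __init__(self, channel, response_key=None):
        self._channel = channel
        self._response_key = response_key

    def authorize(self, pan, pin, pvv):
        msg = {"pan": pan, "pin": pin, "pvv": pvv, "nonce": secrets.token_hex(8)}
        resp = self._channel.send(msg)
        if resp["result"] != "OK":
            return False
        if self._response_key is None:
            return True
        expected = _mac(self._response_key, msg["nonce"], pan, resp["result"])
        return resp.get("nonce") == msg["nonce"] and hmac.compare_digest(resp.get("mac", ""), expected)


def run_demo(bind_responses):
    """Return (legitimate card accepted, fraudulent card accepted) with the
    replaying hook in place, with or without request-bound HSM responses."""
    pin_key = b"constructed-issuer-pin-key"
    response_key = b"constructed-switch-hsm-key" if bind_responses else None
    hsm = ToyHSM(pin_key, response_key)
    switch = Switch(ReplayingHook(hsm, attacker_pan_prefix="9999"), response_key)

    legit_pan, legit_pin = "4111111111111111", "1234"
    legit_ok = switch.authorize(legit_pan, legit_pin, hsm.compute_pvv(legit_pan, legit_pin))
    # Attacker card: the PIN/PVV pair is garbage, so an untampered path would say FAIL.
    fraud_ok = switch.authorize("9999000000000001", "0000", "00000000")
    return legit_ok, fraud_ok


if __name__ == "__main__":
    print("no binding  :", run_demo(bind_responses=False))  # (True, True)
    print("bound answer:", run_demo(bind_responses=True))   # (True, False)
```

The caveat that matters: CAKETAP runs inside the switch server’s kernel, so a hook there can also tamper with the switch’s own MAC check. Binding responses to requests only helps when the check happens in a component the rootkit does not control; keeping unexpected kernel modules off the switch host in the first place is the primary control.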

“Based on Mandiant’s investigation findings, we believe that CAKETAP was leveraged by UNC2891 as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” Mandiant security researchers said in the report.

UNC2891 (aka LightBasin) is financially motivated and uses an arsenal of tools in its ATM attack campaigns: two backdoors called TINYSHELL and SLAPSTICK; two decryptors called STEELCORGI and STEELHOUND; a network reconnaissance toolkit named SUN4ME; two keyloggers called WINGHOOK and WINGCRACK; and utilities named BINBASH, WIPERIGHT, and MIGLOCLEANER.

Diagram of UNC2891’s tools in use in an ATM attack (Source: Mandiant)

Mandiant has noted that, although LightBasin and another threat actor, UNC1945, have overlapping operational tactics, it cannot readily conclude that they are the same group. “For example, it is possible that significant portions of UNC2891 and UNC1945 activity are carried out by an entity that is a common resource to multiple threat actors, which could explain the perceived difference in intrusion objectives—a common malware developer or an intrusion partner, for example,” the report concludes.

The post A new rootkit comes to an ATM near you appeared first on Malwarebytes Labs.