A week in security (March 14 – 20)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (March 14 – 20) appeared first on Malwarebytes Labs.

Facebook phish claims “Someone tried to log into your account”

Watch out for bogus Facebook phishing messages winging their way to your mailbox. The ruse is quite simple: The mail senders are relying on the recipient’s sense of panic to respond without thinking about it.

The mail looks professional enough, and seeks to imitate what would be a fairly typical looking message from Facebook. As for the panic aspect, the phishers have pinned the hopes of this attack onto the old faithful “Someone is trying to login as you, so you’d better do something about it ASAP” routine.

The phish

The mail itself combines a fairly clean design with minimal messaging. There’s a tendency with some phish attempts to overstuff the mail with all manner of nonsense to look more convincing. When that happens, we often see increasing amounts of typos or broken mail design. This one simply gets to the point. It reads as follows:

Someone tried to Iog into Your Account, User lD 

A user just logged into your Facebook account from a new device Samsung S21. We are sending you this email to verify it’s really you.

Thanks,

The Facebook Team

So far, so good. However, it goes a bit off the rails with the two clickable buttons presented. The first one says “Report the user” which makes sense. The second one just says “Yes, me” instead of something more plausible such as “Yes, it’s me” or even just “It was me”. This may set some alarm bells ringing.

The functionality

What happens when you click the button(s)? The expected process is to be whisked away to a phishing page and enter your details. Not here. This one follows the same pattern as a mail we covered a little while ago.

You may remember the phish attempt claiming to have detected unusual sign-in activity from Russia. That mail didn’t bother with phishing pages. Instead, it popped open a pre-formatted mail in your client of choice for you to respond to the creators. Anybody replying would likely receive additional requests for login details or much more besides.

This phish follows the same path, opening one of two pre-filled response styles depending on which button you select. “Report the user” is the most interesting one, pre-filling the subject line as “Send statement”.

What is sent back may be a booby-trapped document of some kind, or perhaps phishing done through a form. It’s also possible the dialogue will simply continue via mail. Whatever they’re up to, they should be treated with the cold shoulder they so richly deserve.

Go to the source

Always remember to navigate directly to the sender of supposed security alerts. If it’s genuine, you should be able to address whatever issue you’ve been sent. If there’s no sign of it, consider sending it along to them directly. It may be a scam sample they’ve not seen before, and this can in turn help them to protect a wider userbase. Above all else: don’t panic, because this is how attackers can trick you into doing something you’ll regret.

Report, block, and go about your day.

The post Facebook phish claims “Someone tried to log into your account” appeared first on Malwarebytes Labs.

AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI

The FBI has issued an advisory about the AvosLocker ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector.

AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.

Threat profile

AvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim’s server and renames them with the “.avos” extension.

The AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.

Attention!

Your systems have been encrypted, and your confidential documents were downloaded.

In order to restore your data, you must pay for the decryption key & application.

You may do so by visiting us at <onion address>.

This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/

Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website.

Contact us soon, because those who don’t have their data leaked in our press release blog and the price they’ll have to pay will go up significantly.

The corporations whom don’t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>

So, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim’s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.

The FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.

Exchange vulnerabilities

Since AvosLocker is a Ransomware-as-a-Service it may depend on the affiliate which of the vulnerabilities gets used.

The Exchange Server vulnerabilities are named as CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855.

CVE-2021-31207: a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.

CVE-2021-34523: a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.

CVE-2021-34473: a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.

This is exactly the same attack chain we described in August 2021. This chain of attack was generally referred to as ProxyShell.

Another RCE vulnerability in Exchange Server has been seen as well:

CVE-2021-26855: the ProxyLogon vulnerability which we discussed in detail in our article on Microsoft Exchange attacks causing panic as criminals go shell collecting. The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

Mitigation

As we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.

Microsoft’s team has published a script on GitHub that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.

Detection

Malwarebytes detects AvosLocker as Ransom.AvosLocker.

Malwarebytes blocks Ransom.AvosLocker

Stay safe, everyone!

The post AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI appeared first on Malwarebytes Labs.

Fake Esports voting sites looking to phish Steam users

We’ve seen Esports occasionally become the focus of gaming or Steam scams. One particular tactic of note was to claim joining an official league is an easy process. Links to third-party hosted files would offer up a supposedly cracked ESEA Esports league client. In reality, it was a data stealing Trojan.

One current twist on Esports where Steam scams are concerned is the “vote for my team” fakeout.

Crying foul on bogus voting

This trick has been around for a while now, but shows no signs of going away. As some have noticed, it is indeed “flaring up again”. The scam routinely separates unwary gamers from their logins. It’s also used to spam people from compromised accounts. On top of all that, the social pressure of “Please help me out” is often too good to let go.

An additional headache here is that people change usernames on Steam all the time. As a result, some people assume the message sender is actually a friend and not a stranger. This makes it even more likely they’ll feel obliged to assist.

People want to be helpful, and this slice of social engineering takes full advantage of this.

How does it work?

A Steam user receives an unsolicited message from a stranger. It may be sent via Steam’s own messenger service, or it could be in a Steam-themed Discord channel. The scammer presents the “offer” as a way to help a fellow Steam enthusiast out, or ties it to fictional rewards if the message recipient takes part. The message may also be sent in a different language. Some scammers simply won’t care about this, on the basis that they can just send it to a seemingly never-ending pool of other recipients.

After some small talk, the scammer will ask the message recipient if they want to join their Esports team. More likely, they’ll ask them to vote for their team in an upcoming competition, or do some form of nomination to take part.

Clicking into the site and hitting the specified team vote button will typically open up a phishing page or window. If the intended victim uses some form of account protection such as Steam Guard, they’ll be asked to switch it off. Once this is all done and dusted, the account is officially phished and at the mercy of the phisher(s).

What’s the impact from being phished in this manner?

We’ve touched on a few of the impacts, but they include:

  • Spamming your friends. Not great, and they’ll likely unfriend you once they see suspicious messages rolling in.
  • Losing your digital items. Hard-earned items will vanish, after being sent to other accounts. If you paid real money for those items then they’re at risk too. The scammer may even just choose to sell the entire account in one go. If you used money in your Steam wallet to purchase a valuable item, both money and item may be lost.
  • Loss of access. Perhaps an obvious one, but you probably don’t need the hassle of trying to get through to customer support when the pandemic continues to cause significant delays on, well, everything.

Protecting your Steam account from esports voting scams

You’ll probably be familiar with some of these Steam security suggestions:

  • Add additional protection to the email account tied to Steam. If 2FA style safeguards are available, be sure to use them. If you have a second, backup email account tied to the primary account, then make sure that’s locked down too.
  • Enable Steam Guard. It’ll mean the scammers have to work harder to access your account. While it won’t tip everyone off, having to awkwardly ask you for your 2FA code may be enough to set alarm bells ringing.
  • Unsure if an account is one of your friends sporting a new username? Hover over the username of the person messaging you on their profile. It’ll reveal a list of all the old names they’ve gone by. If you’re unable to view their profile at all, add that to the “probably suspicious” pile.
  • Never, ever log into anything related to Steam via messages from friends or strangers. Even if you know the person sending the message, it’s possible they’ve been compromised and are being used to send more spam.

The post Fake Esports voting sites looking to phish Steam users appeared first on Malwarebytes Labs.

Beware of this bogus (and phishy) “Instagram Support” email

Recently, a fake Instagram email successfully bypassed Google’s email filters and made it into hundreds of employee inboxes used by a prominent US life insurance company based in New York.

This was revealed in a report by Armorblox, a cybersecurity company specializing in stopping business email compromise (BEC) campaigns. According to its threat research team, the spoofed email originated from “lnstagram Support” with the email address membershipform@outlook.com.tr. The “l” you see in “Instagram” is actually a small letter “L”. It wouldn’t have been obvious—if not for Gmail automatically setting the first letter of a sender’s name in caps—as you can see from the screenshot below.

Clearly, threat actors have layered their campaign with a number of known fraud tactics, one of which is using a homoglyph (or homograph), making this a good example of a homograph attack, as well.

A homograph attack is a method of deception where threat actors take advantage of how certain character scripts look the same. In this case, a small “L” looks the same as a big “i”.
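
The check below is an added example (not code from the Armorblox report or from Malwarebytes) of how a mail gateway or triage script can catch the trick described above: it reduces a sender’s display name to a “skeleton” in which confusable characters are folded together (small “l” and capital “I” both become “i”), then compares that skeleton against a list of protected brand names. The confusables table and the brand list are small, constructed assumptions for illustration; a real deployment would use the full Unicode confusables data.

```python
"""Flag sender display names that impersonate a brand with look-alike characters."""
import re
import unicodedata
from email.utils import parseaddr

# Constructed, deliberately small map of confusable sequences to the letter
# they resemble. A production check should use the Unicode confusables data
# (UTS #39) instead of this hand-written table.
CONFUSABLES = {
    "rn": "m",   # two letters that render like one
    "vv": "w",
    "l": "i",    # lowercase L vs capital I: the "lnstagram" trick
    "1": "i",
    "|": "i",
    "0": "o",
    "5": "s",
}

# Brands worth protecting; an assumed list for this example.
PROTECTED_BRANDS = ["instagram", "facebook", "steam", "microsoft"]


def skeleton(text):
    """Reduce text to a comparison key: strip accents, lowercase, fold confusables.

    Two strings with the same skeleton look alike to a human even when their
    code points differ, which is exactly what a homograph attack relies on.
    """
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    # Fold longer sequences first so "rn" is handled before the single "l"/"1".
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(src, dst)
    return text


def find_impersonation(display_name, brands=PROTECTED_BRANDS):
    """Return (brand, word) for the first word that looks like a protected brand
    but is not spelled as that brand; None when nothing looks suspicious."""
    for word in re.findall(r"\S+", display_name):
        for brand in brands:
            if skeleton(word) == skeleton(brand) and word.lower() != brand:
                return brand, word
    return None


def triage_from_header(from_header, brands=PROTECTED_BRANDS):
    """Summarise a From: header as 'ok' or a one-line homoglyph finding."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else "(no address)"
    hit = find_impersonation(name, brands)
    if hit is None:
        return "ok"
    brand, word = hit
    return f"homoglyph: display name '{word}' mimics '{brand}', sent from {domain}"


if __name__ == "__main__":
    # The sender quoted in the report, plus a constructed, legitimately spelled one.
    print(triage_from_header("Lnstagram Support <membershipform@outlook.com.tr>"))
    print(triage_from_header("Instagram <no-reply@example.com>"))
```

A display name that is spelled exactly as the brand is not flagged by this check; whether such a name is allowed to arrive from an unrelated domain is a separate sender-authentication (SPF/DKIM/DMARC) question.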

The fake “Instagram Support” email that appeared to have targeted employees of a New York-based insurance firm. (Source: Armorblox)

The initial scam email reads in full:

FROM: Lnstagram Support <membershipform@outlook.com.tr>
SUBJECT: Instagram Support
MESSAGE BODY:
You have been reported for sharing fake content in your membership. and approved by us.
You must Verify your membership. If You Can't Verify Within 24 Hours
Your membership will be permanently deleted from our servers.
You can continue by pressing the Verify button to verify your membership.

The phishing email tells the recipient that their Instagram account has been reported for spreading fake or false information, which nowadays is not unheard of and considered a serious breach of Instagram’s Terms of Service. The scammers then push the recipient to verify their “membership” within 24 hours else their Instagram account will be deleted. Incorporating a sense of urgency is a scam red flag because it aims to get users to act first and think later when it’s too late.

Clicking the verify button takes users to a Google Sites page instead of the actual Instagram page—another red flag. Here, users are then asked for their credentials as a requirement for verification.

Clicking the Verify button here again directs users to the actual phishing page, as you can see below (Source: Armorblox)
Note that the rhetoric has now shifted from the victim being a fake news proponent to a copyright law-breaker. (Source: Armorblox)

The phishing site also offers up some fraudulent text that can make the whole process feel more official. The text from the phishing site is as follows:

We have received numerous complaints that you violated our copyright laws regarding your account. If you do not give us feedback, your account will be removed within 24 hours. If you think this is wrong, please verify your information below. We ask for this information because we cannot verify that you are the real owner of your account.

Be on the lookout, dear Reader, for this or similar campaigns that might land in your work inbox in the future. We always advise caution when dealing with emails—both unsolicited and those claiming to have come from inside the organization—especially ones that want something from you and pressure you to act quickly “or else”. If you have an email that you’re unsure about, ask your colleagues or contact the person who sent it via other means. Better safe than sorry, as they say, because one small slip-up is all it takes for an entire organization to get compromised. After all, big attacks do start small.

Stay safe!

The post Beware of this bogus (and phishy) “Instagram Support” email appeared first on Malwarebytes Labs.

How to protect RDP

You didn’t really think that the ransomware wave was coming to an end, did you? You may be tempted to think so, given the decline in reports about massive ransomware campaigns. Don’t be fooled.

Over the last five years, one of the primary attack vectors for ransomware attacks has been the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, a tool for remotely controlling a PC that gives you all the power and control you would have if you were actually sitting behind it—which is what makes it so dangerous in the wrong hands.

Brute-force attacks

Threat actors use brute-force password guessing attacks to find RDP login credentials. These attacks use computer programs that will try password after password until they guess one correctly, or run out of passwords. The passwords they guess can be sold via criminal markets to ransomware gangs that use them to breach their victims’ networks.

Once they have RDP access, ransomware gangs can deploy specialized tools to:

  • Elevate their privileges (when needed)
  • Leave backdoors for future use
  • Gain control over wider parts of the infiltrated network
  • Deploy ransomware and leave payment instructions

The first three steps are most important for businesses to pay attention to, as they need to be examined after a breach has been noticed. The easiest and cheapest way to stop a ransomware attack is to prevent the initial breach of the target, and in many cases that means locking down RDP.

Securing RDP

If you want to deploy software to remotely operate your work computers, RDP is essentially a safe and easy-to-use protocol, with a client that comes pre-installed on Windows systems and is also available for other operating systems. There are a few things you can do to make it a lot harder to gain access to your network over unauthorized RDP connections:

  • Decide if you really need RDP. This is an important question and you should not be afraid to ask it. Even if you are hardened against brute-force attacks, there is always the chance that attackers will find a remote vulnerability in RDP and exploit it. Before you enable RDP for anyone, be sure that you need it.
  • Limit access to the users who need it. Reduce the number of opportunities an attacker has to guess a weak password by following the principle of least privilege. This cannot be done from the Remote Desktop settings but requires security policies. We have included a guide on how to do this later in this article.
  • Limit access to specific IP addresses. This is another form of following the principle of least privilege. There is simply no need for many IP addresses to have access to your RDP clients. Rather than banning the IP addresses that don’t need access, allow only those that do.
  • Use strong passwords. Even the most persistent attacker will only ever guess very weak passwords because it is more cost effective to make a few guesses on a lot of computers than it is to make lots of guesses on one. So the first and most basic form of defence is to have users choose even moderately strong passwords—meaning passwords that don’t appear in lists of the most commonly used passwords, and aren’t based on dictionary words. Of course, getting users to actually do that is notoriously difficult, so you need to use other hardening measures as well.
  • Use rate limiting. Rate limiting (such as Malwarebytes Brute Force Protection) has the effect of significantly strengthening the defenses of weak passwords. It works by reducing the speed at which attackers can make login attempts, typically by shutting them out for a period of time after a small number of incorrect guesses. This represents a huge barrier for a computer program looking to race through tens or even hundreds of thousands of password attempts.
  • Use multi-factor authentication (MFA). MFA can stop password guessing in its tracks but it can be difficult to roll out and support. Any second authentication factor will make attacks significantly more difficult, but factors that don’t require user interaction—such as hardware keys and client certificates—are the most robust.
  • Put RDP behind a VPN. Forcing users to connect to a VPN before they can log in to RDP effectively takes RDP off the Internet and away from password guessing attacks. This can be extremely effective but it comes at the cost of maintaining a VPN, and simply shifts the burden of securing your users’ point of access from RDP to the VPN. Diligent patching is essential. In the last few years ransomware gangs and other cybercriminals have made extensive use of vulnerabilities in popular, corporate VPNs.
  • Use a Remote Desktop Gateway Server. This provides additional security and operational benefits, like MFA. The logs it takes of RDP sessions can prove very useful if you find yourself trying to figure out what might have happened after a breach. Because the logs are not on the compromised machine, they are harder for intruders to modify or delete.
  • Do not disable Network Level Authentication (NLA). NLA offers an extra authentication level. Enable it, if it wasn’t already.
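
Two of the points above, the brute-force password guessing described earlier and the rate limiting recommended as a defence, are illustrated together in the following added example. It is not code from Malwarebytes or from any product named on this page; it works on a handful of constructed events shaped like the fields a SIEM extracts from Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 for RDP), flags any source address that fails too often inside a sliding window, and then replays the same events through a simple lockout rule to show how such a rule stops a guessing run after a few attempts. The thresholds are assumptions chosen for illustration.

```python
"""Spot RDP password guessing in failed-logon events and apply a lockout rule."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # RemoteInteractive
FAILED_LOGON = 4625   # Windows Security event id
SUCCESS_LOGON = 4624

# Constructed sample events in the shape of the fields a SIEM would pull from
# Windows Security events: (timestamp, event id, logon type, source IP, user).
SAMPLE_EVENTS = [
    ("2022-03-18T09:00:01", 4625, 10, "203.0.113.7", "Administrator"),
    ("2022-03-18T09:00:03", 4625, 10, "203.0.113.7", "Administrator"),
    ("2022-03-18T09:00:04", 4625, 10, "203.0.113.7", "admin"),
    ("2022-03-18T09:00:06", 4625, 10, "203.0.113.7", "Administrator"),
    ("2022-03-18T09:00:07", 4625, 10, "203.0.113.7", "Administrator"),
    ("2022-03-18T09:00:09", 4625, 10, "203.0.113.7", "Administrator"),
    ("2022-03-18T09:15:00", 4625, 10, "198.51.100.20", "jdoe"),    # one typo...
    ("2022-03-18T09:15:20", 4624, 10, "198.51.100.20", "jdoe"),    # ...then success
    ("2022-03-18T09:30:00", 4625, 2, "127.0.0.1", "svc_backup"),   # console logon, not RDP
]


def rdp_events(events):
    """Keep only RDP logon events, as (timestamp, event id, ip, user), in time order."""
    return sorted(
        (datetime.fromisoformat(ts), eid, ip, user)
        for ts, eid, ltype, ip, user in events
        if ltype == RDP_LOGON_TYPE
    )


def find_bruteforcers(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: time of the threshold-th failure} for every source with
    at least `threshold` failed RDP logons inside any `window`-long sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, eid, ip, _user in rdp_events(events):
        if eid != FAILED_LOGON:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


class LoginRateLimiter:
    """The rate-limiting rule described above: after `max_failures` failures
    within `window`, the source is refused outright for `lockout`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def attempt(self, ts, ip, success):
        """Return 'locked', 'denied' or 'allowed' for one logon attempt."""
        if ip in self.locked_until and ts < self.locked_until[ip]:
            return "locked"             # refused before the password is even checked
        q = self.failures[ip]
        if success:
            q.clear()
            return "allowed"
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            q.clear()
            return "locked"
        return "denied"


def replay(events, limiter=None):
    """Feed the RDP events through the limiter and return the decision for each."""
    limiter = limiter or LoginRateLimiter()
    return [limiter.attempt(ts, ip, eid == SUCCESS_LOGON)
            for ts, eid, ip, _user in rdp_events(events)]


if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_EVENTS).items():
        print(f"brute force from {ip}, threshold reached at {when:%H:%M:%S}")
    print(replay(SAMPLE_EVENTS))
```

The detector keys on the source address rather than the username because, as the article notes, guessing runs often rotate through several usernames; the lockout is likewise per source, so a single mistyped password from a legitimate user is only "denied", not locked out.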

Other things that might help

The things in the list below aren’t effective enough to constitute genuine hardening, but might help reduce the volume of attacks you see. They are easy to do but they are not a substitute for the list above.

  • Changing the RDP port. Some hardening guides recommend changing the RDP port so that it does not use the default port number, 3389. Although this might reduce the number of scans that find your RDP clients, our research suggests that plenty of attackers will still find you.
  • Retire the Administrator username. Although some password guessing attacks use a variety of usernames, including automatically generated ones, many of them simply try to guess the password for the user named Administrator (or the local equivalent). However, because usernames are not treated as secrets by either users or systems, unlike passwords, you should not rely on the obscurity of your usernames to protect you.

Limiting access to the users that need it

The first step in this process is to create a user group that will be allowed remote access. You can do this in the Group Policy Management Console (GPMC.MSC).

  • In this console, select Computer Configuration > Windows Settings > Security Settings > Restricted Groups.
  • Right-click Restricted Groups and then click Add Group.
  • Click Browse > type Remote > click Check Names and you should see “REMOTE DESKTOP USERS.”
  • Click OK in the Add Groups dialog.
  • Click Add beside the MEMBERS OF THIS GROUP box and click Browse.
  • Type the name of the domain group, then click Check Names > click OK > OK.
  • On the PC, run an elevated command prompt and type GPUPDATE /FORCE to refresh Group Policy.
  • You should see the group added under the SELECT USERS button on the REMOTE tab of the PC’s SYSTEM PROPERTIES.

Now you can open the related local policies by opening Control Panel > System and Security > Administrative Tools > Local Security Policy > User Rights Assignment.

Remove the “Administrators” group from the “Allow log on through Remote Desktop Services” policy and certainly do not grant access to the account with the username “Administrator.” That account is perfect for the intruders—they would love to take it over. Also remove the “Remote Desktop Users” group, as contradictory as that may seem, because by default the user group “Everyone” is a member of the “Remote Desktop Users” group.

Now, add the user(s) that you specifically want to have remote access to this system, and make sure that they have the rights they need—but nothing more. Restrict the actions they can perform to limit the damage that they can do if the account should ever become compromised.

Secure your network resources

In the context of RDP attacks, it is also important that you apply some internal safety measures. PCs that can be used remotely should be able to use network resources, but not be able to destroy them. Use restrictive policies to keep the possible damage at bay that any user, not just a remote one, can do.

Aftermath of an attack

If you have been impacted by a ransomware attack via RDP, you’ll need to take some steps to better secure your network and endpoints. After you have recovered your files from a backup or by forking over the ransom, you need to check your systems for any changes the attackers have made that would make a future visit easier for them—especially if you decided to pay the ransom. By paying the threat actors, you have essentially painted a bulls-eye on your own back. You are now a desirable target, because they know you will pay to get your files back, if necessary.

To be sure there are no artifacts left behind, check the computer that was used to access the network via RDP for Trojans and hacking tools, and also any networked devices that could have been accessed from the compromised machine.


This article was originally published in August 2018 and was extensively updated in March 2022. Since this article was first published, Malwarebytes has added Brute Force Protection to the Nebula cloud-based security console. Check it out.

The post How to protect RDP appeared first on Malwarebytes Labs.

Double header: IsaacWiper and CaddyWiper

As war in Ukraine rages, new destructive malware continues to be discovered. In this short blog post, we will review IsaacWiper and CaddyWiper, two new wipers that do not have much in common based on their source code, but with the same intent of destroying targeted Ukrainian computer systems.

IsaacWiper

IsaacWiper was one of the artifacts security company ESET reported to be targeting Ukraine. Other artifacts were named as HermeticWiper (wiper), HermeticWizard (spreader) and HermeticRansom (ransomware). IsaacWiper is far less advanced than HermeticWiper, the first wiper that was found which we analyzed here.

IsaacWiper is made of an executable, compiled with Visual Studio. The executable imports functions like DeviceIoControl, WriteFile, MoveFile, GetDiskFreeSpaceEx and FindNextFileW. Although these functions are legitimate, the combination of all these imports could be suspicious. Section analysis, on the other hand, is perfectly normal. No strange segments are found, and entropy has the expected values:

The sample is presented in DLL form with just one export, named _Start@4 that contains the main functionality of the malware:

The malware will iterate through all system disks, overwriting the first bytes of these disks:

The following chunk shows an extract of the code responsible for that behavior. Also, it can be seen how the volume is unlocked after write operations:

We have found that not only the physical drive but also partitions are wiped in the process. The wiper will iterate through the filesystem, enumerating files and overwriting them. This behavior is similar to ransomware activity, but in this case there is no decryption key. Once the data has been overwritten, it is lost:

The attackers left various log strings in the code. An example of one of these debug strings, referenced inline, is presented below:

In fact, these debug strings describe pretty well the malware functionality. All debug strings are presented below:

As can be seen, the attackers’ goal is destroying data on victims’ systems. Affected users will lose their files, and their computers will be unbootable, forcing them to reinstall the OS.

CaddyWiper

CaddyWiper is the third wiper (after HermeticWiper and IsaacWiper) that was observed in this year’s attacks on Ukraine. In contrast to HermeticWiper, this one is very small, and has less complex capabilities.

The sample is not signed and its compilation date is: 14 March 2022 07:19:36 UTC. The executable is dedicated to destroying files and partition information for each available disk.

The main function of the wiper can be seen below:

First, the wiper checks if it is running on the Primary Domain Controller. The malware will avoid trashing Domain Controllers, probably because it wants to keep them alive for the purpose of propagation.

If the current machine is not a Domain Controller, the wiping starts. It recursively wipes files in the C:\Users directory. Then, it iterates over the available hard disks, starting from “D:”, and recursively wipes all the files it can access.

The wiping is done in the following way:

It tries to grant access to the files before writing:

All the files and directories are enumerated with the well-known APIs FindFirstFileA/FindNextFileA. If the found element is a directory, the function is called recursively. If it is a file, a new buffer filled with zeros is allocated, and the file content is overwritten with it. The buffer is limited to 10 MB, so if the file is bigger than this, only the beginning of it will be wiped.

Interestingly, this enumeration starts from the drive letter D (treating C as a separate case), so if there are any disks mounted as A or B, they are skipped. Finally the malware wipes layout information of the available disks/partitions:

It starts from \\.\PHYSICALDRIVE9, and at each iteration decrements the partition number by one.

The wiping of the partition layout is implemented via IOCTL sent to the drive device: IOCTL_DISK_SET_DRIVE_LAYOUT_EX. The malware sets an empty buffer as the new layout.

The sample is very mildly obfuscated and most of the used strings are stack-based. Also the Import Table is very small, containing only one function. All the needed functions are dynamically retrieved, with the help of a custom lookup routine:

CaddyWiper is extremely light in comparison to HermeticWiper, which was the most complex from all the wipers that have been associated with those attacks. There is no code overlap between each of them, and most likely they have been written by different authors.

Protection

Malwarebytes clients are protected against both of these wipers:

References

  1. https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
  2. https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-ukraine-hit-by-destructive-attacks-before-and-during-the-russian-invasion-with-hermet/

Indicators of Compromise

IsaacWiper

13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

CaddyWiper

a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea

The post Double header: IsaacWiper and CaddyWiper appeared first on Malwarebytes Labs.

Meet Exotic Lily, access broker for ransomware and other malware peddlers

The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized itself as an initial access broker, which means they find a vulnerability in an organization’s defenses, exploit that vulnerability, and sell the access to the victim’s network to an interested party, several times over with different victims.

Among these interested parties TAG found the Conti and Diavol ransomware groups. Because Exotic Lily’s methods involved a lot of detail, they are believed to require a level of human interaction that is rather unusual for cybercrime groups focused on large scale operations.

Initial access broker

As in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They will use a vulnerability to gain initial access and then, probably based on the nature of the target, sell this access to other cybercriminals who can use it to deploy their specific malware.

These initial access brokers differ from the usual ransomware affiliates, who deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware-as-a-service (RaaS) group in exchange for a share of the ransom if the victim decides to pay. The RaaS operator provides the encryption software and the contact and leak sites, and negotiates the ransom with the victim. An initial access broker instead tells another cybercriminal that they have found a way into company xyz and asks how much they are willing to pay for that access.

Exotic Lily

From the TAG blog we learn that Exotic Lily was highly specialized. Their initial attack vector was email. At first they targeted specific industries such as IT, cybersecurity, and healthcare, but that focus has since become less strict.

Their email campaigns gained credibility by spoofing companies and employees. The campaigns were so targeted that they are believed to be sent by human operators using little or no automation. To evade detection mechanisms, the group used common file-sharing services like WeTransfer, TransferNow, and OneDrive to deliver the payload.

Last year, researchers found that Exotic Lily exploited CVE-2021-40444, a remote code execution (RCE) vulnerability in Microsoft MSHTML. Microsoft also published a blog post about attacks exploiting this vulnerability. Later, the group shifted to delivering customized versions of BazarLoader inside ISO files.

Because Exotic Lily's operations require so much human interaction, the researchers analyzed the group's "working hours" and concluded that it looks like a regular 9-to-5 operation located in a Central or Eastern European time zone.

Social engineering

As with most email campaigns, the amount of social engineering largely determines how successful a campaign can be. There is a huge difference in success rate between the millions of emails sent in a "spray-and-pray" attack and the thousands that Exotic Lily sends out per day.

Exotic Lily used identity spoofing in which they took a legitimate company's domain and replaced its TLD with ".us", ".co" or ".biz". At first, the group created entirely fake personas posing as employees of a real company, complete with social media profiles, personal websites, and AI-generated profile pictures. That must have been a lot of work, so at some point the group started to impersonate real company employees instead, copying their personal data from social media and business databases such as RocketReach and CrunchBase.

Using these spoofed accounts, the attackers would send spear phishing emails containing a business proposal and even engage in further communication with the target, attempting to schedule a meeting to discuss the project's design or requirements.
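As an added example (not code from the Malwarebytes post or from Google TAG), here is a small Python check for the TLD-swap spoofing described above: it reduces a sender's domain to its registrable name and flags it when that name matches a domain the organization genuinely corresponds with but the suffix differs (examplecorp.us posing as examplecorp.com). The trusted-domain list, the public-suffix table and the sample addresses are all constructed for the example.

```python
"""Flag sender domains that imitate a trusted domain by swapping its TLD.

Added example, not code from the Malwarebytes post or from Google TAG. The
allow-list, the suffix table and the sample addresses are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Domains we legitimately exchange mail with (constructed for the example).
TRUSTED_DOMAINS = frozenset({"examplecorp.com", "partner-widgets.co.uk"})

# Minimal table of multi-label public suffixes so that
# "partner-widgets.co.uk" splits into ("partner-widgets", "co.uk").
# Assumption: production code would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = frozenset({"co.uk", "org.uk", "com.au", "co.jp"})


@dataclass(frozen=True)
class Verdict:
    sender_domain: str
    impersonated: Optional[str]  # trusted domain being imitated, or None


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable_name, public_suffix) for a domain.

    "mail.examplecorp.us"    -> ("examplecorp", "us")
    "partner-widgets.co.uk"  -> ("partner-widgets", "co.uk")
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    raise ValueError(f"not a qualified domain: {domain!r}")


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Display Name <user@host>' or a bare 'user@host'."""
    addr = address.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()


def check_sender(address: str,
                 trusted: Iterable[str] = TRUSTED_DOMAINS) -> Verdict:
    """Classify one sender address.

    Exact matches and genuine subdomains of a trusted domain pass. A domain
    whose registrable name equals a trusted name but whose suffix differs
    (examplecorp.us vs examplecorp.com) is reported as an impersonation.
    Anything else is unknown rather than flagged, so the check stays narrow.
    """
    dom = sender_domain(address)
    trusted = [t.lower() for t in trusted]
    if dom in trusted or any(dom.endswith("." + t) for t in trusted):
        return Verdict(dom, None)
    try:
        name, suffix = split_domain(dom)
    except ValueError:  # e.g. "user@localhost": nothing to compare against
        return Verdict(dom, None)
    for t in trusted:
        t_name, t_suffix = split_domain(t)
        if name == t_name and suffix != t_suffix:
            return Verdict(dom, t)
    return Verdict(dom, None)


def flag_impersonations(addresses: Iterable[str]) -> List[Verdict]:
    """Return only the verdicts that identify a TLD-swap impersonation."""
    return [v for v in (check_sender(a) for a in addresses) if v.impersonated]


if __name__ == "__main__":
    # Constructed sample senders: one genuine, one genuine subdomain,
    # two TLD swaps of the kind described in the post, one unrelated domain.
    sample = [
        "Alice Example <alice.example@examplecorp.com>",
        "noreply@mail.examplecorp.com",
        "Alice Example <alice.example@examplecorp.us>",
        "bob@partner-widgets.biz",
        "mallory@unrelated-company.com",
    ]
    for v in flag_impersonations(sample):
        print(f"{v.sender_domain} imitates {v.impersonated}")
```

The check deliberately only reports the exact pattern in the post (same registrable name, different suffix); homoglyphs, hyphen insertions and look-alike subdomains are separate lookalike techniques and need their own rules. In a mail gateway you would run it against the envelope sender and the From: header separately, and replace the hand-written suffix table with the Public Suffix List so names under co.uk, com.au and similar are split correctly.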

IOCs

SHA-256 hashes of the BazarLoader ISO samples:

  • 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
  • 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
  • c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

SHA-256 hashes of the BUMBLEBEE ISO samples:

  • 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
  • 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
  • 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
  • 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
  • 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

IP address of the C&C server:

  • 23.81.246.187

Stay safe, everyone!

The post Meet Exotic Lily, access broker for ransomware and other malware peddlers appeared first on Malwarebytes Labs.

Online Safety Bill’s provisions for “legal but harmful” content described as “censor’s charter”

The UK’s Online Safety Bill, a landmark piece of legislation that aims to regulate the country’s online content, has just been introduced into Parliament after undergoing significant revisions.

The bill has been in progress for about five years, and its main objective is to regulate online content in the UK so as to make the country the safest place in the world to be online. It is perhaps most famous for legally requiring pornographic websites to verify users’ ages, and, yes, that is still in there.

According to The Independent, the government has strengthened several areas since the previous draft, one of which is shortening the time company executives have to comply with requests for information from Ofcom, the UK’s communications regulator. The previous draft proposed that executives could be held criminally liable two years after the bill became law; the revised draft shortens that to two months.

What’s new and what was tweaked

There are other notable changes in the bill.

Company managers could also be held criminally liable if they (1) destroy evidence, (2) fail to attend interviews with the regulator, (3) provide false information in those interviews, or (4) obstruct Ofcom when it enters company offices.

Platforms that host user-generated content, such as social media platforms, and search engines would not only have a duty of care to protect users from scams and fraud perpetrated by other users, but also a duty to protect them from “pre-paid fraudulent ads”, which include unlicensed financial promotions and ads from fake companies. To this end, the revised bill proposes that social media platforms and search engines put in place “proportionate systems and processes to prevent the publication and/or hosting of fraudulent advertising on their service and remove it when they are made aware of it.”

“We want to protect people from online scams and have heard the calls to strengthen our new internet safety laws,” Culture secretary Nadine Dorries is quoted as saying in The Guardian, “These changes to the upcoming online safety bill will help stop fraudsters conning people out of their hard-earned cash using fake online adverts.”

Further down the list of changes, there is now a requirement to report any incidents of, or encounters with, child sexual abuse to the National Crime Agency (NCA).

News content will also be exempted from the regulations in order to protect free speech.

Cyberflashing, the act of sending unsolicited sexual images to recipients, who are usually girls and young women, would also become a crime. Those who cyberflash would face the same maximum sentence as for indecent exposure: two years in prison.

The bill also includes proposals to punish digital “pile-ons”, and the sending of threatening social media posts and hoax bomb threats.

Finally, arguably the most notable and controversial revision in the draft is how the Bill has changed its approach to “legal but harmful” content. As the phrase suggests, this refers to content that is not in itself illegal but could cause harm to whoever encounters it online.

The slippery slope of “legal but harmful” content

The updated bill demands that social media platforms set out their approach to “legal but harmful” content in the terms of service (ToS) for their services. It also proposes that such platforms conduct a risk assessment of the harms users might encounter while using their service.

Many free speech advocates, including members of the UK’s governing Conservative party, have expressed concern over the possible removal or suppression of such content. In a post, Dorries reassures her readers: “Companies will only be required to remove ‘legal but harmful’ content if it is already banned in their own terms and conditions. This only applies to the biggest platforms carrying the highest risk, and we are updating the legislation to ensure platforms focus on priority categories of harm that are set out in secondary legislation.”

Judging by some of the comments on the post (highlighted in this Twitter post), at least some readers were not moved by Dorries’ rhetoric. The Open Rights Group (ORG), a UK-based organization working to protect the digital rights and freedoms of individuals in the UK, discussed the harms of the Online Safety Bill in December 2021, calling for the “legal but harmful” clauses to be removed to “ensure that the focus of the legislation remains on its stated purpose—protecting the well being of individuals”.

Jim Killock, executive director of the ORG, describes “legal but harmful” as a censor’s charter. “Civil society groups have raised the warning, Parliament has raised the warning, the government’s own MPs have raised the warning but the government has ignored them all,” he said, “The online safety bill will outsource decisions about what we can see online from British courts, Parliament and police to the terms of service documents of social media platforms drafted by Silicon Valley lawyers.”

The post Online Safety Bill’s provisions for “legal but harmful” content described as “censor’s charter” appeared first on Malwarebytes Labs.

FBI catches up with one of its Most Wanted, arrests head of advance-fee crime network

Some scammers don’t mind putting in extra effort to make their crime look as legitimate as possible, piling lie upon lie, as long as they are assured of money at the end.

Osondu Victor Igwilo is one such Nigerian scammer.

The “catchers”

52-year-old Igwilo has been wanted by the Federal Bureau of Investigation (FBI) since 2018.

According to court documents, Igwilo was charged in 2016 in the US District Court for the Southern District of Texas, in Houston, with “one count of wire fraud conspiracy, one count of money laundering conspiracy and one count of aggravated identity theft.” He is also the alleged ringleader of an international criminal network of “catchers.” Their main fraud technique is sending phishing emails to potential victims, enticing them with false offers of investment funding purportedly on behalf of BB&T Corporation, one of the largest banking and financial firms in the US.

Igwilo and his co-conspirators used fake email accounts and the stolen identities of US government officials to net victims all over the world. When an organization showed interest in the funding, Igwilo would dispatch hired US citizens to the victims’ countries to pose as representatives of BB&T, meet them in person and sign a purported investment agreement, which made the entire scheme appear all the more authentic.

When sent by Igwilo to visit victims in other countries, these fake bank officials were instructed to visit the local US embassy or consulate and to fabricate documents bearing fake US government seals, deepening the deception that the US government was sponsoring the funding.

Both the “catchers” and the fake representatives had the job of convincing victim organizations to wire advance payments to US bank accounts as a prerequisite for receiving their funding. The owners of these accounts, known as “money movers”, then forwarded the money to Igwilo as he directed, which included purchasing luxury vehicles and shipping them to Nigeria.

Igwilo is said to have defrauded victims of approximately $100M.

“Catchers” caught

On Monday, the Economic and Financial Crimes Commission (EFCC) of Nigeria released a press statement about the capture of Osondu Igwilo along with his accomplices, Okafor Nnamdi Chris, Nwodu Uchenna Emmaunel, and John Anazo Achukwu, in a studio in Lagos. They were arrested on Thursday, 11 March 2022. According to the statement, five houses around Lagos belonging to Igwilo were recovered after the arrest.

The US Diplomatic Mission Nigeria praised the arrest, which was made possible by the partnership between the FBI and the EFCC.

Igwilo and his accomplices are expected to be formally charged in court soon.

The post FBI catches up with one of its Most Wanted, arrests head of advance-fee crime network appeared first on Malwarebytes Labs.