IT NEWS

Holidays inspire fraudsters and scammers to create timely and effective ways to string people along and get them to give up either their money or their personal information. This is the case in this chocolate-themed scam.

Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam making the rounds on WhatsApp and other social media sites like Facebook.

Users of WhatsApp have reported receiving links to a web page where they can claim a “free Cadbury easter chocolate basket.”

When they open the link, users are presented with a short list of questions to answer—purportedly as part of an “Easter Egg Hunt”—before they are prompted to enter their personal details.

The Dorset Police Cyber Crime Unit posted an appeal about this scam to its Facebook page.

“DON’T CLICK THE LINK.” the post reads, the text bookended with the warning sign emoji. “Our Cyber Protect Officer has done it for you.”

The post continues with how the scam works:

“The site looks fairly convincing, however the only buttons that actually work are the ones to answer the questions. The search icon and the three little lines do nothing at all.

Once you answer those question [sic], you’re taken to a little game where you have to ‘find your prize’. Conveniently, your first and second tries won’t be successful, but you’ll ‘win’ on your third go! At that point, to claim your “prize”, you’ll be asked to hand over all sorts of personal information. That’s where the scam comes in!”

Looking at the shortened URL link (“tinyurl2.ru“) used in this campaign and how this scam campaign itself was formatted, it resembles the Amazon International Women’s Day 2022 Giveaway scam that is said to have gone viral in February.

It’s highly likely that scam links similar to these two can only be accessed via mobile devices.

This isn’t the first time Cadbury’s name has been dragged into a scam campaign. On December 2021, a Facebook scam about Cadbury reportedly giving away hampers of chocolate for Christmas did the rounds.

How to avoid falling for a scam like this

Warn your less security-savvy friends and family: When it comes to giveaways, think twice before clicking or sharing with friends, family, and social contacts. Scammers have always been on the prowl and do not rest until they get what they want. They are patient and have only got better at attempting to social engineer anyone who has a soft spot for anything—dogs, cats, commemorations, pizza, and, as we’ve just seen, chocolates.

Err on the side of caution. If you see a giveaway post in your feed, visit the official website of this brand to see if it’s genuine. Or, if they have a social media presence, which they usually do, ask on Twitter or Facebook. Send screenshots if you can.

It’s always a good idea to verify. But it’s not a good idea to click links thoughtlessly, and give your details away for delicious, delicious chocolate you can just buy from the shops.

Stay safe!

The post “Free easter chocolate basket” is a social media scam after your personal details appeared first on Malwarebytes Labs.

It is now officailly spring in the Northern Hemisphere, and with spring and the longer days comes the inescapable urge to shake off the lethargy of Winter and embrace the need to go through your stuff, throw a bunch of it out, and give the rest of it a shiny new lustre.

And in our increasingly digital lives, more and more of our stuff exists as bits and bytes on our phones, tablets, laptops and desktop computers. With the trees now full of blossom and the air prickling with pollen, the may feel an urge to straigten out your digital mess too.

If you do, we’ve got your back, and we humbly suggest that when you’re done tagging your dog in every photo and getting your folder names just so, you turn your attention to your device security and give that a little dust off as well. After all, nothing makes a bigger mess of your digital life than malware rummaging through it.

1. Say “yes” to software updates

Patching (downloading software updates) is like fixing the broken locks on the front doors of your digital life—the updates contain code that fixes weaknesses that thieves could otherwise jimmy open with their digital crowbars.

Start your spring clean by downloading all the software updates you’ve been putting off. Especially the big ones.

And yes, you’ve heard this advice before (we hope). Maybe you’ve heard it a hundred times, and maybe you’re heard it so often that you’re tired of hearing it and looking for some other advice. Well, fine, there’s some other advice below, but this is number one in our list for a reason, so please don’t skip it. This is the first and most important thing you can do to give your digtal security a spring boost.

2. Say “no” to duplicate passwords

How many online accounts do you have? Twenty, thirty, one hundred? And how many different passwords do you have for all those accounts? If the answer to these two questions isn’t exactly the same number—meaning that you have as many different passwords as you have different accounts—then you have some cleaning up to do.

Criminal hackers love it when you use the same password for more than one account. Once they’ve done the hard work of cracking one of your passwords they aren’t going to waste it, they’re going to try it on a laundry list of other websites to see what else it can unlock for them. It’s like a twofer at the grocery store for them: Hack one account, get one free!

The way to stop this is to create a unique password for each of your accounts, no exceptions. If you’re up for a deep clean then get yourself a password manager to make the job of creating and storing all those passwords easy. It’s a little more effort upfront, but well worth it.

3. Lose what you don’t use

We’re going to leave you to decide where you want to take this one and how far you want to go with it. We’ll just get you started with this simple line of thinking: From a security perspective, “more” is often worse. More apps means more places a hacker might find a broken lock or an open window they can use to break into your device. The same thing goes for your online accounts—each one is a potential way in to your digital life (particularly the accounts you haven’t used for a while, aren’t paying much attention to, or didn’t bother to lock down very well).

It’s amazing how many rarely-if-ever-used apps we accumulate on our devices, and how many accounts we open and then abandon online.

So why not lose some things? Ditch some apps you don’t need, clear out your unused browser add-ons, and delete some accounts you don’t use. The more you lose, the better.

4. Get on top of your email

Criminals use email to spread malware, fakes, and scams, so it is worth paying some attention to. Getting your unread email count to zero is immensely satisfying, and if you do it the right way it can give your security a spring in its step too.

Start by unsubscribing from all the mailing lists and newsletters you never read. You want the email that arrives in your inbox to be full of things that actually interest you, so it’s easier for you (and your spam filter) to spot anything that is slightly off. It’s just like step #3—lose what you don’t use.

Now go through your email and mark the things that look like scams, spams, malware, or junk as “Junk” or “Spam.” Every time you do that instead of just deleting shady emails you are actually training your email’s spam filter to work more effectively (if you want to know why, read our article on Bayesian Filtering). To work correctly your spam filter needs a few thousand up-to-date examples of both “good” emails and “bad” emails, so you want your inbox to be full of good things you care about, and your spam folder to be full of bad things that are malicious or spammy.

5. Run a malware scan

Spring cleaning is about the satisfaction of a job well done, and the peace of mind that comes with knowing your environment isn’t harbouring any nasties. To get that same sense of inner calm from your computer, put down the bleach and pick up a malware scanner.

A malware scanner is the quintessential deep clean for your device. It will pick over your files and apps, one by one, and run through them with a fine tooth comb, weeding out any malware that’s lurking in there undetected.

Now, we’re going to toot our own horn a little on this one. We try to give good, sensible, impartial advice on this blog, without somehow making everything about us and the things we make. Well it so happens that our scans are famous for their ability to pick up things that others miss, and it wouldn’t make any sense if we didn’t mention it when other people will happily tell you the same thing. So, if you want to scrub all the dark and difficult corners of your desktop or laptop computer, we honestly think the best advice we can give you is to run our anti-malware scanner. Sorry, not sorry.

The post 5 ways to spring clean your security appeared first on Malwarebytes Labs.

GitLab has issued several critical security updates, with users of the version control software urged to upgrade their installations as soon as possible. One of the fixes is for a hard coded password issue.

What is distributed version control?

Distributed version control is a way for an organisation’s codebase to be mirrored on the devices of anyone who needs access. Where people occasionally become confused is when they see a number of services using the word “Git” in their name. They’re not all the same thing, and we shouldn’t unnecessarily worry that one issue affects lots of different services due to naming conventions.

Are GitHub and GitLab the same thing?

They are not! If you’re reading about this update, you’re reading about an update for users of GitLab specifically. GitHub isn’t affected by this, and so users shouldn’t worry about missing security updates for hard-coded passwords. Hub and Lab are similar, but most definitely not the same.

What’s happened with GitLab?

There’s been a critical security release, addressing multiple issues. No fewer than 17 elements have been addressed, with one rated critical, two rated high, and nine rated medium. Here’s the rundown of the issue rated critical from their release page:

Static passwords inadvertently set during OmniAuth-based registration

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, 9.1). It is now mitigated in the latest release and is assigned CVE-2022-1162.

This vulnerability has been discovered internally by the GitLab team.

Note: We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.

What are hardcoded passwords, and why are they bad?

Hardcoded passwords, also known as embedded credentials, make using the software or device they’re attached to a risky business. If your cheap, off the shelf router has the same single password in use for every single device, that’s bad. Someone who owns one of these devices now knows the password for all of those devices. If your forum software has a single, unchangeable password buried in the code, that’s bad. Somebody with dubious intentions may well have the keys to the kingdom for all versions of that forum.

It’s a similar story here – with a few caveats. According to The Register, accounts created through OmniAuth using fewer than 21 characters for the password were vulnerable to the default password. A script has also been released which, in GitLab’s words, “…can be used by self-managed instance admins to identify user accounts potentially impacted by CVE-2022-1162”.

Time to update

If you think you may be impacted by this, make haste and check out the list of updates. You don’t want to leave an easy way in for attackers to exploit your business.

The post GitLab issues security updates; watch out for hard coded passwords appeared first on Malwarebytes Labs.

This blog post was authored by Ankur Saini, Roberto Santos and Hossein Jazi.

UAC-0056 also known as SaintBear, UNC2589 and TA471 is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia. The group is known to have performed a wiper attack in January 2022 on multiple Ukrainian government computers and websites.

Earlier in March, Cert-UA reported UAC-0056 activity that targeted state organizations in Ukraine using malicious implants called GrimPlant, GraphSteel as well as CobaltStrike Beacon. Following up with that campaign, SOCPRIME and SentinelOne have reported some similar activities associated with this actor.

In late March, the Malwarebytes Threat Intelligence Team identified new activity from this group that targeted several entities in Ukraine, including ICTV, a private TV channel. Unlike previous attacks that were trying to convince victims to open a url and download a first stage payload or distributing fake translation software, in this campaign the threat actor is using a spear phishing attack that contains macro-embedded Excel documents. In this blog post, we provide a technical analysis of this new campaign.

Attack process

The following picture shows the overall attack procedure used by this actor. The attack starts with malicious documents sent as attachment to a phishing email. The document contains a malicious macro that drops an embedded payload within the document. The next stage payloads are being downloaded from the attacker server in Base64 format.

Phishing email

The actor has distributed phishing emails at least from March 23th to March 28th. The email subject is Заборгованість по зарплаті (wage arrears) and the body of all the emails is the same:
Заборгованість по зарплаті. Оновлюється автоматично. Просимо надіслати вашу пропозицію для скорочення заборгованості по зарплаті. (Wage arrears. Updated automatically. Please send your offer to reduce your salary arrears.)

Excel document:

The attached document has the same name as email subject “Заборгованість по зарплаті” and it seems the actor has used a legit document as decoy.

This document contains an embedded macro that drops the first stage payload called “base-update.exe”. The payload has been saved in a “very hidden sheet” named “SheetForAttachedFile”. The sheet contains the filename, the date the payload is attached (21th March 2022), the file size and the content of the attached file in hex format.

The macro reads the content of the embedded file in the hidden sheet and writes it into the defined location for this payload which is the “AppDataLocalTemp” directory. The macro used by the actor is taken from a website that described and provided code for a method to attach and extract the files from an Excel workbook.

Elephant Dropper (Base-Update.exe)

Elephant Dropper is the initial executable deployed in this attack; as the name suggests this is a simple dropper which deploys further stages. This executable is written in the Go programming language and is signed with a stolen Microsoft certificate. The strings in the binary suggest that it was actually named as Elephant Dropper by the attackers themselves.

It checks if the “C:Users{user}.java-sdk” directory exists on the system and creates it if it does not. The strings in the binary are encoded and are only decoded when they are required to be used.
The dropper decodes the C2 address from a string and then downloads a Base64 encoded binary from the C2 and writes it to “C:Users{user}.java-sdkjava-sdk.exe”. This downloaded binary is named as Elephant Downloader by the attackers judging from the strings present. java-sdk.exe is then executed by the dropper with the following arguments, “-a 0CyCcrhI/6B5wKE8XLOd+w==”. The argument “-a” refers to address and the Base64 string is the C2 address in AES encrypted format.

Elephant Downloader (java-sdk.exe)

Elephant Downloader is also written in the Go Programming Language and is executed by the Dropper. The main purpose of this payload is to maintain persistence on the system and also deploy the next two stages of the attack. The strings in this executable are encoded in the same way as in the Dropper. It makes itself persistent through the auto-run registry key. To do so, it creates a registry key under “SoftwareMicrosoftWindowsCurrentVersionRun” named as “Java-SDK” with value “C:Users{user}Desktopjava-sdk.exe -a 0CyCcrhI/6B5wKE8XLOd+w==”.

The downloader is responsible for getting the implant and the client; the URL paths for the payloads are stored in encoded form in the binary. It downloads the implant and the client from http://194.31.98.124:443/m and http://194.31.98.124:443/p respectively in Base64 encoded format.

After this, it decodes the file names which are stored as well in encoded format and creates the file in the earlier mentioned directory .java-sdk. The file name of the implant is oracle-java.exe and the client is microsoft-cortana.exe. The downloader executes both payloads and passes “-addr 0CyCcrhI/6B5wKE8XLOd+w==” as arguments to both. Again the Base64 string is the C2 address in AES encrypted format.

Elephant Implant (oracle-java.exe)

Elephant Implant (also tracked as GrimPlant backdoor) seems to be one of the most important payloads in this attack. This executable communicates with the C2 on port 80. Similar to earlier payloads, strings are encoded in the same fashion is in this binary as well, and it also gets the C2 address encrypted from its parent process. The implant makes use of gRPC to communicate with the C2, it has a TLS certificate embedded in the binary and makes use of SSL/TLS integration in gRPC. This allows the malware to encrypt all the data that is being sent to the C2 via gRPC.

The implant uses the MachineID library to derive a unique id for each machine. It also gets the IP address of the machine by making a request to “https://api.ipify.org/”.
It also collects information related to the OS in a function named GetOSInfo, as part of this the malware collects the hostname, OS name and number of CPUs in the system. A function named GetUserInfo collects the Name, Username and path to Home directory of the current user.

The Implant can communicate with the C2 by using 4 types of RPC requests:

• /Implant/Login – This is the initial RPC request that is sent to the C2. Along with this RPC request the earlier retrieved ID and system information is sent to the C2 as well.
• /Implant/FetchCommand – This RPC request is used to retrieve the command that the actor wants to execute on the target machine. The retrieved command is executed via “%windir%SysWOW64WindowsPowerShellv1.0powershell.exe“. An AdminId and Command to be executed is received as a response to this command.
• /Implant/SendCmdOutput – This is used to send the output of an executed command by sending a
  SendCmdOutput RPC request to the C2. An AdminId and Command Output is sent with this request.
• /Implant/Heartbeat – A Heartbeat RPC request is made to C2 to send the status to the C2 at regular intervals. The machine id and system info retrieved earlier is sent with this request.

Elephant Client (microsoft-cortana.exe)

The last payload that will be described is this blog is the one named elephant_client by the actor (also tracked as GraphSteel backdoor). The functionality suggests that this final payload is a data stealer.
Similar to other payloads in this attack chain, this payload receives the C2 server as a parameter in Base64 format (0CyCcrhI/6B5wKE8XLOd+w==) which is AES encrypted format of the server. Decoding the Base64 string gives us the C2 IP address in AES encrypted format: d02c8272b848ffa079c0a13c5cb39dfb. The actor uses the following key to AES decrypt (ECB-NoPadding mode) the C2 address: F1D21960D8EB2FDDF2538D29A5FD50B5F64A3F9BF06F2A3C4C950438C9A7F78E.

Once the sample has established its connection with its C2 server, it starts collecting data and exfiltrating them into the server. At first it collects some basic info about the user and send it to the server as shown in Figure 12. (some info has been removed for privacy). The collected data is Base64 encoded, and includes hostname, OS name(windows), number of CPUs, IP address, Name, Username and home directory.

After that, the client tries to steal credentials from the victim’s machine. The actor steals data from the following services:

• Browser credentials
• WiFi information
• Credentials manager data
• Mail accounts
• Putty connections data
• Filezilla credentials

We have installed some of these services for testing purposes. Figure 13 shows how the stolen data is being sent to C2 server:

Base64 decoding data shows what data has been exfiltrated:

For example, to recover Wifi data, the command netsh wlan show profiles (that list all SSIDs saved in the machine) has been used. Once all the SSIDs are gathered, if any, it will launch the command netsh wlan show profile [SSID] key=clear, revealing all saved wifi passwords:

The following image shows an example of the command execution, where you can see some of the commands executed in the process:

Figure 17 shows another example of exfiltration in which an encoded PowerShell command is used to steal the data from the Secure Vault:

In addition to stealing credentials, the actor steals all the files from the victim’s machine. To collect the data it iterates through all the files in the user directory and hashes each of them. All of these collected hashes will be sent to the actor’s C2 server. Finally, the malware will send to the attackers all these files.
Note that all the collected data are AES encrypted before being sent to C2 server, so packet inspection will not reveal any useful information.

Conclusion

UAC-0056 aka UNC2589, TA471, or SaintBear is an active actor that has been performing cyber espionage campaigns against Ukraine since 2021. The group is known to have performed the WhisperGate disruptive attack against Ukraine government entities in early 2022. Recently we have observed new activity associated with this actor that used macro-embedded excel documents to drop its malicious software on victims machines. In this blog we provided a technical analysis of this campaign.

The Malwarebytes Threat Intelligence team continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.

IOCs

Emails:
1ce85d7be2e0717b79fbe0132e6851d81d0478dba563991b3404be9e58d745b1
58c93b729273ffa86ed7baa7f00ccd9664ab9b19727010a5a263066bff77cee8
ed0128095910fa2faa44e41f9623dc0ba26f00d84be178ef46c1ded003285ae3
Excel doc:
c1afb561cd5363ac5826ce7a72f0055b400b86bd7524da43474c94bc480d7eff
Elephant dropper (base-update.exe):
9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c8fccd7c1946070995a
Elephant downloader (java-sdk.exe):
8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1
Elephant Implant (oracle-java.exe):
99a2b79a4231806d4979aa017ff7e8b804d32bfe9dcc0958d403dfe06bdd0532
Elephant Client (microsoft-cortana.exe):
60bdfecd1de9cc674f4cd5dd42d8cb3ac478df058e1962f0f43885c14d69e816
C2:
194.31.98.124

The post New UAC-0056 activity: There’s a Go Elephant in the room appeared first on Malwarebytes Labs.

Apple has released security updates for macOS Monterey 12.3.1, iOS 15.4.1, iPadOS 15.4.1, tvOS 15.4.1, and watchOS 8.5.1. The update patches two vulnerabilities about which the advisory states that Apple is aware of a report that this issue may have been actively exploited for both vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the vulnerabities that were patched in the updates:

• CVE-2022-22674
• CVE-2022-22675

Intel Graphics Driver

The vulnerability listed as CVE-2022-22674 exists in the Intel Graphics Driver and is described as an out-of-bounds read issue that may lead to the disclosure of kernel memory and that was addressed with improved input validation. Impacted devices are Macs running macOS Monterey. The graphics drivers are built into the Mac operating system.

AppleAVD

The vulnerability listed as CVE-2022-22675 exists in the AppleAVD audio and video decoding component and is described as an out-of-bounds write issue that was addressed with improved bounds checking. Impacted devices include:

• Macs running macOS Monterey
• iPhone 6s and later
• iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Out-of-bounds read

If a flaw in a program allows it to read or write outside of the bounds set for the program, it is possible to manipulate other parts of the memory which are allocated to more critical functions. This can allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Specific details about the vulnerabilities have not been disclosed which is habitual, since Apple wants to give as many users as possible a chance to update before giving others a chance to abuse them.

Stay safe, everyone!

The post Update now! Apple patches two zero-day vulnerabilities that may have been actively exploited appeared first on Malwarebytes Labs.

Globant, an IT and software development firm with offices all around the globe, recently admitted in a press statement Wednesday that it has suffered a breach in their network. Affected data includes (but may not be limited to) some source code and certain project documentations of clients.

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access. We have activated our security protocols and are conducting an exhaustive investigation,” company officials wrote. “To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected. We are taking strict measures to prevent further incidents.”

The breach allegedly represents the latest work from the increasingly popular threat actor group LAPSUS$, which claimed responsibility for the attack this week. In a message sent on Telegram to 45,000 followers, individuals who claim to be behind LAPSUS$ first announced that they were “officially back from vacation.”

A follow-up message sent shortly after reads:

For anyone who is interersted about the poor security practices in use at Globant.com. I will expose the admin credentials for ALL their devops platforms below.

As of this writing, Globant never confirmed when they were breached nor did they mention if a group has already approached them for ransom.

More about LAPSUS$

Globant is the latest company in a lengthening list of huge names compromised by LAPSUS$, a relatively new group in the online extortion gig. This list already includes Microsoft, Nvidia, Samsung, LG, and Okta.

If you’re wondering if LAPSUS$ has always targeted such large companies, the answer is yes. When LAPSUS first grabbed the attention of the cybersecurity community, they had already compromised companies like Impresa, the largest media conglomerate in Brazil; Claro, one of Brazil’s telecommunications operators; and Brazil’s Ministry of Health.

These early attacks have led people to believe that LAPSUS$ hailed from South America. Notably, their use of Spanish and Portuguese was akin to native speakers. Microsoft tracks the group as “DEV-0537”.

As a criminal group, their primary focus is to hack companies, steal their data, and demand a ransom. In some cases, they have used ransomware and phishing (among other social engineering tactics) as a precursor to get inside target systems. LAPSUS$ is known for not only stealing data but also for stealing code from companies they target. It is said that they use stolen code to better hide their malware. To date, they have reportedly pilfered a total of $14 million (£10.6 million)

Before revealing that the group breached Globant and stole the company’s data, LAPSUS$ claimed that some of their members were taking “a vacation”. In cybersecurity, we have learned that this could either mean that threat actors are moving away from the spotlight to lay low—because of the pressure to evade law enforcement—or the actors have somehow already been captured. It appears that the latter applies in LAPSUS$’s case.

In late March, cybersecurity researchers investigating these big-named hacks were able to trace the attacks to a 16-year old teenager in Oxford, England. The teen, who remains unnamed due to his age, goes by the online monikers “White” and “Breachbase” and is believed to be the group’s mastermind. It is said that the Oxford teen hacker’s personal information, including those of his parents, was leaked by rival hackers. On top of that, forensic investigators used evidence from the hacks and public information to tie the teen to the hacking group.

Another suspected LAPSUS$ member is also a teenager but based in Brazil. According to Bloomberg, this teen is “so skilled at hacking—and so fast—that researchers initially thought the activity they were observing was automated.”

Investigators looking into the hacks have found a total of seven unique accounts associated with the extortion group. This indicates that there are likely more members of LAPSUS$ that are involved.

On March 21, the FBI launched a public appeal for information about the group. Four days later, news of the UK police arresting seven teenagers between the ages of 16 and 21 broke. It was part of an international police investigation into the LAPSUS$ gang. Today, according to the BBC, two of the teens (aged 16 and 17) have been formally charged with “three counts of unauthorised access to a computer with intent to impair the reliability of data, one count of fraud by false representation, and one count of unauthorised access to a computer with intent to hinder access to data.”

The 16-year-old, whom we believe could be the teen from Oxford, is also charged with “one count of causing a computer to perform a function to secure unauthorised access to a program.”

The post Globant suffers network breach due to LAPSUS$ compromise appeared first on Malwarebytes Labs.

Ransomware authors are once again targeting health services, holding important files to ransom and impacting potentially vital services. On this occasion, the victims are a non-profit organisation assisting people with their healthcare needs in California.

When Hive ransomware strikes

The victim, Partnership HealthPlan of California, has apparently been struggling since at least March 24 with this outbreak of Hive ransomware. Hive ransomware has been around since June 2021, and is a typical targeted ransomware-as-a-service (RaaS). It leverages threats to publish exfiltrated data to pressure victims to pay up. The ransomware group is known to work with affiliates that use various methods to compromise company networks.

Last August, the FBI published a paper detailing indicators of Hive compromise, along with additional tactics and techniques used by the ransomware operators. It is not a threat to be taken lightly.

The impact of ransomware

The website for the embattled provider currently reads as follows:

Partnership HealthPlan of California recently became aware of anomalous activity on certain computer systems within its network. We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation. Should our investigation determine that any information was potentially accessible, we will notify affected parties according to regulatory guidelines. We appreciate your patience and understanding and apologize for any inconvenience.

They go on to list what to do if you’re a partnership member or provider, along with the warning not to send any PII via email. As noted on VentureBeat, setting up alternate methods of contact (in this case, Gmail addresses) is a smart move in case their regular email comms are also compromised.

A slice of data exfiltration to round things off

Any impact on medical services can be extremely serious. Anything from routine appointments and check-ups to delayed operations or medical assistance can be the end result. The affected organisation in this case serves upwards of 600,000 people in the California region.

Additionally, the ransomware operators claim to have stolen 400GB of files. This allegedly includes 850k PII records which includes names, addresses, and social security numbers. This is less than ideal, though investigations are still ongoing. The primary concern right now has to be that services are restored to full functionality. The human impact of healthcare attacks is significant, and the kind of additional worry that people using said services don’t need to be dealing with.

This story is still developing, and we’ll add any important information to the blog as it comes to light. If you think you may be affected by this incident, you should contact the affected organisation using the contact details they’ve provided as soon as you can.

The post Hive ransomware impacts California non-profit health organisation appeared first on Malwarebytes Labs.

There’s a flaw in the way many of the world’s most popular messaging and email platforms—such as Facebook Messenger, Instagram, iMessage, Signal, and WhatsApp—render URIs (Uniform Resource Identifiers). That flaw makes it possible for phishing attempts to bypass filters and escape the trained eye, and results in apps incorrectly displaying URLs.

The flaw can be exploited when an attacker inserts an RTLO (right to left override) Unicode control character, which is used to display Arabic or Hebrew messages, in a string. Because messages written in these two languages are read from right to left, once the browser or messaging application sees the RTLO character, it displays every character after it right-to-left.

Two security researcher, zadewg and sick.codes, demonstrated this rendering flaw in a GitHub post you can see here.

“When a message contains a valid URL, it is highlighted and marked as hyperlink. However, this is printed to screen before sanitizing Unicode Control Characters, which results in URI spoofing via specially crafted messages.”

The two researchers used Google’s browser URL in a test case involving Instagram. In this case, they took https://google.com/ and combined it with the shortened URL, bit.ly/2Max1Kz#. They then inserted an RTLO Unicode character after the “/” of Google’s URL and before bit.ly. Once this is sent to someone, it will look like the URL you see on the GIF above:

https://google.com/#zK1xaM2/yl.tib

Notice that the bit.ly bit of the URL is flipped from the left-to-right orientation to the right-to-left orientation.

It’s simple to do, but what are the implications of this trick?

For one thing, it’s a tactic that attackers can use to fool potential victims by making them think what they received is legitimate. Attackers can piggyback on legitimate domains as well, such as in this demo where the domain is legitimately Google.

Abusing the RTL has been done many times in the past, but it usually involves filenames and not URLs. Several malware authors, such as those behind Bredolab, Mahdi, and SpyEye, are known to abuse the RTLO to hide malicious file names by disguising them as Word files or PDFs in spam attachments.

Malware Intelligence Researcher Pieter Arntz and Senior Security Researcher Jean Taggert have shown how the disguising could be done here and here, respectively. Sirefef, a Trojan known for its stealth, used RTLO when injecting malicious entries into the affected systems’ registry. And just last month, researchers from Vade Secure unearthed a phishing campaign that targeted Microsoft 365 users by disguising its spam attachment as a “voice message” when it was actually the phishing page in HTML format.

As there are a handful of applications affected by this flaw, each one has been assigned a CVE number to track:

• CVE-2020-20093 – Facebook Messenger 227.0 or prior for iOS and 228.1.0.10.116 or prior on Android
• CVE-2020-20094 – Instagram 106.0 or prior for iOS and 107.0.0.11 or prior on Android
• CVE-2020-20095 – iMessage 14.3 or older for iOS
• CVE-2020-20096 – WhatsApp 2.19.80 or prior for iOS and 2.19.222 or prior on Android

If you are wondering if the RTLO flaw works in emails, it doesn’t. BleepingComputer tested this on Gmail, Outlook.com, and Protonmail.

The URI spoofing flaw is still there with the current versions of Facebook Messenger, Instagram, iMessage, and WhatsApp. So, it’s best for users of these apps to exercise caution when clicking links until a patch or update is released for this flaw. Sick Codes has advised users the following:

“Turn off link previews in everything, especially mail apps and anything related to notifications. Don’t visit weird websites with popups. Don’t click random prize giveaways.

You already have a phone, so use your bookmarks and make sure to keep it up to date. Given the amount of zero-days flying around, especially those disclosed recently for iOS, it would be perilous to trust URLs in IMs.”

Stay safe!

The post URI spoofing flaw could phish WhatsApp, Signal, Instagram, and iMessage users appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence team has identified a malvertising campaign targeting Japanese users. The campaign they discovered was found to be using a cloaking technique to lure visitors of popular adult site PornHub to a decoy site at the domain mixhd[.]club.

Cloaking

Cloaking is a method which gives visitors and search engines the impression that a website carries content that is different from what users actually see. In this case, every visitor that was not geolocated in Japan was shown a decoy page with content stolen from a well-known Japanese adult site.

The web server in this case decides what the visitor gets to see based on the information provided by the visitor like the user-agent string, browser language, IP address, and cookies.

Japan

With a population of some 125 million and a high level of connectivity, Japan has the third highest number of Internet users after China and the US. However, we hardly ever hear about any tech support scams directed at this audience.

In fact, the first arrests for tech support scams in Japan only happened in January this year, when Tokyo police announced that they had arrested three people in connection with an alleged scam where the suspects claimed to be providing technical support for malware-infected computers.

The campaign

Visitors to PornHub were shown an advertisement for another site with adult content. Users that followed the advertisement and that were fingerprinted as being Japanese were confronted with this browser lock page.

Popups and an audio warning on the page urge the victim to call Microsoft support, but shows telephone numbers that do not belong to Microsoft.

The goal is to defraud the victims in a tech support scam. Typically, scammers will use remote control of the affected system to help the victim get rid of the browser lock and the pop-ups at a steep price. They will then try to convince the victims to sign expensive contracts. In the case where the arrests were made, for example, victims were charged around ¥30,000 (US$ 245) for half-year contracts.

While most tech support scams are operated out of India, in this case Japanese police arrested the alleged ring master, a Filipino man. Based on additional evidence we collected, we believe there is a collaboration between criminal groups in India and the Philippines, with the former providing the traffic, pop-up alerts and browser locker infrastructure. But this is not limited to Japan, as we reported a few days ago tech support fraud is still a growing market in the US.

Stay safe, everyone!

The post Tech support scam campaign targets Japanese visitors to PornHub appeared first on Malwarebytes Labs.

Calendars are a rich source of bad behaviour for scammers and spammers. They’re one of the most prolific tools the workplace has for collaborative actions and general cross-purpose messaging. They’ve been misused by bad actors for many years now, most commonly spamming unwary potential victims and leading them to bad times ahead.

A brief history of calendar connivances

Scammers abuse pretty much any beneficial feature you can think of in order to get the job done. In 2016, Mac spammers made use of the ability to suggest events found in other apps. They also fired calendar invites to people’s iCloud addresses, meaning the spam would hit the calendar and the notification center.

In 2021, iPhone calendar spam was on the up with fake infection/pornographic spam giving device owners major headaches. Bogus CAPTCHA spam and redirects to device cleaning tools were less than appreciated.

Just this year, we had something resembling an update to the tried and tested calendar methods with comment spam in shared Google documents.

These tactics have been around for many years. Witness 419 scammers misusing Google calendar invites in 2011, or even using Yahoo! Calendar to spam in 2009. If there’s a calendar with any form of sharing functionality, you can bet someone will be along shortly to post invites you don’t need. What’s the latest in unwanted calendar spam messaging land?

Calendar app spam leads to phishing pages

Many tools use calendar apps/plugins for additional features and functionality. Calendly is one such app which provides Zoom integration, website embedding, and more. It’s free and easy to sign up which means scammers will try to abuse it however they can.

According to Bleeping Computer, it’s been abused to send phishing missives. The example given shows a supposed fax message which claims “You have received a new fax document”. It also lists page count, size, and a clickable link to preview the document in question.

The landing page for these links is a blurred document with a bogus Microsoft login popup box which claims “only recipient email can access shared files”. It also has potential victims enter details twice, presumably to make sure they’re definitely entering usable credentials.

The phish routine ends with that time honoured process of redirecting the phished individual to a real website afterwards. This is to make them think there’s nothing untoward going on, unaware that they’ve handed over login details to a faker.

Dodging bogus calendar invites

This is, of course, a very bad and sneaky thing to do. While some folks may be aware of more general spam and nonsense sent their way via Google Calendar, they might not suspect the same thing can happen via other platforms. As Bleeping Computer notes, a password manager with login functionality will help as the mismatch in URLs means login details will stay safely tucked away from harm’s reach.

It’s also possible the slightly unnatural approach to “document” sending may work against the spammers here. Do people typically send you important documents by email, or by third party calendar app messaging? If it’s the former, and it likely is, then this should be enough to set alarm bells ringing.

As with all these attacks, the key is to remain calm. Don’t rush to open the document. Check who it claims to be from. Is it a stranger? Or someone you know? If it’s someone you know, it’s time to do some outreach and double check if the document is what it appears to be. Last but not least, make use of any available security/privacy features your calendar may possess. It could be the difference between a clutter free week ahead or days of skipping through rogue invitations.

The post Phishers make a date with your calendar apps appeared first on Malwarebytes Labs.