IT NEWS

De-Googling Carey Parker’s (and your) life: Lock and Code S03E06

Three years ago, a journalist for Gizmodo named Kashmir Hill wanted to understand what life was like without “Big Tech.”

Far from a “digital detox” retreat of the kind popular with exceedingly plugged-in, very online people in their mid-20s and early 30s, Hill’s experiment with technology abstinence was defined by restrictions. Swearing off Apple, Google, Facebook, Microsoft, and Amazon meant no iPhone, no Android phone, no MacBook, no PC running Windows, and no Chromebook, and that’s just hardware. Hill was also unable to visit Facebook or use its subsidiaries, Instagram and WhatsApp, and similarly she could not use Microsoft’s many tools, including the entire Microsoft Office suite but also LinkedIn, Skype, and Teams (far less of a need in pre-pandemic times). Also off the table was any site hosted on Amazon Web Services, which Hill managed to avoid with the help of a VPN that a technologist programmed for her.

After weeks without Big Tech, Hill said plainly: “It was hell.”

The takeaways from Hill’s reporting are many, but one obvious lesson is that big tech is so entrenched in our lives that, without it, we’d be unable to function in quite the same way. And that’s a bit of a bummer for anyone who wants to lessen their reliance on these companies because of their corporate practices or their notoriously flippant attitudes about data privacy.

In 2022, then, one cybersecurity evangelist saw an opportunity: Don’t remove every Big Tech company all at once, but just one, and do it in phases where you can introduce privacy-preserving alternatives along the way. No more Google Chrome? No problem, just use Brave, he said. No more Gmail? That’s also fine, he said, because you can use FastMail or ProtonMail.

In today’s episode of Lock and Code, with host David Ruiz, we speak to Carey Parker, host of the podcast Firewalls Don’t Stop Dragons, about how he has progressively removed Google and Google services from his life, opting into new providers for crucial services like email, calendaring, document-writing, spreadsheets, and more.

“The first step in any of these things is understanding the problem. And, so, what you really need to do, first of all, is understand what Google has on you.”

Carey Parker, cybersecurity evangelist and host of Firewalls Don’t Stop Dragons

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs. You can also learn more about de-Googling your own life from Carey Parker’s website and podcast, which is having a giveaway for its fifth anniversary in which 10 lucky winners will get a one-year, consumer premium license for Malwarebytes (hey we know those people!).


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post De-Googling Carey Parker’s (and your) life: Lock and Code S03E06 appeared first on Malwarebytes Labs.

A week in security (March 7 – March 13)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (March 7 – March 13) appeared first on Malwarebytes Labs.

CISA list of 95 new known exploited vulnerabilities raises questions

On Thursday, March 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added 95 new known exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog.

This catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that are known to be exploited in the wild, and gives the agencies a due date by which each vulnerability needs to be patched in their organization.

But even if your organization isn’t an FCEB agency that has to follow Binding Operational Directive 22-01, the CISA list can act as a good guide for your patch management strategy.

95 new ones?

CISA normally sends out an email every few days listing the handful of vulnerabilities it has added to the Catalog. On March 3, however, it didn’t enumerate the list at all. Instead, it emailed a link to the Catalog with instructions on how to find the most recently added vulnerabilities. If you want to look yourself, click the arrow at the top of the “Date Added to Catalog” column, which sorts the list by date in descending order.

Not so new

The first thing that jumped out at me is that these vulnerabilities are not all very new. The oldest on the list is CVE-2002-0367, an almost 20-year-old vulnerability in Windows NT and Windows 2000. In fact, only five of the vulnerabilities were patched in 2022, and all of those apply to Cisco’s Small Business RV160, RV260, RV340, and RV345 series routers.

This brings me to the next remarkable thing: 38 of the 95 added vulnerabilities are in Cisco products. Other heavily represented vendors are Microsoft (27), Adobe (16), and Oracle (7).

Of the Adobe vulnerabilities, nine are in Flash Player. Adobe Flash Player reached End of Life (EOL) on December 31, 2020, a date first announced in 2017. Since Adobe no longer supports Flash Player, it began blocking Flash content from running on January 12, 2021, and it strongly recommends that all users immediately uninstall Flash Player to help protect their systems.

Possible reasons

Pondering the reason for CISA to suddenly add 95 vulnerabilities to their list, I came up with the following options:

  • It suddenly became aware of several old vulnerabilities that were nonetheless still being exploited.
  • It suddenly decided to list vulnerabilities in software that reached EOL long ago but is still widely used.
  • The nature of actively exploited vulnerabilities has changed.

Some examples

Personally, I suspect that the nature of the actively exploited vulnerabilities has changed. Last year, you would typically see exploited vulnerabilities that allowed an attacker to breach a network or compromise a system to gain a foothold, which in turn let them exfiltrate data, plant ransomware, and carry out other criminal activity for financial gain.

However, looking at some of the vulnerabilities that were included in this list of 95, I noticed that many could lead to Denial-of-Service (DoS) attacks.

Examples:

  • A vulnerability in Siemens SIMATIC CP 1543-1 versions before 2.0.28 allows remotely authenticated users to cause a denial of service by modifying SNMP variables.
  • Multiple Cisco vulnerabilities on this list could result in a DoS condition or cause an affected system to reload.

Other vulnerabilities could allow attackers either to run arbitrary code or to cause a denial of service. One example is a PowerPoint vulnerability that has been around since 2015 and was found being used by the Russian state-sponsored group APT28 (aka Fancy Bear) in 2018.

Some of the Flash Player vulnerabilities were found being used in targeted attacks. The suspected actor was APT37 (also known as Reaper or ScarCruft), a North Korean state-sponsored group that is often lumped in with, but tracked separately from, the Lazarus group.

A vulnerability in older Windows versions (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1) allows remote attackers to execute arbitrary code via a crafted OLE object in an Office document. Use of this exploit was attributed to the Russian Sandworm group.

I also found an Elevation of Privilege (EoP) vulnerability in Windows Installer on the CISA list that allows an attacker to delete targeted files on a system, but NOT to view or modify their contents.

Other interesting items on the list are some IoT vulnerabilities in the Treck embedded TCP/IP stack that gained some fame in 2020 under the name Ripple20. Successful exploitation of these vulnerabilities could result in denial of service, information disclosure, or remote code execution.

So, is it just me, or is there a trend here showing vulnerabilities that were previously hard to exploit for financial gain but are perfectly usable to disrupt operations? Could it be that, unsurprisingly, the war in Ukraine has changed the nature of the actively exploited vulnerabilities?

According to Adam Kujawa, Security Evangelist and Director of Malwarebytes’ Threat Intel team:

“In 2007, we observed Russian sympathizers online utilizing hacking tools to launch disruption attacks against Georgian news networks and government networks, to prevent information from flowing to the public while Russia had troops roll in. Similar events have happened in Estonia, and Russian sponsored hackers are known to utilize Ukrainian networks as a kind of “playground” for their attacks, shutting off power grids and other critical infrastructure, launching massive supply chain attacks against them (as in the case of NotPetya). And those are just some of the attacks we know about.

With that in mind, I believe that while many of these vulnerabilities are useless against actual intrusion and espionage, the exploits developed from them will be used to disrupt and degrade rather than collect.

I am not sure how many of these have been used in the wild, and while it is great to see CISA be proactive in spreading this information, I must wonder how much of the information will get to those protecting networks in Ukraine? Could it be that CISA may have just handed over the knowledge about various disruptive exploits that will work on unpatched systems, to be used against those who don’t have endpoint patching as their top priority?”

Mitigation

Given the varied nature of the list, the most actionable advice is to keep an eye on the Known Exploited Vulnerabilities Catalog. To make that easier, you can subscribe to receive updates. Beyond the usual security advice, now seems a good time to invest in proper patch management, and to ditch software that has reached EOL and no longer receives security updates.
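The Catalog is also published as machine-readable JSON, which is easier to work with than clicking the “Date Added to Catalog” column. The script below is an added example (not code from this article or from CISA) that triages a catalog update the way the sections above do by hand: pull out the entries added since a date, count them per vendor, list entries whose due date has already passed, and flag products that are end-of-life and should be removed rather than patched. The live feed lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the field names below; the embedded feed is a constructed sample with synthetic CVE IDs and made-up dates so the script runs offline.

```python
"""Triage entries from a CISA Known Exploited Vulnerabilities (KEV) feed.

Added example; not code from the Malwarebytes article or from CISA. CISA
publishes the catalog as JSON with a top-level "vulnerabilities" list whose
records carry cveID, vendorProject, product, dateAdded, dueDate and
shortDescription. SAMPLE_FEED below is a constructed sample in that shape
(synthetic CVE IDs, made-up dates); swap in the live JSON to use it for real.
"""
import json
from collections import Counter
from datetime import date

# Constructed sample; NOT the real March 3 batch and not real CVE IDs.
SAMPLE_FEED = json.dumps({
    "title": "sample KEV feed",
    "vulnerabilities": [
        {"cveID": "CVE-0001-0001", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-24",
         "shortDescription": "sample: privilege escalation"},
        {"cveID": "CVE-0001-0002", "vendorProject": "Cisco", "product": "Small Business RV Series Routers",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-17",
         "shortDescription": "sample: remote code execution"},
        {"cveID": "CVE-0001-0003", "vendorProject": "Adobe", "product": "Flash Player",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-24",
         "shortDescription": "sample: use-after-free"},
        {"cveID": "CVE-0001-0004", "vendorProject": "Cisco", "product": "IOS XR",
         "dateAdded": "2022-02-25", "dueDate": "2022-03-11",
         "shortDescription": "sample: denial of service"},
        {"cveID": "CVE-0001-0005", "vendorProject": "Oracle", "product": "WebLogic Server",
         "dateAdded": "2022-01-10", "dueDate": "2022-01-24",
         "shortDescription": "sample: deserialization"},
        {"cveID": "CVE-0001-0006", "vendorProject": "Siemens", "product": "SIMATIC CP 1543-1",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-24",
         "shortDescription": "sample: SNMP denial of service"},
        {"cveID": "CVE-0001-0007", "vendorProject": "Cisco", "product": "ASA",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-17",
         "shortDescription": "sample: denial of service"},
    ],
})

# Products you no longer want on the estate at all (assumption: maintain your own list).
EOL_PRODUCTS = {"Flash Player"}


def load_kev(text):
    """Parse feed JSON and turn the ISO date strings into date objects."""
    entries = json.loads(text)["vulnerabilities"]
    for e in entries:
        e["dateAdded"] = date.fromisoformat(e["dateAdded"])
        e["dueDate"] = date.fromisoformat(e["dueDate"])
    return entries


def added_since(entries, since):
    """Entries added on or after `since`, newest first: the 'Date Added' sort from the article."""
    return sorted((e for e in entries if e["dateAdded"] >= since),
                  key=lambda e: e["dateAdded"], reverse=True)


def vendor_counts(entries):
    """How many entries per vendor, e.g. to spot a batch dominated by one product line."""
    return Counter(e["vendorProject"] for e in entries)


def overdue(entries, today):
    """Entries whose BOD 22-01 due date has already passed."""
    return [e for e in entries if e["dueDate"] < today]


def flag_eol(entries, eol_products=EOL_PRODUCTS):
    """Entries for products that are end-of-life: the fix is removal, not a patch."""
    return [e for e in entries if e["product"] in eol_products]


def report(feed_text, since_iso, today_iso):
    """Summarise one catalog update; dates are ISO strings so callers need no imports."""
    since, today = date.fromisoformat(since_iso), date.fromisoformat(today_iso)
    entries = load_kev(feed_text)
    batch = added_since(entries, since)
    return {
        "added": len(batch),
        "by_vendor": dict(vendor_counts(batch).most_common()),
        "overdue": [e["cveID"] for e in overdue(entries, today)],
        "eol": [e["cveID"] for e in flag_eol(batch)],
    }


if __name__ == "__main__":
    # For the live feed: urllib.request.urlopen(KEV_URL).read().decode() in place of SAMPLE_FEED.
    print(json.dumps(report(SAMPLE_FEED, "2022-03-01", "2022-03-13"), indent=2))
```

Run it on the real feed on a schedule and diff the `added` set against yesterday’s; a batch where one vendor dominates, or where end-of-life products appear, is the signal the article is reacting to.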

Stay safe, everyone!

The post CISA list of 95 new known exploited vulnerabilities raises questions appeared first on Malwarebytes Labs.

Blunting RDP brute-force attacks with rate limiting

Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article.

Not long ago, successfully guessing a Windows Remote Desktop Protocol (RDP) password was widely regarded as ransomware operators’ number one way of breaching a target. It attracted a lot of press coverage three or four years ago, and interest in it was renewed in 2020 by the sudden addition of a million or so RDP-connected computers to the Internet with the onset of the pandemic and wide-scale working from home.

Things have been a little quiet since, and in 2021 RDP was eclipsed—in the press at least—by ransomware gangs’ use of a whole host of different and diverting vulnerabilities, such as the ProxyLogon attack chain.

You’d be forgiven for thinking that RDP abuse was a thing of the past. It is not.

The Ransomware Delivery Protocol

RDP is a fantastically powerful feature of Windows that makes remote work and remote administration feel like it isn’t remote at all. If a Windows computer has an Internet connection and RDP switched on, it can be used from anywhere by anyone with a valid username and password, with all the same features and access rights as if they were sitting right in front of it.

RDP is so useful that millions of Internet-connected Windows computers have it enabled.

We know this because it is trivially easy to find them, and that’s a problem.

To see why, imagine that you work in an office building that doesn’t close its doors at night and instead lets criminals wander around, trying their luck at logging on to its computers. The criminals are in no hurry, they can come back night after night, so they have plenty of time to find a computer with a weak password, or to plug away at one computer trying more and more complex passwords.

The Internet is like that overly-permissive office—and thanks to RDP it has over four million computers exposed to every cybercrook in the world, and their password guessing software.

RDP password guessing has been an enormously important technique for ransomware gangs in the last few years, because it allows them to breach a victim’s network disguised as a legitimate employee. It has been so successful that it has spawned criminals who specialise in guessing RDP passwords, and markets where they can sell them to ransomware operators.

RDP brute-forcing is alive and well

The Malwarebytes Threat Intelligence team maintains RDP honeypots that track the effectiveness of Malwarebytes Brute Force Protection (BFP), a countermeasure against RDP password guessing. The honeypots provide a revealing insight into the enormous amount of RDP brute-forcing attacks happening in the background, all day, every day.

We took a slice of data from an unremarkable period of last year—the last 15 days of October 2021—to illustrate the scale of the problem.

The honeypot in our test was an Internet-connected Windows computer with RDP enabled on a non-standard port. It used out-of-the-box BFP rate limits: Attackers were shut out for five minutes if they entered five incorrect passwords within the space of five minutes.

There is nothing about our honeypots that makes them tempting targets. If you have RDP-enabled computers, you can assume that each and every one is attracting a similar level of attention from password guessing attacks.

10,000 attacks a day

In the last 15 days of October, a five-minute BFP lockout was triggered 28,910 times, by attacks from 29 separate IP addresses. Because it takes five attempts to trigger a lockout, the total number of password attempts made against the honeypot during that test period was therefore at least 144,550, or about 10,000 per day. This figure is likely dampened considerably by the rate limiting; without it, the numbers would have been much higher.

The five IP addresses that probed the honeypot most frequently during that time all persisted for about ten days, in overlapping shifts. The similarity in the number of daily guesses they made, and in the time they spent making them, may indicate that they came from the same attacker using multiple IP addresses.

[Figure: Daily BFP lockouts triggered by the five most persistent attackers between 16 Oct 2021 and 31 Oct 2021]

Using a non-standard port is no protection

RDP normally uses port 3389. Since it is easy to scan the Internet for computers listening on port 3389 it is fairly common for RDP hardening advice to recommend assigning it a different port number.

The honeypots in this test do that: They are connected using a port from the dynamic port range, which is unlikely to be any hacker’s first guess. Despite that, our honeypots’ RDP ports receive heavy and continuous attention from brute-force password guessing programs.

It is our assessment that changing the port number does not provide any meaningful protection. It’s a cheap and easy change to make, and there is no harm in it, but you should look elsewhere for genuine hardening.

The effects of rate limiting

Rate limiting works by throttling the speed at which attackers can make password guesses, typically by shutting them out for a period of time after a small number of incorrect guesses. This is mildly inconvenient to a real user who is unlikely to make more than a handful of incorrect guesses before calling support, but represents a huge barrier for a computer program looking to race through tens or even hundreds of thousands of password attempts.

Rate limiting is what allows enormously important things like credit cards and smartphones to be secured with four- or six-digit PINs that would otherwise be trivial to crack.

So how many guesses does rate limiting prevent?

In our test, attackers were shut out for five minutes if they entered five incorrect passwords within the space of five minutes. Our attackers were persistent over several days and received, on average, about 150 bans per day.

To trigger 150 bans per day, our attackers must have made 750 incorrect guesses and incurred 750 minutes of bans, leaving them 690 minutes of the day in which to guess passwords. 750 guesses in 690 minutes gives us a guessing rate of about one password every 55 seconds, or about 1,500 guesses per day.

At that guessing rate, rate limiting reduced the number of daily password attempts from 1500 to 750, halving the effectiveness of the attack and doubling the time a security team would have to react.

But 1,500 guesses per day is an extremely low guessing rate and a very poor use of an attacker’s resources. Other attackers are much more aggressive in their approach.

A few years ago I co-authored a research paper on RDP brute forcing. During our research we monitored an attacker who made 109,934 password guesses in ten days, at a rate of about 11,000 guesses per day, or about 7.5 guesses per minute.

Against that attacker, the rate limiting we used for this article would have been triggered every 40 seconds, allowing them just 1,270 guesses per day—reducing the guessing rate by 87%, giving a security team an additional two and a half months to respond to the attack.
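The arithmetic in the last few paragraphs generalises to any “N failures in W seconds earns a ban of B seconds” policy, and it is worth having it as code when you are tuning one. The block below is an added example (not code from this article or from Malwarebytes’ honeypots) that models a bot guessing at a fixed rate against such a policy and reproduces the two cases above: the honeypot attacker at one guess every 55 seconds, and the research-paper attacker at 7.5 guesses per minute. It also shows an edge case the article does not: a bot that paces itself at N-1 guesses per window is never banned at all, so the policy has a floor. The modelling assumptions (steady rate, immediate resumption after a ban, a single source IP) are mine, not the article’s.

```python
"""Model how a lockout policy throttles an RDP password-guessing bot.

Added example; not code from the Malwarebytes article or its honeypots.
Policy: `threshold` wrong passwords inside `window` seconds earns a ban of
`ban` seconds (the article's defaults are 5 guesses, 5 minutes, 5 minutes).
Modelling assumptions: the attacker guesses at a fixed unthrottled rate,
resumes the moment a ban lifts, and never changes IP address. Rotating
source addresses, which real attackers do, sidesteps a per-IP limit, so
treat these numbers as the benefit against one persistent address.
"""
from dataclasses import dataclass

DAY = 86_400.0  # seconds


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5      # wrong guesses ...
    window: float = 300.0   # ... within this many seconds ...
    ban: float = 300.0      # ... trigger a ban of this many seconds


def evasion_rate(policy):
    """Fastest steady rate (guesses/second) that never fills the window.

    threshold-1 guesses spread evenly over the window never trip the limit
    (assumes a sliding window that is half-open at the old end)."""
    return (policy.threshold - 1) / policy.window


def bans_per_day(rate, policy):
    """Number of bans a bot guessing at `rate` guesses/second collects per day."""
    if rate <= evasion_rate(policy):
        return 0.0
    # One cycle = the time to burn `threshold` guesses, then sit out the ban.
    cycle = policy.threshold / rate + policy.ban
    return DAY / cycle


def guesses_per_day(rate, policy):
    """Guesses that actually reach the RDP service per day under the policy."""
    if rate <= evasion_rate(policy):
        return rate * DAY
    return bans_per_day(rate, policy) * policy.threshold


def reduction(rate, policy):
    """Fraction of the bot's unthrottled guesses the policy removes."""
    return 1.0 - guesses_per_day(rate, policy) / (rate * DAY)


if __name__ == "__main__":
    default = LockoutPolicy()
    cases = {
        "honeypot attacker (1 guess / 55 s)": 1 / 55,
        "research-paper attacker (7.5 / min)": 7.5 / 60,
        "window-evading bot (4 per 5 min)": evasion_rate(default),
    }
    print(f"{'attacker':38} {'raw/day':>9} {'bans/day':>9} {'gets/day':>9} {'cut':>6}")
    for label, r in cases.items():
        print(f"{label:38} {r * DAY:9.0f} {bans_per_day(r, default):9.1f} "
              f"{guesses_per_day(r, default):9.0f} {reduction(r, default):6.0%}")
    # Once a bot is being banned, the ban length is what moves the number;
    # the window only decides how slow a bot must go to avoid bans entirely.
    long_ban = LockoutPolicy(ban=3600)
    print(f"7.5/min bot with a 1-hour ban: {guesses_per_day(7.5 / 60, long_ban):.0f} guesses/day")
```

Two things fall out of the model. With the 5/5/5 defaults the floor is about 1,150 guesses per day with zero lockouts (four guesses per five-minute window), which is within a hair of the 1,270 per day the aggressive attacker is cut down to; a bot that has learned the policy simply paces itself, and your lockout counters go quiet while the guessing continues. And a longer ban, or a ban that grows with each repeat, is far more effective than a tighter window. Both are reasons to pair rate limiting with the other controls the next paragraph calls for.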

Rate limiting is a powerful technique for limiting the effectiveness of brute-force attacks. However, in all areas of security we recommend a defense-in-depth approach over a reliance on any one tool or technique. For more information on how to protect your RDP connections read our article on how to protect your RDP access from ransomware attacks.

The post Blunting RDP brute-force attacks with rate limiting appeared first on Malwarebytes Labs.

HBO sued for sharing subscriber data with Facebook

HBO Max subscribers Angel McDaniel and Constance Simon filed a class-action lawsuit against HBO on Tuesday, alleging that the company has violated their privacy by sharing subscriber viewing data with Facebook. Bursor & Fisher filed the case on behalf of McDaniel and Simon.

According to case documents, the suit asserts that HBO hands over customer lists to Facebook, which the social media company then uses to match customers’ viewing habits with their Facebook profiles. It alleges that because HBO didn’t ask for subscribers’ consent to share their data, this violates the Video Privacy Protection Act (VPPA), a bill that became law in 1988.

The VPPA was created to protect people from “wrongful disclosure of videotape rental or sale records [or similar audiovisual materials, to cover items such as video games and the future DVD format].” Although VHS and Betamax rentals from brick-and-mortar video shops haven’t been the norm for a very long time now, the VPPA has found new relevance in cases involving computers and Internet of Things (IoT) devices, such as smart TVs.

The suit further alleges that HBO partnered with Facebook to retarget Facebook ads to its subscribers. HBO Max’s privacy policy states this; however, per VPPA, subscribers are required to consent to share their viewing history first before companies can use this data. According to the suit, having a privacy policy is not enough for this.

Bursor & Fisher have been successful representing people fighting for their right to privacy in the past. The firm previously represented Josephine James Edwards, a lifestyle magazine subscriber, who filed a case against Hearst, a multinational conglomerate that owns several newspapers and magazines (among others) in 2015. The suit alleged that Hearst violated the Michigan Video Rental Privacy Act by selling magazine-subscriber data, which included age, race, religion, and income level, to third-party companies without subscribers’ consent.

The post HBO sued for sharing subscriber data with Facebook appeared first on Malwarebytes Labs.

Linux “Dirty Pipe” vulnerability gives unprivileged users root access

A vulnerability in the Linux kernel, nicknamed “Dirty Pipe”, allows an unprivileged user to overwrite data in read-only files. This can lead to privilege escalation as a result of unprivileged processes being able to inject code into root processes.

If you’re not sure what that means but you think it sounds bad—you are correct!

The vulnerability was found and explained in detail by Max Kellermann of CM4all. The affected Linux kernel versions are 5.8 and above. The fixed versions are 5.16.11, 5.15.25, and 5.10.102.

CVE-2022-0847

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, whose goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Dirty Pipe is the nickname for the vulnerability listed as CVE-2022-0847.

It is described as a flaw in the way the “flags” member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

To understand the name you need to know that a pipe is a data buffer in a Linux system’s memory that can be used as if it was a file. Pipes are used to pass information from one program to another by storing the output of the first program and then passing it to the second. For example, if you want to pass information from the list command ls to the paging program less, you’d join them with a pipe. On the command line, it looks like ls | less.

The Dirty Pipe vulnerability can be abused by creating a pipe—which the attacker has permission to change—and then confusing the Linux kernel into thinking that the pipe is a file the attacker doesn’t have permission to change.

If you are up for a full technical analysis, and would like to read about the journey of finding this vulnerability, read Max Kellermann’s post.

For those who want the short, less technical version: the confusion in the Linux kernel is created by abusing the page cache. Cached pages are temporary copies of file contents in a system’s memory, kept so that frequently used files can be handled faster. The vulnerability allows an attacker to make changes to the cached copy of a file that should be read-only for a user without root permissions.

In this way, it is possible for an attacker to gain root privileges, which ultimately allows them to take control of an affected system.

Impact

The vulnerability is serious enough for the Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning about it. Maybe because this vulnerability is similar to an older vulnerability disclosed in 2016, Dirty COW (CVE-2016-5195), which has been actively exploited by malicious actors since then. And according to the experts, this vulnerability is easier to exploit than Dirty COW was.

Proof-of-concept exploits have already been published by several researchers.

And while many readers may think: “Oh, it’s Linux, nothing for me to worry about”, the Linux kernel underpins an enormous number of websites and cloud services, and is a base for many other operating systems.

The Linux kernel is an extremely important part of the software on nearly every Android device, and some smartphones are therefore vulnerable to Dirty Pipe.

Mitigation

The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102, so make sure to get those or a later one if you are a Linux user.

For Android users it is a bit more complicated. There are so many devices and kernel versions that it is hard to give a clear statement. We can say that a 5.x kernel will normally only be found on the latest models. My smartphone (one year old) and many other older devices are not vulnerable, because the vulnerability does not affect 4.x kernels, which account for the majority of devices from Google and other vendors. You can view your kernel version under Settings > About phone > Android/Software version > Kernel version. Android users with a 5.x kernel (specifically 5.8 or later) should check whether they are vulnerable and, if so, be on the lookout for an update that fixes this vulnerability.
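Turning the version ranges above into a check is straightforward, but the result needs a caveat that the version number alone cannot give you. The block below is an added example (not code from this article or from the kernel project) that classifies a `uname -r` style release string using the numbers from this post: affected from 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102, and clean in mainline from 5.17 onward. The important edge case it handles is a branch with no fixed upstream release (5.8, 5.9, 5.11 to 5.14), where distributions shipped the fix as a backport without changing the version string; for those the honest verdict is “check your vendor’s advisory”, which is what the code says. The verdict wording and the treatment of release candidates are my assumptions.

```python
"""Classify a Linux kernel release string against the Dirty Pipe fix levels.

Added example; not code from the Malwarebytes article or the kernel project.
Numbers come from the article: CVE-2022-0847 affects 5.8 and later, and the
stable releases that carry the fix are 5.16.11, 5.15.25 and 5.10.102. The
fix is also in mainline from 5.17 onward. Two caveats built into the verdicts
(assumptions about how you use this, not facts from the article):
  * Distributions routinely backport fixes without changing the version,
    so "vulnerable upstream" means "check your vendor's advisory", not
    "definitely exploitable". Ubuntu's 5.13 HWE kernel is a typical case.
  * Release candidates (5.17-rc1..rc5) are not handled; they parse as 5.17.0.
"""
import platform
import re

FIRST_AFFECTED = (5, 8)
FIRST_CLEAN_MAINLINE = (5, 17)
# stable branch -> first patch level in that branch containing the fix
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}


def parse_kernel(release):
    """'5.10.101-generic' -> (5, 10, 101). A missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(release):
    """Return a one-line verdict for a uname -r style release string."""
    major, minor, patch = parse_kernel(release)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "not affected (before 5.8)"
    if branch >= FIRST_CLEAN_MAINLINE:
        return "not affected (mainline fix included from 5.17)"
    fixed_patch = FIXED_IN.get(branch)
    if fixed_patch is None:
        return "vulnerable upstream (no fixed release in this branch; check distro backports)"
    if patch >= fixed_patch:
        return "fixed"
    return f"vulnerable upstream (fixed in {major}.{minor}.{fixed_patch})"


if __name__ == "__main__":
    # On Linux (and in an Android shell) platform.release() is the kernel release.
    release = platform.release()
    try:
        print(f"{release}: {assess(release)}")
    except ValueError as exc:
        print(exc)
```

Android kernel strings such as `5.10.43-android12-9-...` parse the same way, so the check works for the Settings > About phone value too; a 4.x result there matches the “not affected” reasoning above.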

Stay safe, everyone!

The post Linux “Dirty Pipe” vulnerability gives unprivileged users root access appeared first on Malwarebytes Labs.

Ransomware: February 2022 review

The Malwarebytes Threat Intelligence team continuously monitors the threat landscape to stay on top of existing and emerging attacks. In this February 2022 ransomware review, we go over some of the most successful ransomware incidents based on both open source and dark web intelligence.


BlackByte

  • Observed since: July 2021
  • Ransomware note: BlackByteRestore.txt
  • Ransomware extension: .BlackByte
  • Kill Chain: Some victims reported that attackers used known Microsoft Exchange Server vulnerabilities to gain access to their networks > BlackByte ransomware
  • Sample hash: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

HermeticRansom (PartyTicket)

  • Observed since: February 2022
  • Ransomware note: read_me.html
  • Ransomware extension: <original file name>.[vote2024forjb@protonmail[.]com].encryptedJB
  • Kill Chain:  On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack
  • Sample hash: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SFile (Escal)

  • Observed since: February 2022
  • Ransomware note: .<company_name>.!README.log
  • Ransomware extension: .<company_name>.<random>
  • Kill Chain:  Smaller ransomware strains used in targeted attacks
  • Sample hash: 6a7cef95a501cce16dce6f5a645fc97c4bcbb568c83dde5a7f2e4a0d7555dd98

LockBit 2.0

  • Observed since: September 2019
  • Ransomware note: Restore-My-Files.txt
  • Ransomware extension: .lockbit
  • Kill Chain: Brute force attack on a web server containing an outdated VPN service > LockBit ransomware
  • Sample hash: 9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af

Magniber

  • Observed since: October 2017
  • Ransomware note: readme.txt
  • Ransomware extension: dihlxbl
  • Kill Chain:  Being Distributed via Microsoft Edge and Google Chrome (Korean users)
  • Sample hash: 06ea8f2b8b70b665cbecab797125733f75014052d710515c5ca2d908f3852349

Surtr

  • Observed since: December 2021
  • Ransomware note: SURTR_README.hta
  • Ransomware extension: .surtr
  • Kill Chain: Spear-Phishing > MalDoc > Surtr ransomware
  • Sample hash: 40e5bb0526169c02126ffa60a09041e5e5453a24b26bc837036748b150fa3fae

Sugar

  • Observed since: January 2021
  • Ransomware note: BackFiles_encoded01.txt
  • Ransomware extension: .Encoded01
  • Kill Chain: Spear-Phishing > MalDoc > Sugar ransomware
  • Sample hash: 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058

Conti

  • Observed since: June 2021
  • Ransomware ext: .CONTI
  • Ransomware notes: CONTI.txt, R3ADM3.txt, readme.txt, CONTI_README.txt
  • Kill Chain: Spear-Phishing > Bazar backdoor or IcedID > Cobalt Strike > Conti ransomware
  • Sample hash: 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59

Mitigations

Source: IC3.gov

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use two-factor (multi-factor) authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Recommended reading: How to protect your RDP access from ransomware attacks

The post Ransomware: February 2022 review appeared first on Malwarebytes Labs.

Brave browser goes the extra mile to block third party cookies

Brave is testing a new feature to stop bounce tracking, a sneaky method that websites use to load third-party tracking cookies so they can gather more information about who is visiting their site.

The Brave browser

As you may remember from our post about the best browsers for privacy and security, Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOS, Linux, iOS, and Android.

Brave Nightly is the version of Brave that is used for testing and development. The releases are updated every night, hence the name, and may contain bugs. Nightly automatically sends out crash reports when things go wrong. Nightly is now used to test a feature that’s designed to prevent what’s known as bounce tracking.

Why third party cookies are out of fashion

Many browsers and, especially, ad-blockers will refuse to load third-party cookies, which are cookies that do not originate from the site you are currently visiting. From a website administrator's point of view, a third-party cookie is a tracking code placed on a visitor's computer by a website other than their own. When the visitor visits their site and others, the third-party cookie records that history and sends it to the third party who created the cookie. The most common third parties are advertisers, marketers, and social media platforms.

Google has long since moved on to other methods of tracking users. But not everyone is a tech giant with the resources to pull that off, so some have resorted to bounce tracking.

Bounce tracking

Tracking protection has become a mainstream feature in many browsers these days, including Apple's Safari, Mozilla's Firefox, and Microsoft's Edge. So the targeted ad industry felt it had to find a way to circumvent those measures. Enter bounce tracking, also known as redirect tracking. Another, even more invasive method is fingerprinting, which identifies users based on their computers' unique attributes.

Bounce tracking abuses the fact that browsers' anti-tracking tools generally allow sites to store their own cookies so they can remember repeat visitors. To track you using first-party cookies only, a site that wants to track you loads an intermediary site (the tracking site) before transferring you to the intended destination. The intermediary site sets a first-party cookie along the way, and each time you pass through it, it gathers more information about where you've been and where you're going.

There are other methods of bounce tracking, such as link decoration, where a website adds a unique identifier to the links you click on, which serves as a flag to the next site you visit. The destination site can then store the identifier in a first-party cookie on the original site's behalf, letting it track your activity. The more sites take part in this, the more the original site can track you without ever using a third-party cookie. Facebook adverts use this method: the fbclid parameter appended to outbound links lets the destination site recognise you as a specific Facebook user.

Stopping bounce tracking

Some browsers have some methods to detect and stop bounce tracking but it is not always easy, since the browser doesn’t know beforehand that it will be directed through a tracking site.

In a privacy update, Brave explained how it plans to improve on the existing methods. It is calling the new feature Unlinkable Bouncing. The browser will notice when you're about to visit a privacy-harming (or otherwise suspect) website and route that visit through new, temporary browser storage. This prevents the site from identifying you by tying your footprint to that of previous visits, but allows the site to otherwise function as normal, because your visit looks like a unique, first-time visit. The temporary storage is deleted when you browse away from the suspect site, preventing the site from re-identifying you on future visits.

The Unlinkable Bouncing feature is now enabled in Brave Nightly, and will be in Brave’s full release on version 1.37.

A possible weak point in the Unlinkable Bouncing feature is that it relies on consulting filter lists, so a bouncing site that is not on a list will not be given temporary storage. But you can think of it as an extra layer on top of the existing features designed to stop bounce tracking, like query parameter stripping, debouncing, and bounce-tracking interstitials.
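To make the mechanism concrete, here is an added example, not Brave's code and not part of the original post: a toy browser model in which a redirector site links a user's visits with its own first-party cookie, as in the bounce tracking described above, and in which giving a suspect site throwaway storage (the "unlinkable bouncing" idea) breaks that link. It also strips the fbclid link-decoration parameter mentioned earlier. The site names (tracker.example, shop.example and so on), the one-entry filter list and the cookie layout are assumptions made for the example.

```javascript
// Added example, not Brave's code: a toy model of bounce tracking and of
// "unlinkable bouncing". Site names, the filter list and the cookie format
// are assumptions; there is no network access, everything runs in memory.

const SUSPECT_SITES = new Set(["tracker.example"]); // assumed filter-list entry
const TRACKING_PARAMS = new Set(["fbclid"]);        // link-decoration parameter named in the post

// Query-parameter stripping: drop known link-decoration identifiers from a URL.
function stripTrackingParams(urlString) {
  const url = new URL(urlString);
  for (const name of [...url.searchParams.keys()]) {
    if (TRACKING_PARAMS.has(name)) url.searchParams.delete(name);
  }
  return url.toString();
}

class ToyBrowser {
  constructor({ unlinkableBouncing = false } = {}) {
    this.unlinkableBouncing = unlinkableBouncing;
    this.jars = new Map();     // persistent first-party cookie jar per site
    this.trackerLog = [];      // what the redirector learns about the user
    this.nextId = 1;
    this.current = null;       // site the user is on before the click
  }

  // Storage a site gets for this visit. A suspect site gets a throwaway jar,
  // so the visit looks like a first visit and cannot be linked to earlier ones.
  storageFor(site) {
    if (this.unlinkableBouncing && SUSPECT_SITES.has(site)) {
      return new Map();
    }
    if (!this.jars.has(site)) this.jars.set(site, new Map());
    return this.jars.get(site);
  }

  // Follow a URL; tracker.example plays the intermediary redirector.
  visit(urlString) {
    const url = new URL(urlString);
    const site = url.hostname;
    const storage = this.storageFor(site);
    let next = null;
    if (site === "tracker.example") {
      let uid = storage.get("uid");
      if (uid === undefined) {
        uid = `user-${this.nextId++}`;
        storage.set("uid", uid);   // a first-party cookie, which anti-tracking rules allow
      }
      next = url.searchParams.get("dest");
      this.trackerLog.push({ uid, from: this.current, to: new URL(next).hostname });
    }
    this.current = site;
    return next ? this.visit(next) : site;
  }
}

// The user clicks three links on different sites, each routed through the tracker.
// Returns how many distinct identities the tracker could assign to that one user.
function simulate(opts = {}) {
  const browser = new ToyBrowser(opts);
  browser.current = "news.example";
  for (const dest of ["shop.example", "blog.example", "forum.example"]) {
    browser.visit(`https://tracker.example/bounce?dest=https://${dest}/`);
  }
  const identities = new Set(browser.trackerLog.map((e) => e.uid)).size;
  return { identities, log: browser.trackerLog };
}

for (const opts of [{}, { unlinkableBouncing: true }]) {
  const { identities, log } = simulate(opts);
  console.log(JSON.stringify(opts), "identities seen by tracker:", identities);
  console.table(log);
}
console.log(stripTrackingParams("https://shop.example/item?id=5&fbclid=IwAR0example"));
```

Without the defence the tracker sees one identity across all three bounces and can chain the from/to pairs into a browsing history; with unlinkable bouncing it still sees each destination but gets a fresh identity every time, so the visits cannot be joined. Note that the defence only fires for sites in SUSPECT_SITES, which is the filter-list dependency mentioned above.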

Stay safe, everyone!

The post Brave browser goes the extra mile to block third party cookies appeared first on Malwarebytes Labs.

Extortion scheme impersonates government officials, law enforcement

The FBI issued a public warning this week about a fraud scheme wherein scammers impersonate government officials and law enforcement personnel. According to the PSA, the scammers spoof legitimate numbers and names and use fake credentials of well-known members of the government and law enforcement agencies.

The scam starts off either as a call from the “police” or a text message from a “government agency”. The content of the calls and text messages vary, but they are all bogus.

In the case of phone calls, victims are either informed that their identities have been used in a crime, such as drug dealing or money laundering, or told they missed jury duty. The victim is then pressed to verify their identity using their social security number (SSN) or date of birth (DOB). If the victim resists, they are threatened with fines, arrest and imprisonment.

The text messages don’t involve accusations but instead ask victims for information related to either passport, driver’s license, or medical license renewals. The scammers threaten the revocation of licenses or registration if the victims refuse to renew or hand over the information.

Other tactics include extorting money from romance scam victims to "clear their name for participating in a crime" or as a means to aid law enforcement in capturing their romance scammer. The scammers also impersonate law enforcement and say they are collecting taxes and fees from lottery scam victims. Lastly, the scammers call victims to tell them they are due to receive a government grant, but say they need to pay some money before they can claim it.

Victims are offered a variety of means of payment, including prepaid cards, wire transfers, and cash sent by mail or cryptocurrency ATMs.

The FBI says legitimate law enforcement personnel and government officials would never request payment via the above means. It also reminds people never to give out personal information over the phone without verifying that the caller is who they say they are.

The warning included some red flags to pick up on: “Scammers will use an urgent and aggressive tone, refusing to speak to or leave a message with anyone other than their targeted victim; and will urge victims not to tell anyone else, including family, friends, or financial institutions, about what is occurring.”

The post Extortion scheme impersonates government officials, law enforcement appeared first on Malwarebytes Labs.

Azure AutoWarp brings automation headaches

Azure is Microsoft's cloud computing service, providing a wide range of features for businesses worldwide. It's particularly popular for its virtual machines and IaaS (infrastructure as a service). One useful Azure feature is Automation, which has been around for some years now and lets management tasks be automated across multiple external systems. This is where the latest vulnerability tale begins.

Researchers at Orca Security have discovered an issue with Azure which they've called "AutoWarp". The issue allowed an attacker to grab authentication tokens and gain unauthorised access to accounts. As per the research itself, AutoWarp could mean "…full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer".

How could this issue be used in an attack?

The flaw allowed interaction with servers managing sandboxes belonging to other entities. The tokens, which are used to confirm that the holder has the right permissions to access Azure resources, could be grabbed via automation jobs.

Here’s a description of what went down from the Microsoft Security Response Center:

An Azure automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token’s access is defined in Automation Account’s Managed Identity. Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.

A timeline of token disaster…almost

This flaw was reported to Microsoft on December 6, 2021, and it was fixed by December 10. The researchers then went hunting for other, similar attacks. The good news is, they don't appear to have found any. Not only that, but there also seems to be no evidence of this having been exploited in the wild.

As the Orca blog points out, you may well have been vulnerable before Microsoft fixed the problem if you used the Automation service with its managed identity feature, which was enabled by default. Even so, there are no known examples of exploitation in the wild. That's as good an end result as we could hope for, given how many organisations may have been running with default configurations.

Why Azure is an appealing target for attackers

Anything cloud-based is always going to be a hot target for people up to no good. Depending on the setup, attackers may be able to impact multiple people and companies all in one go. Exfiltration, ransomware, and blackmail all go well alongside vulnerable cloud services. This is why flaws like the above are taken so seriously.

Whether we're talking about OMIGOD exposing virtual machines, the Mirai botnet, brute forcing, or four-year-long source code leak bugs, the cloud space has been affected by many issues. Organisations place a lot of trust in cloud services, and they expect secure platforms and data that's kept safe from prying eyes and sticky fingers.

You can't guarantee something is 100% foolproof. Even so, the above is a great example of getting an issue resolved in a very short timeframe. We can only hope to see more of this the next time a cloud-based service runs into trouble.

The post Azure AutoWarp brings automation headaches appeared first on Malwarebytes Labs.