IT NEWS

RagnarLocker ransomware gang breached 52 critical infrastructure organizations

In a FLASH publication issued by the FBI in coordination with DHS/CISA, the FBI says it has identified at least 52 organizations across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including organizations in the critical manufacturing, energy, financial services, government, and information technology sectors.

Threat profile

RagnarLocker can be recognized by the extension of the encrypted files, which is “.RGNR_<ID>” or “.ragnar_<ID>”, where <ID> is a hash of the computer’s NETBIOS name.

The ransom note is called “.RGNR_[extension].txt” and states the files and data have been encrypted by RAGNAR_LOCKER.


Exfiltrated data of victims that refuse to pay will be published on the “Wall of Shame” leak site.


RagnarLocker iterates through all running services and terminates services commonly used by Managed Service Providers (MSPs) to remotely administer networks. The malware then attempts to silently delete all Volume Shadow Copies, preventing user recovery of encrypted files.
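As a defensive illustration added here (not code from the FBI FLASH or from the Malwarebytes post), the naming scheme described above can be turned into a triage check over a file listing; the alphanumeric form of <ID>, the lowercase note variant and the sample paths are assumptions:

```python
import re
from typing import Dict, List

# Naming scheme quoted from the FBI FLASH above: encrypted files carry the
# extension ".RGNR_<ID>" or ".ragnar_<ID>", and the ransom note is named
# ".RGNR_<ID>.txt". <ID> is a hash of the host's NETBIOS name; its exact
# character set is not stated, so the alphanumeric class is an assumption,
# as is accepting a lowercase "ragnar_" prefix on the note name.
ENCRYPTED_RE = re.compile(r"\.(?:RGNR|ragnar)_(?P<id>[A-Za-z0-9]+)$")
NOTE_RE = re.compile(r"^\.(?:RGNR|ragnar)_(?P<id>[A-Za-z0-9]+)\.txt$")

# Constructed file listing (not from the original post) mixing encrypted
# files, one ransom note and untouched files.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.RGNR_A1B2C3",
    r"C:\Users\alice\Documents\.RGNR_A1B2C3.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.ragnar_A1B2C3",
    r"C:\Users\alice\Pictures\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
]


def _split(path: str):
    """Split a Windows or POSIX path into (directory, file name)."""
    head, _, name = path.replace("\\", "/").rpartition("/")
    return head, name


def classify_path(path: str) -> Dict[str, str]:
    """Classify one path as a ransom 'note', an 'encrypted' file or 'clean'."""
    _, name = _split(path)
    m = NOTE_RE.match(name)  # the note is checked first because it ends in .txt
    if m:
        return {"kind": "note", "id": m.group("id")}
    m = ENCRYPTED_RE.search(name)
    if m:
        return {"kind": "encrypted", "id": m.group("id")}
    return {"kind": "clean", "id": ""}


def triage(paths: List[str]) -> Dict[str, object]:
    """Summarise a listing: counts per kind, the <ID> values seen and the
    directories holding ransom notes. Because <ID> derives from the NETBIOS
    name, more than one distinct <ID> on a share means more than one infected
    host wrote to it, which matters when scoping the incident."""
    encrypted = notes = 0
    ids, note_dirs = set(), set()
    for p in paths:
        c = classify_path(p)
        if c["kind"] == "encrypted":
            encrypted += 1
            ids.add(c["id"])
        elif c["kind"] == "note":
            notes += 1
            ids.add(c["id"])
            note_dirs.add(_split(p)[0])
    return {
        "encrypted": encrypted,
        "notes": notes,
        "ids": sorted(ids),
        "note_dirs": sorted(note_dirs),
        "multi_host": len(ids) > 1,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```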

Don’t call the cops

In the past, RagnarLocker has warned victims explicitly against contacting the FBI, or other law enforcement agencies for that matter. In September 2021, the ransomware operators threatened to publish all the data of victimized organizations that seek help from law enforcement or investigators following ransomware attacks.

But, in the wake of recent high-profile cyber and ransomware attacks, Congress and the Biden administration have joined forces to drive policy changes that would require organizations to report certain cyberincidents to the federal government. Importantly, the legislation would give organizations 72 hours to report a cyberincident. Ransomware attacks by an entity believed to originate from the CIS would certainly qualify as such.

The FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks.

The FBI says it would like the following information:

Short term items:

  • Copy of the ransom note (screen shot/picture/text file)
  • Any discovered malicious IPs with time stamps/time zones (unusual RDP connections/unusual VPN connections/beacons to malicious IPs)
  • Virtual currency addresses/amount of demand
  • Any malicious files (executables/binaries)
  • Summary of timeline of events (dates of initial observation/malicious activity)
  • Evidence of data exfiltration

Long term items:

  • Brief summary of where the IOCs came from
  • Incident response report
  • Copy of any communications with malicious actors
  • Forensic images and memory captures
  • Host and network logs
  • Any available decryptor
  • Scope of impact (amount of loss)

CIS

As mentioned in our blog post Ransomware’s Russia problem, RagnarLocker is believed to be of Russian origin and will try to avoid making victims in the Commonwealth of Independent States (CIS). To do so, RagnarLocker uses the Windows API GetLocaleInfoW to identify the location of the infected machine. If the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian,” the process terminates.

IOCs

In the PDF file that carries FLASH Number CU-000163-MW you can find the current IOCs, including IP addresses, Bitcoin addresses, and email addresses.

Mitigation

To stay out of the claws of the RagnarLocker group the usual mitigation techniques for ransomware apply. The FBI lists:

  • Use multi-factor authentication with strong passwords, including for remote access services.
  • Keep computers, devices, and applications patched and up-to-date.
  • Monitor cyberthreat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.

The FBI recommends backup strategies to speed up recovery from a ransomware attack:

  • Back up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your backups and ensure data is not accessible for modification or deletion from the system where the data resides.

Stay safe, everyone!

The post RagnarLocker ransomware gang breached 52 critical infrastructure organizations appeared first on Malwarebytes Labs.

FormBook spam campaign targets citizens of Ukraine

Our Threat Intelligence team has been closely monitoring cyber threats related to the war in Ukraine. Today, we discovered a malicious spam campaign dropping the Formbook stealer specifically targeting Ukrainians.

Formbook is part of a long-running malspam operation that we observe on a regular basis. This time, the email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.


The email can be translated as:

Dear citizens, we inform you that you are not alone in this difficult time, we in the authorities are doing everything possible to protect our citizens.
 
All citizens receive support from the Federal Government in the amount of 15,000, we want to say that you must protect each other, this is a difficult time for everyone, together with God we will fight this difficult time.
 
Your letter of approval is added
 
Sincerely.

Upon opening the file called лист підтримки.xlsx (support letter.xlsx), an exploit for CVE-2017-11882 will attempt to compromise the machine in order to download the Formbook payload from a remote server.

This is not the first — and certainly won’t be the last — time we see threat actors taking advantage of crises. As heartless as it looks, we realize that malware and criminal operations are always ongoing.

Malwarebytes customers were protected from this attack thanks to our Anti-Exploit protection layer.

Indicators of Compromise

Email subject

лист схвалення касового забезпечення – міністр

Formbook maldoc

лист підтримки.xlsx
7d39e6ca46c053c1ad744de1ca8867217596bb17bb673785eb8827b00c5ae05b

Formbook URL

103.167.92[.]57/xx_cloudprotect/vbc.exe

Formbook payload

b5f79bb30d60794b7edbf486fa96a11c1ac3ba34592a496379020e8379f281be

The post FormBook spam campaign targets citizens of Ukraine appeared first on Malwarebytes Labs.

Update now! Microsoft patches three zero-day vulnerabilities on Patch Tuesday

The updates for Microsoft’s March 2022 Patch Tuesday should fix 92 vulnerabilities, including three zero-day vulnerabilities.

Of the 92 vulnerabilities, 21 are for Microsoft Edge and originate from the Chromium Project. Of the 71 others, three are classified as Critical because they allow remote code execution (RCE).

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

The first three are publicly disclosed vulnerabilities, which makes them zero-day vulnerabilities, but so far none of them has been seen to be exploited in the wild.

Remote Desktop Client

CVE-2022-21990: A Remote Desktop Client remote code execution vulnerability. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. This vulnerability might be hard to exploit since it requires an attacker to control a malicious server and that the user must willingly connect to it. There is Proof-of-Concept (PoC) code available for this vulnerability.

Windows Fax and Scan service

CVE-2022-24459: Windows Fax and Scan service elevation of privilege vulnerability is an LPE (local privilege escalation) vulnerability in the Windows Fax and Scan service. An LPE vulnerability means that an attacker should already have some level of access and can take their privileges to a higher level by exploiting this vulnerability. Such vulnerabilities can be useful in an attack chain. There is Proof-of-Concept (PoC) code available for this vulnerability.

.NET and Visual Studio

CVE-2022-24512: A .NET and Visual Studio Remote Code Execution vulnerability. The ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack. This is because successful exploitation of this vulnerability would require a user to trigger the payload in the application.

Next up are the vulnerabilities that were rated as critical.

Exchange Server

CVE-2022-23277: A Microsoft Exchange Server remote code execution vulnerability. An attacker could target the server accounts for arbitrary or remote code execution: as an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call. So the attacker needs some form of authentication to exploit this vulnerability, which makes it all the more important to change or remove compromised accounts. Stolen or leaked credentials can be used to wreak havoc.

HEVC video extensions

CVE-2022-24508: A HEVC Video Extensions arbitrary code execution vulnerability. The High Efficiency Video Coding (HEVC) extensions allow a buyer to play back files in HEVC format. An attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file, which could lead to a crash. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately.

VP9 video extensions

CVE-2022-24501: A VP9 video extensions arbitrary code execution vulnerability. Very much the same as the above. An attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file which could lead to a crash. VP9 is the successor to VP8 and competes with HEVC.

Finally, one vulnerability that is listed as Important and not as Critical, but which looks like a likely candidate to be exploited.

SMBv3 client/server

CVE-2022-24508: A Windows SMBv3 client/server remote code execution vulnerability. The vulnerability exists in a new feature that was added to Windows 10 version 2004 and exists in newer supported versions of Windows. Older versions of Windows are not affected. The attacker needs to be authenticated to exploit the vulnerability. The Microsoft page provides a workaround that requires administrators to disable SMBv3 compression.

Other vendors

Other vendors have published security related updates as well:

  • Cisco released security updates
  • Google released Android security updates
  • Samsung released a Security Maintenance Release package that includes patches from Google and Samsung.
  • HP released a security update to deal with 16 disclosed UEFI firmware vulnerabilities.

Stay safe, everyone!

The post Update now! Microsoft patches three zero-day vulnerabilities on Patch Tuesday appeared first on Malwarebytes Labs.

Twitter makes the leap to Tor

Tor is getting another visibility boost for people who may not otherwise come into contact with it. The reason: an attempt to navigate increasing amounts of censorship.

What is Tor?

The Tor network is designed to keep communications anonymous. A variety of tools exist to make use of it, including messaging apps, web browsers, and other clients. Most people new to this realm would likely have their first experience via the standalone Tor browser. This works like any other browser download, with a lot of the same functionality. The big difference is that when you load it up, it connects to the Tor network. From the Tor browser manual:

Tor is a network of virtual tunnels that allows you to improve your privacy and security on the Internet. Tor works by sending your traffic through three random servers (also known as relays) in the Tor network. The last relay in the circuit (the “exit relay”) then sends the traffic out onto the public Internet.

Additional security tools and precautions abound in the browser to reduce the risk of fingerprinting, unwanted tracking, and more. The default search engine is DuckDuckGo. All data vanishes when the browser is closed (think Incognito mode), and three levels of security increasingly strip out page aspects, such as JavaScript and media, which could present problems.

That’s not all. Many sites have a .onion version available to make it even harder to perform surveillance on the user. When an onion version of a page you’re on exists, an “Onion available” notification is displayed next to the URL bar. That is highly relevant in this instance.

Peeling the onion

Onion pages are considered to have more advantages than regular sites where anonymity and privacy are concerned. Going back to the Tor manual:

  • Onion services’ location and IP address are hidden, making it difficult for adversaries to censor them or identify their operators.
  • All traffic between Tor users and onion services is end-to-end encrypted, so you do not need to worry about connecting over HTTPS.
  • The address of an onion service is automatically generated, so the operators do not need to purchase a domain name; the .onion URL also helps Tor ensure that it is connecting to the right location and that the connection is not being tampered with.

The second bullet is particularly useful for those perhaps increasingly rare occasions of dealing with a non-HTTPS site. They do still exist! The third bullet is handy for service operators, and the first is good for everybody involved.

Why is the potentially obscure world of onion addresses (to regular web users at least) getting an airing in the media?

Social media makes the leap (again)

Twitter has launched an onion version of its service, available immediately. It now joins Facebook, who went live with its own onion service in 2014. While some may flag this as a response to events in Ukraine, it seems this has been in the works for some time. Indeed, one of the people behind it says they’ve been toying with the idea for several years.

Elsewhere, major news services have had onion pages for a few years now:

They’re also actively promoting relevant language specific pages:

So, then, it really depends what you’re looking for via Tor. If your personal circumstances currently require access to blocked services to communicate with friends and family, or you simply need a variety of news sources in a hurry, then you may well want to consider downloading the Tor browser, because there’s a good chance what you need is already available.

Just keep in mind that, as with all things, risks do exist, and factor in additional security precautions as appropriate. Navigating directly to the Onion pages from official links likely presents minimal risk, but forewarned is most definitely forearmed.

The post Twitter makes the leap to Tor appeared first on Malwarebytes Labs.

Google takes on Docs notification spammers

Cloud-based document suites have always been a hot target for scammers. When it’s easy to dip in and out for collaboration purposes, or just share things generally, then it’s likely that bad people will want in on the action.

In 2019, Google Calendar users were wading through endless spam invites/event notifications when spammers worked out how to game the system. It was fixable, with the caveat that the fix was a multi-stage process. Quite likely a bit too much work for people who just want to access their calendars without spam, and who can blame them?

Anyway, these things come around time and time again. When a new feature appears, so too do the spam vultures. Time to cast our minds back to the end of 2020.

Of comments and exploits

The pandemic has helped nudge along additional features into collaboration tools to make remote work more straightforward. One such Google Docs revamp is the “tag tool”, which fetches lists of recommended people. It works much like typing a username on Twitter, where a list of suggestions is prefilled after the “@”.

So far, so good.

Around October 2020, spam messages via Google Docs came to light. Specifically: the comments feature. It’s worth noting this behaviour wasn’t just restricted to Docs; other apps like Slides were affected too.

Spammers figured out they were able to send messages via tagging to “nearly any email address” (as per this article). Inserting a tag would generate and send mail to the tagged individual’s mailbox, with the mail appearing to have come from Google. While we can question if that alone is enough to add the legitimacy sheen required, at the baseline it’s sailing past spam filters and related precautions.

The messages included everything from “inappropriate PDFs” and fake financial transaction links to more general bogus notifications and supposed financial compensation.

Filtering out the rogues

As with the workaround for calendar spam, the process to block the mails required setting up custom filters, although I suspect a lot of regular Google users didn’t bother with figuring out the mechanics of such a procedure.

As mentioned, one really big problem with this spam technique was the absence of additional sender information. Good news: Google has now addressed this. Notifications will now also show the commenter’s email address, in order to allow recipients to be sure about who it came from.

The change is scheduled to take place over a 15-day period, and as this rollout started on March 3rd, you may well already have the new functionality. According to the Times of India, this will also be a default option. No digging around for obscure options or menus, which is always appreciated.

If you’ve been weathering the storm of spam missives via Google apps over the last few weeks or even longer, then help is now officially on the way. Let’s hope we can all get back to being productive without the risk of bogus messages as soon as possible.

The post Google takes on Docs notification spammers appeared first on Malwarebytes Labs.

When fake dating profiles try the military approach

I’ve run into many romance scams over the years. You’ll find them lurking on social media, instant messaging, chatrooms/forums, and many more besides. They’re particularly popular during times of war or natural disaster, as they often dovetail into donation and charity scams.

The icing on the cake for many of these fakeouts is an air of respectability. Anything that adds legitimacy or something seemingly trustworthy is going to pull in potential victims. Of all the romance scams I’ve dealt with, the most common element is probably the military-centric profile picture.

A profile you can trust

Nothing adds a splash of appeal in the minds of scammers quite like a dashing hero in full combat get-up. That’s their game plan, anyway. It does seem to be rather successful though, with a neverending stream of people losing lots of money. Worth noting, large volumes of cash can go AWOL even without the addition of anything military related.

Security researchers dealing with military themed romance scams will often recognise the same images in circulation time and time again. Scammers often lazily lift the first army general they can find on Wikipedia. Other times, they’ll put a bit of work into it. It’s harder to pinpoint a scam if the image being used isn’t particularly well known.

As a result, scammers will trawl social media pages, work portals, and even Linkedin profiles. One stolen profile picture later and they’re in business. One peculiar side effect of this is that the supposedly unknown image starts getting more use as additional scammers simply grab it from their peers. The end result is that no stolen soldier photograph remains unknown for long.

When dating scammers make you famous

Have you ever considered what it’s like for the army person themselves when they realise they’re the face of scams?

This is the problem faced by Col. Daniel Blackmon. His images have been used in romance scams since around 2014, and he is basically playing whack-a-mole trying to get these fake accounts shut down. The scammers grabbed his photographs from his (at the time) entirely open Facebook page, and things spiralled out of control from there. The scam messages tied to the fake profiles aren’t particularly unique, and sound like all the other romance scams out there. With a military twist, of course. Some of the examples from the article:

  • Diamond sales via “the Yemen Government”
  • Secretive portfolios containing all the wealth you could possibly desire
  • Coming from a military family where at least one serving parent has been killed in a war
  • Peacekeeping missions with a lot at stake
  • Unable to access money, and not allowed to talk on video “for security reasons”

This is, of course, all nonsense. But to someone on the other side of the computer screen who’s feeling a bit lonely, it can be entirely convincing. Dropping images of someone in uniform across these profiles may well be enough to tip the scales in favour of the scammer.

How to avoid a romance scam

Romance scams are a big enough deal that banks flag potential payments before sending through the system. Should someone using Barclays select the “love interest” dropdown, when selecting the reason for transferring money, users will see a popup probing the nature of the payment. It’ll also highlight some of the things to be wary of (although the way it’s been done has itself drawn some criticism).

No matter which kind of romantic messages you’re receiving, be on your guard with people you don’t know. We recently published an article detailing some of the ways you can avoid being caught in this fashion. Here are some of our general tips for avoiding common forms of romance scams:

  • Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in.
  • Do an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait.
  • Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible to fleece them of their money as equally quickly.
  • If they encourage you to invest in something—be suspicious. Start digging around online about the company that, they say, is worth investing in. Never send them money.
  • Follow your gut instinct. If something feels off, cut off contact immediately and report your experience to the police, the Internet Crime Complaint Center (IC3), and the dating or social media site where you met the scammer.

Please check the article out for more advice on subjects ranging from sextortion to bogus dating websites, as you don’t need a broken heart and a shattered bank balance to go with it.

The post When fake dating profiles try the military approach appeared first on Malwarebytes Labs.

A week in security (February 28 – March 6)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (February 28 – March 6) appeared first on Malwarebytes Labs.

The struggle to reduce bug-fixing time is real

There are many reasons why we want a bug fixed as soon as we can, but there are also plenty of reasons why doing it “right now” is not an option. This starts on the developers’ side. The average time to fix a bug seems to vary depending on the platform the bug was found in. Is one group doing better, and can the others take lessons from that? Or is it something we have to take as it comes?

“Bug-fixing time” refers to the time required to fix known bugs. So, on a per bug basis it is the time between being made aware of an existing bug and issuing a fix for the bug. The ability to better understand and predict bug-fixing time can help a project team better estimate software maintenance efforts and better manage software projects.

Reasons to fix ASAP

There are some very obvious reasons why we want to push and install bug fixes as soon as possible.

  • Improved security by fixing the vulnerability.
  • Even if a vulnerability is found by a researcher taking the high road of responsible disclosure, once the cat is out of the bag, there is a good chance others will be able to duplicate the researcher’s effort. This could result in a zero-day vulnerability.
  • When you are working on a new version, a critical bug in the old version is holding you back as long as you don’t know how to fix it.
  • If the published timeline shows it has taken months to fix a bug it reflects badly on your company, and could lead customers to question whether you care about security.

In general, you can say that the bug-fixing time is an important factor for bug related analysis, such as measuring software quality. Having your software considered to be “buggy” does not help sales in any way. But situations may arise when you need to prioritize what needs to be fixed first.

Differences in platform

Last month, the Project Zero team at Google looked at fixed bugs that were reported between January 2019 and December 2021. During this period, Project Zero reported 376 issues to vendors under their standard 90-day deadline.

When reading the data, it is important to note that the number of issues is too small and not chosen randomly enough to give a full picture, but it gives you an idea at least.

Vendor     Total bugs  Fixed by day 90  Fixed during grace period  Exceeded deadline and grace period  Avg days to fix
Apple      84          73 (87%)         7 (8%)                     4 (5%)                              69
Microsoft  80          61 (76%)         15 (19%)                   4 (5%)                              83
Google     56          53 (95%)         2 (4%)                     1 (2%)                              44
Linux      25          24 (96%)         0 (0%)                     1 (4%)                              25
Adobe      19          15 (79%)         4 (21%)                    0 (0%)                              65
Mozilla    10          9 (90%)          1 (10%)                    0 (0%)                              46
Samsung    10          8 (80%)          2 (20%)                    0 (0%)                              72

Overall, the data show that almost all of the big vendors here are coming in under 90 days, on average.
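To show how the columns of the table above are derived from individual report and fix dates, here is an added example (not Project Zero’s code or data) that measures bug-fixing time and buckets it against a 90-day deadline with a grace period; the 14-day grace length, the vendor names and the sample dates are assumptions:

```python
from datetime import date
from statistics import mean
from typing import Dict, List, Tuple

DEADLINE_DAYS = 90   # Project Zero's standard disclosure deadline, as stated above
GRACE_DAYS = 14      # assumption: the grace period length is not given on the page
BUCKETS = ("by_deadline", "grace", "exceeded")

# Constructed (vendor, reported, fixed) rows in ISO date form, not real data.
SAMPLE_BUGS = [
    ("VendorA", "2021-01-04", "2021-02-15"),   # 42 days
    ("VendorA", "2021-03-01", "2021-05-30"),   # 90 days, still within the deadline
    ("VendorA", "2021-06-01", "2021-09-07"),   # 98 days, inside the grace period
    ("VendorA", "2021-07-01", "2021-11-01"),   # 123 days, past deadline and grace
    ("VendorB", "2021-02-01", "2021-02-21"),   # 20 days
]


def days_to_fix(reported: str, fixed: str) -> int:
    """Bug-fixing time as defined above: days from being told about the bug
    to issuing the fix. Inputs are ISO dates such as a tracker export gives."""
    days = (date.fromisoformat(fixed) - date.fromisoformat(reported)).days
    if days < 0:
        raise ValueError("fix date precedes report date")
    return days


def bucket(days: int, deadline: int = DEADLINE_DAYS, grace: int = GRACE_DAYS) -> str:
    """Assign a fix time to one of the three columns of the table."""
    if days <= deadline:
        return "by_deadline"
    if days <= deadline + grace:
        return "grace"
    return "exceeded"


def summarize(bugs: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, object]]:
    """Per vendor: total bugs, (count, percent) for each bucket, and the
    average number of days to fix, rounded the way the table shows them."""
    per_vendor: Dict[str, List[int]] = {}
    for vendor, reported, fixed in bugs:
        per_vendor.setdefault(vendor, []).append(days_to_fix(reported, fixed))
    out: Dict[str, Dict[str, object]] = {}
    for vendor, times in per_vendor.items():
        total = len(times)
        row: Dict[str, object] = {"total": total}
        for b in BUCKETS:
            n = sum(1 for d in times if bucket(d) == b)
            row[b] = (n, round(100 * n / total))
        row["avg_days"] = round(mean(times))
        out[vendor] = row
    return out


if __name__ == "__main__":
    for vendor, row in summarize(SAMPLE_BUGS).items():
        print(vendor, row)
```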

Complaints from bug bounty hunters

At this point it should be pointed out that bugs reported by the Project Zero team are reported to vendors directly and will be taken very seriously by the vendors.

Individual bounty hunters, however, have been complaining about getting their bugs accepted. For example, in January we saw CVE-2022-22587, a vulnerability in Apple’s IOMobileFrameBuffer, where a malicious app could execute arbitrary code with kernel privileges. This vulnerability ended up being a zero-day vulnerability that was exploited in the wild after one of them posted a Proof-of-Concept (PoC).

Many researchers that don’t want to report to vendors directly make use of the Zero-Day-Initiative (ZDI). The ZDI was created to encourage the reporting of zero-day vulnerabilities privately to the affected vendors by financially rewarding researchers, although there have been complaints from researchers that they didn’t feel they were taken seriously by the ZDI.

The next step

So, yes, it’s important to fix vulnerabilities ASAP, but why does it take so long sometimes before these fixes and patches get installed?

According to recent podcast guest Jess Dodson, the problem of patching isn’t just a problem of resources—time, staffing, funding—but also of mindset. For some organizations, refusing to patch almost brings with it a bizarre sense of pride, Dodson said.


Finally, even if you are not a Federal Civilian Executive Branch (FCEB) agency that needs to follow Binding Operational Directive 22-01, the CISA list known as the Known Exploited Vulnerabilities Catalog can act as a good guideline for your patch management strategy. This catalog provides FCEB agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by which the vulnerability needs to be patched in their organization.

The post The struggle to reduce bug-fixing time is real appeared first on Malwarebytes Labs.

Update now! Mozilla patches two actively exploited vulnerabilities

Mozilla has announced it has fixed security vulnerabilities in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0. Users should install the out-of-band security update as soon as possible, since it is designed to apply a fix for two vulnerabilities that are known to be exploited in the wild.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:

CVE-2022-26485

The vulnerability listed under CVE-2022-26485 can be triggered by removing an XSLT parameter during processing which could lead to an exploitable use-after-free.

In the Extensible Markup Language (XML) the <xsl:param> element is used to declare a local or global parameter. XML is a markup language much like HTML and XML was designed to store and transport data. The XSLT <xsl:param> and <xsl:with-param> elements allow you to pass parameters to a template.

Use-after-free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

CVE-2022-26486

The vulnerability listed under CVE-2022-26486 can be exploited by sending an unexpected message in the WebGPU IPC framework which in turn could lead to a use-after-free and exploitable sandbox escape.

WebGPU exposes an API for performing operations, such as rendering and computation, on a Graphics Processing Unit (GPU). Interprocess communication (IPC) refers specifically to the mechanisms an operating system provides to allow processes to manage shared data. WebGPU sees physical GPU hardware as GPUAdapters. It provides a connection which manages resources, and the device’s GPUQueues, which execute commands.

The idea of browser sandboxes is to shield the system from the malware attacking the browser. They do this by containing any malicious code that originates from visiting a website, in the sandbox part of the browser. As soon as the sandbox is closed, everything inside it is erased, including the malicious code.

So, the ability to escape the application’s security sandbox is valuable to an attacker as it can be chained with other vulnerabilities to take over the target system. Since these two vulnerabilities were reported by the same researchers, it seems highly likely they were used together in online attacks for exactly that purpose.

Critical

These vulnerabilities are rated critical, and that is very likely because they are being exploited in the wild. From the descriptions, we would deduce that these bugs are critical because they could allow a remote attacker to execute almost any command, including the downloading of malware to provide further access to the device. So, there are compelling reasons to apply this update as soon as possible.

Mitigation

The affected Mozilla products need to be updated to the versions listed below.

  • Firefox 97.0.2
  • Firefox ESR 91.6.1
  • Firefox for Android 97.3
  • Focus 97.3
  • Thunderbird 91.6.2

Under normal circumstances, updates will be applied without user intervention. You can check the version number in the products’ menu under Help > About.

Firefox Browser up to date

Should you not be using the latest version for some reason, e.g. automatic updates are disabled, then this screen will inform you that a new version is available and will start downloading it.

When it’s done, all you need to do is restart the application to apply the update.

restart to update

Stay safe, everyone!

The post Update now! Mozilla patches two actively exploited vulnerabilities appeared first on Malwarebytes Labs.

Beware of malware offering “Warm greetings from Saudi Aramco”

Recently, the Malwarebytes Threat Intelligence Team found a Formbook campaign targeting oil and gas companies. The campaign was delivered by a targeted email that contained two attachments: one a PDF file and the other an Excel document.

Formbook

The Formbook malware is an information stealer that is in use by many threat actors. Formbook has been around since 2016 and is readily available on dark web marketplaces.

The email

The email pretends to be from Saudi Aramco, a Saudi Arabian public petroleum and natural gas company, and one of the largest companies in the world by revenue. The email asks the receiver to provide an offer for refinery renovations that requires a swift response.

It read:

Dear Sir,

Warm Greetings From Saudi Aramco.

We request you to furnish your best, complete, exclusive and competitive techno-commercial offer to our esteemed company for the supply of below mentioned item(s) on or before 10-March-2022.

Your offer should conform to all the specifications (FIT, FORM and FUNCTION) mentioned in our requisition including the following information:

1. Manufacturer's Name and Country of Origin.
2. Latest Delivery Date and Shipment Terms.
3. Estimated Weight / Volume or Dimensions of the quoted item(s) / Final Package.
4. Cost of attestation of documents from chamber of commerce shall be borne by the Supplier.
5. Warranty Period.
6. Product Specifications / Data Sheet, Drawings, and Catalog (if available)
7. Payment Terms
8. Partial Order acceptable or not acceptable.
9. Offer Validity: 90 Days. 

END USER: SEC (Saudi Arabian Oil Company)
End Destination: Saudi Arabia

If you need any more information, please don't hesitate to contact us. 

Please acknowledge the email along with the attachment (download below) and confirm your willingness to quote

Best regards,
A screenshot of the email body

The attachments

The attached pdf file contained an embedded Excel object. The embedded object downloaded a remote template that exploits CVE-2017-11882 to download and execute the FormBook malware. This vulnerability exists in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 and allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory. If the current user is logged on with administrative user rights, this means an attacker could take control of the affected system.

The attached Excel document has the same functionality as the embedded Excel object in the PDF file.

IoCs for this campaign

Attachments

c421a4309d8fe9fa9bdfe1bde69ccce3

f260e184fb067d3b646af3574e901c05

da4fcf9512dbdf5fa8a6dc88a646100e

7f5da76f29cf8238ed1f944b1d0e587a

bb65278dd77988f8a7bad219b524384c

C2s

czuj.info

vzddc.com

habitatsaludable.website

modhotels.store

maxxflush.com
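As an added example of putting these IoCs to work (this is not code from the Malwarebytes post), the C program below matches the C2 domains above against DNS query log lines and the attachment MD5s against file hashes. The log format (timestamp, client IP, queried name) and the log lines themselves are constructed for the example; the indicator values are the ones listed above. Domain matching is case-insensitive and dot-boundary aware, so www.czuj.info is flagged while notczuj.info is not.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Indicators from the IoC list above. */
static const char *C2_DOMAINS[] = {
    "czuj.info", "vzddc.com", "habitatsaludable.website",
    "modhotels.store", "maxxflush.com"
};
static const char *ATTACHMENT_MD5[] = {
    "c421a4309d8fe9fa9bdfe1bde69ccce3", "f260e184fb067d3b646af3574e901c05",
    "da4fcf9512dbdf5fa8a6dc88a646100e", "7f5da76f29cf8238ed1f944b1d0e587a",
    "bb65278dd77988f8a7bad219b524384c"
};
#define N_C2  (sizeof C2_DOMAINS / sizeof C2_DOMAINS[0])
#define N_MD5 (sizeof ATTACHMENT_MD5 / sizeof ATTACHMENT_MD5[0])

/* Case-insensitive comparison of the first n bytes. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* 1 if host equals the indicator or is a subdomain of it (label boundary
 * respected), else 0. */
static int host_matches(const char *host, const char *ioc) {
    size_t hl = strlen(host), il = strlen(ioc);
    if (hl < il) return 0;
    if (!ieq_n(host + (hl - il), ioc, il)) return 0;
    return hl == il || host[hl - il - 1] == '.';
}

/* Index of the matching C2 domain, or -1. */
int match_c2(const char *host) {
    for (size_t i = 0; i < N_C2; i++)
        if (host_matches(host, C2_DOMAINS[i])) return (int)i;
    return -1;
}

/* 1 if the 32-hex-char MD5 is one of the listed attachments, else 0. */
int is_known_bad_md5(const char *hex) {
    if (strlen(hex) != 32) return 0;
    for (size_t i = 0; i < N_MD5; i++)
        if (ieq_n(hex, ATTACHMENT_MD5[i], 32)) return 1;
    return 0;
}

/* Constructed DNS log: "<timestamp> <client> <queried name>" per line. */
const char *SAMPLE_DNS_LOG =
    "2022-03-10T09:00:01Z 10.0.0.5 www.czuj.info\n"
    "2022-03-10T09:00:02Z 10.0.0.6 example.com\n"
    "2022-03-10T09:00:03Z 10.0.0.7 MAXXFLUSH.COM\n"
    "2022-03-10T09:00:04Z 10.0.0.8 notczuj.info\n";

/* Scans a log buffer line by line, prints an alert per hit, returns hit count. */
int scan_dns_log(const char *log) {
    int hits = 0;
    const char *p = log;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate over-long lines */
        memcpy(line, p, len);
        line[len] = '\0';

        char ts[64], client[64], query[128];
        if (sscanf(line, "%63s %63s %127s", ts, client, query) == 3) {
            int idx = match_c2(query);
            if (idx >= 0) {
                hits++;
                printf("ALERT %s %s queried %s (matches %s)\n",
                       ts, client, query, C2_DOMAINS[idx]);
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}

int main(void) {
    int n = scan_dns_log(SAMPLE_DNS_LOG);
    printf("%d C2 hit(s) in sample log\n", n);
    return 0;
}
```

The suffix check with a dot boundary matters more than it looks: a plain substring match on "czuj.info" would also fire on an unrelated registrable domain ending in those letters, and a plain equality match would miss the subdomains that malware frequently resolves.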

Malwarebytes

Malwarebytes users were protected against this campaign, because the Malwarebytes Anti-Exploit module blocked the execution of the malware.

MBAE block
Exploit blocked

Stay safe, everyone!

The post Beware of malware offering “Warm greetings from Saudi Aramco” appeared first on Malwarebytes Labs.