IT NEWS

As more services move ever cloud-wards, so too do thoughts by attackers as to how best exploit them. With all that juicy data sitting on someone else’s servers, it’s essential that they run a tight ship. You’re offloading some of your responsibility onto a third party, and sometimes things can go horribly wrong as a result. Whether it’s the third party being exploited, or something targeting the cloud users themselves, there’s a lot to think about.

We offered some thoughts in a recent article on potential cloud issues. Below are some other areas of concern which spring to mind. The linked article focuses on misconfiguration, phishing issues, limiting data share, and the ever-present Internet of Things. Below, we dig into a few of those. We also offer some additional opinions on where other attacks of interest may lie.

Cryptocurrency wallet attacks

Digital wallet phish attempts are rampant on social media, and we expect this to rise. People new to cryptocurrency often gravitate to services which take the hassle out of setting everything up. Third party-services which look after your private keys are known as custodial wallets. Private keys are important because they’re your digital keys to your Bitcoin kingdom.

You’re essentially giving the third-party full control of managing things for you. If the third party is compromised or exploited in some way, what happens to your stolen funds may take some time to resolve. You may well get it back, but you likely won’t be able to put any timeline to that process.

Some folks may feel the above process isn’t as secure as storing their cryptocurrency on standalone devices. So-called “cold wallets” are typically offline hardware devices, with no internet capability and the ability to manage only a few types of digital currency.

This is at odds with the “hot” custodial wallets which typically plug into many forms of currency, and provide various online services. It’s a bit like the difference between using an online, cloud based password manager run by a third-party company, or running a totally local password manager operated by you and you alone.

If something goes wrong with your cold wallet, should you lose it or have it stolen, nobody is coming to help. This is a lot of responsibility if you’re dealing with large amounts of currency. On the other hand, do you want to take the risk of plugging large amounts into something whose management is up to someone else?

Even if people avoid being phished, stealer malware which hunts for private keys and/or logins are becoming increasingly popular. Users may also run into trouble if something goes wrong at the organisation looking after their private keys. It’s an incredibly complex landscape fraught with problems, and this is why we’ll continue to see people hit by all manner of cryptocurrency scams for some time to come.

Ransomware supply chain triple-threat

Ransomware will continue to cause problems in supply chains and leverage so-called triple threat attacks. This is where multiple forms of pressure are placed upon the victim to convince them to pay up. This method of attack is sure to remain popular, becoming a viable alternative to “just” using double extortion tactics.

For example, demanding ransom with the threat of leaking data could be considered a double threat extortion. Meanwhile, attacks like BlackCat went all-in on triple-threats towards the end of 2021. BlackCat didn’t only demand a ransom under threat of data leaks; it also promised to fire up a DDoS (distributed denial of service) if the ransom wasn’t paid.

Targets who keep all files in the cloud only (no local or offsite backups) are great marks for blackmailers. Indeed, even where backups exist, they may not be as effective as they once were due to additional threats beyond a ransom payment. Sure, you won’t lose your data if you have backups, the attackers will say – but they’ll make sure a lot of it ends up on an underground forum somewhere regardless.

This is why it’s crucial to try and stop ransomware authors getting one foot in the door in the first place. Training staff not to open attachments from untrusted senders, keeping security updates up to date, and reducing services needlessly visible online can all help with this.

The Metaverse

We expect to see various forms of harassment increase in virtual worlds as more people jump on the Metaverse bandwagon, with security and safety settings playing catch up. 

The possibility exists for rogue advert manipulation and phishing should Meta decide to push ahead with virtual ad placement. There are also issues with augmented reality privacy concerns, data breaches, and photo realistic representations of your living space for all to see. All this, before we even touch on the very big problem of harassment in virtual spaces. Placing virtual bubbles around users so others can’t digitally grope them is just one sorely needed tool to help combat harassers, but more needs to be done.

Cloud services which reduce VR processing strain on user’s machines could also become popular targets, especially where gaming is concerned. With more slices of the gaming pie being offloaded away from the user’s machine, it’s only natural to think they may take a hit.

As we’re seeing, it’s not only game developers at risk from being targeted. With hardware shortages generally making it more difficult to get hold of graphics cards and chips, subscription cloud services are viewed as an important alternative. Becoming a crucial tool in the battle against lack of components will mean they catch the eye of people with bad intentions. 

Misconfigured services

We finish off with that constant thorn in the side of the cloud: basic errors which consistently lead to security woes.

Every year organisations fail to secure their cloud services and data is leaked, exposed, and scraped by third parties. Even apps aren’t free of cloud risks, with tools designed to monitor children’s online use accidentally exposing user IDs, plaintext passwords, and more thanks to missing security measures.

Exposed data can lurk for months without discovery. It can also be used for blackmail and profit, and once it’s online there’s no going back. People often talk about “leaky buckets” in relation to misconfigured services. They’re called buckets because they hold your data; unfortunately those leaks don’t stand a chance of being fully plugged anytime soon.

Whether your area of interest is IOT, ransomware, or even the Metaverse, it’s well worth digging into some of these topics and keeping one eye on the news. Whether you’re involved with the cloud at home or in the workplace, bad actors are figuring out ways to cause trouble – but that doesn’t mean we have to let them.

The post Clouding the issue: what cloud threats lie in wait in 2022? appeared first on Malwarebytes Labs.

Researchers have found that the Gh0stCringe RAT is infecting Microsoft SQL and MySQL, and seems to focus on servers with weak protection. The Gh0stCringe RAT communicates with a command and control (C&C) server to receive instructions and is capable of exfiltrating information.  

SQL

SQL is short for Structured Query Language and usually pronounced as “sequel.” SQL is a standard language used to query and change the content of databases. It was originally designed to perform business analyses. But with the implementation of product-specific application programming interfaces (API) and the growth of online applications, it quickly became more widely used.

Gh0stCringe

Gh0stCringe, also known as CirenegRAT, is a malware variant based on the code of Gh0st RAT. The Gh0st RAT source code was publicly released, so we’ve seen quite a lot of malware based on this code. Remote Access Trojans (RATs) are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim system.

Gh0stCringe RAT is a RAT malware that connects to a C&C server and performs various malicious actions after receiving commands from the attacker. The attacker can designate various settings to Gh0stCringe just like other RAT malware. One of those options the Gh0stCringe RAT provides is a keylogger. Keylogging enables the threat actor to steal login credentials and other sensitive information.

For a full technical analysis we would like to refer you to the researchers’ post.

Security

According to the researchers, the threat actors behind Gh0stCringe are targeting poorly secured database servers with weak account credentials and no oversight. On the infected servers they found evidence of previous infection by miners usually distributed through brute force attacks.

Security of SQL Server environments is considered to be among database administrators’ prime responsibilities. It is up to each database administrator to configure security features, or use additional security measures as needed, to address the security and compliance requirements of their data and applications.

Microsoft SQL Server provides several built in features that enable security, including encrypted communication over SSL/TLS, the Windows Data Protection API used to encrypt data at rest, authentication and authorization.

MySQL provides robust data security to protect data including secure connections, authentication services, fine-grained authorization and controls, and data encryption.

The problem is that there are a few very different security issues to be considered when it comes to an internet-facing SQL server. Administrators have to implement security to protect their system(s) against SQL database vulnerabilities, SQL injection attacks, and brute-forcing SQL credentials on top of every other security measure that applies to such servers.

How to avoid RATs

There are some basic actions that can be taken to lessen the chance of RATs and miners making use of your SQL servers.

• Use a strong password policy, keeping in mind the importance of the server and the data on it.
• Apply patches in a timely manner and keep the number of applications, which all need to be patched, to a minimum.
• Actively manage the user accounts that have access, and their privileges.
• Use monitoring and logging to keep an eye on what is going on.

There are some tell tale signs that could give away the presence of the Gh0stCringe RAT. The method of keylogging it uses is know to cause high CPU-usage. And below are some IOCs.

IOCs

Filename:

• mcsql.exe

C&C servers:

• tuwu.meibu.net
• 172.86.127.224

MD5:

• bd8611002e01d4f9911e85624d431eb0
• 9adc9644a1956dee23c63221951dd192
• 782cbc8660ff9e94e584adfcbc4cb961

Stay safe, everyone!

The post Gh0stCringe RAT makes database servers squeal for protection appeared first on Malwarebytes Labs.

Valorant, the popular free-to-play team based shooter, is attracting the attention of scammers. It’s reported that a malware distribution campaign is leveraging YouTube to push infection files. The campaign distributes a file known for password theft, and hunts for those passwords in browsers, cookies, a variety of cryptocurrency wallets, VPN clients, and many more besides. It then zips the stolen data and sends it via a Discord webhook (a method for sending updates to Discord channels).

When history repeats itself

As mentioned by Bleeping Computer, using YouTube in this way is not a new tactic. It’s a quick, easy way to try and make malicious off-site links go viral.

How do they convince people to run the infection file? They tell people to download a file and run it with security software switched off. They then disable the comments to avoid awkward questions, or leave them on and fill with scammer-controlled spam saying how good the file is. Then they ruthlessly delete all the other replies posting warnings.

This is the basis of a basic YouTube scam. We note that some of the above techniques are being used in the malware distribution campaign referenced.

What is the bait being used?

Cheats will cheat for many reasons in a video game, especially if it’s competitive. Why spend hours practising the game to meet your cheat-laden objectives if you can just cheat some more? Aim-bots have been a plague in the shooter landscape for many years, and there’s no shortage of fakes alongside the genuine articles.

At the most basic level, aim-bots will help you target other players more easily. They may include wall-hacks, rapid fire, radar interference, the sky’s the limit. Online titles frequently include several forms of anti-cheat to detect hacks and (potentially) contribute toward a ban. As a result, top-tier cheat tools which try and bypass the detection on offer can fetch a pretty price.

An aim-bot or other cheat tool offered up for free on YouTube sounds too good to be true, and that’s precisely because it is indeed too good to be true. Although the example from the article leads to a sharing site called “Anonfiles”, a lot of the time more well-known file sharing portals are used. There may well be an advert or survey to click through on those sites too, which means potential extra revenue.

Finally, many scams of this nature use URL shortening services. This helps to hide the real landing page from casual observers, adds another layer of familiarity (“Oh, it’s Bit.ly”), and may also give the malware authors detailed clickthrough statistics.

How to avoid being caught by these scams

We may have touched on a few of these above, but even so, they’re worth repeating.

• Do not, under any circumstances, switch off your security protection. There’s no reason to do this when installing games in almost any situation I can think of. It’s pretty rare these days to run into an issue where a legitimate game file is prevented from performing a task by security software. I think that’s happened to me perhaps twice in something like 10 years, and I install a lot of games on PC.
• Check out the comments. Are they all strangely positive? Do they all claim the thing being offered worked like a charm with no problems whatsoever? Are the accounts brand new, or old accounts which seem to have only recently taken an interest in cheating? Alternatively, are the comments simply switched off? Both of these can be massive red flags when dealing with game cheat files.
• What other content is the account promoting cheat software pushing? Is it a bunch of identical cheat videos with a few bits of text switched around? Surveys? Millions of free [insert game currency here] points via some sort of website-based generator tool? These are all signs that something is most definitely not right.
• Finally: even if the source is entirely legitimate and the supposed cheat tool does in fact work? You’re playing with fire. Game cheats are routinely banned in huge numbers for all sorts of reasons. Steam, Epic store, PlayStation network, it doesn’t matter. Valorant has its own anti-cheat system and it’s quite unlikely you’re going to find a YouTube freebie which gets around it.

Do the sensible thing and give game cheating tools a very wide berth. It’s simply not worth risking your gaming accounts being stolen, or your account being banned, or a horrible combination of both.

The post Valorant cheats on YouTube are actually information-stealing malware appeared first on Malwarebytes Labs.

The US Federal Trade Commission (FTC) has announced that it took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach.

CafePress is a popular online custom T-shirt and merchandise retailer. According to Samuel Levine, Director of the FTC’s Bureau of Consumer Protection:

“CafePress employed careless security practices and concealed multiple breaches from consumers.”

CafePress waited seven months to publicly disclose a 2019 breach, and only did so after it had been reported in the news.

The FTC complaint also takes issue with the way CafePress handled customer information, saying that CafePress “misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.” This is considered an unfair and deceptive practice under Section 5 of the FTC Act.

The breach

In February 2019, a threat actor was able to access millions of email addresses and passwords. According to the complaint by the FTC this was made possible because CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network.

The passwords are said to have been protected by “weak encryption”, an absolute security no-no. Passwords that are secured using a properly configured password hashing function—such as bcrypt or scrypt—take so long to crack that they are essentially useless to attackers, even if they are leaked.

Leaked email addresses and passwords are a serious problem because many people re-use their passwords across multiple websites and services. Cybercriminals know this and will try stolen usernames and passwords in as many different places as they can—a practice known as credential stuffing.

The threat actor also captured millions of unencrypted names, physical addresses, and security questions and answers. As well as over 180,000 unencrypted Social Security Numbers (SSNs), along with tens of thousands of partial payment card numbers (last 4 digits) and expiration dates. A treasure trove for social engineers.

Informing customers

Despite warnings from several sides, including a foreign government, CafePress decided not to inform its customers, but instead only told customers to reset their passwords as part of an update to its password policy. CafePress apparently patched the vulnerability the cybercriminals made use of, but failed to properly investigate the breach for several months despite additional warnings.

Data from the breach eventually ended up in Troy Hunt’s HaveIBeenPwnd (HIBP) database, which tipped off journalists. It wasn’t until news of the breach was reported in the press that CafePress actually informed its customers.

Lax security

In the complaint the FTC mentions several cases of bad security practices, before and after the breach. According to the FTC, CafePress…

• Failed to investigate the source of several malware infections that occurred on its network prior to the 2019 attack.
• Failed to implement reasonable security measures to protect the sensitive information of buyers and sellers.
• Stored SSNs and password reset answers in clear text, alongside millions of unencrypted names and physical addresses.
• Retained customers’ data longer than was necessary.
• Failed to apply readily available protections against well-known threats and to adequately respond to security incidents.
• Continued to allow people to reset their passwords by answering security questions known to the attackers.

As a result of its lax security practices, it should not come as a surprise that CafePress’ network was breached multiple times.

Proposed settlement

As part of the proposed settlement, Residual Pumpkin and PlanetArt (the previous and current owners of CafePress) will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures—such as security questions—with multi-factor authentication methods, minimizing the amount of data it collects and retains, and encrypting SSNs.

PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third-party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

In addition, Residual Pumpkin will have to make a $500,000 payment to data breach victims, the FTC said in the statement. CafePress has already settled with seven US states as a result of this data breach.

Reusing passwords

We have warned users often against reusing passwords across different services. This case is a prime example that shows why this is important. Users were left in the dark about their compromised passwords for several months. This gave the criminals behind the breach plenty of time to perform credential stuffing attacks on other services.

Since shopping services usually store credit card details and people’s home addresses alongside login credentials, there is no reason to treat these accounts as if they have a lower security priority. On the contrary, it could turn out to be a costly mistake. Use a password manager to make it easier to create and use strong, unique passwords for each service you use.

Lessons for web shops

What can web shops do to avoid becoming the next CafePress?

• In the long run, the chance you can keep a breach secret is slim to none.
• Deploy strong policies and controls and inform the public about them on your website.
• Disclose breaches to your customers early, with as much detail as you can. This will reduce the damage to them, and to your brand, and reduce the chance of being fined.
• Utilize best practices such as strong password hashing and rate limiting password attempts.
• Encourage customers to use Multi-factor Authentication (MFA).

Keep your customers safe and happy and they will come back.

Stay safe, everyone!

The post CafePress faces $500,000 fine for data breach cover up appeared first on Malwarebytes Labs.

Every so often, fines hit the news as a result of phone/communication spam. Much of it targets older members of society. Sometimes folks say these calls are “just” irritants and nothing to particularly worry about. But it can be really serious, resulting in big chunks of people’s savings being wiped out.

Now, five companies have been fined a grand total of £405,000 for such practices—with the potential for more to come.

Listing all the possibilities

Several companies have had these fines issued for collectively making huge numbers of calls to people registered to the TPS (Telephone Preference Service).

The TPS is the equivalent of a “do not call” service and is the UK’s sole register for this purpose. People who sign up their mobile and/or landline numbers are placed into the TPS register and are opted out of receiving any and all unsolicited calls. Supposedly.

However, one organisation alone made 229,483 unwanted calls to people on the TPS service over the course of around seven months. They were hit with a £100,000 fine. Another made 412,556 calls to people on the TPS service over a period of around eight months. For this, they received a fine totalling £110,000.

The ICO (Information Commissioner’s Office), which ensures that UK organisations do the right thing where data protection and communications are concerned, suspects that at least some of the companies involved were sharing information on their cold-call targets.

The calls themselves asked for personal information of people aged 60 and over who owned their own homes and possessed landline numbers. This primarily seems to have tied back to insurance services for household products, and complaints allege the calls to have been both “threatening and coercive”. That they did this to people who may have felt less comfortable dealing with confrontation over the phone is particularly awful.

So what’s the point in the TPS?

Crucially, it’s a legal requirement that companies do not call people on the TPS register without their consent. The aim is to significantly reduce live (not automated) cold-calling, and businesses are supposed to check their call lists against the TPS register every 28 days.

Where this goes wrong for potentially unsuspecting cold-callers is that TPS contacts the callers over every complaint made, and these complaints are also fed back to the ICO. You can imagine how seriously the ICO took hundreds of thousands of complaints lighting up against the same organisations on a daily basis.

Mistakes can happen; according to the TPS site, legislation allows companies a maximum of 28 days to update their lists of who to call (and not call). Despite this, nobody is making simple mistakes hundreds of thousands of times.

Avoiding nuisance calls

As far as this story is concerned, the primary tactic to avoid nuisance calls is to sign up to the TPS list. You can also make use of additional services from your network providers in terms of blocking spam or even automated calling when possible. Some mobile operators will, for example, tell you if a number calling is suspect. Keep in mind that these may or may not be paid services.

Cold-call campaigns may make use of data from third-parties, or even scraped from various sources without permission. If an organisation has their database stolen or scraped, there isn’t a lot you can do about that. However, you can try to limit your exposure.

You could use forwarding numbers for services you sign up to, which helps shield your real number. If you sign up for something make sure the right tick boxes are checked (or unchecked!) to prevent someone sharing your details or contacting you.

Combining these tactics should stand you in good stead for keeping pesky cold-callers at bay.

The post “Threatening and coercive” cold-callers who targeted the elderly hit with big fines appeared first on Malwarebytes Labs.

Royal Mail scams are always popular techniques for people up to no good. We’ve covered them several times over the last year or so. A quick reminder:

Your parcel is waiting for delivery

This is the go-to tactic for fake Royal Mail phishing attacks. You receive a text claiming there’s a parcel in your name, waiting for collection. The SMS contains a link to a fake Royal Mail website. There, you’re asked to pay a small charge for “settlement”. Once payment details are entered, they’re in the hands of the scammer. With your payment details, they can take litterally everything.

Something frequently overlooked is the impact wrought on people by these attacks. It isn’t “just” a throwaway phish. Like any bogus website asking for payment information, it can have a severe impact on people who’ve handed over their card details. Losing all your money, and access to payment methods, during times where people are essentially trapped indoors is plumbing the depths of awfulness.

Avoiding analysis

We’ve seen evidence of otherwise standard Royal Mail phishing sites attempting to evade detection and analysis. They do this by borrowing techniques from malware trying to avoid inspection in virtual machines. Anything from forms of rendering associated with VMs to causing issues in anonymising browsers such as TOR will do the job. They really don’t want people interfering with this particular money stream.

This is what they’ve been up to over the last year or so. We haven’t really seen any major developments in fake Royal Mail land for a while. This may be about to change, however. Step up to the plate, Which? Magazine.

A new year brings new tactics

Which? brings word of a new round of bogus messages. So far, so much business as usual although it mentions these messages are arriving via email rather than SMS. This doesn’t mean fake SMS messages are AWOL this time around, but email seems to be the focus here. People clicking links in the email are taken to a website which now seems to be offline. It’s also not stored in any search engine caches or the Internet Archive, so all we have to go on is video footage.

Here’s what happens (well, happened) while people visited the site in question:

Visitors are greeted by a “chatbot”, talking to them directly about a missing parcel. The chatbot cycles through some text, claiming the parcel is damaged in some way. It reads as follows:

Hello, welcome to the interactive parcel management system. I’m your virtual guide Suzy and I’ll be helping you today. Please confirm that this is your tracking number: [tracking number]. We have a parcel with you as a recipient, but the label was damaged—attached is a picture of your parcel.

It then asks if they should “deliver this parcel to a private or business address”. Once a reply is given, it then goes on to say:

Thank you, in order to deliver your parcel, we need to get your details, as we currently only have your name and phone number / email address on record. The rest of the label is not readable. I will direct you to a form where you can fill in your delivery details. As the details of the sender also are not readable on the label, we have to charge you for the manual handling of the package, as we cannot bill it back to an unknown sender. Since you used this automated flow, the price will be less than $3

You’ll note a potentially glaring error in that the “chatbot” that’s supposed to be part of the UK postal service, the Royal Mail, mentions dollars rather than UK pounds. This may well have tipped a few people off that what they were dealing with isn’t genuine.

From Royal Mail chatbots to…something completely unexpected

If the person in front of the screen clicks the schedule delivery and pay button, they’re taken to a distinctly non-Royal-Mail-looking website. It appears to be a sign-up form to get your hands on a “new iPhone 12”. There’s also a sign-up for a monthly rolling subscription, at a cost of £59 every 30 days.

Essentially, the scammers came up with an idea for an evolving Royal Mail phish—AI chatbots—and then inexplicably undermined themselves with a completely unrelated landing page promoting mobile phone competitions. You’d hope this would lower the chances of people signing up, but you never know.

As for the chatbot itself, there’s no way to know for sure how it operated. It may be like one of those pornography chatbots on spam sites which run through the same handful of replies no matter what you type. Perhaps it was coded to detect a handful of different responses. It might even have been the scammer themselves, for that added splash of interactivity.

The site sporting the competition itself informed Which? magazine that an affiliate is responsible for this one and they’ve refunded 3 people who fell for it. Hopefully this low number does indeed indicate that starting off with a Royal Mail delivery and ending with mobile phones is a bridge too far. This is definitely a better end result than if the landing page was a carefully crafted Royal Mail fakeout, so it’s possible we’ve all scored a lucky break here.

As with all these scams: Should you find a mysterious text or mail telling you a parcel is waiting, contact your local Royal Mail depot. Sites asking for delivery fees should be viewed with skepticism, and that goes double for offers of a distinctly non-postal variety.

The post Fake Royal Mail chatbot offers up…a new iPhone? appeared first on Malwarebytes Labs.

Aberebot, a known Android banking Trojan, has changed its name and returned loaded with new features. First spotted by @MalwareHunterTeam in early March, this mobile variant was renamed “Escobar”—a homage to the Colombian drug baron—and disguised itself as a McAfee app. It went by the package name of com.escobar.pablo and the application name of “McAfee”.

BleepingComputer found a post on a Russian-speaking hacking forum that says Escobar’s creators are renting the beta version of the malware for $3,000 a month and plan to increase it to $5,000 once development is finished:

Hello dear {redacted}. I came to this group with an advice and recommendation of a friend. I am an Android malware developer and I want to start renting my private Android banking bot here. The bot is still in BETA version and it is possible to encounter errors and bugs so for this month I will rent the bot to maximum 5 customers.

This new Aberebot variant widens its information-stealing capabilities by accessing features built-in to smartphones to get as much information as it can, to take complete control of victim accounts, empty accounts, and perform unauthorized transactions.

Among the 25 permissions it asks from users, it abuses 15, enabling the malware to (among other things) record audio, read and send SMS messages, take screenshots, uninstall apps, get the precise location of device, and download media files from victims’ devices.

Escobar can steal Google Authenticator multi-factor authentication (MFA) codes, SMS call logs, key logs, and notifications, which it sends to its C2 server.

Lastly, Escobar gives device control to affiliate malware distributors using VNC Viewer, a screen-sharing tool with remote control features. Once the phone is unattended, threat actors can, essentially, do what they want with the device.

Cyble, the cybersecurity company that wrote extensively about Aberebot and Escobar, asserts that highly sophisticated malware like Escobar can only be distributed from sources outside the Google Play Store.

Google Play is far from perfect, but the best way to minimize the chance of becoming infected with Escobar is to stick to downloading apps from there. Android users should also enable Google Play Protect on their device, and use a mobile security solution.

Malwarebytes users are already protected from Escobar. We detect it as Android/Trojan.BankBot.Esco.c.

Stay safe!

The post Escobar is the new Android banking Trojan we’ve met before appeared first on Malwarebytes Labs.

Apple has released patches for macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4. In these security updates, released on March 14, 2022, Apple tackles 39 vulnerabilities, several of which could allow an attacker to execute arbitrary code on an affected device.

One of the vulnerabilities can be exploited by having the victim open a crafted PDF file, and a few just require the victim to visit an specially crafted website.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that jumped out at us.

Accelerate Framework

CVE-2022-22633

Opening a maliciously crafted PDF file can lead to arbitrary code execution. The vulnerability exists due to a boundary error when processing PDF files within Accelerate Framework. The vulnerability was caused by a memory corruption issue, that was addressed with improved state management.

An attacker would need to trick the victim into opening their PDF file. Anything that can be triggered just by a victim opening a file that can be sent as an attachment is of great value to cybercriminals. In a “spray and pray” attack there is a reasonable chance of success. This might also be useful to attackers performing a targeted attack on an individual.

AppleAVD

CVE-2022-22666

Processing a maliciously crafted image may lead to heap corruption. AppleAVD is a decoder that handles certain media files. The vulnerability exists due to a memory corruption issue, that was addressed with improved validation. Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

AVEVideoEncoder

The AVEVideoEncoder is a component that is used when creating video files. This round there were three vulnerabilities fixed in this component.

CVE-2022-22634

A malicious application may be able to execute arbitrary code with kernel privileges. The vulnerability exists due to a buffer overflow, that was addressed with improved bounds checking. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

CVE-2022-22635

An application may be able to gain elevated privileges. The vulnerability exists due to an out-of-bounds write issue, that was addressed with improved bounds checking. If a flaw in a program allows it to read or write outside of the bounds set for the program, it is possible to manipulate other parts of the memory which are allocated to more critical functions. This can allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

CVE-2022-22636

An application may be able to execute arbitrary code with kernel privileges. Another out-of-bounds write issue, that was addressed with improved bounds checking.

GPU Drivers

CVE-2022-22667

An application may be able to execute arbitrary code with kernel privileges. This vulnerability exists due to a use after free issue, that was addressed with improved memory management. An attacker would need authenticated access to exploit this vulnerability. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

ImageIO

The Image I/O framework allows applications to read and write most image file formats. Two vulnerabilities were fixed during this round.

CVE-2022-22611

Processing a maliciously crafted image may lead to arbitrary code execution. This vulnerability exists due to an out-of-bounds read, that was addressed with improved input validation. An out-of-bounds read means that the software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. But it can also allow an attacker to run any commands or code in the target process.

CVE-2022-22612

Processing a maliciously crafted image may lead to heap corruption. This vulnerability exists due to a memory consumption issue, that was addressed with improved memory handling. The heap is the name for a region of a process’ memory which is used to store dynamic variables.

The usuaul suspects

Besides these specific CVEs there were vulnerabilities found in what we would call the usual suspects. The kernel and WebKit are both very important components of Apple’s operating systems. Not only because everyone uses them, but also because they are attractive targets for attackers.

Kernel

The kernel is a core component of any operating system and serves as the main interface between the computer’s physical hardware and the processes running on it. As such, the kernel is responsible for low-level tasks such as disk management, memory management, task management, etc.

Seven vulnerabilities were fixed during this round. Most of them cause an application to be able to execute arbitrary code with kernel privileges. Something you really don’t want to happen. Running arbitrary code with kernel privileges means that an attacker basically owns your system.

WebKit

WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux. Six vulnerabilities in WebKit were fixed this round. Most of them have the worrying description of processing maliciously crafted web content may lead to arbitrary code execution. What that means is that all an attacker has to do is lure a victim to their malicious site.

As far as we are aware none of these vulnerabilities are used in the wild, which doesn’t mean that they won’t be in the future. So, our advice, as always, is to get the updates at your earliest convenience.

Stay safe, everyone!

The post Update now! Apple fixes several serious vulnerabilities in iOS and macOS appeared first on Malwarebytes Labs.

Several government websites in Israel—those using the .gov.il domain—were inaccessible after a distributed denial of service (DDoS) attack hit Israel’s telecommunication provider, Cellcom. NetBlocks, a network disruption watchdog, initially detected “a significant disruption” aimed at the provider, which appeared to have also affected another provider, Bezeq, before the Israeli National Cyber Directorate confirmed the cyberattack in a tweet.

According to Haaretz, an Israeli newspaper, websites of the health, interior, justice, and welfare ministries were taken offline. The website of the Office of the Prime Minister was also affected. The newspaper’s source is also quoted saying that the incident was “the largest-ever cyberattack carried out against Israel.”

Ram Levi, CEO of Konfidas, a cybersecurity consulting firm, told Jerusalem Post that the cyberattack started at 6:15 PM and ended at 7:30 PM, declaring Tehran hackers behind the attack.

However, Mike Sexton, a cyber and Middle East policy expert, called the attack “unsophisticated, but something that nonetheless requires significant resources.”

“Israel and Iran have recently been engaged in a low-level cyber tit-for-tat, so Iran is an obvious source to attribute, but we should not jump to conclusions,” Sexton told The National, “Iran possesses much more sophisticated capabilities, so I think it would be unusual for them to use this sort of primitive attack.

Sexton also asserted that this cyberattack is likely linked to the crisis in Ukraine, given that Israel has just joined other countries in sanctioning Russia after remaining neutral. “This kind of attack is very characteristic of Russian patriotic hackers. We saw them use this same kind of attack against the Estonian government in 2006,” he said.

The post DDoS barrage against Israel described as the “largest ever” cyberattack its faced appeared first on Malwarebytes Labs.

As we wrote on March 3, 2022 Nvidia, was recently attacked by the LAPSUS$ ransomware group. The ensuing data leak included two of NVIDIA’s code signing certificates. Those certificates are now being used to sign malware.

Leaked signing certificates from major vendors like Nvidia come with huge security implications. And the fact that the certificates have expired does not lessen the burden much.

A code signing certificate is used to authenticate the identity of a software developer or publisher, and it provides cryptographic assurance that a signed piece of software has not been altered or tampered with. Signing certificates are considered trustworthy because they are cryptographically signed by a Certificate Authority (CA). This creates a “chain of trust” between a signature on a piece of software and a CA—like DigiCert or Let’s Encrypt—that operating systems trust.

Code signing is used by Windows and macOS to ensure that users only run software from trusted sources. This is a powerful security feature, provided that code signing certificates are kept out of the hands of cybercriminals.

Leaked Nvidia certificates

The data the LAPSUS$ group stole from Nvidia contained two code signing certificates. As is often the case in ransomware attacks, the exfiltrated data was published on a leak site. From there, any cybercriminal that wanted to could grab the certificates and use them to sign their malware.

The two leaked Nvidia certificates have expired, being valid from 2011 to 2014 and 2015 to 2018. But, Windows will accept expired certificates for drivers, which makes the leaked certificates very useful to cybercriminals.

So useful, in fact, that the first malware samples signed with these certificates started to show up only one day after they were leaked.

Expired certificates

A compromised certificate can only be revoked by its CA. CAs maintain Certificate Revocation Lists (CRLs) which—as the name implies—list certificates that have been revoked. But certificates only get revoked if they are compromised before their expiration date.

Unless a system knows that a certificate has been revoked or suspended, the system will continue to trust that certificate.

Microsoft has always made an exception for signed drivers, so that drivers don’t brick a system just because the certificate that signed them has expired. To prevent these drivers from getting loaded, it requires that the certificates are added to the CRL. Then your system needs to be made aware of the revocation. Which basically means they get added to the “Untrusted Certificates” after a Windows update. Microsoft may be reluctant to do this because doing so could block legitimate Nvidia drivers.

But until then, malware can get loaded as a driver that’s been signed with these leaked certificates.

Mitigation

There are some additional protection mechanisms that can protect you from malicious signed drivers.

• Normally, users running a system protected by Secure Boot would be protected because Secure Boot does not allow certificates without a time-stamp. Unfortunately an exception was made for certificates that were created before July 29, 2015. And both of the leaked certificates were created before that date. One of them just barely (by two days).

• The signing certificates do not stop anti-malware solutions from recognizing the malware.

Should you decide to update your Nvidia drivers, make sure to get them from the Nvidia download site and check the installer before you run it, to see that the driver’s certificate is still valid and not expired or revoked. To check, right click and select Properties, look at the Digital Signatures tab and select the Nvidia signature > click on the Details button > on the General tab click on View Certificate > then look at the Details tab for the Valid to date.

For system administrators, David Weston, Vice President of OS Security and Enterprise at Microsoft, has tweeted some guidance on how you can configure Windows Defender Application Control policies to control which Nvidia drivers can be loaded.

If you want to check if any of the leaked certificates are on your systems, the serial numbers of the leaked certificates are:

43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518

There is also a Yara rule to be found on GitHub that can be used by security teams to search for files signed with these certificates in their environments.

Stay safe, everyone!

The post Stolen Nvidia certificates used to sign malware—here’s what to do appeared first on Malwarebytes Labs.