IT NEWS

Double header: IsaacWiper and CaddyWiper

As war in Ukraine rages, new destructive malware continues to be discovered. In this short blog post, we will review IsaacWiper and CaddyWiper, two new wipers that do not have much in common based on their source code, but with the same intent of destroying targeted Ukrainian computer systems.

IsaacWiper

IsaacWiper was one of the artifacts security company ESET reported to be targeting Ukraine. Other artifacts were named as HermeticWiper (wiper), HermeticWizard (spreader) and HermeticRansom (ransomware). IsaacWiper is far less advanced than HermeticWiper, the first wiper that was found which we analyzed here.

IsaacWiper is made of an executable, compiled with Visual Studio. The executable imports functions such as DeviceIoControl, WriteFile, MoveFile, GetDiskFreeSpaceEx and FindNextFileW. Although each of these functions is legitimate, the combination of all these imports could be suspicious. Section analysis, on the other hand, is perfectly normal: no strange segments are found, and entropy has the expected values:

[Figure 1]

The sample is presented in DLL form with just one export, named _Start@4, which contains the main functionality of the malware:

[Figure 2]

The malware will iterate through all system disks, overwriting the first bytes of these disks:

[Figure 3]

The following chunk shows an extract of the code responsible for that behavior. It also shows how the volume is unlocked after the write operations:

[Figure 4]

We have found that not only the physical drive (PhysicalDrive) but also its partitions are wiped in the process. The wiper then iterates through the filesystem, enumerating files and overwriting them. This behavior is similar to ransomware activity, but in this case there is no decryption key: once the data has been overwritten, it is lost:
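The overwrite of a disk's first bytes described above can be checked for from the defender's side by parsing what those 512 bytes should contain. The following Python is an added example, not code from the original post or from Malwarebytes: it parses a classic MBR (boot code, four 16-byte partition entries, the 0x55AA signature), reports whether the sector still carries a usable partition table, and names the regions that differ from a known-good baseline. The sample sector is constructed inline; reading a real disk (for example \\.\PhysicalDrive0 on Windows) needs administrative rights and is left to the caller.

```python
import struct
from dataclasses import dataclass

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int      # e.g. 0x07 NTFS/exFAT, 0xEE protective MBR on GPT disks
    first_lba: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte sector as a classic MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        status, type_id = entry[0], entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if type_id == 0 and count == 0:
            continue  # unused slot
        partitions.append(PartitionEntry(status == 0x80, type_id, first_lba, count))
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "boot_code_zeroed": not any(sector[:PARTITION_TABLE_OFFSET]),
    }


def mbr_looks_wiped(sector: bytes) -> bool:
    """True when the sector no longer carries a usable partition table."""
    info = parse_mbr(sector)
    return not info["signature_ok"] or not info["partitions"]


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Name the regions that differ from a known-good copy of the sector."""
    regions = {"boot_code": (0, 446), "partition_table": (446, 510), "signature": (510, 512)}
    return [name for name, (lo, hi) in regions.items() if baseline[lo:hi] != current[lo:hi]]


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS partition at LBA 2048, 1,000,000 sectors long."""
    sector = bytearray(MBR_SIZE)
    sector[:PARTITION_TABLE_OFFSET] = b"\x90" * PARTITION_TABLE_OFFSET  # stand-in boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    print(parse_mbr(good))
    print("zeroed sector wiped:", mbr_looks_wiped(bytes(MBR_SIZE)))
    damaged = bytearray(good)
    damaged[:64] = bytes(64)
    print("changed regions:", diff_mbr(good, bytes(damaged)))
```

GPT-partitioned disks still carry a protective MBR (a single 0xEE entry), so the same parser applies to them; a fully zeroed sector fails both the signature and the partition-count check, while a partial overwrite of the boot code alone only shows up in the baseline diff.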

[Figure 5]

The attackers left various log strings in the code. An example of one of these debug strings, referenced inline, is presented below:

[Figure 6]

In fact, these debug strings describe pretty well the malware functionality. All debug strings are presented below:

[Figure 7]

As can be seen, the attackers’ goal is to destroy data on victims’ systems. Affected users will lose their files, and their computers will be unbootable, forcing them to reinstall the OS.

CaddyWiper

CaddyWiper is the third wiper (after HermeticWiper and IsaacWiper) observed in this year’s attacks on Ukraine. In contrast to HermeticWiper, this one is very small and has less complex capabilities.

The sample is not signed and its compilation date is: 14 March 2022 07:19:36 UTC. The executable is dedicated to destroying files and partition information for each available disk.

The main function of the wiper can be seen below:

[Figure 8]

First, the wiper checks if it is running on the Primary Domain Controller. The malware will avoid trashing Domain Controllers, probably because it wants to keep them alive for the purpose of propagation.

If the current machine is not a Domain Controller, the wiping starts. It recursively wipes files in the C:\Users directory. Then it iterates over the available hard disks, starting from “D:”, and recursively wipes all the files it can access.

The wiping is done in the following way:

[Figure 9]

It tries to grant access to the files before writing:

[Figure 10]

All the files/directories are enumerated by well-known APIs: FindFirstFileA/FindNextFileA. If the found element is a directory, the function is called recursively. And if it is a file, a new buffer filled with 0s is allocated, and the file content is overwritten with it. The buffer is limited to 10 Mb max, so if the file is bigger than this, only the beginning of it will be wiped.

Interestingly, this enumeration starts from the drive letter D (treating C as a separate case), so if there are any disks mounted as A or B, they are skipped. Finally, the malware wipes the layout information of the available disks/partitions:

[Figure 11]

It starts from \\.\PHYSICALDRIVE9 and at each iteration decrements the number by one.

The wiping of the partition layout is implemented via an IOCTL sent to the drive device, IOCTL_DISK_SET_DRIVE_LAYOUT_EX. The malware sets an empty buffer as the new layout.
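Both behaviours described in this section, the recursive overwrite of files under C:\Users and the other drives, and the IOCTL_DISK_SET_DRIVE_LAYOUT_EX call against \\.\PhysicalDriveN, leave a telemetry trail that endpoint monitoring can alert on. The Python below is an added example written from a detection point of view, not code from the original post or from Malwarebytes; the event records, process images, PIDs, timestamps and the disk-tool allowlist are constructed for illustration and follow no vendor's real schema.

```python
import re
from collections import defaultdict, deque

# Constructed sample telemetry (process file writes, raw-device opens and IOCTLs);
# this follows no vendor's real schema, and every path, PID and timestamp is made up.
WIPER = "C:\\Users\\alice\\Downloads\\update.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
DISKPART = "C:\\Windows\\System32\\diskpart.exe"

EVENTS = [
    {"t": 0.0,  "pid": 4242, "image": EXPLORER, "kind": "file_write",  "target": "C:\\Users\\alice\\Desktop\\notes.txt"},
    {"t": 1.0,  "pid": 1337, "image": WIPER,    "kind": "file_write",  "target": "C:\\Users\\alice\\Documents\\q1.xlsx"},
    {"t": 1.1,  "pid": 1337, "image": WIPER,    "kind": "file_write",  "target": "C:\\Users\\alice\\Documents\\plan.docx"},
    {"t": 1.2,  "pid": 1337, "image": WIPER,    "kind": "file_write",  "target": "C:\\Users\\alice\\Pictures\\img1.jpg"},
    {"t": 1.3,  "pid": 1337, "image": WIPER,    "kind": "file_write",  "target": "C:\\Users\\alice\\Pictures\\img2.jpg"},
    {"t": 1.4,  "pid": 1337, "image": WIPER,    "kind": "file_write",  "target": "D:\\share\\budget.pdf"},
    {"t": 1.5,  "pid": 1337, "image": WIPER,    "kind": "file_write",  "target": "D:\\share\\contract.pdf"},
    {"t": 9.0,  "pid": 4242, "image": EXPLORER, "kind": "file_write",  "target": "C:\\Users\\alice\\Desktop\\notes.txt"},
    {"t": 12.0, "pid": 1337, "image": WIPER,    "kind": "device_open", "target": "\\\\.\\PhysicalDrive9"},
    {"t": 12.1, "pid": 1337, "image": WIPER,    "kind": "device_open", "target": "\\\\.\\PhysicalDrive0"},
    {"t": 12.2, "pid": 1337, "image": WIPER,    "kind": "ioctl",       "target": "\\\\.\\PhysicalDrive0",
     "ioctl": "IOCTL_DISK_SET_DRIVE_LAYOUT_EX"},
    {"t": 20.0, "pid": 900,  "image": DISKPART, "kind": "ioctl",       "target": "\\\\.\\PhysicalDrive1",
     "ioctl": "IOCTL_DISK_SET_DRIVE_LAYOUT_EX"},
]

RAW_DISK = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)
LAYOUT_IOCTL = "IOCTL_DISK_SET_DRIVE_LAYOUT_EX"
# Hypothetical allowlist: disk-management tools expected to touch raw disks on this host.
DISK_TOOL_ALLOWLIST = {DISKPART.lower()}


def detect_mass_overwrite(events, threshold=6, window=5.0, min_dirs=2):
    """Flag a process that writes to many distinct files across several
    directories within a short sliding window (one alert per PID)."""
    recent = defaultdict(deque)   # pid -> deque of (time, path) inside the window
    fired, alerts = set(), []
    for ev in events:
        if ev["kind"] != "file_write" or ev["pid"] in fired:
            continue
        q = recent[ev["pid"]]
        q.append((ev["t"], ev["target"]))
        while q and ev["t"] - q[0][0] > window:
            q.popleft()
        files = {p for _, p in q}
        dirs = {p.rsplit("\\", 1)[0] for p in files}
        if len(files) >= threshold and len(dirs) >= min_dirs:
            fired.add(ev["pid"])
            alerts.append({"rule": "mass_file_overwrite", "pid": ev["pid"],
                           "image": ev["image"], "files": len(files), "dirs": len(dirs)})
    return alerts


def detect_raw_disk_access(events):
    """Flag raw physical-drive handles from non-allowlisted processes, and
    escalate when the same process rewrites the drive layout via IOCTL."""
    seen_open, alerts = set(), []
    for ev in events:
        if ev["image"].lower() in DISK_TOOL_ALLOWLIST or not RAW_DISK.match(ev["target"]):
            continue
        if ev["kind"] == "device_open" and ev["pid"] not in seen_open:
            seen_open.add(ev["pid"])
            alerts.append({"rule": "raw_disk_handle", "severity": "medium", "pid": ev["pid"],
                           "image": ev["image"], "target": ev["target"]})
        elif ev["kind"] == "ioctl" and ev.get("ioctl") == LAYOUT_IOCTL:
            alerts.append({"rule": "partition_layout_rewrite", "severity": "high", "pid": ev["pid"],
                           "image": ev["image"], "target": ev["target"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_overwrite(EVENTS) + detect_raw_disk_access(EVENTS):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; in production they need tuning against normal backup, indexing and update activity, and the allowlist should be matched on signed image identity rather than path alone, since a path is trivial to reuse.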

The sample is only mildly obfuscated, and most of the strings it uses are stack-based. The Import Table is also very small, containing only one function; all the other needed functions are retrieved dynamically with the help of a custom lookup routine:

[Figure 12]

CaddyWiper is extremely light in comparison to HermeticWiper, which was the most complex of all the wipers associated with these attacks. There is no code overlap between them, and most likely they were written by different authors.

Protection

Malwarebytes clients are protected against both of these wipers:

[Figure 13]
[Figure 14]

References

  1. https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
  2. https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-ukraine-hit-by-destructive-attacks-before-and-during-the-russian-invasion-with-hermet/

Indicators of Compromise

IsaacWiper

13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

CaddyWiper

a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea

The post Double header: IsaacWiper and CaddyWiper appeared first on Malwarebytes Labs.

Meet Exotic Lily, access broker for ransomware and other malware peddlers

The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized itself as an initial access broker, which means they find a vulnerability in an organization’s defenses, exploit that vulnerability, and sell the access to the victim’s network to an interested party, several times over with different victims.

Among these interested parties TAG found the Conti and Diavol ransomware groups. Because Exotic Lily’s methods involved a lot of detail, they are believed to require a level of human interaction that is rather unusual for cybercrime groups focused on large scale operations.

Initial access broker

Like in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They will use a vulnerability to gain initial access, and, probably based on the nature of the target, sell this access to other cybercriminals that can use this access to deploy their specific malware.

These initial access brokers are different from the usual ransomware affiliates that will deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware as a service (RaaS) group to get a chunk of the ransom if the victim decides to pay. The RaaS will provide the encryption software, the contact and leak sites, and negotiate the ransom with the victim. An initial access broker will inform another cybercriminal by letting them know they have found a way in at company xyz, and inquire how much they are willing to pay for that access.

Exotic Lily

From the TAG blog we can learn that Exotic Lily was very much specialized. Their initial attack vector was email. Initially, they were targeting specific industries such as IT, cybersecurity, and healthcare, but that focus has become less stringent.

Their email campaigns gained credibility by spoofing companies and employees. The campaigns were targeted to such a degree that they are believed to have been sent by real human operators using little to no automation. To evade detection mechanisms they used common services like WeTransfer, TransferNow, and OneDrive to deliver the payload.

Last year, researchers found that Exotic Lily used the vulnerability listed as CVE-2021-40444, a Microsoft MSHTML Remote Code Execution (RCE) vulnerability. Microsoft also posted a blog about attacks that exploited this vulnerability. Later, the group shifted to using customized versions of BazarLoader delivered inside ISO files.

Based on the fact that the Exotic Lily’s operations require a lot of human interaction, the researchers did an analysis of the “working hours” and came to the conclusion that it looks like a regular 9 to 5 operation located in a Central or Eastern Europe time zone.

Social engineering

As with most email campaigns, the amount of social engineering largely defines how successful such a campaign can be. Between the millions of emails sent in a “spray-and-pray” attack and the thousands that Exotic Lily sends out per day, there is a huge difference in success rate.

Exotic Lily used identity spoofing, replacing the TLD of a legitimate domain with “.us”, “.co” or “.biz”. At first, the group would create entirely fake personas posing as employees of a real company. These personas came complete with social media profiles, personal websites, and AI-generated profile pictures. That must have been a lot of work, so at some point the group started to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.

Using such spoofed accounts, the attackers would send spear phishing emails with a business proposal and even engage in further communication with the target by attempting to schedule a meeting to discuss the project’s design or requirements.

IOCs

SHA-256 hashes of the BazarLoader ISO samples:

  • 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
  • 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
  • c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

SHA-256 hashes of the BUMBLEBEE ISO samples:

  • 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
  • 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
  • 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
  • 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
  • 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

IP address of the C&C server:

  • 23.81.246.187

Stay safe, everyone!

The post Meet Exotic Lily, access broker for ransomware and other malware peddlers appeared first on Malwarebytes Labs.

Beware of this bogus (and phishy) “Instagram Support” email

Recently, a fake Instagram email successfully bypassed Google’s email filters and made it into hundreds of employee inboxes used by a prominent US life insurance company based in New York.

This was revealed in a report by Armorblox, a cybersecurity company specializing in stopping business email compromise (BEC) campaigns. According to its threat research team, the spoofed email originated from “lnstagram Support” with the email address, membershipform@outlook.com.tr. The “l” you see in “Instagram” is actually a small letter “L”. It wouldn’t have been obvious—if not for Gmail automatically setting the first letter of a sender’s name in caps—as you can see from the screenshot below.

Clearly, threat actors have layered their campaign with a number of known fraud tactics, one of which is using a homoglyph (or homograph), making this a good example of a homograph attack, as well.

A homograph attack is a method of deception where threat actors take advantage of how certain characters look the same. In this case, a lowercase “L” looks the same as a capital “i”.
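Both the TLD swap used by Exotic Lily (described earlier on this page) and the “lnstagram” homoglyph used here can be caught at the mail gateway by normalising sender details before comparing them with known domains. The following Python is an added example, not code from either Malwarebytes post or from Armorblox; the list of known domains and the confusable-character table are constructed assumptions, and only the sender values quoted on this page are real.

```python
# Constructed assumptions: the domains this organisation treats as known/trusted,
# and a small table of characters that look alike in common sans-serif fonts.
KNOWN_DOMAINS = ("instagram.com", "example-partner.com")
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR_CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def skeleton(text: str) -> str:
    """Reduce text to a 'skeleton' in which confusable characters collapse to one
    canonical form, so that 'lnstagram' and 'Instagram' compare equal."""
    s = text.lower()
    for seq, rep in MULTI_CHAR_CONFUSABLES:
        s = s.replace(seq, rep)
    return s.translate(SINGLE_CHAR_CONFUSABLES)


def split_domain(domain: str):
    """Return (second-level label, TLD) for a simple domain such as 'example-partner.co'.
    Two-part public suffixes (e.g. .co.uk) are not modelled here."""
    labels = domain.lower().split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (domain.lower(), "")


def analyse_sender(display_name: str, address: str, known_domains=KNOWN_DOMAINS) -> list:
    """Return (finding, impersonated_domain) pairs for a sender's display name and address."""
    findings = []
    domain = address.rsplit("@", 1)[-1].lower()
    s_label, s_tld = split_domain(domain)
    name_skel = skeleton(display_name)
    for known in known_domains:
        if domain == known or domain.endswith("." + known):
            continue  # mail really comes from this domain; nothing to flag against it
        k_label, k_tld = split_domain(known)
        if s_label == k_label and s_tld != k_tld:
            findings.append(("tld_swap", known))              # example-partner.co vs .com
        elif s_label != k_label and skeleton(s_label) == skeleton(k_label):
            findings.append(("homoglyph_domain", known))      # exarnple-partner.com
        if skeleton(k_label) in name_skel:
            findings.append(("display_name_brand_spoof", known))  # "lnstagram Support"
    return findings


if __name__ == "__main__":
    for name, addr in [("lnstagram Support", "membershipform@outlook.com.tr"),
                       ("Jane Doe", "jane.doe@example-partner.co"),
                       ("Jane Doe", "jane@exarnple-partner.com"),
                       ("Jane Doe", "jane.doe@example-partner.com")]:
        print(f"{name!r:22} {addr:35} -> {analyse_sender(name, addr)}")
```

The display-name check is the one that fires on the email discussed here: the address itself belongs to a free-mail domain and looks unremarkable, but its display name collapses to “instagram support” once the lowercase L is normalised, while the message was not sent from instagram.com. A fuller implementation would use the Unicode confusables table rather than this hand-picked subset and a public-suffix list for domain splitting.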

[Image: The fake “Instagram Support” email that appeared to have targeted employees of a New York-based insurance firm. (Source: Armorblox)]

The initial scam email reads in full:

FROM: Lnstagram Support <membershipform@outlook.com.tr>
SUBJECT: Instagram Support
MESSAGE BODY:
You have been reported for sharing fake content in your membership. and approved by us.
You must Verify your membership. If You Can't Verify Within 24 Hours
Your membership will be permanently deleted from our servers.
You can continue by pressing the Verify button to verify your membership.

The phishing email tells the recipient that their Instagram account has been reported for spreading fake or false information, which nowadays is not unheard of and considered a serious breach of Instagram’s Terms of Service. The scammers then push the recipient to verify their “membership” within 24 hours else their Instagram account will be deleted. Incorporating a sense of urgency is a scam red flag because it aims to get users to act first and think later when it’s too late.

Clicking the verify button takes users to a Google’s Site page instead of the actual Instagram page—another red flag. Here, users are then asked for their credentials as a requirement for verification.

[Image: Clicking the Verify button here again directs users to the actual phishing page, as you can see below. (Source: Armorblox)]
[Image: Note that the rhetoric has now shifted from the victim being a fake news proponent to a copyright law-breaker. (Source: Armorblox)]

The phishing site also offers up some fraudulent text that can make the whole process feel more official. The text from the phishing site is as follows:

We have received numerous complaints that you violated our copyright laws regarding your account. If you do not give us feedback, your account will be removed within 24 hours. If you think this is wrong, please verify your information below. We ask for this information because we cannot verify that you are the real owner of your account.

Be on the lookout, dear Reader, for this or similar campaigns that might land in your work inbox in the future. We always advise caution when dealing with emails—both unsolicited and claiming to have come internally—especially those that want something from you and pressure you to act quickly “or else”. If you have an email that you’re unsure about, ask your colleagues or contact the person who sent you the email via other means. Better safe than sorry, as they say, because one small slip-up is all it takes for an entire organization to get compromised. After all, big attacks do start small.

Stay safe!

The post Beware of this bogus (and phishy) “Instagram Support” email appeared first on Malwarebytes Labs.

Online Safety Bill’s provisions for “legal but harmful” content described as “censor’s charter”

The UK’s Online Safety Bill, a landmark piece of legislation that aims to regulate the country’s online content, has just been introduced into Parliament after undergoing significant revisions.

The bill has been in progress for about five years and its main objective is to regulate online content in the UK to make it the safest in the world. It is perhaps most famous for legally requiring pornographic websites to verify users’ age, and, yes, that’s still in there.

According to The Independent, the government has strengthened several areas since the previous draft, one of which is shortening the time it takes for company executives to comply with requests for information from Ofcom, the UK’s communications regulator. The last draft proposed a time frame of two years after the bill is made law; the revised draft now proposes a time frame of two months before executives are held criminally liable.

What’s new and what was tweaked

There are other notable changes in the bill.

Company managers could also be held criminally liable by Ofcom if they (1) destroy evidence, (2) fail to attend interviews with the regulator, (3) provide false information in interviews with the regulator, and (4) obstruct Ofcom when it enters company offices.

Platforms that host user-generated content, such as social media platforms and search engines, would not only have a duty of care to protect users from scams and fraud conducted by other users, but also a duty to protect them from “pre-paid fraudulent ads,” which includes unlicensed financial promotions and ads from fake companies. To do this, the revised bill proposes that social media platforms and search engines must put in place “proportionate systems and processes to prevent the publication and/or hosting of fraudulent advertising on their service and remove it when they are made aware of it.”

“We want to protect people from online scams and have heard the calls to strengthen our new internet safety laws,” Culture secretary Nadine Dorries is quoted as saying in The Guardian, “These changes to the upcoming online safety bill will help stop fraudsters conning people out of their hard-earned cash using fake online adverts.”

Further into the list of changes, there is now a new requirement to report any incidents or encounters of child sexual abuse to the National Crime Agency (NCA).

News content will also be exempted from regulations to protect free speech.

Cyberflashing, or the act of sending unsolicited sexual images to receivers, who are usually girls and young women, would also be a crime. Users who cyberflashed would face the same maximum sentence as indecent exposure: A two-year stay in prison.

The bill also includes proposals to punish digital “pile-ons”, and the sending of threatening social media posts and hoax bomb threats.

Finally, arguably the most notable and controversial revision in the draft is how the Bill has changed its approach regarding “legal but harmful” content. As the phrase denotes, this refers to content that is not in itself illegal but could cause harm to whoever encounters it online.

The slippery slope of “legal but harmful” content

The updated bill demands that social media platforms address their approach to “legal but harmful” content in the terms of service (ToS) for their services. It also proposes that such platforms conduct a risk assessment of possible harms that users might encounter while using their service.

Many free speech advocates, including members of the UK’s governing Conservative party, have expressed concern over the possible removal or suppression of such content. In a post, Dorries reassures her readers: “Companies will only be required to remove ‘legal but harmful’ content if it is already banned in their own terms and conditions. This only applies to the biggest platforms carrying the highest risk, and we are updating the legislation to ensure platforms focus on priority categories of harm that are set out in secondary legislation.”

Judging by some of the comments on the post (highlighted in this Twitter entry), some readers at least were not moved by Dorries’ rhetoric. The Open Rights Group (ORG), a UK-based organization working to protect the digital rights and freedoms of individuals in the UK, discussed the harms of the Online Safety Bill in December 2021, calling for the “legal but harmful” clauses to be removed to “ensure that the focus of the legislation remains on its stated purpose—protecting the well-being of individuals”.

Jim Killock, executive director of the ORG, describes “legal but harmful” as a censor’s charter. “Civil society groups have raised the warning, Parliament has raised the warning, the government’s own MPs have raised the warning but the government has ignored them all,” he said, “The online safety bill will outsource decisions about what we can see online from British courts, Parliament and police to the terms of service documents of social media platforms drafted by Silicon Valley lawyers.”

The post Online Safety Bill’s provisions for “legal but harmful” content described as “censor’s charter” appeared first on Malwarebytes Labs.

FBI catches up with one of its Most Wanted, arrests head of advance-fee crime network

Some don’t mind putting extra effort into making their crime appear as legitimate as possible by perpetuating more lies as long as they are guaranteed money in the end.

Osondu Victor Igwilo is one such Nigerian scammer.

The “catchers”

52-year-old Igwilo has been on the Federal Bureau of Investigation’s watch list since 2018.

According to court documents, Igwilo was charged in 2016 in the US District Court, Southern District of Texas, Houston, Texas for “one count of wire fraud conspiracy, one count of money laundering conspiracy and one count of aggravated identity theft.” He is also the alleged ringleader of an international criminal network of “catchers.” Their main fraud technique is sending out phishing emails to potential victims, enticing them with false offers of investment funding on behalf of BB&T Corporation, one of the largest banking and financial firms in the US.

Igwilo and his co-conspirators used fake email accounts and stolen identities of US government officials to net victims all over the world. When an organization in the US showed interest in the funding, Igwilo would dispatch hired US citizens to victim countries to pose as representatives of BB&T, meet them in person and sign a purported investment agreement. This only makes the entire scheme appear all the more authentic.

When ordered by Igwilo to visit victims from other countries, these fake bank officials were instructed to visit their local US embassy or consulate and fabricate documents with fake US government seals to further deepen the deception that the US government was sponsoring the funding.

Both “catchers” and representatives had the role of convincing victim organizations to wire advance payments to US bank accounts as a requirement for them to receive their funding. Owners of these accounts were deemed “money movers”, who then sent the money to Igwilo per his direction. This included the purchasing of luxury vehicles and shipping them to Nigeria.

Igwilo is said to have defrauded victims out of approximately $100M.

“Catchers” caught

On Monday, the Economic and Financial Crimes Commission (EFCC) of Nigeria released a press statement about the capture of Osondu Igwilo along with his accomplices, Okafor Nnamdi Chris, Nwodu Uchenna Emmaunel, and John Anazo Achukwu in a studio in Lagos. They were arrested on Thursday, 11 March 2022. According to the statement, five houses around Lagos belonging to Igwilo were recovered after the arrest.

The US Diplomatic Mission Nigeria praised the arrest, which was made possible by the partnership between the FBI and the EFCC.

Igwilo and his accomplices are expected to be formally charged in court soon.

The post FBI catches up with one of its Most Wanted, arrests head of advance-fee crime network appeared first on Malwarebytes Labs.

Clouding the issue: what cloud threats lie in wait in 2022?

As more services move ever cloud-wards, so too do thoughts by attackers as to how best exploit them. With all that juicy data sitting on someone else’s servers, it’s essential that they run a tight ship. You’re offloading some of your responsibility onto a third party, and sometimes things can go horribly wrong as a result. Whether it’s the third party being exploited, or something targeting the cloud users themselves, there’s a lot to think about.

We offered some thoughts in a recent article on potential cloud issues. Below are some other areas of concern which spring to mind. The linked article focuses on misconfiguration, phishing issues, limiting data share, and the ever-present Internet of Things. Below, we dig into a few of those. We also offer some additional opinions on where other attacks of interest may lie.

Cryptocurrency wallet attacks

Digital wallet phish attempts are rampant on social media, and we expect this to rise. People new to cryptocurrency often gravitate to services which take the hassle out of setting everything up. Third-party services which look after your private keys are known as custodial wallets. Private keys are important because they’re your digital keys to your Bitcoin kingdom.

You’re essentially giving the third-party full control of managing things for you. If the third party is compromised or exploited in some way, what happens to your stolen funds may take some time to resolve. You may well get it back, but you likely won’t be able to put any timeline to that process.

Some folks may feel the above process isn’t as secure as storing their cryptocurrency on standalone devices. So-called “cold wallets” are typically offline hardware devices, with no internet capability and the ability to manage only a few types of digital currency.

This is at odds with the “hot” custodial wallets which typically plug into many forms of currency, and provide various online services. It’s a bit like the difference between using an online, cloud based password manager run by a third-party company, or running a totally local password manager operated by you and you alone.

If something goes wrong with your cold wallet, should you lose it or have it stolen, nobody is coming to help. This is a lot of responsibility if you’re dealing with large amounts of currency. On the other hand, do you want to take the risk of plugging large amounts into something whose management is up to someone else?

Even if people avoid being phished, stealer malware which hunts for private keys and/or logins is becoming increasingly popular. Users may also run into trouble if something goes wrong at the organisation looking after their private keys. It’s an incredibly complex landscape fraught with problems, and this is why we’ll continue to see people hit by all manner of cryptocurrency scams for some time to come.

Ransomware supply chain triple-threat

Ransomware will continue to cause problems in supply chains and leverage so-called triple threat attacks. This is where multiple forms of pressure are placed upon the victim to convince them to pay up. This method of attack is sure to remain popular, becoming a viable alternative to “just” using double extortion tactics.

For example, demanding ransom with the threat of leaking data could be considered a double threat extortion. Meanwhile, attacks like BlackCat went all-in on triple-threats towards the end of 2021. BlackCat didn’t only demand a ransom under threat of data leaks; it also promised to fire up a DDoS (distributed denial of service) if the ransom wasn’t paid.

Targets who keep all files in the cloud only (no local or offsite backups) are great marks for blackmailers. Indeed, even where backups exist, they may not be as effective as they once were due to additional threats beyond a ransom payment. Sure, you won’t lose your data if you have backups, the attackers will say – but they’ll make sure a lot of it ends up on an underground forum somewhere regardless.

This is why it’s crucial to try and stop ransomware authors getting one foot in the door in the first place. Training staff not to open attachments from untrusted senders, keeping security updates up to date, and reducing services needlessly visible online can all help with this.

The Metaverse

We expect to see various forms of harassment increase in virtual worlds as more people jump on the Metaverse bandwagon, with security and safety settings playing catch up. 

The possibility exists for rogue advert manipulation and phishing should Meta decide to push ahead with virtual ad placement. There are also issues with augmented reality privacy concerns, data breaches, and photo realistic representations of your living space for all to see. All this, before we even touch on the very big problem of harassment in virtual spaces. Placing virtual bubbles around users so others can’t digitally grope them is just one sorely needed tool to help combat harassers, but more needs to be done.

Cloud services which reduce VR processing strain on users’ machines could also become popular targets, especially where gaming is concerned. With more slices of the gaming pie being offloaded away from the user’s machine, it’s only natural to think they may take a hit.

As we’re seeing, it’s not only game developers at risk from being targeted. With hardware shortages generally making it more difficult to get hold of graphics cards and chips, subscription cloud services are viewed as an important alternative. Becoming a crucial tool in the battle against lack of components will mean they catch the eye of people with bad intentions. 

Misconfigured services

We finish off with that constant thorn in the side of the cloud: basic errors which consistently lead to security woes.

Every year organisations fail to secure their cloud services and data is leaked, exposed, and scraped by third parties. Even apps aren’t free of cloud risks, with tools designed to monitor children’s online use accidentally exposing user IDs, plaintext passwords, and more thanks to missing security measures.

Exposed data can lurk for months without discovery. It can also be used for blackmail and profit, and once it’s online there’s no going back. People often talk about “leaky buckets” in relation to misconfigured services. They’re called buckets because they hold your data; unfortunately those leaks don’t stand a chance of being fully plugged anytime soon.

Whether your area of interest is IOT, ransomware, or even the Metaverse, it’s well worth digging into some of these topics and keeping one eye on the news. Whether you’re involved with the cloud at home or in the workplace, bad actors are figuring out ways to cause trouble – but that doesn’t mean we have to let them.

The post Clouding the issue: what cloud threats lie in wait in 2022? appeared first on Malwarebytes Labs.

Gh0stCringe RAT makes database servers squeal for protection

Researchers have found that the Gh0stCringe RAT is infecting Microsoft SQL and MySQL servers, and seems to focus on servers with weak protection. The Gh0stCringe RAT communicates with a command and control (C&C) server to receive instructions and is capable of exfiltrating information.

SQL

SQL is short for Structured Query Language and usually pronounced as “sequel.” SQL is a standard language used to query and change the content of databases. It was originally designed to perform business analyses. But with the implementation of product-specific application programming interfaces (API) and the growth of online applications, it quickly became more widely used.

Gh0stCringe

Gh0stCringe, also known as CirenegRAT, is a malware variant based on the code of Gh0st RAT. The Gh0st RAT source code was publicly released, so we’ve seen quite a lot of malware based on this code. Remote Access Trojans (RATs) are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim system.

Gh0stCringe RAT is a RAT malware that connects to a C&C server and performs various malicious actions after receiving commands from the attacker. The attacker can designate various settings to Gh0stCringe just like other RAT malware. One of those options the Gh0stCringe RAT provides is a keylogger. Keylogging enables the threat actor to steal login credentials and other sensitive information.

For a full technical analysis we would like to refer you to the researchers’ post.

Security

According to the researchers, the threat actors behind Gh0stCringe are targeting poorly secured database servers with weak account credentials and no oversight. On the infected servers they found evidence of previous infection by miners usually distributed through brute force attacks.

Security of SQL Server environments is considered to be among database administrators’ prime responsibilities. It is up to each database administrator to configure security features, or use additional security measures as needed, to address the security and compliance requirements of their data and applications.

Microsoft SQL Server provides several built-in features that enable security, including encrypted communication over SSL/TLS, the Windows Data Protection API used to encrypt data at rest, authentication and authorization.

MySQL provides robust data security to protect data including secure connections, authentication services, fine-grained authorization and controls, and data encryption.

The problem is that there are a few very different security issues to be considered when it comes to an internet-facing SQL server. Administrators have to implement security to protect their system(s) against SQL database vulnerabilities, SQL injection attacks, and brute-forcing SQL credentials on top of every other security measure that applies to such servers.

How to avoid RATs

There are some basic actions that can be taken to lessen the chance of RATs and miners making use of your SQL servers.

  • Use a strong password policy, keeping in mind the importance of the server and the data on it.
  • Apply patches in a timely manner, and keep the number of installed applications, each of which needs patching, to a minimum.
  • Actively manage the user accounts that have access, and their privileges.
  • Use monitoring and logging, including review of failed login attempts, to keep an eye on what is going on.

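The last point in the list above, reviewing failed logins, is where a brute-force campaign of the kind that precedes these RAT and miner infections shows up first. The following is an added example (not code from the researchers or from Malwarebytes) that parses failed-login records and flags any client address that produces a burst of failures inside a sliding window. The log lines are constructed for the example and mimic the SQL Server ERRORLOG “Login failed for user” records and the MySQL 8 error-log “Access denied for user” records; the addresses are documentation ranges, and the regexes are assumptions you should adjust if your server’s logging format differs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real incident). The first block mimics
# SQL Server ERRORLOG "Login failed" records, the second mimics MySQL 8 error-log
# "Access denied" records. Addresses are from documentation ranges.
MSSQL_LOG = """\
2022-03-17 10:15:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-03-17 10:15:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-03-17 10:15:02.88 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2022-03-17 10:15:03.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-03-17 10:15:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-03-17 10:15:04.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-03-17 10:20:11.05 Logon       Login failed for user 'backup_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""
MYSQL_LOG = """\
2022-03-17T10:31:05.000001Z 14 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2022-03-17T10:31:05.200000Z 15 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2022-03-17T10:31:05.400000Z 16 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2022-03-17T10:31:05.600000Z 17 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2022-03-17T10:31:05.800000Z 18 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.7' (using password: YES)
"""

# One regex per log dialect (assumed formats); each yields ts, user and ip groups.
PATTERNS = [
    (re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
                r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]"),
     "%Y-%m-%d %H:%M:%S.%f"),
    (re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z .*"
                r"Access denied for user '(?P<user>[^']+)'@'(?P<ip>[^']+)'"),
     "%Y-%m-%dT%H:%M:%S.%f"),
]


def parse_failed_logins(text):
    """Return a list of (datetime, user, client_ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        for pattern, fmt in PATTERNS:
            m = pattern.match(line)
            if m:
                events.append((datetime.strptime(m["ts"], fmt), m["user"], m["ip"]))
                break
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per client IP.

    Returns {ip: {"first_seen", "peak", "users"}} for every client that produced
    at least `threshold` failures inside some interval of length `window`.
    """
    recent = defaultdict(deque)
    users = defaultdict(set)
    flagged = {}
    for ts, user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"first_seen": q[0], "peak": 0, "users": users[ip]})
            entry["peak"] = max(entry["peak"], len(q))
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failed_logins(MSSQL_LOG + MYSQL_LOG)).items():
        print(f"{ip}: {info['peak']} failures within 60s, users tried: {sorted(info['users'])}")
```

Run against a real ERRORLOG or MySQL error log, a single flagged address with many distinct user names is a credential sweep, while one address hammering a single account (typically sa or root) is a dictionary attack; either should feed a firewall block and a check of whether any login from that address later succeeded.
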
There are some tell-tale signs that could give away the presence of the Gh0stCringe RAT: the keylogging method it uses is known to cause high CPU usage. Some IOCs are listed below.

IOCs

Filename:

  • mcsql.exe

C&C servers:

  • tuwu.meibu.net
  • 172.86.127.224

MD5:

  • bd8611002e01d4f9911e85624d431eb0
  • 9adc9644a1956dee23c63221951dd192
  • 782cbc8660ff9e94e584adfcbc4cb961

Stay safe, everyone!

The post Gh0stCringe RAT makes database servers squeal for protection appeared first on Malwarebytes Labs.

Valorant cheats on YouTube are actually information-stealing malware

Valorant, the popular free-to-play team-based shooter, is attracting the attention of scammers. A malware distribution campaign is reportedly leveraging YouTube to push infection files. The campaign distributes a known information stealer that hunts for passwords in browsers, cookies, a variety of cryptocurrency wallets, VPN clients, and many more besides. It then zips the stolen data and sends it via a Discord webhook (a method for posting updates to Discord channels).

When history repeats itself

As mentioned by Bleeping Computer, using YouTube in this way is not a new tactic. It’s a quick, easy way to try and make malicious off-site links go viral.

How do they convince people to run the infection file? They tell viewers to download a file and run it with security software switched off. They then either disable the comments to avoid awkward questions, or leave them on and fill them with scammer-controlled spam saying how good the file is, while ruthlessly deleting any replies that post warnings.

This is the anatomy of a basic YouTube scam, and some of the above techniques are being used in the malware distribution campaign referenced here.

What is the bait being used?

Cheaters will cheat for many reasons in a video game, especially a competitive one. Why spend hours practising to meet your cheat-laden objectives if you can just cheat some more? Aim-bots have been a plague on the shooter landscape for many years, and there’s no shortage of fakes alongside the genuine articles.

At the most basic level, aim-bots help you target other players more easily. They may also include wall-hacks, rapid fire, radar interference; the sky’s the limit. Online titles frequently include several forms of anti-cheat to detect hacks and (potentially) issue a ban. As a result, top-tier cheat tools which try to bypass that detection can fetch a hefty price.

An aim-bot or other cheat tool offered up for free on YouTube sounds too good to be true, because it is. Although the example from the article leads to a sharing site called “Anonfiles”, better-known file-sharing portals are often used instead. There may well be an advert or survey to click through on those sites too, which means potential extra revenue for the scammer.

Finally, many scams of this nature use URL shortening services. This hides the real landing page from casual observers, adds a layer of false familiarity (“Oh, it’s Bit.ly”), and may also give the malware authors detailed click-through statistics.

How to avoid being caught by these scams

We may have touched on a few of these above, but even so, they’re worth repeating.

  • Do not, under any circumstances, switch off your security protection. There’s no reason to do this when installing games in almost any situation I can think of. It’s pretty rare these days to run into an issue where a legitimate game file is prevented from performing a task by security software. I think that’s happened to me perhaps twice in something like 10 years, and I install a lot of games on PC.
  • Check out the comments. Are they all strangely positive? Do they all claim the thing being offered worked like a charm with no problems whatsoever? Are the accounts brand new, or old accounts which seem to have only recently taken an interest in cheating? Alternatively, are the comments simply switched off? Both of these can be massive red flags when dealing with game cheat files.
  • What else is the account pushing the cheat software promoting? Is it a bunch of identical cheat videos with a few bits of text swapped around? Surveys? Millions of free [insert game currency here] points via some sort of web-based generator tool? These are all signs that something is most definitely not right.
  • Finally: even if the source is entirely legitimate and the supposed cheat tool does in fact work? You’re playing with fire. Game cheats are routinely banned in huge numbers for all sorts of reasons. Steam, Epic store, PlayStation network, it doesn’t matter. Valorant has its own anti-cheat system and it’s quite unlikely you’re going to find a YouTube freebie which gets around it.

Do the sensible thing and give game cheating tools a very wide berth. It’s simply not worth risking your gaming accounts being stolen, or your account being banned, or a horrible combination of both.

The post Valorant cheats on YouTube are actually information-stealing malware appeared first on Malwarebytes Labs.

CafePress faces $500,000 fine for data breach cover up

The US Federal Trade Commission (FTC) has announced that it took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach.

CafePress is a popular online custom T-shirt and merchandise retailer. According to Samuel Levine, Director of the FTC’s Bureau of Consumer Protection:

“CafePress employed careless security practices and concealed multiple breaches from consumers.”

CafePress waited seven months to publicly disclose a 2019 breach, and only did so after it had been reported in the news.

The FTC complaint also takes issue with the way CafePress handled customer information, saying that CafePress “misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.” This is considered an unfair and deceptive practice under Section 5 of the FTC Act.

The breach

In February 2019, a threat actor was able to access millions of email addresses and passwords. According to the complaint by the FTC this was made possible because CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network.

The passwords are said to have been protected by “weak encryption”, an absolute security no-no: stored passwords should never be encrypted, which is reversible by anyone who obtains the key, but hashed. Passwords that are secured with a properly configured password hashing function (salted, with a deliberately high work factor), such as bcrypt or scrypt, take so long to crack that they are of little use to attackers even if the hashes leak.

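To make the distinction above concrete, here is an added example (not code from CafePress, the FTC complaint, or Malwarebytes) contrasting a reversible password store with a properly configured scrypt hash. The “weak encryption” side is a constructed illustration of the pattern: a static application-wide key, so whoever has the database and the key recovers every password instantly. The scrypt side uses Python’s standard-library hashlib.scrypt with a per-user random salt, a self-describing record format, constant-time verification, and a check for records whose parameters have fallen behind policy; the record format, key and parameter values are this example’s own choices.

```python
import base64
import hashlib
import hmac
import os

# --- "Weak encryption" of passwords (constructed illustration of the anti-pattern) ---
# A reversible transform keyed by a secret that lives in the application. Anyone who
# obtains the database AND the key (source code, config, memory dump) gets every
# plaintext back at once; there is nothing to crack.
STATIC_KEY = b"cafe0rder-key"   # hypothetical application-wide key


def _xor_stream(data: bytes) -> bytes:
    stream = (STATIC_KEY * (len(data) // len(STATIC_KEY) + 1))[: len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))


def weak_encrypt(password: str) -> str:
    return base64.b64encode(_xor_stream(password.encode())).decode()


def weak_decrypt(stored: str) -> str:
    return _xor_stream(base64.b64decode(stored)).decode()


# --- A properly configured password hash: scrypt ---
# Per-user random salt (no precomputed tables; identical passwords hash differently)
# plus a memory-hard work factor, so every guess costs the attacker real time and RAM.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB per guess; raise N as hardware allows
RECORD_FIELDS = 6                              # algo$N$r$p$salt$hash


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record: parameters travel with the hash so they can be raised later.
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != RECORD_FIELDS or parts[0] != "scrypt":
        return False                      # unknown or legacy format: never "succeeds"
    _, n, r, p, salt_b64, digest_b64 = parts
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def needs_rehash(record: str) -> bool:
    """True if the record is not scrypt or uses weaker parameters than current policy.

    Call after a successful login and re-store the password with hash_password(),
    which is how a site migrates away from weak storage without knowing the plaintexts.
    """
    parts = record.split("$")
    if len(parts) != RECORD_FIELDS or parts[0] != "scrypt":
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    leaked = weak_encrypt("hunter2")
    print("weakly encrypted record:", leaked, "-> recovered:", weak_decrypt(leaked))
    rec = hash_password("hunter2")
    print("scrypt record:", rec)
    print("verify correct:", verify_password("hunter2", rec), "verify wrong:", verify_password("hunter3", rec))
```

The needs_rehash check is the practical answer to a store full of weak records: because the plaintext is only available at login time, each user’s record is upgraded the next time they authenticate, and anyone who has not logged in since the breach should be forced through a reset rather than left with a recoverable secret.
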
Leaked email addresses and passwords are a serious problem because many people re-use their passwords across multiple websites and services. Cybercriminals know this and will try stolen usernames and passwords in as many different places as they can—a practice known as credential stuffing.

The threat actor also captured millions of unencrypted names, physical addresses, and security questions and answers, as well as over 180,000 unencrypted Social Security Numbers (SSNs) and tens of thousands of partial payment card numbers (last four digits) with expiration dates: a treasure trove for social engineers.

Informing customers

Despite warnings from several sides, including a foreign government, CafePress decided not to inform its customers, and instead only told them to reset their passwords as part of an update to its password policy. CafePress apparently patched the vulnerability the cybercriminals had used, but failed to properly investigate the breach for several months despite additional warnings.

Data from the breach eventually ended up in Troy Hunt’s Have I Been Pwned (HIBP) database, which tipped off journalists. It wasn’t until news of the breach was reported in the press that CafePress actually informed its customers.

Lax security

In the complaint the FTC mentions several cases of bad security practices, before and after the breach. According to the FTC, CafePress…

  • Failed to investigate the source of several malware infections that occurred on its network prior to the 2019 attack.
  • Failed to implement reasonable security measures to protect the sensitive information of buyers and sellers.
  • Stored SSNs and password reset answers in clear text, alongside millions of unencrypted names and physical addresses.
  • Retained customers’ data longer than was necessary.
  • Failed to apply readily available protections against well-known threats and to adequately respond to security incidents.
  • Continued to allow people to reset their passwords by answering security questions whose answers were already in the attackers’ hands.

As a result of its lax security practices, it should not come as a surprise that CafePress’ network was breached multiple times.

Proposed settlement

As part of the proposed settlement, Residual Pumpkin and PlanetArt (the previous and current owners of CafePress) will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures—such as security questions—with multi-factor authentication methods, minimizing the amount of data it collects and retains, and encrypting SSNs.

PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third-party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

In addition, Residual Pumpkin will have to make a $500,000 payment to data breach victims, the FTC said in the statement. CafePress has already settled with seven US states as a result of this data breach.

Reusing passwords

We have warned users often against reusing passwords across different services. This case is a prime example that shows why this is important. Users were left in the dark about their compromised passwords for several months. This gave the criminals behind the breach plenty of time to perform credential stuffing attacks on other services.

Since shopping services usually store credit card details and people’s home addresses alongside login credentials, there is no reason to treat these accounts as if they have a lower security priority. On the contrary, it could turn out to be a costly mistake. Use a password manager to make it easier to create and use strong, unique passwords for each service you use.

Lessons for web shops

What can web shops do to avoid becoming the next CafePress?

  • In the long run, the chance you can keep a breach secret is slim to none.
  • Deploy strong policies and controls, and inform the public about them on your website.
  • Disclose breaches to your customers early, with as much detail as you can. This will reduce the damage to them, and to your brand, and reduce the chance of being fined.
  • Use best practices such as strong password hashing and rate limiting of password attempts.
  • Encourage customers to use Multi-factor Authentication (MFA).

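Rate limiting of password attempts, mentioned in the list above, is the control that blunts the credential stuffing that follows a leak like this one. The following is an added example (not code from CafePress or Malwarebytes) of a sliding-window throttle for a login endpoint that keeps two independent budgets: one per account, which stops a targeted attack on a single user, and one per source address, which stops a stuffing run that tries one leaked password against thousands of accounts. The limits, window length and the FakeClock used for the demonstration are this example’s own assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window rate limiter for a login endpoint.

    Two budgets are tracked: per account and per source address. A request is
    refused if either budget is exhausted. The clock is injected so behaviour
    can be tested deterministically.
    """

    def __init__(self, per_account=5, per_source=50, window=300.0, clock=time.monotonic):
        self.per_account = per_account
        self.per_source = per_source
        self.window = window
        self.clock = clock
        self._by_account = defaultdict(deque)   # account -> timestamps of recent failures
        self._by_source = defaultdict(deque)    # source  -> timestamps of recent failures

    def _prune(self, q, now):
        while q and now - q[0] >= self.window:  # forget failures older than the window
            q.popleft()

    def check(self, account, source):
        """Call before verifying the credential. Returns (allowed, retry_after_seconds)."""
        now = self.clock()
        retry_after = 0.0
        for q, limit in ((self._by_account[account], self.per_account),
                         (self._by_source[source], self.per_source)):
            self._prune(q, now)
            if len(q) >= limit:
                # Budget exhausted: the oldest failure must age out before another try.
                retry_after = max(retry_after, self.window - (now - q[0]))
        return (retry_after == 0.0), retry_after

    def record_failure(self, account, source):
        now = self.clock()
        self._by_account[account].append(now)
        self._by_source[source].append(now)

    def record_success(self, account):
        # A correct login empties the account budget; the source budget is kept so a
        # stuffing run that happens to hit one valid pair is still slowed down.
        self._by_account[account].clear()


class FakeClock:
    """Constructed clock for the demonstration so it runs instantly and deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clk = FakeClock()
    throttle = LoginThrottle(per_account=3, per_source=10, window=60, clock=clk)
    for _ in range(3):
        throttle.record_failure("alice", "203.0.113.45")
    print(throttle.check("alice", "203.0.113.45"))   # (False, 60.0): account budget spent
    clk.advance(60)
    print(throttle.check("alice", "203.0.113.45"))   # (True, 0.0): window has passed
```

Two caveats for a real deployment: a refused attempt should return the same generic error and take roughly the same time as a wrong password, so the throttle does not become an account-enumeration oracle, and the per-source budget needs the real client address (behind a proxy, a trusted forwarded header), otherwise every user shares one budget and the attacker shares none.
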
Keep your customers safe and happy and they will come back.

Stay safe, everyone!

The post CafePress faces $500,000 fine for data breach cover up appeared first on Malwarebytes Labs.

“Threatening and coercive” cold-callers who targeted the elderly hit with big fines

Every so often, fines for phone and messaging spam hit the news. Much of it targets older members of society. Some people say these calls are “just” irritants and nothing to particularly worry about, but they can be really serious, resulting in big chunks of people’s savings being wiped out.

Now, five companies have been fined a grand total of £405,000 for such practices—with the potential for more to come.

Listing all the possibilities

Several companies have been fined for collectively making huge numbers of calls to people registered with the TPS (Telephone Preference Service).

The TPS is the equivalent of a “do not call” service and is the UK’s sole register for this purpose. People who sign up their mobile and/or landline numbers are placed into the TPS register and are opted out of receiving any and all unsolicited calls. Supposedly.

However, one organisation alone made 229,483 unwanted calls to people on the TPS service over the course of around seven months. They were hit with a £100,000 fine. Another made 412,556 calls to people on the TPS service over a period of around eight months. For this, they received a fine totalling £110,000.

The ICO (Information Commissioner’s Office), which ensures that UK organisations do the right thing where data protection and communications are concerned, suspects that at least some of the companies involved were sharing information on their cold-call targets.

The calls targeted people aged 60 and over who owned their own homes and had landline numbers, and asked them for personal information. They primarily seem to have related to insurance for household products, and complaints allege the calls were both “threatening and coercive”. That they did this to people who may have felt less comfortable dealing with confrontation over the phone is particularly awful.

So what’s the point in the TPS?

Crucially, it’s a legal requirement that companies do not call people on the TPS register without their consent. The aim is to significantly reduce live (not automated) cold-calling, and businesses are supposed to check their call lists against the TPS register every 28 days.

Where this goes wrong for unsuspecting cold-callers is that the TPS contacts the caller over every complaint made, and those complaints are also fed back to the ICO. You can imagine how seriously the ICO took a daily stream of complaints about hundreds of thousands of calls from the same organisations.

Mistakes can happen; according to the TPS site, legislation allows companies a maximum of 28 days to update their lists of who to call (and not call). Despite this, nobody is making simple mistakes hundreds of thousands of times.

Avoiding nuisance calls

As far as this story is concerned, the primary tactic for avoiding nuisance calls is to sign up to the TPS list. You can also make use of additional services from your network provider for blocking spam or even automated calls where possible. Some mobile operators will, for example, flag a calling number as suspect. Keep in mind that these may or may not be paid services.

Cold-call campaigns may make use of data from third-parties, or even scraped from various sources without permission. If an organisation has their database stolen or scraped, there isn’t a lot you can do about that. However, you can try to limit your exposure.

You could use forwarding numbers for services you sign up to, which helps shield your real number. When you sign up for something, make sure the right tick boxes are checked (or unchecked!) so that your details aren’t shared and you aren’t contacted.

Combining these tactics should stand you in good stead for keeping pesky cold-callers at bay.

The post “Threatening and coercive” cold-callers who targeted the elderly hit with big fines appeared first on Malwarebytes Labs.