IT NEWS

A week in security (March 28 – April 3)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (March 28 – April 3) appeared first on Malwarebytes Labs.

Update now! Zyxel patches critical firewall bypass vulnerability

In a security advisory Zyxel has urged customers to update because a security flaw can lead to the circumvention of firewall protection in several Zyxel products.

Zyxel is a Taiwanese producer of modems and other networking equipment and its products are sold in over 150 countries.

The vulnerability

Zyxel says the vulnerability, listed as CVE-2022-0342, is an authentication bypass vulnerability caused by the lack of a proper access control mechanism, which has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device.

The Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program, typically to process user requests.

Affected series

Zyxel has published a list of vulnerable products that are within their warranty and support period, and has released updates to address the issue.

| Affected series | Affected firmware version | Patch availability |
| --- | --- | --- |
| USG/ZyWALL | ZLD V4.20 through ZLD V4.70 | ZLD V4.71 |
| USG FLEX | ZLD V4.50 through ZLD V5.20 | ZLD V5.21 Patch 1 |
| ATP | ZLD V4.32 through ZLD V5.20 | ZLD V5.21 Patch 1 |
| VPN | ZLD V4.30 through ZLD V5.20 | ZLD V5.21 |
| NSG | V1.20 through V1.33 Patch 4 | Hotfix V1.33p4_WK11* available now; standard patch V1.33 Patch 5 in May 2022 |

From the security advisory it is unclear whether there are vulnerable products that are outside of the support period.

How to fix the Zyxel vulnerability

Administrators of the NSG V1.20 through V1.33 Patch 4 need to reach out to their local Zyxel support team for the file, or wait until May when standard patch V1.33 Patch 5 is scheduled to be released.

Owners of the other affected products can search for their updated firmware by model number on the Zyxel support download page. Please note that the patches should have a release date of 03/29/2022 or later.

For firewalls it is always a good idea to restrict the IP addresses that are permitted to access the management interface.

Stay safe, everyone!


“Free easter chocolate basket” is a social media scam after your personal details

Holidays inspire fraudsters and scammers to create timely and effective ways to string people along and get them to give up either their money or their personal information. This is the case in this chocolate-themed scam.

Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam making the rounds on WhatsApp and other social media sites like Facebook.

Users of WhatsApp have reported receiving links to a web page where they can claim a “free Cadbury easter chocolate basket.”

When they open the link, users are presented with a short list of questions to answer—purportedly as part of an “Easter Egg Hunt”—before they are prompted to enter their personal details.

The Dorset Police Cyber Crime Unit posted an appeal about this scam to its Facebook page.

“DON’T CLICK THE LINK.” the post reads, the text bookended with the warning sign emoji. “Our Cyber Protect Officer has done it for you.”

The post continues with how the scam works:

“The site looks fairly convincing, however the only buttons that actually work are the ones to answer the questions. The search icon and the three little lines do nothing at all.

Once you answer those question [sic], you’re taken to a little game where you have to ‘find your prize’. Conveniently, your first and second tries won’t be successful, but you’ll ‘win’ on your third go! At that point, to claim your “prize”, you’ll be asked to hand over all sorts of personal information. That’s where the scam comes in!”

Looking at the shortened URL (“tinyurl2.ru”) used in this campaign and at how the scam itself was formatted, it resembles the Amazon International Women’s Day 2022 Giveaway scam that is said to have gone viral in February.

It’s highly likely that scam links similar to these two can only be accessed via mobile devices.

This isn’t the first time Cadbury’s name has been dragged into a scam campaign. In December 2021, a Facebook scam about Cadbury reportedly giving away hampers of chocolate for Christmas did the rounds.

How to avoid falling for a scam like this

Warn your less security-savvy friends and family: When it comes to giveaways, think twice before clicking or sharing with friends, family, and social contacts. Scammers have always been on the prowl and do not rest until they get what they want. They are patient and have only got better at attempting to social engineer anyone who has a soft spot for anything—dogs, cats, commemorations, pizza, and, as we’ve just seen, chocolates.

Err on the side of caution. If you see a giveaway post in your feed, visit the official website of this brand to see if it’s genuine. Or, if they have a social media presence, which they usually do, ask on Twitter or Facebook. Send screenshots if you can.

It’s always a good idea to verify. But it’s not a good idea to click links thoughtlessly, and give your details away for delicious, delicious chocolate you can just buy from the shops.

Stay safe!


5 ways to spring clean your security

It is now officially spring in the Northern Hemisphere, and with spring and the longer days comes the inescapable urge to shake off the lethargy of winter and embrace the need to go through your stuff, throw a bunch of it out, and give the rest of it a shiny new lustre.

And in our increasingly digital lives, more and more of our stuff exists as bits and bytes on our phones, tablets, laptops and desktop computers. With the trees now full of blossom and the air prickling with pollen, you may feel an urge to straighten out your digital mess too.

If you do, we’ve got your back, and we humbly suggest that when you’re done tagging your dog in every photo and getting your folder names just so, you turn your attention to your device security and give that a little dust off as well. After all, nothing makes a bigger mess of your digital life than malware rummaging through it.

1. Say “yes” to software updates

Patching (downloading software updates) is like fixing the broken locks on the front doors of your digital life—the updates contain code that fixes weaknesses that thieves could otherwise jimmy open with their digital crowbars.

Start your spring clean by downloading all the software updates you’ve been putting off. Especially the big ones.

And yes, you’ve heard this advice before (we hope). Maybe you’ve heard it a hundred times, and maybe you’ve heard it so often that you’re tired of hearing it and are looking for some other advice. Well, fine, there’s some other advice below, but this is number one on our list for a reason, so please don’t skip it. This is the first and most important thing you can do to give your digital security a spring boost.

2. Say “no” to duplicate passwords

How many online accounts do you have? Twenty, thirty, one hundred? And how many different passwords do you have for all those accounts? If the answer to these two questions isn’t exactly the same number—meaning that you have as many different passwords as you have different accounts—then you have some cleaning up to do.

Criminal hackers love it when you use the same password for more than one account. Once they’ve done the hard work of cracking one of your passwords they aren’t going to waste it, they’re going to try it on a laundry list of other websites to see what else it can unlock for them. It’s like a twofer at the grocery store for them: Hack one account, get one free!

The way to stop this is to create a unique password for each of your accounts, no exceptions. If you’re up for a deep clean then get yourself a password manager to make the job of creating and storing all those passwords easy. It’s a little more effort upfront, but well worth it.

3. Lose what you don’t use

We’re going to leave you to decide where you want to take this one and how far you want to go with it. We’ll just get you started with this simple line of thinking: From a security perspective, “more” is often worse. More apps means more places a hacker might find a broken lock or an open window they can use to break into your device. The same thing goes for your online accounts—each one is a potential way in to your digital life (particularly the accounts you haven’t used for a while, aren’t paying much attention to, or didn’t bother to lock down very well).

It’s amazing how many rarely-if-ever-used apps we accumulate on our devices, and how many accounts we open and then abandon online.

So why not lose some things? Ditch some apps you don’t need, clear out your unused browser add-ons, and delete some accounts you don’t use. The more you lose, the better.

4. Get on top of your email

Criminals use email to spread malware, fakes, and scams, so it is worth paying some attention to. Getting your unread email count to zero is immensely satisfying, and if you do it the right way it can give your security a spring in its step too.

Start by unsubscribing from all the mailing lists and newsletters you never read. You want the email that arrives in your inbox to be full of things that actually interest you, so it’s easier for you (and your spam filter) to spot anything that is slightly off. It’s just like step #3—lose what you don’t use.

Now go through your email and mark the things that look like scams, spams, malware, or junk as “Junk” or “Spam.” Every time you do that instead of just deleting shady emails you are actually training your email’s spam filter to work more effectively (if you want to know why, read our article on Bayesian Filtering). To work correctly your spam filter needs a few thousand up-to-date examples of both “good” emails and “bad” emails, so you want your inbox to be full of good things you care about, and your spam folder to be full of bad things that are malicious or spammy.

5. Run a malware scan

Spring cleaning is about the satisfaction of a job well done, and the peace of mind that comes with knowing your environment isn’t harbouring any nasties. To get that same sense of inner calm from your computer, put down the bleach and pick up a malware scanner.

A malware scanner is the quintessential deep clean for your device. It will pick over your files and apps, one by one, and run through them with a fine tooth comb, weeding out any malware that’s lurking in there undetected.

Now, we’re going to toot our own horn a little on this one. We try to give good, sensible, impartial advice on this blog, without somehow making everything about us and the things we make. Well it so happens that our scans are famous for their ability to pick up things that others miss, and it wouldn’t make any sense if we didn’t mention it when other people will happily tell you the same thing. So, if you want to scrub all the dark and difficult corners of your desktop or laptop computer, we honestly think the best advice we can give you is to run our anti-malware scanner. Sorry, not sorry.


GitLab issues security updates; watch out for hard coded passwords

GitLab has issued several critical security updates, with users of the version control software urged to upgrade their installations as soon as possible. One of the fixes is for a hard coded password issue.

What is distributed version control?

Distributed version control is a way for an organisation’s codebase to be mirrored on the devices of anyone who needs access. Where people occasionally become confused is when they see a number of services using the word “Git” in their name. They’re not all the same thing, and we shouldn’t unnecessarily worry that one issue affects lots of different services due to naming conventions.

Are GitHub and GitLab the same thing?

They are not! If you’re reading about this update, you’re reading about an update for users of GitLab specifically. GitHub isn’t affected by this, and so users shouldn’t worry about missing security updates for hard-coded passwords. Hub and Lab are similar, but most definitely not the same.

What’s happened with GitLab?

There’s been a critical security release, addressing multiple issues. No fewer than 17 elements have been addressed, with one rated critical, two rated high, and nine rated medium. Here’s the rundown of the issue rated critical from their release page:

Static passwords inadvertently set during OmniAuth-based registration

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, 9.1). It is now mitigated in the latest release and is assigned CVE-2022-1162.

This vulnerability has been discovered internally by the GitLab team.

Note: We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.

What are hardcoded passwords, and why are they bad?

Hardcoded passwords, also known as embedded credentials, make using the software or device they’re attached to a risky business. If your cheap, off the shelf router has the same single password in use for every single device, that’s bad. Someone who owns one of these devices now knows the password for all of those devices. If your forum software has a single, unchangeable password buried in the code, that’s bad. Somebody with dubious intentions may well have the keys to the kingdom for all versions of that forum.

It’s a similar story here – with a few caveats. According to The Register, accounts created through OmniAuth using fewer than 21 characters for the password were vulnerable to the default password. A script has also been released which, in GitLab’s words, “…can be used by self-managed instance admins to identify user accounts potentially impacted by CVE-2022-1162”.

Time to update

If you think you may be impacted by this, make haste and check out the list of updates. You don’t want to leave an easy way in for attackers to exploit your business.


New UAC-0056 activity: There’s a Go Elephant in the room

This blog post was authored by Ankur Saini, Roberto Santos and Hossein Jazi.

UAC-0056 also known as SaintBear, UNC2589 and TA471 is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia. The group is known to have performed a wiper attack in January 2022 on multiple Ukrainian government computers and websites.

Earlier in March, Cert-UA reported UAC-0056 activity that targeted state organizations in Ukraine using malicious implants called GrimPlant, GraphSteel as well as CobaltStrike Beacon. Following up with that campaign, SOCPRIME and SentinelOne have reported some similar activities associated with this actor.

In late March, the Malwarebytes Threat Intelligence Team identified new activity from this group that targeted several entities in Ukraine, including ICTV, a private TV channel. Unlike previous attacks that were trying to convince victims to open a url and download a first stage payload or distributing fake translation software, in this campaign the threat actor is using a spear phishing attack that contains macro-embedded Excel documents. In this blog post, we provide a technical analysis of this new campaign.

Attack process

The following picture shows the overall attack procedure used by this actor. The attack starts with a malicious document sent as an attachment to a phishing email. The document contains a malicious macro that drops a payload embedded within the document. The next-stage payloads are then downloaded from the attacker’s server in Base64 format.

Figure 1: Attack process

Phishing email

The actor distributed phishing emails at least from March 23rd to March 28th. The email subject is Заборгованість по зарплаті (wage arrears) and the body of all the emails is the same:
Заборгованість по зарплаті. Оновлюється автоматично. Просимо надіслати вашу пропозицію для скорочення заборгованості по зарплаті. (Wage arrears. Updated automatically. Please send your offer to reduce your salary arrears.)

Figure 2: Phishing email

Excel document:

The attached document has the same name as the email subject, “Заборгованість по зарплаті”, and it seems the actor has used a legitimate document as a decoy.

Figure 3: Macro-embedded Excel document

This document contains an embedded macro that drops the first stage payload, called “base-update.exe”. The payload has been saved in a “very hidden sheet” named “SheetForAttachedFile”. The sheet contains the filename, the date the payload was attached (21st March 2022), the file size and the content of the attached file in hex format.

Figure 4: Hidden Sheet

The macro reads the content of the embedded file in the hidden sheet and writes it to the defined location for this payload, which is the “AppData\Local\Temp” directory. The macro used by the actor is taken from a website that described and provided code for a method to attach files to, and extract them from, an Excel workbook.

Figure 5: Macro
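As an added illustration (not code from the original post or from the actor), the following Go program scans an xlsx/xlsm container for the combination described above: a VBA project part plus a sheet whose state is veryHidden, which the Excel UI cannot unhide. It builds a constructed sample workbook in memory whose hidden sheet name mirrors the one in the analysis; the VBA part is placeholder bytes.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
)

// workbook mirrors the part of xl/workbook.xml we need: each <sheet> has a
// name and an optional state attribute (visible, hidden or veryHidden).
type workbook struct {
	Sheets []struct {
		Name  string `xml:"name,attr"`
		State string `xml:"state,attr"`
	} `xml:"sheets>sheet"`
}

// Report summarises one workbook.
type Report struct {
	HasVBA     bool     // xl/vbaProject.bin is present: the file carries a macro
	VeryHidden []string // sheets with state="veryHidden"
	Hidden     []string // sheets with state="hidden"
}

// Suspicious flags the combination used in this campaign: a macro plus a
// very hidden sheet from which the macro can read an embedded payload.
func (r Report) Suspicious() bool { return r.HasVBA && len(r.VeryHidden) > 0 }

// Inspect parses an Office Open XML workbook (xlsx/xlsm are zip containers)
// held in memory and reports macro presence and hidden/very hidden sheets.
func Inspect(doc []byte) (Report, error) {
	var rep Report
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return rep, fmt.Errorf("not a zip container: %w", err)
	}
	var wbXML []byte
	for _, f := range zr.File {
		switch f.Name {
		case "xl/vbaProject.bin":
			rep.HasVBA = true
		case "xl/workbook.xml":
			rc, err := f.Open()
			if err != nil {
				return rep, err
			}
			wbXML, err = io.ReadAll(rc)
			rc.Close()
			if err != nil {
				return rep, err
			}
		}
	}
	if wbXML == nil {
		return rep, fmt.Errorf("xl/workbook.xml missing")
	}
	var wb workbook
	if err := xml.Unmarshal(wbXML, &wb); err != nil {
		return rep, fmt.Errorf("bad workbook.xml: %w", err)
	}
	for _, s := range wb.Sheets {
		switch s.State {
		case "veryHidden":
			rep.VeryHidden = append(rep.VeryHidden, s.Name)
		case "hidden":
			rep.Hidden = append(rep.Hidden, s.Name)
		}
	}
	return rep, nil
}

// SampleWorkbook builds a constructed, minimal macro-enabled workbook in
// memory that mirrors the layout described above: a visible decoy sheet, a
// very hidden sheet named SheetForAttachedFile and a dummy VBA project part.
func SampleWorkbook() []byte {
	parts := map[string]string{
		"xl/workbook.xml": `<?xml version="1.0" encoding="UTF-8"?>` +
			`<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"` +
			` xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">` +
			`<sheets><sheet name="Decoy" sheetId="1" r:id="rId1"/>` +
			`<sheet name="SheetForAttachedFile" sheetId="2" state="veryHidden" r:id="rId2"/>` +
			`</sheets></workbook>`,
		"xl/vbaProject.bin": "placeholder bytes standing in for a real VBA project",
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, _ := zw.Create(name) // in-memory writer: Create cannot fail here
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	rep, err := Inspect(SampleWorkbook())
	if err != nil {
		panic(err)
	}
	fmt.Printf("macro=%v veryHidden=%v suspicious=%v\n", rep.HasVBA, rep.VeryHidden, rep.Suspicious())
}
```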

Elephant Dropper (Base-Update.exe)

Elephant Dropper is the initial executable deployed in this attack; as the name suggests this is a simple dropper which deploys further stages. This executable is written in the Go programming language and is signed with a stolen Microsoft certificate. The strings in the binary suggest that it was actually named as Elephant Dropper by the attackers themselves.

It checks if the “C:\Users\{user}\.java-sdk” directory exists on the system and creates it if it does not. The strings in the binary are encoded and are only decoded when they need to be used.
The dropper decodes the C2 address from a string, then downloads a Base64-encoded binary from the C2 and writes it to “C:\Users\{user}\.java-sdk\java-sdk.exe”. Judging from the strings present, this downloaded binary is named Elephant Downloader by the attackers. java-sdk.exe is then executed by the dropper with the following arguments: “-a 0CyCcrhI/6B5wKE8XLOd+w==”. The argument “-a” refers to address, and the Base64 string is the C2 address in AES-encrypted form.

Figure 6: Elephant Dropper

Elephant Downloader (java-sdk.exe)

Elephant Downloader is also written in the Go programming language and is executed by the Dropper. The main purpose of this payload is to maintain persistence on the system and to deploy the next two stages of the attack. The strings in this executable are encoded in the same way as in the Dropper. It makes itself persistent through the auto-run registry key: it creates an entry under “Software\Microsoft\Windows\CurrentVersion\Run” named “Java-SDK” with the value “C:\Users\{user}\Desktop\java-sdk.exe -a 0CyCcrhI/6B5wKE8XLOd+w==”.

Figure 7: Registry Key for Persistence

The downloader is responsible for getting the implant and the client; the URL paths for the payloads are stored in encoded form in the binary. It downloads the implant and the client from http://194.31.98.124:443/m and http://194.31.98.124:443/p respectively in Base64 encoded format.

After this, it decodes the file names which are stored as well in encoded format and creates the file in the earlier mentioned directory .java-sdk. The file name of the implant is oracle-java.exe and the client is microsoft-cortana.exe. The downloader executes both payloads and passes “-addr 0CyCcrhI/6B5wKE8XLOd+w==” as arguments to both. Again the Base64 string is the C2 address in AES encrypted format.

Figure 8: Implant and Client being dropped

Elephant Implant (oracle-java.exe)

Elephant Implant (also tracked as the GrimPlant backdoor) seems to be one of the most important payloads in this attack. This executable communicates with the C2 on port 80. As in the earlier payloads, the strings in this binary are encoded, and it also receives the encrypted C2 address from its parent process. The implant uses gRPC to communicate with the C2; it has a TLS certificate embedded in the binary and uses gRPC’s SSL/TLS integration, which lets the malware encrypt all the data it sends to the C2 over gRPC.

Figure 9: Embedded TLS Certificate in the Implant

The implant uses the MachineID library to derive a unique id for each machine. It also gets the IP address of the machine by making a request to “https://api.ipify.org/”.
It also collects information related to the OS in a function named GetOSInfo, as part of this the malware collects the hostname, OS name and number of CPUs in the system. A function named GetUserInfo collects the Name, Username and path to Home directory of the current user.

Figure 10: getSystemInfo function

The Implant can communicate with the C2 by using 4 types of RPC requests:

  • /Implant/Login – This is the initial RPC request that is sent to the C2. Along with this RPC request the earlier retrieved ID and system information is sent to the C2 as well.
  • /Implant/FetchCommand – This RPC request is used to retrieve the command that the actor wants to execute on the target machine. The retrieved command is executed via “%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe”. An AdminId and the Command to be executed are received as the response to this request.
  • /Implant/SendCmdOutput – This is used to send the output of an executed command by sending a SendCmdOutput RPC request to the C2. An AdminId and the Command Output are sent with this request.
  • /Implant/Heartbeat – A Heartbeat RPC request is made to C2 to send the status to the C2 at regular intervals. The machine id and system info retrieved earlier is sent with this request.

Figure 11: RPC Requests

Elephant Client (microsoft-cortana.exe)

The last payload described in this blog is the one named elephant_client by the actor (also tracked as the GraphSteel backdoor). Its functionality suggests that this final payload is a data stealer.
Similar to the other payloads in this attack chain, this payload receives the C2 server as a Base64-encoded parameter (0CyCcrhI/6B5wKE8XLOd+w==) that holds the server address in AES-encrypted form. Decoding the Base64 string gives us the C2 IP address in AES-encrypted form: d02c8272b848ffa079c0a13c5cb39dfb. The actor uses the following key to AES-decrypt (ECB, NoPadding mode) the C2 address: F1D21960D8EB2FDDF2538D29A5FD50B5F64A3F9BF06F2A3C4C950438C9A7F78E.
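As an added example (not the authors’ tooling), this Go program reproduces the decoding steps just described for the -a/-addr argument, using the argument and key quoted above: Base64 decode, then AES-ECB with no padding. It assumes the ciphertext is a single AES block and that the sample pads the address with NULs or spaces rather than PKCS#7, so the result is trimmed rather than unpadded.

```go
package main

import (
	"crypto/aes"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Values quoted in the analysis above: the argument the dropper passes to
// java-sdk.exe (and that the downloader passes on with -addr), and the AES
// key the client uses. 64 hex characters are 32 bytes, so this is AES-256.
const (
	C2Arg = "0CyCcrhI/6B5wKE8XLOd+w=="
	C2Key = "F1D21960D8EB2FDDF2538D29A5FD50B5F64A3F9BF06F2A3C4C950438C9A7F78E"
)

// DecodeArg performs the Base64 step only and returns the raw ciphertext.
// With ECB and no padding the ciphertext must consist of whole AES blocks.
func DecodeArg(arg string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(arg)
	if err != nil {
		return nil, fmt.Errorf("argument is not valid Base64: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is %d bytes, not a multiple of %d", len(ct), aes.BlockSize)
	}
	return ct, nil
}

// DecryptC2 reverses the whole scheme: Base64, then AES-ECB with no padding.
// ECB has no IV and no chaining, so each 16-byte block goes through the raw
// block cipher on its own. Trailing NULs or whitespace are trimmed because
// "no padding" means the sample pads the address itself rather than using
// PKCS#7. If the result is not printable text, the key or mode is wrong.
func DecryptC2(arg, hexKey string) (string, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return "", fmt.Errorf("key is not valid hex: %w", err)
	}
	ct, err := DecodeArg(arg)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32 byte keys
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	return strings.TrimRight(string(pt), "\x00 \t\r\n"), nil
}

func main() {
	ct, err := DecodeArg(C2Arg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext: %s\n", hex.EncodeToString(ct)) // d02c8272b848ffa079c0a13c5cb39dfb
	addr, err := DecryptC2(C2Arg, C2Key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted C2 address: %q\n", addr)
}
```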

Once the sample has established its connection with its C2 server, it starts collecting data and exfiltrating it to the server. At first it collects some basic information about the user and sends it to the server, as shown in Figure 12 (some information has been removed for privacy). The collected data is Base64 encoded and includes the hostname, OS name (windows), number of CPUs, IP address, Name, Username and home directory.

Figure 12: Collect user info

After that, the client tries to steal credentials from the victim’s machine. The actor steals data from the following services:

  • Browser credentials
  • WiFi information
  • Credentials manager data
  • Mail accounts
  • Putty connections data
  • Filezilla credentials

We have installed some of these services for testing purposes. Figure 13 shows how the stolen data is being sent to C2 server:

Figure 13: C2 communications

Base64-decoding the data shows what has been exfiltrated:

Figure 14: Stolen data

For example, to recover WiFi data, the command netsh wlan show profiles (which lists all SSIDs saved on the machine) is used. Once all the SSIDs are gathered, if any, it launches the command netsh wlan show profile [SSID] key=clear, which reveals all saved WiFi passwords:

Figure 15: Wifi data exfiltration commands

The following image shows an example of the command execution, where you can see some of the commands executed in the process:

Figure 16: Used commands

Figure 17 shows another example of exfiltration in which an encoded PowerShell command is used to steal the data from the Secure Vault:

Figure 17: PS command for exfiltration

In addition to stealing credentials, the actor steals all the files from the victim’s machine. To collect the data it iterates through all the files in the user directory and hashes each of them. All of these collected hashes are sent to the actor’s C2 server. Finally, the malware sends all of these files to the attackers.
Note that all the collected data are AES encrypted before being sent to C2 server, so packet inspection will not reveal any useful information.

Figure 18: Stealing files activity

Conclusion

UAC-0056, aka UNC2589, TA471 or SaintBear, is an active actor that has been performing cyber espionage campaigns against Ukraine since 2021. The group is known to have performed the WhisperGate disruptive attack against Ukrainian government entities in early 2022. Recently we observed new activity associated with this actor that used macro-embedded Excel documents to drop its malicious software on victims’ machines. In this blog we provided a technical analysis of this campaign.


The Malwarebytes Threat Intelligence team continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.

IOCs



Hive ransomware impacts California non-profit health organisation

Ransomware authors are once again targeting health services, holding important files to ransom and impacting potentially vital services. On this occasion, the victims are a non-profit organisation assisting people with their healthcare needs in California.

When Hive ransomware strikes

The victim, Partnership HealthPlan of California, has apparently been struggling since at least March 24 with this outbreak of Hive ransomware. Hive ransomware has been around since June 2021, and is a typical targeted ransomware-as-a-service (RaaS). It leverages threats to publish exfiltrated data to pressure victims to pay up. The ransomware group is known to work with affiliates that use various methods to compromise company networks.

Last August, the FBI published a paper detailing indicators of Hive compromise, along with additional tactics and techniques used by the ransomware operators. It is not a threat to be taken lightly.

The impact of ransomware

The website for the embattled provider currently reads as follows:

Partnership HealthPlan of California recently became aware of anomalous activity on certain computer systems within its network. We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation. Should our investigation determine that any information was potentially accessible, we will notify affected parties according to regulatory guidelines. We appreciate your patience and understanding and apologize for any inconvenience.

They go on to list what to do if you’re a partnership member or provider, along with the warning not to send any PII via email. As noted on VentureBeat, setting up alternate methods of contact (in this case, Gmail addresses) is a smart move in case their regular email comms are also compromised.

A slice of data exfiltration to round things off

Any impact on medical services can be extremely serious. Anything from routine appointments and check-ups to delayed operations or medical assistance can be the end result. The affected organisation in this case serves upwards of 600,000 people in the California region.

Additionally, the ransomware operators claim to have stolen 400GB of files. This allegedly includes 850k PII records, which include names, addresses, and social security numbers. This is less than ideal, though investigations are still ongoing. The primary concern right now has to be that services are restored to full functionality. The human impact of healthcare attacks is significant, and the kind of additional worry that people using said services don’t need to be dealing with.

This story is still developing, and we’ll add any important information to the blog as it comes to light. If you think you may be affected by this incident, you should contact the affected organisation using the contact details they’ve provided as soon as you can.


Update now! Apple patches two zero-day vulnerabilities that may have been actively exploited

Apple has released security updates for macOS Monterey 12.3.1, iOS 15.4.1, iPadOS 15.4.1, tvOS 15.4.1, and watchOS 8.5.1. The updates patch two vulnerabilities, and for both the advisory states that Apple is aware of a report that the issue may have been actively exploited.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the vulnerabilities that were patched in the updates:

  • CVE-2022-22674
  • CVE-2022-22675

Intel Graphics Driver

The vulnerability listed as CVE-2022-22674 exists in the Intel Graphics Driver and is described as an out-of-bounds read issue that may lead to the disclosure of kernel memory and that was addressed with improved input validation. Impacted devices are Macs running macOS Monterey. The graphics drivers are built into the Mac operating system.

AppleAVD

The vulnerability listed as CVE-2022-22675 exists in the AppleAVD audio and video decoding component and is described as an out-of-bounds write issue that was addressed with improved bounds checking. Impacted devices include:

  • Macs running macOS Monterey
  • iPhone 6s and later
  • iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Out-of-bounds read

If a flaw in a program allows it to read or write outside of the bounds set for the program, it is possible to manipulate other parts of the memory which are allocated to more critical functions. This can allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Specific details about the vulnerabilities have not been disclosed, which is Apple's usual practice: it gives as many users as possible a chance to update before others learn enough to abuse the flaws.

Stay safe, everyone!

The post Update now! Apple patches two zero-day vulnerabilities that may have been actively exploited appeared first on Malwarebytes Labs.

Globant suffers network breach due to LAPSUS$ compromise

Globant, an IT and software development firm with offices around the globe, admitted in a press statement on Wednesday that it has suffered a breach of its network. Affected data includes (but may not be limited to) some source code and certain project documentation belonging to clients.

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access. We have activated our security protocols and are conducting an exhaustive investigation,” company officials wrote. “To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected. We are taking strict measures to prevent further incidents.”

The breach allegedly represents the latest work of the increasingly notorious threat actor group LAPSUS$, which claimed responsibility for the attack this week. In a message sent on Telegram to 45,000 followers, the individuals who claim to be behind LAPSUS$ first announced that they were “officially back from vacation.”

The Telegram message sent by LAPSUS$ to its channel. It’s business as usual. The message contains links related to the Globant breach, including a screenshot of the data the group has taken. Some of the folders were clearly labeled “apple-health-app,” “Facebook,” and “DHL.” (Source: Ars Technica)

A follow-up message sent shortly after reads:

For anyone who is interested about the poor security practices in use at Globant.com. I will expose the admin credentials for ALL their devops platforms below.

As of this writing, Globant has not confirmed when it was breached, nor whether the group has approached it for a ransom.

More about LAPSUS$

Globant is the latest company in a lengthening list of big names compromised by LAPSUS$, a relatively new group in the online extortion scene. The list already includes Microsoft, Nvidia, Samsung, LG, and Okta.

If you’re wondering whether LAPSUS$ has always targeted such large organisations, the answer is yes. When LAPSUS$ first grabbed the attention of the cybersecurity community, it had already compromised Impresa, Portugal’s largest media conglomerate; Claro, one of Brazil’s telecommunications operators; and Brazil’s Ministry of Health.

These early attacks led people to believe that LAPSUS$ hailed from South America; notably, the group’s Spanish and Portuguese read like that of native speakers. Microsoft tracks the group as “DEV-0537”.

As a criminal group, their primary focus is to break into companies, steal data, and demand a ransom. In some cases they have used ransomware, as well as phishing and other social engineering tactics, to get inside target systems. LAPSUS$ is known not only for stealing data but also for stealing source code from the companies it targets, and it has been reported that the group reuses what it steals, for example code-signing certificates, to make its malware look legitimate. To date, the group has reportedly pilfered a total of $14 million (£10.6 million).

Before revealing that it had breached Globant and stolen the company’s data, LAPSUS$ claimed that some of its members were taking “a vacation”. In cybersecurity, an announcement like that usually means one of two things: the threat actors are moving out of the spotlight to lie low because of pressure from law enforcement, or some of them have already been caught. It appears that the latter applies in LAPSUS$’s case.

In late March, cybersecurity researchers investigating these high-profile hacks traced the attacks to a 16-year-old in Oxford, England. The teen, who remains unnamed because of his age, goes by the online monikers “White” and “Breachbase” and is believed to be the group’s mastermind. His personal information, including that of his parents, was reportedly leaked by rival hackers. On top of that, forensic investigators used evidence from the hacks and public information to tie him to the hacking group.

Another suspected LAPSUS$ member is also a teenager but based in Brazil. According to Bloomberg, this teen is “so skilled at hacking—and so fast—that researchers initially thought the activity they were observing was automated.”

Investigators looking into the hacks have found a total of seven unique accounts associated with the extortion group. This indicates that there are likely more members of LAPSUS$ that are involved.

On March 21, the FBI launched a public appeal for information about the group. Four days later, news broke that UK police had arrested seven teenagers between the ages of 16 and 21 as part of an international police investigation into the LAPSUS$ gang. Today, according to the BBC, two of the teens (aged 16 and 17) have been formally charged with “three counts of unauthorised access to a computer with intent to impair the reliability of data, one count of fraud by false representation, and one count of unauthorised access to a computer with intent to hinder access to data.”

The 16-year-old, whom we believe could be the teen from Oxford, is also charged with “one count of causing a computer to perform a function to secure unauthorised access to a program.”

The post Globant suffers network breach due to LAPSUS$ compromise appeared first on Malwarebytes Labs.

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Cybersecurity can be complex work, as security teams need to regularly decipher and prioritize alerts, protect against daily threats, and possibly implement product configuration changes, all while staying abreast of the latest intelligence on new and evolving threats. For organizations that lack fully staffed, internal security teams, or sometimes even one security hire, cybersecurity is then a function of simplicity and time: Any good cybersecurity product must be effective and intuitive out of the box.

With the results of this year’s MITRE ATT&CK® Evaluation, announced today, Malwarebytes’ standout performance proves that our Endpoint Detection and Response (EDR) solution is just that type of product.

In the two categories of Protection and No Delays or Configuration Changes, we achieved a 100 percent success rate, meaning that our business product stopped every tested cyberthreat before it reached a machine, and we did it “out of the box,” meaning that we did not have to change any configuration settings to achieve total protection. For the many businesses that lack a SOC, this simple, intuitive protection is vital to their daily operations, as it allows those businesses to focus on any threats that do manage to get through.

We also detected 83 out of 90 steps that were included in the MITRE ATT&CK Evaluation, and of the corresponding 83 alerts for those steps, 82 were of the highest quality, providing actionable insight that could help stop an attack as it happens. Combined with our 100 percent protection score and our user-friendly simplicity, Malwarebytes can give even small businesses everything they need to get back to doing what they do best—their jobs.


In this post, we will focus less on how Malwarebytes performed in the MITRE ATT&CK evaluation, and more on what the test means and how it can be best interpreted by businesses of all sizes.

Why MITRE ATT&CK matters to you 

Choosing a cybersecurity product can be just as difficult as understanding its advertising. Vendors constantly vie for customers, promising new capabilities baked into varying, three-letter acronyms coupled with the “latest,” “greatest,” “best-in-class” features. Adding to this complexity is the fact that, seemingly every day, a new cyberthreat emerges that can derail any business, small or large, and it’s difficult to know if any product under consideration will be effective against evolving attacker techniques.

Fortunately for customers, there are multiple third-party tests that can provide better insight into how cybersecurity products would perform under real-world testing. Interpreting those results, though, and actually applying them to the real world can be challenging. For the many businesses that still see cybersecurity as a solution that can hopefully be implemented directly “out of the box,” how do the various comparison graphs and tables of stats reveal which solution will deliver on that promise?

We’re going to help explain the 2022 MITRE Engenuity ATT&CK Evaluation results with the same approach we take to cybersecurity overall: We want to make it simple and actionable for you.

The MITRE ATT&CK Evaluation third-party test involves the work of cybersecurity researchers testing individual cybersecurity vendors’ products against documented attack methods. This year the testing was modeled after real-world threat actors Wizard Spider and Sandworm. MITRE Engenuity’s researchers record how a product performs across separate activities: Did a product catch every “substep” of an attack? Did it provide a quality alert that provided robust information to the end-user? During Protection evaluation, did it prevent an attack that could have distracted an end-user from the primary attack? And did a vendor go into the product and change any settings to improve results after missing a step?

To understand the results this year, we are going to explain three evaluation categories that provide the best judgment opportunity for businesses choosing a cybersecurity vendor. Those categories are Visibility, Analytic Coverage, and Protection. We will also explain the importance of configuration changes.

Visibility 

Cyberattacks do not happen in a vacuum. When attackers pull off something like a ransomware attack, they have often been planning and carrying it out over a period of days or weeks, leaving behind clues that they have breached a network and started to spread laterally before delivering a final payload. And while spending weeks on an attack may seem long to some, it’s important to remember that these very same attacks used to take months. Threat actors are working faster and more efficiently than ever before, often equipped with automated tooling, which is why third-party tests like this one matter: organizations have to recognize warning signs more quickly and respond to them to avoid falling victim. As always, it is better to stop an attack at the start of its chain than to try to recover after it has struck, especially when the attack ends with encrypted data, as the one used in this year’s MITRE evaluation does.

Without good visibility, your cybersecurity team is lost. With no prior warnings sent to your team, every cybersecurity event becomes an emergency, likely noticed first by an employee with seemingly isolated computer issues. In reality, that one employee’s problems could be replicated across your business, the visible result of an attack that began weeks ago and that you and your teammates are only seeing today.

Strong cybersecurity products provide visibility into those attacks as they happen, warning users about suspicious activity along the way and helping provide information so that an attack can be stopped before it escalates. In fact, in this year’s MITRE ATT&CK testing, one of the attacks started in the simplest way—a user accidentally opening a malicious file.

Other steps in the attack included access using unsecured credentials, lateral movement through Remote Desktop Protocol, and multiple instances of Ingress Tool Transfer, which points to threat actors bringing their own files or tools into the now-compromised network. The sequence of steps recorded in the evaluation shows a clear “attack flow,” from the earliest stage, the execution of a malicious file, through credential access, discovery, defense evasion, and lateral movement, until, at the completion of the attack, the victim’s data is encrypted.

The MITRE ATT&CK Evaluation’s 90 steps show a clear intent of attack, and a good cybersecurity product will catch these types of activities and warn your security team about them when they happen. In the testing, the number of steps detected provided the product’s “Visibility” score, because the more steps a security team is warned about, the clearer a picture they have to stop an attack as it happens.

Malwarebytes detected 83 out of 90 steps, or 92 percent of all steps.

Alert quality 

As we explained above, visibility is a crucial component for any cybersecurity product, as a collection of warnings can provide some patterns for the human users on the other end to interpret. But warnings themselves are not always enough. Often, security teams need to know more about a specific warning to understand whether it is an issue or not, and how, specifically, they should respond, depending on what a warning tells them. After all, a non-informative warning can be as ineffective as a non-existent one.

This is where alert quality comes into play.

Not every alert is equal. Some provide detailed information that security teams can act on, while others only notify a security team that something happened. In the MITRE ATT&CK evaluation results, alerts are given three tiers of specificity, from least to most specific: General, Tactic, and Technique.

Technique alerts are the ones that empower security teams to solve problems faster. Going beyond a basic description of what happened, such as a PowerShell script being executed on a machine, a Technique alert explains the surrounding context: what the threat actors are trying to accomplish with the script, for example persisting in an environment even after a reboot, and how they achieve it, for example by changing a registry value under the Winlogon key so that an arbitrary binary is executed at logon or logoff (ATT&CK technique T1547.004, Winlogon Helper DLL).

These quality alerts help not just small- to medium-sized businesses with equally small IT teams; they also help the Managed Service Providers who often support those businesses. For small IT teams, quality alerts help prioritize which problems need to be addressed, while MSPs gain better intelligence for their SOCs. In our MITRE results this year, Malwarebytes delivered 82 Technique alerts out of the 83 alerts delivered in total, meaning that nearly every piece of information we offered to security teams was of the highest quality.

Protection 

Nearly every important component of the MITRE ATT&CK Evaluation results fits into the broader umbrella of actionable intelligence. Quality alerts help all teams—from small to large to MDR to MSP—prioritize the cybersecurity issues that will affect them most, while raw telemetry across the landscape of the attack gives more evidence of what is happening and when.

But the value of both components could diminish under an onslaught of cyberevents that bog down any response. What helps in these situations is protection—preventing attacks before they happen. Without protection, even a wealth of high-quality alerts will only stretch your IT team to its limit, unable to meaningfully prioritize, forced to make every alert a priority.

Here, Malwarebytes stands particularly proud, having achieved a 100 percent success rate in the Protection category for Windows. We must note that for this MITRE ATT&CK round we did not submit our solution for Linux testing; that part of the evaluation is optional, but skipping it still affects how a vendor’s Visibility score compares with others. Malwarebytes recognizes the importance of cybersecurity for every operating system within an organization, and our EDR solution for Linux will be available on April 5.

A note on configuration changes 

Designing a third-party cybersecurity test isn’t easy, as any meaningful evaluation must consider how a product is used by real organizations, from the smallest nonprofit to the largest enterprise. But what’s good for one subset of organizations isn’t necessarily good for the other.

One of the allowances MITRE Engenuity gives their participants is the ability to change configuration settings in a security product once an evaluation has already begun. This reflects the real-world application of larger enterprise companies that have security professionals who prefer a robust interface of settings and configurations that they, personally, can adapt to their own business environment.

There is a flip side to this, though: countless customers do not have the time to configure their security product’s settings, and just as many lack the internal or external resources for such a project. For these customers, endpoint security still needs to function as a “set it and forget it” tool. Importantly, these customers may actually lose value if they try to implement the same kinds of configuration changes that MITRE Engenuity allows, because those changes will likely produce a greater quantity of alerts, leaving them to spend more time working out which alerts matter and how to respond. This undermines the visibility and alert quality components, as customers sift through a potentially large number of additional, low-quality alerts to find the priority actions, a productivity loss no organization, big or small, is willing to accept.

Malwarebytes completed the MITRE ATT&CK Evaluation without delays or configuration changes, so our results reflect the out-of-the-box efficacy customers expect.

We consistently want to provide cybersecurity in a simple, accessible, and effective way, and that means developing a product that responds to cyberthreats even without any configuration changes. This isn’t easy, as every business environment is different, but it’s worth the trouble if it means our users are safer than they were without us.

Making use of MITRE 

Third-party tests should empower your team to choose the right cybersecurity product for their own business goals. No matter your organization’s size or complexity, though, a few criteria must be met: Your solution must catch the warning signs of an attack in progress, it must provide the highest-quality alerts possible, and it must prevent as many attacks as possible, so as to not overwhelm your security team and your employees.

The MITRE ATT&CK Evaluation thankfully evaluates many cybersecurity tools on these exact metrics. We hope that, with our breakdown on what matters when reading the results, you and your business are able to thrive, away from cyberthreats.

If you want to learn more about how Malwarebytes performed in the MITRE ATT&CK Evaluation, you can contact us here.

The post MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks appeared first on Malwarebytes Labs.