IT NEWS

Malwarebytes Evaluation of the MITRE ENGENUITY ATT&CK Round 4 Emulations 

The results of the MITRE Engenuity ATT&CK Evaluation of the Wizard Spider and Sandworm adversaries were officially released1 last week. We are very proud of the Malwarebytes EDR results in the MITRE Engenuity test, which are the direct reflection of a relentless core EDR team and the learnings from participation in prior MITRE Engenuity testing rounds.

MITRE Engenuity provides the results in a structured format which allows for deeper understanding of the products being tested. Thanks to this level of reporting, we can see how well each product is prepared to detect, and ideally prevent, attacks by advanced adversaries.

The MITRE Engenuity data also allows anybody to determine the level of visibility and the level of analytics coverage of each EDR product tested. But it allows much more than that. Based on the data, anybody can also derive the level of configuration required for best detection, the level signal to noise ratio, the level of investigation needed to understand and act on alerts, and many more things.

As a summary of our analysis of the data so far, we believe that the MITRE Engenuity results back up our claims that Malwarebytes EDR:

  1. Needs little or no need to customize configurations
  2. Provides best analytics coverage, useful alerts, and high signal-to-noise ratio
  3. Is effective at preventing advanced attacks

MITRE Engenuity ATT&CK Emulations 101

MITRE Engenuity replicates well known hacking attacks, by reconstructing the various steps of attacks on enterprise networks, from the initial compromise to the exfiltration of sensitive data and persistence. In the MITRE Engenuity Round 4 evaluation, the attacks replicated were those of the cybercrime groups Wizard Spider and Sandworm. Each attack step includes several sub-steps that go in-depth into how the attack is carried out. The higher the number of sub-steps identified by the security software, the greater the visibility of that attack step and thus the possibility for the product and a customer to identify and react to the attack.

Prior to the 4 days of intense testing, vendors are allowed to configure and deploy their products to their optimum settings. After the emulation is carried out by MITRE Engenuity on the victim machines, vendors need to show MITRE Engenuity how their product has performed against each sub-step of the attack. For each sub-step, vendors can showcase “No detection,” “Telemetry detection,” “General detection,” or higher quality detections such as MITRE Engenuity-mapped Tactic and Technique detections. MITRE Engenuity gathers details of every little step of the way during investigation and reporting of findings.

Overall raw visibility results

The MITRE Engenuity ATT&CK Evaluation of Wizard Spider and Sandworm involved 109 sub-steps altogether. The emulations which focus on the Windows platform account for most of the steps, i.e. 90 out of the 109 sub-steps are exclusive to Windows OS. The remaining 19 steps are carried out in the Linux platform. Vendors are evaluated based on the number of detections over the corresponding number of sub-steps for the platforms they participated in. For vendors who did not participate on the Linux emulation, the total number of sub-steps is 90. For vendors who participated in in the Linux emulation, the total number of sub-steps is 109.

Malwarebytes did not participate in the Linux test because our EDR product for Linux was not yet available during the MITRE Engenuity evaluation in October 2021. However, Malwarebytes EDR for Linux is available in beta today with similar detection capabilities as the Malwarebytes EDR for Windows agent.

The following “overall raw visibility” ratios are based on the corresponding number of sub-steps for each vendor. When reviewing the results or calculating scores, pay attention to the total number of sub-steps (90 or 109) to ensure accurate scores.

1 MITRE Visibility including config

A very important note about Modifiers and “Configuration Changes”

During the evaluation vendors cannot change the configuration of the tested product, as this would have affected the accuracy of the results. However, MITRE Engenuity does allow configuration changes to be made to the EDR product if the vendor can provide better, higher quality details for a specific sub-step, or after a miss of a specific sub-step. Sub-steps which are detected by the product after a configuration change are marked with a “Config Change” modifier. These change modifiers allow us to better understand the limitations of each product to deal with attacks from advanced adversaries. These modifiers indicate which changes, tweaks, or manual detections the vendor added during the test in order to be able to detect a specific sub-step which was not detected to the vendor’s liking by the product the first time it was tested. Based on the MITRE Engenuity methodology2:

  • The vendor is allowed to perform changes to the product such as obtaining telemetry from alternative data sources, which may not yet be readily available to the typical enterprise customer. These modifiers are labeled as “Config Change (Data Source)”.
  • The vendor is allowed to create or provide a higher quality detection by modifying the detection logic and triggering new alerts. These modifiers are labeled as “Config Change (Detection Logic)”.
  • The vendor is allowed to change the UI of the product to provide better mapping to MITRE Engenuity Tactics and Techniques. These modifiers are labeled as “Config Change (UX)”.
  • The vendor and product may trigger an alert after a delayed period of time, typically because of a manual submission to a sandbox by the EDR operator, or from a Managed Detection and Response (MDR) team. These modifiers are labeled as “Delayed Detection

Vendors are allowed to make use of Configuration Changes and Delayed Detections after the first pass of testing with the original config.

At Malwarebytes we believe any EDR product should strive to be easy to use out-of-the-box and without requiring advanced configuration, especially given the high demand and low supply of specialized IR personnel.

2 MITRE number config changes delayed detections

Overall raw visibility results without configuration changes

We wanted to get an interpretation of the data which would represent what an out-of-box experience would be for a typical customer. Therefore, in the following data analysis we discard all detections from any vendor which are the result of a Configuration Change. Config Change detections are not representative of the typical experience that a customer would have with the EDR product. These detections derive from the vendor itself re-configuring the product to detect something that wasn’t detected during initial MITRE Engenuity testing.

For the following graph, higher quality detections such as Technique are downgraded to Telemetry detections if they are the result of a “Config Change (UX)” or “(Detection Logic)”. Telemetry-only detections are discarded if there is an associated “Config Change (Data Source)” modifier.

Our parser3 is available to replicate this analysis of discarding Configuration Changes and Delayed Detections. If we discard Configuration Changes and Delayed Detections during the test, then the “overall raw visibility” results vary not so slightly:

3 MITRE Visibility wihtout config

The MITRE Engenuity Analytics Coverage—a focus on detection quality

The above approach which looks only at “overall raw visibility” is the quickest, although also probably the most incorrect way, to interpret the data. Looking only at “overall raw visibility” does not take into account aspects which are critical to understanding the quality of the EDR product being evaluated.

MITRE Engenuity provides a much more interesting and useful datapoint to determine EDR detection quality, which is “Analytics Coverage”. As defined by MITRE Engenuity, Analytics Coverage is “the ratio of sub-steps with detections enriched with analytics knowledge (e.g. at least one General, Tactic, or Technique detection category)”.

An Analytics Coverage index highlights which detections are higher quality detections which make it easier for the user or practitioner to act upon and to initiate response and remediation actions. By contrary, too many detections deriving from “Telemetry” events or delayed detections which were manually added later by the vendor are indicative of EDR solutions which require large, specialized teams to operate.We believe a quality EDR product should be quick to identify and highlight the root problem of each incident in an easy-to-understand manner which facilitates response and remediation. If we focus on the Analytics Coverage indicator of quality alerts for each vendor, the results vary considerably:

4 MITRE Analytic coverage windows

MITRE Engenuity results for Windows

The MITRE Engenuity test involved 109 steps altogether, of which 90 were executed in the Windows OS platform. In this section we will analyze the results of each vendor against the Windows attacks only.

We plot both the “Overall Raw Visibility” and “Analytics Coverage” datapoints from the above paragraphs into a quadrant to see where each EDR products’ capabilities fall within these dimensions.

Just like before, we discard detections which come from a Configuration Change or Delayed Detection due to these being considered “misses” by us at the time of the test, and not representative of the customer experience without a specialized and dedicated SOC.

5 MITRE MQ graph

Protection

While all EDR products should be able to DETECT, not every EDR product has the ability to PREVENT advanced attack tactics.

Prevention and real-time blocking of advanced attack tactics is a delicate matter which involves balancing effective real-time protection through advanced exploit mitigations, AI/ML, behavior monitoring, sandboxing, and heuristics on one side, and minimizing conflicts and the need for highly specialized configurations and tuning on the other side.

We are very glad and humbled to be amongst good company in this challenging test.

6 MITRE protection efficacy

Summary

Malwarebytes is one of the very few companies during the MITRE Engenuity Round 4 Evaluation who did not need to make any Config Changes to trigger quality detections, and at the same time achieved some of the top scores in visibility and analytics. This points to Malwarebytes as one of the top EDR leaders.

We believe that the MITRE Engenuity Round 4 results are a true representation of the Malwarebytes EDR strengths as a better out-of-the-box solution:

  1. Little or no need to customize highly specialized configurations
  2. High quality alerts and signal-to-noise ratio
  3. Effective not just at detecting, but also preventing advanced attacks

MITRE Engenuity does not offer its own interpretation or ranking of the test results. But if we were to apply our own interpretation of the results to a ranking methodology and framework similar to those used by testing organizations AV-Comparatives, MRG-Effitas, etc., it could look something like this:

Leaders Contenders Challengers
Cybereason Microsoft Check Point Software
SentinelOne Trend Micro Symantec
Palo Alto Networks CrowdStrike FireEye
Malwarebytes Fortinet McAfee
Cynet ReaQta
Cylance** Cisco
VMware Carbon Black** AhnLab
CyCraft
Sophos
Leaders Ranking Criteria* Contenders Ranking Criteria Challengers Ranking Criteria
90%+ analytics coverage out-of-the-box (without config changes)
90%+ Protection scores
80%+ analytics coverage out-of-the-box (without config changes)
80%+ Protection scores
40%+ analytics coverage out-of-the-box (without config changes)
40%+ Protection scores

* The ranking criteria could be stricter if instead of looking at e.g. “90%+ analytics coverage” we set the criteria of “90%+ Technique coverage”, as suggested4 by Josh Zelonis. We fully agree with Josh’s point of view that the market needs to evolve to using Technique detections as the most important metric.

** Vendors that achieve the CHALLENGERS criteria but who also achieve 80%+ protection rates get bumped to CONTENDERS since we believe that effective prevention is more cost-effective than detection.

*** Vendors shown are listed in order or higher Analytics Coverage. Not all vendors who participated in the MITRE Engenuity Round 4 evaluations are included in the ranking above. Those that didn’t participate in the Protection test and/or who achieved low analytics coverage or protection scores may not fit the ranking criteria and thresholds as defined above.

This post was authored by Bogdan Demidov, Marco Giuliani, and Pedro Bustamante.

The post Malwarebytes Evaluation of the MITRE ENGENUITY ATT&CK Round 4 Emulations  appeared first on Malwarebytes Labs.

A week in security (April 4 – 10)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (April 4 – 10) appeared first on Malwarebytes Labs.

Credential-stealing malware disguises itself as Telegram, targets social media users

A credential-stealing Windows-based malware, Spyware.FFDroider, is after social media credentials and cookies, according to researchers at ThreatLabz.

The version analyzed by the researchers was packed with Aspack. The spyware is offered on download sites pretending to be installers for freeware and cracked versions of paid software. The analyzed version of Spyware.FFDroider disguises itself on victim’s machines to look like the instant messaging application “Telegram”. Several campaigns were found to push out this spyware, but all of them were easily connected by the malicious program embedded in the cracked versions of installers, and freeware.

Browsers

After checking the IP of the affected machine by querying the legitimate service at iplogger.org, Spyware.FFDroider starts its cookies and credentials stealing routine. It uses specific methods for each browser to exfiltrate the data stored in the target browsers:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Microsoft Edge

The target websites it looks for are:

  • www.facebook.com
  • www.instagram.com
  • www.amazon.ca/cn/eg/fr/de/in/it/co.jp/nl/pl/sa/sg/es/se/ae/co.uk/com/com.au/com.br/mx/tr
  • www.all-access.wax.io
  • www.ebay.com
  • www.etsy.com
  • www.twitter.com

The malware also plans to steal saved VPN/dial up credentials from the AppdataMicrosoftNetworkConnectionsPbkrasphone.pbk and Pbkrasphone.pbk phonebooks if present.

Social media

For Facebook and Instagram, the stealer has another trick up its sleeve. If the malware manages to grab cookies for facebook.com or instagram.com from any of the target browsers, the cookies are replayed on the social media platforms.

First, the malware checks whether it is able to authenticate using the stolen cookies. If the cookies are valid and provide proper authentication, it sends a GET /settings request using the Access Token to facebook.com along with the authenticated cookies so it can fetch the User Account settings of the compromised account.

Next, it checks whether the compromised account is a business account and has access to Facebook Ads Manager and fetches the following details using the stolen cookies by parsing the responses:

  • Fetch Account Billing and Payment Information from the Facebook Ads Manager.
  • Fetch the users’ Facebook pages and bookmarks.
  • Enumerate the number of Facebook friends and other user related information.

Since all the stolen information is sent to a command and control (C&C) server, it is likely that this information will be leveraged later to run malicious advertisements from the victims’ account and use the compromised account’s payment method to spread the malware further.

In a very similar way, Spyware.FFDroider looks for valid session cookies for Instagram to exfiltrate personal information such as the email address, the Instagram userID, the saved password, and the phone number from the Instagram account edit webpage and send it to the C&C server.

Other functionality

Spyware.FFDroider creates an inbound whitelisting rule in the Windows Firewall to allow itself to communicate, which requires administrative privileges. This will enable normally disallowed connections to the affected system.

After stealing and sending the stolen details from the target browsers and websites to the C&C server, Spyware.FFDroider tries to upgrade itself by downloading other modules from an update server.

If the filename at the time of execution is renamed to test.exe then the malware goes into its debug state and pops up messages on every loop. It then prints out the stolen cookies and the results which are created to be sent to the C&C holding the information collected from each targeted browser for the target websites. The debug state is very likely what the malware authors used to check the malware’s functionality during development.

IOCs

Files and folders:

The malware creates a directory in %UserProfile%Documents named VlcpVideov1.01

In this folder it drops the file:

Install.exe

The malware is hosted online as:

vinmall880.exe

vinmall1.exe

lilay.exe

SHA256 hashes:

3596982adf10806e7128f8f64621ec7546f4c56e445010523a1a5a584254f786

7eb7bd960e43164184e41cdacf847394a5aa8b7bce357d65683bc641eef3381b

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474

d7e81d5c26a9ff81d44ff842694b1a8732211e21ac32a471641c4277c1927ca5

All detected by Malwarebytes as Spyware.FFDroider

Malwarebytes blocks Spyware.FFDroider

Subdomain:

download.studymathlive.com

Malwarebytes blocks the subdomain download.studymathlive.com

IPs:

C2: http://152.32.228.19/seemorebty

Update server: http://186.2.171.17/seemorebtu/poe.php?e=<filename>

Malwarebytes blocks the IP 186.1.171.17

Registry key:

HKCUSoftwareffdroiderFFDroider

Stay safe, everyone!

The post Credential-stealing malware disguises itself as Telegram, targets social media users appeared first on Malwarebytes Labs.

Old Play Store apps served notice by upcoming API level changes

Starting very soon, old and outdated apps on the Google Play Store will no longer be available to download. A major clearout is coming, and if you’re an app developer it may be time to overhaul your product or face Android-centric oblivion.

What’s happening?

Android makes use of APIs (application program interfaces) as a way of helping to figure out what runs where, as well as how apps work alongside security measures and other features.

What we have is a sliding scale for apps becoming increasingly outdated and unsupported. Lag behind too much, and you may have a problem.

In other words: do you own an old Android phone? You may find that newer versions of apps simply refuse to install. The older devices are essentially trying to play catch-up, with applications increasingly outrunning them. This is perfectly normal, as newer apps rely on more modern features and functionality that old Android OS versions simply cannot handle.

By the same token, old outdated apps are increasingly discouraged from running on newer devices. Android is tightening restrictions on old apps in order to keep users secure, via their target API level policy.

Current and future API restrictions

Android’s target API level is the previously mentioned sliding scale for applications. Google doesn’t want you running a bunch of very old and potentially insecure apps on your device. 

Current requirements expect new apps and updates to target an Android API level “within one year of the latest major Android OS version release”. As a result, any app which falls behind this level requirement can’t be published on Google Play. This is all about to change.

From November 1, as per the Android blog:

“Existing apps that don’t target an API level within two years of the latest major Android release version will not be available for discovery or installation for new users with devices running Android OS versions higher than apps’ target API level. As new Android OS versions launch in the future, the requirement window will adjust accordingly.

The requirement for apps to focus on API levels inside of one year within the most recent OS has been for new apps only, up to this point. The changes coming in November broaden this out quite a bit. From that point on, all apps will be required to keep up with a Target API within two years of the most recent OS. New? Old? Already in the store? It no longer matters. You’ll have to play by the rules if you want to remain visible and updated.

According to Ars Technica, old apps already on the Google Play Store not targeting Android 11 and up will be hidden from store listings. Apps not targeting Android 12 and up will still be visible, but they won’t be able to update anymore.

All my apps gone?

Not exactly. It isn’t the case that all of these old apps will just vanish completely into the ether. Going back to the Android blog:

“Current users of older apps who have previously installed the app from Google Play will continue to be able to discover, re-install, and use the app on any device running any Android OS version that the app supports.

Depending on your current mobile situation, you should in theory be able to reinstall apps you simply can’t do without. Your old apps will still work with your old phone. At some point though, you may simply have to move on to app pastures new as the future ultimately looks bleak for the abandoned and the no-longer-updated.

Playing the long game

Despite these fairly major changes in Android land, developers now have quite a bit of time to figure out what to do with their apps. We can safely assume anything not updated by the time two years rolls around is probably fine to be hidden from view.

This feels like a fairly flexible setup for devs to get their app affairs in order, especially given they can ask for a six month extension should they need more time for migration. The timer is most definitely ticking, but this is ultimately what’s best for keeping Android owner’s security and privacy at the forefront of Play Store activities.

The post Old Play Store apps served notice by upcoming API level changes appeared first on Malwarebytes Labs.

Denonia cryptominer is first malware to target AWS Lambda

Security researchers at Cado Security, a cybersecurity forensics company, recently discovered the first publicly-known malware targeting Lambda, the serverless computing platform of Amazon Web Services (AWS).

Though Lambda has been around for less than ten years, serverless technology is considered relatively young, according to Matt Muir, one of Cado’s researchers. Because of this, security measures for such a technology is often overlooked.

This lack of oversight has now bore fruit.

The malware in question, dubbed “Denonia,” is a cryptominer, which is software that allows the mining of cryptocurrency on computers and servers. The malware’s name is inspired by the domain the threat actors behind the cryptominer communicate with.

A cryptominer may not be among the ranks of ransomware, worms, and general Trojans. Still, the possibility of them taking advantage of Lambda is already here; a Pandora’s Box that can no longer be sealed.

Denonia, realized

Denonia is a Go-based wrapper that contains a modified version of the popular, open-sourced cryptomining software, XMRig.

Though not inherently malicious, XMRig came into prominence after an increase in cryptojacking was recorded in mid-2017, most of which was attributed to XMRig activity maliciously mining Monero. Since then, it has gained the reputation of being the miner of choice of cryptojackers.

Upload dates of Denonia samples on VirusTotal—one was in February, and an earlier sample in January—suggest attacks may have already been going on for months.

Denonia uses a unique evasion technique around address resolution to hide its command and control (C2) domain and traffic, making it difficult to detect using typical measures while making communicating with other servers easier. We have yet to find the actors behind Denonia as they left behind little forensic clues.

Because of these, Cado researchers think the actors behind such attacks possess advanced cloud-specific knowledge to take on a complex infrastructure. Thankfully, this cryptominer has limited distribution.

It’s unknown how actors deploy Denonia, but the researchers suspect that they likely used stolen or leaked AWS access and secret keys, which has happened before. AWS confirmed that actors didn’t breach Lambda via a vulnerability, saying in a follow-up statement to VentureBeat: “the software described by the researcher does not exploit any weakness in Lambda or any other AWS service.”

“The software relies entirely on fraudulently obtained account credentials,” the statement continues. It also stresses that Denonia shouldn’t be considered malware “because it lacks the ability to gain unauthorized access to any system by itself.”

“What’s more, the researchers even admit that this software does not access Lambda — and that when run outside of Lambda in a standard Linux server environment, the software performed similarly.”

The researchers explained in their post how this is possible: “We suspect this is likely due to Lambda ‘serverless’ environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox.”

Can organizations protect against Denonia and other Lambda-focused attacks?

Lambda is becoming popular because its cheap to run and easier to maintain. Organizations only have to pay for its runtime, not a full server to run their applications. This is a huge money-saver, allowing organizations to allocate money they saved to other matters that may need more financial support.

When it comes to security, however, serverless environments have some catching up to do.

A good starting point for organizations is to secure root credentials and access keys. This is in accordance with AWS’s shared responsibility model, wherein AWS is responsible for taking care of and securing Lambda, but organizations are responsible for securing their own content and functions (programs or scripts) that run on Lambda.

  • Refrain from using root access to perform daily tasks. Instead, use it only to (1) create an AWS IAM (Identity and Access Management) admin user account or (2) carry out access and account management tasks.
  • Lock away your root access credentials.
  • Use a strong AWS root account password. (We have a podcast about that!)
  • Enable multi-factor authentication (MFA) on your AWS root account.
  • If you have an access key for your AWS root account, delete it. If you must keep it, change the access key regularly.
  • Never share your AWS root credentials or access key with anyone.
  • Encrypt your data. AWS has an encryption solution you can use.
  • Use TLS 1.2 or later to communicate with your AWS resources.

Amazon has more in-depth IAM, access key, and data protection best practices for further reading and consideration.

Stay safe!

The post Denonia cryptominer is first malware to target AWS Lambda appeared first on Malwarebytes Labs.

Ransomware: March 2022 review

The Malwarebytes Threat Intelligence team continuously monitors the threat landscape to stay on top of existing and emerging attacks. In this March 2022 ransomware review, we go over some of the most successful ransomware incidents based on both open source and dark web intelligence.

The March data was consistent with the first two months of the year, and the most active ransomware gangs during this month continued to be LockBit, followed by Conti, with an increase in BlackCat (ALPHV), a suspected rebrand of the DarkSide & BlackMatter ransomware groups.

Ransomware Attacks by Gang

R 02 March

Ransomware Attacks by Country

R 001 March

Ransomware Attacks by Industry

R 03 March 3

Ransomware Mitigations

Source: IC3.gov

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

2022 04 08 19 06 09

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

The post Ransomware: March 2022 review appeared first on Malwarebytes Labs.

Why data protection and privacy are not the same, and why that matters: Lock and Code S03E09

There’s a mistake commonly made in the United States that a law that was passed to help people move their healthcare information to a new doctor or provider was actually passed to originally implement universal, wide-ranging privacy controls on that same type of information. This is the mixup with HIPAA—the Health Insurance Portability and Accountability Act—and while the mixup can be harmless most of the time, it can also show up in misunderstandings of other privacy concepts around the world.

Importantly, the mixup colors how we approach data protection, as a requirement and a set of rules, and privacy, as a right granted to certain sectors of our lives. In the European Union, this split is spelled out more clearly in their laws, but in the US, this split is still muddled—there are data protection laws in the United States that aim to achieve data privacy, and there is an entire realm of privacy law that was developed before our current understanding of data.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Gabriela Zanfir-Fortuna, the vice president for global privacy at Future of Privacy Forum, to finally clear up the air on these related but not interchangeable topics. As Zanfir-Fortuna explained in our conversation, data protection can achieve privacy, but it isn’t the only goal that data protection should care about.

“The challenge with data protection, though, is that it needs to balance all of the rights, and sometimes they’re competing rights. That’s challenging indeed. But it’s important to note that the ultimate purpose of data protection is not to achieve privacy at all costs.”

Gabriela Zanfir-Fortuna, vice president for global privacy at Future of Privacy Forum

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs. 

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why data protection and privacy are not the same, and why that matters: Lock and Code S03E09 appeared first on Malwarebytes Labs.

YouTube channels of Taylor Swift, Justin Bieber, Harry Styles, and other musicians compromised

Some of the biggest stars around have seen content placed on their YouTube accounts without permission over the last couple of days. Taylor Swift has around 40 million subscribers. Justin Bieber? 68 million. Harry Styles, a respectable 12 million. You can even add Eminem and Michael Jackson to the list of those taken over.

Big names, and even bigger numbers.

The last time I can remember an all-out targeted attack on social media musicians was way back in 2007 during Ye Olde Myspace days. While the threat for mischief there was big, this new attack far surpassed it in terms of people seeing dubious content.

Using Vevo as a stepping-stone to musician channels

According to The Record, the attack specifically targeted accounts using Vevo. The people behind it didn’t promote malware links, or spam, or phishing. Instead, they opted to post about a bizarre scam involving a security guard.

The scam involved a man claiming to have “2,000 tumours”, sentenced to 2 years in jail for grabbing around $319,000 in donations for his non-existent terminal illness. The group claiming to be behind the compromise demanded he be set free via their Twitter account.

If you’ve ever watched a music video from a major artist, there’s a good chance you’ll have seen the Vevo logo in the bottom right hand corner. This is the Vevo channel, where content is uploaded. As Gizmodo notes, videos are merged with the musician’s separate YouTube channel. Existing YouTube accounts can also be merged to create Official Artist Channels.

Speaking to The Verge, Vevo said “Some videos were directly uploaded to a small number of Vevo artist channels earlier today by an unauthorized source.”

This is what Vevo’s FAQ page has to say on the subject of how uploads work:

Vevo does not provide access directly to artists. If your music videos have been delivered to Vevo, you must work with your existing Content Provider/Label who will have access to perform these updates.

What about your YouTube security?

You may not be a multi-million album seller signed up to Vevo on YouTube, but you still need to lock down your YouTube account. Any compromise can lead to masses of spam or videos leading users off-site to phishing or malware.

Signing into YouTube requires a Google account. As such, good Google security hygiene means good YouTube security hygiene too. We’ve covered many Google-centric security concerns previously, but here’s some things you can do now to lock down your account:

  • Create a strong password, and enable two-factor authentication (2FA). Use the Google Auth app for 2FA rather than SMS codes, this will help you avoid the threat of SIM-swap attacks.
  • Don’t share sign-in information with others. If someone contacts you promising riches beyond your wildest dreams, they may ask for your login details to set up some sort of “affiliate” or partnership status. This is a bad idea, and you shouldn’t do it.
  • Use Google’s security checkup. This informs you at a glance about recent login activity, device sign-ins, Gmail settings, and more. It’s a handy, focused way to make sense of the sometimes overwhelming range of options available.
  • Remove sites and apps you don’t need or recognise. As with many social accounts, you’re able to connect to a variety of services. View connected apps here.
  • Keep an eye on the comments posted to your videos. There’s a lot of spam out there and it may sully your reputation if followers end up in bad places via your content.

This should be enough to get your account moving to a place where it’s a lot more secure than before. While the chance of you being hit by an attack like the one above targeting very well known accounts is low, people regularly look to hijack regular YouTube accounts. Let’s not make it easy for them!

The post YouTube channels of Taylor Swift, Justin Bieber, Harry Styles, and other musicians compromised appeared first on Malwarebytes Labs.

Successful operations against Russian Sandworm and Strontium groups targeting Ukraine revealed

The US Department of Justice (DoJ) and Microsoft have taken the sting out of two operations believed to be controlled by the Russian Federation’s Main Intelligence Directorate (GRU).

On Wednesday, the DOJ announced that it had disrupted GRU’s control over thousands of internet-connected firewall devices compromised by the Russian Sandworm group.

One day later, Microsoft disclosed information about the steps it took to disrupt cyberattacks it had seen targeting Ukraine. These attacks came from Strontium, another GRU-connected threat actor.

In light of world news, it’s important to note that the Sandworm group has always been known to target Ukrainian companies and government agencies. It has been held responsible for destroying entire Ukrainian networks, triggering blackouts by targeting electrical utilities, and releasing the NotPetya malware.

Shutdown operation

Although the DOJ announcement came just two days ago, the takedown operation actually occured a little earlier, in March 2022. And the story starts before that, with a joint advisory released on 23 February by law enforcement agenices in the UK and the USA, about Cyclops Blink malware targeting network devices manufactured by WatchGuard and ASUS.

Cyclops Blink surfaced as a replacement for VPNFilter malware, which the DOJ disrupted with an operation in 2018. Both Cyclops Blink and VPNFilter are generally attributed to the Sandworm group, which has always been seen as a Russian state-sponsored actor.

On the same day the advisory was released, WatchGuard published a diagnosis and remediation plan, and ASUS released its own guidance. However, despite their advice, a botnet of “thousands of infected network hardware devices” running Cyclops Blink remained.

In March the DOJ set out to fix that by targeting the Command and Control (C2) servers that orchestrated the botnet. The department says it did this by copying and removing Cyclops Blink malware from the C2 devices, and closing the external management ports that the Sandworm group used to access them.

WatchGuard users that need the external management ports can reverse the closure through a device restart, but they are advised to follow this knowledge base article about remote management.

Although this stopped Sandworm from controlling the thousands of compromised WatchGuard and ASUS devices, it did not remove the malware from them.

According to Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division:

This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal. By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.

Sinkhole

On the same day that the DOJ announced its Cyclops Blink takedown, Microsoft obtained a court order authorizing it to take control of seven internet domains being used by the Strontium group.

The Strontium group, often referred to as Fancy Bear or APT28, is another GRU-connected threat actor known to target Ukrainian institutions, as well as government institutions and think-tanks in the United States and the European Union involved in foreign policy.

After taking control of the domains, Microsoft re-directed them to a sinkhole under its control. A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security professionals. Sinkholes are most often used to seize control of botnets.

Microsoft describes this disruption as part of an ongoing long-term campaign, started in 2016, to take legal and technical action to seize infrastructure used by Strontium. The company has established a legal process that enables it to obtain rapid court decisions for this work. Prior to this week, it says it had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains.

Good riddance

While these attacks are just a small part of the cyber-activity we are seeing in Ukraine, it does help to take out a few of these active major threats.

The FBI is urging people to contact their local field office if they believe they have a compromised device. The agency says it “ontinues to conduct a thorough and methodical investigation into this cyber incident.”

The post Successful operations against Russian Sandworm and Strontium groups targeting Ukraine revealed appeared first on Malwarebytes Labs.

Don’t enter your recovery phrase! Phishers target Ledger crypto-wallet users

Ledger is one of the biggest hardware cryptocurrency wallets around and scammers have noticed. Phishing mails are in circulation, hoping to snag Ledger users with a sneaky request for passphrases.

What is a Ledger recovery phrase?

A recovery phrase is an incredibly important combination of words that act as the literal keys to your digital crypto kingdom. The phrase is a human-readable version of a private key—a unique secret that must keep private, because it’s the cornerstone of the cryptography that says you own a crypto-someting rather than somebody else.

The Ledger recovery phrase also acts as a backup for everything in your hardware wallet, to the extent that if Ledger ceased operations, you’d still be able to access your crypto-assets via a compatible wallet service. As it put its:

When starting to use your Ledger hardware wallet, you will receive a random set of 24 words. This is also known as your Recovery Phrase. It’s a key element in using a hardware wallet and it must be kept secure and offline at all times.

As we can see, it’s critical to the wellbeing of your digital cash.

What’s the scam?

Phising emails are being sent that refer to a non-existent breach. The “solution” to this breach is to update the 24 word phrase as soon as possible and set up a new wallet PIN.

The mail reads:

If you’re receiving this e-mail, it’s because you’ve been affected by the breach. To protect your assets, please update your 24-Word Phrase and follow the instructions to set up a new PIN for your wallet.

Sincerely, Support Team

The mail also provides a link to a website called “Ledgerphrase(dot)com”.

Should you visit the website without the userID included in the email, the page won’t resolve. If you follow any of the links directly from the email, you’ll be greeted with a passphrase update page that asks users to enter their 24-word passphrase:

ledgerphishing
A fake Ledger passphrase update page

Anyone progressing past this point is playing with fire and likely to lose all of their crypto-assets.

How to foil the phishers

Ledger has confirmed this is a phishing attempt:

It also provides a list of security measures to ward off further attempts.

The most important thing to never, ever give anybody your 24 word passphrase. Only ever enter it on your device, and never hand it over to anyone claiming to need it or to websites requesting you enter it. Whether code converter websites, or apps, YouTube livestream giveaways, or even browser extensions claiming to be official products, the advice is still the same.

No matter which form of digital wallet you use, your recovery phrase is your last line of defence to keep bad people away from your funds.

The post Don’t enter your recovery phrase! Phishers target Ledger crypto-wallet users appeared first on Malwarebytes Labs.