IT NEWS

FBI warns of bogus job postings on recruitment sites

Before Christmas was a busy time down at the fake job factory, with all manner of dubious antics out to ruin someone’s day. We’re now into February and the bogus job offers show no sign of abating. In fact, the FBI considers it to be such a problem that it’s issued an alert. This isn’t your typical warning about plain old fake job postings, or random messages sent via services like WhatsApp or Telegram, though.

This one involves a dash of the old website exploitation.

Sounding the alarm

The alert begins as follows:

Malicious actors…continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money. These scammers lend credibility to their scheme by using legitimate information to imitate businesses, threatening reputational harm for the business and financial loss for the job seeker.

Since early 2019, the average reported loss from this scheme is nearly $3,000 per victim, and many victims have also reported that the scheme negatively affected their credit scores.

So, we have a scheme that’s been ticking along for a couple years. It’s also fairly profitable for whoever is pulling the strings.

How do these attacks work?

The FBI doesn’t go into detail about how the sites in question are exploited. It instead mentions that the scammers use a variety of tactics. Some of their fake ads are posted to commonly-used employment-oriented networking portals. Others are a bit sneakier, being posted to “official company pages” due to the “lack of strong security verification standards on one recruitment website”.

This had an impact on both potential victims and the organisations being spoofed. It seems it was hard for the latter to tell which postings were genuine, too. This is definitely not what you need when sifting through potential job opportunities. The FBI notes that the scammers also replicated existing, legitimate postings, altered the contact information, and sent them out into the wild. All in all, a tangled mess of lurking menaces waiting to strike.

The scam gets underway

The links posted in the ads take would-be hires away from the job site(s). What they land on is a fake site sporting bogus contact details and phone numbers operated by fraudsters. Wary of people doing some digging to ensure the legitimacy of the posting, the scammers also use the contact details of genuine employees. Those details are likely harvested beforehand from sites like LinkedIn, or even just by browsing the company’s website or other directories.

Again, the FBI doesn’t go into specifics with regard to how money is extracted from victims. The most common method used in these scams is to have the victim wire money to the fraudsters. It might be a regular wire transfer, or they may ask for cryptocurrency payments. These requests are usually accompanied by an explanation about paying for office equipment or other expenses, with the promise to reimburse the jobseeker once everything is set up. Of course, this doesn’t happen.

Considering the impact on businesses

It isn’t just the jobseekers at risk from these tactics. As the FBI notes, there’s the possibility of reputational damage to consider for the organisations being spoofed. It’s quite possible people caught by these scams will post negative reviews or comments about the unwitting businesses being impersonated. This isn’t a straightforward problem to resolve, and before long half a dozen sites could be full of bad reviews and negative replies. These kinds of things can spread rapidly.

Tips to avoid being stung

The FBI has listed a number of hints to try and keep job hunters safe:

  • Conduct a web search of the hiring company using the company name only. Results that return multiple different websites for the same company may indicate fraudulent job listings.
  • Verify job postings found on networking and third-party websites on the hiring company’s own website or through legitimate HR representatives at the hiring company.
  • Provide PII face-to-face. Legitimate companies will only ask for personally identifiable information (PII) and bank account information for payroll purposes AFTER hiring employees. It is safer to provide this information in person, or via a video call where it is easier to verify everyone’s identity.
  • Never send money to someone you meet online, especially by wire transfer.
  • Never provide credit card information to an employer.
  • Never provide bank account information to employers without verifying their identity.
  • Never share your Social Security number or other PII that can be used to access your accounts with someone who does not need to know this information.

We wish you safe and prosperous job hunting.

The post FBI warns of bogus job postings on recruitment sites appeared first on Malwarebytes Labs.

Threat actor steals email with Zimbra zero-day

Researchers have discovered a threat actor attempting to exploit a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform.

Zimbra is an open source webmail application used for messaging and collaboration. Cross-site scripting is a type of injection attack in which a vulnerability in a web application allows a threat actor to inject malicious code into the site’s content. In this case the target was a Zimbra email opened in a web browser.

Targets and threat actor

The entire campaign was targeted—predominantly at organizations in the European government and media realm. According to Zimbra, there are 200,000 businesses, and over a thousand government and financial institutions, using their software. How many of them fall into the target audience is unknown.

The researchers have dubbed the threat actor “TEMP_Heretic” and based on a number of observed factors they have reason to believe the threat actor is of Chinese origin.

The campaign

This campaign was named EmailThief by the researchers and consisted of two clear components. The first one was a reconnaissance mission to find people that were likely to open the second email. Using this method the attackers could weed out invalid and unresponsive receivers. The reconnaissance emails were sent on 14 December, 2021 and contained no malicious links. This first wave only contained embedded remote images in the body of email messages. These emails contained no content other than the remote image and had generic subjects often associated with non-targeted spam. These emails are unlikely to have attracted any negative attention because remote images are widely used in marketing emails to measure email open rates.

The image URLs were unique to each individual, enabling the threat actor to ascertain the validity of the email addresses, and to determine which accounts were more likely to open phishing email messages.
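The reconnaissance wave described above has a recognisable shape from the defender’s side: a message whose only content is a single remote image, and the same sending host handing out a different image URL to each recipient. The following triage script is an added example, not code from the researchers or from Malwarebytes; the sample messages, addresses, hosts and tracking tokens in it are constructed.

```python
"""Added example (not the researchers' or Malwarebytes' code): triage a set of
raw emails for the reconnaissance pattern described above, i.e. messages whose
only content is one remote image whose URL is unique per recipient.
All sample messages, addresses and hosts below are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mailbox: two image-only "recon" messages from one host
# with per-recipient tokens, plus a normal newsletter that also uses a pixel.
SAMPLE_MESSAGES = [
    """From: promo@offers-example.test
To: alice@victim.example
Subject: Great deals this week
Content-Type: text/html; charset=utf-8

<html><body><img src="http://img.offers-example.test/t/1a2b3c.gif" width="1" height="1"></body></html>
""",
    """From: promo@offers-example.test
To: bob@victim.example
Subject: Great deals this week
Content-Type: text/html; charset=utf-8

<html><body><img src="http://img.offers-example.test/t/9f8e7d.gif" width="1" height="1"></body></html>
""",
    """From: news@shop.example
To: carol@victim.example
Subject: Your weekly newsletter
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Carol, here are this week's offers.</p>
<img src="https://shop.example/open/abc.png" width="1" height="1"></body></html>
""",
]


class _BodyCollector(HTMLParser):
    """Collect <img src> values and any visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.img_srcs = []
        self.visible_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.img_srcs.append(src)

    def handle_data(self, data):
        if data.strip():
            self.visible_text.append(data.strip())


def analyse_message(raw):
    """Return recipient, remote image URLs and whether the body has visible text."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _BodyCollector()
    collector.feed(body.get_content() if body is not None else "")
    remote = [u for u in collector.img_srcs if urlparse(u).scheme in ("http", "https")]
    return {
        "to": str(msg["To"]),
        "remote_images": remote,
        "has_text": bool(collector.visible_text),
    }


def is_image_only(info):
    """A body with exactly one remote image and no visible text at all."""
    return len(info["remote_images"]) == 1 and not info["has_text"]


def find_recon_wave(raw_messages):
    """Group image-only messages by image host and flag hosts that served a
    distinct URL to two or more recipients (per-recipient tracking).
    Returns {image_host: sorted recipient list}."""
    by_host = {}
    for raw in raw_messages:
        info = analyse_message(raw)
        if not is_image_only(info):
            continue
        url = info["remote_images"][0]
        by_host.setdefault(urlparse(url).netloc, {})[info["to"]] = url
    return {
        host: sorted(recipients)
        for host, recipients in by_host.items()
        if len(recipients) >= 2 and len(set(recipients.values())) == len(recipients)
    }


if __name__ == "__main__":
    for host, recipients in find_recon_wave(SAMPLE_MESSAGES).items():
        print(f"possible recon wave via {host}: {', '.join(recipients)}")
```

The newsletter is deliberately included to show why "has a tracking pixel" alone is a poor signal: marketing mail uses the same mechanism. What separates the recon wave is the combination of an empty body and per-recipient URLs from one host, which is the pattern worth correlating across a mail gateway’s logs before the follow-up wave arrives.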

The second part of the campaign was only sent to the receivers that qualified as likely to open such an email in the first wave. This part of the campaign was done in four waves which were sent out at 16, 23, 24, and 27 of December, 2021. These spear-phishing waves were largely generic and mostly themed around the holiday season, notably purporting to be from various airlines or Amazon.

In these campaigns, the attacker embedded links to attacker-controlled infrastructure. Upon clicking the malicious link, the attacker infrastructure would attempt a redirect to a page on the targeted organization’s Zimbra webmail host. A specifically crafted URL format exploited a zero-day vulnerability, allowing an attacker to load arbitrary JavaScript into the page, in the context of a logged-in Zimbra session.

The overall effect of this attack is that by getting a user to click a link in an email and leave their browser window open for any length of time, the attacker can steal the contents of their mailbox.

Mitigation

Besides the theft of mailbox contents the vulnerability could also have been used to:

  • Exfiltrate cookies, which could allow persistent access to a mailbox
  • Send phishing messages to the user’s contacts
  • Display prompts to download malware from trusted websites

At the time of writing, there is no official patch or workaround for this vulnerability, so it is a zero-day vulnerability. The researchers have notified Zimbra of the exploit and hopefully a patch will be available soon.

Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15 and testing of version 9.0.0 by the researchers indicates it is likely unaffected.

Possible workarounds are:

  • Don’t log into the Zimbra webmail client from a web browser
  • The good old “don’t click on links in emails” advice

Since this campaign seems to have run its course, it’s important for possible targets to check whether they have fallen victim to it, in which case their email communications may have been intercepted by the threat actor.

The researchers have posted a full list of IOCs on GitHub for your perusal.

Stay safe, everyone!

The post Threat actor steals email with Zimbra zero-day appeared first on Malwarebytes Labs.

Beware bogus OperaGX sponsorship offers

If you’re a YouTuber, watch out for bogus Opera missives winging their way to you.

The Opera team has had to send out a warning about scammy antics trading on its good name. At a time when people are stretched for cash, nothing could be better than a promo mail bearing good news landing in their mailboxes. Unfortunately, it’s not quite what it seems.

What’s happened?

A number of YouTube content creators have received mail which reads like this:

Hello, I am the manager of OperaSoftware.

Our company has paid attention to your channel and decided to make an offer. Our OperaGX browser lacks popularity, so we offer you to cooperate with us.

If you agree to cooperate with our company, please let us know and we will send you our terms.

Best regards, Manager of OperaSoftware

The mail, as confirmed by Opera, is bogus and should not be trusted.

OperaGX? What’s that?

OperaGX is a browser from Opera geared towards gamers. It comes complete with a bunch of features gamers and streamers may well make use of. I’ve no idea how popular it is, but I suspect it’s a bit more popular than the developers needing to beg YouTubers for promotion deals.

Is there a risk from this fake mail?

There absolutely is, most likely of the financial kind. Opera don’t dwell on the details too much, but do say the following:

From what we have observed, this particular scam is aimed at smaller YouTube creators in an attempt to get their personal information and subsequently get some form of payment from them.

You may think streamers shouldn’t fall for this, but that’s probably not very fair. The scammers likely target those without sponsorship or product placement deals. This is because they won’t know precisely how legitimate deals take place. The savvy streamer with half a million viewers and branded energy drink t-shirts up for sale? Those aren’t the hot targets.

Someone new to the scene with no deals and small view counts? It’s fake email deployment time. The scammers know the streamer won’t say no to more money. They also know there’s a good chance that stroking their ego (“Hi, we’re one of the biggest browsers around and we need your help”) will get the job done.

What’s the process for spotting a fake?

As far as this scam specifically goes, there are a few ways to avoid the fake offer’s sting. Certain agencies perform outreach to streamers on Opera’s behalf. According to Opera, they will “identify themselves as such”, and Opera encourages recipients of such messages to check the sender’s email address and verify the contact on LinkedIn. Opera also provides an email address to contact should people still be uncertain about messages they’ve received.

There are several examples of bogus sponsorship mails on sites such as Reddit. Here’s one which tries its best to disguise the fake email address, while offering up a suspicious download. Here’s one from 4 months ago asking the recipient to download a “timetable of sponsorship prices”.

No matter which variation of mail you receive, go straight to the official source. Check with Opera directly, and keep one finger hovering over the delete button. You may very well need it.

The post Beware bogus OperaGX sponsorship offers appeared first on Malwarebytes Labs.

A worrying Etsy listing reveals the stalking potential of Apple’s AirTags

In April of 2021, Apple introduced AirTags to the world, making the small tracking devices—similar to a Tile— available for purchase at the end of that month. The circular, coin-like product is designed to be attached to or placed in objects that are commonly lost, such as keychains, wallets, purses, backpacks, etc.

You can track an AirTag with your iPhone in some powerful ways, enabling you to locate a set of keys that has fallen down between the cushions of a couch, for example. You can see its location on a map, and if you’re close to it, you can get a directional signal on newer iPhones. It can be put into lost mode, enabling someone who finds it to tap it with their phone and get information you supply, such as a phone number to call.

Sounds great, right? Everyone who has ever had something stolen—a laptop bag, for example—has fantasized about being able to track it down and get their property back. (The reality is a bit grittier. It’s not hard to find news stories of people using things like Find My iPhone to follow their stolen property directly into danger, being shot at when they approached the thief they’d tracked down.)

Unfortunately, there’s a dark side to AirTags: stalking.

Why are AirTags so good for stalking?

Although they are conceptually similar to a Tile, AirTags have far more stalking potential. A Tile that isn’t near you can only be tracked if it comes into proximity of someone with the Tile app open and active on their phone. If the Tile app can detect the Tile, it can report the location and the owner of the Tile can see where it is.

However, an AirTag’s location can be tracked any time it comes into proximity of any iPhone. The number of iPhones out there moving around in the world is substantially higher than the number of phones with a Tile app open and active. iPhones form a massive tracking network for AirTags that can be quite difficult to get away from. Long-time Mac expert and writer Kirk McElhearn sent an AirTag through the mail, as a test, and was able to follow its progress quite successfully.

AirTags are also rather small. They’re easily hidden in a bag, a vehicle, or anything else you might carry with you. There have been stories of people finding AirTags in their bags, various places on the exterior of their cars, hidden inside the frame of their bicycles, and more. Keep in mind, these are all folks who don’t actually own the AirTag in question!

An AirTag shown in my hand for scale.

Sounds terrifying! How can I avoid being tracked?

Apple has taken some measures to prevent AirTags from being used for stalking. Unfortunately, these measures are not 100% effective.

First, if you have an iPhone and an unknown AirTag is detected moving along with you for some period of time, your iPhone will notify you. (It’s unclear exactly how long it takes for this message to appear.) This is a reasonable measure, but there’s one major flaw: not everyone has an iPhone. Apple did recently release an Android app that can be used to help find unknown AirTags moving with you, but that requires you to take action proactively, and many probably will not do so.

AirTag Detected Near You

If you don’t have an iPhone or the Android app, AirTags were, at the time of release, designed to start playing a sound periodically after they’d been separated from their owner for 3 days. After much criticism about this being far too long an interval, Apple shortened it to between 8 and 24 hours (the exact time is apparently random).

Unfortunately, there are a couple problems with this. For one, the sound isn’t that loud, and could easily be muffled if it were buried inside a bag, or completely inaudible if it were somewhere on the exterior of a car and you didn’t happen to be there when the alert sounded.

Another problem is that this only works when the AirTag has been away from its owner for at least 8 hours. This may work well in some situations, but it won’t work in the case of intimate partner abuse, in which the victim is in regular contact with their abuser. It also won’t work if the stalker only needs to track you for a few hours before getting the information they’re interested in, such as the location of your home.

Recently, yet another problem has arisen. It was discovered that someone was selling a “silent AirTag” on Etsy. The claim was that the seller had modified the hardware in order to disable the speaker, and was reselling it for a higher price. Fortunately, it appears that Etsy has taken this listing down, but the fact remains that if one person is doing these modifications, others are as well, and there’s nothing Apple can do about it.

silent AirTag, speaker disabled
Eva Galperin tweeted: "Oh look. There is already a secondary market for modified AirTags with the speaker disabled for stealth mode. I had everything so much right now."

We asked Eva Galperin for her thoughts, and as she told us, “This was very easy to see coming. I am absolutely not surprised and probably neither is anyone at Apple. Tiles have not been modified in a similar way because Tiles do not beep in the same way AirTags do.”

What do I do if I find an AirTag in my stuff?

Assuming you have an iPhone, you can unlock your phone and touch the back of the top of your phone to the AirTag. A notification should appear, offering to open found.apple.com in Safari. Tap the notification to open that site, and you’ll see some info about the AirTag as well as a link to instructions on how to disable it.

This advice is different for survivors of domestic abuse, though, because disabling an AirTag could alert an abuser. Similar to instances of stalkerware, domestic abuse survivors should consider their own safety planning before immediately disabling forms of digital stalking. The National Network to End Domestic Violence has many specialists trained on technology-enabled abuse, and can help those who need a safety plan before taking action.

About This AirTag page open in Safari

If you don’t have an iPhone, or don’t have it with you, or just don’t feel comfortable scanning an unknown AirTag like this, the instructions to disable the AirTag aren’t very complicated. You simply press down and twist counterclockwise on the back of the AirTag. (The back is the shiny side with the Apple logo.) This should open the battery compartment cover, allowing you to remove the battery. Once the battery has been removed, the AirTag can no longer be tracked.

Note that scanning the AirTag gives you the serial number and the owner’s phone number, which may help in the event of legal action against a stalker. The phone number could be a fake one, but the AirTag has to be linked to someone’s Apple ID in order for them to track it. The serial number should help Apple identify the owner’s Apple ID.

Conclusion

I fully understand why Apple created the AirTag. People like Find My for locating lost or stolen devices, and they like being able to share their locations with friends and family via Find My. (“They” in this case meaning people in general… obviously, there are individuals who dislike such things.) There is a customer need for something like an AirTag. This need has sustained Tile for years.

That said, there’s a significant difference between AirTags and anything that came before them. iPhones are not cheap, so though you can track them in the same way as an AirTag, you wouldn’t exactly want to plant one in someone’s bag or on their car. Tiles are cheap, but can’t be tracked as thoroughly as an AirTag.

The fact that AirTags are cheap, disposable, and can be tracked with decent precision makes them an ideal tool for stalkers. Apple was aware of this, and to their credit, they put a lot of thought into prevention of such usage. However, it’s also obvious that Apple failed in the area they so often fail at: consulting with experts outside Apple. It wasn’t until after the release that Apple was informed, by experts in the fight against stalking, of some of the device’s flaws. Like, for example, the former 3 day interval before it starts making noise after being separated from its owner.

Apple’s secretive nature often makes Apple its own worst enemy. Most people these days know that having a diverse set of opinions and inputs makes for better decisions. By keeping itself so isolated, Apple loses the opportunity to learn from and collaborate with experts in the field.

Apple also missed the boat for folks who don’t own iPhones. According to Galperin, “Apple’s AirTag anti-stalking measures are not enough. The next step required cooperation between Apple and Google to get the same levels of protection from AirTags on Androids as you have if you own an IPhone.” We couldn’t agree more, yet neither are we surprised that Apple and Google didn’t work together to solve this problem.

If you choose to buy and use AirTags, I can’t blame you. After all, I own one, and I like the way it works for my purposes. However, I’m still conflicted about owning one, since I know how much potential harm they can cause.

The post A worrying Etsy listing reveals the stalking potential of Apple’s AirTags appeared first on Malwarebytes Labs.

$320 million stolen from Wormhole crypto-trading platform

By using an exploit in the software of crypto-trading platform Wormhole, threat actors have stolen an estimated $322 million in cryptocurrencies. The platform is offering a $10 million reward for the return of the stolen money and details about the attack.

How they pulled it off

Wormhole Portal is a web-based application that allows users to convert one form of cryptocurrency into another. These portals are often referred to as blockchain bridges. Basically they use Ethereum smart contracts (computer code stored on a blockchain) to connect the input currency and the desired output currency.

The attacker is believed to have exploited this process to trick the Wormhole project into releasing Ether (ETH) and Solana (SOL) coins for a far greater value than their input value. Analysis by experts showed that the attacker created a guardian account by using information pointing back to an earlier, legitimate and much smaller, transaction.

The short version of what happened is easy. Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.
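To make the bug class concrete: the failure described above is that a contract accepted an input it should have verified itself, rather than recomputing signature validity against its own trusted guardian set. The following is an added example, a deliberately simplified model and not Wormhole’s code (the real contract runs on Solana and its verification details are not reproduced here). HMAC tags with constructed per-guardian secrets stand in for guardian signatures, and the guardian set, quorum, messages and ledgers are all constructed.

```python
"""Added example, not Wormhole's code: a toy bridge "mint" in two versions to
illustrate the class of bug described above, where the contract trusted an
input account it should have verified. Guardian signatures are stood in for
by HMAC tags with constructed per-guardian secrets; the guardian set, quorum,
messages and ledgers are all constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed guardian set: guardian id -> secret used to produce its tag.
GUARDIAN_SECRETS = {0: b"guardian-0", 1: b"guardian-1", 2: b"guardian-2"}
QUORUM = 2  # at least two of the three guardians must have signed


@dataclass(frozen=True)
class TransferMessage:
    amount: int
    recipient: str

    def encode(self) -> bytes:
        return f"{self.amount}:{self.recipient}".encode()


def guardian_sign(guardian_id: int, message: TransferMessage) -> bytes:
    """What a real guardian would do: tag this exact message."""
    return hmac.new(GUARDIAN_SECRETS[guardian_id], message.encode(), hashlib.sha256).digest()


@dataclass
class SignatureAccount:
    """Caller-supplied input claiming how many guardian signatures were valid.
    In the vulnerable path nothing checks who produced this object."""
    message: TransferMessage
    valid_signatures: int


def vulnerable_mint(account: SignatureAccount, ledger: dict) -> bool:
    """Trusts the caller's claim instead of re-checking signatures (the bug class)."""
    if account.valid_signatures < QUORUM:
        return False
    m = account.message
    ledger[m.recipient] = ledger.get(m.recipient, 0) + m.amount
    return True


def hardened_mint(message: TransferMessage, signatures: dict, ledger: dict) -> bool:
    """Recomputes every tag over *this* message against the trusted guardian set,
    so neither an invented count nor tags lifted from another transfer pass."""
    valid = 0
    for guardian_id, tag in signatures.items():
        if guardian_id in GUARDIAN_SECRETS and hmac.compare_digest(
            tag, guardian_sign(guardian_id, message)
        ):
            valid += 1
    if valid < QUORUM:
        return False
    ledger[message.recipient] = ledger.get(message.recipient, 0) + message.amount
    return True


def demo() -> dict:
    """Run three scenarios and return their outcomes."""
    small = TransferMessage(amount=10, recipient="alice")        # legitimate, guardian-signed
    big = TransferMessage(amount=120_000, recipient="attacker")  # what the attacker wants minted
    real_sigs = {gid: guardian_sign(gid, small) for gid in (0, 1)}

    vuln_ledger, hard_ledger = {}, {}
    return {
        # The caller simply asserts "3 valid signatures" for the big transfer.
        "vulnerable_accepts_forged_claim": vulnerable_mint(SignatureAccount(big, 3), vuln_ledger),
        "vulnerable_ledger": vuln_ledger,
        # Replaying the guardians' tags for the small transfer onto the big one.
        "hardened_rejects_replay": not hardened_mint(big, real_sigs, hard_ledger),
        "hardened_accepts_genuine": hardened_mint(small, real_sigs, hard_ledger),
        "hardened_ledger": hard_ledger,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is where the trust boundary sits: the hardened path accepts nothing about signature validity from the caller, only raw signatures, and derives validity from its own key set and the exact message being minted. That is also why the replay scenario fails, since tags over the small legitimate transfer do not verify over a different amount and recipient.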

Earlier this year, Ethereum co-founder Vitalik Buterin already pointed out the fundamental security limits of bridges on Reddit, where he argued for a multi-chain blockchain ecosystem rather than the cross-chain applications, like bridges.

“it’s always safer to hold Ethereum-native assets on Ethereum or Solana-native assets on Solana than it is to hold Ethereum-native assets on Solana or Solana-native assets on Ethereum.”

Isn’t it ironic that he used exactly the currencies that were involved in this hack in his example?

Currency trading platforms

Crypto exchanges work like traditional money exchanges, setting prices for various currencies and taking a small fee to let users trade one for another. But while traditional exchanges are highly regulated by governments and international banks, it’s relatively easy to set up a cryptocurrency exchange nearly anywhere in the world and run it however you like. And under the hood they are just websites, websites that inherit all of the insecurities of the current state of web development in 2022 and none of the considerable security inherent in blockchains, which are designed to prevent tampering, not theft.

Personally, I had never heard of the Wormhole platform before. That may be just me, but I’m guessing the same is true for many people. So how is it possible that someone can steal that amount of money from a platform most people have never even heard of? I was in no way shocked or surprised however to learn that such a platform can be hacked. It has happened before and it will happen again. In 2021 alone, there have been more than 20 incidents where a threat actor stole at least $10 million in digital currencies from a crypto exchange or project.

In this “industry” of fast moving money, huge profits–and losses–can be made and all that comes spiced with a hint of secrecy and hi-tech. But apparently it is more important to be the first to introduce new technologies than it is to check whether the security is in place to keep everything in check. We all know that we don’t need to invest in a fire-proof safe for the small amount of cash most people have. The investment would outweigh the risk. But if you are dealing in millions of dollars you might at least check that your account validation is waterproof, right?

The end?

Probably not. To be continued is more likely.

At the time of writing the Wormhole Portal is displaying a message stating:

“We’re actively working to get Portal back up and running.

A fix has been deployed and all funds are safe.

Thank you for your support and trust.”

In a message left on the blockchain we can read:

“We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at contact(@)certus.one”

We would like to take exception to the use of the term “bug bounty” here, which we would like to reserve for legitimate white hat hackers working to make the world a safer place. This white hat guild holds no seat for a thief that exploits first and then sells the information about how they did it. Surely the only reason they would accept this deal is to avoid having a criminal complaint filed against them.

The only good news is that it looks like the exchange plans to carry on business so it did apparently not get robbed beyond recovery. Unfortunately, many others in the past have had to pull the plug after such an incident, leaving investors and traders in the cold.

The post $320 million stolen from Wormhole crypto-trading platform appeared first on Malwarebytes Labs.

How to speed up your computer or laptop

Why do machines always throw a tantrum when you are in a hurry? It’s called Murphy’s Law which some people may know as the butter side down rule. Anything that can go wrong will go wrong. And usually at a time when it is most inconvenient.

That being said, there are ways to speed things up. Let’s have a look at some options to fix slow computers.

Why is my PC so slow all of a sudden?

If the speed change is sudden, your first port of call should be to run a malware scan. Malwarebytes can help with this. If your scan finds any threats then remove them from your computer and restart the system.

My PC is gradually slowing

Malware isn’t always the reason for a slow system. If the slowdown has been a gradual process, there may be other factors at play.

In these cases there are three main vectors to tackle speeding up a computer:

  • Hardware
  • Installed software
  • Operating system

Replacing hardware

Modern computers consist of many components that have to work well together. The speed at which your computer operates varies according to the speeds of its individual components. There may be a component that is acting as a bottleneck and replacing it may be the key to success.

Replacing hardware can be an expensive way to speed up your computer, especially since many users will have to outsource the replacement. The computer parts that have the biggest influence on the system’s speed are:

  • Memory. Computer memory is where data is processed and the instructions required for processing are stored. Upgrading or adding memory can have immediate results and is usually not very hard to do.
  • CPU. The central processing unit is the most important chip in your system and has a big influence on speed. Both the processor cores and the clock speed are important to consider when you are looking for speed. Keep in mind that a degrading CPU cooling system can also be a speed limiter.
  • Hard drives. The read/write speed of a hard drive is the factor that has the biggest influence on your overall speed. Due to technical differences, HDDs (hard-disk drives) cannot compete with SSDs (solid state drives) on speed. An SSD will decrease application loading times, so if you have one of each in your system, install your operating system on the SSD.
  • Video cards. A video card or graphics card generates the video signal that gets sent to a computer display. At the moment these are in short supply which makes them costly.

Software

Uninstalling software that you no longer use can free up storage space and memory. Go over your list of installed programs/apps and uninstall those that you never use anymore. These may include trial versions of software that came with the computer when you bought it, out-of-date antivirus programs, old software, and games that you no longer play.

For the software that you use on a regular basis, check if you are using the most current version. Improvements may have been made, and security vulnerabilities fixed, so checking for updates for the ones you use frequently may help as well.

The Operating System

Operating systems like Windows are designed to satisfy the needs of a great variety of users. Unfortunately that means that your Windows system is running apps and services that you may never need. There are lists of services that many people don’t need. Remember the changes you made, or create a restore point before starting, so you can go back if you need to.

As with other software, it is important to keep your OS up to date, even if it hardly ever helps improve your speed.

Don’t make it worse by installing PUPs

Registry cleaners, defragmentation software, and other “speed up” utilities turn out to be potentially unwanted programs (PUPs) more often than they are useful.

Many of these programs clean up less than what you introduced to the system by installing them. They are known to use built-in Windows utilities to do the actual work, so you are basically installing a user interface rather than something useful. Others lure you into buying them by showing large amounts of results, that have almost no influence on your system’s speed, or don’t even exist at all.

Likewise, there are many PUPs that promise to perform a disk cleanup to remove unnecessary files to gain some free disk space. Installing such a program usually takes more disk space than it will free up and it’s better if you decide which files are unnecessary. There are some good guides for this. Personal experience tip: if you have a lot of pictures on your system, consider moving them to an external drive.

Other tips

If you are in the habit of letting your computer run for a long time, it may help to reboot more often. Restarting your PC clears out its memory. It also closes all the programs that are running, including those running in the background.

Delete temporary files and empty your recycle bin. When your hard drive is full, it slows your computer down because the operating system doesn’t have enough free space to work adequately.

Windows indexes your hard disk for speedier searching, but background indexing can slow down your computer’s overall performance. If your PC is dragging its heels, consider disabling this feature.

Too many icons on your desktop are almost as annoying as too many browser tabs open. They not only make it hard to find what you need, but they also slow down operations.

The post How to speed up your computer or laptop appeared first on Malwarebytes Labs.

Cyberattack on fuel supplier causes supply chain disruption

A cyberattack has disrupted the German operations of fuel supplier Oiltanking Deutschland GmbH & Co. KG. The supplier is responsible, among other things, for deliveries to thousands of Shell and Aral gas stations in Germany.

The Oiltanking division of Hamburg-based Marquard & Bahls owns and operates 45 terminals in 20 countries. As far as we know only German branches of the firm are affected by the attack.

Distribution system blocked

The main problem for the supplier is that the automated systems that load the supply trucks have been disabled by the attack, and they cannot be operated manually. The company is using alternative loading points to meet part of the demand, and Shell is re-routing oil supplies to other depots. Aral, the largest petrol station network in Germany with around 2,300 stations, has also started supplying its stations from alternative sources.

Since there are a total of 26 similar companies in Germany and the disruption only blocks one specific part of the distribution chain, it seems unlikely that the consequences will be as severe as after the ransomware attack on Colonial Pipeline last year.

The attack

The attack struck two companies that are both subsidiaries of Marquard & Bahls. These companies, Oiltanking GmbH Group and mineral oil dealer Mabanaft GmbH & Co. KG Group, say they discovered on January 29 that they had been hit by an attack that disrupted their IT systems and caused a disruption of the supply chain.

The companies say they are undertaking a thorough investigation together with external specialists and are collaborating closely with the relevant authorities. They also said the attack has no influence on the safety of terminal operations, which were able to continue.

Warning

The attack follows closely after a warning was issued by the Bundesamt für Verfassungsschutz (Germany’s domestic security service) that it was expecting a surge in the number of China-sponsored cyberattacks on German organizations that play a key part in supply chains. The warning specifically mentioned APT27 aka Emissary Panda.

The German agency says APT27 has been exploiting flaws in Zoho ManageEngine ADSelfService Plus, an enterprise password management solution for Active Directory and cloud apps, since March 2021. Last September the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warned in a joint advisory that advanced persistent threat (APT) groups were exploiting the very same vulnerability.

APT27 and other Chinese-backed hacking groups were also linked to attacks exploiting the critical ProxyLogon bugs in early March 2021, which allowed them to take over and steal data from unpatched Microsoft Exchange servers worldwide. It can't be ruled out that APT27 carried out this attack, but there are no indications pointing to this group specifically. There is speculation about ransomware, but this has not been confirmed or denied by any of the parties involved.

The Bundesamt für Verfassungsschutz had also warned that cybercriminals, in addition to stealing business secrets and intellectual property, may also try to infiltrate the networks of (corporate) organizations or service providers to initiate a supply chain attack.

Stay safe, everyone!

The post Cyberattack on fuel supplier causes supply chain disruption appeared first on Malwarebytes Labs.

Apply those updates now: CVE bypass offers up admin privileges for Windows 10

If you’re running Windows 10, it’s time to stop delaying those patches and bring your systems up to date as soon as possible.

Bleeping Computer reports that a researcher has come up with a bypass for an older bug, which could serve up some major headaches if left to fester. Those headaches will take the form of unauthorised admin privileges in Windows 10, alongside creating new admin accounts and more besides.

What happened the first time round?

Back in February 2021, Microsoft patched a vulnerability that had been exploited in the wild since mid-2020. Classed as "high-severity", "CVE-2021-1732 – Windows Win32k Elevation of Privilege Vulnerability" allowed attackers to elevate privileges to admin level.

Fooling potential victims into opening bogus email attachments is all it would take to get one foot in the door via code execution; the privilege escalation then finishes the job. It popped up in a targeted attack related to the Bitter APT campaign. According to the report, numbers were "very limited" and the victims were in China.

What’s happening now?

Multiple public exploits have now appeared for another elevation of privilege vulnerability, CVE-2022-21882. It is a bypass for the previously mentioned CVE-2021-1732, which was fixed back in February 2021. CVE-2022-21882 was fixed by Microsoft in the January 2022 updates. However, sysadmins may well have skipped those updates because of the various bugs that came along for the ride.

Time to get fixing things?

It is absolutely time to get fixing things. The exploit is now out in the wild, and as Bleeping Computer notes, it "affects all supported versions of Windows 10 before the January 2022 Patch Tuesday updates".

Writers at Bleeping Computer were able to get it to work in testing, and others have confirmed it for themselves.

Is there any reason to wait for February’s Patch Tuesday?

If you're one of the hold-outs who ran into errors last time around, waiting isn't advisable. Microsoft has already issued an out-of-band (OOB) update to address the multiple errors caused by the January patch. As per Microsoft's January 17 notification about the release:

“Microsoft is releasing Out-of-band (OOB) updates today, January 17, 2022, for some versions of Windows. This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.”

Things being what they are, it’s likely time to get in there and apply the OOB update (if you haven’t already) and put this one to rest.

Microsoft is putting a fair bit of work into figuring out where the weak points in the patching process lie, using its Update Connectivity data. Its current estimate is that a device needs a minimum of two continuous connected hours, and six total connected hours after an update is released, to reliably make it through the updating process.

If this sounds like your network, and if you’re still waiting to take the plunge, you’ve hopefully got little to lose by making that big update splash as soon as you possibly can.

The post Apply those updates now: CVE bypass offers up admin privileges for Windows 10 appeared first on Malwarebytes Labs.

Android malware BRATA can wipe devices

Cleafy, a cybersecurity firm specializing in online fraud, has published new details about banking Trojan BRATA (Brazilian Remote Access Tool, Android), a known malware strain that first became widespread in 2019.

BRATA is now being used to perform factory resets on victims' devices. It's rare for malware to damage or wipe a victim's device (there is rarely anything in it for the attackers), so what's going on here?

According to Cleafy, the victim's Android device is factory reset after the attackers have siphoned money from the victim's bank account. This distracts the victim from the theft while removing traces that might be of interest to forensic analysts.

Out with the old

BRATA used to target Brazilian banks exclusively, but Cleafy reports that the target list has now expanded to include banks in Italy, the UK, the US, Poland, Spain, and Latin America. The malware has also gained a number of new capabilities alongside the factory reset functionality:

  • A GPS tracking capability
  • Multiple methods of maintaining contact with command and control (C2) servers
  • The ability to use a VNC (Virtual Network Computing) and keylogging to continuously monitor a victim’s bank account

But how does such dangerous malware end up on victims’ devices?

How BRATA is spread

A BRATA campaign starts when a potential target receives an SMS claiming to be from their bank. The SMS contains a link to a website that encourages the target to download the BRATA malware. The target also receives a call from an attacker who pretends to work for the bank.

An illustration of the BRATA Android RAT in action (Source: Cleafy)

The app asks for multiple permissions that, to the trained eye, raise red flags and might make users reluctant to install it. According to Cleafy, the caller's first job is therefore to use social engineering to convince the victim to install it anyway.

Once the app is installed, the fraudsters can remotely hijack the device whenever they want and perform banking transactions without the target knowing. Not only that, the app registers as a device admin app, which lets it perform admin-level actions such as locking the screen, changing the screen lock, and setting password rules. For the most recent BRATA strain, being a device admin app is also what allows it to initiate a factory reset on the affected device.

A two-factor authentication (2FA) code from the bank does not protect accounts here: BRATA intercepts the bank's 2FA codes and sends them to the fraudsters' command and control server.

Cleafy believes the current operators of BRATA are based in at least one European country, as mule accounts linked to this campaign were found in Italy, Lithuania, and the Netherlands.

Protect yourself from BRATA

The existence of this malware is a reminder to all Android users to avoid installing apps that don't come from Google Play, and to pay attention to the permissions apps ask for. For example, BRATA requests the "Erase all data" device admin permission, and most of us don't want apps that can do that running on our mobile devices.

Although this version of BRATA was not found on Google Play, in the past it has been found, called out, and removed from Google’s online store. So, even when you’re using Google Play, stay vigilant and make sure to keep your mobile antivirus running in real time and up to date.

IOCs:

The post Android malware BRATA can wipe devices appeared first on Malwarebytes Labs.

Duo of Android dropper and payload target certain countries and app users

After its first in-the-wild appearance in March 2021, Vultur, an information-stealing RAT that runs on Android, is back. And its dropper is equally nasty.

Vultur (Romanian for “vulture”) is known to target banks, cryptocurrency wallets, social media (Facebook, TikTok), and messaging services (WhatsApp, Viber) to harvest credentials using keylogging and screen recording.

According to ThreatFabric, the mobile security company that first spotted Vultur in 2021, the criminals behind the malware have steered away from the HTML overlay strategy commonly seen in other Android banking Trojans. Overlays require time and effort from the attackers for every targeted app; by recording the screen and logging keystrokes instead, the attackers get the same results with less effort.

One of the Android droppers that delivers Vultur (among other payloads) is Brunhilda, a privately operated dropper. Early variants of Vultur were dropped by an Android app called "Protection Guard", which had 5,000 installs on the Google Play Store when it was discovered. Note, however, that there are many Brunhilda dropper apps on the Store, which suggests the infection count could be a lot higher.

A Brunhilda dropper masquerading as a security app for Android. (Source: ThreatFabric)

ThreatFabric believes the group behind this dropper and the group behind Vultur are one and the same. The company has linked the two for the following reasons:

  • The command and control server (C2) of “Project Brunhilda” supports Vultur-specific bot commands
  • Vultur is seen using the same C2 that Brunhilda used in the past
  • Vultur is seen using the same icon and package name of a Brunhilda dropper
  • Vultur uses JSON-RPC to communicate with its C2, as Brunhilda did

Moreover, the group behind Vultur can see every interaction the user has with their device, thanks to a real-time implementation of VNC (Virtual Network Computing) screen sharing. VNC is a legitimate tool for remotely controlling a device, so whatever the user sees on their phone screen, the attackers can see too. To make the VNC session reachable from outside, Vultur uses ngrok, another legitimate tool, which uses an encrypted tunnel to expose local services behind firewalls and NAT (network address translation) to the public Internet.
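Because the infected phone runs the ngrok agent itself, one thing a defender on the same network can look for is a phone resolving ngrok's domains, something few handsets have a reason to do. The script below is an added example, not code from ThreatFabric, Pradeo or Malwarebytes: it runs a label-boundary suffix match for ngrok domains over resolver log lines and groups the hits per client. The log format and every log line are constructed for the demo, and the domain list comes from general knowledge of the ngrok service rather than from the article, so treat it as an assumption that needs to be kept current.

```python
import re
from collections import defaultdict

# Domains used by the ngrok agent and its public tunnels, from general knowledge
# of the service (assumption: ngrok adds and retires domains, keep this current).
NGROK_DOMAINS = ("ngrok.io", "ngrok.com", "ngrok-agent.com",
                 "ngrok.app", "ngrok-free.app", "ngrok.dev")

# Constructed resolver log format: "<timestamp> src=<client> qname=<name> qtype=<type>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)$"
)


def normalize_host(name):
    """Lower-case and strip the trailing dot a resolver may log on an FQDN."""
    return name.rstrip(".").lower()


def is_ngrok_host(name):
    """Exact or label-boundary suffix match, so that notngrok.io and
    ngrok.io.example.net are NOT reported."""
    host = normalize_host(name)
    return any(host == d or host.endswith("." + d) for d in NGROK_DOMAINS)


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_ngrok_lookups(lines):
    """Map each client that resolved an ngrok hostname to the sorted names it asked for."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_ngrok_host(rec["qname"]):
            hits[rec["src"]].add(normalize_host(rec["qname"]))
    return {src: sorted(names) for src, names in hits.items()}


# Constructed sample log: two true positives, two look-alikes, one malformed line.
SAMPLE_LOG = """\
2022-02-03T10:14:02Z src=10.20.0.17 qname=connect.ngrok-agent.com qtype=A
2022-02-03T10:14:03Z src=10.20.0.17 qname=4.tcp.ngrok.io qtype=A
2022-02-03T10:14:05Z src=10.20.0.44 qname=www.notngrok.io qtype=A
2022-02-03T10:14:06Z src=10.20.0.44 qname=ngrok.io.example.net qtype=A
2022-02-03T10:14:07Z src=10.20.0.17 qname=api.bank.example qtype=A
this line is deliberately malformed
2022-02-03T10:15:09Z src=10.20.0.91 qname=Tunnel.ngrok.com. qtype=AAAA
"""

if __name__ == "__main__":
    for src, names in sorted(find_ngrok_lookups(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {', '.join(names)}")
```

ngrok is a legitimate developer tool, so a hit is a lead to investigate rather than a verdict; it carries far more weight when the source is a phone on a guest or corporate Wi-Fi than when it is a developer workstation.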

Nasty new malware dropper spreads Vultur

Recently, researchers from Pradeo, another mobile security company, found a fresh variant of Vultur after spotting a fake two-factor authentication (2FA) app on the Google Play Store. The dropper app, aptly named "2FA Authenticator", is responsible for dropping Vultur onto Android devices. Pradeo didn't specify in its report whether this dropper is Brunhilda.

The still-unnamed Vultur dropper spotted on the Play Store. Before it was pulled, it had more than 10,000 downloads. If you look closer, the images used to showcase the app are reworked versions of images belonging to a legitimate authenticator app in the Play Store. (Source: Pradeo)

As Pradeo noted, "2FA Authenticator" was built from the open source code of the Aegis Authenticator app, a legitimate 2FA authenticator with a presence in the Play Store, modified to include malicious code. Users are less likely to be suspicious of an app that appears to work as it should.

Building a dropper that is also a working app is not unheard of; the Android malware BRATA uses the same tactic.

The automated Vultur attack comes in two stages. The first is profiling. The dropper prompts the user for consent to critical permissions that were never disclosed in its Play Store listing:

  • Take pictures and videos. This allows the dropper to collect information about the user, such as the installed application list and location, which the attackers use to target users in specific countries who use certain applications.
  • Disable your screen lock. This disables any form of phone security (password, unlock pattern) set up by the user.
  • Full network access. This allows the dropper to download third-party apps under the guise of updates.
  • Run at startup. This allows the dropper to keep performing tasks even when the app has been closed.
  • Draw over other apps. This allows the dropper to change the interface of other mobile apps—a permission that “very few apps should use”, according to Google.
  • Prevent device from sleeping. This allows the dropper to continue running in the background.

The second stage is the installation of Vultur. Pradeo noted that the dropper doesn't just drop Vultur as soon as it is executed. Instead, the attack escalates to this stage only if the information the dropper has collected meets certain conditions.
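Both BRATA's device-admin tricks (locking the screen, changing the screen lock, setting password rules, "Erase all data") and the permission list the Vultur dropper asks for are visible statically, before anything runs: the permissions sit in AndroidManifest.xml and the device-admin policies in the device_admin.xml resource the manifest points at. The triage script below is an added example, not code from Cleafy, Pradeo or Malwarebytes. It maps the real Android permission names and device-admin policy tags to the wording a user sees, checks whether the app can be activated as a device admin app, and rates the combination. The sample manifest and policy file are constructed for the demo (package name com.example.fake2fa is made up); the scoring rule is an assumption of mine, not one the articles state.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Namespaced key ElementTree uses for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Real Android permission names, mapped to the capability the articles describe.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (bank 2FA codes)",
    "android.permission.READ_SMS": "read stored SMS (bank 2FA codes)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
    "android.permission.WAKE_LOCK": "prevent device from sleeping",
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
}

# <uses-policies> children of device_admin.xml, mapped to the wording Android
# shows on the "Activate device admin app" screen.
DEVICE_ADMIN_POLICIES = {
    "wipe-data": "Erase all data",
    "force-lock": "Lock the screen",
    "reset-password": "Change the screen lock",
    "limit-password": "Set password rules",
}


def requested_permissions(manifest):
    return {el.get(android_attr("name")) for el in manifest.iter("uses-permission")}


def declares_device_admin(manifest):
    """True if a receiver is protected by BIND_DEVICE_ADMIN and handles
    DEVICE_ADMIN_ENABLED, i.e. the app can be activated as a device admin app."""
    for receiver in manifest.iter("receiver"):
        if receiver.get(android_attr("permission")) != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {a.get(android_attr("name")) for a in receiver.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            return True
    return False


def device_admin_policies(policy_root):
    policies = policy_root.find("uses-policies")
    return set() if policies is None else {child.tag for child in policies}


def triage(manifest_xml, device_admin_xml=None):
    """Rate a manifest (plus optional device_admin.xml) and list what was found."""
    manifest = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest)
    findings = [SUSPICIOUS_PERMISSIONS[p] for p in sorted(perms) if p in SUSPICIOUS_PERMISSIONS]
    is_admin = declares_device_admin(manifest)
    policies = set()
    if is_admin and device_admin_xml:
        policies = device_admin_policies(ET.fromstring(device_admin_xml))
    findings += [DEVICE_ADMIN_POLICIES[p] for p in sorted(policies) if p in DEVICE_ADMIN_POLICIES]
    can_wipe = is_admin and "wipe-data" in policies
    reads_sms = bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
    overlays = "android.permission.SYSTEM_ALERT_WINDOW" in perms
    # Assumed rule: remote wipe, or SMS access plus overlays, is the banking-trojan profile.
    if can_wipe or (reads_sms and overlays):
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": manifest.get("package"), "device_admin": is_admin,
            "can_factory_reset": can_wipe, "reads_sms": reads_sms,
            "findings": findings, "verdict": verdict}


# Constructed sample: a fake authenticator that also registers as a device admin.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake2fa">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="2FA Authenticator">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

SAMPLE_DEVICE_ADMIN = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><limit-password/><reset-password/><force-lock/><wipe-data/></uses-policies>
</device-admin>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_DEVICE_ADMIN).items():
        print(key, value)
```

On a real APK the two XML files come out of the decoded resources (apktool or a similar decoder); a device admin declaration in an app that only claims to generate 2FA codes is the kind of mismatch between listing and manifest that the Pradeo write-up describes.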

If you have downloaded an app that you suspect could be malicious, go to Settings > Apps. Look for "2FA Authenticator" in the list and uninstall it.

Stay safe!

The post Duo of Android dropper and payload target certain countries and app users appeared first on Malwarebytes Labs.