IT NEWS

Steer clear of these Instagram “Get rich with Bitcoin” scams

I don’t know about you, but I open Instagram to look at cool photos of pets, not to make a fortune via suspicious claims of riches by strangers.

Despite this, following someone whose photos I liked resulted in a very peculiar message.

It’s possible I waved goodbye to a path to untold riches. Maybe if I’d stayed the course I’d now have my own “Become a millionaire in six months or less” e-book.

However, it’s more likely I dodged a Bitcoin scam. The kind of scam where I’d have to use screenshots of my bank account slowly being drained of all available funds for my next blog post.

Shall we take a look?

Introducing my good friend, Steven McBitcoin

This is the message that greeted me from my newest Instagram contact, who for ease of reference I’ve dubbed Steven McBitcoin:

Steven: Hello 

Good day

Are you interested in bitcoin mining?

I mean, oh boy am I ever. Possibly not quite in the way they were expecting, though. I decided to go with the “I don’t know anything, tell me more” approach, with the vaguely non-committal:

Me: Hello possibly, how come?

Steven: I’m willing to teach you about bitcoin, coach you on how to invest and earn your profits as soon as possible. With a minimum investment of $1,000 I guarantee you of making $10,000 directly into your bank account, bitcoin wallet or any withdrawal method of your choice.

Understood?
A definitely real promise of money beyond my wildest dreams

Well now, that’s quite the promise. $10,000 from $1,000, guaranteed? What could possibly go wrong…apart from everything?

How do I make this kind of money?

The messages continue to rumble on. Now we’re getting into the nuts and bolts of how this stack of digital currency shall be mine.

Me: Where would I invest and how?

Steven: Do you have cashapp, coinbase, crypto.com or Trust wallet?

It appears I’ve reached the “pretend you have one of the options mentioned and see what he says next” stage of the proceedings.

Me: Cashapp

Steven: OK good

Now go to your cashapp main page and send me the screenshot so I can give you direct guidelines on how to get paid.

You got it?

Generally speaking, sending people screenshots of the inside of your payment or bank portals is not a great idea—you can give away a lot about yourself.

This is also often used as a distraction by people who simultaneously ask for other details, such as logins. Consider it a distant cousin of the “please turn off your anti-virus while installing the dolphin.exe file you got from Limewire” technique.

The pinky-swear of digital currency

I wanted to know a little more about the guaranteed return of $10,000. That’s quite the generous deal. Some people would say it’s almost too good to be true.

I am absolutely one of those people.

Me: i have a question. How do you guarantee that i make $10,000 from $1,000? is there a time limit on when i should hit the 10k? what happens if i don't or I end up with less? is the guarantee in writing or anything?

Let’s see what cast-iron agreement he has in store. I simply cannot wait to find out how good this is. Getting it in writing? Of course I’ll be getting it in writing.

Steven: You profit is safe and guaranteed that I can very well assure you and you'll also get your money in less than 2 hours

You won't end up less than but instead even an higher profit from your trade.

I need you to believe me when I say that you have absolutely nothing to worry about, just follow my lead and you'll be the one to thank me later OK.

Send me the screenshot let's proceed with your trade now.

Turns out the guarantee is “dude, trust me”. At this point, in the best documentary tradition, I made my excuses and left (by which I mean I blocked and reported him).

Notice how insistently pushy he becomes towards the end of the conversation. I imagine he’s already moved on to beguiling the next victim with tales of gigantic Bitcoin victory. Hopefully they block and report Mr McBitcoin too.

Common Instagram Bitcoin scams

Sadly, people promising get-rich-quick Bitcoin schemes on Instagram are a growing market of garbage and dross. There is currently no end of people on Facebook bemoaning the loss of their account to one of the scams listed below:

  1. Big wins, short timespan: Claims that you’ll make big returns on smaller investments rapidly are a red flag, as is pressure to transfer funds as quickly as possible. If someone you know suddenly starts talking about all the money they’re making thanks to their “Bitcoin mentor”—run away. It’s another very common scam related to compromised accounts.
  2. Send me the money: On a similar note, requests that you go off and buy digital currency and then send it to another person’s wallet to “invest” are likely to get you nothing but an empty wallet.
  3. Held hostage to cryptocurrency: Many videos regarding wild claims of Bitcoin success are actually incredibly creepy hostage videos. This is where people previously scammed out of their cash are made to film promos to keep the scam going.
  4. A change in circumstances: If you’re asked to change your login details / email address to something somebody else has given you, you’ll simply be locked out of your account and it’ll be used to spam others.
  5. When profit becomes taxing: Here’s one which started with a $1,000 deposit—just like the messages I received—and actually did finish up with a supposed profit of $15,000. Unfortunately for the victim, the scammer then asked for a $15,000 “tax payment” in order to release the now stolen funds. The thousand dollars are not coming back.

If you receive a get rich quick missive, you may wish to report it and block the sender. You can do this on Instagram by selecting the “…” next to the Follow button, then choosing Report > report account > posting content that shouldn’t be on Instagram > scam or fraud.

At the risk of resurrecting the “if it’s too good to be true…” dead horse, it has a fair bit of merit here. If someone had the secret to huge amounts of wealth, they wouldn’t be sharing it with random people on Instagram. Sadly, the only people making bank from this kind of deal or offer are the scammers pulling the strings in the first place.

The post Steer clear of these Instagram “Get rich with Bitcoin” scams appeared first on Malwarebytes Labs.

It’s business as usual for REvil ransomware

After the FSB arrested 14 of its members in January, and a subsequent lull in action, the REvil ransomware gang appears to be back. We say “appears” because it’s still unclear whether the group’s operations have indeed restarted.

To the trained eye, REvil’s movements seem out of sorts. When REvil’s old Tor infrastructure came back to life in April, it was modified to redirect visitors to URLs owned by a new ransomware group. The sites the nodes point to looked nothing like REvil’s. And its data leak blog is prepopulated with new ransomware victims and old REvil victims.

“And they are recruiting,” added Malwarebytes Threat Intelligence Analyst Marcelo Rivero.

REvil ransomware: a brief look back

When the REvil ransomware gang began its operations in 2019, it started strong. REvil, also known as Sodinokibi or Sodin, was the new RaaS (ransomware as a service) of the criminal underground, filling the hole GandCrab left behind.

Like any “big-game hunting” operator, REvil only targets high-earning organizations. The logic behind this is that such targets are presumed to pay up, even a high ransom. They presumed correctly.

2021 was the ransomware gang’s last year of activity. REvil attacked JBS, one of America’s largest meat and poultry processors, in June. JBS underwent recovery proceedings immediately after the attack, unlike other ransomware victims. It was revealed months after that the company paid REvil to the tune of $11M (£7.8M).

In July, REvil attacked Kaseya, the company behind Kaseya VSA, a popular remote monitoring and management software. The ransomware gang asked for a whopping $70M ransom, but the company didn’t pay. Instead, it used a decryption key “from a third party” to decrypt all its encrypted files.

Many suspected that something was up. Kaseya could not give any more details, as it was bound by an NDA (non-disclosure agreement), but the ransomware gang claimed that the decryptor was leaked by one of its operators.

Is REvil really back?

A ransomware sample is needed to dispel speculations on whether REvil has re-emerged or not. Sure enough, cybersecurity researcher Jakub Kroustek (@JakubKroustek) discovered one recently.

Multiple security researchers who looked into the sample said they noticed a few changes to the code based on old REvil ransomware code. The most notable changes in the encryptor are the version, the new accs configuration option, and the campaign and affiliate identifiers.

In an interview with BleepingComputer, Advanced Intel CEO Vitali Kremez said he believes this option “is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.”

When asked about his thoughts, Rivero said, “I think this REvil sample is just a test file because it doesn’t encrypt.”

On top of this, the sample also adds a random extension name to affected files and creates a ransom note—both as text and HTML files—identical to old REvil’s. The web version of the ransom note links users back to new paid Tor sites and the new data leak blog.

The new REvil ransomware note.

Malwarebytes detects this new REvil sample as Sodinokibi.Ransom.Encrypt.DDS.

What should previous victims do now?

When REvil’s servers disappeared on an early Tuesday morning in July 2021, current victims of the ransomware gang were left stumped, not knowing what to do next. They were stuck in mid-negotiations, fearing they might never hear from the gang again, leaving their essential files encrypted forever.

With REvil back and the new operators apparently inheriting former victims of the old ransomware gang, what does this mean for victims?

It’s almost a year since REvil’s infrastructure went dark, and victim companies may have already moved on or sought help from law enforcement. Either way, REvil might one day come knocking at their digital doors to pick up where it left off.

The post It’s business as usual for REvil ransomware appeared first on Malwarebytes Labs.

Google fixes two critical Pixel vulnerabilities: Get your updates when you can!

Google has made updates available for Android 10, 11, 12 and 12L. The May Android Security Bulletin contains details of security vulnerabilities affecting Android devices.

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices. Pixel phones are Google’s “pure Android” phones.

In total, these two bulletins mention three vulnerabilities rated as critical. Two of those vulnerabilities only concern Pixel users.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below we will discuss the CVEs that were rated as critical.

Bootloader

CVE-2022-20120: A remote code execution (RCE) vulnerability in the bootloader. On Android, the bootloader is a piece of software that loads the OS every time you boot your phone. By default, it will only load software that was signed by Google. But if you unlock the bootloader, it will load whatever software you tell it to. The exact issue has (not yet) been disclosed, but depending on the level of access needed to exploit this vulnerability, this could be very serious.

Titan-M

CVE-2022-20117: An information disclosure (ID) vulnerability in Titan M. Titan M is an enterprise-grade security chip custom built for Pixel phones to secure the most sensitive on-device data and operating system. Titan M helps the bootloader make sure that you’re running the right version of Android. Again, details about the issue have (not yet) been disclosed. But being able to steal information from the part that is supposed to secure the most sensitive data doesn’t bode too well.

Qualcomm

Qualcomm’s chipsets are the most common ones in the Android smartphone space. The severity assessment of their issues is provided directly by Qualcomm.

CVE-2021-35090: CVSS 9.3 out of 10. Listed by Qualcomm as a Time-of-check Time-of-use (TOC TOU) Race Condition in Kernel, and specified as a possible hypervisor memory corruption due to a TOC TOU race condition when updating address mappings. In general, a TOC TOU occurs when a resource is checked for a particular value, such as whether a file exists or not, and that value then changes before the resource is used, invalidating the result of the check. A race condition occurs when two or more threads can access shared data and they try to change it at the same time.
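As an added illustration (not from the Qualcomm advisory or this post), here is the file-existence flavour of TOC TOU just described, in Python: a check-then-use reader that can be fooled when the path is re-pointed inside the window, beside a version that opens first and checks the descriptor it actually got. The file names and the `race_window` hook are constructed for the demo and stand in for a concurrent party.

```python
import os
import stat
import tempfile


def read_after_check(path, race_window=None):
    """Vulnerable check-then-use pattern (the TOC TOU shape described above).

    `race_window` is a test hook standing in for the moment between the check
    and the use in which another party can change what `path` refers to.
    """
    st = os.stat(path)  # time of check: follows symlinks to whatever is there now
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing: not a regular file")
    if race_window is not None:
        race_window()  # the window in which the checked state goes stale
    with open(path, "rb") as f:  # time of use: the path is resolved again
        return f.read()


def read_checked(path):
    """Hardened pattern: open first, without following symlinks, then check the
    object actually opened. Check and use refer to the same descriptor, so
    nothing can be swapped in between."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("refusing: not a regular file")
        with os.fdopen(fd, "rb") as f:
            fd = -1  # ownership moved to the file object
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Constructed scenario: a link that points at a harmless file at check time
    and at a sensitive file at use time. Returns what each pattern ended up doing."""
    workdir = tempfile.mkdtemp()
    public = os.path.join(workdir, "public.txt")
    secret = os.path.join(workdir, "secret.txt")
    link = os.path.join(workdir, "link")
    with open(public, "wb") as f:
        f.write(b"public data")
    with open(secret, "wb") as f:
        f.write(b"SECRET")

    def repoint():
        # Swap the link between the check and the use. Renaming a symlink over
        # another is atomic, which is what makes the stale check exploitable.
        tmp = os.path.join(workdir, "link.tmp")
        os.symlink(secret, tmp)
        os.replace(tmp, link)

    os.symlink(public, link)
    vulnerable_result = read_after_check(link, race_window=repoint)

    try:
        read_checked(link)
        hardened_result = "opened"
    except OSError:
        hardened_result = "rejected"  # O_NOFOLLOW refuses the symlink outright
    return {
        "vulnerable": vulnerable_result,
        "hardened": hardened_result,
        "public_path": public,
    }


if __name__ == "__main__":
    print(demo())
```

The kernel and hypervisor case in the CVE is the same shape with memory mappings instead of a file path: the fix is always to validate the object you are actually about to use, not a name that can be re-bound.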

Mitigation

None of the vulnerabilities have been flagged as being used in the wild. Google discloses that the most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege (EoP) with user execution privileges needed, but does not tell us which of the four candidates that is.

For Google and other Android devices, security patch levels of 2022-05-05 or later address all issues in these bulletins. To learn how to check a device’s security patch level, see Check and update your Android version. We encourage all users to update to the latest version of Android where possible.

The Pixel 3a and Pixel 3a XL series will receive security updates for the last time this month. Then they reach the End-of-Life (EOL) stage when it comes to support. For the Pixel 4 and Pixel 4 XL, this will be the case in October 2022.

Stay safe, everyone!

The post Google fixes two critical Pixel vulnerabilities: Get your updates when you can! appeared first on Malwarebytes Labs.

Nigerian Tesla: 419 scammer gone malware distributor unmasked

Agent Tesla is a well-known data stealer written in .NET that has been active since 2014 and is perhaps one of the most popular payloads observed in malspam campaigns.

While looking for threats targeting Ukraine, we identified a group we call “Nigerian Tesla” that has been dabbling in phishing and other data theft activities for a number of years. Ironically, one of the main threat actors seemingly compromised his own computer with an Agent Tesla binary.

In this blog, we expose some of the activities from a scammer who started off with classic advance-fee schemes and is now successfully running Agent Tesla campaigns. In the past two years, this threat actor was able to collect close to a million credentials from his victims.

Spam campaign

Our investigation started with an email titled Остаточний платіж.msg (Ukrainian for Final payment.msg). It contained a link to a file sharing site that downloads an archive containing an executable file.

Figure 1: Spam email with Agent Tesla

This executable is actually an Agent Tesla stealer, capable of exfiltrating data in multiple ways, though most commonly using SMTP. The technique is really simple as it only requires an email account that sends messages to itself containing stolen credentials for each victim that executed the malware on their computer.

Test successful!

The attacker sent a number of messages containing the body “Test successful!” from the same machine. Those emails should have been deleted for obvious reasons, but this threat actor did not delete them, and they leaked his own IP address, allowing us to locate him in Lagos, Nigeria.

Figure 2: Test emails sent by the attacker

These messages are checks done by the threat actor to make sure communication with Agent Tesla is configured properly. This is typical and is often described in hacking forums where users ask for help with the ‘software’.

Figure 3: Forum post complaining about not receiving logs
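The exfiltration channel described above (a mailbox that receives its own mail from every infected machine) and the operator's test messages give a mail provider or gateway something to look for. As an added example, not from the post or from Malwarebytes, the following Python pass runs over a constructed mail-submission log whose field layout is an assumption; it flags accounts whose self-addressed mail fans in from many distinct client addresses in a short window, and records the client addresses behind any “Test successful!” messages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed mail-submission log for the demo; the layout is an assumption, not
# any real MTA's format. `text` is the first line of the message body.
SAMPLE_LOG = """\
2022-04-02T09:14:03Z client=203.0.113.7 auth=drop@example.net from=drop@example.net to=drop@example.net text=Test successful!
2022-04-02T09:15:40Z client=203.0.113.7 auth=drop@example.net from=drop@example.net to=drop@example.net text=Test successful!
2022-04-02T10:02:11Z client=198.51.100.23 auth=drop@example.net from=drop@example.net to=drop@example.net text=run 1
2022-04-02T10:05:52Z client=198.51.100.77 auth=drop@example.net from=drop@example.net to=drop@example.net text=run 2
2022-04-02T10:09:30Z client=192.0.2.140 auth=drop@example.net from=drop@example.net to=drop@example.net text=run 3
2022-04-02T10:11:05Z client=192.0.2.141 auth=drop@example.net from=drop@example.net to=drop@example.net text=run 4
2022-04-02T10:20:00Z client=203.0.113.50 auth=alice@example.net from=alice@example.net to=bob@example.net text=lunch?
2022-04-02T10:25:00Z client=203.0.113.50 auth=alice@example.net from=alice@example.net to=alice@example.net text=note to self
"""

# Body text the post observed in the operator's own test messages.
TEST_MARKER = "Test successful!"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) auth=(?P<auth>\S+) "
    r"from=(?P<frm>\S+) to=(?P<to>\S+) text=(?P<text>.*)$"
)


def parse_log(log_text):
    """Parse the constructed format into event dicts with UTC datetimes."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected layout
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(e)
    return events


def find_self_addressed_fanin(events, window=timedelta(hours=1), min_ips=3):
    """Flag accounts whose self-addressed mail arrives from at least `min_ips`
    distinct client addresses inside any `window`. One mailbox receiving its own
    mail from many machines is the shape of the SMTP drop described in the post;
    a person mailing notes to themselves comes from one or two addresses."""
    by_account = defaultdict(list)
    for e in events:
        if e["auth"] == e["frm"] == e["to"]:
            by_account[e["auth"]].append(e)

    findings = {}
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, first in enumerate(evs):  # sliding window over sorted events
            ips = {first["ip"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                ips.add(later["ip"])
            best = max(best, len(ips))
        if best >= min_ips:
            findings[acct] = {
                "messages": len(evs),
                "max_distinct_ips": best,
                # Client addresses behind test messages: the operator's own
                # machine, if the sender made the mistake the post describes.
                "test_message_ips": sorted(
                    {e["ip"] for e in evs if e["text"] == TEST_MARKER}
                ),
            }
    return findings


if __name__ == "__main__":
    for acct, info in find_self_addressed_fanin(parse_log(SAMPLE_LOG)).items():
        print(acct, info)
```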

There were an additional 26 emails sent from the same IP address that weren’t test emails but came from a real Agent Tesla execution. We don’t know exactly how, but the attacker managed to infect his own machine.

Figure 4: Information exfiltrated from the attacker’s machine

Here is a list containing some of the services that the Nigerian Tesla threat actor used:

  • PerfectMoney
  • Glassdoor signupanywhere (could be a source to get victims’ emails)
  • omail.io (service for extracting emails)
  • warzone.ws (Warzone RAT)
  • worldwiredlabs (NetWire RAT)
  • le-vpn.com, bettervpn.com, zenmate.com, tigervpn, hotvpn (VPN providers)
  • securitycode.eu, cassandra.pw (code protectors)
  • esco.pw (office document protection)
  • monovm, hostwinds.com, firevps, dynu, 4server.su (VPS and dedicated servers)
  • dnsomatic.com, cloudns.net (DNS services)
  • spam-lab.su
  • filesend.io, 4shared (file hosting)
  • avcheck.net (offline AV test)
  • bitshacking.com
  • archive.org (used like cloud storage)
  • xss.is, hackforums.net, exploit.in (forums)
  • titan.email (.pw accounts, various scams)

Rita Bent, Lee Chen and John Cooper are some of the names that have been used in the past along with dozens of different email accounts with passwords containing the string ‘1985’. The following image shows the activity from user rita398 in hackforums asking about Esco Crypter:

Figure 5: Rita398 interested in Esco Crypter

Here we see Rita complaining about an RDP suspension that eventually hit one of his registered domains.

Figure 6: RDP shutdown complaint

The following email accounts were used in various phishing and data stealing operations:

Based on these profiles, we can see this threat actor has an extensive criminal record going back to at least 2014. Back then, they performed classic scams under the Rita Bent moniker.

Figure 7: Scam conducted by the same attacker in the past

One of their preferred scams was phishing for Adobe login pages. We have records indicating that several Adobe fake pages were deployed from 2015 until recently. Landing pages looked like the following:

Figure 8: Fake Adobe login page

Fast forward to 2020, and the threat actor has graduated to malware distributor. He protects his binaries with the Cassandra Protector obfuscator and then checks them against AVcheck[.]net.

Figure 9: Cassandra Protector

Figure 10: AVcheck[.]net

Who is behind these attacks?

The threat actor shared photos of himself back in 2016 and for some reason forgot about them.

Figure 11: Photos of the threat actor

E.K. was born in 1985 according to his driver’s license. Remember that 1985 appears in a lot of passwords collected from accounts that conducted these illegal activities.

Figure 12: Threat actor’s driver’s license

At the moment, we do not have much information about other members in the team. But E. K. seems to be the most relevant figure, at least the one who started the scheme.

From 419 scams to Agent Tesla

Nigerian Tesla stole more than 800,000 different credentials from about 28,000 victims. This shows how simple and yet effective running one of these campaigns can be. In this case we see an interesting evolution from a threat actor that was performing the classic advance-fee scam (419 scam) before moving into the malware distribution world, more or less for the same end goal.

Malwarebytes users are protected against Agent Tesla. We detect this sample as Spyware.Password.Stealer.

The post Nigerian Tesla: 419 scammer gone malware distributor unmasked appeared first on Malwarebytes Labs.

The $43 billion Business Email Compromise threat

The FBI has released a public service announcement regarding the ever-present threat of Business Email Compromise (BEC). This comes hot on the heels of an earlier release from the Las Vegas FBI department in April. Losses continue to mount, and we’re currently facing a scam racking up domestic and international losses of $43 billion.

What is Business Email Compromise?

BEC attacks, also known as CEO/CFO fraud, are financial in nature and target organisations of all sizes. The basic game plan is to pretend to be someone at executive level, and then convince an employee to help wire funds outside of the company. Loss numbers are frequently significant, and it’s a very appealing tactic for scammers looking to get rich quick.

As the FBI points out, the goal is not always a direct fund transfer:

One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.

With any foothold gained inside the organisation, BEC attempts which run into frustration can potentially pivot into other areas of attack as we’ll mention later. With so many avenues of approach, it’s no wonder BEC attracts the attention of law enforcement at the highest levels.

The FBI BEC numbers game

  • $43 billion vanished between June 2016 and December 2021. There were 241,206 domestic and international incidents between those two dates.
  • The FBI observed a 65% increase in losses suffered between July 2019 and December 2021, which feels like a significant ramp-up.
  • The overwhelming number of organisations filing victim complaints to the IC3 between October 2013 and December 2021 were based in the US.

The report goes into more detail, but the short version is that US organisations are suffering quite a bit from this type of attack. It’s possible that BEC still isn’t as well known as it should be. It’s also possible that the pandemic has contributed to a lack of funds for appropriate security measures and training for employees. Whatever the reason, we’ve definitely reached the part where alarm bells are ringing loud and clear.

The rise of cryptocurrency in BEC fraud

As with so many forms of online criminal activity, law enforcement is noticing an increase in cryptocurrency use. This area of concern is particularly fascinating, first identified in BEC attacks in 2018 and continuing to build through to 2021 with just over $40m in exposed losses. This will almost certainly continue to increase. No BEC fraudster will turn down the chance of fast transactions easily made online with a degree of anonymity attached to the process. Here’s what the FBI has to say about some of the cryptocurrency tactics deployed:

The IC3 tracked two iterations of the BEC scam where cryptocurrency was utilized by criminals. A direct transfer to a cryptocurrency exchange (CE) or a “second hop” transfer to a CE. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.

Source: FBI report on BEC losses

6 tips to avoid BEC scams

  1. Your business should have an approved method for money transfers and anything of a financial nature. If cash goes out of the organisation in any way, it has to stick to the process. Deviating under any circumstance is a tiny gap in your armour that could prove fatal. “We only did it one time” often results in “We just lost a terrifying amount of money somehow”. Urgent same-day requests for wire transfers? Head straight to the page which hopefully insists upon no urgent same-day wire transfer requests ever.
  2. Some form of authentication to confirm your CEO/CFO is pulling the money-lever for real should be in place. Phone conversations are great for this. Any accounts tied to exec level should also have some form of Multi-Factor Authentication (MFA) attached to it whether or not there’s financial activity involved. Email accounts? Internal logins? Anything at all? App-based authentication or a physical hardware token is the way to go. Sometimes attackers aren’t just spoofing real emails, they’re compromising them to send money requests too. Authentication will go a long way to ward this threat off.
  3. You can’t realistically hide who your executives are from the world at large. One way or another, they’re going to be on an “About Us” page. Limit the amount of data exposure. Consider placing generic “catch-all” email addresses on the contact page. It doesn’t have to be their actual, personal email address. Don’t tell everyone on social media that the CEO is on vacation for a week, or even just travelling. When people targeted by BEC scams are potentially hard to get hold of, BEC fraudsters will likely strike.
  4. Email security plays a big part in cutting these attacks off at source. Deactivate accounts belonging to former employees, especially if they were part of the exec team: Malicious activity is a feature of old, abandoned addresses. Rules for suspicious looking emails coming into the organisation and also being sent around internally should be made use of. Any form of digital authentication/digital signatures to verify the sender will also help. Prominent “external sender” flags on mails are very handy tools to cut down on mail imitation.
  5. If the BEC tactics aren’t working, the attacker could decide to switch to malware instead. Emails from random addresses containing attachments such as fake invoices should be quarantined, especially when mail security tools detect potential keywords or phrases related to BEC indicators. Booby-trapped Excel sheets, for example, are one of the mainstays of ransomware compromise. Don’t dodge the BEC bullet only to be taken down by file encryption on a massive scale instead.
  6. Tell employees that it’s totally fine to question requests for payment or money transfer, especially if totally out of the blue. Even more so if it’s not something they’d have any involvement in. Why is the CEO asking someone in building maintenance to help them wire $30,000 through Hong Kong at 3 in the morning?

The challenge of BEC compromise

This is clearly a tricky problem to get to grips with, or else the FBI wouldn’t be publishing multiple alerts and public service announcements about it. The ever-increasing losses speak for themselves. The slowly growing relevance of cryptocurrency to BEC attacks paints a stark picture of where this tactic is headed. Try to implement as many of the tips above as possible.

Most importantly, don’t be pressured into sending money without doing some additional digging first. It may well prove to be one of the smartest work decisions you’ll ever make.

The post The $43 billion Business Email Compromise threat appeared first on Malwarebytes Labs.

Ransomware: April 2022 review

The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.

April 2022 was most notable for the emergence of three new ransomware-as-a-service (RaaS) groups—Onyx, Mindware, and Black Basta—as well as the unwelcome return of REvil, one of the world’s most notorious and dangerous ransomware operations.

An old enemy returns

REvil (aka Sodinokibi) first appeared in May 2020 and has been responsible for numerous high-profile ransomware attacks, including arguably the biggest ransomware attack of all time—a supply-chain attack on Kaseya VSA in July 2021 that is thought to have affected over 1,000 businesses.

REvil disappeared shortly after the Kaseya attack, only to emerge again a few months later, before being forced offline on October 21, 2021, by a multi-country operation. A string of arrests followed, and then in January—in an act of unprecedented co-operation—Russia’s Federal Security Service (FSB) announced that it had dismantled the REvil group and charged its members, thanks to the information provided by the USA.

REvil now seems to have returned to the fray with new payloads, and a new leak blog displaying a mixture of new victims and old victims known to have been attacked by REvil.

New gangs emerge

Black Basta made a name for itself very quickly by coming out of nowhere and carrying out at least eleven successful breaches in April 2022. That ability to perform so many attacks so quickly has led some to speculate that Black Basta is a re-brand of an existing group that already has affiliates.

Onyx is a new ransomware gang based on the old Chaos builder. At first, some suspected that Onyx may be a wiper rather than ransomware because it destroyed files larger than 2MB instead of encrypting them. It seems likely that this behavior is the result of a bug in the notoriously poorly-written ransomware builder though.

Another newly-emerged gang is Mindware, which appears to have started operations in mid-March using a well-known ransomware strain called SFile2 (aka Escal)—but it was not until April that it began to practice “double extortion”, where data is stolen before it’s encrypted so that victims are faced with the twin threats of data they can’t decrypt, and leaks of sensitive information.

Ransomware attacks in April 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

Attacks by ransomware type

Despite its rapid start, the activities of Black Basta and the other newly-emerged types of ransomware were dwarfed in April by three established threats: LockBit, Conti, and AlphV, which made up 60 percent of all the known breaches in our analysis.

Known ransomware attacks in April 2022 by type of ransomware

Known ransomware attacks in April 2022 by country

Known ransomware attacks in April 2022 by industry

Ransomware mitigations

Source: IC3.gov

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

How Malwarebytes protects against ransomware


Malwarebytes protects systems against ransomware in several layered ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the ransomware binary itself. Detections can happen in real time as the binary is run, or the infection can be rooted out of an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

The post Ransomware: April 2022 review appeared first on Malwarebytes Labs.

Fake Cyberpunk Ape Executives target artists with malware-laden job offer

The wacky world of ape jpegs is at the heart of yet another increasingly bizarre internet scam, which involves malware, stolen accounts, a faint possibility of phishing, and zips full of ape pictures.

The Ape Executives have a job offer you can, and must, refuse

Lots of people with art profiles on social media in Japan and elsewhere have reported messages from people claiming to be from the “Cyberpunk Ape Executives”. These messages promoted some sort of upcoming project related to both cyberpunk and apes.

Users on several sites including DeviantArt and Pixiv were sent identical missives from a variety of accounts:

“We appreciate your artwork…”

The message received by these artists reads as follows:

Hi! We appreciate your artwork! Cyberpunk Ape Executives is inviting 2D-artists (online / freelance) to collaborate in creating NFT project. As a 2D-artist you will create amazing and adorable NFT characters. Your characters will become an important part of our NFT universe! Our expectations from the candidate: 1) Experience as a 2D-artist 2) Experience and examples of creating characters 3) Photoshop skills

Main tasks: 1) Creating characters in our NFT style 2) Interaction with Art Team Lead on task setting, feedback. For further communication check out the examples of our NFT works: [url removed] and send a reply (CV + examples of your works) for this position. Approximate payment per day = $200-$350. We make payments to Paypal, BTC, ETH, LTC.

Anyone clicking the link was directed to a MEGA download page. The .rar file to download weighs in at 4.1MB, and comes with the password “111” supplied. Artists expecting to find ape jpegs are in for a horrible surprise, not least because it does in fact contain several ape jpegs. It also contains something else pretending to be an ape jpeg. Observe:

Screenshot: contents of the downloaded archive

Can you spot the ape doing his own thing? Note that without "view file extensions" enabled, you wouldn't notice the odd one out: Windows hides the final extension, so Cyberpunk Ape Executive #19, whose name actually ends in .gif.exe, looks like just another .gif. Disguising executables as image files is an ancient technique, but it seems profitable in ape jpeg land. Artists opening the file would infect their system with a form of infostealer which Malwarebytes detects as Spyware.PasswordStealer.EnigmaProtector.
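The double-extension trick is easy to check for mechanically, and the check generalises beyond .gif.exe: any archive entry whose final extension is executable, or whose bytes start with the "MZ" header of a Windows executable while the name claims to be an image, deserves a second look. The script below is an added example, not Malwarebytes code and not the contents of the real archive; the listing of file names and leading bytes is constructed to imitate the pattern described, and the Explorer display-name logic is simplified (it drops the last extension when it is a known type).

```python
"""Spot executables disguised as pictures in an archive listing."""
import os

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".hta", ".js", ".vbs", ".lnk"}
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".webp"}

# Leading bytes of common formats; PE executables (Windows .exe) start with "MZ".
MAGIC = [
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe-executable"),
]

# Constructed listing: (file name, first bytes of the file). Not the real
# archive's contents; the names imitate the pattern described in the post.
SAMPLE_ENTRIES = [
    ("Cyberpunk Ape Executive #01.gif", b"GIF89a\x00\x01"),
    ("Cyberpunk Ape Executive #02.gif", b"GIF89a\x00\x01"),
    ("Cyberpunk Ape Executive #19.gif.exe", b"MZ\x90\x00\x03\x00"),
    ("Cyberpunk Ape Executive #23.png", b"MZ\x90\x00\x03\x00"),
    ("notes.txt", b"Hi! We appreciate"),
]


def extensions(name):
    """'x.gif.exe' -> ['.gif', '.exe'] (lower-cased, left to right)."""
    exts = []
    while True:
        name, ext = os.path.splitext(name)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def explorer_display_name(name):
    """Name as Explorer shows it with 'Hide extensions for known file types'
    on (simplified: the last extension is dropped when it is a known type)."""
    base, ext = os.path.splitext(name)
    return base if ext.lower() in EXECUTABLE_EXTS | IMAGE_EXTS else name


def sniff(head):
    """Classify a file by its leading bytes rather than by its name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def classify(name, head):
    """Return the list of reasons this entry is suspicious (empty if none)."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % last)
        if len(exts) >= 2 and exts[-2] in IMAGE_EXTS:
            reasons.append("double extension: shown as %r with extensions hidden"
                           % explorer_display_name(name))
    if sniff(head) == "pe-executable" and last not in EXECUTABLE_EXTS:
        reasons.append("content is a PE executable but the name claims %s"
                       % (last or "no extension"))
    return reasons


def scan(entries):
    """Map each suspicious file name to its reasons."""
    result = {}
    for name, head in entries:
        reasons = classify(name, head)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ENTRIES).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

The magic-byte check is what catches the second planted entry, a file that is named .png but begins with "MZ": a detector that only looks at names would let it through.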

Message spam galore

Many people are pointing out that their accounts started spamming the same bogus promotional messages seen up above. Here’s one example found on ArtStation from last week:

There is clearly some form of account compromise taking place; however, at the time of writing it's difficult to pin this 100% on the infection file. Those who've suffered an account breach typically don't confirm one way or the other whether the infection or some kind of phishing is responsible (warning: very angry and swear-filled artist Tweets ahoy).

What we've observed is that it connects to a server, sending some basic system information such as the operating system and various system parameters. There's no direct evidence of password theft (yet), though it could be waiting for direct orders or certain conditions to swipe data.

Keeping your accounts safe

It’s possible there’s a phishing aspect to this independent of the infostealer. Perhaps there’s a second set of messages aimed at tricking people into visiting fake logins, though we stress there is currently no evidence of this. The executable seems the most likely candidate. Either way, our tips are as follows:

  1. Do not download the .rar containing the apes. If you have, do not open up the .gif.exe file. Proceed to running security scans at this point, and ensure whatever you have on board is quarantined and stripped out from your system.
  2. If there are messages from so-called Cyberpunk Ape Executives bouncing around somewhere sending you login links, don’t enter the credentials they happen to be asking for. Done this already? Log in and change your password. If they’ve already changed your login, contact support as soon as possible. Again: we don’t know if a phish campaign is operating in tandem with the infection file campaign, and we’d suggest you’re most likely to fall foul of login compromise via the system infection.

All my apes giving security advice

Possibly the most amazing thing here is that the Cyberpunk Ape Executives actually do appear to exist. Here’s the genuine Ape Executives themselves, warning artists about the fakers:

Accept no ape imitations.

We’ll continue to observe this one and add to the post should any fresh information come to light. For now, keep a close eye on messages sent your way. There’s nothing better for an artist than receiving the possibility of a well paying commission. Unfortunately, all you’ll be paying with here is system data, and quite possibly your logins too.

The post Fake Cyberpunk Ape Executives target artists with malware-laden job offer appeared first on Malwarebytes Labs.

8 security tips for small businesses

Small businesses and startups are known to face some extra challenges when it comes to cybersecurity. Because they don’t have the size or budget to have a fully-fledged dedicated security team, it often comes down to a smaller staff that doesn’t have the time to do everything that is recommended or even required. Often security issues are just dealt with when the need arises.

There is the first issue right there. When the need arises, it’s often already too late. An infection has been found, a breach was discovered, or ransomware has disabled systems or made files unretrievable.

Small businesses also often do not consider themselves to be a target, but you don’t have to be explicitly targeted to get breached or infected. Depending on how small your business is, the tips below may be more or less important in your circumstances and for your threat model. Your threat model depends more on the line of business that you are in than it does on the size of your company.

1. Enable your staff

Your staff need to know what is expected of them, and what not to do.

  • Make cybersecurity a company-wide issue, but also appoint a go-to person who has the responsibility, along with the time and the tools, to perform that task.
  • Train your employees in security awareness, so they can recognize phishing attempts and know what they can and can’t do on company-issued hardware.
  • Consider outsourcing time-consuming and specialized tasks. In the end this may turn out to be more cost-effective than trying to do it with your own staff.

2. Know your equipment

It is important to be aware of your networking equipment, endpoints, and devices. Not only to know what needs to be protected, but also to know where weaknesses may lie.

  • Pay special attention to devices that are used to work from home (WFH) or included in a BYOD program. Make it clear that mixing work and pleasure on the same device comes with security risks.
  • Audit your environment on a regular basis, especially if you are a fast growing small business. That way you’ll know what you are using and what may need to be upgraded, replaced, or updated.

3. Get your patches and updates ASAP

Once you have established the hardware and software in your environment you need to perform effective patch and vulnerability management.

If having specialized software for this task or outsourcing it is not an option, it might be a good idea to keep an eye on the Known Exploited Vulnerabilities (KEV) Catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA). This catalog gives Federal Civilian Executive Branch (FCEB) agencies a list of vulnerabilities that are known to be exploited in the wild, together with a due date by which each one must be remediated in their organization. Even if your organization isn't an FCEB agency that has to follow Binding Operational Directive 22-01, the CISA list acts as a good guide for your patch management strategy.
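Keeping an eye on the catalog is more useful when it is matched against what you actually run. The script below is an added example, not CISA code: it reads an excerpt in the shape of the KEV JSON feed (field names as CISA publishes them), joins it with a small software inventory by vendor and product, and orders the hits by due date, marking the overdue ones. The catalog excerpt, the CVE placeholders (CVE-0000-000x are not real entries), the vendor names and the inventory are all constructed for the example.

```python
"""Match a software inventory against a KEV catalog excerpt and rank by due date."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The CVE IDs,
# vendors and products are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.04.29",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Edge Gateway",
         "vulnerabilityName": "Edge Gateway Authentication Bypass",
         "dateAdded": "2022-04-11", "shortDescription": "Placeholder entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-02", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Edge Gateway",
         "vulnerabilityName": "Edge Gateway Command Injection",
         "dateAdded": "2022-05-04", "shortDescription": "Placeholder entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-25", "notes": ""},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "Mail Server",
         "vulnerabilityName": "Mail Server Remote Code Execution",
         "dateAdded": "2022-04-13", "shortDescription": "Placeholder entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-04", "notes": ""},
    ],
})

# Constructed inventory of what the business runs (vendor/product spelling
# deliberately differs in case from the catalog to show the normalisation).
INVENTORY = [
    {"vendor": "examplevendor", "product": "edge gateway", "hosts": ["fw-01"]},
    {"vendor": "ExampleVendor", "product": "Desktop Agent", "hosts": ["pc-03", "pc-07"]},
]


def load_kev(text):
    return json.loads(text)["vulnerabilities"]


def _key(vendor, product):
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(kev_entries, inventory):
    """Catalog entries whose vendor/product pair appears in the inventory."""
    by_key = {}
    for item in inventory:
        by_key.setdefault(_key(item["vendor"], item["product"]), []).append(item)
    hits = []
    for v in kev_entries:
        for item in by_key.get(_key(v["vendorProject"], v["product"]), []):
            hits.append({
                "cveID": v["cveID"],
                "product": v["product"],
                "hosts": item["hosts"],
                "dueDate": date.fromisoformat(v["dueDate"]),
                "requiredAction": v["requiredAction"],
            })
    return hits


def prioritize(hits, today):
    """Earliest due date first; flag anything already past its date."""
    for h in hits:
        h["days_left"] = (h["dueDate"] - today).days
        h["overdue"] = h["days_left"] < 0
    return sorted(hits, key=lambda h: h["dueDate"])


def report(kev_text=KEV_SAMPLE, inventory=INVENTORY, today=date(2022, 5, 10)):
    return prioritize(match_inventory(load_kev(kev_text), inventory), today)


if __name__ == "__main__":
    for h in report():
        flag = "OVERDUE" if h["overdue"] else "%d days left" % h["days_left"]
        print(h["cveID"], h["product"], h["hosts"], h["dueDate"], flag)
```

Pointing load_kev at the real feed and the inventory at whatever asset list came out of tip 2 turns this into a weekly check that fits a small team's time budget.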

And keep an eye on security news sites (like this!) in order to stay alerted to the biggest and most important updates and patches.

4. Lock things down

Having a strict policy to protect your important assets with strong passwords and multi-factor authentication (MFA) should be a no-brainer. Consider making it easier for your staff by using a single sign-on (SSO) service or, alternatively, by providing them with a password manager.

Very important files and documents can be encrypted or stored in password-protected folders to keep them safe from prying eyes. A stolen or lost device is stressful enough without having to worry about confidential information.

5. Use a firewall and VPN

A firewall controls which traffic may cross an entry point to a network, while a VPN creates an encrypted tunnel between a device and a network, or between two networks. Both can be used to protect your network.

If your company has internet-facing assets (and who doesn't?), it is important to apply network segmentation. Network segmentation separates a computer network into subnetworks, and allows each segment to be protected with its own set of controls. By separating segments according to role and functionality, they can be protected with varying levels of security. A common step for small organizations is to separate the systems that require internet access from those that don't.

Remote Desktop Protocol (RDP) is a network protocol that allows remote management of assets: users log in to systems remotely and work on them as if they were physically there. RDP is sometimes a necessary evil, but there are ways to make it safer: never expose it directly to the internet, reach it only over the VPN, require MFA, lock accounts after repeated failed logins, and review the logon logs for unusual sources and times.

6. Protect your systems

Make sure your servers and endpoints are all protected by anti-malware solutions, preferably EDR (endpoint detection and response). Logs created by your endpoint protection software should be easy to digest and easy to understand, regardless of whether the readers are your own employees or those of a provider. A lot of needless alerts will interrupt your workflow, but you do not want to miss the important ones. So balance is important, especially with a limited staff.

7. Consider your supply chain safety

Businesses need to understand what level of protection their providers, and anyone else with access to their resources, have in place. Ransomware spreads along trusted connections, so if a provider with access to your network is hit, you may well be next. Supply chain attacks can come from your most trusted provider and still be disastrous.

Check for compliance and certifications. Depending on the type of supplier and the level of access to your assets, there is nothing wrong about setting some standards. For example, your IT services supplier can demonstrate a good level of cybersecurity by having achieved a cyber certification. It may also help to know that your supplier is aligned with a standard of cybersecurity deemed good enough by government organizations.

8. Have a recovery strategy

When a security issue arises despite all of your efforts to secure your environment, you should have a plan ready to contain and deal with the consequences.

  • Backups. Make sure you have backups that are as recent as possible and that are easy to deploy. Create backups in an environment that can’t be ruined by the same mishap that destroyed the original (preferably on a different carrier, physical location, and network).
  • Know what legal body you need to inform in case of a breach. This is especially important if Personally Identifiable Information (PII) is involved. It is hard to give guidelines here, since every US state has different data breach notification laws, so plan this ahead of time for your jurisdiction. And have a critical communications plan in place that details how you will inform your customers in case of a breach.

Stay safe, everyone!

The post 8 security tips for small businesses appeared first on Malwarebytes Labs.

Unfixed vulnerability in popular library puts IoT products at risk

Researchers have found a vulnerability in a popular C standard library in IoT products that could allow attackers to perform DNS poisoning attacks against a target device.

The library is known to be used by major vendors such as Linksys, Netgear, and Axis, but also by Linux distributions such as Embedded Gentoo. Because the library maintainer was unable to develop a fix, this vulnerability remains unpatched. For this reason, the affected devices were not mentioned in detail.

Libraries

In computing, a library is a collection of reusable code, typically functions aimed at a certain goal, that many programs can share. These functions are called when needed, so they do not have to be re-implemented in every piece of software that uses them. Another example of a library that caused some havoc was Log4j.

A C standard library is a library for the C programming language itself. Such a library provides macros, type definitions, and functions for tasks such as string handling, mathematical computations, input/output processing, memory management, and several other operating system services. As you can imagine, such a standard library is called numerous times by many programs that depend on these basic functions.

uClibc

In this case, the library at hand is uClibc, one of several available C standard libraries. It is a relatively small C standard library intended for Linux kernel-based operating systems on embedded systems and mobile devices, and it is favoured there precisely because of its size: features can be enabled or disabled to match space requirements.

The alternative uClibc-ng is a fork of uClibc that was announced after more than two years had passed without a uClibc release, citing a lack of any communication from the maintainer. Unfortunately uClibc-ng shares the same vulnerability.

Similar to other C standard libraries, uClibc provides an extensive DNS client interface that allows programs to readily perform lookups and other DNS-related requests.

DNS poisoning

DNS poisoning, also known as DNS cache poisoning or DNS spoofing, is an attack in which a threat actor gets a forged answer accepted by a DNS client or resolver, so that a domain name resolves to an address the attacker controls. The usual goal is to redirect web traffic toward fake web servers and phishing websites.

In a typical home setup, there is:

  • A modem provided by your Internet Service Provider (ISP) which is your connection to the outside world.
  • A router that distributes the internet connection across all the devices (often wireless).
  • The devices like your laptop, phones, tablets and IoT (Internet of Things) devices such as TVs, temperature sensors, and security cameras.

These days, the modem and router are usually combined in the same device.

A DNS poisoning attack enables a subsequent Machine-in-the-Middle (MitM) attack because the attacker, by poisoning DNS records, is capable of rerouting network communications to a server under their control.

The vulnerability

One of the main ingredients protecting us against DNS poisoning is the transaction ID. This is a 16-bit number generated by the client for each request, sent in the request header, and required in a DNS response before the client accepts it as the answer to that particular request. Since it is one of the only two things an off-path attacker has to guess (the other being the UDP source port), the transaction ID should be as random as possible, but the researchers found a pattern: at first the transaction ID is incremental, then it resets to the value 0x2, then it is incremental again.

While figuring out where this pattern comes from, the researchers eventually found out that the code responsible for performing the DNS requests is not part of the instructions of the executable itself, but is part of the C standard library in use, namely uClibc 0.9.33.2.

Image (code snippet) courtesy of Nozomi Networks

Given that the transaction ID is predictable, to exploit the vulnerability an attacker also needs to craft a DNS response that is addressed to the correct port (the client's UDP source port) and to win the race against the legitimate response coming from the DNS server. As the function does not apply any explicit source port randomization, the issue is likely to be exploitable reliably if the operating system is configured to use a fixed or predictable source port.
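The two checks described above, transaction ID and source port, are all a stub resolver has to tell a real answer from a forged one, which is why a predictable ID matters so much. The script below is an added example, not uClibc code and not the researchers' proof of concept: it builds a minimal DNS query, models the ID sequence as the article describes it (incremental, with a reset to 0x2), lets an "attacker" who has seen one ID forge a response for the next query, and measures how often the client's in-band checks accept the forgery, compared with a client drawing IDs from a CSPRNG. Assumptions: the reset is modelled at 16-bit wrap-around (the page does not say what triggers it in uClibc 0.9.33.2), the port race is ignored (equivalent to a fixed source port), and the domain name and the 192.0.2.1 answer are documentation placeholders.

```python
"""Model of the predictable DNS transaction ID described above (added example)."""
import secrets
import struct


def build_query(txid, name, qtype=1, qclass=1):
    """Minimal DNS query: 12-byte header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def txid_of(packet):
    return struct.unpack("!H", packet[:2])[0]


def forge_response(txid, query, ip="192.0.2.1", ttl=3600):
    """Attacker's reply: chosen txid, the victim's question echoed back, and one
    A record (name compressed as a pointer to offset 12) pointing at `ip`."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(o) for o in ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def accept_response(query, response):
    """What a stub resolver can check in-band: QR bit set, same txid, same
    question section. The source port/address check lives in the socket layer."""
    if len(response) < len(query):
        return False
    flags = struct.unpack("!H", response[2:4])[0]
    return (flags & 0x8000 != 0
            and txid_of(response) == txid_of(query)
            and response[12:len(query)] == query[12:])


class SequentialTxid:
    """IDs as the post describes them: incrementing, with a reset to 0x2.
    Assumption: the reset is modelled at 16-bit wrap-around; the page does
    not say what triggers it in uClibc 0.9.33.2."""
    def __init__(self, start=1):
        self.cur = start

    def next(self):
        v = self.cur
        self.cur = 0x2 if v >= 0xFFFF else v + 1
        return v


class RandomTxid:
    """What the client should do: a fresh 16-bit ID from a CSPRNG."""
    def next(self):
        return secrets.randbits(16)


def predict_next(observed):
    """Attacker's guess for the ID following one observed sequential ID."""
    return 0x2 if observed >= 0xFFFF else observed + 1


def spoof_hit_rate(gen, trials):
    """The attacker saw one query's ID and races each following query with a
    forged response carrying predict_next(). Returns the fraction of forgeries
    that pass accept_response (port race ignored, i.e. fixed source port)."""
    hits = 0
    last = gen.next()
    for _ in range(trials):
        query = build_query(gen.next(), "update.example.com")
        forged = forge_response(predict_next(last), query)
        if accept_response(query, forged):
            hits += 1
        last = txid_of(query)
    return hits / trials


if __name__ == "__main__":
    print("sequential IDs:", spoof_hit_rate(SequentialTxid(), 1000))
    print("random IDs:    ", spoof_hit_rate(RandomTxid(), 1000))
```

With sequential IDs every forged answer is accepted; with random IDs the attacker is back to a 1-in-65536 guess per attempt, which a randomised source port multiplies by another factor of tens of thousands. That gap is the whole vulnerability.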

Mitigation

Since the library maintainer has indicated he is unable to develop a fix, this vulnerability remains unpatched. The researchers are working with the maintainer of the library and the broader community in order to find a solution. The maintainer explicitly asked to publicly disclose the vulnerability, hoping for help from the community.

Because of the absence of a fix, the researchers did not disclose the specific devices they found to be vulnerable. They did, however, disclose that these were a range of well-known IoT devices running the latest firmware versions, with a high chance of being deployed throughout critical infrastructure.

The vulnerability was disclosed to 200+ vendors invited to the VINCE case by CERT/CC since January 2022, and a 30-day notice was given to them before the public release.

If you suspect that your router has been affected by DNS cache poisoning, have a look at our article DNS Hijacks: Routers where you will find some information on how to resolve such matters. When it is purely a case of router DNS caching, I have yet to find a router where resetting the router and leaving it off for at least 30 seconds did not clear the cache. But note that this does not resolve an ongoing attack or remove the vulnerability. It’s just a matter of symptom management.

Stay safe, everyone!

The post Unfixed vulnerability in popular library puts IoT products at risk appeared first on Malwarebytes Labs.

Airdrop phishing: what is it, and how is my cryptocurrency at risk?

Airdrop phishing is a really popular tactic at the moment. It emerged alongside the explosion of Web3/NFT/cryptocurrency popularity, and ensures scammers get a slice of the money pie. You may well have heard the term in passing, and wondered what an Airdrop is. Is your iPhone about to be Airdrop phished?

It doesn't really help that the term is tied up with lots of new forms of tech you might never have experienced directly. It's one of those odd scams, doing weird things, to accounts you have no idea about.

Fret no more, because we’re going to walk you through an actual Airdrop phish example. No apes were harmed in the making of this documentary.

What is an Airdrop?

Confusingly, the term has multiple uses jostling for attention. The older, more familiar one is related to Apple devices: Apple's Airdrop uses Bluetooth to discover nearby devices and peer-to-peer Wi-Fi to send them files. If you're not an Apple user, it's likely you've only ever seen Airdrop in relation to trolling. If you're out and about, you may walk into an unintended crossfire of memes, and in the worst case scenario, it might be objectionable unsolicited images.

In terms of security concerns specifically, research has shown how it could potentially aid spear phishing in the right circumstances. Crucially, none of these things are related to the Airdrops we’re talking about today.

What type of Airdrop are we talking about?

The Airdrops of the moment are promotional tactics aimed at cryptocurrency/Web3 people. Airdrops typically reward early adopters of certain currencies or communities. This type of reward can also be given out as no-strings-attached freebies to anyone who wants in on the action, and they're great ways to keep people emotionally invested in their Web3 activities. There are a lot of real world examples listed here.

In terms of how you receive the Airdrop, there are a few different ways. Those early adopters may find the free Airdrop distributed to their address automatically, assuming they have some level of investment in the service giving it away. A big red flag is when a supposed Airdrop asks for funds (for a freebie?), or even worse, your wallet password or recovery phrase.

Nobody should ever be asking for that.

Airdrops are very popular, and this is where phishing attacks come in.

Common Airdrop phishing tactics

Airdrop phish pages try to ensnare as many cryptocurrency users as possible. No matter how obscure your digital currency of choice is, or how unusual your wallet is, there’s a scam just waiting for you.

Our bogus site below is quite slick looking, complete with ticker at the top. “Claim reward bonus/Airdrop”, they implore.

Screenshot: An Airdrop phish

Hitting the button takes you to the "select a wallet" page. There is, quite simply, a ridiculous number of wallets and services listed. MetaMask, Solflare, Binance, Digitex, Argent, the works. If you use any form of cryptocurrency wallet or service, there's a good chance it's on the list somewhere.

Screenshot: Wallets galore

Clicking any of the wallets results in you being informed that an error has occurred. Connecting manually is what you’re now asked to do. From here, you’re asked to send them your phrase, private key, or keystore.

Hitting connect pauses the site for a second, then dumps you onto a 404 Page not found containing “sent” in the URL. At this point, it’s probably a good idea to hope the 404 is genuine and nothing has been sent to the scammers.

Some sites target users of one wallet only. Here’s one targeting MetaMask users, asking for their recovery phrase:

Screenshot: "Type your secret phrase…"

As MetaMask’s official support says:

The ape themed Airdrop phish

Apes are, of course, the hottest draw in town where Airdrop phishing is concerned. Just recently, close to $3m worth of Ape NFTs were stolen via an Instagram compromise. Anything ape related is a giant dollar sign in the sky for fraudsters, and the variety of fake pages out there reflects this.

Screenshot: All my apes soon to be gone

This particular site asked visitors to claim up to 10 Bull & Ape NFTs, then asked for a variety of password/recovery phrases. The supposed T&C page leads to a 404, and the cookies and privacy policy pages go to pages from an unrelated wallet app. Does this really sound like something you want to hand over your recovery phrase to?

The “Connect your wallet” Airdrop phish

This is where a scam site checks to see if you have a wallet installed, and if not, tells you to install one and then connect it to the site.

Here’s an account with 60k followers, claiming to be the Moonbirds project offering up an NFT airdrop:

Screenshot: A fake Twitter account offering up bogus airdrops

When people started calling out the tweet, they locked people’s ability to reply under the guise of “safety” so nobody else could highlight the scam.

Screenshot: "We are worried about your safety…"

This is the genuine Moonbirds account. Note the verified status, which the imposter lacks:

Below, you can see my already installed MetaMask extension opening in the top right corner when I click the “Connect Wallet” button on the fake Airdrop page.

Screenshot: Connecting an extension to a scam site

Connecting your wallet to Decentralised Applications (Dapps) is common. What you need to be careful of is connecting to rogue sites. If you start granting permissions, or signing transactions, you may find your wallet draining of funds. It’s up to you to ensure that you don’t simply say “yes” to everything a site asks you. From the MetaMask FAQ:

Be careful about which Dapps you connect to, and what permissions you give them. 

Certain types of transaction require granting a Dapp permission to access your funds–infinite amounts of your funds.

In fact, there have been cases of Dapps being created specifically with the intent to defraud users and steal all of their funds once they’ve granted this kind of access.
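The "infinite amounts of your funds" grant in the FAQ quote has a concrete shape: an ERC-20 approve(spender, amount) call with amount set to 2^256 - 1, or an ERC-721 setApprovalForAll(operator, true) that lets the operator move every NFT you hold in a collection. Both can be recognised in the raw transaction data a wallet shows before you sign. The script below is an added example, not MetaMask code: it decodes the calldata of those two functions by their well-known 4-byte selectors (hard-coded, since the standard library has no keccak256) and rates what signing would grant. The spender address made of a repeated byte and the sample transactions are constructed for the example; a real check would also decode any other selector against the contract's ABI.

```python
"""Decode the calldata behind a "Connect wallet"/"Claim" prompt and flag
approvals that hand a third party control of your tokens or NFTs."""

UINT256_MAX = (1 << 256) - 1

# Selector = first 4 bytes of keccak256(signature). Hard-coded well-known
# values for the ERC-20 / ERC-721 approval functions.
SELECTORS = {
    "095ea7b3": ("approve(address,uint256)", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll(address,bool)", ["address", "bool"]),
}


def _hex_to_bytes(calldata_hex):
    h = calldata_hex[2:] if calldata_hex.lower().startswith("0x") else calldata_hex
    return bytes.fromhex(h)


def decode_call(calldata_hex):
    """Split calldata into function name and ABI-decoded static arguments."""
    data = _hex_to_bytes(calldata_hex)
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    if len(data) < 4 + 32 * len(types):
        raise ValueError("truncated arguments for %s" % name)
    args = []
    for i, t in enumerate(types):
        word = data[4 + 32 * i: 4 + 32 * (i + 1)]   # each static arg is one 32-byte word
        if t == "address":
            args.append("0x" + word[12:].hex())       # address is the low 20 bytes
        elif t == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif t == "bool":
            args.append(word[-1] == 1)
    return {"function": name, "selector": selector, "args": args}


def assess(calldata_hex, trusted_spenders=()):
    """(risk, explanation) for what signing this transaction would grant."""
    call = decode_call(calldata_hex)
    if call["function"] is None:
        return ("unknown", "selector %s is not an approval; decode it with the "
                "contract ABI before signing" % call["selector"])
    spender = call["args"][0].lower()
    if call["function"].startswith("approve("):
        amount = call["args"][1]
        if amount == UINT256_MAX:
            risk, why = "critical", "unlimited ERC-20 allowance"
        elif amount == 0:
            risk, why = "low", "revokes the allowance"
        else:
            risk, why = "medium", "allowance of %d base units" % amount
    else:
        if call["args"][1]:
            risk, why = "critical", "operator may transfer every NFT you hold in this collection"
        else:
            risk, why = "low", "removes the operator"
    if risk == "critical" and spender in {s.lower() for s in trusted_spenders}:
        risk = "medium"   # a known protocol contract, still worth limiting
    return (risk, "%s spender=%s: %s" % (call["function"], spender, why))


# Encoders used only to build sample calldata for the demo.
def encode_approve(spender, amount):
    return "0x095ea7b3" + spender[2:].lower().rjust(64, "0") + format(amount, "064x")


def encode_set_approval_for_all(operator, approved):
    return "0xa22cb465" + operator[2:].lower().rjust(64, "0") + format(int(approved), "064x")


# Placeholder contract address (one repeated byte), not a real spender.
SCAM_SPENDER = "0x" + "ab" * 20

if __name__ == "__main__":
    for cd in (encode_approve(SCAM_SPENDER, UINT256_MAX),
               encode_approve(SCAM_SPENDER, 5 * 10 ** 18),
               encode_set_approval_for_all(SCAM_SPENDER, True),
               "0xdeadbeef"):
        print(assess(cd))
```

The practical rule the decoder encodes: an "Airdrop" or "claim" page has no reason to ask for an allowance at all, let alone an unlimited one, so a critical verdict on a site you reached from a DM or a reply-locked tweet means close the tab.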

Where Airdrops are concerned: safety first, every single time

Nobody needs the stress of losing all their digital currency because of phishing, no matter which form it arrives in. Whether it’s websites asking for recovery phrases or Dapp style sites connecting wallets, be very careful what you do with your wallet. You almost certainly won’t get a second chance if things go wrong.

The post Airdrop phishing: what is it, and how is my cryptocurrency at risk? appeared first on Malwarebytes Labs.