IT NEWS

Russia is in the midst of its fourth week of attack against Ukraine. People worldwide have been increasingly and passionately showing support for Ukrainians since day one while condemning the atrocities of Russian President Vladimir Putin, the Russian military, and Belarus, its allied country.

While there is truly increased risk against lives and property in the frontline, we have also seen certain risks online affecting individuals and businesses alike. There were scams; disinformation campaigns; and several wiper malware variants including HermeticWiper, IsaacWiper, and CaddyWiper. But one emerging trend we’re beginning to see play a part in the online impacts of the Russia-Ukraine war is the appearance of “protestware”.

When protestware doesn’t just protest

Protestware is a portmanteau of the words “protest” and “software.” It is software used in protest against something or someone—and we know what those are in the context of the current Ukraine crisis. Protestware is a very new term, but it has already come of age in a span of days.

Many open-source developers have started expressing their support (“We Stand With Ukraine”) on their official websites, either as content or banner. Some have also begun modifying their applications to include similar messages of support in the program’s UI or README text files.

One package, for example, called es5-ext, a small library (or a “shim”) that can be used in ECMAScript 5 or ECMAScript 6 environments, has been given a new dependency named postinstall.js, which displays a “call for peace” message when the shim is run on systems using a Russian IP address.

A portion of the message reads in English as follows:

Currently aware of 5000-11000 casualties among the Russian military and about 1500-3000 - among Ukranians, and also about 350 civilians killed, including 38 children.

The people of Ukraine are fully mobilized and ready to defend their country from the enemy invasion. 91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.

The whole world condemned the unreasonable invasion and decided to enter unprecedented sanctions against Russia. With each new day, they will be felt more and more among the civilians citizens. It is predicted that within 2-3 years (with the current sanctions) Russia's GDP may reach the level of a small European country.

Fellow developers criticized medikoo, the brains behind es5-ext and postinstall.js, saying “the NPM package is not a place for politics.” One even went as far as calling this benign change to the shim “malware.” But medicoo stood his ground, saying he’ll only remove the dependency “once the aggression stops, and Ukrainians can live in peace in their own country.”

Not all changes to one’s work are benign, though. Several open-source developers have started gravely sabotaging their projects by adding code that, at its worse, would wreak havoc on systems that download and run them.

One popular application, node-ipc, was updated in early March to include code that, according to Liran Tal, a security researcher from cybersecurity company Snyk, “raised concerns for suspicious activity and potential abuse of the source code and the package’s behavior.” When executed on systems geolocated in Russia or Belarus, versions 10.1.1 and 10.1.2 completely wipe files from machines and replace them with the heart emoji.

node-ipc developer Brandon Nozaki Miller (also known as RIAEvangelist, Sparky, and Electric Cowboy) also created a new library called PeaceNotWar. It carries the same wiping capabilities as the node-ipc package. Miller added this library as a dependency of node-ipc version 11.0.0. So every time node-ipc is called by other dependencies that import it, PeaceNotWar executes as well. One of the library’s payloads is to drop a file named WITH-LOVE-FROM-AMERICA.txt into an affected user’s desktop and their OneDrive.

Miller did the same for node-ipc version 9.2.2, the latest stable version of the package that many projects rely on. But he also added the highly popular module, colors, as a dependency on this package. Doing so would pull in nasty code deliberately created to introduce an infinite loop to the source code, triggering a denial of service (DoS) to any Node.js server using it.

Suffice to say, servers using version 9.2.2 would be rendered useless.

Portions of PeaceNotWar‘s README page on Github says this:

This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users' desktops, and it will only do it if it does not already exist just to be polite.

...

I pledge that this module, to the best of my knowledge and skills, does not do any damage to anyone's data. If you do not like what this module does, please just lock your dependencies to any of my work or other's which includes this module, to a version you have code reviewed and deemed acceptable for your needs. Also, please code-review your other modules for vulnerabilities.

We have not confirmed that this module is already free of malicious code.

For those who are anti-war and pro-Ukraine, this form of protest may seem appropriate. But Snyk’s Tal raised questions that revealed a lack of foresight on the part of Miller in sabotaging his work and deploying his protestware.

“How does that reflect on the maintainer’s future reputation and stake in the developer community? Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?” Tal said in a post.

The US National Institute and Standards and Technology (NIST) recognizes the malicious package versions of node-ipc as a vulernability, which is tracked as CVE-2022-23812.

When protestware ripples out

Because of the new threat posed by protestware against Russia, Sberbank, Russia’s biggest state-owned bank, advised Russians to not update any software due to “increased cyberattacks.”

“We urge users to stop updating software now, and developers to tighten control over the use of external source code,” a press release from the bank states, “If there is an urgent need to use software, be sure to check all downloaded files with an antivirus, and when using someone else’s code in your programs, conduct a manual or automatic check, including, view the text of the source code.”

“In addition, various content and malicious code can be embedded in freely distributed libraries used for software development. The use of such software can lead to malware infection of personal and corporate computers, as well as IT infrastructure.”

The National Coordination Center for Computer Incidents (NCCCI), a Russian cybersecurity agency, also issued a list of recommended guidelines (text in Russian) for IT risk for Russian companies and organizations in light of sabotaged open-source software.

In an unfortunate and ironic turn of events, a Washington-based American NGO who monitors human rights in post-Soviet states is one of those affected by Miller’s protestware. A Github post, which has already been taken down but preserved for posterity here, details the harm that the protestware has caused the organization—and they are likely to seek litigation against the developer as a result:

Since our start in 2014, we have been in contact with 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.

Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus. Normally, we backup the received content to an external server on 20th day of every month, as this is reasonable given the volume we usually get, but since the start of the invasion on February 24th, traffic to our web service has increased over fiftyfold. Our staff has been working round the clock to accomodate the influx and during one of their tasks, package containing node-ipc module was updated on a production server, which resulted in executing your code and wiping over 30,000 messages and files detailing war crimes commited in Ukraine by Russian army and government officials. Due to the way the files were stored on the server, we are not able to recover any data and it's most likely gone forever. For some of the senders, this might as well have been their last contact with the outside world, as many of them were front-line soldiers that could've been killed in action during the offensive.

Personally, me and my colleagues are absolutely devastated. All I can say that your little shenanigan did more damage to us than Putin or Lukashenka ever could.

Snyk has recommended that developers refrain from using affected packages of these modified FOSS (free and open source) projects altogether. If that is not possible, however, they should use an npm package manager to override poisoned versions and use a clean version instead.

When protestware becomes a point of no return

Protestware is one of the ways internet users have actively used tech to make a statement of support for Ukrainians, combat Russian government misinformation, and deliver news to Russian civilians who are victims of their own state’s propaganda and severe censorship.

Apart from the developers of these poisoned packages, no developer has been happy with what protestware had to offer. For one thing, a great majority of developers see the FOSS ecosystem as politically agnostic. Although the intent is understandable, many agree that there are better avenues for developers, especially those who maintain popular packages with millions of downloads, to exercise their support for a people or cause.

Protestware, whether seen as benign or malicious, throws a spanner in the face of developer trust. It has also, yet again, raised concerns about the safety and integrity of the software supply chain. All it takes is one developer deciding to turn things around and ruin everyone’s day. This is something any open-source software would start thinking more often, like a gray cloud hanging over their heads, uncertain of when sabotage might happen next.

“The Pandora’s box is now opened, and from this point on, people who use open source will experience xenophobia more than ever before, EVERYONE included,” writes GitHub user NM17. “The trust factor of open source, which was based on goodwill of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought was ‘the right thing to do.’ Not a single good came out of this ‘protest.’”

The post Anti-war open-source software developer targets Russians and Belarussians with “protestware” appeared first on Malwarebytes Labs.

In two security advisories, HP has alerted users to the existence of security vulnerabilities in several of its printer models.

In total, four vulnerabilities were patched, but three of those vulnerabilities are rated critical, and all of them can lead to remote code execution (RCE) when exploited.

Link-Local Multicast Name Resolution

CVE-2022-3942 is a vulnerability rated with a  CVSS score of 8.4 out of 10. As HP puts it: Certain HP Print products and Digital Sending products may be vulnerable to potential remote code execution and buffer overflow with use of Link-Local Multicast Name Resolution.

The Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. Its main function is to resolve host names to facilitate communication between hosts on local networks.

HP Print devices

The second security advisory states that certain HP Print devices may be vulnerable to potential information disclosure, denial of service, or remote code execution. This is a set of three vulnerabilities, of which two have been rated as critical and one rated “high”.

• CVE-2022-24291 (CVSS 7.5 out of 10)
• CVE-2022-24292 (CVSS 9.8 out of 10)
• CVE-2022-24293 (CVSS 9.8 out of 10)

Which models are affected?

The list of printer models affected by the first vulnerability is almost endless. Users of every model of HP Color LaserJet, HP LaserJet, HP PageWide, HP Scanjet Enterprise, HP DeskJet, HP OfficeJet, HP DesignJet, and the HP Digital Sender Flow 8500 fn2 Document Capture Workstation are encouraged to check for updated firmware.

The models affected by the second set of vulnerabilities are:

• HP Color LaserJet Pro M453 – M454, MFP M2XX, MFP M478, M479
• HP LaserJet Pro M304, M305, M404, M405, MFP M428, M429, MFP M428, M429 F
• HP PageWide 352dw Printer, 377dw Multifunction Printer,
• HP PageWide Managed P55250dw Printer series, P57750dw Multifunction Printer
• HP PageWide Pro 452dn Printer series, 452dw Printer series, 477dn Multifunction Printer series, 477dw Multifunction Printer series, 552dw Printer series, 577 Multifunction Printer series
• HP OfficeJet Pro 8210 Printer series, 8216 Printer series, 8730 All-in-One Printer, 8740 All-in-One Printer series

How to update your printer

Patches are available for these vulnerabilities, so users can visit HP’s official software and driver download portal, navigate to their device model, and install the latest available firmware version.

An exception exists for the HP Color LaserJet Pro MFP M2xx models where remediation is pending. Users of these type of all-in-one printers will have to check later whether a patch has been made available.

Stay safe, everyone!

The post Update now! Many HP printers affected by three critical security vulnerabilities appeared first on Malwarebytes Labs.

Back in January, we wrote about how the Dark Souls games had their online components switched off for PC gamers. This is because someone figured out how to execute code remotely on the target’s PC. Given that the multiplayer angle of Souls games is rather important, this was quite a body blow for anyone playing. I fired up the first Dark Souls game a few days ago to see if the online services have been reinstated. They have not.

“Logging into the Dark Souls Remastered server” appears in the top right hand corner. A few moments later, I’m greeted with the following message:

Cannot log in to the Dark Souls Remastered game server because it has been stopped or is undergoing maintenance.

I haven’t tested the other two titles but it’s the same situation there too:

Note that this issue doesn’t affect console gamers; it’s PC specific.

The latest round of problems for Souls titles affect the latest game from the developer, FromSoftware. Interestingly, it may have its origins in one of the games which currently has its multiplayer component switched off.

Heavy souls and broken rings

The new game in the Souls line-up (in a roundabout fashion) is called Elden Ring. In the run up to launch, some wondered if it, too, would suffer from the same remote code execution attack forcing the brand new title to launch with its online capabilities disabled.

This did not happen, and a jolly multiplayer time was had by all. Well, for a little while at least. The exploits have arrived, despite the game itself making use of the anti-cheating service called Easy Anti-cheat.

What happened?

A little over a week ago, players of Elden Ring complained that their sessions were being invaded by “hackers”. Invading people’s games is a normal feature of the title, but being put into an endless death loop, not so much.

After the first time your character dies, you’re supposed to respawn at locations resembling a bonfire. Instead, in the death loop scenario the victim simply continues to die over and over again.

No detailed information has been released by the developer FromSoftware as to what is happening. One of the theories from players is that the invaders were able to edit their save files somehow while in game, or at least adjust some parameters related to the victim’s save points. In other words: you no longer spawn at the nearest bonfire. You respawn somewhere over the nearby ocean and die instantly on account of not being able to swim.

Avoiding the exploit

The solution, as with so many attacks of this nature, is to remove functionality from the title. Switching off online play is the only way to ensure you’re not caught by this. Anyone trapped in a death loop has to attempt an ALT + F4/rapid-fire sequence of button presses in menus to try to manually respawn at a bonfire. This, as it turns out, isn’t easy to do. At one point there were Twitch videos of people punching in the combination with the right timing.

Ouch.

Where did this come from?

One of the older Souls titles, Dark Souls 3 from 2016, suffered from the exact same problem. The hack there was described as being able to alter player save data and “lock them out of their save files”. The article above and most of the detailed warnings about this are from a year ago. However, there are multiple complaints about this going back to 2020.

One portion of the Elden Ring fix—using ALT + F4 to kill the game at the right moment—was even used for the fix in Dark Souls 3.

Has this been patched?

Good news! A patch was released yesterday for various game related issues. One note in particular is relevant here:

“Fixed a bug in multiplayer that allowed players to teleport others to incorrect map coordinates.”

No word as to the specifics of how they were doing it are given. Even so, this is hopefully the last we’ll see of game invading/save locking/character murdering exploits along these lines. Save points in Souls titles are supposed to be the one safe breathing space in the entire game. To have them corrupted or tampered with and cursed with instant death is probably a bridge too far for even the most hardcore of Souls players.

This hack comes hot on the heels of one which caused innocent players to receive bans.  Let’s hope fewer exploits manage to spawn in the next Souls title.

The post Elden Ring exploit traps players in infinite death loop appeared first on Malwarebytes Labs.

Through its usual means of communication, its Telegram channel, the LAPSUS$ group has posted screenshots of what appears to be superuser access to the Okta management console. As such, the group claims to have acquired “superuser/admin” access to Okta.com and gained access to Okta’s customer data, saying on Telegram:

BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA – our focus was ONLY on okta customers.

Yesterday morning, an Okta spokesperson said the company was investigating the matter, and admitted an attempted breach in late January 2022 in which customers were exposed for five days. The date visible in the LAPSU$ screenshots is 21 January, 2022. Okta provided a more detailed update later in the day, which we have summarised below.

Importantly, neither Okta nor LAPSU$ are claiming that Okta’s software has been compromised. Both are saying that the criminal hacking group acquired access to a user account with access to some customer data.

Okta

Okta is an access management company based in San Francisco. According to its own website, Okta serves over 15,000 organizations. Essentially, Okta software allows employees to log in using single sign-on—a central platform where employees can log in once in order to access resources that have been assigned to them by an organization’s IT staff. The kind of indentity-first approach to security is seen by some as an important underpinning of a Zero Trust security model.

LAPSUS$

LAPSUS$ is a relative newcomer to the cybercrime scene that first appeared in the summer of 2021. It has made a name for itself by leaking sensitive information from some big targets. The group is believed to hail from South America, based on its earliest targets and the near-native use of Spanish and Portuguese.

In recent events, LAPSUS$ claims to have hacked:

• Samsung (source code has been leaked)
• Nvidia (at least limited access has been proven)
• Mercado Libre (confirmed)
• Microsoft (under investigation)
• Okta (under investigation)

Okta’s statement

In an article on Okta’s website, CSO David Bradbury provided a timeline of the incidents which took place in January. According to Bradbury, a forensic examination identified a five-day window between January 16 and January 21 when a threat actor “had access to the Sitel environment”. Sitel is what Okta calls a “sub-processor”—a company that provides contract workers for Okta’s Customer Support Organization.

According to that post, the intruder “obtained remote access using RDP” to a Sitel-owned machine that was logged into Okta. The company says the access permissions of the user were limited, and that the tools support engineers have access to include Jira, Slack, Splunk, RingCentral, Salesforce, and an internally-built application called SuperUser.

The group has not explained how it got access to an RDP session. Brute-force attacks against RDP are common, as is phishing, but LAPSU$ is also known to bribe insiders for access. For example, on 10 March, it said it was looking to recruit tech company “employees/insiders” who were prepared to provide remote access, such as VPN or Citrix access.

To understand the scope of the breach, Bradbury says Okta examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question. His conclusion was that the maximum potential impact of the breach is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel. Affected customers are promised “…a report that shows the actions performed on their Okta tenant by Sitel during that period of time”, so they can perform their own analysis.

In what is fast becoming a bizarre back-and-forth, LAPSU$ took to Telegram to respond to Okta’s assertions. Although the group doesn’t dispute that support engineers are limited to the applications Bradbury listed, it does take issue with whether that access is as benign as he suggests, commenting that it’s “…rather a bad security practice to store AWS keys in Slack channels”, and “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems”.

Advice for Okta customers

What Okta customers can do to keep any damage contained is hard to say while we are still waiting for details. But here are a few pointers:

• Keep an extra pair of eyes on your access logs.
• Same for threat hunting and other logs.
• Change the privileged Okta passwords.
• Wait for more information.
• Inform your customers that you are on the case.

The post Okta admits 366 customers may have been impacted by LAPSUS$ breach appeared first on Malwarebytes Labs.

On Monday, the White House told US business leaders to toughen up their cybersecurity defenses against a potential cyberattack from Russia.

“The Biden-Harris Administration has warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States in response to the unprecedented economic sanctions we have imposed.  There is now evolving intelligence that Russia may be exploring options for potential cyberattacks.”

Since Russian forces begun their attack against Ukraine on February 24, the US government and cybersecurity community have raised the possibility of a cyber arms conflict. The day Russian troops set foot in Ukraine, the Administration released a statement saying the US is prepared to respond to Russian cyberattacks if it comes to that.

“If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond. For months, we’ve been working closely with the private sector to harden their cyberdefenses [and to] sharpen our ability to respond [to] the Russian cyberattacks as well.”

In a business advisory, the FBI warned that US critical infrastructures, particularly entities within the financial, water, and energy sectors, are likely to be targeted. In fact, the FBI has already seen some abnormal “network scanning activity” from multiple IP addresses based in Russia, with an early stage of reconnaissance, a means to find vulnerabilities for potential future intrusions.

The FBI also revealed the at least five energy companies and at least 18 other US companies in different sectors (information technology, financial service, defense industrial base) have been subjected to these scanning activities.

With all this in mind, what should organizations be doing? Inspired by the Shields Up initiative, a campaign set up by the US Cybersecurity & Infrastructure Security Agency (CISA), here’s a list of things that business leaders can do to prepare.

• Update your systems. Your IT teams should prioritize patching vulnerable software that is currently being exploited.
• Change passwords across your networks. This is to ensure that any previously stolen or leaked credentials will no longer work when when used to access certain resources within your business network.
• Install good security software and make sure you keep it up to date.
• Create multiple backups of your data. It’s the key to bouncing back from a ransomware attack as quickly as possible, especially when done right—something one school district found out the hard way—and you want to avoid paying cybercriminals. And while we’re on the subject of backups, test your backup procedures, too.
• Require the use of multi-factor authentication (MFA) wherever you can.
• Educate your employees. Ensure that they know common threat tactics, such as social engineering ploys, that may be used against them. Lower your company’s threshold of reporting incidents, so if an employee notices that their computer or phone is starting to show unusual behavior, such as crashing or suddenly running slowly, they should report it.
• Keep an open line to your local FBI or CISA Regional Office. CISA has opened 24/7 reporting avenues via report@cisa.org and (888)282-0870 and encourages business organizations to report cyber incidents they may encounter.

You can also read about four key cybersecurity practices businesses can adopt when there’s a threat of “cyberwar”.

The Administration has made clear that the US government will do what it can to protect US businesses and critical infrastructure. But it also said they can’t defend without the help of the private sector, which owns and operates most of the big businesses and infrastructures the country relies on.

In the statement he made on Monday, Biden concluded:

“You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time—your vigilance and urgency today can prevent or mitigate attacks tomorrow.”

The post White House urges US businesses: Protect against potential Russian cyberattacks appeared first on Malwarebytes Labs.

It’s not unusual for sites and services to offer additional forms of protection on top of regular security features. Some of the bigger ones even go the extra mile, protecting from attacks up to a potential nation state level.

The most famous example of this recently is likely Google. Its Advanced Protection Program (APP) was deployed to warn people that Fancy Bear was on the prowl. We often see advanced security features like the APP feed back into security features for regular service users too. This is all very good.

What isn’t perhaps quite as good, is when not taking up the offer of additional security features results in a total lock out of your account. This is the complaint that’s been raised by many Facebook users over the last few days.

What happened?

Facebook has a service similar to Google’s APP which it is rolling out to users. That service is called Facebook Protect, and it’s being expanded to more and more countries. As per Facebook’s own description of what it does:

We’re expanding Facebook Protect, our security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials.

No action is required unless you’re prompted to enroll.

We’re also making it easier for these groups of people to set up two-factor authentication.

Sounds like a good plan! However, the roll out and various interactions with Facebook Protect haven’t gone well for everybody. At the beginning of March, people started to receive emails out of the blue which also included a clickable button to set everything up. It also pointed out that if recipients didn’t enable the feature, they’d be locked out of their account.

When is/isn’t the promise of a lockout real?

This immediately threw recipients into confusion, as they tried to figure out if they were being phished:

The fact that Facebook said everything was “fine” if they navigated to the site directly didn’t help ease the feelings of confusion. While the head of security policy at Meta confirmed the mails were real, once the deadline had passed people started to flag issues with getting back into the site:

The lockout begins

As it turns out, many people are now indeed experiencing some form of lockout. Worse, they’re having major issues trying to resume business as usual. Most of the complaints I’ve seen are focused on the fact that they thought the clickable button email was some sort of scam attempt:

This on its own is fairly problematic for those affected. It’ll no doubt be fixed, but if you’re one of the people who ignored the mail, unfortunately there’s no ETA for a fix. What I find particularly interesting in this story is the knock-on effect on additional Facebook/Meta services.

A virtual headache

At launch, users of the Oculus Quest 2 headset found they needed to have a Facebook account in order to play. If the account was banned, bad luck – no more Oculus Questing for you. While it’s been mentioned a few times that Facebook-free headsets will be with us at some point, this doesn’t help people caught by the Protect problem. This is because not only will you lose the ability to use your headset if banned, you’ll also suffer the same fate if the account is disabled for some reason.

Locked out due to not clicking through on an email from the start of March? It’s not just your social platform impacted, it’s your headset, too. As one device owner put it, they’ve had their headset “bricked” to protect them from hackers. They too are suffering from the various options to re-enable things not currently working.

As we mentioned above, this will no doubt be fixed down the line. However, a lot of people really need access to their accounts and devices as soon as possible. For now, it’s a case of the waiting game – all because of an unexpected email and a suspicious looking button.

The post Facebook users wary of security mail find themselves locked out of accounts appeared first on Malwarebytes Labs.

It’s not unusual to hear about malware created to affect automated teller machines (ATMs). Malware can be planted at the ATM’s PC or its network, or attackers could launch a Man-in-the-Middle (MiTM) attack.

Recently, a new rootkit, which the Mandiant Advanced Practices team have named CAKETAP, was found targeting Oracle Solaris systems running on ATM switch servers. This rootkit is a Unix kernel module that performs several malicious tasks to aid attackers—Mandiant tracks it as UNC2891 (aka LightBasin)—in conducting fraudulent ATM transactions.

CAKETAP has an impressive list of stealth capabilities to hide its presence and activities. It hides network connections, processes, and files. It removes itself from a list of loaded modules on execution and updates data in the last_module_id function to reflect data from a previously loaded module.

This rootkit can conduct fraudulent bank transactions by intercepting specific messages—card and PIN verification messages—sent to the ATM system’s Payment Hardware Security Module (HSM). Banks use this tamper- and intrusion-proof hardware component to generate, manage, and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. When threat actors use a fraudulent card on an affected ATM, CAKETAP alters card verification messages to disable card verification. This, in turn, creates a valid response from the HSM.

On the other hand, when a regular ATM user uses a valid card on an affected ATM, CAKETAP stores the verification message from a valid transaction, which essentially says that the card is not fraudulent, and forwards it to the HSM, allowing for routine transactions to continue uninterrupted. CAKETAP sends this stored verification message to the HSM to trick it into allowing a fraudulent transaction by sending the stored message.

“Based on Mandiant’s investigation findings, we believe that CAKETAP was leveraged by UNC2891 as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” Mandiant security researchers said in the report.

UNC2891 (aka LightBasin) are financially motivated and uses an arsenal of tools in their ATM attack campaigns: two of which are backdoors called TINYSHELL and SLAPSTICK; two decryptors called STEELCORGI and STEELHOUND; a network reconnaissance toolkit named SUN4ME; two keyloggers called WINGHOOK and WINGCRACK; and utilities named BINBASH, WIPERIGHT, and MIGLOCLEANER.

Mandiant has noted that, although LightBasin and another threat actor UNC1945 have overlapping operational tactics, they cannot readily conclude that they are the same. “For example, it is possible that significant portions of UNC2891 and UNC1945 activity are carried out by an entity that is a common resource to multiple threat actors, which could explain the perceived difference in intrusion objectives—a common malware developer or an intrusion partner, for example,” the report concludes.

The post A new rootkit comes to an ATM near you appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Beware of this bogus (and phishy) “Instagram Support” email
• Meet Exotic Lily, access broker for ransomware and other malware peddlers
• Double header: IsaacWiper and CaddyWiper
• How to protect RDP
• Online Safety Bill’s provisions for “legal but harmful” content described as “censor’s charter”
• Deepfake Zelenskyy video surfaces on compromised websites
• Gh0stCringe RAT makes database servers squeal for protection
• Clouding the issue: what cloud threats lie in wait in 2022?
• FBI catches up with one of its Most Wanted, arrests head of advance-fee crime network
• “Threatening and coercive” cold-callers who targeted the elderly hit with big fines
• CafePress faces $500,000 fine for data breach cover up
• Valorant cheats on YouTube are actually information-stealing malware
• Fake Royal Mail chatbot offers up…a new iPhone?
• Escobar is the new Android banking Trojan we’ve met before
• DDoS barrage against Israel described as the “largest ever” cyberattack its faced
• Update now! Apple fixes several serious vulnerabilities in iOS and macOS
• Stolen Nvidia certificates used to sign malware—here’s what to do
• De-Googling Carey Parker’s (and your) life: Lock and Code S03E06
• CISA list of 95 new known exploited vulnerabilities raises questions

Stay safe!

The post A week in security (March 14 – 20) appeared first on Malwarebytes Labs.

Watch out for bogus Facebook phishing messages winging their way to your mailbox. The ruse is quite simple: The mail senders are relying on the recipient’s sense of panic to respond without thinking about it.

The mail looks professional enough, and seeks to imitate what would be a fairly typical looking message from Facebook. As for the panic aspect, the phishers have pinned the hopes of this attack onto the old faithful “Someone is trying to login as you, so you’d better do something about it ASAP” routine.

The phish

The mail itself combines a fairly clean design with minimal messaging. There’s a tendency with some phish attempts to overstuff the mail with all manner of nonsense to look more convincing. When that happens, we often see increasing amounts of typos or broken mail design. This one simply gets to the point. It reads as follows:

Someone tried to Iog into Your Account, User lD 

A user just logged into your Facebook account from a new device Samsung S21. We are sending you this email to verify it’s really you.

Thanks,

The Facebook Team

So far, so good. However, it goes a bit off the rails with the two clickable buttons presented. The first one says “Report the user” which makes sense. The second one just says “Yes, me” instead of something more plausible such as “Yes, it’s me” or even just “It was me”. This may set some alarm bells ringing.

The functionality

What happens when you click the button(s)? The expected process is to be whisked away to a phishing page and enter your details. Not here. This one follows the same pattern as a mail we covered a little while ago.

You may remember the phish attempt claiming to have detected unusual sign-in activity from Russia. That mail didn’t bother with phishing pages. Instead, it popped open a pre-formatted mail in your client of choice for you to respond to the creators. Anybody replying would likely receive additional requests for login details or much more besides.

This phish follows the same path, opening one of two pre-filled response styles depending on which button you select. “Report the user” is the most interesting one, pre-filling the subject line as “Send statement”.

What is sent back may be a booby-trapped document of some kind, or perhaps phishing done through a form. It’s also possible the dialogue will simply continue via mail. Whatever they’re up to, they should be treated with the cold shoulder they so richly deserve.

Go to the source

Always remember to navigate directly to the sender of supposed security alerts. If it’s genuine, you should be able to address whatever issue you’ve been sent. If there’s no sign of it, consider sending it along to them directly. It may be a scam sample they’ve not seen before, and this can in turn help them to protect a wider userbase. Above all else: don’t panic, because this is how attackers can trick you into doing something you’ll regret.

Report, block, and go about your day.

The post Facebook phish claims “Someone tried to log into your account” appeared first on Malwarebytes Labs.

The FBI has issued an advisory about the AvosLocker ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector.

AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.

Threat profile

AvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim’s server and renames them with the “.avos” extension.

The AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.

Attention!

Your systems have been encrypted, and your confidential documents were downloaded.

In order to restore your data, you must pay for the decryption key & application.

You may do so by visiting us at <onion address>.

This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/

Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website.

Contact us soon, because those who don’t have their data leaked in our press release blog and the price they’ll have to pay will go up significantly.

The corporations whom don’t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>

So, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim’s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.

The FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.

Exchange vulnerabilities

Since AvosLocker is a Ransomware-as-a-Service it may depend on the affiliate which of the vulnerabilities gets used.

The Exchange Server vulnerabilities are named as: CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, and CVE-2021-26855.

CVE-2021-31207: a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.

CVE-2021-34523: a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.

CVE-2021-34473: a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.

This is exactly the same attack chain we described in August 2021. This chain of attack was generally referred to as ProxyShell.

Another RCE vulnerability in Exchange Server has been seen as well:

CVE-2021-26855: the ProxyLogon vulnerability which we discussed in detail in our article on Microsoft Exchange attacks causing panic as criminals go shell collecting. The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

Mitigation

As we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.

Microsoft’s team has published a script on GitHub that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.

Detection

Malwarebytes detects AvosLocker as Ransom.AvosLocker.

Stay safe, everyone!

The post AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI appeared first on Malwarebytes Labs.