IT NEWS

Fake Esports voting sites looking to phish Steam users

We’ve seen Esports occasionally become the focus of gaming or Steam scams. One tactic of note claimed that joining an official league was easy: links to third-party hosted files offered up a supposedly cracked ESEA Esports league client. In reality, it was a data-stealing Trojan.

One current twist on Esports where Steam scams are concerned is the “vote for my team” fakeout.

Crying foul on bogus voting

This trick has been around for a while now but shows no signs of going away; as some have noticed, it is indeed “flaring up again”. The scam routinely separates unwary gamers from their logins, and the compromised accounts are then used to spam their friends with the same lure. On top of all that, the social pressure of a “Please help me out” request is hard to resist.

An additional headache here is that people change usernames on Steam all the time. As a result, some people assume the message sender is actually a friend and not a stranger. This makes it even more likely they’ll feel obliged to assist.

People want to be helpful, and this slice of social engineering takes full advantage of this.

How does it work?

A Steam user receives an unsolicited message from a stranger. It may be sent via Steam’s own messenger service, or it could be in a Steam-themed Discord channel. The scammer presents the “offer” as a way to help a fellow Steam enthusiast out, or ties it to fictional rewards if the recipient takes part. The message may be in a language the recipient doesn’t speak; some scammers simply won’t care, since they can send it to a seemingly never-ending pool of other recipients.

After some small talk, the scammer will ask the message recipient if they want to join their Esports team. More likely, they’ll ask them to vote for their team in an upcoming competition, or do some form of nomination to take part.

Clicking through to the site and hitting the specified team vote button typically opens a phishing page or pop-up window that asks for Steam credentials. If the intended victim uses account protection such as Steam Guard, they’ll be asked to switch it off (or to hand over the code). Once this is all done and dusted, the account is officially phished and at the mercy of the phisher(s).

What’s the impact from being phished in this manner?

We’ve touched on a few of the impacts, but they include:

  • Spamming your friends. Not great, and they’ll likely unfriend you once they see suspicious messages rolling in.
  • Losing your digital items. Hard-earned items will vanish, after being sent to other accounts. If you paid real money for those items then they’re at risk too. The scammer may even just choose to sell the entire account in one go. If you used money in your Steam wallet to purchase a valuable item, both money and item may be lost.
  • Loss of access. Perhaps an obvious one, but you probably don’t need the hassle of trying to get through to customer support when the pandemic continues to cause significant delays on, well, everything.

Protecting your Steam account from esports voting scams

You’ll probably be familiar with some of these Steam security suggestions:

  • Add additional protection to the email account tied to Steam. If 2FA style safeguards are available, be sure to use them. If you have a second, backup email account tied to the primary account, then make sure that’s locked down too.
  • Enable Steam Guard. It’ll mean the scammers have to work harder to access your account. While it won’t tip everyone off, having to awkwardly ask you for your 2FA code may be enough to set alarm bells ringing.
  • Unsure whether an account is one of your friends sporting a new username? Open the profile of the person messaging you and check the list of previous names shown next to their current one. If you’re unable to view their profile at all, add that to the “probably suspicious” pile.
  • Never, ever log into anything related to Steam via messages from friends or strangers. Even if you know the person sending the message, it’s possible they’ve been compromised and are being used to send more spam.

The post Fake Esports voting sites looking to phish Steam users appeared first on Malwarebytes Labs.

Double header: IsaacWiper and CaddyWiper

As the war in Ukraine rages, new destructive malware continues to be discovered. In this short blog post, we review IsaacWiper and CaddyWiper, two new wipers that have little in common at the code level but share the same intent: destroying targeted Ukrainian computer systems.

IsaacWiper

IsaacWiper was one of the artifacts security company ESET reported as targeting Ukraine; the others were HermeticWiper (a wiper), HermeticWizard (a spreader) and HermeticRansom (ransomware). IsaacWiper is far less advanced than HermeticWiper, the first wiper found, which we analyzed here.

IsaacWiper is an executable compiled with Visual Studio. It imports functions such as DeviceIoControl, WriteFile, MoveFile, GetDiskFreeSpaceEx and FindNextFileW. Each of these is legitimate on its own, but the combination of all of them in one binary is suspicious. Section analysis, on the other hand, is unremarkable: there are no strange sections, and entropy has the expected values.

The sample comes as a DLL with a single export, _Start@4, which contains the malware’s main functionality.

The malware iterates through all physical disks on the system and overwrites the first bytes of each.

The code responsible for that behavior also shows the volume being unlocked again after the write operations.

Not only the physical drives but also the partitions are wiped in the process: the wiper walks the filesystem, enumerating files and overwriting them. This resembles ransomware activity, but there is no decryption key. Once the data has been overwritten, it is lost.

The attackers left various log strings in the code, referenced inline next to the operations they describe.

In fact, these debug strings describe the malware’s functionality quite well.

As can be seen, the attackers’ goal is to destroy data on victims’ systems. Affected users lose their files, and their computers are left unbootable, forcing them to reinstall the OS.

CaddyWiper

CaddyWiper is the third wiper (after HermeticWiper and IsaacWiper) observed in this year’s attacks on Ukraine. In contrast to HermeticWiper, it is very small and has far less complex capabilities.

The sample is not signed, and its compilation timestamp is 14 March 2022 07:19:36 UTC. The executable is dedicated to destroying files and partition information on each available disk.

The main function of the wiper is short and does the following.

First, the wiper checks whether it is running on the primary domain controller. The malware avoids trashing domain controllers, probably because it wants to keep them alive for the purpose of propagation.

If the current machine is not a domain controller, the wiping starts. It recursively wipes files in the C:\Users directory, then iterates over the available drives starting from D: and recursively wipes every file it can access.

Before each write, the wiper tries to grant itself access to the file.

Files and directories are enumerated with the well-known FindFirstFileA/FindNextFileA APIs. If the element found is a directory, the function recurses into it; if it is a file, a new zero-filled buffer is allocated and the file’s content is overwritten with it. The buffer is capped at 10 MB, so for larger files only the beginning is wiped.
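As an added example (not code from this page or from the CaddyWiper analysis), here is a small Python triage script for the aftermath of a wipe like the one described above: it walks a directory tree the way FindFirstFile/FindNextFile recursion would and reports every file whose head is zero-filled, separating files at or under the 10 MB ceiling (fully wiped) from larger ones whose tail may still be recoverable. The sample tree it builds is constructed test data; the 4 KB probe size and the file names are assumptions.

```python
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Tuple

WIPE_LIMIT = 10 * 1024 * 1024   # CaddyWiper's 10 MB overwrite ceiling, per the analysis above
PROBE = 4096                    # bytes to inspect at the head of each file (assumption)


def zero_header(path: Path, probe: int = PROBE) -> bool:
    """True if the first `probe` bytes of the file are all 0x00. Empty or unreadable files -> False."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(probe)
    except OSError:
        return False
    return len(head) > 0 and head.count(0) == len(head)


def scan_tree(root: Path, probe: int = PROBE) -> Iterator[Tuple[Path, int, bool]]:
    """Recurse like FindFirstFile/FindNextFile and yield (path, size, fully_wiped) for every file
    with a zero-filled head. fully_wiped is False past the 10 MB ceiling: the tail may survive."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if zero_header(path, probe):
                size = path.stat().st_size
                yield path, size, size <= WIPE_LIMIT


def build_sample_tree(base: Path) -> None:
    """Constructed sample data (not from a real victim): one intact document, one zeroed file,
    and one large file with only its first 10 MB zeroed."""
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "intact.txt").write_bytes(b"quarterly report, intact content\n")
    (base / "docs" / "wiped.docx").write_bytes(bytes(8192))
    with open(base / "archive.bin", "wb") as fh:
        fh.write(bytes(WIPE_LIMIT))
        fh.write(b"tail data that a 10 MB-capped overwrite leaves behind\n")


def demo() -> Dict[str, bool]:
    """Build the sample tree in a temp dir and return {relative path: fully_wiped} for the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return {p.relative_to(base).as_posix(): fully for p, _size, fully in scan_tree(base)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, size, fully in scan_tree(Path(sys.argv[1])):
            print(f"{path}  {size} bytes  {'fully wiped' if fully else 'head wiped, tail may survive'}")
    else:
        print(demo())
```

Run it with a mount point or extracted tree as the argument to scan real data. Legitimately zero-headed files (sparse files, pre-allocated VM disks) will show up as well, so treat hits as leads to correlate with modification timestamps rather than as proof on their own.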

Interestingly, this enumeration starts from drive letter D (C: is handled as a separate case), so any disks mounted as A: or B: are skipped. Finally, the malware wipes the layout information of the available disks and partitions.

It starts from \\.\PHYSICALDRIVE9 and decrements the drive number by one on each iteration.

The partition layout is wiped via an IOCTL sent to the drive device, IOCTL_DISK_SET_DRIVE_LAYOUT_EX, with an empty buffer supplied as the new layout.
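Both wipers above leave a disk’s first sector in a recognizable state: IsaacWiper overwrites the first bytes of each physical disk, and CaddyWiper replaces the drive layout with an empty one. The MBR parser below is an added example for triaging a raw disk image after such an attack; it is not code from this page. It classifies sector 0 as missing its 0x55AA signature, as carrying a valid signature with every partition slot empty, or as partitioned. The three sample sectors it checks are constructed, and since the exact bytes each wiper leaves on disk are not stated above, mapping the first two states to IsaacWiper and CaddyWiper respectively is an assumption.

```python
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
# status byte, CHS start (skipped), type byte, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    slot: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector0: bytes) -> Dict[str, object]:
    """Classify the first sector of a disk.

    status: 'signature_missing' (sector 0 overwritten, as a wiper trashing the first bytes of the
            drive would leave it), 'no_partitions' (valid signature but every slot empty, what a
            cleared drive layout looks like) or 'partitioned'.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need at least 512 bytes of sector 0")
    if sector0[510:512] != MBR_SIGNATURE:
        return {"status": "signature_missing", "partitions": [], "gpt_protective": False}
    partitions: List[PartitionEntry] = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        raw = sector0[off:off + PART_ENTRY_SIZE]
        if raw == bytes(PART_ENTRY_SIZE):
            continue
        status, type_id, lba_start, count = struct.unpack(PART_ENTRY_FMT, raw)
        partitions.append(PartitionEntry(slot, status == 0x80, type_id, lba_start, count))
    return {
        "status": "partitioned" if partitions else "no_partitions",
        "partitions": partitions,
        "gpt_protective": any(p.type_id == 0xEE for p in partitions),  # GPT disk: inspect LBA 1 next
    }


def build_mbr(entries) -> bytes:
    """Construct a synthetic sector 0 (test data for this example, not taken from a real disk)."""
    sec = bytearray(SECTOR)
    for slot, (bootable, type_id, lba_start, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        sec[off:off + PART_ENTRY_SIZE] = struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0,
                                                     type_id, lba_start, count)
    sec[510:512] = MBR_SIGNATURE
    return bytes(sec)


# Three constructed disks: a healthy NTFS volume, a cleared layout, an overwritten first sector.
INTACT = build_mbr([(True, 0x07, 2048, 1_048_576)])
LAYOUT_CLEARED = build_mbr([])
HEADER_OVERWRITTEN = bytes(range(256)) * 2   # stand-in for random junk; signature gone


def triage_image(path: str) -> str:
    """Read sector 0 of a raw disk image (or block device) and return its status."""
    with open(path, "rb") as fh:
        return str(parse_mbr(fh.read(SECTOR))["status"])


if __name__ == "__main__":
    for name, sector in (("intact", INTACT), ("cleared", LAYOUT_CLEARED), ("overwritten", HEADER_OVERWRITTEN)):
        print(name, parse_mbr(sector))
    if len(sys.argv) > 1:
        print(sys.argv[1], triage_image(sys.argv[1]))
```

On a GPT disk the protective 0xEE entry survives only if the MBR itself does; the GPT header at LBA 1 and its backup at the end of the disk are the next things to check, and a disk reported as `no_partitions` is a candidate for partition-table reconstruction from filesystem boot sectors rather than a total loss.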

The sample is only mildly obfuscated: most strings are built on the stack, and the import table is tiny, containing a single function. All other functions are resolved dynamically with the help of a custom lookup routine.

CaddyWiper is extremely light in comparison to HermeticWiper, the most complex of all the wipers associated with these attacks. There is no code overlap between them, and they were most likely written by different authors.

Protection

Malwarebytes clients are protected against both of these wipers.

References

  1. https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
  2. https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-ukraine-hit-by-destructive-attacks-before-and-during-the-russian-invasion-with-hermet/

Indicators of Compromise

IsaacWiper

13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

CaddyWiper

a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea

The post Double header: IsaacWiper and CaddyWiper appeared first on Malwarebytes Labs.

Meet Exotic Lily, access broker for ransomware and other malware peddlers

The Google Threat Analysis Group (TAG) has shared its observations about a group of cybercriminals called Exotic Lily. The group specializes as an initial access broker: it finds a vulnerability in an organization’s defenses, exploits it, and sells access to the victim’s network to an interested party, repeating the process with victim after victim.

Among these interested parties TAG found the Conti and Diavol ransomware groups. Because Exotic Lily’s methods involve a lot of detail, they are believed to require a level of human interaction that is unusual for cybercrime groups focused on large-scale operations.

Initial access broker

As in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They use a vulnerability to gain initial access and, probably depending on the nature of the target, sell that access to other cybercriminals who use it to deploy their own malware.

These initial access brokers differ from the usual ransomware affiliates, who deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware-as-a-service (RaaS) group to get a cut of the ransom if the victim decides to pay. The RaaS operator provides the encryption software, the contact and leak sites, and negotiates the ransom with the victim. An initial access broker, by contrast, lets another cybercriminal know they have found a way into company xyz and asks how much they are willing to pay for that access.

Exotic Lily

From the TAG blog we can learn that Exotic Lily was very much specialized. Their initial attack vector was email. Initially, they were targeting specific industries such as IT, cybersecurity, and healthcare, but that focus has become less stringent.

Their email campaigns gained credibility by spoofing companies and employees, and were targeted to a degree that suggests they were sent by real human operators using little or no automation. To evade detection, they delivered the payload through common file-sharing services like WeTransfer, TransferNow, and OneDrive.

Last year, researchers found that Exotic Lily used the vulnerability listed as CVE-2021-40444, a Microsoft MSHTML Remote Code Execution (RCE) vulnerability. Microsoft also posted a blog about attacks that exploited this vulnerability. Later, the group shifted to using customized versions of BazarLoader delivered inside ISO files.

Based on the fact that the Exotic Lily’s operations require a lot of human interaction, the researchers did an analysis of the “working hours” and came to the conclusion that it looks like a regular 9 to 5 operation located in a Central or Eastern Europe time zone.

Social engineering

As with most email campaigns the amount of social engineering largely defines how successful such a campaign can be. Between the millions of emails sent in a “spray-and-pray” attack, to the thousands that Exotic Lily sends out per day, there is a huge difference in success rate.

Exotic Lily used identity spoofing: they took a legitimate company’s domain and replaced its TLD with “.us”, “.co” or “.biz”. At first, the group created entirely fake personas posing as employees of a real company, complete with social media profiles, personal websites, and AI-generated profile pictures. That must have been a lot of work, so at some point the group started impersonating real employees instead, copying their personal data from social media and business databases such as RocketReach and CrunchBase.

Using such spoofed accounts, the attackers would send spear phishing emails with a business proposal and even engage in further communication with the target by attempting to schedule a meeting to discuss the project’s design or requirements.

IOCs

SHA-256 hashes of the BazarLoader ISO samples:

  • 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
  • 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
  • c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

SHA-256 hashes of the BUMBLEBEE ISO samples:

  • 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
  • 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
  • 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
  • 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
  • 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

IP address of the C&C server:

  • 23.81.246.187

Stay safe, everyone!

The post Meet Exotic Lily, access broker for ransomware and other malware peddlers appeared first on Malwarebytes Labs.

Beware of this bogus (and phishy) “Instagram Support” email

Recently, a fake Instagram email successfully bypassed Google’s email filters and made it into hundreds of employee inboxes used by a prominent US life insurance company based in New York.

This was revealed in a report by Armorblox, a cybersecurity company specializing in stopping business email compromise (BEC) campaigns. According to its threat research team, the spoofed email came from “lnstagram Support” at the address membershipform@outlook.com.tr. The “l” in “lnstagram” is a lowercase L. It wouldn’t have been obvious at all if Gmail hadn’t automatically capitalized the first letter of the sender’s name, turning it into “Lnstagram”, as you can see in the screenshot below.

Clearly, threat actors have layered their campaign with a number of known fraud tactics, one of which is using a homoglyph (or homograph), making this a good example of a homograph attack, as well.

A homograph attack is a method of deception that takes advantage of characters that look alike. In this case, a lowercase “l” looks the same as an uppercase “I” in many fonts.
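The two sender tricks in this article and in the Exotic Lily piece above (a lowercase L standing in for a capital I in the display name, and a legitimate domain with its TLD swapped for .us, .co or .biz) can be caught by the same From:-header check. The Python below is an added example, not code from Armorblox or Google TAG. The Instagram lure’s display name and address are taken from the article; the confusables table, the example.com/example.biz domains, the mail.instagram.com sender and the naive last-label TLD split are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Characters that read like another one in common UI fonts. The lure above relied on a lowercase L
# standing in for a capital I; the rest of this table is an assumption for the example (extend it
# from the Unicode confusables data for production use).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def skeleton(text: str) -> str:
    """Fold text into a confusable-insensitive form, so 'Lnstagram' compares equal to 'Instagram'."""
    folded = text.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(CONFUSABLES)


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, TLD) with a naive last-label split.
    Assumption: single-label public suffixes; use the Public Suffix List to handle co.uk and friends."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def assess_sender(display_name: str, address: str,
                  brands: Dict[str, List[str]],
                  trusted_domains: List[str]) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a From: header.

    brands          -> maps a brand name to the domains that legitimately send mail for it
    trusted_domains -> your own and partner domains, used for TLD-swap detection
    """
    findings: List[Tuple[str, str]] = []
    _local, _, domain = address.rpartition("@")
    domain = domain.lower()
    tokens = re.findall(r"[A-Za-z0-9|]+", display_name)

    for brand, legit_domains in brands.items():
        brand_skel = skeleton(brand)
        # 1. Homoglyph brand name in the display name (the "lnstagram" trick).
        for tok in tokens:
            if skeleton(tok) == brand_skel and tok.lower() != brand.lower():
                findings.append(("confusable_display_name", f"'{tok}' reads as '{brand}'"))
        # 2. Brand claimed in the display name, but the mail comes from an unrelated domain.
        claims_brand = any(skeleton(tok) == brand_skel for tok in tokens)
        sent_by_brand = any(domain == d or domain.endswith("." + d) for d in legit_domains)
        if claims_brand and not sent_by_brand:
            findings.append(("brand_domain_mismatch",
                             f"'{brand}' in display name but sent from {domain}"))

    # 3. TLD swap: same registrable label as a trusted domain, different suffix.
    label, suffix = split_domain(domain)
    for trusted in trusted_domains:
        t_label, t_suffix = split_domain(trusted)
        if label == t_label and suffix != t_suffix:
            findings.append(("tld_swap", f"{domain} mimics {trusted} with a .{suffix} TLD"))
    return findings


# Constructed inputs for a quick run; example.com / example.biz are placeholders.
SAMPLE_BRANDS = {"Instagram": ["instagram.com"]}
SAMPLE_TRUSTED = ["example.com"]
PHISH_FROM = ("Lnstagram Support", "membershipform@outlook.com.tr")   # header from the article
TLD_SWAP_FROM = ("Jane Doe", "jane.doe@example.biz")                   # hypothetical
LEGIT_FROM = ("Instagram", "no-reply@mail.instagram.com")              # hypothetical legitimate sender

if __name__ == "__main__":
    for name, addr in (PHISH_FROM, TLD_SWAP_FROM, LEGIT_FROM):
        print(name, addr, assess_sender(name, addr, SAMPLE_BRANDS, SAMPLE_TRUSTED) or "clean")
```

The skeleton comparison is deliberately applied to both sides, so a brand that itself contains an “l” still matches its own spelling; what gets flagged is a token that folds to the brand while being spelled differently. Run this over the display name and address of the From: header, not the envelope sender, since that is what the recipient sees.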

The fake “Instagram Support” email that appeared to have targeted employees of a New York-based insurance firm. (Source: Armorblox)

The initial scam email reads in full:

FROM: Lnstagram Support <membershipform@outlook.com.tr>
SUBJECT: Instagram Support
MESSAGE BODY:
You have been reported for sharing fake content in your membership. and approved by us.
You must Verify your membership. If You Can't Verify Within 24 Hours
Your membership will be permanently deleted from our servers.
You can continue by pressing the Verify button to verify your membership.

The phishing email tells the recipient that their Instagram account has been reported for spreading fake or false information, which nowadays is not unheard of and considered a serious breach of Instagram’s Terms of Service. The scammers then push the recipient to verify their “membership” within 24 hours else their Instagram account will be deleted. Incorporating a sense of urgency is a scam red flag because it aims to get users to act first and think later when it’s too late.

Clicking the Verify button takes users to a Google Sites page instead of the real Instagram site, another red flag. There, users are asked for their credentials as a “requirement” for verification.

Clicking the Verify button here again directs users to the actual phishing page, as you can see below (Source: Armorblox)
Note that the rhetoric has now shifted from the victim being a fake news proponent to a copyright law-breaker. (Source: Armorblox)

The phishing site also offers up some fraudulent text that can make the whole process feel more official. The text from the phishing site is as follows:

We have received numerous complaints that you violated our copyright laws regarding your account. If you do not give us feedback, your account will be removed within 24 hours. If you think this is wrong, please verify your information below. We ask for this information because we cannot verify that you are the real owner of your account.

Be on the lookout for this or similar campaigns that might land in your work inbox. We always advise caution when dealing with emails, both unsolicited ones and ones claiming to come from inside the organization, especially those that want something from you and pressure you to act quickly “or else”. If you’re unsure whether an email is a phish, ask your colleagues or contact the apparent sender via other means. Better safe than sorry: one small slip-up is all it takes for an entire organization to be compromised. Big attacks do start small.

Stay safe!

The post Beware of this bogus (and phishy) “Instagram Support” email appeared first on Malwarebytes Labs.

How to protect RDP

You didn’t really think that the ransomware wave was coming to an end, did you? You may be tempted to think so, given the decline in reports about massive ransomware campaigns. Don’t be fooled.

Over the last five years, one of the primary attack vectors for ransomware attacks has been the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, a tool for remotely controlling a PC that gives you all the power and control you would have if you were actually sitting behind it—which is what makes it so dangerous in the wrong hands.

Brute-force attacks

Threat actors use brute-force password guessing attacks to find RDP login credentials. These attacks use computer programs that will try password after password until they guess one correctly, or run out of passwords. The passwords they guess can be sold via criminal markets to ransomware gangs that use them to breach their victims’ networks.
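To see the brute-force pattern described above in your own telemetry: every failed logon lands in the Windows Security log as event ID 4625, carrying the source IP, the target user name and the logon type. The Python below is an added example of the sliding-window rule a rate limiter or alerting pipeline applies to those events; it is not Malwarebytes’ Brute Force Protection or any product’s code. The event records are constructed for this example (made-up IPs, names and times), and the threshold of five failures in five minutes is an assumption to tune for your environment. Exporting the real events (Event Viewer, wevtutil or your SIEM) is left to the reader.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed records carrying the event ID 4625 (failed logon) fields that matter here:
# TimeCreated, IpAddress, TargetUserName, LogonType. IPs, user names and times are made up.
Event = Tuple[str, str, str, int]
SAMPLE_4625: List[Event] = [
    ("2022-03-17T07:30:00Z", "203.0.113.9", "backup", 10),           # slow trickle: one guess every 10 min
    ("2022-03-17T07:40:00Z", "203.0.113.9", "backup", 10),
    ("2022-03-17T07:50:00Z", "203.0.113.9", "backup", 10),
    ("2022-03-17T08:00:00Z", "203.0.113.9", "backup", 10),
    ("2022-03-17T08:10:00Z", "203.0.113.9", "backup", 10),
    ("2022-03-17T08:00:01Z", "198.51.100.23", "administrator", 10),  # burst: eight guesses in 100 s
    ("2022-03-17T08:00:05Z", "198.51.100.23", "administrator", 10),
    ("2022-03-17T08:00:10Z", "198.51.100.23", "admin", 10),
    ("2022-03-17T08:00:14Z", "198.51.100.23", "admin", 3),
    ("2022-03-17T08:00:19Z", "198.51.100.23", "user", 3),
    ("2022-03-17T08:00:25Z", "198.51.100.23", "user", 10),
    ("2022-03-17T08:01:02Z", "198.51.100.23", "Administrator", 10),
    ("2022-03-17T08:01:40Z", "198.51.100.23", "administrator", 10),
    ("2022-03-17T08:03:00Z", "10.0.0.5", "jdoe", 10),                # a user mistyping twice
    ("2022-03-17T08:20:00Z", "10.0.0.5", "jdoe", 10),
    ("2022-03-17T08:21:00Z", "10.0.0.5", "jdoe", 2),                 # console logon, not RDP: ignored
]

THRESHOLD = 5                # failures from one source ...
WINDOW_MINUTES = 5           # ... inside this many minutes (assumption; tune per environment)
RDP_LOGON_TYPES = {10, 3}    # 10 = RemoteInteractive; with NLA on, failures often log as type 3 (Network)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_bruteforce(events: Iterable[Event], threshold: int = THRESHOLD,
                      window_minutes: int = WINDOW_MINUTES) -> Dict[str, dict]:
    """Sliding-window count of failed RDP logons per source IP.

    Returns {ip: {"first_alert", "failures", "users", "spraying"}} for every source that reached
    `threshold` failures inside the window, which is the same decision a rate limiter makes
    before it starts rejecting a client for a cool-down period.
    """
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    totals: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    alerts: Dict[str, dict] = {}
    for ts, ip, user, logon_type in sorted(events, key=lambda e: e[0]):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        t = parse_ts(ts)
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:          # forget attempts older than the window
            q.popleft()
        totals[ip] += 1
        users[ip].add(user.lower())
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_alert": t}
    for ip, alert in alerts.items():
        alert["failures"] = totals[ip]
        alert["users"] = sorted(users[ip])
        alert["spraying"] = len(users[ip]) >= 3   # many names, few guesses each: password spraying
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_4625).items():
        print(f"{ip}: {alert['failures']} failures, first alert {alert['first_alert']:%H:%M:%S}, "
              f"users tried {alert['users']}, spraying={alert['spraying']}")
```

Note the slow source in the sample: one guess every ten minutes never trips a five-minute window, which is exactly the low-and-slow pattern a per-source threshold misses. Widening the window (the second call in the test below) catches it at the cost of more noise from users who genuinely mistype, so pair the short window for blocking with a long one for alerting.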

Once they have RDP access, ransomware gangs can deploy specialized tools to:

  • Elevate their privileges (when needed)
  • Leave backdoors for future use
  • Gain control over wider parts of the infiltrated network
  • Deploy ransomware and leave payment instructions

The first three steps are most important for businesses to pay attention to, as they need to be examined after a breach has been noticed. The easiest and cheapest way to stop a ransomware attack is to prevent the initial breach of the target, and in many cases that means locking down RDP.

Securing RDP

If you need to operate work computers remotely, RDP is a mature and convenient protocol, with a client that comes preinstalled on Windows and is also available for other operating systems. There are a few things you can do to make unauthorized RDP access to your network a lot harder:

  • Decide if you really need RDP. This is an important question and you should not be afraid to ask it. Even if you are hardened against brute-force attacks, there is always the chance that attackers will find a remote vulnerability in RDP and exploit it. Before you enable RDP for anyone, be sure that you need it.
  • Limit access to the users who need it. Reduce the number of opportunities an attacker has to guess a weak password by following the principle of least privilege. This cannot be done from the Remote Desktop settings but requires security policies. We have included a guide on how to do this later in this article.
  • Limit access to specific IP addresses. This is another form of following the principle of least privilege. There is simply no need for many IP addresses to have access to your RDP hosts. Rather than banning the IP addresses that don’t need access, allow only those that do.
  • Use strong passwords. Even the most persistent attacker will only ever guess very weak passwords because it is more cost effective to make a few guesses on a lot of computers than it is to make lots of guesses on one. So the first and most basic form of defence is to have users choose even moderately strong passwords—meaning passwords that don’t appear in lists of the most commonly used passwords, and aren’t based on dictionary words. Of course, getting users to actually do that is notoriously difficult, so you need to use other hardening measures as well.
  • Use rate limiting. Rate limiting (such as Malwarebytes Brute Force Protection) has the effect of significantly strengthening the defenses of weak passwords. It works by reducing the speed at which attackers can make login attempts, typically by shutting them out for a period of time after a small number of incorrect guesses. This represents a huge barrier for a computer program looking to race through tens or even hundreds of thousands of password attempts.
  • Use multi-factor authentication (MFA). MFA can stop password guessing in its tracks but it can be difficult to roll out and support. Any second authentication factor will make attacks significantly more difficult, but factors that don’t require user interaction—such as hardware keys and client certificates—are the most robust.
  • Put RDP behind a VPN. Forcing users to connect to a VPN before they can log in to RDP effectively takes RDP off the Internet and away from password guessing attacks. This can be extremely effective but it comes at the cost of maintaining a VPN, and simply shifts the burden of securing your users’ point of access from RDP to the VPN. Diligent patching is essential. In the last few years ransomware gangs and other cybercriminals have made extensive use of vulnerabilities in popular, corporate VPNs.
  • Use a Remote Desktop Gateway Server. This provides additional security and operational benefits, like MFA. The logs it takes of RDP sessions can prove very useful if you find yourself trying to figure out what might have happened after a breach. Because the logs are not on the compromised machine, they are harder for intruders to modify or delete.
  • Do not disable Network Level Authentication (NLA). NLA offers an extra authentication level. Enable it, if it wasn’t already.

Other things that might help

The things in the list below aren’t effective enough to constitute genuine hardening, but might help reduce the volume of attacks you see. They are easy to do but they are not a substitute for the list above.

  • Changing the RDP port. Some hardening guides recommend moving RDP off its default port, 3389. Although this might reduce the number of scans that find your RDP hosts, our research suggests that plenty of attackers will still find you.
  • Retire the Administrator username. Although some password guessing attacks use a variety of usernames, including automatically generated ones, many of them simply try to guess the password for the user named Administrator (or the local equivalent). However, because usernames are not treated as secrets by either users or systems, unlike passwords, you should not rely on the obscurity of your usernames to protect you.

Limiting access to the users that need it

The first step in this process is to create a user group that will be allowed remote access. You can do this in the Group Policy Management Console (GPMC.MSC).

  • In this console, select Computer Configuration > Windows Settings > Security Settings > Restricted Groups.
  • Right-click Restricted Groups and then click Add Group.
  • Click Browse > type Remote > click Check Names and you should see “REMOTE DESKTOP USERS.”
  • Click OK in the Add Groups dialog.
  • Click Add beside the MEMBERS OF THIS GROUP box and click Browse.
  • Type the name of the domain group, then click Check Names > click OK > OK.
  • On the PC, open an elevated command prompt and run gpupdate /force to refresh Group Policy.
  • You should see the group added under the SELECT USERS button on the REMOTE tab of the PC’s SYSTEM PROPERTIES.

Now open the related local policies: Local Security Policy (secpol.msc) > Local Policies > User Rights Assignment.


Remove the “Administrators” group from the “Allow log on through Remote Desktop Services” policy, and certainly do not grant the right to the account named “Administrator.” That account is perfect for intruders; they would love to take it over. Also remove the “Remote Desktop Users” group, contradictory as that may seem: anyone added through the Remote tab of System Properties lands in that group, so over time it tends to contain far more people than actually need remote access.

Now, add the user(s) that you specifically want to have remote access to this system, and make sure that they have the rights they need—but nothing more. Restrict the actions they can perform to limit the damage that they can do if the account should ever become compromised.

Secure your network resources

In the context of RDP attacks, it is also important that you apply some internal safety measures. PCs that can be used remotely should be able to use network resources, but not be able to destroy them. Use restrictive policies to keep the possible damage at bay that any user, not just a remote one, can do.

Aftermath of an attack

If you have been impacted by a ransomware attack via RDP, you’ll need to take some steps to better secure your network and endpoints. After you have recovered your files from a backup or by forking over the ransom, you need to check your systems for any changes the attackers have made that would make a future visit easier for them—especially if you decided to pay the ransom. By paying the threat actors, you have essentially painted a bulls-eye on your own back. You are now a desirable target, because they know you will pay to get your files back, if necessary.

To be sure there are no artifacts left behind, check the computer that was used to access the network via RDP for Trojans and hacking tools, and also any networked devices that could have been accessed from the compromised machine.


This article was originally published in August 2018 and was extensively updated in March 2022. Since this article was first published, Malwarebytes has added Brute Force Protection to the Nebula cloud-based security console. Check it out.

The post How to protect RDP appeared first on Malwarebytes Labs.

Online Safety Bill’s provisions for “legal but harmful” content described as “censor’s charter”

The UK’s Online Safety Bill, a landmark piece of legislation that aims to regulate the country’s online content, has just been introduced into Parliament after undergoing significant revisions.

The bill has been in progress for about five years, and its main objective is to regulate online content so that the UK becomes the safest place in the world to be online. It is perhaps most famous for legally requiring pornographic websites to verify users’ ages, and, yes, that’s still in there.

According to The Independent, the government has strengthened several areas since the previous draft, one of which is shortening the time it takes for company executives to comply with requests for information from Ofcom, the UK’s communications regulator. The last draft proposed a time frame of two years after the bill is made law; the revised draft now proposes a time frame of two months before executives are held criminally liable.

What’s new and what was tweaked

There are other notable changes in the bill.

Company managers could also be held criminally liable by Ofcom if they (1) destroy evidence, (2) fail to attend interviews with the regulator, (3) provide false information in interviews with the regulator, and (4) obstruct Ofcom when it enters company offices.

Platforms that host user-generated content, such as social media platforms and search engines, would not only have a duty of care to protect users from scams and fraud conducted by other users, but also a duty to protect them from “pre-paid fraudulent ads,” which includes unlicensed financial promotions and ads from fake companies. To do this, the revised bill proposes that social media platforms and search engines must put in place “proportionate systems and processes to prevent the publication and/or hosting of fraudulent advertising on their service and remove it when they are made aware of it.”

“We want to protect people from online scams and have heard the calls to strengthen our new internet safety laws,” Culture secretary Nadine Dorries is quoted as saying in The Guardian, “These changes to the upcoming online safety bill will help stop fraudsters conning people out of their hard-earned cash using fake online adverts.”

Further into the list of changes, there is now a new requirement to report any incidents or encounters of child sexual abuse to the National Crime Agency (NCA).

News content will also be exempted from regulations to protect free speech.

Cyberflashing, the act of sending unsolicited sexual images to recipients, who are usually girls and young women, would also become a crime. Users who cyberflash would face the same maximum sentence as for indecent exposure: two years in prison.

The bill also includes proposals to punish digital “pile-ons”, and the sending of threatening social media posts and hoax bomb threats.

Finally, arguably the most notable and controversial revision in the draft is how the Bill has changed its approach regarding “legal but harmful” content. As the phrase denotes, this refers to content that is not in itself illegal but could cause harm to whoever encounters it online.

The slippery slope of “legal but harmful” content

The updated bill demands that social media platforms address their approach to “legal but harmful” content in the terms of service (ToS) for their services. It also proposes that such platforms conduct a risk assessment of possible harms that users might encounter while using their service.

Many free speech advocates, including members of the UK’s governing Conservative party, have expressed concern over the possible removal or suppression of such content. In a post, Dorries reassures her readers: “Companies will only be required to remove ‘legal but harmful’ content if it is already banned in their own terms and conditions. This only applies to the biggest platforms carrying the highest risk, and we are updating the legislation to ensure platforms focus on priority categories of harm that are set out in secondary legislation.”

Judging by some of the comments on the post (highlighted in this Twitter entry), some readers at least were not moved by Dorries’ rhetoric. The Open Rights Group (ORG), a UK-based organization working to protect the digital rights and freedoms of individuals in the UK, discussed the harms of the Online Safety Bill in December 2021, calling for the “legal but harmful” clauses to be removed to “ensure that the focus of the legislation remains on its stated purpose—protecting the well being of individuals”.

Jim Killock, executive director of the ORG, describes “legal but harmful” as a censor’s charter. “Civil society groups have raised the warning, Parliament has raised the warning, the government’s own MPs have raised the warning but the government has ignored them all,” he said. “The online safety bill will outsource decisions about what we can see online from British courts, Parliament and police to the terms of service documents of social media platforms drafted by Silicon Valley lawyers.”

The post Online Safety Bill’s provisions for “legal but harmful” content described as “censor’s charter” appeared first on Malwarebytes Labs.

FBI catches up with one of its Most Wanted, arrests head of advance-fee crime network

Some scammers don’t mind putting extra effort into making a crime look legitimate, piling on further lies along the way, as long as the money arrives at the end.

Osondu Victor Igwilo is one such Nigerian scammer.

The “catchers”

52-year-old Igwilo has been on the Federal Bureau of Investigation’s watch list since 2018.

According to court documents, Igwilo was charged in 2016 in the US District Court for the Southern District of Texas, Houston, with “one count of wire fraud conspiracy, one count of money laundering conspiracy and one count of aggravated identity theft.” He is also the alleged ringleader of an international criminal network of “catchers.” Their main technique is sending phishing emails to potential victims, luring them with bogus offers of investment funding supposedly made on behalf of BB&T Corporation, one of the largest banking and financial firms in the US.

Igwilo and his co-conspirators used fake email accounts and the stolen identities of US government officials to net victims all over the world. When a victim organization showed interest in the funding, Igwilo would dispatch hired US citizens to the victim’s country to pose as representatives of BB&T, meet them in person and sign a purported investment agreement. This made the entire scheme appear all the more authentic.

When sent by Igwilo to visit victims abroad, these fake bank officials were instructed to call at the local US embassy or consulate and to fabricate documents bearing fake US government seals, deepening the impression that the US government was sponsoring the funding.

Both the “catchers” and the fake representatives worked to convince victim organizations to wire advance payments to US bank accounts as a condition of receiving their funding. The owners of those accounts, known as “money movers”, then forwarded the money as Igwilo directed, which included buying luxury vehicles and shipping them to Nigeria.

Igwilo is said to have defrauded victims out of approximately $100M.

“Catchers” caught

On Monday, the Economic and Financial Crimes Commission (EFCC) of Nigeria released a press statement about the capture of Osondu Igwilo along with his accomplices, Okafor Nnamdi Chris, Nwodu Uchenna Emmaunel, and John Anazo Achukwu in a studio in Lagos. They were arrested on Thursday, 11 March 2022. According to the statement, five houses around Lagos belonging to Igwilo were recovered after the arrest.

The US Diplomatic Mission Nigeria praised the arrest, which was made possible by the partnership between the FBI and the EFCC.

Igwilo and his accomplices are expected to be formally charged in court soon.

The post FBI catches up with one of its Most Wanted, arrests head of advance-fee crime network appeared first on Malwarebytes Labs.

Clouding the issue: what cloud threats lie in wait in 2022?

As more services move ever cloud-wards, so too does attackers’ attention turn to how best to exploit them. With all that juicy data sitting on someone else’s servers, it’s essential that the provider runs a tight ship. You’re offloading some of your responsibility onto a third party, and sometimes things can go horribly wrong as a result. Whether it’s the third party being exploited, or something targeting the cloud users themselves, there’s a lot to think about.

We offered some thoughts in a recent article on potential cloud issues. That article focuses on misconfiguration, phishing, limiting what data is shared, and the ever-present Internet of Things. Below, we dig into a few of those and offer some additional opinions on where other attacks of interest may lie.

Cryptocurrency wallet attacks

Digital wallet phishing attempts are rampant on social media, and we expect this to rise. People new to cryptocurrency often gravitate to services which take the hassle out of setting everything up. Third-party services which look after your private keys are known as custodial wallets. Private keys matter because they are the keys to your Bitcoin kingdom: whoever holds them controls the funds.

You’re essentially giving the third party full control of managing things for you. If that third party is compromised or exploited in some way, recovering any stolen funds may take some time. You may well get them back, but you likely won’t be able to put a timeline on that process.

Some folks may feel the above process isn’t as secure as storing their cryptocurrency on standalone devices. So-called “cold wallets” are typically offline hardware devices, with no internet capability and the ability to manage only a few types of digital currency.

Contrast this with the “hot” custodial wallets, which typically plug into many forms of currency and provide various online services. It’s a bit like the difference between using an online, cloud-based password manager run by a third-party company, and running a purely local password manager operated by you and you alone.

If something goes wrong with your cold wallet, should you lose it or have it stolen, nobody is coming to help. This is a lot of responsibility if you’re dealing with large amounts of currency. On the other hand, do you want to take the risk of plugging large amounts into something whose management is up to someone else?

Even if people avoid being phished, stealer malware which hunts for private keys and/or logins is becoming increasingly popular. Users may also run into trouble if something goes wrong at the organisation looking after their private keys. It’s an incredibly complex landscape fraught with problems, and this is why we’ll continue to see people hit by all manner of cryptocurrency scams for some time to come.

Ransomware supply chain triple-threat

Ransomware will continue to cause problems in supply chains and leverage so-called triple threat attacks. This is where multiple forms of pressure are placed upon the victim to convince them to pay up. This method of attack is sure to remain popular, becoming a viable alternative to “just” using double extortion tactics.

For example, demanding a ransom under threat of leaking data is double extortion. Groups like BlackCat, meanwhile, went all-in on triple extortion towards the end of 2021. BlackCat didn’t only demand a ransom under threat of data leaks; it also promised to launch a DDoS (distributed denial of service) attack if the ransom wasn’t paid.

Targets who keep all files in the cloud only (no local or offsite backups) are great marks for blackmailers. Indeed, even where backups exist, they may not be as effective as they once were due to additional threats beyond a ransom payment. Sure, you won’t lose your data if you have backups, the attackers will say – but they’ll make sure a lot of it ends up on an underground forum somewhere regardless.

This is why it’s crucial to try and stop ransomware authors getting one foot in the door in the first place. Training staff not to open attachments from untrusted senders, keeping security updates up to date, and reducing services needlessly visible online can all help with this.

The Metaverse

We expect to see various forms of harassment increase in virtual worlds as more people jump on the Metaverse bandwagon, with security and safety settings playing catch up. 

The possibility exists for rogue advert manipulation and phishing should Meta decide to push ahead with virtual ad placement. There are also issues with augmented reality privacy concerns, data breaches, and photo realistic representations of your living space for all to see. All this, before we even touch on the very big problem of harassment in virtual spaces. Placing virtual bubbles around users so others can’t digitally grope them is just one sorely needed tool to help combat harassers, but more needs to be done.

Cloud services which reduce the VR processing strain on users’ machines could also become popular targets, especially where gaming is concerned. With more slices of the gaming pie being offloaded away from the user’s machine, it’s only natural to think those services may take a hit.

As we’re seeing, it’s not only game developers at risk from being targeted. With hardware shortages generally making it more difficult to get hold of graphics cards and chips, subscription cloud services are viewed as an important alternative. Becoming a crucial tool in the battle against lack of components will mean they catch the eye of people with bad intentions. 

Misconfigured services

We finish off with that constant thorn in the side of the cloud: basic errors which consistently lead to security woes.

Every year organisations fail to secure their cloud services and data is leaked, exposed, and scraped by third parties. Even apps aren’t free of cloud risks, with tools designed to monitor children’s online use accidentally exposing user IDs, plaintext passwords, and more thanks to missing security measures.

Exposed data can lurk for months without discovery. It can also be used for blackmail and profit, and once it’s online there’s no going back. People often talk about “leaky buckets” in relation to misconfigured services. They’re called buckets because they hold your data; unfortunately those leaks don’t stand a chance of being fully plugged anytime soon.
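The “leaky bucket” usually comes down to one policy statement that grants the anonymous principal read or list access. The checker below is an added example, not from the article; the article names no provider, so it assumes the AWS S3 bucket-policy JSON shape as the illustration, and both policies (including the account ID and role name) are constructed. It runs offline against the policy text and reports the statements that make the bucket world-readable, with the corrected policy alongside for comparison.

```python
"""Spot a world-readable storage bucket policy before the internet does.

Added example; the policies are constructed, using the AWS S3 bucket-policy
JSON shape as the illustration. The check is offline: pass a policy in,
get back the Allow statements that let anyone read or list the bucket.
"""
import fnmatch
import json

# Actions that expose bucket contents; wildcards in the policy are matched against these.
SENSITIVE_ACTIONS = ("s3:getobject", "s3:listbucket")

# Weak setting: anonymous read and list on the whole bucket (constructed).
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# Corrected setting: a named role reads objects, and a Deny refuses plaintext transport (constructed).
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-backups/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True when the principal means 'anyone', with or without the AWS wrapper."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def grants_read(actions):
    """True if any action (wildcards allowed, e.g. s3:Get* or *) covers a sensitive action."""
    return any(
        fnmatch.fnmatchcase(sensitive, action.lower())
        for action in actions
        for sensitive in SENSITIVE_ACTIONS
    )


def public_read_statements(policy_json):
    """Return one finding per Allow statement that lets the anonymous principal read or list.

    Deny statements with Principal "*" are normal (they restrict everyone) and are not flagged.
    A Condition does not make the grant safe by itself, so it is reported rather than skipped.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow" or not is_anonymous(statement.get("Principal")):
            continue
        actions = _as_list(statement.get("Action", []))
        if grants_read(actions):
            findings.append({
                "sid": statement.get("Sid", f"Statement[{index}]"),
                "actions": actions,
                "conditional": bool(statement.get("Condition")),
            })
    return findings


if __name__ == "__main__":
    for name, policy in (("leaky", LEAKY_POLICY), ("fixed", FIXED_POLICY)):
        print(name, public_read_statements(policy))
```

A hit with `"conditional": True` still deserves a look: conditions such as a source-IP range may be what the owner intended, but a condition on transport or user agent does nothing to stop anonymous downloads.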

Whether your area of interest is IOT, ransomware, or even the Metaverse, it’s well worth digging into some of these topics and keeping one eye on the news. Whether you’re involved with the cloud at home or in the workplace, bad actors are figuring out ways to cause trouble – but that doesn’t mean we have to let them.

The post Clouding the issue: what cloud threats lie in wait in 2022? appeared first on Malwarebytes Labs.

Gh0stCringe RAT makes database servers squeal for protection

Researchers have found that the Gh0stCringe RAT is infecting Microsoft SQL Server and MySQL servers, and seems to focus on servers with weak protection. The Gh0stCringe RAT communicates with a command and control (C&C) server to receive instructions and is capable of exfiltrating information.

SQL

SQL is short for Structured Query Language and is often pronounced “sequel.” SQL is a standard language used to query and change the content of databases. It was originally developed for working with relational databases, but with the implementation of product-specific application programming interfaces (APIs) and the growth of online applications, it quickly became far more widely used.

Gh0stCringe

Gh0stCringe, also known as CirenegRAT, is a malware variant based on the code of Gh0st RAT. The Gh0st RAT source code was publicly released, so we’ve seen quite a lot of malware based on this code. Remote Access Trojans (RATs) are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim system.

Gh0stCringe connects to a C&C server and performs various malicious actions after receiving commands from the attacker. As with other RATs, the attacker can configure a range of settings; one of the options Gh0stCringe provides is a keylogger. Keylogging lets the threat actor steal login credentials and other sensitive information.

For a full technical analysis we would like to refer you to the researchers’ post.

Security

According to the researchers, the threat actors behind Gh0stCringe are targeting poorly secured database servers with weak account credentials and no oversight. On the infected servers they found evidence of previous infection by miners usually distributed through brute force attacks.

Security of SQL Server environments is considered to be among database administrators’ prime responsibilities. It is up to each database administrator to configure security features, or use additional security measures as needed, to address the security and compliance requirements of their data and applications.

Microsoft SQL Server provides several built-in security features, including TLS-encrypted connections, encryption of data at rest (with its key hierarchy protected by the Windows Data Protection API), and authentication and authorization controls.

MySQL provides robust data security to protect data including secure connections, authentication services, fine-grained authorization and controls, and data encryption.

The problem is that there are a few very different security issues to be considered when it comes to an internet-facing SQL server. Administrators have to implement security to protect their system(s) against SQL database vulnerabilities, SQL injection attacks, and brute-forcing SQL credentials on top of every other security measure that applies to such servers.

How to avoid RATs

There are some basic actions that can be taken to lessen the chance of RATs and miners making use of your SQL servers.

  • Use a strong password policy, keeping in mind the importance of the server and the data on it.
  • Apply patches in a timely manner and keep the number of applications, which all need to be patched, to a minimum.
  • Actively manage the user accounts that have access, and their privileges.
  • Use monitoring and logging to keep an eye on what is going on.
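The monitoring item above is the one that catches the brute-force stage the researchers describe. Both engines already write a line for every failed login; the script below, an added example that is not from the researchers’ report, counts those lines per source address and reports any address over a threshold. The log lines are constructed to mirror the default SQL Server ERRORLOG and MySQL error-log formats (MySQL only writes them at a verbose log level); the IPs and user names are invented.

```python
"""Flag brute-force attempts against SQL servers from their own error logs.

Added example. The sample lines are constructed in the default format of
the SQL Server ERRORLOG and the MySQL error log; they are not captured data.
"""
import re
from collections import Counter, defaultdict

# SQL Server ERRORLOG failed-login line: '... Login failed for user 'x'. Reason: ... [CLIENT: ip]'
MSSQL_FAILED = re.compile(
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[0-9A-Fa-f.:]+)\]"
)
# MySQL error-log failed-login line: "... Access denied for user 'x'@'ip' (using password: YES)"
MYSQL_FAILED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[^']+)'"
)

SAMPLE_LOG = """\
2022-03-17 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-03-17 10:00:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-03-17 10:00:01.58 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-03-17 10:00:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-03-17 10:00:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-03-17 10:03:12.02 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.42]
2022-03-17 10:03:15.11 Logon       Login succeeded for user 'reporting'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.42]
2022-03-17T10:05:02.000000Z 88 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2022-03-17T10:05:02.200000Z 89 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2022-03-17T10:05:02.400000Z 90 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2022-03-17T10:05:02.600000Z 91 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2022-03-17T10:05:02.800000Z 92 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2022-03-17T10:05:03.000000Z 93 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
"""


def parse_failed_logins(text):
    """Yield (source_ip, user) for every failed-login line from either engine."""
    for line in text.splitlines():
        for pattern in (MSSQL_FAILED, MYSQL_FAILED):
            match = pattern.search(line)
            if match:
                yield match.group("ip"), match.group("user")
                break


def brute_force_sources(text, threshold=5):
    """Return {ip: {"attempts": n, "users": [...]}} for sources at or above threshold.

    A single typo from an internal host stays below the threshold; a remote
    address hammering 'sa' or 'root' does not. Tune threshold to your window.
    """
    attempts = Counter()
    users = defaultdict(set)
    for ip, user in parse_failed_logins(text):
        attempts[ip] += 1
        users[ip].add(user)
    return {
        ip: {"attempts": count, "users": sorted(users[ip])}
        for ip, count in attempts.items()
        if count >= threshold
    }


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failed logins as {', '.join(info['users'])}")
```

Feed it the live ERRORLOG (or `mysqld.log`) on a schedule and the output is a ready-made block list; the same counts are a quick way to confirm whether a box that shows the IOCs below was first found by a password sprayer.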

There are some tell-tale signs that could give away the presence of the Gh0stCringe RAT. The method of keylogging it uses is known to cause high CPU usage. Below are some IOCs.

IOCs

Filename:

  • mcsql.exe

C&C servers:

  • tuwu.meibu.net
  • 172.86.127.224

MD5:

  • bd8611002e01d4f9911e85624d431eb0
  • 9adc9644a1956dee23c63221951dd192
  • 782cbc8660ff9e94e584adfcbc4cb961
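The IOCs above are only useful once something checks hosts against them. The script below is an added example, not part of the researchers’ report: it walks a directory tree for the file name and MD5 hashes, and searches log lines for the C&C domain and IP as whole tokens so that neighbouring addresses do not produce false hits. The sample directory (holding placeholder bytes, not the real binary) and the DNS/connection log lines are constructed for the demonstration.

```python
"""Sweep a host for the Gh0stCringe IOCs listed above.

Added example, not part of the researchers' report. Checks file names and
MD5 hashes under a directory tree and looks for the C&C host and IP in log
lines. The sample directory and log lines are constructed here.
"""
import hashlib
import os
import re
import tempfile

# IOCs as published above
IOC_FILENAMES = {"mcsql.exe"}
IOC_C2 = ["tuwu.meibu.net", "172.86.127.224"]
IOC_MD5 = {
    "bd8611002e01d4f9911e85624d431eb0",
    "9adc9644a1956dee23c63221951dd192",
    "782cbc8660ff9e94e584adfcbc4cb961",
}

# Whole-token match: 172.86.127.2 or 172.86.127.2241 must not count as hits,
# while "tuwu.meibu.net." (trailing dot) and "172.86.127.224:443" must.
C2_RE = re.compile(
    r"(?<!\w)(?:" + "|".join(re.escape(ioc) for ioc in IOC_C2) + r")(?!\w|\.\d)"
)


def md5_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large binaries are not read into memory whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root):
    """Return [(path, reason)] for files whose name or MD5 matches an IOC."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_FILENAMES:
                reasons.append("filename")
            try:
                if md5_of(path) in IOC_MD5:
                    reasons.append("md5")
            except OSError:
                pass  # unreadable file: skip it rather than abort the sweep
            if reasons:
                hits.append((path, "+".join(reasons)))
    return hits


def scan_log_lines(lines):
    """Return the log lines that reference the C&C domain or IP."""
    return [line for line in lines if C2_RE.search(line)]


# Constructed DNS and connection log lines, not captured traffic
SAMPLE_LOG = [
    "2022-03-17 11:02:09 dns query A tuwu.meibu.net from 10.0.0.12",
    "2022-03-17 11:02:10 conn 10.0.0.12:49312 -> 172.86.127.224:443 tcp",
    "2022-03-17 11:02:11 conn 10.0.0.12:49313 -> 172.86.127.2:443 tcp",
    "2022-03-17 11:03:00 dns query A www.example.com from 10.0.0.12",
]


def build_sample_dir():
    """Create a throwaway tree with one name-only hit (placeholder bytes, not the sample)."""
    root = tempfile.mkdtemp(prefix="gh0stcringe-demo-")
    os.makedirs(os.path.join(root, "Program Files", "svc"))
    with open(os.path.join(root, "Program Files", "svc", "mcsql.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, not the real sample")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("benign file\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_dir()
    for path, reason in scan_directory(demo_root):
        print(f"file hit ({reason}): {path}")
    for line in scan_log_lines(SAMPLE_LOG):
        print(f"log hit: {line}")
```

A file-name hit on its own is weak (the name is trivially changed), so treat it as a prompt to pull the binary for hashing and to check the process for the high CPU usage mentioned above; a hash or C&C hit is a confirmed indicator.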

Stay safe, everyone!

The post Gh0stCringe RAT makes database servers squeal for protection appeared first on Malwarebytes Labs.

Valorant cheats on YouTube are actually information-stealing malware

Valorant, the popular free-to-play team-based shooter, is attracting the attention of scammers. It’s reported that a malware distribution campaign is leveraging YouTube to push infection files. The campaign distributes a known password stealer, which hunts for credentials in browsers, cookies, a variety of cryptocurrency wallets, VPN clients, and much more besides. It then zips the stolen data and sends it via a Discord webhook (a method for posting updates into Discord channels).
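Exfiltration over a Discord webhook blends in because discord.com traffic looks normal on a gaming PC, but the webhook execution URL itself (`https://discord.com/api/webhooks/<id>/<token>`) is distinctive, and a stealer posts to it as a multipart file upload from whatever binary the victim just ran. The detection below is an added example, not part of the original report; the key=value proxy log format, host names, process names, webhook IDs and tokens are all constructed. It flags POSTs to webhook URLs, scores them on process and upload size, and redacts the token, since anyone holding it can post to that channel.

```python
"""Flag data leaving through Discord webhooks in egress proxy logs.

Added example, not part of the original report. The key=value log format
and the lines below are constructed. A webhook execution URL has the shape
https://discord.com/api/webhooks/<id>/<token>; the token alone lets anyone
post to that channel, so findings redact it and keep the id for takedown.
"""
import re

WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)"
)

# Constructed egress proxy lines with process attribution (as an EDR-fed proxy would log)
SAMPLE_PROXY_LOG = """\
2022-03-16T18:02:11Z host=GAMING-PC process=Discord.exe method=POST url=https://discord.com/api/v9/channels/1234/messages bytes=812 ctype=application/json
2022-03-16T18:02:40Z host=GAMING-PC process=ValorantAimbot.exe method=POST url=https://discord.com/api/webhooks/9876543210/AbCdEf_example_token bytes=1874933 ctype=multipart/form-data
2022-03-16T18:03:02Z host=GAMING-PC process=chrome.exe method=GET url=https://cdn.discordapp.com/attachments/1/2/image.png bytes=0 ctype=-
2022-03-16T18:05:17Z host=BUILD-01 process=python.exe method=POST url=https://discord.com/api/webhooks/1122334455/CiBuild_example_token bytes=412 ctype=application/json
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; bytes becomes an int, URLs keep any '=' they contain."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    record["bytes"] = int(record.get("bytes", 0))
    return record


def redact_webhook(url):
    """Keep the webhook id (needed to report it) but hide the token."""
    match = WEBHOOK_RE.search(url)
    if not match:
        return url
    return url[: match.start(2)] + "<redacted>" + url[match.end(2):]


def flag_webhook_exfil(text, allowed_processes=frozenset(), large_upload=1 << 20):
    """Return findings for POSTs to webhook URLs, scored by how stealer-like they look.

    allowed_processes: lower-cased image names expected to post to webhooks in
    this environment (an ops notifier, say). Default: none, so every webhook
    POST gets at least "unexpected_process".
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record.get("method") != "POST" or not WEBHOOK_RE.search(record.get("url", "")):
            continue
        reasons = ["webhook_post"]
        if record.get("process", "").lower() not in allowed_processes:
            reasons.append("unexpected_process")
        if record["bytes"] >= large_upload or record.get("ctype", "").startswith("multipart/"):
            reasons.append("bulk_upload")  # zipped loot goes up as a file attachment
        severity = {3: "high", 2: "medium"}.get(len(reasons), "low")
        findings.append({
            "ts": record["ts"],
            "host": record.get("host"),
            "process": record.get("process"),
            "url": redact_webhook(record["url"]),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in flag_webhook_exfil(SAMPLE_PROXY_LOG):
        print(finding["severity"], finding["host"], finding["process"], finding["url"], finding["reasons"])
```

The ordinary client traffic (`/api/v9/...`) and the CDN download pass untouched; the CI notifier on BUILD-01 comes out medium until it is added to `allowed_processes`, and the freshly downloaded “cheat” uploading 1.8 MB of multipart data comes out high.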

When history repeats itself

As mentioned by Bleeping Computer, using YouTube in this way is not a new tactic. It’s a quick, easy way to try and make malicious off-site links go viral.

How do they convince people to run the infection file? They tell people to download a file and run it with security software switched off. They then disable the comments to avoid awkward questions, or leave them on and fill them with scammer-controlled spam saying how good the file is, ruthlessly deleting any replies that post warnings.

This is the template for a basic YouTube scam, and several of these techniques are in use in the malware distribution campaign referenced above.

What is the bait being used?

Cheaters will cheat for many reasons in a video game, especially a competitive one. Why spend hours practising when you can just cheat some more? Aim-bots have been a plague on the shooter landscape for many years, and there’s no shortage of fakes alongside the genuine articles.

At the most basic level, aim-bots will help you target other players more easily. They may include wall-hacks, rapid fire, radar interference, the sky’s the limit. Online titles frequently include several forms of anti-cheat to detect hacks and (potentially) contribute toward a ban. As a result, top-tier cheat tools which try and bypass the detection on offer can fetch a pretty price.

An aim-bot or other cheat tool offered up for free on YouTube sounds too good to be true, and that’s precisely because it is indeed too good to be true. Although the example from the article leads to a sharing site called “Anonfiles”, a lot of the time more well-known file sharing portals are used. There may well be an advert or survey to click through on those sites too, which means potential extra revenue.

Finally, many scams of this nature use URL shortening services. This helps to hide the real landing page from casual observers, adds another layer of familiarity (“Oh, it’s Bit.ly”), and may also give the malware authors detailed clickthrough statistics.

How to avoid being caught by these scams

We may have touched on a few of these above, but even so, they’re worth repeating.

  • Do not, under any circumstances, switch off your security protection. There’s no reason to do this when installing games in almost any situation I can think of. It’s pretty rare these days to run into an issue where a legitimate game file is prevented from performing a task by security software. I think that’s happened to me perhaps twice in something like 10 years, and I install a lot of games on PC.
  • Check out the comments. Are they all strangely positive? Do they all claim the thing being offered worked like a charm with no problems whatsoever? Are the accounts brand new, or old accounts which seem to have only recently taken an interest in cheating? Alternatively, are the comments simply switched off? Both of these can be massive red flags when dealing with game cheat files.
  • What other content is the account promoting cheat software pushing? Is it a bunch of identical cheat videos with a few bits of text switched around? Surveys? Millions of free [insert game currency here] points via some sort of website-based generator tool? These are all signs that something is most definitely not right.
  • Finally: even if the source is entirely legitimate and the supposed cheat tool does in fact work? You’re playing with fire. Game cheats are routinely banned in huge numbers for all sorts of reasons. Steam, Epic store, PlayStation network, it doesn’t matter. Valorant has its own anti-cheat system and it’s quite unlikely you’re going to find a YouTube freebie which gets around it.

Do the sensible thing and give game cheating tools a very wide berth. It’s simply not worth risking your gaming accounts being stolen, or your account being banned, or a horrible combination of both.

The post Valorant cheats on YouTube are actually information-stealing malware appeared first on Malwarebytes Labs.