IT NEWS

Why MITRE matters to SMBs

Running a small- to medium-sized business (SMB) requires expertise in everything, from marketing and sales to management and hiring, but in the ever-expanding list of executive responsibilities, one particular item demands attention: Cybersecurity.

Cyberattacks can—and have—shuttered entire businesses. Cyberattacks can ruin reputations. Cyberattacks can lock up your workforce, grind revenue to a halt, send clients and customers looking for alternatives, and cost millions of dollars in recovery.

Running an SMB today, then, requires effective cybersecurity. But cybersecurity vendors don’t make it easy. Every few months another vendor promises the best, fastest, and most effective protection, appending new, three-letter acronyms to features that may not appropriately serve your business, or may require a level of time and resources that your business can’t afford.

For SMBs, one particular third-party evaluation can help clear up some of the clutter. The MITRE ATT&CK Evaluation, run by cybersecurity researchers at MITRE Engenuity, analyzes the performance of dozens of cybersecurity vendors against known, real-world attacks, testing their capabilities not against theoretical damage, but actual harm.

According to the researchers at MITRE:

“While organizations know that robust security solutions are imperative, determining what’s best is no easy feat. There is often a disconnect between security solution providers and their users, particularly related to how these solutions address real-world threats.

Our mission is to bridge this gap by enabling users to better understand and defend against known adversary behaviors through a transparent evaluation process and publicly available results – leading to a safer world for all.”

Though the MITRE ATT&CK results are not quick to comprehend—after all, MITRE does not rank or select any “winners” or “losers” in its testing—they are important to understand. MITRE results can reveal which vendors can best prevent incoming cyberattacks, which can provide high visibility into current problems, and which can detail the most information about those problems.

Crucially, MITRE results can detail which cybersecurity vendor will offer your business the most effective “out-of-the-box” experience, protecting your business from cyberattacks while requiring less daily input from you and your team.

Here’s what the MITRE researchers evaluate in their testing and why it matters to your SMB.

Protection

“Protection” is a term that describes whether a cybersecurity product can prevent an attack before it even reaches your computers or systems. Protection is the first line of defense for any business and its significance cannot be overstated. Preventing an attack is always preferable to responding quickly to an attack after it has happened.

The MITRE ATT&CK Evaluation does not require its participants to be tested on their protection capabilities. In the most recent testing by MITRE, 22 out of 30 vendors entered the protection test. Just 10, including Malwarebytes, scored 100 percent on protection.

While no cybersecurity product can stop every single cyberthreat in existence—it just isn’t possible as cybercriminals constantly advance their tactics—a good cybersecurity product will still rank highly on MITRE’s protection analysis.

Visibility and alert quality

Cyberattacks do not happen in seconds. Instead, cybercriminals can plan their attacks for days or even weeks, brute-forcing their way into an insecure Remote Desktop Protocol port or simply tricking an employee into opening a malicious email attachment which then allows them to gain remote control of a machine, where they will then spread laterally through a network, deploying dangerous hacking tools along the way, until they launch a massive attack that can derail any business.

Any decent cybersecurity product should be able to flag any malicious or suspicious behavior happening on a network and deliver related warnings to the end-user. This capability to see potential attacks as they’re happening and then signal those attacks to users is called “Visibility,” and MITRE tests this in its own evaluations. The Visibility score reflects the number of dangerous steps that a cybersecurity solution caught and sent warnings about during a simulated attack.

Visibility is just one half of a cybersecurity response, though. The other half is “Alert quality.”

As we explained in our previous article describing the most recent MITRE ATT&CK Evaluation results:

“Not every alert is equal. Some provide far more detailed information that can be acted upon by security teams, while other alerts only notify a security team of a problem. In the MITRE ATT&CK evaluation results, alerts are given three tiers of specificity, from least to most specific—General, Tactic, and Technique.

Techniques are the types of alerts that empower security teams to solve problems faster. Going beyond a basic description of what happened, a Technique alert will explain the surrounding context. That can include what threat actors are trying to accomplish with a malicious script.”

Cybersecurity products that achieved both high Visibility and Alert Quality in the most recent MITRE testing can equip SMBs with the support they need: A product that will not only tell you when something is wrong, but also what, specifically, is happening, and what the outcome could be.

Malwarebytes detected 83 out of 90 steps involved in the MITRE ATT&CK Evaluation—a rate of 92 percent—and of those 83 alerts, 82 were Technique alerts.

“Out-of-the-box” experience

The reality that many SMBs face is that they do not have the time or the budget for an in-house security team or even a single devoted security hire. But that shouldn’t mean that these same SMBs are left vulnerable to cyberattacks. What they need most is a cybersecurity product that works seemingly “out of the box,” which could approach a level of “set it and forget it” ease.

The MITRE ATT&CK Evaluation does not incorporate any of this rhetoric in its testing, but there is a way to interpret MITRE results that takes into account just how engaged a business must be to achieve solid cybersecurity.

Here, we have to explain “configuration changes.” Configuration changes are settings that a cybersecurity vendor can change while MITRE is actually analyzing that vendor’s product. These configuration changes reflect the real-world use of cybersecurity products by some enterprise companies—changes in what a product notifies its end-users about that may help catch emerging threats as they evolve every few weeks.

But, as we wrote before, such configuration changes are not universally applied by businesses everywhere, and in fact, these changes could lead to adverse results:

“Importantly, these customers may actually lose some value if they try to implement the same types of configuration changes that MITRE Engenuity allows, as these changes will likely produce a greater quantity of alerts, leaving these customers to spend more time deciphering the importance of these alerts and how to respond. This adversely affects the visibility and alert quality components as customers spend time sifting through a potentially significant number of additional, low-quality alerts in order to determine priority actions. A productivity loss no organization—big or small—is willing to accept.”

Configuration changes can be a powerful tool specifically for the businesses that have the resources to implement them responsibly and nimbly. But for the countless number of businesses that would not realistically take advantage of these settings, any cybersecurity product worth its cost should provide efficient and effective cybersecurity with zero configuration changes made during the MITRE ATT&CK Evaluation.

Malwarebytes is one of the few cybersecurity vendors that achieved its results with zero configuration changes. For a full breakdown on how Malwarebytes ranks with this frame of analysis, read our full blog here.

Understanding MITRE for your SMB

The MITRE ATT&CK Evaluation can be overwhelming to understand at first glance, but interpreting the results is worth the effort. By looking at what products can offer your business effective cybersecurity while respecting your limited resources, you can better protect your business for the future.

The post Why MITRE matters to SMBs appeared first on Malwarebytes Labs.

Apple’s child safety features are coming to a Messages app near you

Apple will soon be rolling out its promised child safety features in the Messages app for users in Australia, Canada, New Zealand, and the UK. The announcement comes four months after the features’ initial launch in the US on iOS, iPad, and macOS devices.

To make communicating with Messages safer for Apple’s youngest users in the countries getting the rollout, it will start using machine learning to scan messages sent to and from an Apple device, looking for nudity to blur. Because scanning is done on-device, meaning the images are analyzed by the phone rather than in the Cloud, end-to-end encryption is not compromised.

“Messages analyses image attachments and determines if a photo contains nudity, while maintaining the end-to-end encryption of the messages,” Apple said in a statement. “The feature is designed so that no indication of the detection of nudity ever leaves the device. Apple does not get access to the messages, and no notifications are sent to the parent or anyone else.”

Of course, parents would have to enable this feature on their child’s iPhones first.

[Image: Children are given the power to make a safe choice with what they want to see and do on Messages. (Source: Apple)]

If the setting for this feature is on and a child receives a nude photo, Messages blurs it, warns the child of sensitive content, and points them to resources supported by child safety groups. If the child is about to send nude photos, the feature flags the picture and encourages them not to send the image. They could also talk to an adult they trust using the “Message a Grown-Up” button.

Note that the AI does not scan photos your child keeps in their Photo Library.

There have been some changes to these features since they were initially reported in August last year. Originally parents were also alerted if their young child (a child under 13) sent or received images that contained nudity. Privacy advocates and critics quickly pointed out that doing this could out queer kids to their parents, which could expose them to harm.

Apple is also delaying the rollout of an AI component that can scan photos in iCloud and compare them to a child sexual abuse material (CSAM) database. The company has yet to announce the date of this component’s release.

According to The Guardian, Apple will also introduce features that will kick in when users search for child exploitation content in Spotlight, Siri, and Safari.

How to enable Apple’s safety features

Parents/Carers/Guardians, you need to set up Apple’s Screen Time feature on your child’s phone first, which requires Family Sharing (If you haven’t done that already, go to the Set up Family Sharing help page for the steps).

Once you have Screen Time enabled and the communications safety features are already available in your country, please do the following:

  1. On your Apple device, open Settings.
  2. Choose Screen Time.
  3. Swipe down and choose your child’s device.
  4. Choose Communications Safety.
  5. Toggle Check for Sensitive Photo.

Stay safe!

The post Apple’s child safety features are coming to a Messages app near you appeared first on Malwarebytes Labs.

Why software has so many vulnerabilities, with Tanya Janca: Lock and Code S03E09

Less than one year ago, the worst ransomware attack in history struck dozens of organizations. Threat actors had exploited a serious flaw in the remote monitoring and management tool Kaseya VSA that, when discussed on the Lock and Code podcast, was revealed to be “not advanced at all.”

This was far from the only software vulnerability that the public learned about last year.

When Lock and Code discussed the efforts by agricultural companies to turn their physical equipment, like tractors and combines, into smart devices, we learned about simple flaws that allowed a group of hackers to uncover user IDs for pretty much every registered device in a company’s database. And we learned that the IDs could, through a simple comparison search with the Fortune 500, reveal what companies were clients of that agricultural company.

And when we discussed the famous app Clubhouse, we learned about an eavesdropping flaw that was discovered with no technical hacking requirements—all that was necessary was two iPhones.

These examples and many, many more throughout cyber-history beg the question: What is going on with how our applications are developed?

Today on the Lock and Code podcast with host David Ruiz, we speak to returning guest Tanya Janca to understand the many stages of software development and how security trainers can better work with developers to build safe, secure products. According to Janca, a good security team takes the security of their developers’ products as their own responsibility.

“It’s our job to help them make their software secure. If at the end, they have all these things wrong, guess what, it’s because our team, the security team, is not doing a good job.”

Tanya Janca, Director of Developer Relations at Bright, founder of the online training academy We Hack Purple, and author of Alice and Bob Learn Application Security.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why software has so many vulnerabilities, with Tanya Janca: Lock and Code S03E09 appeared first on Malwarebytes Labs.

Watch out for this SMS phish promising a tax refund

Imagine logging into your bank’s website after responding to a text message claiming you’re due a refund, only to see a warning to watch out for bogus texts:

[Image: Beware of SMS phishing!]

For those who don’t read Dutch, the warning reads:

Never respond to unusual emails or texts!

Fraudsters often send e-mails under the guise of renewing your debit card or digipas. Never go into that. They refer to websites that are not owned by Argenta. Argenta will also never ask you to provide your card number by telephone because you will allegedly receive a new debit card or digipas.

Do you still receive suspicious messages?

Have you already passed on codes over the phone? Or has money already been withdrawn from your account? Please contact us immediately on (available 24/7 for victims of phishing).

The warning above is genuine, on a real bank’s website. But the warning, in this case, comes too late because this is the last and only legitimate stop in a victim’s passage through a phishing scam.

The bogus SMS trail begins

Here’s one of the suspect SMS messages, as tweeted by Twitter user @ypselon:

it has been decided that you will receive a refund. to receive this amount you can visit our website [url removed]

The text claims to be from “FOD”. This is the Federale Overheidsdienst Financiën in Belgium. The suspect URL includes a domain registered just this month (often a red flag), in India, rather than Belgium.

Visiting the site presents you with a message that says:

[Image: A fake FOD website offering fake refunds]

Refund:

In order to receive a refund of your personal income tax, you must verify your account so that we can transfer the full amount of €278.35 to the correct account.

It is important to carry out a one-time verification as a check. Afterwards you will receive the amount on your account within a few working days.

For “one-time verification” read “send us money”.

We all love a tax refund so it’s an effective hook to lure in potential victims. Continuing reveals a large assortment of banks commonly used in Belgium.

A slippery phish

The scam site includes customised pages for each popular bank. Some ask for card details, others for account numbers. All are fake, all are trying to hoover up information that can be used to steal your money.

[Image: A phishing site asks for credit card details for a “one-time verification”]

No matter which route you go down, entering your details will neither verify your identity nor secure you a tax refund. But all will leave you poorer and eventually redirect you to your bank’s real website (where you might encounter a warning about falling for scams like the one you’ve just fallen for).

At this point, your only option is to contact the bank for real, and tell them what’s happened. If you’re lucky, you may be able to have them shut things down. If not, days or weeks of hassle might lie in wait.

Faking it to make it

Fake tax refunds are hugely popular. They’re especially rampant during (or immediately following) any tax season. The Federale Overheidsdienst Financiën has some advice for avoiding scams like this.

  • If the FOD helped you with a tax return the previous year, it may contact you by phone. The organisation warns that if the caller doesn’t know your name; asks for payment for assistance; asks to come to your home; or requests passwords, PINs, email, or address, then you should hang up.
  • Report any request to provide confidential data related to banking you receive by email, text, or WhatsApp.
  • If you’re asked to make a payment to the FOD directly, check their site because there’s only a limited number of ways to make a payment to an official account.

The post Watch out for this SMS phish promising a tax refund appeared first on Malwarebytes Labs.

Beware of fake Twitter philanthropists offering to put $750 into your Cash App account

Twitter philanthropists are a controversial emergence on the social media platform. In essence, Twitter-based philanthropy is about incredibly rich people helping out those who need it. The help is random, and often focused around performing a task like listening to a podcast or simply retweeting something. Of course, not everyone can “win” and many, many people miss out.

Unfortunately there is no shortage of people who could use some assistance. So it was probably inevitable that copycats and scams offering false hope would jump in, ready to leave victims worse off than when they started.

The biggest name in Twitter philanthropy is probably William J. Pulte. His account, specifically, has developed a few barnacles of the copycat variety. Shall we take a look?

Fake it till you make it

Spot the problem below:

[Image: Williams galore]

The bio and profile on both accounts are a straight copy of the real thing. Well, almost. The fake profiles aren’t verified, so they edit the profile picture to include a blue Twitter bird. It’s not going to pass as verified for experienced social media users, but it’s the only option the scammers have.

The fake accounts take the unusual decision to retweet the real William a few times. They then drop their own bogus tweets into the mix.

[Image: $750 to your Cash App account? Nope.]

One of them says:

Your chance to get $750 to your Cash App account.
Please Confirm your email now!
Click here [URL removed]
Have a good life with the $750
Good luck

It’s not a Lorem Ipsum page, but it’s close

The above tweet already sounds quite a bit different to the genuine article from “the inventor of Twitter philanthropy”. There, money is given directly with no use of shortening links or external sites (not that I’ve seen, anyway!)

For argument’s sake, let’s assume you’re convinced by the fake profile and you’re ready to click the bit.ly link. Before clicking, imagine the following scenario: You are William. You are rich. Staggeringly rich. So rich, you can give away a million dollars on social media over the course of a pandemic.

You then decide to put together the worst looking website anybody has ever seen and throw it on a free hosting service…

[Image: Maybe…he spends his fortune on other things?]

The site reads as follows:

Congratulation!

Your chance to get $750 to your Cash App account.

Please Confirm Your Email Now!

The link is only aimed at residents of the US. Should you click it from outside the desired region, you’ll be bounced off to a random assortment of other promo-style websites.

When free money isn’t free money…

Assuming you are indeed in the US, you’ll end up on the below page:

[Image: Where is my Twitter philanthropist?]

The offer has shifted gears abruptly from “rich person on Twitter might give me money I may urgently need” to “complete twenty deals to claim $750.”

Wait, what?

Yes, the fake profiles have quite cruelly sent people to some sort of sign-up offers deal. Not only that, but it’s the type which requires some form of monetary outlay in the first place. In fact, it’s entirely possible taking part could leave them less well off in total than if they’d tried to save up. Under the “how fast can I get my reward?” section, it says you can “typically complete” the required sponsored deals “within 5 – 7 days.” It also says some may take “up to 60” days to complete.

This does not really sound like what was originally promised by fake William.

Closing out the deal

Anyone genuinely giving away huge sums of money on Twitter is almost certainly going to have a verified profile. At the very least, you should be very cautious around non-verified profiles where promises of money are concerned. Even where profiles are verified, they can still be compromised and used for scams. Anything falling outside the typical posting pattern of accounts which do give away money to those in need should be treated with suspicion.

While the concept of free money from Twitter philanthropists is a potentially good one, simply ensuring the deck hasn’t been stacked against you may be too much of a risk itself. Stay safe out there!

The post Beware of fake Twitter philanthropists offering to put $750 into your Cash App account appeared first on Malwarebytes Labs.

Pegasus spyware found on UK government office phone

“When we found the No. 10 case, my jaw dropped.”

John Scott-Railton recalled after finding out on July 7, 2020 that Pegasus, the highly sophisticated flagship spyware of Israel’s NSO Group, was used to infect a phone linked to the network at 10 Downing Street, the UK Prime Minister’s home and office.

For years, the Citizen Lab, a specialized research group based at the University of Toronto where Scott-Railton works as a senior researcher, has been investigating Pegasus and its misuse by governments—usually authoritarian ones—who bought the spyware from NSO.

The Pegasus infection at Downing Street was unearthed in The New Yorker article entitled “How democracies spy on their citizens,” an investigative look at governments’ use of Pegasus. A UK official confirmed the network had been compromised.

The National Cyber Security Centre (NCSC), a British intelligence body, painstakingly but thoroughly tested phones at Downing Street, including that of Boris Johnson, the current UK Prime Minister. However, they were unable to identify the infected device.

Based on the servers this device was said to phone back to, the United Arab Emirates (UAE) may be behind the hacking and spying against Downing Street.

“I’d thought that the US, UK, and other top-tier cyber powers were moving slowly on Pegasus because it wasn’t a direct threat to their national security,” Scott-Railton was quoted saying, “I realized I was mistaken: even the UK was underestimating the threat from Pegasus, and had just been spectacularly burned.”

Citizen Lab further revealed that phones connected to the Foreign Office, pre- and post-merger, were hacked via Pegasus on at least five more occasions. Again, based on destination servers, the UAE, India, and Cyprus were named potential instigators.

The UAE’s link to the hack only deepened after a British court revealed that Pegasus was used to spy on Princess Haya, former wife of current Prime Minister of Dubai Sheikh Mohammed bin Rashid al-Maktoum. The Sheikh was in a custody dispute with Haya, who fled to the UK with her children. Pegasus was also found to have been used to target Haya’s British attorneys.

David Ruiz, senior privacy advocate, spoke at length about Princess Haya’s case—and other Pegasus infections—in an earlier episode of the Malwarebytes podcast Lock and Code, which can be listened to in full here.


After an alert reached the NSO Group regarding the use of Pegasus against Princess Haya, the UAE shut down its spyware system, and NSO announced that its software would no longer target UK phone numbers the same way it has avoided targeting US numbers.

Goodbye, Pegasus. Hello, Maestro?

NSO consistently touted Pegasus as an aid to law enforcement in combating criminal organizations and terrorists. The New Yorker article and many others, however, only detail harrowing accounts of abuse: from hacking government officials’ phones via a WhatsApp zero-day exploit to tracking Loujain al-Hathloul, a women’s rights activist in Saudi Arabia. Her iPhone may well have been patient zero for an exploit that bypassed Apple’s BlastDoor security feature using a malformed PDF.

As Pegasus has become publicly scrutinized, NSO Group has expanded its product line. Its latest release is called Maestro, an AI tool that “scrutinizes surveillance data, builds models of individuals’ relationships and schedules, and alerts law enforcement to variations of routine that might be harbingers of crime.” One of the product’s designers was quoted saying, “Turning every life pattern into a mathematical vector.”

NSO Group revealed that a handful of countries already use Maestro. Perhaps it’s only a matter of time for Maestro to become another controversy like Pegasus, and one that groups like Citizen Lab will investigate and reveal its potential dangers to the world.

The post Pegasus spyware found on UK government office phone appeared first on Malwarebytes Labs.

It’s legal to scrape public data—US appeals court

Web scraping—the automated extraction of data from websites—has been around for a long time. It has been simultaneously cursed and praised, with nobody quite able to land the decisive blow on whether it should be allowed, one way or another.

This may have changed, thanks to a recent US appeals court ruling.

A tangled web of scraped content

LinkedIn (and, by extension, Microsoft) is not impressed with people or organisations scraping publicly available data from its site. In fact, they’re so massively not impressed by the practice that the matter went legal in 2017 with a LinkedIn cease-and-desist letter. The social network objected to a company scraping public data from its pages, and the story rumbled into 2019 with another setback for the LinkedIn / Microsoft combo.

Last year, the data scraping saga was given one final chance to swing a decision in favour of scraping being viewed as a very bad thing. The decision has now been made, and it’s not good news for LinkedIn. Scraping public data is not considered to be a violation of the Computer Fraud and Abuse Act.

LinkedIn has vowed to keep on fighting this one. However: Is scraping really that big a deal?

The case for

  1. The main argument in favour of scraping is that it is not a violation of privacy. It’s simply making use of content that has already been shared publicly.
  2. It’s fantastic for archival purposes. Thanks to link rot and link reuse, huge chunks of the Internet simply vanish on a daily basis: Websites go bust, pages are moved or removed.

The case against

  1. People who agree to share data on a site like LinkedIn probably don’t expect their data to be hoovered up by third-parties, and may not even realise it’s possible. So they don’t understand the implications of sharing their personal information publicly. If the only safe course of action is to simply post nothing, that feels like quite a big chilling effect.
  2. Sometimes pages or sites go missing because the site owner wants them to go missing. There may be privacy reasons, or security issues, or something else altogether involved. Some archival sites and services will allow you to block their crawlers, but it can be a convoluted process and often involves a certain time and effort investment. Should people have to pre-emptively hunt down all the archival services in the first place to ensure something isn’t immortalised online forever?
  3. Scraping can have a big impact on sites and services generally. It can be a little overwhelming for a small site owner to try and stop content thieves and scrapers repurposing their content for ad clicks. Sometimes sites will grab content and place it alongside malware or phishing for an additional twist of “please stop doing that”.

It’s verdict time

As you can see, I’m probably leaning more towards siding with LinkedIn on this one. Even so, with this latest decision in place and with so many frankly worrying ways scraped data can be misused, perhaps we are edging towards that previously mentioned chilling effect. One thing’s for sure, we’ll see this one back in a courtroom somewhere down the line.

As far as your own data goes, keep all of the above in mind. That one random photograph could be sucked up into a facial recognition platform. Your tweet from 11 years ago could be aggregated with other data about you in ways you hadn’t anticipated. That incredibly awesome public work profile you created may just pull in a bunch of spammers and con artists.

Prune accordingly, and keep the really sensitive stuff away from public view. That way, no matter the end result of any number of court cases, you’ll still hopefully have a firm grip of where your most important data ends up.

The post It’s legal to scrape public data—US appeals court appeared first on Malwarebytes Labs.

US warns of APT groups that can “gain full system access” to some industrial control systems

An “exceptionally rare and dangerous” advanced persistent threat (APT) malware kit, containing custom-made tools designed to target some of North America’s industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices, appears to have been caught before it could be let loose on America’s oil refineries and power grids.

Multiple US federal government agencies, including the FBI, NSA, and CISA, have released a joint advisory about this kit dubbed PipeDream. It features one-of-a-kind tools designed to work against systems belonging to Schneider Electric, OMRON, and the Open Platform Communications Unified Architecture (OPC UA).

While CISA has declined to name the state actor behind the tools, Mandiant and Dragos, two cybersecurity companies specializing in advanced persistent threats (APTs) that partnered with the agency, said that the tools’ behavior pointed to Russia as the likely source. However, this link, they say, is “largely circumstantial”.

Once inside ICS/SCADA operational technology (OT) networks, PipeDream can gain full system access to target devices, allowing attackers to scan, control, and compromise Windows-based engineering workstations using an exploit. Having full access also enables threat actors to elevate privileges, move laterally within the OT environment, and disrupt critical systems. Such disruptions could lead to machinery getting physically destroyed and, worse, loss of human lives.

Since the invasion of Ukraine began, President Biden has urged businesses to strengthen their security against possible Russian cyberattacks. However, cyberthreats against vital US infrastructure have been a concern for years, not least since Stuxnet successfully compromised nuclear centrifuges in Iran more than a decade ago.

ICS attacks—scary, but very hard to do

The outcome of a successful attack against vital infrastructure—such as a power grid, power station or water treatment plant—could be very bad indeed. And although we have yet to learn of a nation state successfully attacking one in the US, we can get a glimpse of the possible disruption by looking at other, similar forms of attack.

For example, a ransomware attack against Colonial Pipeline in 2021 caused it to halt operations for six days. Long lines of US motorists began queuing up at gas stations to panic buy fuel, causing prices to go up on the East Coast. A similar attack happened a month later, against meat processing giant JBS, stirring fear of shortages and price rises.

With catastrophic possibilities forecasted before any actual events ever happen, it is easy to get caught in the hype and assume that a critical infrastructure “big one” will play out sooner than expected. But such a possibility is, in fact, very slim, according to Lesley Carhart, principal threat hunter with Dragos.

Carhart spoke to Malwarebytes podcast host David Ruiz on an episode of the Lock and Code podcast last year all about disaster planning and the slim chance of a critical infrastructure “big one.”

Internet-connected ICS may be easy to find, but they are difficult to exploit in reality. Carhart attests to this. “These systems are honestly so complex and so distributed and so heterogeneous that they are really difficult to attack at scale,” she said.

The problem for attackers is that OT environments are all about risk mitigation. Their designers and operators spend their lives thinking about the risks in their environment and coming up with ways to mitigate them. Even if an attacker can compromise a computer and use it to make an environment do something it’s not supposed to, there are typically controls and operators primed to identify and stop errant systems before they can cause any harm.

“A more sophisticated, determined adversary has to think about how to get around those mitigations,” Carhart added.

A successful attack also demands a lot of time, resources, and preparation. According to Carhart, attackers oftentimes sit in networks for months and even build their own industrial facility to learn more about it. ICS attacks are “astronomically expensive”, she says.

Manufacturers of such systems are also increasingly creating them with security in mind. Despite what you might hear, Carhart does not think the dangers of an ICS “big one” are increasing. “In a lot of ways, people are more aware of the threats,” says Carhart. “They’re deploying more security monitoring, and they’re starting to build incident response plans for their industrial environments specifically. They’re starting to do threat hunting, penetration testing, [and] red teaming in their industrial environments.”

To learn more about the reality of defending critical infrastructure, listen to that episode of the Lock and Code podcast.


The post US warns of APT groups that can “gain full system access” to some industrial control systems appeared first on Malwarebytes Labs.

Oracle releases massive Critical Patch Update containing 520 security patches

Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates may need your urgent attention if you are a user of the affected product.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that look most urgent.

Oracle Communications Applications

The update contains 39 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product and it has the maximum CVSS score of 10 out of 10. Supported versions that are affected by this flaw are 12.0.0.4 and 12.0.0.5.

CVE-2022-23305 is a Log4j 1.x vulnerability with a CVSS score of 9.8. It affects the Oracle Communications Messaging Server and allows attackers to inject SQL through any logged data they control, such as input fields or request headers, because the JDBCAppender builds its SQL by string substitution rather than with bound parameters. (Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.) The same Log4j vulnerability affects the Cartridge Deployer Tool component of Oracle Communications Network Integrity and the Logging component of Oracle Communications Unified Inventory Management. It also affects several components of Oracle Fusion Middleware.

CVE-2022-23990 is a vulnerability in the user interface (LibExpat) component of the Oracle Communications MetaSolv Solution, and it also has a seriously high CVSS score of 9.8. LibExpat versions before 2.4.4 have an integer overflow in the doProlog function that a crafted XML document can trigger, leading to a crash or a denial of service.

Oracle Blockchain Platform

The update contains 15 new security patches for Oracle Blockchain Platform. 14 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2021-23017 is a security issue in nginx resolver with a CVSS score of 9.8. It could allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite.

Oracle GoldenGate

The update contains 5 new security patches plus additional third-party patches for Oracle GoldenGate. 4 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2021-26291 is a security issue in Apache Maven with a CVSS score of 9.1. It affects the Oracle GoldenGate Big Data and Application Adapters. Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (POM), which may be unknown to users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository (for example by intercepting a plain-HTTP repository URL).
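The usual defence against repositories smuggled in through a dependency’s POM is to stop Maven from contacting them directly. The following settings.xml is an added example, not Oracle’s or the Apache Maven project’s configuration; the proxy URL is a placeholder for a repository manager you control. The second mirror is the one Maven 3.8.1 and later ship by default as part of the fix for this CVE.

```xml
<!-- ~/.m2/settings.xml (added example; repo.example.internal is a placeholder host) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <!-- Maven uses the first mirror whose mirrorOf matches, so the HTTP blocker
         goes first: any repository reached over plain HTTP, wherever it was
         declared, fails the build instead of being fetched or proxied. -->
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
    <!-- Everything else, including repositories declared inside dependency POMs,
         is routed through one repository manager you control, so a takeover of
         a third-party repository URL cannot feed artifacts into the build. -->
    <mirror>
      <id>internal-proxy</id>
      <mirrorOf>*</mirrorOf>
      <url>https://repo.example.internal/maven2</url>
    </mirror>
  </mirrors>
</settings>
```

Run `mvn help:effective-settings` to confirm both mirrors are active in the order shown, and keep the allow-list of upstream sources in the repository manager rather than in individual projects, where a dependency’s POM cannot widen it.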

Oracle Communications

The update contains 149 new security patches plus additional third-party patches noted below for Oracle Communications. 98 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-22947 is another vulnerability with a CVSS score of 10. It is a vulnerability in Spring Cloud Gateway that affects Oracle Communications Cloud Native Core Network Exposure Function and Oracle Communications Cloud Native Core Network Slice Selection Function. In Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
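Because the bug is only reachable through the Gateway Actuator endpoint, the configuration decides whether an unpatched instance is exposed. The fragment below is an added example for a Spring Boot application.properties file, not configuration from Oracle or the Spring project; the property names are the standard Spring Boot and Spring Cloud Gateway ones.

```properties
# application.properties (added example)

# Exposed configuration, which CVE-2022-22947 needs: the gateway actuator endpoint
# is enabled and published over the web with nothing authenticating callers.
#management.endpoint.gateway.enabled=true
#management.endpoints.web.exposure.include=*

# Hardened configuration: keep the gateway endpoint off unless it is genuinely
# needed, and expose only the actuator endpoints that are actually monitored.
management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.include=health,info
```

If the gateway endpoint must stay enabled, place it behind authentication (for example Spring Security on the actuator path) and move to 3.1.1 or 3.0.7 anyway; the configuration change limits exposure but is not a substitute for the patch.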

Oracle Java SE

The update contains 7 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-21449 is a vulnerability in the Oracle Java SE and Oracle GraalVM Enterprise Edition products with a CVSS score of 7.5. That score arguably understates it, given the wide range of impacts in an access management context: the flaw is in Java’s ECDSA signature verification, which accepted a signature whose r and s values are both zero as valid for any message and any public key. An attacker can therefore trivially forge signatures on anything an affected JVM verifies with ECDSA, such as JWTs, SAML assertions, or WebAuthn responses. It applies to any operating system if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update. An elaborate analysis of this vulnerability was published by ForgeRock.

Mitigation

For a complete list of the security vulnerabilities, have a look at the Oracle security alerts page. Several of the discussed vulnerabilities in this Patch Update are vulnerabilities in third-party components which you may have patched earlier, but it’s definitely worth checking that every bundled copy of those components is covered.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. You can follow the links in the Patch Availability Document column on the Oracle page to access the documentation for patch availability information and installation instructions.

Stay safe, everyone!

The post Oracle releases massive Critical Patch Update containing 520 security patches appeared first on Malwarebytes Labs.

The fake Elon Musk Bitcoin giveaway marathon will NOT make you rich

Today we look at a fakeout which begins with Elon Musk, and ends with a trip to Mars (or, if you’re really lucky, the Sun).

One of the most annoying “features” of Twitter is being added to lists without permission. It’s a theoretically useful way to keep track of certain topics. It’s often also used for trolling or spam. A friend of mine was added to a list over the weekend by what appeared to be Elon Musk.

It was not Elon Musk.

Dodging detection

The account in question is doing a pretty good job of not attracting attention while getting up to mischief. As you can see from the profile, it has an almost perfect no followers / no following ratio. There are no tweets, no replies, no likes…nothing.

[Image: the account’s Twitter profile]

The account would simply pass you by, if you were looking for people up to no good.

Except.

Check out the account’s Twitter lists. This is done by clicking into the “…” and then hitting lists in the dropdown menu. With this done, we see a so-called “giveaway marathon” list. The giveaway isn’t detailed with text, so it is again very easy to miss. Rather, it’s a picture of a fake Elon Musk tweet which reads as follows:

[Image: The Elon “giveaway marathon”]

I decided to randomly choose 1000 new followers, who can participate to the biggest crypto giveaway. Hurry up to join at [url removed].

For flying under the radar purposes, it’s almost perfect. Shall we take a look at this “biggest crypto giveaway”?

Behold, the “biggest crypto giveaway”

“5,000 BTC giveaway”, screams the banner.

[Image: “Enjoy – Elon Musk”]

They say:

Our marketing department here at Tesla HQ came up with an idea: to hold a special giveaway event for all crypto fans out there.

For those keeping score, 5,000 Bitcoin totals somewhere in the region of $200,000,000. Not bad for a giveaway pot!

How do you get your hands on this amazing slice of cash, I hear you cry? Well, you have to guess which planet “Tesla” is trying to explore. You do this by clicking on the planet we’re supposed to be exploring.

[Image: Space! Contentious planet listings! It’s all here!]

Some observations:

  1. You can click on Earth, or indeed the Sun.
  2. The image includes Pluto—a big salute to “Team Pluto is Definitely a Planet”. That muddy ball of ice and rock couldn’t have done it without you.
  3. I did say we’d be going to Mars at the start of this blog, but the truth is, you can click anywhere you like to proceed. Yes, even the Sun.

I guess what I’m trying to say is I doomed humanity with an all-expenses paid trip to the Sun. With a payoff like that, I sure hope we’re about to get rich off the back of this giveaway.

Getting rich quick off the back of this giveaway

The site presents itself as being a giveaway specifically from Tesla.

[Image: A step-by-step guide]

It makes the following claim:

To verify your address, just send from 0.02 to 1 BTC to the address below and get from 0.10 to 10 BTC back.

Well, that’s a bold strategy. They’re saying that if you give them $40,000 then you’ll get $400,000 back at the upper contribution level. The advice is to use any wallet which supports Bitcoin, and then “select the amount you want multiplied…for example, to get 10 BTC, send 1 BTC.”

There’s also a fake “free Bitcoin remaining” timer counting down which tries to panic you into getting involved. Refreshing the page restarts the timer.

Speeding things up

One thing which people may not know about Bitcoin transactions is that there can be a delay with regard to transaction confirmation. This is down to verification and recording of new transactions. Essentially: You perform an action of some kind, and you have to wait for the Bitcoin blockchain to do blockchain things and confirm that you did, in fact, send cryptocurrency to somebody and it all went through as planned.

You’ll note that our Sun-bound BTC giveaway says “Still waiting for transaction? Click here!”

You’d assume it would mention the possibility of transaction notifications being delayed. To be fair, it does – but then adds a little something extra:

[Image: You want me to send you Bitcoin how many times?]

“Sometimes transaction network is under load and it can take more time. You can speed up the transaction by sending the same amount again to our address. This is an official promotion and every transaction address we receive gets their bonus back”

Considering we arrived here in the first place from Fake Elon, and this “official” Tesla giveaway is absolutely not an official Tesla giveaway, I’m not entirely sure I believe them. They’re asking you to send, at the upper donation limit, roughly $80,000 to try and help nudge the first transaction through.

In what may be the most not-needed spoiler warning of all time: This probably isn’t going to end well.

Aborting launch

All in all, we’d have to suggest giving this one a big miss. You’re not going to magically generate tons more money than you put in, and as fun as it is to suggest sending humanity into the fiery heart of the Sun it probably won’t make you very rich in the meantime.

Sorry, Fake Elon, but we’re going to have to pass.

The post The fake Elon Musk Bitcoin giveaway marathon will NOT make you rich appeared first on Malwarebytes Labs.