IT NEWS

HBO sued for sharing subscriber data with Facebook

HBO Max subscribers Angel McDaniel and Constance Simon filed a class-action lawsuit against HBO on Tuesday, alleging that the company has violated their privacy by sharing subscriber viewing data with Facebook. Bursor & Fisher filed the case on behalf of McDaniel and Simon.

According to case documents, the suit asserts that HBO hands over customer lists to Facebook, which the social media company then uses to match customers’ viewing habits with their Facebook profiles. It alleges that because HBO didn’t ask for subscribers’ consent to share their data, this violates the Video Privacy Protection Act (VPPA), a bill that became law in 1988.

The VPPA was created to protect people from “wrongful disclosure of videotape rental or sale records [or similar audiovisual materials, to cover items such as video games and the future DVD format].” Although VHS and Betamax rentals from brick-and-mortar video shops haven’t been the norm for a very long time now, the VPPA has newfound relevance in cases involving computers and Internet of Things (IoT) devices, such as smart TVs.

The suit further alleges that HBO partnered with Facebook to retarget Facebook ads to its subscribers. HBO Max’s privacy policy states this; however, per VPPA, subscribers are required to consent to share their viewing history first before companies can use this data. According to the suit, having a privacy policy is not enough for this.

Bursor & Fisher have been successful representing people fighting for their right to privacy in the past. The firm previously represented Josephine James Edwards, a lifestyle magazine subscriber, who filed a case against Hearst, a multinational conglomerate that owns several newspapers and magazines (among others) in 2015. The suit alleged that Hearst violated the Michigan Video Rental Privacy Act by selling magazine-subscriber data, which included age, race, religion, and income level, to third-party companies without subscribers’ consent.

The post HBO sued for sharing subscriber data with Facebook appeared first on Malwarebytes Labs.

Blunting RDP brute-force attacks with rate limiting

Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article.

Not long ago, guessing a Windows Remote Desktop Protocol (RDP) password successfully was widely regarded as ransomware operators’ number one choice for breaching a target. It attracted a lot of press coverage three or four years ago, and interest in it was renewed in 2020 by the sudden addition of a million or so RDP-connected computers to the Internet, with the onset of the pandemic and wide-scale working from home.

Things have been a little quiet since, and in 2021 RDP was eclipsed—in the press at least—by ransomware gangs’ use of a whole host of different and diverting vulnerabilities, such as the ProxyLogon attack chain.

You’d be forgiven for thinking that RDP abuse was a thing of the past. It is not.

The Ransomware Delivery Protocol

RDP is a fantastically powerful feature of Windows that makes remote work and remote administration feel like it isn’t remote at all. If a Windows computer has an Internet connection, and RDP switched on, it can be used from anywhere by anyone with a valid username and password, with all the same features and access rights as if they were sat right in front of it.

RDP is so useful that millions of Internet-connected Windows computers have it enabled.

We know this because it is trivially easy to find them, and that’s a problem.

To see why, imagine that you work in an office building that doesn’t close its doors at night and instead lets criminals wander around, trying their luck at logging on to its computers. The criminals are in no hurry, they can come back night after night, so they have plenty of time to find a computer with a weak password, or to plug away at one computer trying more and more complex passwords.

The Internet is like that overly-permissive office—and thanks to RDP it has over four million computers exposed to every cybercrook in the world, and their password guessing software.

RDP password guessing has been an enormously important technique for ransomware gangs in the last few years, because it allows them to breach a victims’ network disguised as a legitimate employee. It has been so successful that it has spawned criminals who specialise in guessing RDP passwords, and markets where they can sell them to ransomware operators.

RDP brute-forcing is alive and well

The Malwarebytes Threat Intelligence team maintains RDP honeypots that track the effectiveness of Malwarebytes Brute Force Protection (BFP), a countermeasure against RDP password guessing. The honeypots provide a revealing insight into the enormous amount of RDP brute-forcing attacks happening in the background, all day, every day.

We took a slice of data from an unremarkable period of last year—the last 15 days of October 2021—to illustrate the scale of the problem.

The honeypot in our test was an Internet-connected Windows computer with RDP enabled on a non-standard port. It used out-of-the-box BFP rate limits: Attackers were shut out for five minutes if they entered five incorrect passwords within the space of five minutes.

There is nothing about our honeypots that makes them tempting targets. If you have RDP-enabled computers, you can assume that each and every one is attracting a similar level of attention from password guessing attacks.

10,000 attacks a day

In the last 15 days of October, a five-minute BFP lockout was triggered 28,910 times, by attacks from 29 separate IP addresses. Because it takes five attempts to trigger a lockout, the total number of password attempts made against the honeypot during that test period was therefore 144,550, or about 10,000 per day. This figure is likely to be dampened considerably by the rate limiting—without it, the numbers would likely have been much higher.

The five IP addresses that probed the honeypot most frequently during that time all persisted for about ten days, in overlapping shifts. The similarity in the number of daily guesses they made, and in the time they spent making guesses, may indicate that they come from the same attacker using multiple IP addresses.

Figure: Daily BFP lockouts triggered by the five most persistent attackers between 16 Oct 2021 and 31 Oct 2021

Using a non-standard port is no protection

RDP normally uses port 3389. Since it is easy to scan the Internet for computers listening on port 3389 it is fairly common for RDP hardening advice to recommend assigning it a different port number.

The honeypots in this test do that: They are connected using a port from the dynamic port range, which is unlikely to be any hacker’s first guess. Despite that, our honeypots’ RDP ports receive heavy and continuous attention from brute-force password guessing programs.

It is our assessment that changing the port number does not provide any meaningful protection. It’s a cheap and easy change to make, and there is no harm in it, but you should look elsewhere for genuine hardening.

The effects of rate limiting

Rate limiting works by throttling the speed at which attackers can make password guesses, typically by shutting them out for a period of time after a small number of incorrect guesses. This is mildly inconvenient to a real user who is unlikely to make more than a handful of incorrect guesses before calling support, but represents a huge barrier for a computer program looking to race through tens or even hundreds of thousands of password attempts.

Rate limiting is what allows enormously important things like credit cards and smartphones to be secured with four- or six-digit PINs that are otherwise trivial to crack.

So how many guesses does rate limiting prevent?

In our test, attackers were shut out for five minutes if they entered five incorrect passwords within the space of five minutes. Our attackers were persistent over several days and received, on average, about 150 bans per day.

To trigger 150 bans per day, our attackers must have made 750 incorrect guesses and incurred 750 minutes of bans, leaving them 690 minutes of the day in which to guess passwords. 750 guesses in 690 minutes gives us a guessing rate of about one password every 55 seconds, or about 1,500 guesses per day.

At that guessing rate, rate limiting reduced the number of daily password attempts from 1500 to 750, halving the effectiveness of the attack and doubling the time a security team would have to react.

But 1,500 guesses per day is an extremely low guessing rate and a very poor use of an attacker’s resources. Other attackers are much more aggressive in their approach.

A few years ago I co-authored a research paper on RDP brute forcing. During our research we monitored an attacker who made 109,934 password guesses in ten days, at a rate of about 11,000 guesses per day, or about 7.5 guesses per minute.

Against that attacker, the rate limiting we used for this article would have been triggered every 40 seconds, allowing them just 1,270 guesses per day—reducing the guessing rate by 87%, giving a security team an additional two and a half months to respond to the attack.
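To make the two calculations above reproducible, here is an added example (it is not part of the original article and is not Malwarebytes’ BFP code) that simulates a sliding-window lockout policy against an attacker who guesses at a fixed interval. The policy parameters are the article’s (five failures within five minutes earn a five-minute ban). The attacker model, that every guess fails, that attempts made during a ban are rejected without being counted, and that the attacker resumes one interval after the ban lifts, is an assumption of the example. It covers both the honeypot attacker who earns 150 bans a day and the 7.5-guesses-per-minute attacker from the research paper, and it goes one step beyond the text by showing what happens to an attacker who paces guesses slower than the window.

```python
from collections import deque

DAY_SEC = 24 * 60 * 60


def simulate_day(interval_sec, threshold=5, window_sec=300, lockout_sec=300,
                 day_sec=DAY_SEC):
    """Count how many password guesses a fixed-interval attacker gets through
    in one day under a sliding-window lockout policy.

    Policy (the article's defaults): `threshold` failed attempts inside any
    `window_sec` window trigger a `lockout_sec` ban.
    Model assumptions (ours, not the article's): every guess fails, attempts
    during a ban are rejected without being counted, and the attacker resumes
    one `interval_sec` after the ban lifts.
    """
    recent_failures = deque()  # timestamps of failures inside the window
    t = 0.0
    guesses = 0
    lockouts = 0
    while t < day_sec:
        # Slide the window: forget failures older than window_sec.
        while recent_failures and t - recent_failures[0] >= window_sec:
            recent_failures.popleft()
        guesses += 1
        recent_failures.append(t)
        if len(recent_failures) >= threshold:
            lockouts += 1
            recent_failures.clear()            # the ban resets the counter
            t += lockout_sec + interval_sec    # banned, then one more interval
        else:
            t += interval_sec
    return {"guesses": guesses, "lockouts": lockouts}


def unthrottled_guesses(interval_sec, day_sec=DAY_SEC):
    """Guesses per day if nothing ever slows the attacker down."""
    return day_sec // interval_sec


def reduction(interval_sec, **policy):
    """Fraction of the attacker's daily guesses that the policy removes."""
    day_sec = policy.get("day_sec", DAY_SEC)
    throttled = simulate_day(interval_sec, **policy)["guesses"]
    return 1 - throttled / unthrottled_guesses(interval_sec, day_sec)


if __name__ == "__main__":
    scenarios = [
        ("honeypot attacker, one guess every 55 s", 55),
        ("research-paper attacker, 7.5 guesses per minute", 8),
        ("low-and-slow attacker, one guess every 80 s", 80),
    ]
    for label, interval in scenarios:
        r = simulate_day(interval)
        print(f"{label}: {r['guesses']} guesses, {r['lockouts']} bans, "
              f"{reduction(interval):.0%} fewer than unthrottled")
```

The 55-second attacker ends the day with 753 guesses and 150 bans (the article’s 750 and 150), roughly half of the 1,570 it would manage unthrottled. The 8-second attacker gets 1,275 guesses and 255 bans against 10,800 unthrottled, about 88 percent fewer; the article’s 1,270 and 87 percent differ only in how the last partial cycle is rounded. The 80-second attacker never trips the rule, because five attempts 80 seconds apart span 320 seconds, longer than the 300-second window, so all 1,080 of its daily guesses go through: a lockout threshold is a speed bump for fast guessers, not a wall, which is why the article’s closing advice is defense in depth rather than reliance on rate limiting alone.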

Rate limiting is a powerful technique for limiting the effectiveness of brute-force attacks. However, in all areas of security we recommend a defense-in-depth approach over a reliance on any one tool or technique. For more information on how to protect your RDP connections read our article on how to protect your RDP access from ransomware attacks.


Linux “Dirty Pipe” vulnerability gives unprivileged users root access

A vulnerability in the Linux kernel, nicknamed “Dirty Pipe”, allows an unprivileged user to overwrite data in read-only files. This can lead to privilege escalation as a result of unprivileged processes being able to inject code into root processes.

If you’re not sure what that means but you think it sounds bad—you are correct!

The vulnerability was found and explained in detail by Max Kellermann of CM4all. The affected Linux kernel versions are 5.8 and above. The fixed versions are 5.16.11, 5.15.25 and 5.10.102.

CVE-2022-0847

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Dirty Pipe is the nickname for the vulnerability listed as CVE-2022-0847.

It is described as a flaw in which the “flags” member of the new pipe buffer structure lacked proper initialization in the copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and so escalate their privileges on the system.

To understand the name you need to know that a pipe is a data buffer in a Linux system’s memory that can be used as if it was a file. Pipes are used to pass information from one program to another by storing the output of the first program and then passing it to the second. For example, if you want to pass information from the list command ls to the paging program less, you’d join them with a pipe. On the command line, it looks like ls | less.

The Dirty Pipe vulnerability can be abused by creating a pipe—which the attacker has permission to change—and then confusing the Linux kernel into thinking that the pipe is a file the attacker doesn’t have permission to change.

If you are up for a full technical analysis, and would like to read about the journey of finding this vulnerability, feel free to read Max Kellermann’s post.

For those that want the short, less technical version, the confusion in the Linux kernel is created by making use of the caching pages. Caching pages are temporary copies of files in a system’s memory that are created to make the handling of frequently used files faster. The vulnerability allows the attacker to make changes to the cached copy of a file that should be “read-only” for a user without root permissions.

In this way, it is possible for an attacker to gain root privileges, which ultimately allows them to take control of an affected system.

Impact

The vulnerability is serious enough for the Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning about it. Perhaps that is because this vulnerability is similar to an older one disclosed in 2016, Dirty COW (CVE-2016-5195), which has been actively exploited by malicious actors since then. And according to the experts, this vulnerability is easier to exploit than Dirty COW was.

Proof-of-concept code has already been published by several researchers.

And while many readers may think: “Oh, it’s Linux, nothing for me to worry about”, the Linux kernel underpins an enormous number of websites and cloud services, and is a base for many other operating systems.

The Linux kernel is an extremely important part of the software on nearly every Android device, and some smartphones are therefore vulnerable to Dirty Pipe.

Mitigation

The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102, so make sure to get those or a later one if you are a Linux user.
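As an added example (not from the original post), the following script turns the version numbers given above into a check you can run on a machine: it parses a uname -r style release string and reports whether the upstream version is older than 5.8, at or past the fixed point release for its stable series, or predates the fix. The fixed versions 5.16.11, 5.15.25 and 5.10.102 and the first affected version 5.8 come from the article; treating 5.17 and later mainline kernels as carrying the fix is our addition. The important caveat, reflected in the third status, is that distributions backport fixes into their own kernel builds without changing the version number, so “affected upstream” means “confirm with your vendor’s advisory”, not “vulnerable”.

```python
import platform
import re

# Fixed stable releases named in the article: the patch level at which each
# stable series received the Dirty Pipe fix.
FIXED_PATCH = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
FIRST_AFFECTED = (5, 8)


def parse_kernel_version(release):
    """Extract (major, minor, patch) from a `uname -r` string such as
    '5.15.0-25-generic' or '5.16.11-arch1-1'. Trailing suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_status(release):
    """Classify a kernel release string by its upstream version number alone.

    Returns one of:
      'not affected'      older than 5.8, the first affected version
      'fixed'             at or past the fixed point release of its stable
                          series, or a later mainline series (5.17+; our
                          assumption, not stated in the article)
      'affected upstream' the upstream version predates the fix; distribution
                          kernels often backport fixes without changing the
                          version number, so confirm with the vendor advisory
    """
    major, minor, patch = parse_kernel_version(release)
    series = (major, minor)
    if series < FIRST_AFFECTED:
        return "not affected"
    if series in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[series] else "affected upstream"
    if series > max(FIXED_PATCH):
        return "fixed"
    # 5.8, 5.9 and 5.11-5.14: no fixed upstream release is named in the article.
    return "affected upstream"


if __name__ == "__main__":
    if platform.system() != "Linux":
        print("not running a Linux kernel; nothing to check")
    else:
        running = platform.release()
        print(f"{running}: {dirty_pipe_status(running)}")
```

Run it on the host you want to assess; for an Android device, the Settings path in the paragraph above gives the same string the script expects.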

For Android users it is a bit more complicated. There are so many devices and kernel versions, that it is hard to give a clear statement. We can say that version 5.x under normal circumstances will only be found on the latest models. My smartphone (1 year old) and many other legacy devices are not vulnerable, because the vulnerability does not affect 4.x versions, which account for the majority of devices from Google and other vendors. You can view your kernel version under Settings > About phone > Android/Software version > Kernel version. Android users with 5.x versions should check whether they are vulnerable and, if so, be on the lookout for an update to be rolled out to fix this vulnerability.

Stay safe, everyone!


Ransomware: February 2022 review

The Malwarebytes Threat Intelligence team continuously monitors the threat landscape to stay on top of existing and emerging attacks. In this February 2022 ransomware review, we go over some the most successful ransomware incidents based on both open source and dark web intelligence.


BlackByte

  • Observed since: July 2021
  • Ransomware note: BlackByteRestore.txt
  • Ransomware extension: .BlackByte
  • Kill Chain: Some victims reported that attackers used known Microsoft Exchange Server vulnerabilities to gain access to their networks. > BlackByte Ransomware 
  • Sample hash: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

HermeticRansom (PartyTicket)

  • Observed since: February 2022
  • Ransomware note: read_me.html
  • Ransomware extension: <original file name>.[vote2024forjb@protonmail[.]com].encryptedJB
  • Kill Chain:  On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack
  • Sample hash: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SFile (Escal)

  • Observed since: February 2022
  • Ransomware note: .<company_name>.!README.log
  • Ransomware extension: .<company_name>.<random>
  • Kill Chain:  Smaller ransomware strains used in targeted attacks
  • Sample hash: 6a7cef95a501cce16dce6f5a645fc97c4bcbb568c83dde5a7f2e4a0d7555dd98

LockBit 2.0

  • Observed since: September 2019
  • Ransomware note: Restore-My-Files.txt
  • Ransomware extension: .lockbit
  • Kill Chain: Brute-force attack on a web server running an outdated VPN service > LockBit
  • Sample hash: 9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af

Magniber

  • Observed since: October 2017
  • Ransomware note: readme.txt
  • Ransomware extension: dihlxbl
  • Kill Chain:  Being Distributed via Microsoft Edge and Google Chrome (Korean users)
  • Sample hash: 06ea8f2b8b70b665cbecab797125733f75014052d710515c5ca2d908f3852349

Surtr

  • Observed since: December 2021
  • Ransomware note: SURTR_README.hta
  • Ransomware extension: .surtr
  • Kill Chain: Spear-Phishing > MalDoc > Surtr Ransomware
  • Sample hash: 40e5bb0526169c02126ffa60a09041e5e5453a24b26bc837036748b150fa3fae

Sugar

  • Observed since: January 2021
  • Ransomware note: BackFiles_encoded01.txt
  • Ransomware extension: .Encoded01
  • Kill Chain: Spear-Phishing > MalDoc > Sugar Ransomware
  • Sample hash: 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058

Conti

  • Observed since: June 2021
  • Ransomware extension: .CONTI
  • Ransomware notes: CONTI.txt, R3ADM3.txt, readme.txt, CONTI_README.txt
  • Kill Chain: Spear-Phishing > Bazar backdoor, or IcedID  > Cobalt Strike > Conti Ransomware 
  • Sample hash: 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59

Mitigations

Source: IC3.gov

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.
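The last bullet asks for the indicators above to be fed into monitoring. As an added example (not from the original review and not Malwarebytes’ detection code), the script below turns the family entries above into a small file-system triage check: it matches file names against each family’s ransom-note names and encrypted-file extension, handles the two templated indicators (SFile’s .<company_name>.!README.log note and HermeticRansom’s email-bearing extension, with the defanged protonmail[.]com re-fanged in the pattern), and matches SHA-256 digests against the sample hashes. The sample directory listing at the bottom is constructed; the byte contents are placeholders, not real samples.

```python
import hashlib
import re

# Indicators transcribed from the review above, keyed by family: the set of
# ransom-note file names, a regular expression for the extension appended to
# encrypted files (None where the review gives only a template too generic
# to match, as with SFile's .<company_name>.<random>), and the sample SHA-256.
FAMILIES = {
    "BlackByte": (
        {"BlackByteRestore.txt"}, r"\.BlackByte$",
        "1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad"),
    "HermeticRansom (PartyTicket)": (
        {"read_me.html"}, r"\.\[vote2024forjb@protonmail\.com\]\.encryptedJB$",
        "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382"),
    "SFile (Escal)": (
        set(), None,  # note name is templated; handled by SFILE_NOTE below
        "6a7cef95a501cce16dce6f5a645fc97c4bcbb568c83dde5a7f2e4a0d7555dd98"),
    "LockBit 2.0": (
        {"Restore-My-Files.txt"}, r"\.lockbit$",
        "9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af"),
    "Magniber": (
        {"readme.txt"}, r"\.dihlxbl$",
        "06ea8f2b8b70b665cbecab797125733f75014052d710515c5ca2d908f3852349"),
    "Surtr": (
        {"SURTR_README.hta"}, r"\.surtr$",
        "40e5bb0526169c02126ffa60a09041e5e5453a24b26bc837036748b150fa3fae"),
    "Sugar": (
        {"BackFiles_encoded01.txt"}, r"\.Encoded01$",
        "4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058"),
    "Conti": (
        {"CONTI.txt", "R3ADM3.txt", "readme.txt", "CONTI_README.txt"}, r"\.CONTI$",
        "24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59"),
}
# SFile's note template from the review: .<company_name>.!README.log
SFILE_NOTE = re.compile(r"^\.[^.]+\.!README\.log$")
HASH_TO_FAMILY = {sha: fam for fam, (_, _, sha) in FAMILIES.items()}


def classify_name(filename):
    """Families whose ransom-note name or encrypted-file extension matches
    `filename`. More than one can match (readme.txt is shared by Magniber and
    Conti), so the result is a set; an empty set means no name indicator."""
    hits = set()
    for family, (notes, ext_re, _) in FAMILIES.items():
        if filename in notes or (ext_re and re.search(ext_re, filename)):
            hits.add(family)
    if SFILE_NOTE.match(filename):
        hits.add("SFile (Escal)")
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def lookup_hash(sha256hex):
    """Family whose sample hash equals this digest, or None."""
    return HASH_TO_FAMILY.get(sha256hex.lower())


def triage(entries):
    """entries: iterable of (filename, file_bytes). Returns one finding per
    entry that matched an indicator, as (filename, reason, families)."""
    findings = []
    for name, data in entries:
        family = lookup_hash(sha256_hex(data))
        if family:
            findings.append((name, "hash", {family}))
            continue
        by_name = classify_name(name)
        if by_name:
            findings.append((name, "name", by_name))
    return findings


if __name__ == "__main__":
    # Constructed sample listing; contents are placeholders, not real samples.
    sample = [
        ("quarterly.xlsx.lockbit", b"\x00" * 16),
        ("Restore-My-Files.txt", b"placeholder note text"),
        ("readme.txt", b"build instructions"),
        ("photo.jpg.surtr", b"\xff\xd8"),
        ("notes.docx", b"nothing to see"),
    ]
    for finding in triage(sample):
        print(finding)
```

A hash match is a strong indicator; a name match is a prompt for investigation, and a generic note name like readme.txt, which appears on plenty of clean systems, should be weighed together with the extension and hash findings rather than alerted on by itself.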

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Recommended reading: How to protect your RDP access from ransomware attacks


Brave browser goes the extra mile to block third party cookies

Brave is testing a new feature to stop bounce tracking, a sneaky method that websites use to load third-party tracking cookies so they can gather more information about who is visiting their site.

The Brave browser

As you may remember from our post about the best browsers for privacy and security, Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOS, Linux, iOS, and Android.

Brave Nightly is the version of Brave that is used for testing and development. The releases are updated every night, hence the name, and may contain bugs. Nightly automatically sends out crash reports when things go wrong. Nightly is now used to test a feature that’s designed to prevent what’s known as bounce tracking.

Why third party cookies are out of fashion

Many browsers and, especially, ad-blockers will refuse to load third-party cookies, which are cookies that do not originate from the site that you are currently visiting. From a website administrator’s point of view, third-party cookies are tracking codes placed on a web visitor’s computer by a website other than their own. When a web visitor visits their site and others, the third-party cookie records this and sends it to the third party who created the cookie. The most common third parties are advertisers, marketers, and social media platforms.

Google has long since changed its ways and adopted other methods of tracking users. But not everyone is a tech giant with the necessary resources to pull that off, so some have resorted to bounce tracking.

Bounce tracking

Tracking protection has become a mainstream feature in many browsers these days, including Apple’s Safari, Mozilla’s Firefox, and Microsoft’s Edge. So the targeted ad industry felt it had to find a way to circumvent those measures. Enter bounce tracking, also known as redirect tracking. Another, even more invasive method is fingerprinting, which identifies users based on their computers’ unique attributes.

Bounce tracking abuses the fact that browsers’ anti-tracking tools generally allow sites to store their own cookies so they can remember repeat visitors. To limit their tracking to first-party cookies, a site that wants to track you can load an intermediary site—or tracking site—first before transferring you to the intended destination. The intermediary site sets a first-party cookie along the way, and each time you cross through it, it gathers more information about where you’ve been and where you’re going.

But there are other methods of bounce tracking like link decoration, which means a website can add a unique identifier to the links you click on, serving as a flag to the next site you visit. The destination site can then store the identifier in a first-party cookie on the original site’s behalf, letting it track your activity. The more this happens on additional sites, the more the original site can track you without ever using third-party cookies. Facebook adverts use this method in the fbclid parameter which allows the destination site to recognize you as a specific Facebook user.
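The two mechanisms just described, an intermediary site in the redirect chain and a decorated link, are both things a defender can recognise in what the browser sees. The following added example (ours, not Brave’s code and not its filter lists) shows the simplest forms of the two countermeasures named later in the post: stripping link-decoration parameters from a URL, and spotting a bounce by looking for a host in a redirect chain that belongs to neither the origin site nor the destination. The fbclid parameter comes from the post; the other parameter names are an assumed short list of common click identifiers, and the “registrable domain” helper is a deliberate simplification that takes the last two host labels instead of consulting the public suffix list. The URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# fbclid is the Facebook click identifier named in the post; the rest is an
# assumed list of other common click identifiers, not Brave's own list.
TRACKING_PARAMS = {"fbclid", "gclid", "msclkid"}
TRACKING_PREFIXES = ("utm_",)


def strip_tracking_params(url):
    """Remove link-decoration identifiers from a URL's query string, keeping
    every other parameter and the rest of the URL unchanged."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TRACKING_PARAMS and not k.startswith(TRACKING_PREFIXES)]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def site_of(url):
    """Crude registrable-domain approximation: the last two host labels.
    A real implementation would consult the public suffix list."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def bounce_hosts(chain):
    """Given the ordered list of URLs a navigation passed through, return the
    intermediate hosts that belong to neither the origin site nor the final
    destination site: the signature of a bounce-tracking redirect."""
    if len(chain) < 3:
        return []
    endpoints = {site_of(chain[0]), site_of(chain[-1])}
    return [urlsplit(u).hostname for u in chain[1:-1]
            if site_of(u) not in endpoints]


if __name__ == "__main__":
    # Constructed example: a link clicked on a social site, bounced through a
    # tracker, landing on a shop with a decorated query string.
    decorated = ("https://shop.example/item?id=42"
                 "&fbclid=IwAR0constructed&utm_source=social")
    chain = ["https://social.example/feed",
             "https://r.tracker-example.net/click?u=42",
             decorated]
    print(strip_tracking_params(decorated))
    print(bounce_hosts(chain))
```

Stripping parameters on its own does nothing against an intermediary that sets a first-party cookie during the bounce, and chain inspection on its own does nothing against a decorated link that goes straight to its destination, which is why a browser needs both, plus the list-driven partitioning described in the next section, to cover the technique.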

Stopping bounce tracking

Some browsers have some methods to detect and stop bounce tracking but it is not always easy, since the browser doesn’t know beforehand that it will be directed through a tracking site.

In a privacy update, Brave explained how it plans to improve the existing methods. It is calling the new feature Unlinkable Bouncing. The browser will notice when you’re about to visit a privacy harming (or otherwise suspect) website, and route that visit through a new, temporary browser storage. This prevents the site from identifying you by tying your footprint to that of previous visits, but allows the site to otherwise function as normal because your visit will look like a unique, first-time visit. The temporary storage is then deleted when you browse away from the suspect site, preventing the site from re-identifying you on future visits.

The Unlinkable Bouncing feature is now enabled in Brave Nightly, and will be in Brave’s full release on version 1.37.

A possible weak point in the Unlinkable Bouncing feature is that it relies on consulting filter lists, but you can think of it as an extra layer on top of the existing features designed to stop bounce tracking, like the query parameter stripping, debouncing, and bounce-tracking interstitial features.

Stay safe, everyone!


Extortion scheme impersonates government officials, law enforcement

The FBI issued a public warning this week about a fraud scheme wherein scammers impersonate government officials and law enforcement personnel. According to the PSA, the scammers spoof legitimate numbers and names and use fake credentials of well-known members of the government and law enforcement agencies.

The scam starts off either as a call from the “police” or a text message from a “government agency”. The content of the calls and text messages vary, but they are all bogus.

In the case of phone calls, victims are either informed that their identities have been used in a crime, such as drug dealing or money laundering, or told they missed jury duty. The victim is then pressed to verify their identity using their social security number (SSN) or date of birth (DOB). If the victim resists, they are threatened with fines, arrest and imprisonment.

The text messages don’t involve accusations but instead ask victims for information related to either passport, driver’s license, or medical license renewals. The scammers threaten the revocation of licenses or registration if the victims refuse to renew or hand over the information.

Other tactics include extorting money from romance scam victims to “clear their name for participating in a crime” or as a means to aid law enforcement in capturing their romance scammer. The scammers also impersonate law enforcement and say they are collecting taxes and fees from lottery scam victims. Lastly, the scammers call victims to tell them they are due to receive a government grant, but say they need to pay some money before they can claim it.

Victims are offered a variety of means of payment, including prepaid cards, wire transfers, and cash sent by mail or cryptocurrency ATMs.

The FBI says legitimate law enforcement personnel and government officials would never request payment via the above means. It also reminds people never to give out personal information over the phone without verifying that the caller is who they say they are.

The warning included some red flags to pick up on: “Scammers will use an urgent and aggressive tone, refusing to speak to or leave a message with anyone other than their targeted victim; and will urge victims not to tell anyone else, including family, friends, or financial institutions, about what is occurring.”


Twitter makes the leap to Tor

Tor is getting another visibility boost for people who may not otherwise come into contact with it. The reason: an attempt to navigate increasing amounts of censorship.

What is Tor?

The Tor network is something designed to keep communications anonymous. A variety of tools exist to make use of it, including messaging, web browsers, and other clients. Most people new to this realm would likely have their first experience via the standalone Tor browser. This works like any other browser download, with a lot of the same functionality. The big difference is that when you load it up, it connects to the Tor network. From the Tor browser manual:

Tor is a network of virtual tunnels that allows you to improve your privacy and security on the Internet. Tor works by sending your traffic through three random servers (also known as relays) in the Tor network. The last relay in the circuit (the “exit relay”) then sends the traffic out onto the public Internet.

Additional security tools and precautions abound in the browser to reduce the risk of fingerprinting, unwanted tracking, and more. The default search engine is DuckDuckGo. All data vanishes when the browser is closed (think Incognito mode), and three levels of security increasingly strip out page aspects such as JavaScript and media which could present problems.

That’s not all. Many sites have a .onion version available to make it even harder to perform surveillance on the user. When an onion version of a page you’re on exists, an “Onion available” notification is displayed next to the URL bar. That is highly relevant in this instance.

Peeling the onion

Onion pages are considered to have more advantages than regular sites where anonymity and privacy are concerned. Going back to the Tor manual:

  • Onion services’ location and IP address are hidden, making it difficult for adversaries to censor them or identify their operators.
  • All traffic between Tor users and onion services is end-to-end encrypted, so you do not need to worry about connecting over HTTPS.
  • The address of an onion service is automatically generated, so the operators do not need to purchase a domain name; the .onion URL also helps Tor ensure that it is connecting to the right location and that the connection is not being tampered with.

The second bullet is particularly useful for those perhaps increasingly rare occasions of dealing with a non-HTTPS site. They do still exist! The third bullet is handy for service operators, and the first is good for everybody involved.

Why is the potentially obscure world of onion addresses (to regular web users at least) getting an airing in the media?

Social media makes the leap (again)

Twitter has launched an onion version of its service, available immediately. It now joins Facebook, who went live with its own onion service in 2014. While some may flag this as a response to events in Ukraine, it seems this has been in the works for some time. Indeed, one of the people behind it says they’ve been toying with the idea for several years.

Elsewhere, major news services have had onion pages for a few years now:

They’re also actively promoting relevant language specific pages:

So, then, it really depends what you’re looking for via Tor. If your personal circumstances currently require access to blocked services to communicate with friends and family, or you simply need a variety of news sources in a hurry, then you may well want to consider downloading the Tor browser, because there’s a good chance what you need is already available.

Just keep in mind that, as with all things, risks do exist, and factor in additional security precautions as appropriate. Navigating directly to the Onion pages from official links likely presents minimal risk, but forewarned is most definitely forearmed.


Azure AutoWarp brings automation headaches

Azure is Microsoft’s cloud computing service providing a wide range of features for businesses worldwide. It’s particularly popular for its virtual machines and IaaS (infrastructure as a service). One useful Azure feature is Automation, which has been around for some years now. Management tasks can be automated across multiple external systems. This is where the latest vulnerability tale begins.

Researchers at Orca Security have discovered an issue with Azure which they’ve called “AutoWarp”. The issue allowed an attacker running their own automation job to grab the authentication tokens belonging to other customers’ jobs, giving them unauthorised access to those customers’ accounts. As per the research itself, AutoWarp could mean “…full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer”.

How could this issue be used in an attack?

Automation jobs run inside sandboxes, and the flaw let a job interact with the server that manages sandboxes belonging to other customers. The tokens it could retrieve were managed identity tokens, the credentials that prove to Azure that the caller holds the identity’s permissions, and they were the ones issued to other customers’ automation jobs.

Here’s a description of what went down from the Microsoft Security Response Center:

An Azure automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token’s access is defined in the Automation Account’s Managed Identity. Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.

A timeline of token disaster…almost

This flaw was reported to Microsoft on December 6, 2021, and it was fixed by December 10. The researchers then went hunting for other, similar weaknesses in the service. The good news is, they don’t appear to have found any. Not only that, but there also seems to be no evidence of this having been exploited in the wild.

As the Orca blog points out, you may well have been vulnerable to this problem before Microsoft fixed it if you used the Automation service with a managed identity enabled, which was the default. Even so: no examples of exploitation in the wild. That’s as good an end result as we can possibly hope for, given how many organisations may have been running with default configurations.
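The practical lesson of AutoWarp is that a stolen managed identity token is only as dangerous as the roles assigned to that identity. The following audit script is an added example, not code from the Malwarebytes post, Microsoft or Orca Security: it takes the automation accounts and role assignments a tenant exposes (the record shapes follow what Azure Resource Graph returns for `resources | where type =~ 'microsoft.automation/automationaccounts' | project name, identity` and what `az role assignment list --all` returns) and flags every account whose managed identity holds a privileged role at subscription scope or wider. All names, GUIDs and the privileged-role list below are constructed assumptions.

```python
"""Audit Azure Automation Account managed identities for over-broad role assignments.

Added example; not code from the Malwarebytes post, Microsoft or Orca Security.
Every record in the sample data is constructed (assumption), not a real tenant.
"""
from dataclasses import dataclass

# Built-in roles treated as privileged here. Assumption: your own list may differ.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Scope levels at which a privileged role turns one job's token into a tenant-wide risk.
BROAD_SCOPES = {"management-group", "subscription"}


@dataclass(frozen=True)
class Finding:
    account: str
    principal_id: str
    role: str
    scope: str
    level: str


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how much of the estate it covers."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) >= 2 and parts[0] == "providers" and parts[1].lower() == "microsoft.management":
        return "management-group"
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resource-group"
    return "resource"


def managed_identity_principals(account: dict) -> list:
    """Return the principal IDs of every managed identity attached to an account.

    identity.type is one of None, SystemAssigned, UserAssigned or
    'SystemAssigned, UserAssigned'; user-assigned identities are a dict keyed by
    their own resource ID, each carrying a principalId.
    """
    identity = account.get("identity") or {}
    itype = identity.get("type") or "None"
    principals = []
    if "SystemAssigned" in itype and identity.get("principalId"):
        principals.append(identity["principalId"])
    for ua in (identity.get("userAssignedIdentities") or {}).values():
        if ua.get("principalId"):
            principals.append(ua["principalId"])
    return principals


def audit(accounts: list, assignments: list) -> list:
    """Flag accounts whose managed identity holds a privileged role at broad scope:
    that is the blast radius a token stolen from one of its jobs would have had."""
    by_principal = {}
    for ra in assignments:
        by_principal.setdefault(ra["principalId"], []).append(ra)

    findings = []
    for acct in accounts:
        for pid in managed_identity_principals(acct):
            for ra in by_principal.get(pid, []):
                level = scope_level(ra["scope"])
                if ra["roleDefinitionName"] in PRIVILEGED_ROLES and level in BROAD_SCOPES:
                    findings.append(Finding(acct["name"], pid, ra["roleDefinitionName"], ra["scope"], level))
    return findings


# --- constructed sample data (assumption: fictitious names and IDs) ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_ACCOUNTS = [
    {"name": "aa-patching", "identity": {"type": "SystemAssigned", "principalId": "p-1111"}},
    {"name": "aa-reporting", "identity": {"type": "SystemAssigned", "principalId": "p-2222"}},
    {"name": "aa-legacy", "identity": {"type": "None"}},
    {"name": "aa-shared", "identity": {"type": "UserAssigned", "userAssignedIdentities": {
        SUB + "/resourceGroups/rg-id/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uami-ops":
            {"principalId": "p-3333", "clientId": "c-3333"}}}},
]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "p-1111", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "p-2222", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": "p-2222", "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-reports"},
    {"principalId": "p-3333", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
]


def run_sample() -> list:
    return audit(SAMPLE_ACCOUNTS, SAMPLE_ASSIGNMENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.account}: {f.role} at {f.level} scope ({f.scope}) via {f.principal_id}")
```

On the sample data only aa-patching (Contributor on the whole subscription) and aa-shared (Owner on a management group) are reported; aa-reporting, whose identity is Reader at subscription scope and Contributor on a single resource group, is what a least-privilege automation account should look like.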

Why Azure is an appealing target for attackers

Anything cloud-based is always going to be a hot target for people up to no good. Depending on the setup, attackers may be able to impact multiple people and companies all in one go. Exfiltration, ransomware, and blackmail all go well alongside vulnerable cloud services. This is why flaws like the above are taken so seriously.

Whether we’re talking about OMIGOD exposing virtual machines, the Mirai botnet, brute-forcing, or four-year-long source code leak bugs, the cloud space has been affected by many issues. Organisations place a lot of trust in cloud services, and they expect secure platforms and data that’s kept safe from prying eyes and sticky fingers.

You can’t guarantee something is 100% foolproof. Even so, the above is a great example of getting an issue resolved in a very short timeframe. We can only hope to see more of this the next time a cloud-based service runs into trouble.

The post Azure AutoWarp brings automation headaches appeared first on Malwarebytes Labs.

RagnarLocker ransomware gang breached 52 critical infrastructure organizations

In a FLASH publication issued by the FBI in coordination with DHS/CISA, the FBI says it has identified at least 52 organizations across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including organizations in the critical manufacturing, energy, financial services, government, and information technology sectors.

Threat profile

RagnarLocker can be recognized by the extension appended to encrypted files, “.RGNR_<ID>” or “.ragnar_<ID>”, where <ID> is a hash of the computer’s NETBIOS name.

The ransom note is called “.RGNR_[extension].txt” and states that the files and data have been encrypted by RAGNAR_LOCKER.


Exfiltrated data of victims that refuse to pay is published on the gang’s “Wall of Shame” leak site.


RagnarLocker iterates through all running services and terminates those commonly used by Managed Service Providers (MSPs) to remotely administer networks, cutting off the tooling a provider would use to respond. The malware then attempts to silently delete all Volume Shadow Copies, preventing recovery of encrypted files from local snapshots.
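The artefacts described above (the appended extension, the note, the service kills and the shadow-copy deletion) are what a detection engineer would key on. The script below is an added example, not code from the Malwarebytes post or the FBI FLASH. The file-name patterns follow the article’s description; the shadow-copy commands (vssadmin and wmic) and the remote-management service names are assumptions about what “silently deleting Volume Shadow Copies” and “services commonly used by MSPs” look like in host telemetry, and the pipe-separated log format and every sample line are constructed.

```python
"""Spot RagnarLocker-style artefacts in host telemetry.

Added example; not code from the Malwarebytes post or the FBI FLASH. The log
format and all of SAMPLE_LOG are constructed (assumption). The shadow-copy
commands and service-name keywords are assumptions, not taken from the article.
"""
import re
from dataclasses import dataclass

# Extension appended to encrypted files; <ID> is a hash, assumed alphanumeric.
ENCRYPTED_FILE_RE = re.compile(r"\.(?:RGNR|ragnar)_[0-9A-Za-z]+$")
# Ransom note dropped alongside the encrypted files (leading dot optional).
RANSOM_NOTE_RE = re.compile(r"^\.?RGNR_[0-9A-Za-z]+\.txt$", re.IGNORECASE)
# The two usual ways ransomware wipes shadow copies (assumption).
SHADOW_DELETE_RE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)
# Substrings of remote-management service names an MSP would run (illustrative list).
MSP_SERVICE_KEYWORDS = ("screenconnect", "connectwise", "kaseya", "teamviewer", "splashtop", "logmein")


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    evidence: str


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def detect(lines) -> list:
    """Run the rules over 'ts|host|event|detail' records and return every hit."""
    findings = []
    for raw in lines:
        parts = raw.strip().split("|", 3)
        if len(parts) != 4:
            continue  # blank or malformed record
        ts, host, event, detail = parts
        if event == "process_create" and SHADOW_DELETE_RE.search(detail):
            findings.append(Finding(ts, host, "shadow_copy_deletion", detail))
        elif event == "service_stop" and any(k in detail.lower() for k in MSP_SERVICE_KEYWORDS):
            findings.append(Finding(ts, host, "msp_service_stopped", detail))
        elif event in ("file_rename", "file_create"):
            name = basename(detail)
            if ENCRYPTED_FILE_RE.search(name):
                findings.append(Finding(ts, host, "ragnar_extension", detail))
            elif RANSOM_NOTE_RE.match(name):
                findings.append(Finding(ts, host, "ragnar_ransom_note", detail))
    return findings


def verdict(rules: set) -> str:
    """Collapse the rules that fired on one host into a triage label."""
    if rules & {"ragnar_extension", "ragnar_ransom_note"}:
        return "ragnarlocker-artefacts"
    if len(rules) >= 2:
        return "ransomware-precursors"
    return "low" if rules else "clean"


def triage(lines) -> dict:
    """Per-host verdicts for a batch of records."""
    per_host = {}
    for f in detect(lines):
        per_host.setdefault(f.host, set()).add(f.rule)
    return {host: verdict(rules) for host, rules in per_host.items()}


# Constructed sample telemetry: one file server under attack, one benign workstation.
SAMPLE_LOG = """\
2022-03-08T02:14:03Z|FILESRV01|process_create|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2022-03-08T02:14:04Z|FILESRV01|process_create|wmic.exe shadowcopy delete
2022-03-08T02:14:05Z|FILESRV01|service_stop|ScreenConnect Client (7a1b2c)
2022-03-08T02:14:05Z|FILESRV01|service_stop|Spooler
2022-03-08T02:14:09Z|FILESRV01|file_rename|D:\\Shares\\Finance\\q4.xlsx.RGNR_A1B2C3D4
2022-03-08T02:14:09Z|FILESRV01|file_create|D:\\Shares\\Finance\\RGNR_A1B2C3D4.txt
2022-03-08T02:20:41Z|WKS-17|process_create|C:\\Windows\\System32\\vssadmin.exe list shadows
2022-03-08T02:21:00Z|WKS-17|process_create|notepad.exe C:\\Users\\a\\notes.txt
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.host} {f.rule}: {f.evidence}")
    print(triage(SAMPLE_LOG.splitlines()))
```

The precursor rules (shadow-copy deletion plus remote-management services being stopped) fire minutes before any file is renamed, which is the window in which isolating the host still saves data; the extension and note rules confirm which family you are dealing with after the fact. Note that `vssadmin list shadows` on the workstation is deliberately not flagged: listing snapshots is routine administration.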

Don’t call the cops

In the past, RagnarLocker has warned victims explicitly against contacting the FBI, or other law enforcement agencies for that matter. In September 2021, the ransomware operators threatened to publish all the data of victimized organizations that seek help from law enforcement or investigators following ransomware attacks.

But, in the wake of recent high-profile cyber and ransomware attacks, Congress and the Biden administration have joined forces to drive policy changes that would require organizations to report certain cyber incidents to the federal government. Importantly, the legislation would give organizations 72 hours to report a cyber incident. Ransomware attacks by an entity believed to operate out of the CIS would certainly qualify as such.

The FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks.

The FBI says it would like the following information:

Short-term items:

  • Copy of the ransom note (screen shot/picture/text file)
  • Any discovered malicious IPs with time stamps/time zones (unusual RDP connections/unusual VPN connections/beacons to malicious IPs)
  • Virtual currency addresses/amount of demand
  • Any malicious files (executables/binaries)
  • Summary of timeline of events (dates of initial observation/malicious activity)
  • Evidence of data exfiltration

Long-term items:

  • Brief summary of where the IOCs came from
  • Incident response report
  • Copy of any communications with malicious actors
  • Forensic images and memory captures
  • Host and network logs
  • Any available decryptor
  • Scope of impact (amount of loss)

CIS

As mentioned in our blog post Ransomware’s Russia problem, RagnarLocker is believed to be of Russian origin and tries to avoid infecting victims in the Commonwealth of Independent States (CIS). To do so, RagnarLocker calls the Windows API GetLocaleInfoW to identify the locale of the infected machine. If the locale is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian,” the process terminates.

IOCs

The PDF that carries FLASH Number CU-000163-MW lists the current IOCs, including IP addresses, Bitcoin addresses, and email addresses.

Mitigation

To stay out of the claws of the RagnarLocker group, the usual mitigation techniques for ransomware apply. The FBI lists:

  • Use multi-factor authentication with strong passwords, including for remote access services.
  • Keep computers, devices, and applications patched and up-to-date.
  • Monitor cyberthreat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.

The FBI recommends backup strategies to speed up recovery from a ransomware attack:

  • Back up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your backups and ensure data is not accessible for modification or deletion from the system where the data resides.

Stay safe, everyone!

The post RagnarLocker ransomware gang breached 52 critical infrastructure organizations appeared first on Malwarebytes Labs.

FormBook spam campaign targets citizens of Ukraine

Our Threat Intelligence team has been closely monitoring cyber threats related to the war in Ukraine. Today, we discovered a malicious spam campaign dropping the Formbook stealer specifically targeting Ukrainians.

Formbook is part of a long-running malspam operation that we observe on a regular basis. This time, the email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.


The email can be translated as:

Dear citizens, we inform you that you are not alone in this difficult time, we in the authorities are doing everything possible to protect our citizens.

All citizens receive support from the Federal Government in the amount of 15,000, we want to say that you must protect each other, this is a difficult time for everyone, together with God we will fight this difficult time.

Your letter of approval is added

Sincerely.

Upon opening the file called лист підтримки.xlsx (support letter.xlsx), an exploit for CVE-2017-11882, a memory corruption flaw in the Microsoft Office Equation Editor that Microsoft patched in November 2017, attempts to compromise the machine and download the Formbook payload from a remote server. An Office installation that is current on updates is not affected by this stage of the attack.

This is not the first — and certainly won’t be the last — time we see threat actors taking advantage of crises. As heartless as it looks, we realize that malware and criminal operations are always ongoing.

Malwarebytes customers were protected from this attack thanks to our Anti-Exploit protection layer.

Indicators of Compromise

Email subject

лист схвалення касового забезпечення – міністр

Formbook maldoc

лист підтримки.xlsx
7d39e6ca46c053c1ad744de1ca8867217596bb17bb673785eb8827b00c5ae05b

Formbook URL

103.167.92[.]57/xx_cloudprotect/vbc.exe

Formbook payload

b5f79bb30d60794b7edbf486fa96a11c1ac3ba34592a496379020e8379f281be
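Indicators published in the defanged form above (`[.]` in place of `.`, often `hxxp` for `http`) have to be normalised before they can be compared with what proxies and endpoint agents actually log. The script below is an added example, not code from the Malwarebytes post: it refangs the URL IOC and matches it and the two SHA-256 hashes against telemetry. The proxy and file-event log formats, and every log line, are constructed for illustration; only the hashes and the URL come from the article.

```python
"""Hunt for the FormBook campaign's IOCs in proxy and file-hash telemetry.

Added example; not code from the Malwarebytes post. The two SHA-256 hashes and
the defanged URL are the IOCs the article lists; the log formats and every log
line below are constructed (assumption).
"""
import re
from urllib.parse import urlsplit

IOC_URLS = ["103.167.92[.]57/xx_cloudprotect/vbc.exe"]
IOC_SHA256 = {
    "7d39e6ca46c053c1ad744de1ca8867217596bb17bb673785eb8827b00c5ae05b": "maldoc (лист підтримки.xlsx)",
    "b5f79bb30d60794b7edbf486fa96a11c1ac3ba34592a496379020e8379f281be": "Formbook payload (vbc.exe)",
}


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so an indicator can be compared."""
    s = ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)(?=://)", r"http\1", s, flags=re.IGNORECASE)


def split_url(url: str) -> tuple:
    """Return (host, path) for a URL, tolerating a missing scheme and mixed case."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname or "", parts.path or "/"


def build_index(iocs) -> dict:
    """Map each IOC host to the set of IOC paths seen on it."""
    index = {}
    for ioc in iocs:
        host, path = split_url(refang(ioc))
        index.setdefault(host, set()).add(path)
    return index


def hunt_proxy(lines, index) -> list:
    """Match proxy records 'ts client method url status' against the URL IOCs.

    An exact URL match is a 'url' hit; any other request to an IOC host is a
    lower-confidence 'host' hit, since a payload server rarely serves one path.
    """
    hits = []
    for raw in lines:
        fields = raw.split()
        if len(fields) != 5:
            continue
        ts, client, method, url, status = fields
        host, path = split_url(url)
        if host in index:
            kind = "url" if path in index[host] else "host"
            hits.append({"ts": ts, "client": client, "url": url, "match": kind})
    return hits


def hunt_hashes(lines) -> list:
    """Match file events 'ts host sha256 path' against the hash IOCs, case-insensitively."""
    hits = []
    for raw in lines:
        fields = raw.split(maxsplit=3)
        if len(fields) != 4:
            continue
        ts, host, digest, path = fields
        label = IOC_SHA256.get(digest.lower())
        if label:
            hits.append({"ts": ts, "host": host, "path": path, "ioc": label})
    return hits


# Constructed sample telemetry (assumption): one exact download, one sibling path, one benign.
SAMPLE_PROXY = """\
2022-03-08T09:01:12Z 10.0.5.23 GET http://103.167.92.57/xx_cloudprotect/vbc.exe 200
2022-03-08T09:01:40Z 10.0.5.24 GET http://103.167.92.57/xx_cloudprotect/other.exe 404
2022-03-08T09:02:03Z 10.0.5.25 GET https://www.example.com/index.html 200
"""
SAMPLE_FILES = """\
2022-03-08T08:59:50Z WKS-17 7D39E6CA46C053C1AD744DE1CA8867217596BB17BB673785EB8827B00C5AE05B C:\\Users\\a\\Downloads\\лист підтримки.xlsx
2022-03-08T09:01:13Z WKS-17 b5f79bb30d60794b7edbf486fa96a11c1ac3ba34592a496379020e8379f281be C:\\Users\\a\\AppData\\Local\\Temp\\vbc.exe
2022-03-08T09:05:00Z WKS-18 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 C:\\Users\\b\\empty.txt
"""


def run_sample() -> tuple:
    return (hunt_proxy(SAMPLE_PROXY.splitlines(), build_index(IOC_URLS)),
            hunt_hashes(SAMPLE_FILES.splitlines()))


if __name__ == "__main__":
    proxy_hits, file_hits = run_sample()
    for h in proxy_hits:
        print(f"proxy {h['match']:4} {h['ts']} {h['client']} {h['url']}")
    for h in file_hits:
        print(f"file  {h['ts']} {h['host']} {h['ioc']}: {h['path']}")
```

Hashes are compared after lowercasing because EDR products disagree on case, and the path is kept intact even when it contains spaces (as the Ukrainian file name does) by limiting the split. A host-only hit on 103.167.92.57 is still worth a look: the same server that hosted vbc.exe may serve other stages under different names.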

The post FormBook spam campaign targets citizens of Ukraine appeared first on Malwarebytes Labs.