A week in security (Dec 13 – 19)

When a deepfake “empire” continues to grow

I’ve been quite vocal on the impact of deepfakes, in terms of where the most harm takes place. Back in 2019, we looked at malign interference campaigns. I took the line that, other than revenge porn, this was where deepfakes were likely to have the most influence. Although people keep talking about major election interference, nothing of significance ever happens. Indeed, election fakes tend to be pretty bad.

Meanwhile, in smaller scale but significantly more personal cases, horrible fakes of teenagers were the order of the day. When you make fakery easily available to all on DIY mobile apps, the results are inevitable: People are going to be awful to one another. Deepfake shenanigans are primarily all about mass producing harmful fake porn of individuals without consent.

On that subject specifically, there’s news of yet another site offering easy DIY deepfake porn.

The beginnings of a Deepfake empire?

The unnamed site in question uses AI to generate nude images of women. Sites in the past along these lines have tended to operate in isolation. This time, the site is using “partner agreements” and referral systems to generate look-alike services. If one site goes down, others are ready and waiting to take its place.

Researchers claim the images are “hyper realistic” and are able to generate nude / pornographic imagery even if the photo submitted contains fully clothed individuals. Site operators say they’re building a decentralised model to help ward off the threat of takedowns while raking in the cash. Wired reports up to 50 million visits between January and October of 2021. One day alone apparently saw hundreds of thousands of image uploads run through the fakery tool. These are big numbers, with big money implications.

Reactive measures

When action started to be taken against the main site with payment accounts suspended and hosting removed, numbers fell, which seems to have kickstarted the partner program drive. Wired states that a spin-off site operator claims to be paying about $500 to the main site in return for being able to generate up to 10,000 naked edits.

With the traffic numbers these sites are doing, many would view $500 as a small outlay to generate so many fakes. The spin-off sites funnel image creators down the payment route after allowing visitors to generate some free images initially. It’s a guaranteed money spinner, and fake DIY sites aren’t exactly difficult to find online. As many sites and creators go off and promote their content on social media, it’s becoming increasingly easier to find dubious services along these lines and make use of them.

Where does the deepfake harm lie?

The majority of non-consensual deepfake imagery targets women, and always has done. For every vaguely humorous fake of Tom Cruise being Tom Cruise, there are significantly more women placed into content they want no part of. Laws continue to struggle with the problem. With anonymous creators generating thousands of images on the fly in other jurisdictions, it’s an uphill struggle to take the reins on the situation.

The genie’s bottle: broken

Deepfakes appear to be seeping into most aspects of technological life. Witness someone resurrect their father, then be utterly mortified by what they’ve done. You’ve got those who continue to talk about the risk it poses to business. Elsewhere, the tattered remnants of “deepfakes could derail the US elections” continue to burn out quietly in the corner.

For most everyone else, though, the only real probable harm is from what pretty much kicked things into the mainstream arena in the first place: Pornographic images created without permission. I’m willing to bet that’s going to be the biggest issue for a long time to come.

The post When a deepfake “empire” continues to grow appeared first on Malwarebytes Labs.

Everything you always wanted to know about NFTs (but were too afraid to ask): Lock and Code S02E24

In August, the NFT for a cartoon rock sold for $1.3 million, and ever since then, much of the world has been asking: What the heck is going on?

NFTs, or non-fungible tokens, have skyrocketed in popularity this year, with the NFTs for several artworks selling for more than $2 million each; the most expensive sale being that of the NFT for the piece “Everydays: The First 5,000 Days,” which sold for $69 million. Many celebrities, including Jay-Z, Steph Curry, Elijah Wood, Reese Witherspoon, and Lindsay Lohan have either purchased, sold, or expressed interest in NFTs, as well.

But just what exactly is an NFT, and when people buy an NFT associated with a piece of art, do they also buy that artwork itself?

Not exactly, as we explain in today’s episode of Lock and Code, with host David Ruiz. An NFT is not the artwork itself, but rather a way to prove that the artwork in question is owned by the NFT’s purchaser. Think of it as a car title—it’s a way to prove that something you say is yours is actually yours. But with a car title, it’s hard to imagine someone purchasing just the slip of paper and not also wanting access to the car. After all, what good is ownership of a thing if you can’t do anything with it?

To answer this and many, many other questions about NFTs, we spoke to three experts on three separate NFT topics: The basics of NFTs and the cryptocurrency-related technology behind them, the implied value of NFTs and why people are paying so much money for them, and the future of NFTs both within the art world and beyond it.

As to why NFTs are demanding such high prices for such basic art? According to our guest Lucas Matney, a writer for TechCrunch who covers NFTs, it’s that owning a small digital image isn’t just about being able to display it on, say, a Twitter profile. Instead, it’s also about being part of something potentially bigger.

“The idea of ownership is more about it being an investment in something that is, you know, provably yours, you know, that’s how NFTs work, but it’s more about it being kind of a share of a larger product.”

Lucas Matney, TechCrunch

As to whether or not NFTs are a safe or smart investment vehicle? Well, you’ll have to listen to our full episode to learn more.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Everything you always wanted to know about NFTs (but were too afraid to ask): Lock and Code S02E24 appeared first on Malwarebytes Labs.

Grindr fined for selling user data to advertisers

Dating network Grindr has been slapped with a US$7.7 million fine by Norwegian regulator Datatilsynet for sharing data with advertisers.

Grindr—which calls itself the world’s largest social networking app for gay, bi, trans, and queer people—sold data which includes GPS, IP address, age, and gender.

No consent, no app

The Norwegian Data Protection Authority (Datatilsynet) ruled that the way in which Grindr collected user consent did not meet the requirements stipulated in the EU GDPR. As such, the disclosure of personal data was in breach of the Privacy Ordinance.

Users had to accept the privacy statement in its entirety to use the app, and they were not specifically asked if they would consent to disclosure to third parties for marketing purposes. In addition, information about the disclosure of personal information was not clear or accessible enough to users.

The fine covers the period from July 2018, when the “Law on the Processing of Personal Data (Personal Data Act)” was established, until April 2020, when Grindr changed the consent solution. Whether Grindr’s current consent solution meets with the legal demands has not been established yet.

Shared data

Grindr disclosed information about a user’s GPS location, IP address, mobile phone advertising ID, age and gender to several third parties for marketing purposes. With this information, users could be identified, and third parties could potentially share this data further.

According to GDPR, the personal data that companies must protect includes any information that can “directly or indirectly” identify a person—or subject—to whom the data belongs or describes. Included are names, identification numbers, location data, online identifiers like screen names or account names, and even characteristics that describe the “physical, physiological, genetic, mental, commercial, cultural, or social identity of a person.”

The authority emphasized that the information that a person is a Grindr user establishes a special category of personal information, because it strongly indicates that they belong to a sexual minority. Information about someone’s sexual orientation has a special protection in the Privacy Ordinance. And since the consent Grindr collected was invalid, Grindr was not legally entitled to share such information.

It is customary in dating apps to be very careful about the information you share. Many users choose not to enter their full name or upload photos of their face so that they can be discreet. Nevertheless, identifiable information about them and their use of Grindr was passed on to an unknown number of companies for marketing purposes.

High fine

Datatilsynet initially fined Grindr around US$12.2 million following an initial ruling in January 2021, but later revised this amount down to 7.7 million, after reviewing Grindr’s turnover figures. Nevertheless, this is the highest fine to date from the Norwegian Data Protection Authority.

Despite reconsidering the amount, Norway considers the offence by Grindr to be “grave” – most likely because the data collected, including gender, falls under the GDPR rules. According to Datatilsynet:

“Because thousands of users in Norway have had their personal information illegally disclosed for Grindr’s commercial interests, including location data and that they are Grindr users. Business models based on behavior-based marketing are common in the digital economy, and it is important that the infringement fee for offenses acts as a deterrent and contributes to compliance with the privacy regulations.”

Grindr has not responded to the fine and now has three weeks to appeal the verdict. The app has previously confirmed that the fined offenses were committed before April 2020, when its terms of use were updated.

Previous concerns

It is not the first time Grindr has raised privacy concerns. Earlier action against the app was sparked by an NPR news report exposing Grindr’s practice of sharing the most personal and sensitive information of its users with third-party analytics firms, without their informed consent. That data included personally identifiable and sensitive user information such as HIV status, email address, telephone number, precise geolocation, sexuality, relationship status, ethnicity and “last HIV tested date.”

The post Grindr fined for selling user data to advertisers appeared first on Malwarebytes Labs.

After Log4j, December’s Patch Tuesday has snuck up on us

For anyone about to sit back after checking their environment for the Log4j vulnerabilities and applying patches where needed, here are some more things that need patching.

Microsoft

In 2021’s final Patch Tuesday, Microsoft included a total of 67 fixes for security vulnerabilities. The total set of updates includes patches for six publicly known bugs and seven critical security vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution vulnerability. Due to a flaw in the password reset request process, an attacker can reset someone else’s password. The attack may be launched remotely. No form of authentication is required for exploitation.

CVE-2021-43905 Microsoft Office app Remote Code Execution vulnerability. This vulnerability was rated 9.6 out of 10 on the CVSS vulnerability-severity scale, and Microsoft thinks it is likely to be exploited.

CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution vulnerability. This vulnerability was rated 9.8 out of 10 on the CVSS vulnerability-severity scale, even though Microsoft says it’s not likely to be exploited. You will need to install the Microsoft Wireless Display Adapter app from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Once installed, use the Update & security section of the app to download and install the latest firmware.

CVE-2021-43890 Windows AppX Installer Spoofing vulnerability. This vulnerability allows an attacker to create a malicious package file and then modify it to look like a legitimate application. We reported on this vulnerability being used in the wild by Emotet (among others).

CVE-2021-43883 Windows Installer Elevation of Privilege vulnerability. This patch fixes a bypass of the Windows Installer patch that was first issued in November. By exploiting this vulnerability, threat actors who already have limited access to compromised systems can elevate their privileges and use them to move laterally within a target network.

CVE-2021-43215 iSNS Server Memory Corruption vulnerability can lead to remote code execution (RCE). An attacker could send a specially crafted request to the Internet Storage Name Service (iSNS) server, which could result in an RCE. The Internet Storage Name Service (iSNS) protocol is used for interaction between iSNS servers and iSNS clients.

CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution vulnerability. An attacker could cause a buffer overflow write leading to unauthenticated non-sandboxed code execution. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how EFS makes connections from client to server. When the second phase of Windows updates become available in Q1 2022, customers will be notified via a revision to the security vulnerability.

CVE-2021-41333 Windows Print Spooler Elevation of Privilege vulnerability. Exploit code for this vulnerability is available and works in most situations where the vulnerability exists, which makes it a priority to fix, even if we haven’t seen any attacks using it in the wild.

Apple

Apple has also published security updates. The update includes fixes for the remote jail-breaks that were demonstrated at the TianfuCup in October.

Apple has issued security updates for WebKit in Safari 15.2 and for a total of 42 vulnerabilities in iOS 15.2 and iPadOS 15.2. Included in the patches were several security vulnerabilities that allowed anyone with physical access to a device to view contacts on a locked device, and to view stored passwords without authentication.

Others

Other vendors that issued updates to keep an eye on were:

  • Google (Chrome)
  • Adobe
  • SAP
  • Apache, Cisco, VMware, UniFi, and probably others as well, issued Log4j related patches.

Stay safe, everyone!

The post After Log4j, December’s Patch Tuesday has snuck up on us appeared first on Malwarebytes Labs.

What SMBs can do to protect against Log4Shell attacks

As you may already know, the business, tech, and cybersecurity industries have been buzzing about Log4Shell (CVE-2021-44228), aka Logjam, the latest software flaw, found in earlier versions of the Apache Log4j logging utility. As the name suggests, a logger is a piece of software that records every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check for abnormal behavior within a system.

Understandably, this may be the first time you’ve been told explicitly about the Log4j tool, but what many don’t realize is that hundreds of millions of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, rely on it. The software and online services you use in your business may be Java-based, too, thus opening you up for possible exploitation.

Exploiting this flaw allows hackers to worm their way into unpatched systems and take control. It’s seriously bad to have this on any endpoint because of its ultra-wide attack surface and the damage potential that comes with it.


Read everything you need to know about Log4Shell in our blog post,
“Log4j zero-day ‘Log4Shell’ arrives just in time to ruin your weekend.”


Because of all of this, there is a great need for businesses, particularly SMBs, to protect themselves against threats that take advantage of the Log4Shell vulnerability, especially now that Microsoft has started seeing underground groups it dubs “access brokers” exploiting Log4Shell to gain initial access to target company networks in the hope of selling that access to ransomware threat actors.

According to the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Threat Intelligence Team in a blog post: “We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.”

Ransomware is not the only concern here, either. Threat actors can also install cryptominers, malware that turns devices into bots and makes them part of a botnet—which Mirai bot herders have already started doing—and Cobalt Strike, which cybercriminals abuse to perform network surveillance.

How can SMBs protect themselves from Log4j-enabled attacks?

SMBs that use Linux can start by checking whether the version of the platform they are using is affected. TechRepublic published a nifty guide on just how to do that.

SMB Windows users, on the other hand, should expect to be vulnerable, as Microsoft uses Java-based apps in its products. The company has provided lengthy guidance on the matter of Log4j here, which it has regularly updated with observations on criminal activity involving abuse of the Log4Shell flaw. It is essential to return to that blog post regularly for updates.

Once you have determined that your platform is impacted by Log4Shell, you must upgrade to the latest version of Apache Log4j, which is 2.15.0. If you’re using versions between 2.10 and 2.14.1 but can’t update to the newest version yet, RiskIQ advises organizations to set the following JVM parameter to “true” and restart the Java process (note that JVM system property names are case-sensitive, so the property must be spelled exactly as shown):

-Dlog4j2.formatMsgNoLookups=true

“Organizations who are unclear where to include this parameter must check the documentation of the related Java project/product in use for the correct place,” the company further advises. “Alternatively, they may set the LOG4J_FORMAT_MSG_NO_LOOKUPS="true" environment variable to force this change. Kubernetes deployments may use this environment variable approach to set it across Kubernetes clusters, effectively reflecting on all pods and containers automatically.”
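
To turn the advice above into something an administrator can run, here is an added Python example written for this article (it is not RiskIQ’s, Apache’s or Malwarebytes’ tooling). It walks a directory tree for log4j-core jars, reads the version from each file name, looks inside the archive for the JndiLookup.class entry where the lookup feature lives, and sorts each jar into the three outcomes the text describes: already at 2.15.0 or later, in the 2.10 to 2.14.1 range where the formatMsgNoLookups flag applies, or older and in need of an upgrade. It also checks a process’s JVM arguments and environment for either of the two stop-gaps quoted above; because JVM system property names are case-sensitive, a mis-cased flag is deliberately not accepted. The jars it scans are constructed in a temporary directory with placeholder contents so the script runs offline; the version thresholds are the ones stated in the text, and the status labels are this example’s own.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Thresholds as stated in the article: 2.15.0 is the upgrade target, and the
# formatMsgNoLookups flag is the stop-gap for 2.10 through 2.14.1.
FIXED_VERSION = (2, 15, 0)
FLAG_RANGE = ((2, 10, 0), (2, 14, 1))

# The class inside log4j-core that implements JNDI lookups.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(jar_name):
    """Extract (major, minor, patch) from a log4j-core jar file name, or None."""
    m = VERSION_RE.search(jar_name)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess_jar(path):
    """Report one jar: its version, whether JndiLookup.class is inside it, and
    which of the article's actions applies."""
    version = parse_version(Path(path).name)
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    if version is None:
        # Shaded or renamed jars hide the version in the name; the class entry
        # still reveals that log4j-core was bundled in.
        status = "unknown-version" if has_jndi else "not-log4j-core"
    elif version >= FIXED_VERSION:
        status = "patched"
    elif FLAG_RANGE[0] <= version <= FLAG_RANGE[1]:
        status = "vulnerable-flag-applies"
    else:
        status = "vulnerable-upgrade-only"
    return {"path": str(path), "version": version,
            "jndi_lookup_present": has_jndi, "status": status}


def scan(root):
    """Assess every .jar below root, in a stable order."""
    return [assess_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def mitigation_configured(jvm_args, env):
    """True if either stop-gap quoted in the article is in place for a process:
    the -Dlog4j2.formatMsgNoLookups=true JVM flag (exact spelling, since JVM
    system property names are case-sensitive) or the
    LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable set to true."""
    flag = "-Dlog4j2.formatMsgNoLookups=true" in jvm_args
    env_value = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().strip('"').lower()
    return flag or env_value == "true"


def make_sample_jar(path, include_jndi):
    """Constructed sample jar for the demo: a zip with a manifest and, optionally,
    a placeholder entry at the JndiLookup path. It contains no real log4j code."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder, not bytecode")


def demo():
    """Build a constructed application tree in a temp dir, scan it, and return
    the findings keyed by jar file name."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    make_sample_jar(root / "app" / "lib" / "log4j-core-2.14.1.jar", True)
    make_sample_jar(root / "app" / "lib" / "log4j-core-2.15.0.jar", True)
    make_sample_jar(root / "app" / "lib" / "utils-1.0.jar", False)
    make_sample_jar(root / "legacy" / "log4j-core-2.8.jar", True)
    make_sample_jar(root / "vendor" / "shaded-app.jar", True)
    return {Path(r["path"]).name: r for r in scan(root)}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name:28} version={finding['version']} "
              f"jndi={finding['jndi_lookup_present']} status={finding['status']}")
    print("flag ok:", mitigation_configured(["-Dlog4j2.formatMsgNoLookups=true"], {}))
    print("env ok: ", mitigation_configured([], {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}))
```

Point `scan()` at an application’s install directory to get the same report for real jars; a jar reported as `unknown-version` with the class present is the case worth a manual look, since a shaded or repackaged library will not be caught by a version check alone.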

Finally, the Cybersecurity & Infrastructure Security Agency (CISA) encourages users and business administrators to review this Apache Log4j Security Vulnerabilities page and apply the other recommended mitigation steps as soon as possible.

The post What SMBs can do to protect against Log4Shell attacks appeared first on Malwarebytes Labs.

Kronos crippled by ransomware, service may be out for weeks

Human resources platform provider UKG has put out a statement saying it’s fallen prey to ransomware that has disrupted the Kronos Private Cloud. It expects the service to be out for several weeks.

The statement came after the company posted a message on the Kronos community message board, explaining that staff noticed unusual activity impacting UKG solutions using Kronos Private Cloud.

It’s unfortunate timing, given that the outage will likely cause Kronos customers to miss payroll for this week. Of course that’s never welcome, but it’s extra painful now, considering how close Christmas is. Kronos’ work management software is used by dozens of major corporations, local governments, and enterprises.

Kronos Private Cloud

UKG describes Kronos Private Cloud as a secure storage and server facility hosted at third-party data centers. It is used across UKG companies.

Other services impacted by the incident include Healthcare Extensions, UKG TeleStaff, and Banking Scheduling Solutions. The company is not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud.

Under investigation

The company engaged cybersecurity experts to assess and resolve the situation, and has notified the authorities. The investigation remains ongoing, as it works to determine how bad and widespread the incident is. The company would not answer questions about which ransomware group was behind the attack.

UKG has urged customers to evaluate and implement alternative business continuity protocols related to the affected UKG solutions.

Employee data

Given the nature of the company and the fact that there is talk of ransomware, there is fear that private data may have been stolen. Many ransomware families steal confidential information before encrypting the files on the compromised network. They then use this data as extra leverage, threatening to publish it if the victim refuses to pay the ransom.

UKG states that currently, there is no indication of compromise to employee data, but it is part of the ongoing investigation. Other sources have said that UKG contacted them and other clients to tell them that the ransomware attack may have compromised employee information like names, addresses, social security numbers, and employee IDs.

While it is important to know if your personal details or credentials have been leaked, it is significantly more important to act on it. What do you do now, knowing that your account has been compromised?

This all depends on what has been stolen, but let’s assume the worst and say it is your Social Security Number. A malevolent person who has your Social Security Number can use it to get other personal information about you. A few important things to remember:

  • Keep a close eye on your banking and eMoney accounts. Use the activity alerts that some banks offer.
  • Keep tabs on your posts in social media. It may look silly to check what you have supposedly posted yourself, but imagine someone else doing it for you.
  • Don’t pay for identity theft protection services. While this may seem counterintuitive, if the company responsible for keeping your data safe doesn’t pay for these services, it is almost never worth spending your own money on them.

Updates

UKG has promised to post regular updates on its website. If you are a customer, you can reach out to UKG or have a look at its community message boards. If we find out more about this attack, we will keep you posted here.

Stay safe, everyone!

The post Kronos crippled by ransomware, service may be out for weeks appeared first on Malwarebytes Labs.

5 security lessons from 18 months of working from home

A little more than 20 months ago, many people around the world were asked or instructed to work from home to help slow the spread of COVID-19. It caused a seismic change to the way we all do business.

Now, our latest research reveals how IT decision makers’ security concerns have been changed by enduring from home for so long; how they’ve adapted with new tools and training; and how confident they now are in their remote employees’ approach to security.

It also sounds a warning: That while employees care about getting security right, many are also suffering from “fear fatigue”. Adrenaline-fuelled anxiety and adaptation have left them feeling jaded or overwhelmed, making them vulnerable to simple security mistakes.

The story so far

The novel coronavirus outbreak of 2019 was declared a pandemic on 12 March 2020, and by April half the world’s population had been asked or ordered to stay at home. We have since learned that breaking transmission between co-workers—by asking them to work from home—is an effective way to slow the spread of the virus. As such, it has become a mainstay of our collective response to outbreaks and looks set to be a feature of working life for the foreseeable future.

What was once a novelty for many organizations has now become decidedly normal. The initial period of rapid, violent change forced businesses to implement expedient solutions, which created enormous headaches for IT and security teams, and new opportunities for attackers. Since then, the businesses that have survived the slings and arrows of the pandemic have had some time to take stock and look for better ways to work from home.

So, in the summer of 2021 we decided to survey 200 IT decision makers to find out how 18 months of working from home during a pandemic has changed the way organizations think about security, and how they have had to adapt.

This is what we learned:

1. IT has changed

Working from home has changed the devices and applications that employees use to get work done. Most obviously, home work requires communication and collaboration tools where employees can work together. They are the bricks and mortar of the virtual shared spaces that have replaced offices.

Unsurprisingly, more than 70% of our respondents told us their organizations now make greater use of video conferencing platforms like Zoom, use more cloud storage, and rely more heavily on instant messaging solutions, like Slack.

That’s important, because when employees change the way they use their computers, it changes the IT and security functions they rely on.

2. Security concerns have changed

Changes in where and how work is done have altered the risks that organizations care about. Chief among their concerns are how to control company data in the dispersed, cloud-dependent world of remote work.

63% of the IT decision makers we surveyed listed “exposing data or information accidentally” as one of their greatest cybersecurity concerns, while 52% listed the difficulty in off-boarding remote employees to prevent unauthorized future access.

A change in security concerns calls for a change in the way security is practiced, and it’s clear there have been significant changes here too.

3. Security measures have changed

When security concerns change, it’s only right that the way we practice security changes too. 74% of the IT decision makers we spoke to told us they’d responded to changing conditions by implementing new tools to enhance security, while 71% have rolled out new forms of training.

Our research reveals a reported increase in the use of cybersecurity and antivirus tools, password managers, Virtual Private Networks (VPNs), and two-factor authentication (2FA) among businesses working from home.

However, that work appears unfinished. Despite this investment in tools and training, decision makers also told us that finding the right cybersecurity tools and training to support remote work are still among their biggest challenges. In fact the only thing that ranked higher was the challenge of working with limited IT resources.

Those challenges notwithstanding, progress appears to have been made—in some organizations at least.

4. Businesses have adapted

April 2020 and the months that followed were a time of enormous, acute upheaval, and the eighteen months from then until we conducted our research continued to pose significant challenges for businesses. Nevertheless, some appear to have made progress towards a safer form of remote work.

62% of the decision makers we surveyed told us that their employees were either “very” or “acutely” aware of the security best practices they need to follow. And they aren’t simply passive observers: 83% want to do the right thing, and care about their security responsibilities. Overall, 56% of our respondents said their organizations had become slightly or significantly more secure since they began working from home, although it is worth noting that one quarter believe they are still less secure.

Overall, our decision makers appear to believe their employees know and care about security. However, our research also hints that, unmanaged, that caring could itself become a problem.

5. Adaptation has a human cost

Stress is an overused and undervalued word. It is a normal, physiological response to being threatened or feeling pressure, and if it’s sustained over a lengthy period of time it can lead to exhaustion and burnout. After 18 months of the COVID-19 pandemic, almost 80% of our survey respondents reported some level of jadedness or “fear fatigue” in their organization.

This should not be a surprise—the threat of the novel coronavirus, and everything that made up the response to it, provided no end of potential sources of stress. Among them is the need to keep remote employees apprised of the increased cyberthreats they now face, and informed about how to deal with them. Alarmingly, a quarter of our decision makers reported that employees seemed “overwhelmed” by threats and jaded by security procedures.

It is a warning shot: It is good, imperative even, that remote employees care about the security threats they face and know what to do when they meet them. But the pandemic is far from over, and organizations need to tread a fine line between equipping their employees and overwhelming them.

To learn more about how the world of work is adapting to cyberthreats in the age of remote work, and how to deal with the looming threat of fear fatigue, read our report Still Enduring from Home.

The post 5 security lessons from 18 months of working from home appeared first on Malwarebytes Labs.

A week in security (Dec 6 – 12)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (Dec 6 – 12) appeared first on Malwarebytes Labs.

Spear phish, whale phish, regular phish: What’s the difference?

There are many types of phishing attack nowadays, to the extent it can be tricky to keep up with them all. We have unique names for mobile attacks, postal attacks, threats sent via SMS and many more besides. However, we often see folks mix up their spears and their whales, and even occasionally confuse them with regular phish attempts. We’re here to explain exactly what the difference between all three terms is.

What is a phishing attack?

Think of this as the main umbrella term for all phishing attempts. It doesn’t matter if it’s a spear, a whale, a smish or a vish, or anything else for that matter. They’re all able to be grouped under the banner of “phishing”. This is where someone tries to have you log in on an imitation website. This site may emulate your bank, or a utility service, or even some form of parcel delivery.

They get you on the site in the first instance by sending a fake email, or text, or some other missive. The bogus message will emulate the real thing, and may be very convincing in terms of looking like the genuine article. They may also use real aspects of the actual website inside the email.

The phishing page, too, may steal real images or text from the genuine website. It’ll ask you for logins, or payment details, or both. Depending on what the phishers intend to do with stolen accounts, you may find they change your logins too.

What is spear phishing?

Regular phishing attacks are blasted out to random recipients in their hundreds, thousands, or hundreds of thousands. The sky is the limit. The attackers are hoping that if just a few people respond, they’ll be able to make their ill-gotten gains pay off. It’s potentially low risk, high reward.

Spear phishing, by contrast, is when the phisher targets specific people. It could be individuals, or people at a certain business. The intent may be financial, or it could be a nation state attack targeting folks in human rights, or legal services, or some other sensitive occupation.

What is whaling?

Whaling is the gold standard for targeted phish. They’re the biggest and most valuable people or organisations to go after. “Whales” are typically CEOs or other people crucial to the running of a business. They’ll have access to funds or be deeply embedded in payment processes/authorisation.

CEO/CFO fraud, where scammers convince employees that the CEO/CFO needs large sums of money wired overseas, is common. This is also more broadly known as a business email compromise scam.

The only way you’ll likely run into this attack if you’re not a CEO/CFO/similar is if you work in a department tied to money transfers. For example, in payroll, or some other financial aspect of the organisation. You’ll need to keep an eye out for bogus wire transfer requests, and the business should have processes and safeguards in place to combat CEO/CFO fraud attempts.

Further reading

We have a longer guide to avoiding spear phishing here. We also have a more general guide to detecting phishing attacks, which will hopefully help keep you safe from harm no matter what variety of phish you’re facing.

The post Spear phish, whale phish, regular phish: What’s the difference? appeared first on Malwarebytes Labs.