IT NEWS

Multi-factor authentication (MFA) has been around for many years now, but few enterprises have fully embraced it. In fact, according to Microsoft’s inaugural “Cyber Signals” report, only 22 percent of all its Azure Active Directory (AD) enterprise clients have adopted two-factor authentication (2FA), a form of MFA. That leaves 78 percent that only require usernames and passwords to authenticate account users.

A 22 percent adoption rate is meager, especially in the face of the multiple online threats that enterprises face daily. For example, from January to December 2021, Microsoft detected a jaw-dropping 25.6 billion account hijacking attempts using brute-forced stolen passwords. Other cybercrimes that specifically target accounts are spear phishing, social engineering attacks, and password sprays—basic password attack tactics that nation-states carry out against target companies and governments.

There’s low MFA adoption elsewhere, too

Microsoft is not the only company to reveal that internet users have been reluctant to adopt MFA.

In July 2021, Twitter disclosed in its transparency report that only 2.5 percent of its active users have “at least one 2FA method enabled”. Most of those using 2FA have at least SMS authentication (77.7 percent) enabled, and a portion has enabled the option of using an authentication app (30.1 percent). Although that’s an improvement on the previous report, MFA adoption remains low overall.

Google introduced 2FA to Gmail in 2011. Seven years later, in the words of The Register, “virtually no one is using it.” This claim was backed up by Grzegorz Milka, a Google software engineer who presented at the Usenix’s Enigma 2018 security conference. Milka revealed that, at the time of his talk, less than 10 percent of Google accounts used 2FA.

Low MFA adoption is also common for developers. Npm stands for Node Package Manager. It’s a widely used JavaScript package manager and the largest repository of computer programming packages on the Internet. According to ZDNet, only 9.27 percent of npm developers use 2FA to secure their accounts. So, if attackers successfully compromise the accounts of these developers, they could freely plant malicious code into packages primarily used by other software developers worldwide.

MFA adoption struggles are real

Whenever we ask why there’s low MFA adoption, the overall reason is that change is hard and it’s inconvenient.

To encourage users to enable MFA on their accounts, making it easy for them is key. Google and Twitter have already changed their MFA features to make them more straightforward and user-friendly. And while this is a great move, we expect (and encourage) these big organizations to make it mandatory for all users to have MFA enabled.

The risks are just too high for a little bit of inconvenience.

The post Microsoft: Slow MFA adoption presents “dangerous mismatch” in security appeared first on Malwarebytes Labs.

The most critical updates for this “Patch Tuesday” come from Firefox and Adobe. While Microsoft addresses 70 vulnerabilities in its February 2022 Patch Tuesday release, none of them are ranked as critical. Firefox and Adobe however have fixed a few issues that could be qualified as critical.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the ones that jumped out at us.

Firefox

Mozilla fixed a dozen security vulnerabilities in its Firefox browser. The two most important ones are both permissions issues:

• CVE-2022-22753 A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access. This bug only affects Firefox on Windows. Other operating systems are unaffected.
• CVE-2022-22754 If a user installs an extension of a particular type, the extension could have auto-updated itself and, while doing so, bypass the prompt which grants the new version the new requested permissions.

Two other vulnerabilities were classified as high. Those two are both memory safety bugs that with enough effort could have been exploited to run arbitrary code. These vulnerabilities were found by Mozilla developers.

Adobe

Adobe released updates to fix 17 CVEs affecting Premiere Rush, Illustrator, Photoshop, After Effects, and Creative Cloud Desktop. Of these 17 vulnerabilities, five are rated as critical.

• CVE-2022-23203 A buffer overflow vulnerability that could lead to arbitrary code execution in Photoshop 2021 and Photoshop 2022 for Windows and macOS.
• CVE-2022-23186 An out-of-bounds write vulnerability that could lead to arbitrary code execution in Illustrator 2021 and Illustrator 2022 for Windows and macOS.
• CVE-2022-23188 A buffer overflow vulnerability that could lead to arbitrary code execution in Illustrator 2021 and Illustrator 2022 for Windows and macOS.
• CVE-2022-23200 An out-of-bounds write vulnerability that could lead to arbitrary code execution in Adobe After Effects 18.4.3, 22.1.1 and earlier versions for Windows and macOS.
• CVE-2022-23202 Uncontrolled search path element vulnerability that could lead to arbitrary code execution in the Creative Cloud Desktop Application installer 2.7.0.13 and earlier versions on Windows.

Microsoft

Even though no Microsoft vulnerabilities were listed as critical, there are a few that deserve some attention.

• CVE-2022-21989 a Windows Kernel elevation-of-privilege vulnerability. According to the Microsoft advisory, successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. But in such a case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
• CVE-2022-21996 a Win32k elevation of privilege vulnerability listed as more likely to be exploited. The exploitation is known to be easy. The attack may be initiated remotely, but requires simple authentication for exploitation.
• CVE-2022-22005 a Microsoft SharePoint Server Remote Code Execution vulnerability. The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability. This permission however is often present for an authenticated user.
• CVE-2022-21984 a Windows DNS Server Remote Code Execution vulnerability. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. An attacker might take control of your DNS and execute code with elevated privileges if you have this set up in your environment.

Given the amount of available stolen login credentials, organizations shouldn’t disregard the vulnerabilities that require authentication, especially where it concerns public-facing servers. We hope this quick summary makes it easier for you to prioritize your updating jobs.

Stay safe, everyone!

The post Update now! Firefox and Adobe updates are more critical than Microsoft’s appeared first on Malwarebytes Labs.

If you dislike the use of facial recognition technology in relation to essential services, you’re in luck. One such proposition has been removed.

Last year, the IRS announced it would be using facial recognition selfies to confirm identity. If you wanted the convenience of making payments online, updating addresses, or performing several other tasks, you could have it, but facial recognition was going to become a requirement.

New accounts would have no say in the matter. Older accounts were likely to be switched over to the new service at some point in the immediate future. It seemed folks were going to get used to facial recognition whether they liked it or not.

How was the new service supposed to work?

The proposed system, ID(dot)me, was to take a video selfie alongside the uploading of various identity documents. Often this type of service is restricted to specific devices only, so it did at least offer up alternatives where required.

This was, as you may expect, met with many questions and a sizeable slice of anger. Objections came from a wide range of politicians and protestors. Multiple letters demanding more information or simply just objecting to the switchover were put forth to the IRS. As one congress member wrote:

Any government agency operating a face recognition technology system — or contracting with a third party — creates potential risks of privacy violations and abuse. We urge the IRS to halt this plan and consult with a wide variety of stakeholders before deciding on an alternative.

Objection!

One of the strongest objections came from Senate Finance Committee Chair Ron Wyden:

Some of his main points are highlighted below:

While the IRS had the best of intentions — to prevent criminals from accessing Americans’ tax records, using them to commit identity theft, and make off with other people’s tax refunds — it is simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online, including to access essential government programs. Furthermore, many facial recognition technologies are biased in ways that negatively impact vulnerable groups, including people of color, women, and seniors.

He goes on to mention that facial recognition would not be needed if they “cleared out red tape” preventing use of images already verified and held by other agencies such as the DMV and Social Security Administration. There’s also some additional requests for what the IRS should do in terms of alternatives to simply dropping facial recognition on everyone:

First, the IRS should redouble its efforts to remind taxpayers that facial recognition scanning is not now and has never been necessary to file taxes or receive a refund, as well as educate taxpayers on ways to access other IRS services without the use of facial recognition technology. Second, as a stopgap measure, the IRS should promptly revert its decision to require use of ID.me to transact online through the IRS’ website, delay the phase out of IRS.gov accounts created prior to the implementation of ID.me, and restore the ability of taxpayers to create new IRS.gov accounts, which does not use facial recognition. And finally, in the longer term, the IRS should migrate away from third-party identity verification services and utilize GSA’s government-wide login.gov service. 

Well, that’s a lot of requests, demands and more general annoyance. The question is, did the IRS listen?

A surprising response

The answer is yes, it did. From the announcement:

The IRS announced it will transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts. The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season.

During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said IRS Commissioner Chuck Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

Down but not out?

It isn’t just the IRS that was considering facial recognition. Other services were (or still might be) getting ready to make the leap. Plenty of concerns remain over the use of facial recognition more broadly, with some organisations moving away from a field fraught with issues.

You may well have dodged facial recognition from embedding itself in your tax affairs, but it could easily show up in other areas of your day to day workings. For those not sold on this use of technology, your good news is that campaigning and protesting does seem to work at least some of the time. It remains to be seen whether or not this rollback is a one off, or a gradual push-back against certain private sector technologies tied to Government services.

The post IRS abandons facial recognition plans for online services appeared first on Malwarebytes Labs.

Apple’s release of iOS 15.4 beta 2 completes the fix for a bug that may have recorded interactions with Siri without permission on some devices. Apple has fixed this bug that was introduced in iOS 15 and accidentally kept some recordings, regardless of whether you opted out or not.

The bug was actually fixed in iOS 15.2 but users have only learned about this now that the latest beta has started asking for permission again.

The bug

The Improve Siri & Dictation setting was turned off in 15.2 to fix a bug that was introduced in iOS 15. This bug enabled the setting for some users who had previously opted out. In other words, recordings were being kept for some users who had opted out of the setting instead of being deleted. Once Apple discovered the bug, the company turned off the setting for the affected Siri users with the release of iOS 15.2. The same update also fixed the bug.

Now, in iOS 15.4, which is still in beta, users will be asked if they want to opt-in and help improve Siri and Dictation by allowing Apple to review recordings of voice interactions to improve both services. If you opt-out, your voice interactions with Siri or the voice dictation tool on your iPhone aren’t recorded and shared with Apple.

Users that want to get the fix for the Improve Siri & Dictation bug should make sure they have iOS 15.2.

Saved recordings

What is painful is that the bug affected mostly people that had on purpose opted out from being recorded. Since identifying the bug, Apple has stopped reviewing and started removing audio received from all affected devices.

One thing that is unfortunately considered standard behavior for Apple is that it kept the information under its hat until it was fixed. It is clear from its statements that the company has known about the bug at least since before the introduction of version 15.2 (December 13,  2021).

Why not let your customers know what is going on? Let them know what happened and that you’re working on it. This is nothing like a vulnerability that you need to keep the lid on, in case a cybercriminal abuses it. This is a privacy issue that users need to be informed about as soon as possible.

Why record at all?

Apple likes to review recordings of voice interactions to improve both Siri and Dictation. However, every user should be asked if they want to submit their recordings. And if they decide to opt-out, their voice interactions with Siri or the voice dictation shouldn’t be recorded and shared with Apple.

Apple’s regular privacy information outlines the default behavior for Siri and Dictation. If you opt in to Improve Siri and Dictation, additional data is collected, stored, and reviewed. For more information, visit www.apple.com/legal/privacy/data/en/improve-siri-dictation.

Not its first rodeo

In 2019 Apple contractors revealed to the Guardian they regularly heard confidential medical information, drug deals, and recordings of couples having sex, as part of their job providing quality control, or “grading”, for the company’s Siri voice assistant. At the time, it was found that a small proportion of Siri recordings would get passed on to contractors working for the company around the world. These contractors were tasked with grading the responses on a variety of factors, including whether the activation of the voice assistant was deliberate or accidental, whether the query was something Siri could be expected to help with, and whether Siri’s response was appropriate.

Not having learned from that incident and taking the wrong turn again on the same issue does not bode well for the future.

The post Apple accidentally kept some Siri recordings from iPhones, even for opted-out users appeared first on Malwarebytes Labs.

There’s trouble brewing in the Metaverse, but the trouble isn’t a particularly new problem. In fact, it’s been an issue for years – and so have many of the solutions. Strangely, Meta is having to play catch-up where some basic security and safety settings are concerned in the virtual realm.

At Malwarebytes Labs, we’ve kept an eye on many areas for concern in the VR realm. We’ve dug into the possibilities of ad network compromise, and explored the not very successful attempts at ad trials in paid-for VR games. We’ve also looked at the risks of placing your entire home into a virtual space. There’s even been the occasional data leak. Unfortunately, this barely scratches the surface.

Scaling up harassment

One of the biggest, most pressing issues in VR spaces has always been that of sexual harassment and abuse. VR platforms have come and gone through the years, and many had security settings to prevent abuse from happening. The absence of these options for users can result in genuinely unpleasant scenarios (fair warning, some of the descriptions here are horrifying).

Where a lack of settings exists, and where existent settings are hard to find, horrible behaviour rushes in to fill the vacuum. Many people struggle to find certain options on a plain old Windows desktop. In VR, many settings are available outside of the helmet. That is to say, you may only be able to set things to your liking on a website or portal. If you can’t even get that far, you’re going to be stuck with defaults which may not be very optimal.

Speaking of which…

After what appear to be several reports of sexual harassment of various kinds in the Metaverse, Meta is enabling a “bubble shield”/personal boundary as a default for users to help avoid troublesome individuals. From the announcement:

Personal Boundary will begin rolling out today everywhere inside of Horizon Worlds and Horizon Venues, and will by default make it feel like there is an almost 4-foot distance between your avatar and others…If someone tries to enter your Personal Boundary, the system will halt their forward movement as they reach the boundary. You won’t feel it—there is no haptic feedback. This builds upon our existing hand harassment measures that were already in place, where an avatar’s hands would disappear if they encroached upon someone’s personal space.

How do people harass other users in VR spaces?

First off, some basics. You’ll notice that Meta avatars don’t have legs or hips. This isn’t uncommon in VR. A combination of small play areas, no sensors on legs/feet, and difficulties in animation mean it’s often easier to leave the legs out of it. An additional (very helpful) consequence of this is that it’s harder for awful people to get up to no good in VR. They can’t run up and grind or hip-thrust or anything else if they’ve nothing to grind or hip-thrust with.

However: there are many more ways people can be awful whether digital lower halves are present or not. Here’s some of the things developers do to prevent bad happenings:

• Fade out arms and/or hands should you get too close to other users. This prevents groping and pawing.
• Fade out bodies generally if you get too close.
• Fade out digital representations of your controller stick or wand.
• Allow users to “push” back others if they get too close. This one isn’t always optimal, as it can be used for trolling itself depending on how things are set up. Want to Jedi force-push someone into a wall or off a cliff? A badly configured push setting is how you do it.
• Emergency teleport, alongside easy to access blocking/reporting features round off some of the most common tools in the “stop bad people” toolkit.

Perhaps somewhat oddly, Meta is only now making a bubble a default setting. It seems an odd oversight for something so essential to VR spaces to have been lost in the mix. Meta may mention that it’s looking to “set new norms in social VR”, but attempting to set those norms is nothing new. Just to give one example: here’s Playstation’s Rec Room doing much the same thing back in 2017. 

How do bubbles work?

We’ve read the Meta description of how its bubble operates. How do others do it?They tend to take several aspects of the above bullet points and roll them into one. A field is placed around the individual, and anyone trying to enter it fades into non-existence. Smart programmers don’t make the bubble a solid if invisible object. This is because they end up used as dodgem cars and you’re back to Jedi style force pushes, minus the force push.

According to reports, Meta’s bubble isn’t configurable at time of writing. Some platforms allow users to define the size and/or shape, making it larger or smaller (or even turning it off) as desired. It’s probable that Meta will allow more customisation in the near future.

All the same, Meta definitely didn’t need a raft of assault themed news stories as it tries to promote the benefits of its Metaverse. VR has always been somewhat niche, and negative perceptions via easily preventable bad actions may not help with the general uptake.

Haptic headaches may be round the corner…

You may have seen the “haptic” reference up above, and wondered what it is. When you use a touch screen and it vibrates, when you get hit in a video game and your controller rumbles, that’s haptic feedback. The artificial replication of touch is what it’s all about. Haptic sensations are one of the big future goals of VR. Meta is trialling haptic glove prototypes.

Can you imagine the problems in VR realms that haptic sensations will bring as a result of weak or absent safety settings? It’s absolutely crucial that major players in the virtual space have all their headset safety ducks in a row before adding to the sensory overload that is VR. Anything less than that is probably going to end badly for all concerned.

The post Meta blows safety bubble around users after reports of sexual harassment appeared first on Malwarebytes Labs.

Ransomware tends to target organizations. Corporations not only house a trove of valuable data they can’t function without, but they are also expected to cough up a considerable amount of ransom money in exchange for their encrypted files. And while corporations struggle to keep up with attacks, ransomware groups have left the average consumer relatively untouched—until now.

Sugar ransomware, a new strain recently discovered by the Walmart Security Team, is a ransomware-as-a-service (RaaS) that targets single computers and (likely) small businesses, too. Sugar, also known to many as Encoded01, has been in operation since November 2021.

Bleeping Computer notes that the Walmart Security Team got the name ‘Sugar’ from a site belonging to an affiliate of the ransomware operation: sugarpanel.space.

As with many ransomware strains, the authors aren’t holding back in their note which is dropped onto the system as BackFiles_encoded01.txt:

Whats Happen? [+] 
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). 
[+] What guarantees? [+] 
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our] work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. 
[+] How to get access on website? [+]
You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop.
Also as the second option you can install the tor browser:
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website. Full link will be provided below.

----------------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions- ints may entail damge of the private key and, as result, THE Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interest to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
----------------------------------------------------------------------------------------------
Your ID:

{redacted}

How it works

Once executed, Sugar connects to two URLs, whatismyipaddress.com and ip2location.com, to identify the device’s IP address and geographic location. It then downloads a 76MB file, the use of which is currently unclear.

Sugar then connects to its command & control (C2) server where it transmits and receives data related to its attack. It then encrypts files located in the below folders:

• boot
• DRIVERS
• PerfLogs
• temp
• windows

However, it avoids the following files:

• .exe
• .dll
• .sys
• .lnk
• .bat
• .cmd
• .ttf
• .manifest
• .ttc
• .cat
• .msi;
• BOOTNXT
• bootmgr
• pagefile

The files are encrypted using the SCOP encryption algorithm, a stream cipher created in 1997 by Simeon Maltchev and Peter Antonov for Pentium processors but also runs very fast on other 32-bit processors. Furthermore, modifying SCOP to create a cipher optimized for 64-bit processors, which most machines run nowadays, is easy, according to Maltchev’s research. This modification will double the cipher’s speed.

Sugar is also called Encoded01 because this is the extension it appends to names of files it has encrypted. For example, after encoding a file called 1.jpg, the resulting filename is now 1.jpg.encoded01.

The ransomware note points victims at a Tor site which contains a page with the amount they have to pay in Bitcoin, a chat feature they can use to negotiate with the cybercriminals, and an offer to have five files decrypted for free.

According to BleepingComputer, the ransom amount is automatically generated based on the number of files Sugar successfully encrypts. The amount tends to be relatively affordable, usually a few hundred dollars, making it more likely that people will stump up the cash for their files.

Borrowed content

Several researchers have noted Sugar’s similarities with other ransomware families. The ransom note, for example, is reminiscent of REvil’s ransom note.

The Tor site the victim sees, on the other hand, is a lookalike of the page Cl0p used in its attacks.

How to protect yourself from ransomware

We don’t know yet how Sugar lands onto systems. So, as ever, we should continue to remain vigilant whatever we do online.

• Keep your system up to date. Cybercriminals take advantage of known vulnerabilities to infect computers. Make sure you apply patches as soon as they’re available, whether they’re for your operating system, your apps, or your browser.
• Back up your files. If you get infected with ransomware, you’re going to want to get hold of those backups. Make sure you back up offline to somewhere the attackers can’t reach.
• Don’t reuse your passwords, and make sure to choose strong ones for each account. Password managers can help with this.
• Be careful of unsolicited messages on social media, emails, online games, or anywhere else. Never click on a link sent in the message, and never enable macros in documents sent to you this way.
• Make sure all computers are protected with security protection. (Malwarebytes can help with this.)

Stay safe!

The post “We absolutely do not care about you”: Sugar ransomware targets individuals appeared first on Malwarebytes Labs.

Microsoft says it is going to disable macros in five Office apps by default. Besides Excel 4.0 macros, which were disabled by default last month, now VBA macros obtained from the Internet will be blocked by default as well.

The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. According to Microsoft, this significant security improvement will roll out to other Office update channels at a later date. After this change rolls out, Office users will no longer be able to enable macros with a click of a button after they’ve been automatically blocked.

VBA Macros

VBA is short for Visual Basic Application. VBA can be used to access the Windows Application Programming Interface (API). As such, macros are part of the active content options that Microsoft shipped as automation capabilities that enable users to run tasks in the background. Unfortunately, malware authors have used these capabilities to download and run malware on a large scale.

Attackers have always liked macros because they provide a simple and reliable method to spread malware using legitimate features, and without relying on any vulnerability or exploit. Emotet especially has been known to send emails that contain malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email. When a user opens one of the documents, they are prompted to enable macros so that the malicious code hidden in the Word file can run and install Emotet malware on the computer.

Blocked

With this change, untrusted macros will be blocked by default within Access, Excel, PowerPoint, Visio, and Word for any file downloaded from the Internet. Users will also no longer be able to enable content with a click of a button.

Instead, a security alert will appear:

The Learn More button goes to an article that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros by saving the file and removing the Mark of the Web (MOTW).

Mark of the Web

The MOTW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the Internet or a Restricted Zone. Since the new warning and the block depend on this MOTW, it is important to know some more about it.

In Windows, when files are downloaded from an untrusted location, like the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier. As such, the ability to add these attributes depends on the NTFS filesystem. NTFS is the modern file system Windows likes to use by default. Since Windows XP, when you install Windows, it defaults to format your drive with the NTFS file system. But if you happen to run a FAT32 system the MOTW attribute can’t be added to a file.

There are two main strategies malware can use to circumvent the MOTW attribute. All of the techniques that we have witnessed in the wild can be categorized under these two strategies:

• Abusing software that does not set MOTW: delivering your payload in a file format which is handled by software that does not set or propagate Zone Identifier information. This works because some cloning and archiving software does not propagate the MOTW to the clone or extracted file.
• Abusing container formats: delivering your payload in a container format which does not support NTFS’ alternate data stream feature. For example, delivering the payload in an ISO format, a technique that has been used in the wild.

In the first scenario, an attacker will need some inside knowledge as to how the intended victim handles certain file formats, because not all archiving and cloning software removes the MOTW attribute.

Removing the MOTW

On a file per file bases users can remove the MOTW attribute in the file properties.

The option to Unblock files can be found in the file properties, on the General tab, under Security. There a user can put a checkmark in the Unblock option.

Note: organizations are already able to use the Block macros from running in Office files from the Internet policy in order to prevent users from inadvertently opening files from the Internet that contain macros. Microsoft recommends enabling this policy, and if you already have this setting enabled your organization won’t be affected by this change. This option has been available since Microsoft Office 2013 and all subsequent versions.

Stay safe, everyone!

The post Microsoft takes macros out of the equation for five Office apps appeared first on Malwarebytes Labs.

An unsecured AWS server, found open to the public Internet, is the root cause of a huge compromise of data of airport employees in Colombia and Peru. This server, according to a report, belongs to Securitas, a Stockholm-based multinational company that provides security services like security guarding, fire and safety, and supply-chain risk management among others.

Affected airports

Approximately 3TB of data dating back to 2018 was housed on the server, the report says. It also names Securitas client airports most affected by this breach: El Dorado International Airport, Alfonso Bonilla Aragón International Airport, and José María Córdova International Airport in Colombia; and Aeropuerto Internacional Jorge Chávez in Peru. SafetyDetectives, who wrote the report, hasn’t examined every file in the bucket—there were almost 1.5 million files—but noted with high probability that all client airports of Securitas are affected. The report authors believe other airports in Latin America may also have been exposed.

What was leaked

A compromised AWS server exposed sensitive company data, employee PII, and datasets of Securitas employees and airport employees. These datasets include photos of ID cards and unmarked photos. As you may expect, these ID cards contain details like full names, national ID number, ID photo, and occupation.

Other data included photos of airline employees, planes, fueling lines, and more. SecurityDetectives said that exposing these photos also exposes the photos’ EXIF (Exchangeable Image File Format) data, such as GPS location, time and date, and device used to capture the images.

“Exposed employees are not just official airport staff but include staff from several different private companies, one of which was Securitas. There were photos of people, places, planes, and various other airport functions on the bucket.” the report adds.

Lastly, the exposed AWS bucket also contains Android apps used by security personnel to fulfil certain tasks like reporting incidents.

Breach impact

At this point, many of us are already familiar with the possible impacts any breach could cause to companies and affected parties.

For affected airlines, the likelihood of criminals impersonating airline and even Securitas personnel is a huge risk. This could lead to individuals or groups (think guerilla groups and terrorist organizations) gaining unlawful access to restricted areas within airline grounds.

Of course, any leaked data could be sold for profit. If not this, online criminals could target personnel whose data has been leaked, tricking them into falling for fraud and scam attempts.

Similar impersonation security infiltration attempts could happen against Securitas. On top of that, the company could face multiple sanctions and fines for violating data privacy laws against affected Colombian and Peruvian citizens.

The post Securitas breached, 3TB of airport employee records exposed appeared first on Malwarebytes Labs.

With Valentine’s Day approaching, you can be sure that the scammers will want to take advantage of lovebirds everywhere. From romance scams and sextortion, to fake dating sites and phishing campaigns, here’s how to avoid a sting in the tail this Valentine’s Day.

Romance scams

Stories of online romance scams are abundant on the internet. And with COVID-19 having forced everyone to stay home much more and not meet in real life, it’s no wonder that reports of these sorts of scams have significantly increased since the start of the pandemic.

So whether you meet someone on a dating site or social media, here are some common red flags to look out for:

• Their profile and picture seem too good to be true.
• They profess their love very quickly.
• They share a lot about themselves—often personal stuff—in the first meeting.
• They claim to be overseas and cannot stay in one place for long.
• They try to lure you from whatever platform you are on to talk to you via email or video chat.
• They claim to need money for something, such as to help their friends or family, repatriation, or something else entirely.

How to avoid romance scams:

• Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in.
• Do an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait.
• Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible to fleece them of their money as equally quickly.
• If they encourage you to invest in something—be suspicious. Start digging around online about the company that, they say, is worth investing in. Never send them money.
• Follow your gut instinct. If something feels off, cut off contact immediately and report your experience to the police, the Internet Crime Complaint Center (IC3), and the dating or social media site where you met the scammer.

Sextortion

Sextortion is where someone threatens to share your private or sensitive files, such as photos or videos, unless you do something for them—which can be send cash to them, share more images or perform sex acts. A sextortion attempt could take several forms, but there are two common tactics sextortion scammers use.

1. A scammer contacts their target via email, telling them they have a video of the target in a compromising position (usually watching porn). The sender then asks the target to send Bitcoin in exchange for the video being kept quiet. It’s important to note that sextortion emails of this nature are empty bluffs and must be ignored.
2. A scammer befriends their target—often a minor—on social media, video chat, dating sites, or online video games. They coerce their target into sending videos of themselves naked or performing a sexual act. This material is then used to force the victim to create more videos.

How to protect yourself from sextortion:

• If a scammer tells you they have compromising images of you and they show you no evidence of the images, they probably don’t have any. Offering “proof” such as a password or phone number of yours just means they’ve got that data from another breach, and doesn’t mean they have access to your computer or webcam.
• If they do show you evidence of the images, report to your local authorities and the FBI as soon as you can. Never engage with the sextortionist.
• Be extremely cautious about what you say to someone online. When asked certain questions, be vague and never give specifics. Remember that online, people can pretend to be someone they’re not, and can even look and sound like a different person with today’s technology.
• Make sure you personalize the security and privacy settings of all your social media and chat accounts. Lock down your accounts as much as you can, and keep as much private as possible.
• Remember that once you send something to someone—whether they’re a stranger, a romantic partner, relative, or friend—you have no control over where it goes next.

Fake dating websites

Scammers create dating services that appear legitimate, and do what every dating site asks you to do, like filling in your profile information and your card details. But the websites are fake.

According to the Better Business Bureau (BBB) which classifies this as a type of romance scam, once you have signed up, you’ll start getting messages from other members who have profiles that lack basic information and photos.

The site may even ask you to connect with others that don’t match your profile, such as those living in a different city or those outside your preferred date range. If you cancel your membership, the fake dating website keeps billing you anyway.

Some sites even have features locked behind a “paywall” wherein you have to buy some form of digital token or in-dating site coins to talk to other users. In one case, a victim was double charged for buying coins and bombarded with messages from almost 200 dating service users.

Note that since these sites are fake, site members are also likely fake. They could be bots or site employees handling multiple account personalities.

How to avoid fake dating sites

• Do your research. Ask around your friends in real life about what sites they use. If you are researching the sites online, prefix your search terms with “scam” and “reviews” to find out what people really think.
• Be suspicious when many people start lining up to meet you, especially if you have an incomplete profile. This is too good to be true.
• Know how the dating website works, including how they charge members and how much. If you cancel a membership to a particular site then contact your bank to make sure the ongoing payment is cancelled from your end.

Phishing scams, some with a touch of malware

Valentine’s Day themed phishing scams come in many flavors, but one of the most common is the phony florist or delivery driver, who sends you an email (or possibly an SMS message) to warn you about a missed delivery.

Spam messages like these are ten-a-penny, but many people buy flowers and gifts for loved ones online. So, led by worry and panic, they click the link from the email/SMS to punch in their details, only for them to be stolen and misused.

Other examples of phishy messages jumping on the Valentine’s Day trend are emails that say there is a problem with a transaction after a product has been bought, or a supposed courier claiming that there is an extra charge you have to pay.

How to protect yourself from phishing

• Never click links on emails or SMS messages. Instead, go straight to the website that claims have a problem with your item. If it’s legit, you’ll likely see a message there.
• When purchasing something online, always pay with a credit card. Credit cards have more fraud protections in place than other banking cards. It is also easier for users to dispute charges.
• Refrain from scanning QR codes if there are other payment options. If it cannot be avoided, check the URL destination to ensure that you are directed to the site you’re expecting to go to.
• Make sure you have installed an antivirus solution that catches malware fast before it can wreak havoc on your computer, and keep it up to date.

Head over heart, always

When it comes to romance scammers, we have to let our heads lead over our hearts. With Valentine’s Day around the corner, stop to take a breath and consider things before chatting, clicking, replying, or anything else online. It might save you heartache further down the line.

Stay safe!

The post How to avoid being scammed this Valentine’s Day appeared first on Malwarebytes Labs.

Media giant News Corp says it has fallen victim to a cyberattack. First analysis indicates that the attack was a state sponsored attack, aimed at emails and documents of News Corp employees, including journalists. News Corp says data was stolen, but that it didn’t include financial data or subscriber information.

The hack also affected financial news unit Dow Jones and News UK, the division that controls the Times of London and the Sun, according to a statement provided by News Corp.

Investigation

News Corp reported the attack in a document which was sent to the United States Securities and Exchange Commission (SEC).

“In January 2022, the Company discovered that one of these systems was the target of persistent cyberattack activity. Together with an outside cybersecurity firm, the Company is conducting an investigation into the circumstances of the activity to determine its nature, scope, duration and impacts. The Company’s preliminary analysis indicates that foreign government involvement may be associated with this activity, and that data was taken. To the Company’s knowledge, its systems housing customer and financial data were not affected. The Company is remediating the issue, and to date has not experienced any related interruptions to its business operations or systems. Based on its investigation to date, the Company believes the activity is contained. At this time, the Company is unable to estimate the expenses it will incur in connection with its investigation and remediation efforts.”

Targets

In an email to its employees, News Corp stated that the attack was discovered on January 20 and affected a number of publications and business units including The Wall Street Journal and its parent Dow Jones, the New York Post, the company’s UK news operation, and News Corp headquarters.

“We appear to have been the target of persistent nation-state attack activity that affected a limited number of our employees.”

News Corp chief technology officer David Kline and chief information security officer Billy O’Brien stated in an email to employees:

“We will not tolerate attacks on our journalism, nor will we be deterred from our reporting, which provides readers everywhere with the news that matters.”

Attribution

The firm that was brought in to investigate the incident believes the attackers are likely involved in espionage activities to collect intelligence to benefit China’s interests. News Corp said it would provide details of the breach to other news organizations so they could take appropriate measures.

As many other security authorities have pointed out, China has been ramping up cyberattacks on US and European organizations. For example, US authorities blamed China for a massive breach in 2021 of Microsoft’s Exchange email service. In the breach, hackers associated with China’s Ministry of State Security accessed thousands of email accounts associated with businesses, government offices and schools around the world.

The post News Corp falls victim to cyberattack appeared first on Malwarebytes Labs.