IT NEWS

Apply those updates now: CVE bypass offers up admin privileges for Windows 10

If you’re running Windows 10, it’s time to stop delaying those patches and bring your systems up to date as soon as possible.

Bleeping Computer reports that a researcher has come up with a bypass for an older bug, which could serve up some major headaches if left to fester. Those headaches will take the form of unauthorised admin privileges in Windows 10, alongside creating new admin accounts and more besides.

What happened the first time round?

Back in 2021, Microsoft patched an exploit which had been in use since mid-2020. Classed as “high-severity”, “CVE-2021-1732 – Windows Win32k Elevation of Privilege Vulnerability” allowed attackers to elevate privileges to admin level.

Fooling potential victims by having them open bogus email attachments is all it would take to get one foot in the door via code execution. It popped up in a targeted attack related to the Bitter APT campaign. According to the report, numbers were “very limited” and struck victims in China.

What’s happening now?

Multiple exploits have dropped for another elevation of privilege vulnerability known as CVE-2022-21882. This is a bypass for the previously mentioned CVE-2021-1732 which was fixed back in February 2021. CVE-2022-21882 was fixed by Microsoft via updates from January 2022. However, sys admins out there may well have skipped the updates due to various bugs which came along for the update ride.

Time to get fixing things?

It is absolutely time to get fixing things. The exploit is now out there in the wild, and as Bleeping Computer notes, it “affects all supported versions of Windows 10 before the January 2022 Patch Tuesday updates”.

Writers at Bleeping Computer were able to get it to work in testing, and others have confirmed it for themselves.

Is there any reason to wait for February’s Patch Tuesday?

If you’re one of the hold-outs who ran into errors last time around, waiting isn’t advisable. Microsoft already issued an OOB (out of band) update to address the multiple errors caused by the January patch. As per Microsoft’s January 17th notification about the release:

“Microsoft is releasing Out-of-band (OOB) updates today, January 17, 2022, for some versions of Windows. This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.”

Things being what they are, it’s likely time to get in there and apply the OOB update (if you haven’t already) and put this one to rest.

Microsoft is putting a fair bit of work into figuring out where weak points lie in the patching process, making use of its Update Connectivity data. The current estimate is a device needs a minimum of two continuous connected hours, and six total connected hours after an update is released to reliably make it through the updating process.

If this sounds like your network, and if you’re still waiting to take the plunge, you’ve hopefully got little to lose by making that big update splash as soon as you possibly can.

The post Apply those updates now: CVE bypass offers up admin privileges for Windows 10 appeared first on Malwarebytes Labs.

Android malware BRATA can wipe devices

Cleafy, a cybersecurity firm specializing in online fraud, has published new details about banking Trojan BRATA (Brazilian Remote Access Tool, Android), a known malware strain that first became widespread in 2019.

BRATA is now being used to perform factory resets on victims’ machines. It’s rare for malware to damage or wipe victims’ machines (there is rarely anything in it for the attackers) so what’s going on here?

According to Cleafy, the victim’s Android device is factory reset after the attackers siphon money from the victim’s bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.

Out with the old

BRATA used to target Brazilian banks exclusively, but Cleafy reports that the target list has now been expanded to include banks in Italy, the UK, US, Poland, Spain, and Latin America. It has also revealed a number of new capabilities, alongside the factory reset functionality:

  • A GPS tracking capability
  • Multiple methods of maintaining contact with command and control (C2) servers
  • The ability to use a VNC (Virtual Network Computing) and keylogging to continuously monitor a victim’s bank account

But how does such dangerous malware end up on victims’ devices?

How BRATA is spread

A BRATA campaign starts off when a potential target receives an SMS claiming to be from their bank. The SMS contains a link to a website that encourages the target to download the BRATA malware. They also receive a call from an attacker, who pretends to work for the bank.

Image: An illustration of the BRATA Android RAT in action (Source: Cleafy)

The app asks for multiple permissions that, to the trained eye, would raise some red flags, and might make users reluctant to install it. According to Cleafy, the caller’s first job is therefore to use social engineering tactics to convince victims to install it.

Once the app is installed, the fraudsters can remotely hijack the device whenever they want to, and can perform banking transactions without the target knowing. Not only that, the app can be used to initiate admin-level actions, such as locking the screen, changing the screen lock, and setting password rules. For the most recent BRATA strain, being an admin app also allows it to initiate a factory reset on the affected mobile device.

A two-factor authentication (2FA) code from the bank does not protect accounts here. Through BRATA, the 2FA codes from banks are intercepted and sent to the fraudster’s command and control server.

Cleafy believes that the current operators of the BRATA mobile malware are based in at least one country in Europe, as mule accounts linked to this campaign were found in Italy, Lithuania, and the Netherlands.

Protect yourself from BRATA

The existence of this malware is a reminder to all Android users to avoid installing apps that don’t come from Google Play, and to pay attention to the permissions that apps ask for. For example, BRATA requests access to the “Erase all data” permission, and most of us don’t want apps that can do that running on our mobile devices.

Although this version of BRATA was not found on Google Play, in the past it has been found, called out, and removed from Google’s online store. So, even when you’re using Google Play, stay vigilant and make sure to keep your mobile antivirus running in real time and up to date.


Duo of Android dropper and payload target certain countries and app users

After making its first in-the-wild appearance in March 2021, Vultur—an information-stealing RAT that runs on Android—is back. And its dropper is equally nasty.

Vultur (Romanian for “vulture”) is known to target banks, cryptocurrency wallets, social media (Facebook, TikTok), and messaging services (WhatsApp, Viber) to harvest credentials using keylogging and screen recording.

According to ThreatFabric, the mobile security company that first spotted Vultur in 2021, the cybercriminals behind the malware have steered away from the common HTML overlay strategy usually seen in other Android banking Trojans. This approach usually requires time and effort for the attackers in order to steal what they want from the user. In steering away from this, the attackers made less effort but yielded the same results.

One of the Android droppers that delivers Vultur (among other payloads) is Brunhilda, a privately operated dropper. Initial variants of Vultur were dropped by an Android app called “Protection Guard”, which had 5,000 installs on the Google Play Store at the time of its discovery. Note, however, that there are many Brunhilda dropper apps on the Store, which suggests that the infection count could be a lot higher.

Image: A Brunhilda dropper masquerading as a faux security solution for Android. (Source: ThreatFabric)

ThreatFabric believes that the group behind this dropper and Vultur are one and the same. The company has linked the two for the following reasons:

  • The command and control server (C2) of “Project Brunhilda” supports Vultur-specific bot commands
  • Vultur is seen using the same C2 that Brunhilda used in the past
  • Vultur is seen using the same icon and package name of a Brunhilda dropper
  • Vultur uses JSON-RPC to communicate with its C2, a tactic that Brunhilda used to do

Moreover, the group behind Vultur can see every interaction the user makes with their device, thanks to the real-time implementation of VNC (Virtual Network Computing) screen sharing. This is a legitimate tool that allows one to remotely control a device, so whatever the user sees on their phone screen, the actors can see too. However, for VNC to work properly, Vultur uses ngrok, another legitimate tool that uses an encrypted tunnel to expose local systems behind firewalls and NATs (network address translation) to the public Internet.

Nasty new malware dropper spreads Vultur

Recently, researchers from Pradeo, another mobile security solutions provider, found a fresh variant of Vultur after they spotted a fake two-factor authenticator (2FA) app on the Google Play Store. The dropper app, aptly named “2FA Authenticator” is responsible for dropping Vultur onto Android devices. Pradeo didn’t specify in its report if this dropper app is Brunhilda.

Image: The still-unnamed Vultur dropper spotted on the Play Store. Before it was pulled, it had more than 10,000 downloads. If you look closer, the images used to showcase the app are reworked versions of images belonging to a legitimate authenticator app in the Play Store. (Source: Pradeo)

“2FA Authenticator”, as Pradeo noted, used the open source code of the Aegis Authenticator app, a legitimate 2FA authenticator with a presence in the Play Store, but that had been modified to include malicious code. Users are likely to be less suspicious of apps that appear to be working as they should.

Creating a dropper malware that also works is a tactic not unheard of as this is also used by another Android malware called BRATA.

The automated Vultur attack comes in two stages: first is profiling. The dropper prompts the user for consent to access critical permissions which were never disclosed in its Play Store profile. These are:

  • Take pictures and videos. This allows the dropper to collect information about the user, such as the application list and localization, which the attackers can use to target other users in specific countries using certain applications.
  • Disable your screen lock. This disables any form of phone security (passwords, unlock pattern) set up by the user.
  • Full network access. This allows the dropper to download other third-party apps under the guise of updates.
  • Run at startup. This allows the dropper to freely perform tasks even when the app is shut down.
  • Draw over other apps. This allows the dropper to change the interface of other mobile apps—a permission that “very few apps should use”, according to Google.
  • Prevent device from sleeping. This allows the dropper to continue running in the background.

The second stage is the installation of Vultur. Pradeo has noted that the dropper doesn’t just drop Vultur once it is executed. Instead, the attack escalates to this stage if the information the dropper has collected meets certain conditions.

If you have downloaded an app that you suspect could be malicious, go to Settings > Apps. Look for “2FA Authenticator” in the list and delete it.

Stay safe!


Samba patches critical vulnerability that allows remote code execution as root

Samba developers have patched a vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.

Samba is a free software re-implementation of the SMB networking protocol that provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain.

The vfs_fruit module provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. Netatalk is a freely-available Open Source AFP fileserver. A UNIX, Linux or BSD system running Netatalk is capable of serving many Macintosh clients simultaneously as an AppleShare file server (AFP).

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in Samba that received a CVSS score of 9.9 out of 10 has been assigned CVE-2021-44142.

The vulnerability is described as an out-of-bounds heap read/write vulnerability. The heap is the name for the part of the system’s memory that is allocated for the use of programs. If a flaw in a program allows it to read or write outside of the bounds set for the program, it is possible to manipulate other parts of the memory which are allocated to more critical functions. This can allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have. In this case, that is root, which is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system.

The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue.

The patch

The patch for this vulnerability was included in a security update that also patches some other issues:

  • CVE-2021-44141 (CVSS score: 4.2) – Information leak via symlinks of existence of files or directories outside of the exported share. All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed. Symlink is a term for any file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.
  • CVE-2022-0336 (CVSS score: 3.1) – Samba AD users with permission to write to an account can impersonate arbitrary services. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding any service principal name (SPN) that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.

Mitigation

Samba administrators should upgrade to these releases or apply the patch as soon as possible to mitigate the defect and thwart any potential attacks exploiting the vulnerability. But, as a workaround it is possible to remove the “fruit” VFS module from the list of configured VFS objects in any vfs objects line in the Samba configuration file smb.conf.

Please note that changing the VFS module settings fruit:metadata or fruit:resource to use the unaffected setting causes all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost.
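To check an existing configuration against the rule described above (the fruit module loaded while fruit:metadata is still netatalk or fruit:resource is still file), here is a small audit script added for this article; it is not Samba project code. It assumes only standard smb.conf syntax (line comments starting with # or ;, share-level parameters overriding [global]) and runs against a constructed sample configuration.

```python
"""Audit an smb.conf for shares exposed to CVE-2021-44142 (vfs_fruit defaults).

Added example, not Samba project code. Rule taken from the article text:
a share is affected when the "fruit" VFS module is loaded and either
fruit:metadata is left at/set to "netatalk" or fruit:resource is left at/set
to "file" (both are the defaults). Only when BOTH are changed is it unaffected.
"""
import re

# Default values of the two options; these are the settings the article
# describes as affected.
DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}


def parse_smb_conf(text):
    """Return {section_name: {key: value}} with section and key names lower-cased.

    smb.conf uses '#' or ';' line comments, '=' separated keys that may contain
    spaces and colons, and backslash line continuations.
    """
    sections = {}
    current = None
    joined = re.sub(r"\\\n", "", text)  # fold "\"-continued lines
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def effective(sections, share, key, default=None):
    """Share-level value wins, then [global], then the supplied default."""
    glob = sections.get("global", {})
    return sections.get(share, {}).get(key, glob.get(key, default))


def affected_shares(text):
    """Return {share: reason} for every share that loads vfs_fruit with an
    affected fruit:metadata / fruit:resource setting."""
    sections = parse_smb_conf(text)
    result = {}
    for share in sections:
        if share == "global":
            continue
        modules = effective(sections, share, "vfs objects", "").split()
        if "fruit" not in modules:
            continue  # workaround applied (or module never loaded) for this share
        metadata = effective(sections, share, "fruit:metadata", DEFAULTS["fruit:metadata"])
        resource = effective(sections, share, "fruit:resource", DEFAULTS["fruit:resource"])
        reasons = []
        if metadata == "netatalk":
            reasons.append("fruit:metadata=netatalk")
        if resource == "file":
            reasons.append("fruit:resource=file")
        if reasons:
            result[share] = ", ".join(reasons)
    return result


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   ; loads fruit for every share unless a share overrides it
   vfs objects = catia fruit streams_xattr

[timemachine]
   path = /srv/tm
   # both options changed away from the defaults: not affected
   fruit:metadata = stream
   fruit:resource = xattr

[public]
   path = /srv/public
   # only one option changed: still affected via fruit:resource=file
   fruit:metadata = stream

[plain]
   path = /srv/plain
   # share-level override drops the fruit module (the article's workaround)
   vfs objects =
"""

if __name__ == "__main__":
    for share, why in affected_shares(SAMPLE_SMB_CONF).items():
        print(f"[{share}] affected: {why}")
```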

Stay safe, everyone!


A week in security (January 24 – 30)

Last week on Malwarebytes Labs:

Stay safe!


Actor’s verified Twitter profile hijacked to spam NFT giveaways

When we refer to hijacked verified profiles on Twitter, it’s most commonly some sort of Elon Musk themed scam. The hijackers compromise the account, switch the picture to Elon, and then start spamming cryptocurrency links. Alternatively, they may keep the account as it is and spam images claiming Elon has approved a giveaway or something similar.

Well, times have changed on the big blue bird app. Whisper it, but Elon tributes may no longer be the hottest way on the block to earn some scam money. Instead, we’re seeing verified profiles compromised to promote and sell NFTs instead.

Forging a new career in pixel art

At some point on Thursday a verified profile belonging to Siobhán McSweeney, a well-known Irish actor, started to behave a little unusually. That is to say, promoting a range of pixel art cats known as “GrumpyKatz”.

The tweet reads as follows:

Giveaway time!

I am working with @grumpykatznfts to giveaway 15 SOL ($1500)

To enter:

  • Follow me & @GrumpyKatzNFT
  • Like & RT
  • Tag 3 friends

We don’t know if the linked pixel art project is “genuine” or not, as there’s very little to go on from the profile itself. Another tweet (now deleted) suggested people should send a direct message to the account. Whoever was running this scam would likely have phished hopefuls via the hijacked Twitter account.

A short while after, the profile finally completed its full transformation. Behold the weirdly drawn ape of doom set as the profile picture:

You’ll notice the bio blurb has been altered to fit in with the general NFT theme taking place. It says:

Building an NFT community | 450,000 supporters | NFT promoter | DM for promo

The profile location has also been set to “Metaverse”, because of course it has.

Getting up to some monkey business

Followers of the actor were initially a bit surprised by the sudden interest in all things cryptocurrency. Had she decided to hop on the bandwagon? Or was something else at work? People weren’t sure and there was no 100% confirmed answer until a little earlier today.

This blog is safe for work so if you wish to see her, um, very enthusiastic condemnation of the account compromise, click here. At time of writing, some of the NFT/metaverse related Tweets are still on her profile.

What caused this, and how can you protect your Twitter account?

As to how it happened, there’s no indication just yet.

Verified profile accounts need to have two-factor authentication (2FA) enabled to be verified in the first place. But we’ve seen enough sneaky examples of people bypassing 2FA on different platforms previously.

Twitter offers a variety of options where it’s concerned: mobile, app, and security key. Perhaps the actor is using SMS codes and somebody performed a SIM swap attack. Maybe she uses an auth app but was taken to a phishing page which also asks for the time sensitive code.

I suspect we won’t find out. Even so, this is a good time to go check your login and verification settings on Twitter whether verified or not. You don’t want to accidentally wander into whatever currently passes for a metaverse, no matter how many free cats they claim to be giving away.


How a few PhD students revealed that phishing trainings might just not work: Lock and Code S03E03

You’ve likely fallen for it before—a simulated test sent by your own company to determine whether or not its employees are vulnerable to one of the most pernicious online threats today: Phishing.

Phishing has evolved in recent history, and as scammers have rolled out increasingly clever—and increasingly complex—phishing lures, companies have had to respond with increasingly better defenses. Most employees at large companies have a phishing “reporting” button that is embedded directly into their email client, and nearly just as many employees might have a phishing email detection system integrated into their email client, so that when a “fishy” email comes through (sorry), they are warned with a small notification at the top of the email.

But one of the primary defenses used today by countless companies is the practice called “contextual” or “embedded” training, and it’s a practice that, as we learn today on the Malwarebytes podcast Lock and Code with host David Ruiz, might not work.

It could be a little worse than that, actually—this practice could make things worse.

That’s one interpretation coming out of a 15-month long study run by several PhD candidates at the ETH Zurich university in Switzerland. By working with a company of tens of thousands of employees, these researchers were able to test what phishing defenses actually provided the best results, and after experimenting with embedded and contextual training in a voluntary format, they learned that the phishing resilience of those test subjects actually diminished.

Daniele Lain, who helped conduct the phishing research, told us:

“What we saw is that, very interestingly, if you do it like this—when you get training appearing when you fall for simulated emails—somehow it becomes much more likely that you actually fall for the subsequent phishing attempts.”

Daniele Lain

To say it’s a surprise is an understatement.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


Big Mother is watching: What parents REALLY think about tracking their kids

Every year on Data Privacy Day, we’re greeted with countless arguments about the absolute merits of data privacy (protections good, invasions bad), but we rarely see a faithful, factual accounting for the biggest data privacy conundrum facing billions of people every single day: Should parents invade the data privacy of their children and digitally track their activity in order to provide them with a little more safety?  

On Data Privacy Day this year, we decided to investigate the issue ourselves, and we found that, for the majority of parents we asked, the answer was a simple “Yes.”  

But there’s some nuance here, as parents revealed that their invasions of data privacy against their children typically happened when their children began to face new threats, whether online or in the real world. If a kid is old enough to enter a URL into a web browser, then they’re old enough to have that web browsing activity tracked, our parents revealed, and the same goes for opening a social media account, watching YouTube, and potentially just moving about the neighborhood, which could be tracked through GPS locations.  

Privacy invasions, then, are reactionary, and not planned. They are a response to a changing, frightening world that every parent has faced before, but that only parents today can push back against through the use of modern, digital tracking. 

Our survey

To learn more about what parents believe, earlier this month we asked our newsletter subscribers to fill in a short, anonymous survey about the monitoring they do of their kids.

We asked parents if they monitored their children’s location (GPS), web browsing, computer games, YouTube activity, social media posts, email, or WhatsApp or other message apps; the ages they started and stopped the monitoring; whether they told their children they were being monitored or not; and the age they thought children should be allowed to start using social media.

As with any online survey, you should understand the potential biases of the population involved: The respondents were a self-selecting group of individuals who care enough about technology, security, and privacy to have subscribed to a newsletter about it, and to respond to a survey about parental attitudes to electronic monitoring.

899 parents filled in the survey, and most of them had children aged nine years old or older.

Chart: Ages of respondents’ children. Responses to the question “How old is your child? If you have more than one child, please choose ONE, and answer all the questions in this survey about that child.”

Digital tracking is the norm

The survey suggests that using some form of electronic monitoring to keep tabs on children is the norm.

84% of our respondents admitted to some form of electronic monitoring of their children, 70% used at least one form of monitoring they had told their child about, and 36% used at least one form of monitoring they had not told their child about.

Parents who monitor tend to use more than one kind of monitoring, whether they tell their children or not. 54% of parents use at least two forms of monitoring with their child’s knowledge, and 24% of parents use at least two forms of monitoring without their child’s knowledge.

Chart: Number of activities monitored by parents. The number of activities monitored by parents who answered the question “Indicate which of your child’s activities you have monitored electronically, and whether or not you told your child about it.”

As you would expect, the number of parents monitoring multiple activities declines as the number of activities increases—more parents monitor one activity than two, more monitor two than three, and so on. There is one exception though. About 7% of the parents we surveyed monitored all seven of the different activities we asked about without their child’s knowledge.

What parents monitor

There is surprisingly little variation in the amount of parents monitoring each activity we asked about, with every individual activity being monitored by between about 30% and 40% of parents. The most common thing for parents to monitor electronically was their child’s physical location (GPS), and the least common thing to monitor was messaging apps. This may reflect where parents see the most potential harm, or it may simply reflect how easy some kinds of monitoring are compared to others. Of the activities we surveyed parents about, GPS is probably the easiest thing to monitor, and messaging apps the hardest.

Almost a quarter of the parents surveyed said they monitored their children’s web browsing without telling them.

Chart: Types of activity monitored by parents. The percentage of parents monitoring each of the activities they were asked about in the question “Indicate which of your child’s activities you have monitored electronically, and whether or not you told your child about it.”

When monitoring starts

As you might expect, the age at which parents start different types of electronic monitoring tends to reflect the ages at which children gain some level of independence in different areas of their lives.

Some parents start using electronic monitoring when their children are 3-5 years old, and others wait until their children are in their late teens, but the most common time to start electronic monitoring is when children are between 9 and 11, although it skews a little younger for computer games, and a little older for social media.

Chart: Children’s ages when electronic monitoring starts. Responses to the question “At what age did you START each of the following types of electronic monitoring? If you have not started yet but expect to, tell us when you intend to start.”

When monitoring ends

While there is lots of variation in the age when monitoring starts, there isn’t in when it stops. Parents, it seems, are very unlikely to stop monitoring their children before their eighteenth birthday.

Chart: Children’s ages when electronic monitoring stops. Responses to the question “At what age did you STOP each of the following types of electronic monitoring? If you have not stopped yet, tell us when you intend to stop.”

Social media

Our respondents were also asked when they thought children should be allowed to open Facebook, Twitter, Instagram, TikTok, and YouTube accounts.

Most of the popular social media platforms have a minimum age limit of 13 years, but only about 30% of our respondents thought that children were old enough to open a social media account at that age or younger. While more parents thought 15-17 was a better age, the biggest cohort by far—between about 40 and 50% of all the parents surveyed, depending on the platform—thought the minimum age should be 18 or older.

YouTube, which is popular with kids and has very different functionality than the other platforms in our list, skewed a little younger. And TikTok, the newest platform and perhaps the least well understood by parents, attracted the most caution, with more than 50% of parents saying children should be 18 years or older to open an account.

Chart: When children should be allowed social media accounts. Responses to the question “At what age do you think children should be allowed to have their own social media accounts?”

Conclusions

For our survey respondents, using electronic monitoring to keep tabs on their children is normal, and monitoring children without their knowledge is common. Parents that monitor their children tend to employ more than one method, and the most common age for each form of monitoring to start is—very roughly—the point where we might expect children to be given some independence in that area.

Most of the parents we surveyed think that children should be at least 15 before they open social media accounts, with 18+ the preferred age for about half of all parents. This puts social media platforms like Instagram, TikTok, and Twitter on a par with common minimum ages for things like sexual intercourse, driving, smoking, and drinking: Potentially dangerous activities reserved for children on the cusp of adulthood.

In short, our survey suggests that when it comes to privacy in the family, parents are conservative (in the “small c”, apolitical sense of the word) in their attitudes. Our survey says nothing about parents’ concern for children’s privacy in general, but it suggests that providing children with a space in which to be private from their parents plays a distant second fiddle to the responsibility parents feel for keeping them safe.


QNAP update stops Deadbolt ransomware, annoys some users, starts debate

Earlier this week (25 January, 2022) news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. The threat actors claimed the attack was based on a zero-day vulnerability specific to the devices.

Today QNAP® Systems, Inc. (QNAP) pushed out an automatic, forced update with firmware containing the latest security updates to protect against the attackers’ “DeadBolt” ransomware.

You might think that that is a good thing—if not exactly cause for celebration, at least a cause for relief—but some customers aren’t happy.

Deadbolt

The ransomware group responsible for this attack is calling themselves Deadbolt. They also use the same name in the file extension of the encrypted files their ransomware generates. Rather than using the usual method of dropping ransom notes in each folder on an affected device, Deadbolt ransomware hijacks the QNAP device’s login page. The hijacked screen starts with “WARNING: Your files have been locked by DeadBolt”. The complete ransom message is shown below:

WARNING: YOUR FILES HAVE BEEN LOCKED BY DEADBOLT

What happened?

All your files have been encrypted. This includes (but is not limited to) Photos, Documents and Spreadsheets.

Why me?

This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor (QNAP).

What now?

You can make a payment of (exactly) 0.030000 bitcoin to the following address:
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■

Once the payment has been made we'll follow up with a transaction to the same address, this transaction will include the decryption key as part of the transaction details. [more information]

You can enter the decryption key below to start the decryption process and get access to all your files again.

important message for QNAP

Reportedly, the ransomware has already affected at least 3,600 victims. Besides urging individual victims to pay for a decryption key, the ransomware gang is also trying to sell the full details of the alleged zero-day vulnerability to QNAP for five bitcoins, and is apparently also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims, and the zero-day info, for 50 bitcoins. There are many good reasons for not giving in to ransomware gangs’ demands, and QNAP doesn’t need the zero-day information because it has already created an update to thwart the vulnerability. However, the update hasn’t been as welcome as you might expect.
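The two indicators described above (files renamed with the gang’s name as their extension, and a login page replaced by the ransom screen) are enough for a quick triage check. The following is an added example, not QNAP tooling or code from the original post; the exact extension form `.deadbolt` is an assumption drawn from the report that the group reuses its name as the file extension, and the sample file listing and page body are constructed.

```python
"""Triage checks for the two Deadbolt indicators the write-up describes:
encrypted files carrying the gang's name as extension, and a NAS login
page replaced by the ransom screen. Added example, not QNAP tooling."""
import os
from collections import Counter
from typing import Iterable

# ".deadbolt" is assumed from the report that the group reuses its name
# as the file extension; the banner text is quoted from the ransom screen.
RANSOM_EXTENSION = ".deadbolt"
RANSOM_BANNER = "warning: your files have been locked by deadbolt"


def walk_paths(root: str) -> Iterable[str]:
    """Yield every file path under `root`, relative to it."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.relpath(os.path.join(dirpath, name), root)


def count_encrypted(paths: Iterable[str]) -> Counter:
    """Count files with the ransom extension, keyed by directory, so an
    operator can see which shares were hit; empty means no indicator."""
    hits: Counter = Counter()
    for path in paths:
        if path.lower().endswith(RANSOM_EXTENSION):
            hits[os.path.dirname(path) or "."] += 1
    return hits


def login_page_hijacked(page_html: str) -> bool:
    """True if the fetched login page body carries the ransom banner
    (case-insensitive: the screen shows it in title and upper case)."""
    return RANSOM_BANNER in page_html.lower()


def assess(paths: Iterable[str], page_html: str) -> dict:
    """Combine both indicators into one verdict suitable for a report."""
    hits = count_encrypted(paths)
    hijacked = login_page_hijacked(page_html)
    return {
        "encrypted_files": sum(hits.values()),
        "affected_dirs": sorted(hits),
        "login_page_hijacked": hijacked,
        "infected": bool(hits) or hijacked,
    }


if __name__ == "__main__":
    # Constructed sample listing and page body standing in for a real NAS.
    sample = ["Photos/holiday.jpg.deadbolt", "Photos/notes.txt",
              "Docs/budget.xlsx.DEADBOLT", "readme.txt"]
    page = "<html><body>WARNING: Your files have been locked by DeadBolt</body></html>"
    print(assess(sample, page))
```

On a real device, feed `walk_paths("/share")` and the body of the NAS login page into `assess()`; both checks are read-only, so they can be run before any cleanup that would remove the ransom screen.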

Forced update

The day after the news broke (26 January) QNAP issued a statement in response to the ransomware. It urged NAS users to follow the recommended security setting instructions to ensure the security of their routers, and to immediately update to the latest version of QTS—the Linux-based operating system developed by QNAP to run on its devices.

Later that day, QNAP took more drastic action and force-updated the firmware for all customers’ NAS devices to version 5.0.0.1891, the latest universal firmware which has been available since December 23rd, 2021.

Problems

As you might expect after a forced update, a number of unexpected side-effects arose, leaving the users affected by these problems unhappy.

Some users reported losing their devices’ iSCSI connections (iSCSI is a networking standard for linking data storage facilities), and some adapters were apparently left disabled by the update. The firmware update removed the ransomware executable and the ransom screen used to initiate decryption, which apparently left some victims who had already paid the ransom unable to proceed with decrypting their files after the update.

When warnings alone are not enough

As we all know, there is often a yawning gap between when a patch becomes available and when it’s actually applied. In this case, QNAP seems to have decided that closing that gap is the lesser of two evils.

And in all fairness, QNAP has been urging users to secure their devices since 7 January, 2022, with elaborate instructions on how to check whether their NAS devices are exposed to the Internet, how to disable the Port Forwarding function of the router, and how to disable the UPnP function.

This is just good advice either way, since QNAP NAS owners were already being targeted by other ransomware operations like Qlocker and eCh0raix. That is rather ironic, since many NAS owners use their devices to store backups in case their main systems become disabled by things like ransomware.

In response to criticism about the unannounced forced update, QNAP support stated:

“I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of deadbolt and our desire to stop this attack as soon as possible that we did this.”

We are curious as to how our readers feel about this. Let us know in the comments. Should device vendors be allowed to push updates when there is a clear and imminent danger?

Unless both business and consumer users get to grips with patching sooner, we can probably expect to see more of this kind of forced update.

The post QNAP update stops Deadbolt ransomware, annoys some users, starts debate appeared first on Malwarebytes Labs.

Ransomware gangs are recruiting breached individuals to persuade companies to pay up

You’ve heard about ransomware, where attackers lock up your files and demand a payment for the decryption key. You may also have heard about ransomware attackers not only locking up your files, but also threatening to release the stolen data in an attempt to get you to pay up.

What you may not have heard about is a relatively new tactic that ransomware attackers are using. Recent reports say attackers are using the stolen data to contact individuals (by social media, email or phone) that have been compromised in the attack.

Ransomware groups are using these direct contact tactics as extra leverage to make victims pay up. They contact staff or customers whose data was exfiltrated in the attack and get them to persuade the victim organization to pay, threatening to release their personal information if it doesn’t.

Earlier this week, NBC News published a story about a parent of a child who attended a school overseen by a district that was the victim of a ransomware attack. The attackers emailed the parent and asked him to put pressure on the district to pay up, or all the exfiltrated files, including information on him and his son, would be released on the dark web.

Allen School District

Ransomware attackers are always looking for low-hanging fruit. And schools have always been easy targets for ransomware, because of their limited budgets, especially for security. All of which was made worse by the demand for distance learning created by the Coronavirus pandemic.

In September 2021, Allen ISD was hit with a cyberattack, and later the subject of an attempted extortion by the culprits. Allen ISD serves nearly 22,000 K-12 students about 30 miles north of Dallas, Texas.

After consulting external cybersecurity experts, the school officials decided to refuse the hackers’ demands, and even told local media there was no evidence that data had been exfiltrated. That’s despite the fact that the ransomware group said it had obtained personal information from district students, families and staff, and attempted to extort Allen ISD out of millions of dollars.

Often, cybercriminals will follow the media coverage about how the incident is being portrayed and if they feel like the victim is not truthful, or misrepresents the situation, they have been known to escalate.

Personal contact

According to the person interviewed by NBC, the district did not tell parents or many staff that they had fallen victim to an attack, at least not before the contact was made by the attackers themselves.

The attackers use whatever contact information they can find, such as employee directories or customer databases, to identify individuals they can pressure. Learning about such an incident from the mouth of the attacker can be extra scary for those that had no clue whatsoever.

Enlist insiders

Another tactic that ransomware attackers use is to contact workers at a company in the reconnaissance stages of an attack to see if they can skip the infiltration stages by using an insider threat.

A new poll from identity protection company Hitachi ID Systems found that 65% of surveyed IT and security executives or their employees have been approached to assist in ransomware cyberattacks. This represents a 17% increase from a similar survey that was done a year earlier. In most cases, the attackers used email and social media to contact employees, but 27% of their approach efforts were conducted via phone calls, a direct and brazen means of contact.

Many ransomware gangs operate under a Ransomware-as-a-Service (RaaS) model, which consists of a core group of developers, who maintain the ransomware and payment sites, and recruited affiliates, who breach victims’ networks and encrypt devices. With an insider providing access, the developers can avoid splitting the money with an affiliate, or an affiliate can deliver a completed breach without needing complicated tools or going through failed attempts that risk detection.

A prime example of this is LockBit, which has been known to change the Windows wallpaper placed on encrypted devices to offer “millions of dollars” to corporate insiders who provide access to other networks where they have an account.

Insider risk mitigation

For those who are worried by the thought of possible insider threats, the Cybersecurity & Infrastructure Security Agency (CISA) has created an insider risk self-assessment tool, with which owners and operators of organizations, especially small and mid-sized ones that may not have in-house security departments, can gauge their vulnerability to an insider threat incident.

Stay safe, everyone!

The post Ransomware gangs are recruiting breached individuals to persuade companies to pay up appeared first on Malwarebytes Labs.