IT NEWS

Update now! Chrome patches critical RCE vulnerability in Safe Browsing

Google has issued an update for the Chrome browser which includes 26 security fixes. What stands out is that one of these fixes is rated as “critical”. The critical vulnerability is a use after free bug in the Safe Browsing feature.

The Stable channel has been updated to 97.0.4692.99 for Windows, Mac and Linux, and will roll out over the coming days/weeks. The Extended Stable channel has also been updated to 96.0.4664.110 for Windows and Mac, and will roll out over the coming days/weeks.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in Safe Browsing that was rated critical has been assigned CVE-2022-0289. While Chrome vulnerabilities are rarely rated critical, this is already the second one this year. The previous one (CVE-2022-0096) was another use after free vulnerability that could lead to remote code execution (RCE). That one, however, affected all Chromium-based browsers.

The vulnerability in Safe Browsing was reported by Sergei Glazunov of Google Project Zero on 2022-01-05. Project Zero is a team of security researchers at Google who study zero-day vulnerabilities in widely used hardware and software systems. This team also found a use after free vulnerability in Site Isolation, which is another Chrome security feature that acts as a sandbox to offer additional protection against some types of security bugs. The Site Isolation vulnerability was rated as high and not critical, because the exploitability is limited to the browser.

The vulnerability in Safe Browsing does not require any user interaction after the user has visited a malicious website that exploits this vulnerability. Any RCE vulnerability has the potential to take over the affected browser, which in this case could potentially lead to a complete system take-over.

Safe Browsing

Google Safe Browsing is a service that shows warnings to users when they attempt to navigate to dangerous sites or download dangerous files. Safe Browsing also notifies webmasters in case their websites are compromised by malicious actors and helps them diagnose and resolve the problem. And Google’s Ads Security team uses Safe Browsing to make sure that Google ads do not promote dangerous pages.

Many browsers like Google Chrome, Safari, Firefox, Vivaldi, and Brave use the lists of URLs for web resources that are known to contain malware or phishing content. These lists are provided by the Safe Browsing service. Google also provides a public API for the Safe Browsing service.

Use after free

Use after free (UAF) is a vulnerability that results from the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

How to protect yourself

If you’re a Chrome user, you should update to version 97.0.4692.99 as soon as possible.

The easiest way to update Chrome is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome update ready
Relaunch the browser to apply the update
Chrome update applied
After the update the version should be 97.0.4692.99

Stay safe, everyone!

The post Update now! Chrome patches critical RCE vulnerability in Safe Browsing appeared first on Malwarebytes Labs.

Red Cross begs attackers to “Do the right thing” after family reunion service compromised

Restoring Family Links is a program most commonly associated with The Red Cross. It’s been around since 1870, and aims to reunite lost family members, repatriate individuals, prevent folks from disappearing, and much more. You may have seen them in the news during times of disaster, war, and other situations necessitating some form of international aid.

Sadly, someone has compromised a large chunk of data related to the Restoring Family Links program and nobody knows what they intend to do with it.

Unauthorised access of data

In an attack billed as “sophisticated”, personal and confidential data related to no fewer than 515,000 people has been pilfered by unknown attackers. Those impacted may be victims of disaster, conflict, or detention.

According to the ICRC (International Committee of the Red Cross), the data originated from “at least 60 Red Cross and Red Crescent National Societies around the world”. The plundering itself took place from an “external company” located in Switzerland contracted to manage the data by the ICRC.

The impact of the attack is already being felt. Should you visit the Restoring Family Links page at this time, you’ll see it’s down for maintenance. The whole program’s systems have been shut down while they figure out what exactly has happened, and which bits of their network are still insecure.

As the ICRC notes, an average of 12 missing people a day are reunited with their families. Humanitarian work such as this can have potentially fatal consequences if interfered with, so the stakes here are very high indeed.

Under attack (again)

The Red Cross/ICRC have had a number of run-ins with hacks and leaks in the past. For example, 555,000 people had their details leaked in 2016 when Red Cross Australia blood donor information was accessed by someone without permission. In 2019, it happened again in Singapore but on a much smaller scale.

The ICRC takes this subject very seriously, to the extent there’s a handbook on data protection in humanitarian action. We don’t know yet how this aligns with whatever has happened at the external data host, however.

From untargeted to very targeted…

During the Japan tsunami and earthquake of 2011, a huge volume of scam attacks sank their claws into the disaster. We saw fake missing relative notices, bogus Red Cross websites, fake charity donation sites, 419 scams, and even radiation health e-books.

They all tried to exploit a crisis, but it was primarily very general and untargeted.

This breach could have severe consequences for both people in the data and those related to them. The pilfered details could be used for all manner of scam attempts. Phishing, social engineering, blackmail, fraud: all of these things and more could be in the running. Highly targeted, with a potentially very good chance of succeeding. Sensitive information could make its way to governments who don’t have the best interest of those named at heart.

The humanitarian world holds its breath

We don’t know what’s going to happen to the compromised data. There’s a real worry it could simply be tossed out into the ether. As the ICRC put it:

Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.

Will they do the right thing? Unfortunately, we could be in for a long wait to find out.


Mac users, update now! “Powerdir” flaw could allow attackers to spy on you

If you have been forgoing updating your Mac, this article might make you think twice.

The Microsoft 365 Defender Research Team has discovered a vulnerability in macOS, which allows malicious apps to successfully bypass a user’s privacy preferences. This means attackers could access personal data that was once private, as well as install a malicious app—or hijack one that’s already installed—to access the microphone to record conversations or capture screenshots of the user’s screen without them knowing.

Dubbed “Powerdir,” it is the latest in a lengthening line of Transparency, Consent, and Control (TCC) security framework bypasses that have been hitting Apple these past few months. The Microsoft team is said to have reported Powerdir to Apple in mid-July 2021, and Apple patched it six months later. It is tracked as CVE-2021-30970.

The Security & Privacy UI of a macOS device, which helps users configure the privacy settings of their apps. The TCC is the underlying technology that makes this happen. (Source: Microsoft)

The TCC is essentially the technology that keeps user data within a device private, so apps without full disk access rights cannot just access data without the user’s consent. It also houses a database of consent history for app requests.

While Apple has set up restrictions and blocking mechanisms against unauthorized code execution, the Microsoft team was able to successfully change a user’s home directory and plant a second TCC database (a specially crafted one, of course). In doing so, they were able to access protected user information.

Screenshot of the first working Powerdir proof-of-concept (PoC) (Source: Microsoft)

A bypass similar to Powerdir was presented by Wojciech Reguła and Csaba Fitzl at Black Hat USA in August 2021, along with over 20 more TCC bypasses. This flaw was tracked as CVE-2020-27937. However, despite Apple patching this, the Microsoft team’s PoC still worked until Apple released macOS Monterey in October 2021.

The Microsoft team then modified their first Powerdir PoC to make it work in the new macOS. Here’s a link to the demo video of how it now works in Monterey. This, too, has been patched by Apple and included as part of CVE-2021-30970.

How to protect yourself from Powerdir

All Mac users have to do is download and apply the fixes. Easy!

Stay safe!


Browsers on iOS, iPadOS and Mac leak your browsing activity and personal identifiers

Researchers at FingerprintJS, a Chicago-based firm that specializes in online fraud prevention, have published details of a software bug introduced in Safari 15’s implementation of the IndexedDB API that lets any website track your internet activity and may even reveal your identity.

They found that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy, a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins.

Safari

Safari is developed by Apple and designed to be the default browser for the Operating Systems macOS, iOS and iPadOS. As such, it has a market share of around 20%, which makes it the most used browser after Chrome, which has a market share of over 60%.

The researchers found that the current version of WebKit, the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS, can be tricked into skipping the same-origin check. To put it simply, the names of all IndexedDB databases are available to any site that you are visiting in the same session. Actual access to the content of each database is restricted however.

IndexedDB

IndexedDB is a browser API for client-side storage designed to hold significant amounts of data. It’s supported in all major browsers and is very commonly used. Normally, information stored in IndexedDB storage can only be accessed by a web page from the same domain that created it. If Google creates it, for example, the information cached there can only be accessed by another Google web page.

Google services store an IndexedDB instance for each of your logged-in accounts, with the name of the database corresponding to your Google User ID. This ID can be retrieved using this leak as well.

The leak

The information that can be gathered by exploiting this bug may seem limited at first sight. But it can disclose information about your recent browsing history and even some info about the logged-in Google account. So, it lets arbitrary websites learn what other websites you visit(ed) in different tabs or windows.

Additionally, some websites use unique user-specific identifiers in database names, which means that authenticated users can be uniquely and precisely identified. This includes, for example, your Google profile picture, which can be looked up using an ID attached to certain sites’ IndexedDB caches.

Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user.

Exploitability

Note that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time. So, all the criminals have to do is get you to visit a site designed by them. In such a case of actively controlled exploitation, the attacker could tell websites to open any other website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.

Mitigation

Apple has acknowledged the bug and worked on a solution, marking the issue as resolved. This does not mean the fix will take effect immediately, however. Updates take time to roll out, and it could be a while before your devices receive the fix.

If you are worried about this leak, you can use private mode in Safari 15. But this only helps partially because private mode in Safari 15 is also affected by the leak. It only helps because private Safari windows are restricted to a single tab, which reduces the extent of information available via the leak. If you visit multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites.

Another way to limit the impact is to block all JavaScript by default and only allow it on sites that are trusted. But this makes web browsing very inconvenient and is likely not a good solution for everyone. Moreover, vulnerabilities like cross-site scripting make it possible to get targeted via trusted sites as well, although the risk is much smaller.

macOS users can switch to another browser but, unfortunately, this is not an option on iOS and iPadOS as all browsers are affected on these operating systems.

Demo

For those interested, the researchers have created a demo that demonstrates how a website can learn the Google account identity of any visitor. The demo is available at safarileaks.com.

If you open the page and start the demo in an affected browser, you will see how the current browsing context and your identity are leaked right away. Identity data will only be available if you are authenticated to your Google account in the same browsing session.

Stay safe, everyone!


Campaign launched to delay social media end-to-end encryption

The many issues surrounding end-to-end encryption (E2EE) are ever-present. They usually spring up when something that could potentially affect the safety of those who are vulnerable comes to light.

Back in November, Meta announced it had delayed plans to roll out E2EE on its Facebook and Instagram platforms until 2023, because the company needed more time to “get this right”. Not surprisingly, the UK government has been deeply concerned since it was first announced in 2019.

Child predators were busy in 2021

No Place To Hide, a UK-government backed child safety campaign, launched on Tuesday, aiming to “keep children safe online without compromising user privacy.”

An official campaign video for No Place To Hide

The campaign is supported by Barnardo’s, the UK’s largest national children’s charity; The Lucy Faithfull Foundation, a charity that focuses on abused children; The Marie Collins Foundation, a charity that focuses on children abused using technology and the internet; and SafeToNet, a “cyber-safety company” that develops apps to keep online threats to children, such as cyberbullying, sexting, and aggression, at bay.

Child predators could be anywhere, especially online. And in a recent revelation from the Internet Watch Foundation (IWF), 2021 is most noteworthy as “the worst year on record for child abuse online” due to pandemic lockdowns. The IWF dealt with 361,000 cases just last year, a staggering 25,442 more than the 335,558 cases the foundation assessed in total during its first 15 years of service.

Younger and younger children have been targeted as they spend more time online, leaving them ever more vulnerable to communities of criminals eager and willing to manipulate them into capturing sexual abuse imagery via their own webcams. These are deemed “self-generated material” and, more often than not, they are freely exchanged in the open web.

“Children are being targeted, approached, groomed, and abused by criminals on an industrial scale,” says Susie Hargreaves OBE, Chief Executive of the IWF, in a press release, “So often, this sexual abuse is happening in children’s bedrooms in family homes, with parents being wholly unaware of what is being done to their children by strangers with an internet connection.”

And one of the things that probably keeps child predators from getting caught is E2EE. Speaking to the BBC, a spokesperson from No Place To Hide has said that E2EE apps being rolled out would be “like turning the lights off on the ability to identify child sex abusers online.”

Although this may sound like the coalition is against E2EE, they’re not, “as long as it is implemented in a way that does not put children at risk.” They also said they are in full support of strong privacy and children’s online safety, and urge social media sites to protect both.

“We want social media companies to confirm they will not implement end-to-end encryption until they have the technology in place to ensure children will not be put at greater risk as a result,” No Place To Hide’s campaign website states. “They need to show that the changes will not make it easier for child sex abusers to groom children; make, share, or view sexual images of children; and avoid detection by law enforcement agencies.”

The upsides and downsides of using E2EE

There is no denying that end-to-end encryption has been essential—life-saving, even—in keeping the exchange of data and information private with only the sender and receiver able to read the messages between them. Not only has it made online banking possible, it protects people from scams, hacking attempts, fraud attempts, surveillance, and potential breaches.

Children, too, can benefit from using E2EE. Encryption protects them from tech and social media companies, for example, who are keen on gathering data, profiling their users, and targeting them for advertising purposes. Furthermore, E2EE gives children the safe space they need to just express themselves without fear of judgment.

On the flip side, law enforcement, governments, and service providers where E2EE is incorporated would not be able to access data that might be essential in their intelligence gathering efforts in the name of national security. This, along with child safety, is one of the two linchpin arguments that keeps the fight against E2EE alive, and many governments and international committees are backing it.

Parents and carers, take the lead

The distribution and promotion of child sexual abuse material (CSAM) online is a huge problem that every nation needs to address. But is it really at the cost of compromising end-to-end encryption—and to a larger degree, our privacy?

Everyone needs to be protected online, especially the most vulnerable members of our society. And everyone should be able to use E2EE and be given the option to stay anonymous. Unfortunately, the bad guys also benefit from good things created for everyone. And breaking the very technology that is designed to protect us from all sorts of threats online is no better than not having any form of protection at all.

We feel for the parents and carers who may find themselves in the middle of this now-political battle concerning everyone’s online privacy and the safety of their children. What are they to do?

If you think your child is old enough to be left alone, even for a little while, to use the Internet on their own, wouldn’t now be the perfect time to talk to them about the possible dangers they could meet online? Perhaps more than having E2EE, they need the proper guidance of their parents on how to navigate the web and how to interact with other people online. Not only that, young and pre-teen children need hands-on intervention, if certain situations call for it.

We encourage you to work together towards keeping your children secure wherever they are online.


Cybercriminals’ friend VPNLab.net shut down by law enforcement

Europol has announced that law enforcement has seized or disrupted the 15 servers that hosted VPNLab.net’s service, rendering it no longer available.

Led by the Central Criminal Office of the Hannover Police Department in Germany, the coordinated operation took place in Germany itself, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom.

What was VPNLab.net?

VPNLab.net was a virtual private network provider that mostly advertised its services on the criminal side of the Dark Web, and provided services for various cybercriminals, including ransomware gangs. VPNLab had been around since 2008 and had built its service around the OpenVPN technology, used strong encryption, and provided double VPN, with servers located in many different countries.

According to its own website before it was taken down, VPNLab said it was a service providing your security on the Internet by using encryption of original traffic.

“Our service is designed for a broad spectrum of clients who care about their personal security. We set a special encrypted channel between your computer and our foreign servers. The channel is installed based on OpenVPN technology and encrypted using 2048 bit key and thanks to sophisticated algorithms all the information is unreadable for your provider. Average users don’t see the necessity of the described procedure and may even find it useless.”

At a cost of $60 per year, and with a multitude of accepted payment methods that included WebMoney, Perfect Money, and a host of cryptocurrencies, nothing would have indicated to visitors that they were looking at a predominantly illicitly used service rather than at one that simply took privacy seriously.

What is double VPN?

Double VPN is basically what the name suggests. Your online activities are not hidden behind one, but two servers. The basic technology is called VPN server chaining and the idea behind it is pretty simple, but that doesn’t mean the technology is.

  • Your traffic is encrypted on your device and sent to an external VPN server.
  • Upon reaching the server it is encrypted again.
  • The double encrypted data goes to a second server where it is decrypted.
  • And then the information is sent to its destination, secure and private.

Double VPN is not a common feature, because it is very slow. When your traffic runs through two VPN servers located in different countries thousands of miles apart, the slowdown becomes inevitable. Also, using double encryption is especially resource-demanding.

Keeping your traffic private really has to be worth the time and resources before double VPN makes sense. This narrows down the interested users, but certainly includes many criminals.

DoubleVPN was also the name of a similar service used by cybercrime groups that got taken down in a coordinated effort between global law enforcement agencies, led by the Dutch National Police in June of 2021.

The impact

During this week’s operation, 15 servers were taken offline and the domain name was seized. No arrests were mentioned which probably means that none were made.

According to the Head of Europol’s European Cybercrime Centre, Edvardas Šileris:

“The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online. Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches.”

The actions are not directed at VPN services per se. But if service providers support illegal activity and are unwilling to provide any information in response to legal requests from law enforcement authorities, then international law enforcement agencies will cooperate to shut down the global network and destroy brands that are clearly servicing criminals.

The bulletproof nature of the service made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of being detected by authorities. Law enforcement took interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution.

Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. It was even advertised as such a service on the Dark Web.

All in all, it is another dent in the infrastructure provided to cybercriminals, which may have prevented or postponed a few crimes.


Infamous dark net carding site UniCC to close

UniCC, the largest site on the dark web that sells credit card and debit card information, will close up shop for good, taking its affiliate site, LuxSocks, with it, too. According to Elliptic, a company that offers risk solutions for cryptoassets, the unknown UniCC administrators have made an estimated $358M USD in cryptocurrency for selling stolen credit card details.

A little bit about UniCC

UniCC opened shop in 2013, and specialized in credit card fraud and the sale of card details to criminals, collectively called carding. As you may already know, once online criminals get hold of your card details, they can use these to conduct unauthorized transactions. Such details can also be resold for cash, used in identity theft or the making of a synthetic identity, or used to further cash out cryptocurrencies gained from other online crimes.

The underground market accepts cryptocurrency payments of Bitcoin, Litecoin, Ether, and Dash.

And so, after nearly a decade of being active, administrators have announced their “retirement” on a carding forum. The announcement is in both Russian and English.

The UniCC post to a forum in English. (Source: Elliptic)

“Our team retires,” the announcement reads. After expressing their appreciation to clients, partners, and colleagues, they then proceed to shoot down potential gossip on why they suddenly decided to close shop: “…we are not young and our health do [sic] not allow to work like this any longer.” They then ended their piece with a warning, which is the final nail in the coffin: “We ask you to be smart and not follow any fakes tied to our comeback and other things.”

UniCC has filled the void left in the underground carding market after Joker’s Stash, deemed one of the founders of the carding industry in the dark web, voluntarily pulled the plug in February 2021. It’s believed that the administrator behind Joker’s Stash came away a “Bitcoin billionaire”.

Sunsetting and mixed feelings

UniCC and Joker’s Stash aren’t the only carding markets that have voluntarily exited this illicit industry.

“Right now it seems to be happening more,” said Professor David Décary-Hétu, a criminologist at the University of Montreal, in a BBC interview, “Markets gracefully exit and say, ‘We’ve made enough money, and before we get caught, we’re just going to retire and go into the sunset.’”

Eight months after Joker’s Stash went kaput, White House Market (WHM), a darknet marketplace, shut down. Then in November 2021, Cannazon, the largest marketplace for buying marijuana-based products, shut after a DDoS attack. Then to round off the year, ToRReZ Market, a site selling illegal products, closed in December 2021.

According to research conducted by the BBC, Europol, and European Monitoring Centre for Drugs and Drug Addiction (EMCDDA), there are at least five known reasons why markets in the dark web close.

Voluntary retirement, or “sunsetting”, is second to “exit scam”, which is where the market admins pull the rug from under their clients and partners and run away with the money. That’s exactly what happened recently with Arbix Finance.


While this wave of sunsetting may sound like great news to a lot of us, law enforcement has mixed feelings about it.

Alex Hudson, the Head of Darknet Intelligence at the National Crime Agency (NCA), is quoted by the BBC as saying: “I always celebrate anybody who perhaps realises that they’re in an occupation, which is criminalised and decided not to enhance that further. If there is a regret, it’s that we do need to hold them accountable for it and they need to understand that they will still be held accountable.”


Nintendo warns of imitation websites and suspicious hardware

Brave indeed is the soul who decides to take on Nintendo with scam-filled behaviour online. The console legends have a long history of cracking down on fraud, as well as on gaming pastimes some would consider to be harmless.

Whether you create fan-made games, offer up plundered ROMs for use in emulators, or even just want to rent out some titles: Nintendo has almost certainly made the news.

This is before we even get to the Switch hacker improbably named Bowser who had to pay Nintendo $4.5 million as a result of said hacking.

It’s dangerous to hack alone

In a nutshell: perilous is the path of Nintendo fandom, and activities Nintendo may strongly disagree with. The company has always come down particularly hard on scams and hardware fakeouts, because it simply does not want people tampering with physical devices. The crown jewels are the online services and digital products, and Nintendo doesn’t want bogus consoles or cartridges mixing and matching with the real thing.

Last year, a big Nintendo story was the breach of around 300,000 Nintendo accounts. Suspected reasons for the spill included phishing and/or credential stuffing, with a fair bit of probable password reuse thrown in for good measure. There’s also the famous 2017 breach where files dating back to the 80s were accessed via the use of VPNs.

At this point, we can safely say two things. One: Nintendo absolutely does not want to entertain phishers, or bogus Nintendo websites. That path leads to bad experiences for Nintendo customers. Two: Nintendo absolutely does not want to entertain unofficial hardware, or suspicious device sales. This is another path filled with knock-off devices or tampered game cartridges.

The end result is that combining fake sites (which may or may not be phishing) with unofficial hardware sales will draw Nintendo’s attention extremely quickly.

Nintendo impersonations, phantom products?

For that reason, Nintendo has published a warning in relation to a fake site. A rough translation follows:

We have confirmed the existence of a fake site that impersonates the Nintendo homepage. These fake sites have nothing to do with us.

The fake site uses our logo illegally, making it look as if it is operated by us, and you can purchase our products such as Nintendo Switch at a significantly discounted price. If you purchase a product on a fake site, you may be scammed by fraudulent acquisition of personal information. Please be careful not to mistake it for our website, and do not purchase products from fake websites.

Nintendo usually holds on to lots of additional data where hacks or scams are concerned, likely because they are spending a lot of time investigating behind the scenes. This is how you eventually end up with people in front of judges.

Sadly, this sometimes makes it a bit tricky to figure out the who, what, when, where, and of course, why of any given situation. As Nintendo hasn’t released any information with regards to the fake site, it’s tricky to add much beyond what’s already been said.

Sounding out the scam

This definitely sounds like bogus device sales…if those devices even exist. It may well just be a fake store selling absolutely nothing at all, but that captures victims’ payment details. It’s possible the site in question also asks visitors to log in with their Nintendo accounts too. We simply don’t know.

The announcement on social media and the press release appear to (currently) be aimed at Japanese consumers only, so impact from this site may be more limited than usual. The release also points people to nintendo(dot)co(dot)jp as the official site, and doesn’t mention other regional variations.

For some semblance of completeness, there's also Nintendo(dot)co(dot)uk, Nintendo-europe(dot)com, and Nintendo(dot)com for the US. There are almost certainly more, but those tend to be the main first ports of call, and an address that merely contains the word "Nintendo" somewhere in it is not one of them. If you haven't set up two-factor authentication on your Nintendo account, now is the perfect time to do it. The Princess may well be in another castle, but we don't have to say the same thing about your login details.
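The practical check behind the advice above is that a URL belongs to Nintendo only if its hostname is one of the official domains or a subdomain of one, not merely a string that contains "nintendo". The following is an added illustration, not code from Malwarebytes or Nintendo; the allowlist is the set of domains named in the text (treating any subdomain of them as legitimate is an assumption), and the sample URLs are constructed for the demonstration.

```python
"""Decide whether a URL really points at an official Nintendo domain.

Added example, not Malwarebytes' or Nintendo's code.  The allowlist is the
set of domains the article names; the lookalike URLs in main() are made up.
"""
from typing import Optional
from urllib.parse import urlsplit

# Registrable domains named in the article.  Assumption: any subdomain of
# these (accounts.nintendo.com, www.nintendo.co.jp, ...) is legitimate.
OFFICIAL_DOMAINS = {
    "nintendo.co.jp",
    "nintendo.co.uk",
    "nintendo-europe.com",
    "nintendo.com",
}


def refang(text: str) -> str:
    """Turn the defanged '(dot)' / '[.]' notation used in write-ups back into dots."""
    return text.replace("(dot)", ".").replace("[.]", ".")


def hostname_of(url: str) -> Optional[str]:
    """Extract the hostname, tolerating a pasted bare host with no scheme.

    urlsplit().hostname drops userinfo ('nintendo.com@evil.example' becomes
    'evil.example'), the port and the path, and lowercases the result.
    """
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        return None
    # A trailing dot is an absolute DNS name; normalise it away.
    return host.rstrip(".").lower()


def is_official(url: str) -> bool:
    """True only if the host IS an official domain or a subdomain of one.

    Matching on a label boundary is the whole point: 'nintendo.com.evil.example'
    and 'www-nintendo.com' both contain 'nintendo.com' but are not subdomains
    of it, so a plain substring test would wave them through.
    """
    host = hostname_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def main() -> None:
    # Constructed sample URLs: three legitimate forms, four common lookalike tricks.
    samples = [
        "https://accounts.nintendo.com/login",
        "nintendo(dot)co(dot)jp",
        "https://www.nintendo-europe.com:443/",
        "https://nintendo.com.evil.example/switch-sale",   # official domain as a prefix
        "https://nintendo.com@evil.example/",              # official domain as userinfo
        "https://www-nintendo.com/",                       # hyphen instead of a dot
        "https://nintendo-switch-sale.com/",               # brand name in a new domain
    ]
    for url in samples:
        print(f"{'OFFICIAL' if is_official(url) else 'lookalike':9s} {hostname_of(url)!s:30s} {url}")


if __name__ == "__main__":
    main()
```

The same label-boundary rule applies to any brand allowlist; the lookalikes in the sample list are the forms that defeat a naive `"nintendo.com" in url` check.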

The post Nintendo warns of imitation websites and suspicious hardware appeared first on Malwarebytes Labs.

Why we don’t patch, with Jess Dodson: Lock and Code S03E02

In 2017, the largest ransomware attack ever recorded hit the world, infecting more than 230,000 computers across more than 150 countries in just 24 hours. And it could have been prevented by a patch that had been released nearly two months earlier.

This was the WannaCry ransomware attack, and its final economic impact, in ransoms paid but also in downtime and recovery efforts, has been estimated at about $4 billion. All of it could have been avoided if every organization running a vulnerable version of Windows (Windows 7 machines made up the bulk of the victims) had applied that patch, as Microsoft recommended. But that obviously didn't happen.

Why is that?

In today’s episode of Lock and Code with host David Ruiz, we speak with cybersecurity professional Jess Dodson about why patching is so hard to get right for so many organizations, and what we could all do to better improve our patching duties.

According to Dodson, the problem of patching isn’t just a problem of resources—time, staffing, funding—but also of mindset. For some organizations, refusing to patch almost brings with it a bizarre sense of pride, Dodson said.

“I was having a chat to a fellow security professional who was doing some work for an organization where they were boasting about servers being up for 1,000 days. That’s not something to be proud of. I don’t get the whole idea of being proud of your uptime. That just means you haven’t done any updates on that thing for three years.”

Jess Dodson

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why we don’t patch, with Jess Dodson: Lock and Code S03E02 appeared first on Malwarebytes Labs.

REvil ransomware gang busted by Russian Federal Security Service

Eight members of the REvil ransomware group have been arrested in Russia and will face criminal charges.

Russia’s intelligence bureau, the FSB, announced on Friday that it had conducted an operation together with the Interior Ministry in Moscow, St. Petersburg, and the regions of Moscow, Leningrad and Lipetsk to detain the gang members.

In total, the FSB raided 25 homes of 14 members of the group and seized more than 426 million rubles ($5.6 million), including cryptocurrency, $600,000, €500,000, computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money.

Eight of the suspects have been indicted. They are suspected of committing a crime stipulated under Part 2 of Article 187 of Russia’s Criminal Code (‘Illegal Circulation of Means of Payment’).

US input

The FSB began the investigation after receiving information from US agencies about a criminal group and its involvement in attacks on foreign high-tech companies, by implanting malware, encrypting data and extorting money for its decryption. Based on the information provided, the FSB managed to identify all members of the REvil gang, document their illegal activities, and establish their participation in “illegal circulation of means of payment.”

The question of whether the arrests are a direct result of the pressure the Biden administration has been applying on Russian President Vladimir Putin to move against ransomware groups operating in Russia will probably never receive an official Russian answer. The United States government hasn’t indicated how it plans to respond to attacks emanating from Russia, but in July 2021 Biden hinted at digital retaliation if Russian cooperation was not forthcoming.

A Kremlin statement back then said Putin told Biden that Russia had not received any requests from the relevant US departments in the last month, and said that Russia was ready to jointly stop crime.

Now it looks like that might have happened, and hopefully not for the last time. There are many other ransomware groups believed to be based in the CIS (Commonwealth of Independent States).

REvil

We have talked about REvil here many times. Among other articles, you can find a threat spotlight from 2019, and a detailed report about REvil’s supply chain attack against Kaseya. That one even made it into the three most significant cyberattacks of 2021.

According to the FSB, as a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the REvil gang has ceased to exist, its information infrastructure used for criminal purposes having been neutralized.

A lot has been written and speculated about REvil’s origin, and about whether the gang would come back after part of its infrastructure was shut down or when affiliates were arrested. So, if you ask us whether this is the end of REvil, it’s hard to give a definitive answer.

But whether the gang reopens operations under the same name, or whether it spawns a new organization under new management, the result will be the same. The infection methods, the extortion tactics, and the merciless attacks will undoubtedly continue.

Stay safe, everyone!

The post REvil ransomware gang busted by Russian Federal Security Service appeared first on Malwarebytes Labs.