IT NEWS

In April of 2021, Apple introduced AirTags to the world, making the small tracking devices—similar to a Tile— available for purchase at the end of that month. The circular, coin-like product is designed to be attached to or placed in objects that are commonly lost, such as keychains, wallets, purses, backpacks, etc.

You can track an AirTag with your iPhone in some powerful ways, enabling you to locate a set of keys that has fallen down between the cushions of a couch, for example. You can see its location on a map, and if you’re close to it, you can get a directional signal on newer iPhones. It can be put into lost mode, enabling someone who finds it to tap it with their phone and get information you supply, such as a phone number to call.

Sounds great, right? Everyone who has ever had something stolen—a laptop bag, for example—has fantasized about being able to track it down and get their property back. (The reality is a bit grittier. It’s not hard to find news stories of people using things like Find My iPhone to follow their stolen property directly into danger, being shot at when they approached the thief they’d tracked down.)

Unfortunately, there’s a dark side to AirTags: stalking.

Why are AirTags so good for stalking?

Although they are conceptually similar to a Tile, AirTags have far more stalking potential. A Tile that isn’t near you can only be tracked if it comes into proximity of someone with the Tile app open and active on their phone. If the Tile app can detect the Tile, it can report the location and the owner of the Tile can see where it is.

However, an AirTag’s location can be tracked any time it comes into proximity of any iPhone. The number of iPhones out there moving around in the world is substantially higher than the number of phones with a Tile app open and active. iPhones form a massive tracking network for AirTags that can be quite difficult to get away from. Long-time Mac expert and writer Kirk McElhearn sent an AirTag through the mail, as a test, and was able to follow its progress quite successfully.

AirTags are also rather small. They’re easily hidden in a bag, a vehicle, or anything else you might carry with you. There have been stories of people finding AirTags in their bags, various places on the exterior of their cars, hidden inside the frame of their bicycles, and more. Keep in mind, these are all folks who don’t actually own the AirTag in question!

Sounds terrifying! How can I avoid being tracked?

Apple has taken some measures to prevent AirTags from being used for stalking. Unfortunately, these measures are not 100% effective.

First, if you have an iPhone and an unknown AirTag is detected moving along with you for some period of time, your iPhone will notify you. (It’s unclear exactly how long it takes for this message to appear.) This is a reasonable measure, but there’s one major flaw: not everyone has an iPhone. Apple did recently release an Android app that can be used to help find unknown AirTags moving with you, but that requires you to take action proactively, and many probably will not do so.

If you don’t have an iPhone or the Android app, AirTags were, at the time of release, designed to start playing a sound periodically after they’d been separated from their owner for 3 days. After much criticism about this being far too long an interval, Apple shortened it to between 8 and 24 hours (the exact time is apparently random).

Unfortunately, there are a couple problems with this. For one, the sound isn’t that loud, and could easily be muffled if it were buried inside a bag, or completely inaudible if it were somewhere on the exterior of a car and you didn’t happen to be there when the alert sounded.

Another problem is that this only works when the AirTag has been away from its owner for at least 8 hours. This may work well in some situations, but it won’t work in the case of intimate partner abuse, in which the victim is in regular contact with their abuser. It also won’t work if the stalker only needs to track you for a few hours before getting the information they’re interested in, such as the location of your home.

Recently, yet another problem has arisen. It was discovered that someone was selling a “silent AirTag” on Etsy. The claim was that the seller had modified the hardware in order to disable the speaker, and was reselling it for a higher price. Fortunately, it appears that Etsy has taken this listing down, but the fact remains that if one person is doing these modifications, others are as well, and there’s nothing Apple can do about it.

We asked Eva Galperin for her thoughts, and as she told us, “This was very easy to see coming. I am absolutely not surprised and probably neither is anyone at Apple. Tiles have not been modified in a similar way because Tiles do not beep in the same way AirTags do.”

What do I do if I find an AirTag in my stuff?

Assuming you have an iPhone, you can unlock your phone and touch the back of the top of your phone to the AirTag. A notification should appear, offering to open found.apple.com in Safari. Tap the notification to open that site, and you’ll see some info about the AirTag as well as a link to instructions on how to disable it.

This advice is different for survivors of domestic abuse, though, because disabling an AirTag could alert an abuser. Similar to instances of stalkerware, domestic abuse survivors should consider their own safety planning before immediately disabling forms of digital stalking. The National Network to End Domestic Violence has many specialists trained on technology-enabled abuse, and can help those who need a safety plan before taking action.

If you don’t have an iPhone, or don’t have it with you, or just don’t feel comfortable scanning an unknown AirTag like this, the instructions to disable the AirTag aren’t very complicated. You simply press down and twist counterclockwise on the back of the AirTag. (The back is the shiny side with the Apple logo.) This should open the battery compartment cover, allowing you to remove the battery. Once the battery has been removed, the AirTag can no longer be tracked.

Note that scanning the AirTag gives you the serial number and the owner’s phone number, which may help in the event of legal action against a stalker. The phone number could be a fake one, but the AirTag has to be linked to someone’s Apple ID in order for them to track it. The serial number should help Apple identify the owner’s Apple ID.

Conclusion

I fully understand why Apple created the AirTag. People like Find My for locating lost or stolen devices, and they like being able to share their locations with friends and family via Find My. (“They” in this case meaning people in general… obviously, there are individuals who dislike such things.) There is a customer need for something like an AirTag. This need has sustained Tile for years.

That said, there’s a significant difference between AirTags and anything that came before them. iPhones are not cheap, so though you can track them in the same way as an AirTag, you wouldn’t exactly want to plant one in someone’s bag or on their car. Tiles are cheap, but can’t be tracked as thoroughly as an AirTag.

The fact that AirTags are cheap, disposable, and can be tracked with decent precision makes them an ideal tool for stalkers. Apple was aware of this, and to their credit, they put a lot of thought into prevention of such usage. However, it’s also obvious that Apple failed in the area they so often fail at: consulting with experts outside Apple. It wasn’t until after the release that Apple was informed, by experts in the fight against stalking, of some of the device’s flaws. Like, for example, the former 3 day interval before it starts making noise after being separated from its owner.

Apple’s secretive nature often makes Apple its own worst enemy. Most people these days know that having a diverse set of opinions and inputs makes for better decisions. By keeping itself so isolated, Apple loses the opportunity to learn from and collaborate with experts in the field.

Apple also missed the boat for folks who don’t own iPhones. According to Galperin, “Apple’s AirTag anti-stalking measures are not enough. The next step required cooperation between Apple and Google to get the same levels of protection from AirTags on Androids as you have if you own an IPhone.” We couldn’t agree more, yet neither are we surprised that Apple and Google didn’t work together to solve this problem.

If you choose to buy and use AirTags, I can’t blame you. After all, I own one, and I like the way it works for my purposes. However, I’m still conflicted about owning one, since I know how much potential harm they can cause.

The post A worrying Etsy listing reveals the stalking potential of Apple’s AirTags appeared first on Malwarebytes Labs.

By using an exploit in the software of crypto-trading platform Wormhole, threat actors have stolen an estimated $322 million in cryptocurrencies. The platform is offering a $10 million award for the  stolen money and details about the attack.

How they pulled it off

Wormhole Portal is a web-based application that allows users to convert one form of cryptocurrency into another. These portals are often referred to as blockchain bridges. Basically they use Ethereum smart contracts (computer code stored on a blockchain) to connect the input currency and the desired output currency.

The attacker is believed to have exploited this process to trick the Wormhole project into releasing Ether (ETH) and Solana (SOL) coins for a far greater value than their input value. Analysis by experts showed that the attacker created a guardian account by using information pointing back to an earlier, legitimate and much smaller, transaction.

The short version of what happened is easy. Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.

Earlier this year, Ethereum co-founder Vitalik Buterin already pointed out the fundamental security limits of bridges on Reddit, where he argued for a multi-chain blockchain ecosystem rather than the cross-chain applications, like bridges.

“it’s always safer to hold Ethereum-native assets on Ethereum or Solana-native assets on Solana than it is to hold Ethereum-native assets on Solana or Solana-native assets on Ethereum.”

Isn’t it ironic that he used exactly the currencies that were involved in this hack in his example?

Currency trading platforms

Crypto exchanges work like traditional money exchanges, setting prices for various currencies and taking a small fee to let users trade one. But while traditional exchanges are highly regulated by governments and international banks, it’s relatively easy to set up a cryptocurrency exchange nearly anywhere in the world and run it however you like. And under the hood they are just websites, websites that inherit all of the insecurities of the current state of web development in 2022 and inherit none of the considerable security inherent in blockchains, which are designed to prevent tampering, not theft.

Personally, I had never heard of the Wormhole platform before. That may be just me, but I’m guessing the same is true for many people. So how is it possible that someone can steal that amount of money from a platform most people have never even heard of? I was in no way shocked or surprised however to learn that such a platform can be hacked. It has happened before and it will happen again. In 2021 alone, there have been more than 20 incidents where a threat actor stole at least $10 million in digital currencies from a crypto exchange or project.

In this “industry” of fast moving money, huge profits–and losses–can be made and all that comes spiced with a hint of secrecy and hi-tech. But apparently it is more important to be the first to introduce new technologies than it is to check whether the security is in place to keep everything in check. We all know that we don’t need to invest in a fire-proof safe for the small amount of cash most people have. The investment would outweigh the risk. But if you are dealing in millions of dollars you might at least check that your account validation is waterproof, right?

The end?

Probably not. To be continued is more likely.

At the time of writing the Wormhole Portal is displaying a message stating:

“We’re actively working to get Portal back up and running.

A fix has been deployed and all funds are safe.

Thank you for your support and trust.”

In a message left on the blockchain we can read:

“We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at contact(@)certus.one”

Where we would like to take exception against the use of the term “bug bounty” which we would like to reserve for legitimate white hat hackers, working to make the world a safer place. This white hat guild holds no seat for a thief that exploits first and then sells the information about how they did it. Surely the only reason they would accept this deal is to avoid having a criminal complaint filed against them.

The only good news is that it looks like the exchange plans to carry on business so it did apparently not get robbed beyond recovery. Unfortunately, many others in the past have had to pull the plug after such an incident, leaving investors and traders in the cold.

The post $320 milllion stolen from Wormhole crypto-trading platform appeared first on Malwarebytes Labs.

Why do machines always throw a tantrum when you are in a hurry? It’s called Murphy’s Law which some people may know as the butter side down rule. Anything that can go wrong will go wrong. And usually at a time when it is most inconvenient.

That being said, there are ways to speed things up. Let’s have a look at some options to fix slow computers.

Why is my PC so slow all of a sudden?

If the speed change is sudden, your first port of call should be to run a malware scan. Malwarebytes can help with this. If your scan finds any threats then remove them from your computer and restart the system.

My PC is gradually slowing

Malware isn’t always the reason for a slow system. If the slowdown has been a gradual process, there may be other factors at play.

In these cases there are three main vectors to tackle speeding up a computer:

• Hardware
• Installed software
• Operating system

Replacing hardware

Modern computers consist of many components that have to work well together. The speed at which your computer operates varies according to the speeds of its individual components. There may be a component that is acting as a bottleneck and replacing it may be the key to success.

Replacing hardware can be an expensive way to speed up your computer, especially since many users will have to outsource the replacement. The computer parts that have the biggest influence on the system’s speed are:

• Memory. Computer memory is where data is processed and the instructions required for processing are stored. Upgrading or adding memory can have immediate results and is usually not very hard to do.
• CPU. The central processing unit is the most important chip in your system and has a big influence on speed. Both the processor cores and the clock speed are important to consider when you are looking for speed. Keep in mind that a degrading CPU cooling system can also be a speed limiter.
• Hard drives. The read/write speed of a hard drive is the factor that has the biggest influence on your overall speed. Due to technical differences, HDDs (hard-disk drives) cannot compete with SSDs (solid state drives) on speed. A SSD will decrease application loading times, so if you have one of each in your system install your operating system on the SSD.
• Video cards. A video card or graphics card generates the video signal that gets sent to a computer display. At the moment these are in short supply which makes them costly.

Software

Uninstalling software that you no longer use can free up storage space and memory. Go over your list of installed programs/apps and uninstall those that you never use anymore. These may include trial versions of software that came with the computer when you bought it, out-of-date antivirus programs, old software, and games that you no longer play.

For the software that you use on a regular basis, check if you are using the most current version. Improvements may have been made, and security vulnerabilities fixed, so checking for updates for the ones you use frequently may help as well.

The Operating System

Operating Systems like Windows are designed to satisfy the needs of a great variety of users. Unfortunately that means that your Windows system is running apps and services that you may never need. There are lists of services that may people don’t need. Remember the changes you made or create a restore point before starting, so you can go back if you need to.

Like with other software it, is important to keep your OS up to date, even if it hardly ever helps improve your speed.

Don’t make it worse by installing PUPs

Registry cleaners, defragmentation software, and other “speed up” utilities turn out to be potentially unwanted programs (PUPs) more often than they are useful.

Many of these programs clean up less than what you introduced to the system by installing them. They are known to use built-in Windows utilities to do the actual work, so you are basically installing a user interface rather than something useful. Others lure you into buying them by showing large amounts of results, that have almost no influence on your system’s speed, or don’t even exist at all.

Likewise, there are many PUPs that promise to perform a disk cleanup to remove unnecessary files to gain some free disk space. Installing such a program usually takes more disk space than it will free up and it’s better if you decide which files are unnecessary. There are some good guides for this. Personal experience tip: if you have a lot of pictures on your system, consider moving them to an external drive.

Other tips

If you are in the habit of letting your computer run for a long time, it may help to reboot more often. Restarting your PC clears out its memory. It also closes all the programs that are running, including those running in the background.

Delete temporary files and empty your recycle bin. When your hard drive memory is full, it slows your computer down because the operating system doesn’t have enough free space to work adequately.

Windows indexes your hard disk for speedier searching, but background indexing can slow down your computer’s overall performance. If your PC is dragging its heels, consider disabling this feature.

Too many icons on your desktop are almost as annoying as too many browser tabs open. They not only make it hard to find what you need, but they also slow down operations.

The post How to speed up your computer or laptop appeared first on Malwarebytes Labs.

A cyberattack has disrupted the activities in Germany of fuel supplier Oiltanking Deutschland GmbH & Co. KG. The supplier is, among others, responsible for deliveries to the thousands of Shell and Aral gas stations in Germany.  

The Oiltanking division of Hamburg-based Marquard & Bahls owns and operates 45 terminals in 20 countries. As far as we know only German branches of the firm are affected by the attack.

Distribution system blocked

The main problem for the supplier is that the automated systems that take care of loading the supply trucks are disabled. The underlying problem is that these systems can’t be operated manually and the automated system stopped working due to the attack. The company is using alternative loading points to fill part of the need and Shell is re-routing oil supplies to other depots. Aral, the largest petrol station network in Germany with around 2,300 stations, has also started supplying its stations from alternative sources in light of the disturbance.

Since there are a total of 26 similar companies in Germany and the disruption only blocks one specific part of the distribution chain, it seems unlikely that the consequences will be as severe as after the ransomware attack on Colonial Pipeline last year.

The attack

The attack struck two companies that are both subsidiaries of Marquard & Bahls. These companies, Oiltanking GmbH Group and mineral oil dealer Mabanaft GmbH & Co. KG Group, say they discovered on January 29 that they had been hit by an attack that disrupted their IT systems and caused a disruption of the supply chain.

The companies say they are undertaking a thorough investigation, together with external specialists, and are collaborating closely with the relevant authorities. They also said the attack has no influence on the safety of the terminal operations that were able to continue.

Warning

The attack follows closely after a warning was issued by the Bundesamt für Verfassungsschutz (Germany’s domestic security service) that it was expecting a surge in the number of China-sponsored cyberattacks on German organizations that play a key part in supply chains. The warning specifically mentioned APT27 aka Emissary Panda.

The German agency says APT27 has been exploiting flaws in Zoho AdSelf Service Plus software, an enterprise password management solution for Active Directory and cloud apps, since March 2021. Last September the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warned in a joint advisory that advanced persistent threat (APT) groups were exploiting the very same vulnerability.

APT27 and other Chinese-backed hacking groups were also linked to attacks exploiting critical ProxyLogon bugs in early March 2021 that allowed them to take over and steal data from unpatched Microsoft Exchange servers worldwide. It can’t be ruled out completely that this attack was done by the APT27 group, but there are no indications that point to this group specifically. There is speculation about ransomware, but this has not been confirmed or denied by any of the parties involved.

The Bundesamt für Verfassungsschutz had also warned that cybercriminals, in addition to stealing business secrets and intellectual property, may also try to infiltrate the networks of (corporate) organizations or service providers to initiate a supply chain attack.

Stay safe, everyone!

The post Cyberattack on fuel supplier causes supply chain disruption appeared first on Malwarebytes Labs.

If you’re running Windows 10, it’s time to stop delaying those patches and bring your systems up to date as soon as possible.

Bleeping Computer reports that a researcher has come up with a bypass for an older bug, which could serve up some major headaches if left to fester. Those headaches will take the form of unauthorised admin privileges in Windows 10, alongside creating new admin accounts and more besides.

What happened the first time round?

Back in 2021, Microsoft patched an exploit which had been in use since mid-2020. Classed as “high-severity”, “CVE-2021-1732 – Windows Win32k Elevation of Privilege Vulnerability” allowed attackers to elevate privileges to admin level.

Fooling potential victims by having them open bogus email attachments is all it would take to get one foot in the door via code execution. It popped up in a targeted attack related to the Bitter APT campaign. According to the report, numbers were “very limited” and struck victims in China.

What’s happening now?

Multiple exploits have dropped for another elevation of privilege vulnerability known as CVE-2022-21882. This is a bypass for the previously mentioned CVE-2021-1732 which was fixed back in February 2021. CVE-2022-21882 was fixed by Microsoft via updates from January 2022. However, sys admins out there may well have skipped the updates due to various bugs which came along for the update ride.

Time to get fixing things?

It is absolutely time to get fixing things. The exploit is now out there in the wild, and as Bleeping Computer notes, it “affects all supported support versions of Windows 10 before the January 2022 Patch Tuesday updates”. 

Writers at Bleeping Computer were able to get it to work in testing, and others have confirmed it for themselves:

Is there any reason to wait for February’s Patch Tuesday?

If you’re one of the hold-outs who ran into errors last time around, waiting isn’t advisable. Microsoft already issued an OOB (out of band) update to address the multiple errors caused by the January patch. As per Microsoft’s January 17th notification about the release:

“Microsoft is releasing Out-of-band (OOB) updates today, January 17, 2022, for some versions of Windows. This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.”

Things being what they are, it’s likely time to get in there and apply the OOB update (if you haven’t already) and put this one to rest.

Microsoft is putting a fair bit of work into figuring out where weak points lie in the patching process, making use of its Update Connectivity data. The current estimate is a device needs a minimum of two continuous connected hours, and six total connected hours after an update is released to reliably make it through the updating process.

If this sounds like your network, and if you’re still waiting to take the plunge, you’ve hopefully got little to lose by making that big update splash as soon as you possibly can.

The post Apply those updates now: CVE bypass offers up admin privileges for Windows 10 appeared first on Malwarebytes Labs.

Cleafy, a cybersecurity firm specializing in online fraud, has published new details about banking Trojan BRATA (Brazilian Remote Access Tool, Android), a known malware strain that first became widespread in 2019.

BRATA is now being used to perform factory resets on victims’ machines. It’s rare for malware to damage or wipe victims’ machines (there is rarely anything in it for the attackers) so what’s going on here?

According to Cleafy, the victim’s Android device is factory reset after the attackers siphon money from the victim’s bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.

Out with the old

BRATA used to target Brazilian banks exclusively, but Cleafy reports that the target list has now been expanded to include banks in Italy, the UK, US, Poland, Spain, and Latin America. It has also revealed a number of new capabilities, alongside the factory reset functonality:

• A GPS tracking capability
• Multiple methods of maintaining contact with command and control (C2) servers
• The ability to use a VNC (Virtual Network Computing) and keylogging to continuously monitor a victim’s bank account

But how does such dangerous malware end up on victims’ devices?

How BRATA is spread

A BRATA campaign starts off when a potential target receives an SMS claiming to be from their bank. The SMS contains a link to a website that encourages the target to download the BRATA malware. They also receive a call from an attacker, who pretends to work for the bank.

The app asks for multiple permissions that, to the trained eye, would raise some red flags, and might make users reluctant to install it. According to Cleafy, the caller’s first job is therefore to use social engineering tactics to convince victims to install it.

Once the app is installed, the fraudsters can remotely hijack the device whenever they want to, and can perform banking transactions without the target knowing. Not only that, the app can be used to initiate admin-level actions, such as locking the screen, changing the screen lock, and setting password rules. For the most recent BRATA strain, being an admin app also allows it to initiate a factory reset on the affected mobile device.

A two-factor authentication (2FA) code from the bank does not protect accounts here. Through BRATA, the 2FA codes from banks are intercepted and sent to the fraudster’s command and control sever.

Clearfy believes that current operators of the BRATA mobile malware are based in at least one country in Europe as mule accounts linked to this campaign were found in Italy, Lithuania, and the Netherlands.

Protect yourself from BRATA

The existence of this malware is a reminder to all Android users to avoid installing apps that don’t come from Google Play, and to pay attention to the permissions that apps ask for. For example, BRATA requests access to the “Erase all data” permission, and most of us don’t want apps that can do that running on our mobile devices.

Although this version of BRATA was not found on Google Play, in the past it has been found, called out, and removed from Google’s online store. So, even when you’re using Google Play, stay vigilant and make sure to keep your mobile antivirus running in real time and up to date.

IOCs:

• E00240F62EC68488EF9DFDE705258B025C613A41760138B5D9BDB2FB59DB4D5E – Malwarebytes detects it as Android/Trojan.Agent.PWSCR
• E769EF0D011CBF3322C9E85D4CDF70AF413F021D033AED884C1431F2B7861D0D – Malwarebytes detects it as Android/Trojan.Spy.Agent.GPPSSATB
• 2846C9DDA06A052049D89B1586CFF21F44D1D28F153A2FF4726051AC27CA3BA7 – Malwarebytes detects it as Android/Trojan.Spy.Brat.dsa
• F9DC40A7DD2A875344721834E7D80BF7DBFA1BF08F29B7209DEB0DECAD77E992 – Malwarebytes detects it as Android/Trojan.Spy.Brat.gvmb
• 4CDBD105AB8117620731630F8F89EB2E6110DBF6341DF43712A0EC9837C5A9BE – Malwarebytes detects it as Android/Trojan.Spy.Brat.oupa
• D9BC87AB45B0C786AA09F964A8101F6DF7EA76895E2E8438C13935A356D9116B – Malwarebytes detects it as Android/Trojan.Spy.Brat.prta
• 648A5A705BBE88E52569B3774A689A82F53962E8827B143189639D48727BD159 – Malwarebytes detects it as Android/Trojan.Spy.SpyNote.dcnp

The post Android malware BRATA can wipe devices appeared first on Malwarebytes Labs.

After making its first in-the-wild appearance in March 2021, Vultur—an information-stealing RAT that runs on Android—is back. And its dropper is equally nasty.

Vultur (Romanian for “vulture”) is known to target banks, cryptocurrency wallets, social media (Facebook, TikTok), and messaging services (WhatsApp, Viber) to harvest credentials using keylogging and screen recording.

According to ThreatFabric, the mobile security company that first spotted Vultur in 2021, the cybercriminals behind the malware have steered away from the common HTML overlay strategy usually seen in other Android banking Trojans. This approach usually requires time and effort for the attackers in order to steal what they want from the user. In steering away from this, the attackers made less effort but yielded the same results.

One of the Android dropper malware that drops Vultur (among others) is Brunhilda, a privately operated dropper. Initial variants of Vultur have been dropped by an Android app called “Protection Guard”, which have had 5,000 installs on the Google Play Store upon its discovery. Note, however, that there are many Brunhilda dropper apps on the Store, which suggests that infection count could be a lot higher.

ThreatFabric believes that the group behind this dropper and Vultur are one and the same. The company has linked the two for the following reasons:

• The command and control server (C2) of “Project Brunhilda” supports Vultur-specific bot commands
• Vultur is seen using the same C2 that Brunhilda used in the past
• Vultur is seen using the same icon and package name of a Brunhilda dropper
• Vultur uses JSON-RPC to communicate with its C2, a tactic that Brunhilda used to do

Moreover, the group behind Vultur can see every interaction the user does to their device, thanks to the real-time implementation of VNC (Virtual Network Computing) screen sharing. This a legitimate tool that allows one to remotely control a device, so whatever the user sees on his phone screen, the actors can see it, too. However, for VNC to work properly, Vutur uses ngrok, another legitimate tool that uses an encrypted tunnel to expose local systems behind firewalls and NATs (network address translation) to the public Internet.

Nasty new malware dropper spreads Vultur

Recently, researchers from Pradeo, another mobile security solutions provider, found a fresh variant of Vultur after they spotted a fake two-factor authenticator (2FA) app on the Google Play Store. The dropper app, aptly named “2FA Authenticator” is responsible for dropping Vultur onto Android devices. Pradeo didn’t specify in its report if this dropper app is Brunhilda.

“2FA Authenticator”, as Pradeo noted, used the open source code of the Aegis Authenticator app, a legitimate 2FA authenticator with a presence in the Play Store, but that had been modified to include malicious code. Users are likely to be less suspicious of apps that appear to be working as they should.

Creating a dropper malware that also works is a tactic not unheard of as this is also used by another Android malware called BRATA.

The automated Vultur attack comes in two stages: first is profiling. The dropper prompts the user for consent to access critical permissions which were never disclosed in its Play Store profile. These are:

• Take pictures and videos. This allows the dropper to collect information, such as application list and localization, about the user which the attackers can use to target other users in specific countries using certain applications.
• Disable your screen lock. This disables any form of phone security (passwords, unlock pattern) set up by the user.
• Full network access. This allows the dropper to download other third-party apps under the guise of updates.
• Run at startup. This allows the dropper to freely perform tasks even when the app is shut down.
• Draw over other apps. This allows the dropper to change the interface of other mobile apps—a permission that “very few apps should use”, according to Google.
• Prevent device from sleeping. This allows the dropper to continue running in the background.

The second stage is the installation of Vultur. Pradeo has noted that the dropper doesn’t just drop Vultur once it is executed. Instead, the attack escalates to this stage if the information the dropper has collected meets certain conditions.

If you have downloaded an app that you suspect could be malicious, go to Settings > Apps. Look for “2FA Authenticator” in the list and delete it.

Stay safe!

The post Duo of Android dropper and payload target certain countries and app users appeared first on Malwarebytes Labs.

Samba developers have patched a vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.

Samba is a free software re-implementation of the SMB networking protocol that provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain.

The vfs_fruit module provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. Netatalk is a freely-available Open Source AFP fileserver. A UNIX, Linux or BSD system running Netatalk is capable of serving many Macintosh clients simultaneously as an AppleShare file server (AFP).

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in Samba that received a CVSS score of 9.9 out of 10 has been assigned CVE-2021-44142.

The vulnerability is described as an out-of-bounds heap read/write vulnerability. The heap is the name for the part of the system’s memory that is allocated for the use of programs. If a flaw in a program allows it to read or write outside of the bounds set for the program, it is possible to manipulate other parts of the memory which are allocated to more critical functions. This can allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have. In this case as root, which is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system.

The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue.

The patch

The patch for this vulnerability was included in a security update that also patches some other issues:

• CVE-2021-44141 (CVSS score: 4.2) – Information leak via symlinks of existence of files or directories outside of the exported share. All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed. Symlink is a term for any file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.
• CVE-2022-0336 (CVSS score: 3.1) – Samba AD users with permission to write to an account can impersonate arbitrary services. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding any service principals names (SPN) that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.

Mitigation

Samba administrators should upgrade to these releases or apply the patch as soon as possible to mitigate the defect and thwart any potential attacks exploiting the vulnerability. But, as a workaround it is possible to remove the “fruit” VFS module from the list of configured VFS objects in any vfs objects line in the Samba configuration file smb.conf.

Please note that changing the VFS module settings fruit:metadata or fruit:resource to use the unaffected setting causes all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost.

Stay safe, everyone!

The post Samba patches critical vulnerability that allows remote code execution as root appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• QNAP update stops Deadbolt ransomware, annoys some users, starts debate
• Big Mother is watching: What parents REALLY think about tracking their kids
• Update now! Apple patches another actively used zero-day
• Let’s Encrypt to revoke “mis-issued” certificates
• North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign
• Ransomware gangs are recruiting breached individuals to persuade companies to pay up
• Apple fixes Mac bug that could have allowed takeover of webcams and browser tabs
• New DazzleSpy malware attacks macOS
• KONNI evolves into stealthier RAT
• Senate Committee passes new antitrust bill aimed at Big Tech companies
• Google sued over deceptive location
• Windows Update has changed over the years. Here are 25 group policies to avoid
• Microsoft warns of phishy OAuth apps
• Cyberinsurance companies don’t want to pay out for “acts of war”
• Dark Souls servers taken offline over hacking fears
• Discord scammers go CryptoBatz phishing
• Warning issued over tampered QR codes
• Microsoft is now disabling Excel 4.0 macros by default
• Segway store compromised with Magecart skimmer
• Data Privacy Day: Know your rights, and the right tools to stay private

Stay safe!

The post A week in security (January 24 – 30) appeared first on Malwarebytes Labs.

When we refer to hijacked verified profiles on Twitter, it’s most commonly some sort of Elon Musk themed scam. The hijackers compromise the account, switch the picture to Elon, and then start spamming cryptocurrency links. Alternatively, they may keep the account as it is and spam images claiming Elon has approved a giveaway or something similar.

Well, times have changed on the big blue bird app. Whisper it, but Elon tributes may no longer be the hottest way on the block to earn some scam money. Instead, we’re seeing verified profiles compromised to promote and sell NFTs instead.

Forging a new career in pixel art

At some point on Thursday a verified profile belonging to Siobhán McSweeney, well known Irish actor, started to behave a little unusually. That is to say, promoting a range of pixel art cats known as “GrumpyKatz”.

The tweet reads as follows:

Giveaway time!

I am working with @grumpykatznfts to giveaway 15 SOL ($1500)

To enter:

• Follow me & @GrumpyKatzNFT
• Like & RT
• Tag 3 friends

We don’t know if the linked pixel art project is “genuine” or not, as there’s very little to go on from the profile itself. Another tweet (now deleted) suggested people should send a direct message to the account. Whoever was running this scam would likely have phished hopefuls via the hijacked Twitter account.

A short while after, the profile finally completed its full transformation. Behold the weirdly drawn ape of doom set as the profile picture:

You’ll notice the bio blurb has been altered to fit in with the general NFT theme taking place. It says:

Building an NFT community | 450,000 supporters | NFT promoter | DM for promo

The profile location has also been set to “Metaverse”, because of course it has.

Getting up to some monkey business

Followers of the actor were initially a bit surprised by the sudden interest in all things cryptocurrency. Had she decided to hop on the bandwagon? Or was something else at work? People weren’t sure and there was no 100% confirmed answer until a little earlier today.

This blog is safe for work so if you wish to see her, um, very enthusiastic condemnation of the account compromise, click here. At time of writing, some of the NFT/metaverse related Tweets are still on her profile.

What caused this, and how can you protect your Twitter account?

As to how it happened, there’s no indication just yet.

Verified profile accounts need to have two-factor authentication (2FA) enabled to be verified in the first place. But we’ve seen enough sneaky examples of people bypassing 2FA on different platforms previously.

Twitter offers a variety of options where it’s concerned: mobile, app, and security key. Perhaps the actor is using SMS codes and somebody performed a SIM swap attack. Maybe she uses an auth app but was taken to a phishing page which also asks for the time sensitive code.

I suspect we won’t find out. Even so, this is a good time to go check your login and verification settings on Twitter whether verified or not. You don’t want to accidentally wander into whatever currently passes for a metaverse, no matter how many free cats they claim to be giving away.

The post Actor’s verified Twitter profile hijacked to spam NFT giveaways appeared first on Malwarebytes Labs.