IT NEWS

Update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one

How time flies sometimes. Microsoft yesterday released the first Patch Tuesday security updates of 2022. The release includes fixes for a total of 97 bugs, six of them zero-days, and among them two Remote Code Execution (RCE) vulnerabilities in open source libraries. None of the zero-day flaws is known to have been exploited in the wild, but one of the other vulnerabilities is feared to be wormable.

A severe word of warning for those running a network with a domain controller: the side effects this month are extreme, and the advice is to hold off on the patch. Microsoft’s Active Directory allows workstations to authenticate with a “domain controller,” and this month’s updates are causing such drastic issues with domain controllers that they can become stuck in a boot loop.

Patches that can cause problems include the following:

It’s unclear if Server 2022 is similarly impacted.

Along with the update comes an announcement of a new security update guide notification system.

Let’s start by taking a closer look at the zero-days. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, whose goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The first two we list below were previously fixed upstream by a third party and are now being incorporated into Microsoft products.

Open Source Curl RCE vulnerability

CVE-2021-22947 concerns a vulnerability in the curl open source library, which is used by Windows. The January 2022 Windows security updates include the most recent version of this library, which addresses this vulnerability and others. The listed one can lead to STARTTLS protocol injection via a man-in-the-middle attack.

The software, when processing trusted data, accepts any untrusted data that arrives alongside it and treats the untrusted data as if it were trusted. More specifically, when curl connects to an IMAP, POP3, SMTP or FTP server and uses STARTTLS to upgrade the connection to TLS, the server can send back multiple responses before the TLS upgrade takes place. Such pipelined responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses, and would instead use and trust the responses it got before the TLS handshake as if they had been authenticated.
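The flaw and its fix reduce to a few lines once the connection’s receive buffer is made explicit. The following is an added example, not curl’s code: a toy SMTP client run against a constructed byte stream, where a man-in-the-middle packs a forged EHLO reply into the same segment as the STARTTLS “220” response. The hostnames and the capability lines are invented for the example.

```python
"""Toy SMTP STARTTLS client reproducing the CVE-2021-22947 response-caching flaw.

Added example, not curl's code. The network is simulated: PLAINTEXT_CHUNKS is
a constructed byte stream as a man-in-the-middle could deliver it before the
TLS upgrade, and TLS_CHUNKS is what the genuine server sends once TLS is up.
"""
from collections import deque

# Constructed: the STARTTLS "220" reply arrives in the same TCP segment as a
# forged EHLO reply that advertises plaintext AUTH LOGIN.
PLAINTEXT_CHUNKS = [
    b"220 smtp.example.test ESMTP ready\r\n",
    b"220 Go ahead\r\n250-AUTH LOGIN\r\n250 OK\r\n",
]
# Constructed: what the real server answers to EHLO inside the TLS session.
TLS_CHUNKS = [b"250-SIZE 10240000\r\n250 OK\r\n"]


class Conn:
    """Line-oriented connection with a receive buffer, as curl keeps one."""

    def __init__(self, chunks):
        self.chunks = deque(chunks)
        self.inbuf = b""
        self.tls = False

    def send(self, data):
        pass  # the simulated peer ignores what we send

    def recv_line(self):
        # Pull segments until a full line is buffered; leftovers stay cached,
        # which is what makes pipelined responses possible.
        while b"\r\n" not in self.inbuf:
            if not self.chunks:
                raise EOFError("peer closed")
            self.inbuf += self.chunks.popleft()
        line, _, self.inbuf = self.inbuf.partition(b"\r\n")
        return line.decode()

    def upgrade_to_tls(self, flush_cached):
        # The fix: anything received before the handshake is unauthenticated
        # and must be discarded, not replayed as if it came over TLS.
        if flush_cached:
            self.inbuf = b""
        self.tls = True
        self.chunks = deque(TLS_CHUNKS)


def ehlo_capabilities(flush_cached_before_tls):
    """Run greeting -> STARTTLS -> EHLO and return the capabilities the client believes."""
    c = Conn(PLAINTEXT_CHUNKS)
    c.recv_line()                       # server greeting
    c.send(b"STARTTLS\r\n")
    if not c.recv_line().startswith("220"):
        raise RuntimeError("STARTTLS refused")
    c.upgrade_to_tls(flush_cached_before_tls)
    c.send(b"EHLO client.example.test\r\n")
    caps = []
    while True:                         # multiline reply: "250-..." then "250 ..."
        line = c.recv_line()
        caps.append(line[4:])
        if line[3] == " ":
            return caps


if __name__ == "__main__":
    print("vulnerable:", ehlo_capabilities(False))   # injected, pre-TLS capabilities
    print("fixed:     ", ehlo_capabilities(True))    # genuine, TLS-protected reply
```

With the buffer left intact the client believes the attacker’s pre-TLS “AUTH LOGIN” line was part of the encrypted session; with the buffer discarded at the upgrade it only ever sees what the real server said over TLS.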

Libarchive RCE vulnerability

CVE-2021-36976 concerns a vulnerability in the libarchive open source library, which is used by Windows. The January 2022 Windows security updates include the most recent version of this library, which addresses the vulnerability and others. The vulnerability is described as: libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).

Windows Certificate Spoofing vulnerability

CVE-2022-21836 allows an attacker to bypass a security feature. A successful attacker could bypass the Windows Platform Binary Table (WPBT) verification by using a small number of compromised certificates. Microsoft has added those certificates to the Windows kernel driver block list, driver.stl. The Windows Platform Binary Table is a fixed firmware ACPI (Advanced Configuration and Power Interface) table. It was introduced by Microsoft to allow its vendors to execute programs every time a device boots. Certificates on the driver.stl will be blocked even if present in the WPBT.

Windows Event Tracing Discretionary Access Control List Denial of Service vulnerability

Microsoft’s advisory for CVE-2022-21839 does not provide a lot of details: an unspecified part of the Event Tracing Discretionary Access Control List component is affected. Exploitation is said to be easy and possible remotely, but it requires authentication. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or resource, making it inaccessible to its intended users.

Windows Security Center API RCE vulnerability

CVE-2022-21874 is a publicly disclosed RCE vulnerability in the Windows Security Center API that received a CVSS score of 7.8. This vulnerability requires user interaction to exploit, and the attack vector is local.

Windows User Profile Service Elevation of Privilege (EoP) vulnerability

CVE-2022-21919 is a publicly disclosed EoP vulnerability in the Windows User Profile Service that received a CVSS score of 7.0. Exploitation is known to be difficult, but the attack may be initiated remotely, and the only requirement is simple authentication.

HTTP Protocol Stack RCE vulnerability

CVE-2022-21907 is not one of the zero-days, but it stands out because it is a critical vulnerability that could allow an unauthenticated attacker to send a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets. While this vulnerability would mostly affect servers, the fact that it requires no user interaction or privileges and targets an elevated service makes experts believe it is wormable. There are also some open questions among experts about which Windows versions are vulnerable.

The new security update guide notification system

Notifications are sent when information is added or changed in the Security Update Guide. Based on feedback, Microsoft has been working to make signing up for and receiving Security Update Guide notifications easier. Starting today, you can sign up with any email address that you want and receive notifications at that email address. There is no longer a requirement that the email be a Live ID.

To start off, you will need to create a Security Update Guide profile by clicking “Sign in” at the top right corner of the Security Update Guide. You can use any email and password here. If this is your first time signing in, a validation email will be sent with steps to verify that you have entered a valid email address.

Other security updates

Don’t forget to look at other security updates that you may need. We have seen updates from:

Stay safe, everyone!

The post Update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one appeared first on Malwarebytes Labs.

Night Sky: the new corporate ransomware demanding a sky high ransom

There’s a new ransomware in town—isn’t there always?—and it’s, unsurprisingly, after corporation-sized businesses.

It’s called Night Sky, and it was first spotted and revealed by MalwareHunterTeam, a group on Twitter who hunts malware online, on the first day of 2022.

Like other ransomware families before it, Night Sky uses the double extortion model in its attacks. First, it demands corporate victims stump up money for a decryption key to get at their files, then it slaps them with the threat of either leaking all the stolen data or selling it to the highest bidder should victims refuse to pay.

Less than two years ago, double extortion was only being used by the Maze ransomware gang. Now, at least 16 ransomware groups have made this a core tactic of their campaigns.

What you need to know about Night Sky

Night Sky is said to have started operating around the last week of December 2021. We don’t know much about it yet, but it’s assumed that a human operator is involved in the reconnaissance, access, and eventual exfiltration of files from all network endpoints before Night Sky is launched. It’s also assumed that the Night Sky attackers infiltrate corporate networks using tried-and-tested methods, such as social engineering or stolen credentials.

Once launched, the ransomware encrypts the majority of the files on affected computers. It skips files with the .dll and .exe extensions, and it also skips the following files and folders (including anything contained within those folders):

  • $Recycle.Bin
  • All Users
  • AppData
  • autorun.inf
  • Boot
  • boot.ini
  • bootfont.bin
  • bootmgfw.efi
  • bootmgr
  • bootmgr.efi
  • bootsect.bak
  • desktop.ini
  • Google
  • iconcache.db
  • Internet Explorer
  • Mozilla
  • Mozilla Firefox
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • Opera
  • Opera Software
  • Program Files
  • Program Files (x86)
  • ProgramData
  • thumbs.db
  • Tor Browser
  • Windows
  • Windows.old

Encrypted files will have the .nightsky extension, as seen below:

“Internal files have been stolen and encrypted by us.” (Source: BleepingComputer)

Night Sky also appears to drop a ransom note in every folder, save the ones above, with encrypted files. The note has the file name, NightSkyReadMe.hta.

“Your company has been hacked by us.” (Source: MalwareHunterTeam)

“If your company is willing to meet our requirements…” (Source: BleepingComputer)

According to BleepingComputer, it contains information on what was stolen, email contacts, and “hard coded credentials to the victim’s negotiation page.” The latter is used by the victim to log in to a Rocket.Chat URL, which is also provided in the ransom note, to directly reach the ransomware attackers.
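The two on-disk artifacts described above (the .nightsky extension and the NightSkyReadMe.hta note) are enough for a first-pass triage of a suspect host. The script below is an added example and not Malwarebytes’ detection logic: it walks a directory tree, lists encrypted files and notes, recovers original filenames, and flags any encrypted file sitting in one of the folders the ransomware is reported to skip, which would point at a different tool or a variant. The sample tree it scans is constructed in a temporary directory.

```python
"""Disk triage for a host suspected of a Night Sky infection.

Added example, not Malwarebytes' detection logic. It walks a directory tree
for the two artifacts described above (files renamed with .nightsky and
NightSkyReadMe.hta ransom notes) and notes any encrypted file that sits in a
folder the ransomware is reported to skip, since that points at a different
tool or a variant. The sample tree is constructed in a temporary directory.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".nightsky"
NOTE_NAME = "NightSkyReadMe.hta"
# Subset of the skip list above; used to flag out-of-pattern encryption.
SKIPPED_DIRS = {
    "$Recycle.Bin", "AppData", "Boot", "Program Files", "Program Files (x86)",
    "ProgramData", "Windows", "Windows.old",
}


def triage(root):
    """Return what was found, with paths relative to root and '/' separators."""
    root = Path(root)
    encrypted, notes, out_of_pattern = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in files:
            rel = (rel_dir / name).as_posix()
            if name == NOTE_NAME:
                notes.append(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(rel)
                if any(part in SKIPPED_DIRS for part in rel_dir.parts):
                    out_of_pattern.append(rel)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "out_of_pattern": sorted(out_of_pattern),
        # The original name is recoverable from the filename alone.
        "original_names": sorted(p[: -len(ENCRYPTED_EXT)] for p in encrypted),
        "infected": bool(encrypted or notes),
    }


def build_sample_tree():
    """Constructed sample: two encrypted documents, one note, an untouched Windows dir."""
    root = Path(tempfile.mkdtemp(prefix="nightsky_demo_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.nightsky").write_bytes(b"\x00" * 16)
    (docs / "contract.docx.nightsky").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("Your company has been hacked by us.")
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "kernel32.dll").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against a mounted image or a live share root instead of the sample tree to get a quick count of what was touched and where the notes landed; an empty `out_of_pattern` list is consistent with the behaviour reported above.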

Malwarebytes detects Night Sky as Ransom.NightSky. We’ll continue to update this post once we receive new information.

The post Night Sky: the new corporate ransomware demanding a sky high ransom appeared first on Malwarebytes Labs.

How to share your Wi-Fi password safely

You may not have as many people visiting your home due to the pandemic, but restrictions are a hit-and-miss affair. It’s possible your region has opened up a little, and you’re seeing folks in your home for the first time in a long time. They may well be bringing new devices to your home, and you may have changed your ISP. Some of you may even have changed your old router’s password for a brand new one. Bonus points for not sticking with the default!

This brings with it a slight headache. How do you get your friends and relatives onto your network in a safe and secure manner? One which won’t put them, or yourself and your network, at risk?

It’s time to dig into the under-the-hood action that is your home’s internet sharing capabilities.

What is a Wi-Fi password?

Your Wi-Fi password is how you keep your internet activities, and also your router, secure from people you don’t want to have access. That could include friends, neighbours, or just random people walking past your place of residence. Without a Wi-Fi password, anyone can pull up your router from a list of possible Wi-Fi connections and start using it. If you’re on metered internet, that could prove costly and leave you with no internet for a month. It also means they can potentially download all manner of dubious content and you’d be first to get the blame.

Does my router have a Wi-Fi password?

Your router should have a Wi-Fi password by default, but it’s possible there isn’t one allocated to the router out of the box. Typically, the password will be on a sticker somewhere on the underside of the device. Depending on the type of router, you may find several passwords for different types of connections.

You can use the default password if you want, and it’s better than no password at all. However, there are some risks to this approach. Common password lists do end up on the internet, and people do exploit default setups regularly. We strongly suggest changing the password to something else as soon as you’re able to.

You may have to change it via a website tied to an account, or it may require you to log into the router itself. You’ll need to consult your user guide for this one!

How can I share my password securely?

There are quite a few convenient ways to share Wi-Fi passwords. Apple users can do this in a very straightforward fashion, and Android users can do it via QR codes. For trusted relatives, you can of course write it down and store it in a convenient place, to save them from shaking your router around in the hunt for the password. Windows 10 users may well need that fallback, as Microsoft has removed the Wi-Fi Sense feature which allowed for easy connections.

Whether you use an app or the piece of paper routine, the biggest problem isn’t really sharing the password. The issue is what you’re letting onto your network, either from external threats or the newcomer’s device itself.

Keeping the network safe

We’re most likely to share passwords with immediate friends and family. With the rise of internet connected homes and integrated online services, the list can and does extend to more people. It could be a repairer, or a housing inspection, or something else tied to an essential service.

We also can’t ignore that anyone, whether relative or stranger, could bring bad things into your network. For example, if a malware-laden laptop is dropped onto your network, you could end up spreading the malware around your devices.

One solution to this is guest networks. Your router may well have the option to enable a guest network for friends, visitors, whoever you like. This keeps them separated from the password protected network you’re using. You can also use time-limited passwords or enable other restrictions related to file/setting access. As above, make sure the guest network is a) password protected, b) encrypted, and c) your password is a new unique one and not the default.

With these tips in mind, you should be securely surfing and allowing friends and visitors to do the same in no time at all. This perhaps isn’t a major threat area for most of you, but it won’t hurt to ensure your home network is as robust as can be.

The post How to share your Wi-Fi password safely appeared first on Malwarebytes Labs.

The Facebook Pixel Hunt aims to unravel Facebook’s tracking methods. Will you join?

Browser developer Mozilla has announced a research project to provide insights into, and data about, a space that’s opaque to policymakers, researchers and users themselves. Tracking the trackers is the name of the game. Give up some of your data voluntarily to stop the involuntary collection by Facebook.

Mozilla is partnering with The Markup, with the aim of unravelling how Facebook’s tracking infrastructure massively collects data about people online. Data which is eventually used for targeted advertising and tailored content recommendations.

Firefox users will get the option to participate in the project dubbed “the Facebook Pixel Hunt” and volunteer to share their browser data.

What is The Markup?

The Markup is a non-profit organization that investigates how powerful institutions are using technology to change our society. The Markup is the latest partner for Rally, the privacy-first data-sharing platform that was created by Mozilla in 2021 to take back control from platforms that are not transparent about how they use people’s data. When they hide their methods, the platforms make it very difficult for independent outside research to take place.

Just a few examples: Facebook shut down CrowdTangle, blocked ProPublica’s Ad Transparency tools, modified code to prevent The Markup’s Citizen Browser from collecting user-volunteered data and canceled NYU’s AdObserver researchers’ accounts.

The research project

Using tools provided by Rally, the two organizations will research how Facebook tracks people across the web through its Facebook pixel-powered ad network, and shine a light on what Facebook knows about their online life.

The Facebook pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track conversions from Facebook ads, optimize ads, build targeted audiences for future ads, and remarket to people that have already taken some kind of action on their website. That’s nice for the advertisers, but the combined information of all these pixels potentially provides Facebook with an almost complete picture of your browsing behavior.

By opting into “the Facebook Pixel Hunt” study, Rally gives Firefox users the power to help answer questions like: What kind of data does the Facebook pixel collect? Which sites share this data? What can this data reveal about people? What other ways does Facebook track people? How widespread is Facebook’s tracking network?

To answer these questions the study will collect:

  • The data sent to Facebook pixels as you browse
  • The (full) URLs of the web pages you browse
  • The time you spend browsing pages and time spent browsing and playing media on each webpage
  • The presence of Facebook login cookies in your browser
  • Metadata on the URLs you visit, like how far down the webpage you scrolled
  • A study survey that you complete, the results of which will be combined with study data for the analysis

Who can join?

If you want to contribute to this study there are a few things to check. Participation in the study is currently available for Firefox users in the US who are 19 or older. Having a Facebook account is not mandatory. Facebook may collect information about you across the web even if you don’t have a Facebook account.

If you decide to leave the study, Mozilla Rally uninstalls the corresponding study add-on. If the study is still open, the data that the study collected will be deleted. If a study has already ended, it may not be possible to delete your data because deletion of the data may impact the ability of the partners in the study to do their research.

How can I participate?

Taking part in the study is as easy as installing a browser add-on for Firefox. You can find the Rally add-on here. After installing you will see this explanatory page:

Mozilla Rally

And this flag icon in your browser bar:

Rally icon

For demographic reasons you will be asked a few questions, although answering them is optional. The answers help the researchers understand how representative and diverse the participants are.

You can then choose which study you want to participate in.

Facebook Pixel Hunt

After joining the study you will notice another extension in Firefox.

Rally plus Facebook Pixel Hunt extensions

Users of Malwarebytes Browser Guard for Firefox that wish to participate in this study will have to disable Browser Guard or, recommended, add facebook.com to their allow list for Ads/Trackers.

Here’s how to add an entry to the allow list for Malwarebytes Browser Guard:

  • Click the Malwarebytes icon in the browser bar
  • Click the 3 dots icon
  • Select Allow list
  • Add “facebook.com” in the “Add a URL or IP address” field
  • Select Ads/Trackers in the “Disable protections” field
  • Click “Done”

After successfully adding the entry, the allow list should look like this:

Browser Guard allow list

Other ad-blockers may require additional steps before their users can take part in this study.

We are looking forward to the results and hope that Facebook will not try to frustrate this study as well.

The post The Facebook Pixel Hunt aims to unravel Facebook’s tracking methods. Will you join? appeared first on Malwarebytes Labs.

Attackers are mailing USB sticks to drop ransomware on victims’ computers

Physical objects as security threats are in the news at the moment. The oft-touched upon tale of rogue USB sticks is a common one. Being wary of random devices found on the floor, or handed out at events is a smart move. You simply don’t know what’s lurking, and it’s hard to find out safely without the right tools available. Even then, something can slip by and cause no end of trouble on your desktop or network.

Sticky situations

Back in 2015, we covered the Dead Drops art project. This involved people hiding their USB stick in public places, and others finding them to join an “anonymous file-sharing network” and see what lurks. Security wise, this is an absolutely terrible idea for most folks.

On the other hand: people absolutely do plug in USB sticks found in the street, and they also happily use freebies at events. Most won’t concern themselves with security worries, but they should. However, it’s one thing to voluntarily grab USB sticks yourself. It’s quite another to be potentially disarmed by someone sending you said device instead.

Postal peril

The FBI has warned that a malware group is sending out infected USB sticks to specific targets. The group is behind major attacks such as the notorious Colonial Pipeline ransomware incident. Make no mistake, these are heavy hitters (and they have been here before; that time they included gifts such as cuddly toys).

The bogus sticks have been winging their way to potential victims through the post for a number of months. There’s elements of social engineering involved, too. It isn’t just a random stick in an unlabelled baggy, there’s a variety of packaging depending on who the sticks have been sent to. It’s perhaps not quite as visually impressive as rogue teddy bears, but it still gets the job done.

Social engineering their way to USB victory

The attackers use a couple of different postal services to send the USBs into the wide blue yonder: United Parcel Service, and United States Postal Service. The sticks have been sent to “US businesses in the transportation, insurance, and defence industries”. The packages are designed to resemble Amazon gifts, and Covid alerts from the US Department of Health, which are likely to carry a strong pull factor for the unwary.

If the USB stick is inserted into a PC, it launches a BadUSB attack and the malware auto-registers as a keyboard. From there, it uses keystrokes to place malware on the system and, potentially, deposit and fire up additional rogue files. Bleeping Computer notes that the end goal is to deploy ransomware on the compromised network.
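The tell of a BadUSB stick is in the enumeration: a device sold as storage has no business presenting a HID keyboard interface. The script below is an added example, not tooling from the FBI alert or from Malwarebytes. It audits a constructed inventory of device records; the record layout and the allow list of issued keyboards are assumptions for the example, while the USB class, subclass and protocol codes are the real ones from the USB specifications.

```python
"""Flag USB devices that enumerate as a keyboard when they should not.

Added example, not tooling from the FBI alert or from Malwarebytes. A BadUSB
stick looks like storage but also (or only) presents a HID keyboard
interface so it can type commands. The device records below are constructed;
the record format and the keyboard allow list are assumptions for the
example, the USB class codes are the real ones from the USB specification.
"""

USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01
MSC_SUBCLASS_SCSI = 0x06
MSC_PROTOCOL_BULK_ONLY = 0x50

# Assumption: (vendor_id, product_id) pairs of keyboards the organisation issued.
KNOWN_KEYBOARDS = {(0x1111, 0x0001)}

# Constructed inventory, as a USB enumeration log or lsusb-style dump would give it.
DEVICES = [
    {"serial": "KB-01", "vid": 0x1111, "pid": 0x0001, "product": "Office Keyboard",
     "interfaces": [(USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD)]},
    {"serial": "STICK-01", "vid": 0x2222, "pid": 0x0010, "product": "USB Flash Drive",
     "interfaces": [(USB_CLASS_MASS_STORAGE, MSC_SUBCLASS_SCSI, MSC_PROTOCOL_BULK_ONLY)]},
    {"serial": "GIFT-01", "vid": 0x3333, "pid": 0x0042, "product": "USB Flash Drive",
     "interfaces": [(USB_CLASS_MASS_STORAGE, MSC_SUBCLASS_SCSI, MSC_PROTOCOL_BULK_ONLY),
                    (USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD)]},
    {"serial": "GIFT-02", "vid": 0x4444, "pid": 0x0007, "product": "USB Flash Drive",
     "interfaces": [(USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD)]},
]


def is_keyboard(interface):
    cls, sub, proto = interface
    return cls == USB_CLASS_HID and sub == HID_SUBCLASS_BOOT and proto == HID_PROTOCOL_KEYBOARD


def assess(device):
    """Return a reason string if the device should be quarantined, else None."""
    classes = {iface[0] for iface in device["interfaces"]}
    has_keyboard = any(is_keyboard(i) for i in device["interfaces"])
    if not has_keyboard:
        return None  # cannot type, so not a BadUSB keyboard attack
    if USB_CLASS_MASS_STORAGE in classes:
        return "storage device also presents a keyboard interface"
    if (device["vid"], device["pid"]) not in KNOWN_KEYBOARDS:
        return "unknown keyboard (not on issued-hardware list)"
    return None


def audit(devices):
    """Return [(serial, reason)] for every device that should be blocked."""
    return [(d["serial"], assess(d)) for d in devices if assess(d)]


if __name__ == "__main__":
    for serial, reason in audit(DEVICES):
        print(f"{serial}: {reason}")
```

The same two rules translate directly into a device-control policy: allow mass storage and known keyboards separately, and never allow a single device that is both.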

Tips for keeping USB access points safe

  • It’s not realistic to suggest disabling all USB ports on workplace machines, considering how many USB devices we use on a daily basis. However, you can ensure that only ones in use are functional. You can also buy physical locks which block use of ports with no software required to do it. Similarly, you can buy devices which lock wires into ports and reveal evidence of tampering if one is somehow pulled out.
  • Dedicated workstations running virtual machines, or a non Windows OS, can be set up for any “stray” USB sticks.
  • Disabling autorun is also helpful should such a thing already be enabled.
  • Restricting access to any and all USB sticks to a handful of trained staff may be thought of as time-intensive, but realistically you likely don’t run into dozens of mysterious USB sticks on a daily basis.

We don’t know how many organisations have been affected, nor do we know how successful this campaign has been. Organisations should be cautious if they’re in one of the sectors targeted by this attack. In fact, we should all be cautious where rogue USB sticks are concerned. Get ahead of the curve and ponder this issue now, instead of waiting to find out if your area of business is on the next FBI release a few months down the line.

The post Attackers are mailing USB sticks to drop ransomware on victims’ computers appeared first on Malwarebytes Labs.

A week in security (January 3 – 9)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (January 3 – 9) appeared first on Malwarebytes Labs.

Google and Facebook fined $240 million for making cookies hard to refuse

French privacy watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL), has hit Google with a 150 million euro fine and Facebook with a 60 million euro fine, because their websites—google.fr, youtube.com, and facebook.com—don’t make refusing cookies as easy as accepting them.

The CNIL carried out an online investigation after receiving complaints from users about the way cookies were handled on these sites. It found that while the sites offered buttons for allowing immediate acceptance of cookies, the sites didn’t implement an equivalent solution to let users refuse them. Several clicks were required to refuse all cookies, against a single one to accept them.

In addition to the fines, the companies have been given three months to provide Internet users in France with a way to refuse cookies that’s as simple as accepting them. If they don’t, the companies will have to pay a penalty of 100,000 euros for each day they delay.

GDPR

EU data protection regulators’ powers have increased significantly since the General Data Protection Regulation (GDPR) took effect in May 2018. This EU law allows watchdogs to levy penalties of as much as 4% of a company’s annual global sales.

The restricted committee, the body in charge of sanctions, considered that the process regarding cookies affects the freedom of consent of Internet users and constitutes an infringement of the French Data Protection Act, which demands that it should be as easy to refuse cookies as to accept them.

Since March 31, 2021, when the deadline set for websites and mobile applications to comply with the new rules on cookies expired, the CNIL has adopted nearly 100 corrective measures (orders and sanctions) related to non-compliance with the legislation on cookies.

Responses

Google said in a statement that “people trust us to respect their right to privacy and keep them safe” and that the company understands its “responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision”.

Facebook said it’s reviewing the authority’s decision. Here it may be important to note that the CNIL fined Facebook Ireland Limited, rather than Facebook France, since the head office in Ireland presents itself as the data controller of the Facebook service in the European region.

The procedure

As an example we’ll follow the cookie management procedure for YouTube, which was one of the sites the CNIL objected against.

A first time visitor (or more precisely, someone without any cookies from a previous visit) is presented with this consent form:

YouTube’s cookie consent popup

The user’s options are to either accept all the cookies by clicking “I AGREE”, or to click “CUSTOMIZE”, which results in a multitude of choices to be made about search customization, YouTube History, ad personalization, managing cookies in your browser, and managing data Google Analytics collects on sites you visit.

The first three entries are simple On/Off settings.

The first three options in YouTube’s cookie customization screen

The last parts however point to instructions or link to other sites, which in general come down to “You can change your browser settings to reject some or all cookies.”

YouTube’s instructions on managing cookies and data

This explains why the French watchdog objects to the skewed balance between accepting or rejecting cookies from these sites—the path to privacy is long and difficult.

The everlasting battle

Internet giants like Meta (Facebook) and Alphabet (Google) depend on advertising. Advertising represented 98% of Facebook’s $86 billion revenue in 2020, and more than 80% of Alphabet’s revenue comes from Google ads, which generated $147 billion in 2020.

Advertisers can bid on specific words and phrases, and target specific demographics, geographies or interests, and this ensures ads show up to relevant users at relevant times, or so the theory goes. To find out who the “relevant users” are, ad companies gather massive amounts of information about users, and that is where our privacy comes into play.

The information is stored in giant databases about us, and the link between us and our database entries are the cookies in our browser. The cookie acts like an ID badge, you show it every time you hit a Google or Facebook page, or any time you hit a page that includes a like button, some Google Analytics code, or anything else loaded from a Google or Facebook domain.

Sometimes that’s useful. Logging in to a website would be impossible without a cookie “ID badge”—you’d have to provide your password on each and every page instead. But sometimes the ID badge is doing something that’s useful to somebody else rather than you, such as allowing them to silently build a personal profile about you.

Luckily, sites rarely use one cookie for everything and typically use different cookies for different features. This is why YouTube customization options are so convoluted, and why adblockers and privacy plugins work at all. With a decent tool it’s possible to block or refuse the cookies you don’t like and keep the ones you do.

If you want to clear out everything and start again, take a look at our quick guide, “How to clear cookies”.

Dark patterns

YouTube’s choice between “I agree” and “Customize” rather than “I agree” and “I don’t agree” is an example of a dark pattern, a design that subtly and deliberately nudges you in the direction of a choice that benefits the designer. They are everywhere on the web, and they’re a problem.

In June 2021, Malwarebytes Labs’ David Ruiz spoke to dark patterns expert Carey Parker on the Lock and Code podcast. To learn more about dark patterns and how to spot them, listen below.


The post Google and Facebook fined $240 million for making cookies hard to refuse appeared first on Malwarebytes Labs.

Sophisticated phishing scheme spent years robbing authors of their unpublished work

Three years ago on Quora, someone asked what writers do to keep their manuscripts from being stolen. One of the top answers reads as follows:

You’re joking, right? It’s hard enough to get people to read your novel once it’s out on Amazon, much less reading it before it’s finished…unless you’re George RR Martin, nobody is trying to get your unpublished, unedited manuscript.

That optimistic piece of advice doesn’t really hold true anymore, if it ever did. In a scheme reminiscent of some sort of comic book supervillain, Filippo Bernardini was arrested at JFK International Airport on Wednesday. The reason? He stands accused of impersonating publishing professionals to obtain unpublished manuscripts. Charges include “wire fraud and aggravated identity theft”. The wire fraud charge alone carries a potential maximum sentence of 20 years.

Throwing the book at crime

From the FBI indictment:

…an indictment charging FILIPPO BERNARDINI with wire fraud and aggravated identity theft, in connection with a multi-year scheme to impersonate individuals involved in the publishing industry in order to fraudulently obtain hundreds of prepublication manuscripts of novels and other forthcoming books.

This particular scheme had been rumbling along since “at least” 2016, and the accused individual worked in the publishing industry.

According to the FBI, multiple fake email accounts were created, impersonating real people in the publishing space. Not only that, but also publishing houses and talent agencies. Alongside this were “more than 160 internet domains”. The domains copied real entities, with deliberate use of slight typos in email addresses to further replicate the genuine article. These are common phishing tactics used by regular phishers, but here we can see it being deployed in a more targeted fashion.
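Lookalike domains of the kind described here (a real name with one character swapped, doubled, or a word bolted on) are cheap to catch before a manuscript goes out. The script below is an added example and not part of the indictment or of any Malwarebytes product. `TRUSTED` is an assumed allow list of the genuine domains a writer deals with and the sender addresses are constructed; the rest is a homoglyph normalisation, a standard edit-distance check, and a brand-in-domain check.

```python
"""Spot lookalike sender domains of the kind used in this scheme.

Added example, not part of the indictment or of Malwarebytes' tooling.
TRUSTED is an assumed allow list of the real domains a writer deals with,
and the addresses in SAMPLE are constructed. Each sender domain gets a
homoglyph-normalised exact match (1 for l, 0 for o, rn for m and so on), an
edit-distance check, and a brand-in-domain check for registrations such as
"bigpublisher-rights.com".
"""

TRUSTED = {"bigpublisher.com", "litagency.co.uk"}   # assumption: the writer's real contacts

# Character swaps that survive a quick glance in an email client.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

SAMPLE = [  # constructed sender addresses
    "jane@bigpublisher.com",
    "editor@bigpub1isher.com",
    "rights@bigpublisherr.com",
    "scout@bigpublisher-rights.com",
    "agent@litagency.co",
    "bob@example.org",
]


def normalise(domain):
    """Lower-case and undo the common look-alike substitutions."""
    d = domain.lower().strip().rstrip(".")
    for glyph, real in HOMOGLYPHS.items():
        d = d.replace(glyph, real)
    return d


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) in O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address):
    """Return 'trusted', 'unknown', 'invalid', or a 'lookalike of <domain> (<why>)' verdict."""
    if address.count("@") != 1:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in TRUSTED:
        return "trusted"
    candidate = normalise(domain)
    for real in sorted(TRUSTED):
        if candidate == real:
            return f"lookalike of {real} (homoglyph)"
        dist = levenshtein(candidate, real)
        if dist <= 2:
            return f"lookalike of {real} (edit distance {dist})"
        brand = real.split(".")[0]
        if brand in candidate:
            return f"lookalike of {real} (contains brand)"
    return "unknown"


if __name__ == "__main__":
    for addr in SAMPLE:
        print(f"{addr:32} {classify(addr)}")
```

Anything that comes back as a lookalike deserves a phone call to the number you already have for that editor or agent, not a reply to the email.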

Nice award. Can I have your next book, please?

There’s at least one example given of a Pulitzer prize-winning author tricked into sending a forthcoming manuscript to an imitation of a real well-known editor and publisher.

“Hundreds” of distinct people were impersonated in order to obtain manuscripts the phisher had no business accessing.

There’s also mention of gaining access to a New York literary scouting company via bogus emails to employees and a fake domain for them to log into. Once they logged in, the credentials were forwarded on, adding another string to the “massive scam” bow.

This was all happening up until or around July 2021. It remains to be seen how the case will pan out for the accused, but it doesn’t sound great for him so far. It seems likely that this in-depth account of authors being contacted by fictitious publishers, from August of last year, is related to the above. If it isn’t, well, I guess we have two separate fake literary agent saboteurs to contend with.

What can writers do to keep their work safe?

A lot of the security issues in this story boil down to phishing, and phishing countermeasures. Most of the tips for authors on keeping their manuscripts safe tend to focus on backing up files. While some do mention security compromise, a few of the tips make me a little nervous. With that in mind:

  • The Nathan Bransford article I’ve linked to above suggests that the “technically disinclined” email themselves a copy of their manuscript, but I’d be wary of emailing documents to myself or others unencrypted. I also appreciate that there are some situations where you may be left with “email or nothing”. In those situations, you should make use of a tool which can encrypt your files before you attach them, such as WinZip. Be aware though that some forms of encryption are more secure than others.
  • It also suggests placing documents in cloud storage. This puts a copy of your work in a different geography than your laptop, which is good if there’s a fire or you’re hit with ransomware, but it also means there’s another place your work can be stolen from. If someone manages to guess your cloud login and you don’t have 2FA enabled, they have your documents. To prevent this, I suggest you enable two-factor authentication on your cloud accounts, and consider encrypting your files before uploading them.
  • If you really don’t like the idea of leaving documents on your desktop, store them on an external drive. The usual caveats apply: encrypt, encrypt, encrypt. On the very remote chance someone breaks in and steals it, or, more likely, you lose it somewhere, encryption will help keep the files safe from prying eyes.

Again, these tips are really for everyone and all kinds of files. They’re not specific to budding or even professional writers, but writers can still make full use of them. And you don’t even have to be George R.R. Martin to do it.

The post Sophisticated phishing scheme spent years robbing authors of their unpublished work appeared first on Malwarebytes Labs.

Patchwork APT caught in its own web

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign from late November to early December 2021, Patchwork has used malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT).

What is interesting among the victims of this latest campaign is that the actor has for the first time targeted several faculty members whose research focuses on molecular medicine and biological science.

Instead of focusing entirely on victimology, we decided to shed some light on this APT. Ironically, all the information we gathered was available thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines.

Ragnatela

We identified what we believe is a new variant of the BADNEWS RAT called Ragnatela being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT.

Figure 1: Patchwork’s Ragnatela panel

Ragnatela RAT was built sometime in late November as seen in its Program Database (PDB) path “E:new_opsjlitest __change_ops -29no – CopyReleasejlitest.pdb”. It features the following capabilities:

  • Executing commands via cmd
  • Capturing screenshots
  • Logging keystrokes
  • Collecting a list of all the files on the victim’s machine
  • Collecting a list of the running applications on the victim’s machine at specific time periods
  • Downloading additional payloads
  • Uploading files

Figure 2: Ragnatela commands

In order to distribute the RAT to victims, Patchwork lures them with documents impersonating Pakistani authorities. For example, a document called EOIForm.rtf was uploaded by the threat actor onto their own server at karachidha[.]org/docs/.

Figure 3: Threat actor is logged into their web control panel

That file contains an exploit (for Microsoft Equation Editor) which is meant to compromise the victim’s computer and execute the final payload (the RAT).

Figure 4: Malicious document triggers exploit

That payload is stored within the RTF document as an OLE object. We can deduce that the file was created on December 9, 2021 based on the source path information.

Figure 5: OLE object containing RAT
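The OLE object described above sits inside the RTF as a hex string under the \objdata control word, wrapped in an OLE 1.0 object stream. The Python below is an added triage example, not code from this post or from the malware: it pulls each such blob out of a constructed sample document (whose embedded payload is a harmless stub), decodes the OLE 1.0 header, and reports the object class and whether the native data carries the compound-file signature, flagging classes that reference the Equation Editor because that is the component the post says the lure abuses. The OLE 1.0 layout assumed here is version, format id, three length-prefixed strings, then the native data length and bytes; pairing each \objdata with the nearest preceding \objclass is a simplification for triage.

```python
import re
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")            # OLE2 compound file header
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")  # hex blob after \objdata
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")      # declared ProgID, e.g. Equation.3
OLE1_EMBEDDED = 2                                          # FormatID of an embedded object


def _lp_string(buf: bytes, off: int):
    """Read an OLE 1.0 LengthPrefixedAnsiString; return (text, next offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    text = buf[off:off + n].rstrip(b"\x00").decode("latin-1")
    return text, off + n


def parse_ole1(blob: bytes) -> dict:
    """Decode the OLE 1.0 object stream that RTF stores as hex under \\objdata."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    info = {"version": version, "format": fmt, "class": "", "native_len": 0, "native": b""}
    if fmt != OLE1_EMBEDDED:          # linked/static objects are laid out differently; not triaged here
        return info
    off = 8
    info["class"], off = _lp_string(blob, off)   # ClassName
    _topic, off = _lp_string(blob, off)          # TopicName (unused)
    _item, off = _lp_string(blob, off)           # ItemName (unused)
    (native_len,) = struct.unpack_from("<I", blob, off)
    off += 4
    info["native_len"] = native_len
    info["native"] = blob[off:off + native_len]
    return info


def triage_rtf(rtf: bytes) -> list:
    """Return one finding per \\objdata blob found in the RTF bytes."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        blob = bytes.fromhex(hexdata.decode("ascii"))
        # Simplification: pair the blob with the nearest preceding \objclass.
        classes = OBJCLASS_RE.findall(rtf[:m.start()])
        declared = classes[-1].strip().decode("latin-1") if classes else ""
        info = parse_ole1(blob)
        info["declared_class"] = declared
        info["native_is_cfb"] = info["native"].startswith(OLE_MAGIC)
        info["flag_equation_editor"] = "equation" in (declared + " " + info["class"]).lower()
        findings.append(info)
    return findings


# --- constructed sample document: no real exploit, the payload is a stub ---
def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Serialise an OLE 1.0 embedded-object stream the way RTF writers do."""
    def lp(s: bytes) -> bytes:
        if not s:
            return struct.pack("<I", 0)
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x00000501, OLE1_EMBEDDED) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


STUB_NATIVE = OLE_MAGIC + b"\x00" * 24    # only the compound-file magic, nothing inside
SAMPLE_RTF = (
    b"{\\rtf1\\ansi Please find the form attached.\n"
    b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + build_ole1_embedded(b"Equation.3", STUB_NATIVE).hex().encode("ascii") + b"}}\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + build_ole1_embedded(b"Package", b"plain bytes, not a compound file").hex().encode("ascii") + b"}}}"
)

if __name__ == "__main__":
    for f in triage_rtf(SAMPLE_RTF):
        print(f"class={f['class']!r} declared={f['declared_class']!r} native={f['native_len']}B "
              f"cfb={f['native_is_cfb']} equation_editor={f['flag_equation_editor']}")
```

On a real sample the native bytes would be handed to a compound-file parser to list the streams inside; an Equation Editor object in a document that has no reason to contain formulas is a strong triage signal on its own.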

Ragnatela RAT communicates with the attacker’s infrastructure via a server located at bgre.kozow[.]com. Prior to launching this campaign (in late November), the threat actor tested that their server was up and running properly.

Figure 6: Log of threat actor typing a ping command

The RAT (jli.dll) was also tested in late November, before its final compilation on 2021-12-09, along with MicroScMgmt.exe, which is used to side-load it.

Figure 7: DLL for the RAT being compiled

Also in late November, we can see the threat actor testing the side-loading on a typical victim machine.

Figure 8: Threat actor tests RAT

Victims and victim

We were able to gain visibility on the victims that were successfully compromised:

  • Ministry of Defense, Government of Pakistan
  • National Defense University of Islamabad
  • Faculty of Bio-Science, UVAS University, Lahore, Pakistan
  • International Center for Chemical and Biological Sciences
  • HEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of Karachi
  • SHU University, Molecular Medicine

Another – unintentional – victim is the threat actor himself, who appears to have infected his own development machine with the RAT. We can see them running both VirtualBox and VMware to do web development and testing. Their main host has dual keyboard layouts (English and Indian).

Figure 9: Virtual machine running on top of threat actor’s main computer

Other information that can be gleaned is that the weather at the time was cloudy at 19 degrees, and that they hadn’t updated their Java yet. On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address.

Figure 10: Threat actor uses VPN-S

Under the VPN, they log into their victims’ email and other accounts stolen by the RAT.

Figure 11: Threat actor logs into his victim’s email using CyberGhost VPN

Conclusion

This blog gave an overview of the latest campaign from the Patchwork APT. While they continue to use the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers.

Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding of who sits behind the keyboard. The group makes use of virtual machines and VPNs to develop, push updates and check on their victims. Patchwork, like some other East Asian APTs, is not as sophisticated as their Russian and North Korean counterparts.

Indicators of Compromise

Lure

karachidha[.]org/docs/EOIForm.rtf
5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6

RAT

jli.dll
3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3

C2

bgre[.]kozow[.]com
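To put the indicators above to work, a defender refangs them and sweeps DNS logs and file-hash inventories for matches, matching subdomains of the C2 and lure hosts and matching files by content hash rather than by name. The following Python is an added example, not part of the Malwarebytes post: the indicators are copied from the list above, while the DNS log lines, the file paths and the benign hash are constructed.

```python
import re

# Indicators copied from the list above (defanged as published).
IOC_DOMAINS_DEFANGED = ["karachidha[.]org", "bgre[.]kozow[.]com"]
IOC_SHA256 = {
    "5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6": "EOIForm.rtf (lure)",
    "3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3": "jli.dll (RAT)",
}


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be compared with live telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Constructed DNS query log (not real telemetry): timestamp, client, queried name.
SAMPLE_DNS_LOG = """\
2021-12-10T09:12:01Z 10.0.5.17 query www.example.org
2021-12-10T09:12:44Z 10.0.5.17 query bgre.kozow.com
2021-12-10T09:13:02Z 10.0.5.23 query mail.example.org
2021-12-10T09:15:19Z 10.0.5.31 query KARACHIDHA.ORG.
2021-12-10T09:16:00Z 10.0.5.31 query docs.karachidha.org
"""
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<name>\S+)$")


def domain_matches(name: str, ioc_domain: str) -> bool:
    """Exact match or any subdomain (docs.karachidha.org should hit karachidha.org)."""
    name = name.lower().rstrip(".")
    return name == ioc_domain or name.endswith("." + ioc_domain)


def scan_dns_log(log_text: str) -> list:
    """Return (timestamp, client, queried name, matched indicator) for every hit."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        for ioc in IOC_DOMAINS:
            if domain_matches(m["name"], ioc):
                hits.append((m["ts"], m["client"], m["name"].lower().rstrip("."), ioc))
                break
    return hits


# Constructed file inventory (path -> SHA-256), as a hash sweep or EDR export would report it.
SAMPLE_INVENTORY = {
    # some tools emit uppercase hex; the lookup normalises case
    r"C:\Users\user1\Downloads\EOIForm.rtf":
        "5B5B1608E6736C7759B1ECF61E756794CF9EF3BB4752C315527BCC675480B6C6",
    # the RAT DLL dropped under a different file name
    r"C:\Users\user1\AppData\Local\Temp\renamed.dll":
        "3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3",
    # placeholder hash for a benign file
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}


def scan_hashes(inventory: dict) -> list:
    """Match on content hash, so renamed copies of the lure or DLL are still found."""
    return [(path, IOC_SHA256[h.lower()]) for path, h in inventory.items() if h.lower() in IOC_SHA256]


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit:", *hit)
    for path, label in scan_hashes(SAMPLE_INVENTORY):
        print("File hit:", path, "->", label)
```

The subdomain rule matters here because the post shows the lure being fetched from a docs/ path on the karachidha host; a query log may record that host with or without a prefix, and an exact-string match would miss one of the two.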

The post Patchwork APT caught in its own web appeared first on Malwarebytes Labs.

Ransomware attacks Finalsite, renders 8,000 school sites unreachable for days

Finalsite, a popular platform for creating school websites, appears to have recovered significant functionality after being attacked by a still-unknown ransomware on Tuesday, January 4, 2022. At least 8,000 schools are said to have been affected by the resulting outage.

According to an open letter published on its Twitter account:

On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment.

In the time since the incident, our security, infrastructure, and engineering teams have been working around the clock to restore full backup systems and bring our network back to full performance, in a safe and secure manner.

Internet users who are directly or indirectly affected by this ransomware incident took to Reddit to raise some concerns. User /u/flunky_the_majestic writes: “Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol. The impact of this outage is far greater than the attention it has received.” [1]

Some Reddit users also used this thread to complain about K12 schools continuing to use old technology, and about the reasons it has remained this way. This is a notable one from someone who works in K12:

[Image: screenshot of the Reddit comment (“surprise Pikachu face”)]

The first piece of good news is that the company says it has found no evidence of data theft.

The second piece of good news is that, as of Finalsite’s status entry hours ago, “the vast majority of front-facing websites are online.” As a caveat, it added that some of these sites still lack some functionality and content, such as admin log-in, calendar events, and the directory of constituent groups, which the team is working to restore. While the CMS company continues to restore from backups, the investigation is still ongoing as of this writing.

The third and final bit of good news is related to the second: Finalsite got it right by making and keeping backups of all their most important data. Remember that it’s not a matter of “if” but “when” ransomware—or another cyberthreat—strikes. Sometimes, companies who deem themselves secure can still get hit. And when (not if) they do, organizations need a recovery plan and the right kind of backups.

Companies restoring from backup just a few days after an attack, rather than paying the ransom, is by far the least bad outcome. It is also quite difficult to pull off, because there are so many questions to consider before doing anything. On top of that, there are instances where backups can fail us. Malwarebytes Labs’s podcast, Lock and Code, has covered this very dilemma.


Finalsite also kept it simple and honest, which we greatly applaud. Some (if not most) organizations leave it at “sophisticated cyberattack”—perhaps for fear of ridicule or criticism over “not doing enough”. While this is understandable, Finalsite admitting they have been ransomware victims and actually doing something about it is refreshing to see. We can only hope that other organizations, regardless of size, follow their example.

The post Ransomware attacks Finalsite, renders 8,000 school sites unreachable for days appeared first on Malwarebytes Labs.