IT NEWS

Microsoft Threat Intelligence Center (MSTIC) last week disclosed “a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features” that it calls HTML smuggling.

HTML smuggling has been used in targeted, spear-phishing email campaigns that deliver banking Trojans (such as Mekotio), remote access Trojans (RATs) like AsyncRAT/NJRAT, and Trickbot. These are malware that aid threat actors in gaining control of affected devices and delivering ransomware or other payloads.

MSTIC said the technique was used in a spear-phishing attack by the notorious NOBELIUM, the threat actor behind the noteworthy, nation-state cyberattack on SolarWinds.

How HTML smuggling works

What is HTML smuggling?

HTML smuggling got its name from the way attackers smuggle in or hide an encoded malicious JavaScript blob within an HTML email attachment. Once a user receives the email and opens this attachment, their browser decodes the malformed script, which then assembles the malware payload onto the affected computer or host device.

Usually, malware payloads go through the network when someone opens a malicious attachment or clicks a malicious link. In this case, the malware payload is created within the host. This means that it bypasses email filters, which usually look for malicious attachments.

HTML smuggling is a particular threat to an organization’s network because it bypasses customary security mitigation settings aimed at filtering content. Even if, for example, an organization has disabled the automatic execution of JavaScript within its environment—this could stop the JavaScript blob from running—it can still be affected by HTML smuggling as there are multiple ways to implement it. According to MSTIC, obfuscation and the many ways JavaScript can be coded could evade conventional JavaScript filters.

HTML smuggling isn’t new, but MSTIC notes that many cybercriminals are embracing its use in their own attack campaigns. “Such adoption shows how tactics, techniques, and procedures (TTPs) trickle down from cybercrime gangs to malicious threat actors and vice versa … It also reinforces the current state of the underground economy, where such TTPs get commoditized when deemed effective.”

Some ransomware gangs have already started using this new delivery mechanism, and this could be early signs of a fledgling trend. Even organizations confident with their perimeter security are called to double back and take mitigation steps to detect and block phishing attempts that could involve HTML smuggling. As we can see, disabling JavaScript is no longer enough.

Staying secure against HTML smuggling attacks

A layered approach to security is needed to successfully defend against HTML smuggling. Microsoft suggests killing the attack chain before it even begins. Start off by checking for common characteristics of HTML smuggling campaigns by applying behavior rules that look for:

• an HTML file containing suspicious script
• an HTML file that obfuscates a JS
• an HTML file that decodes a Base64 JS script
• a ZIP file email attachment containing JS
• a password-protected attachment

Organizations should also configure their endpoint security products to block:

• JavaScript or VBScript from automatically running a downloaded executable file
• Running potentially obfuscated scripts
• Executable files from running “unless they meet a prevalence, age, or trusted list criterion”

BleepingComputer recommends other mitigating steps, such as associating JavaScript files with a text editor like Notepad. This prevents the script from actually running but would let the user view its code safely instead.

Finally, organizations must educate their employees about HTML smuggling and train them on how to respond to it properly when encountered. Instruct them to never run a file that ends in either .js or .jse as these are JavaScript files. They should be deleted immediately.

Stay safe!

The post Evasive maneuvers: HTML smuggling explained appeared first on Malwarebytes Labs.

If you received a scary missive from what appears to be from the FBI over the last few days, you’re not alone. The emails, which may have reached as many as 100,000 people, blamed a fictitious cyberattack on an innocent party. The mail read as follows:

Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough [SIC] multiple global accelerators.

Now, if you know your way around your network or have some insight into security generally, this may already sound a little off. The typo also doesn’t help. But for anyone else, the email could be very concerning, not least because of the potential for reputation damage for them and their business!

How did this happen?

An FBI server was used to send out these mails. The server itself was a tiny link in the chain known as LEEP. This is a “secure platform for law enforcement agencies, intelligence groups, and criminal justice entities. It includes active shooter initiatives, blogs, forums, and a “Virtual Command Center”. Unfortunately, for a short period of time it also included bogus attack mail notifications.

The website contained a flaw which allowed for the leaking of one time registration passcodes in the website’s HTML. From there, it was a short step to editing requests sent to the browser and changing the text in the intended message subject field.

The FBI has explained the server was geared towards pushing notifications only. It isn’t part of the FBIs corporate email network, and so no PII or other data was compromised.

The damage could have been much worse

It’s certainly embarrassing for a law enforcement service to be abused in this way. It’s also worrying for anyone who’s received the mail and isn’t yet aware it’s a fake.

We’re just lucky the aim of the game here seems to have been trolling (unless you’re the innocent party, of course. There’s definitely nothing lucky about that). Think how much more impact this could have had if the mail had come with a malicious attachment, or was part of a social engineering data harvesting extravaganza.

Once an attacker seizes control of official law enforcement comms tools the possibility for incredibly malicious activity is high. This one is all about the short sharp shock, but there’s plenty of time to think about a slow, drawn-out campaign with subtle missives and a gradual tightening of the web.

Should you ever receive what appears to be a mail warning of attacks at your organisation from law enforcement, consider phoning up and going directly to the (assumed) source. It’ll save you a lot of stress, time, and effort.

The post FBI server hijacked to send up to 100,000 bogus attack mails appeared first on Malwarebytes Labs.

The mechanisms for memorialising the social network accounts of people who’ve died haven’t really suffered a lot of scrutiny up until now. I’ve done a fair amount of research on the processes and perils we face in the digitally deceased age.

Traditionally, the biggest issues in this space tended to be surprise returns from the beyond. When someone is definitely dead but their accounts spring back into action, it can be incredibly disturbing for their loved ones.

This happens by accident, or deliberately. Sometimes a relative with access to the account of the departed starts tweeting, or accidentally posts a message. Other times, the account is compromised and used to spam, or just troll.

A combination of weak security and the possibility of continued access to an account allows for this to happen.

What you may not be expecting, is for the process to happen in reverse.

When reports of your demise are rather premature…

What if you’re able to convince a platform that someone who is alive and well has actually passed on?

This issue has faced multiple individuals over the past month, but the tale has an additional twist: In this specific case, we don’t have a regular social media user finding out a random platform thinks they’ve died. We have the head of Instagram locked out of their own Instagram account, because somebody exploited its memorialisation feature.

Well, I promised you a twist.

What is Instagram’s memorialization feature?

Instagram’s memorialization feature is a way to preserve the digital legacy of a user for friends and family. As per Instagram’s FAQ page:

Memorialized accounts are a place to remember someone’s life after they’ve passed away. Memorialized accounts on Instagram have the following key features:

• No one can log into a memorialized account.
• The word Remembering will be shown next to the person’s name on their profile.
• Posts the deceased person shared, including photos and videos, stay on Instagram and are visible to the audience they were shared with.
• Memorialized accounts don’t appear in certain places on Instagram, like Explore.

Once memorialized, no one will be able to make changes to any of the account’s existing posts or information. This means no changes to the following:

• Photos or videos added by the person to their profile.
• Comments on posts shared by the person to their profile.
• Privacy settings of their profile.
• The current profile photo, followers or people the person follows.

This is one of the more strict, locked down approaches I’ve seen in this realm. Some sites allow people to continue posting, or make updates. This is particularly the case if the deceased is a known public figure, or the spokesperson for a person, charity or other organisation. In those cases, a close relative may be allowed to continue posting. That isn’t the case here, and the account is indeed memorialised in every sense of the word.

Checks and balances

Instagram doesn’t mention what checks it makes to ensure nothing suspicious takes place, but it does say it has fewer people available to review memorialization reports due to COVID. It’s possible this also impacted what happened next.

Fake memorial pages aren’t a new phenomenon. Convincing someone at an organisation that their reasonably public-facing boss is dead, feels a bit fresher.

This is the situation Adam Mosseri found himself in after a scammer convinced Instagram support that Mosseri was dead. All it took was a fake memorial, easily thrown together online or via the DIY route. As Instagram requires a death certificate or an obituary/news article, the latter was all it took to ease the scam through in September of this year.

The reports on this don’t say how long he was locked out for, except that it was resolved “quickly”.

For unverified, regular users, the person behind these tactics doesn’t even need to whip up a fake notice. They simply grab a recent genuine online obituary of somebody with the same name. As long as the obituary is from the same week as the bogus memorialization request, “98%” of the time it goes through within one to two days.

Paying the piper

This tactic does of course involve money, with “most requests” coming from paying customers. We don’t know if this particular incident was a paid request or just a way to make the tactic more visible. Getting people banned from services is another trick which was popular back in the days of Myspace, and it remains so to this day.

Discovering a contact online has died is a profound shock. If someone manages to switch an account to some form of memorial page, the impact is immediate for both people who see it and the person themselves.

Tightening up the process?

It’s possible services may have to become a little more strict about the evidence required for memorializing accounts. Perhaps more pieces of evidence, or genuine links online which corroborate the request. Of course, asking for specific services as proof only will likely exclude many people. What if those services are only available in certain regions? How about the cost…will folks be priced out in this new digital world of verified death?

It remains to be seen, but this story is a good reminder that scammers will target absolutely anything they can to get the job done. It’s up to the services we use to find new ways to be ever more vigilant and keep our digital identities ticking over for the time being.

The post Instagram’s memorialize feature abused to memorialize…Instagram’s boss appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs

• Multiple video games break after domain name snafu
• How to remove adware on an Android phone
• Smart TV adverts put a wrinkle in your programming
• Are cybercriminals turning away from the US and targeting Europe instead?
• Patch now! Microsoft plugs actively exploited zero-days and other updates
• Playstation 5 hacked—twice!
• Murder-for-hire, money laundering, and more: How organised criminals work online
• Could Apple’s new MacBooks signal a change in direction on security?
• The importance of backing up
• A multi-stage PowerShell based attack targets Kazakhstan

On Malwarebytes’ Lock and Code podcast episode S02E21 of this week we talked to Jess Dodson about “Why we fail at getting the cybersecurity basics right.“

Other cybersecurity news

• Romanian authorities arrested two individuals suspected of cyberattacks deploying the Sodinokibi/REvil ransomware. (Source: Europol Newsroom)
• The TOR project launched a new release: Tor Browser 11.0 (Source: The TOR blog)
• Threat actors are actively exploiting ZOHO ManageEngine ADSelfService Plus vulnerability in a targeted campaign. (Source: Microsoft Security blog)
• SolarWinds Serv-U vulnerability is used for initial access in Clop ransomware attacks. (Source: Fox IT)
• Facebook whistleblower Frances Haugen warned that the metaverse will gather even more personal information. (Source: AP news)
• The US Treasury Department announced a set of actions focused on disrupting criminal ransomware actors and virtual currency exchanges that launder the proceeds of ransomware. (Source: US Department of the Treasury)
• A suspected state-sponsored threat actor has used Hong Kong pro-democracy news sites to deploy a macOS zero-day exploit chain. (Source: The Record)
• Void Balaur hackers-for-hire sell stolen mailboxes and private data. (Source: Bleeping Computer)
• Queensland water supplier Sunwater targeted by hackers in months-long undetected cybersecurity breach. (Source: ABC.net.au news)
• Missouri apologizes to 600,000 teachers who had SSNs and private info exposed. (Source: ZDNet)

Stay safe, everyone!

The post A week in security (Nov 8 – Nov 14) appeared first on Malwarebytes Labs.

Apple recently announced a new line of completely overhauled MacBook Pros. Much has been written about their new design, new chips, new displays, new keyboards etc, but I thought I detected something else that might be new about these MacBooks too: A new approach.

The updated laptops may be the first sign of a shift in product management strategies at Apple. Product management—the process of directing the development and evolution of some product—is hard, and Apple has made some missteps in recent years. From the outside looking in, those missteps have resulted in challenges both within their products, but also relating to the security of their products.

It starts with solving problems

One of the most important principles of product management is to focus on problems to be solved. You have to start with a problem that your customer (or potential customer) has, and work from there to find a solution that makes sense for your product and your customer base. If your product does not solve a problem for anyone—even if that problem is a rather first-world problem like, “It’s a rainy weekend and I’m bored”—then nobody’s going to use it.

It’s a big product management no-no to just try to build something you think is cool and ship it, and let marketing figure out how to make it sell. That can certainly be a recipe for success, if you’re lucky and you’re fairly in touch with the market. But it can also be a big recipe for failure.

Consider the case of Juicero, an Internet of Things (IoT) device that could be controlled wirelessly and allowed you to… make juice. The product was intended to be similar to a Keurig, but for people who wanted juice instead of coffee. However, juice drinkers don’t have the same needs as coffee drinkers. The device and the juice pouches were expensive, and there were cheaper and easier ways to get your juice. Worse, it was discovered that you could use a pair of scissors to cut open the pouch, squeeze it into a glass, and get the same glass of juice that the machine would have produced.

Juicero was a failure, because it didn’t solve a problem for many people, and even among those who might have considered such a device, it didn’t solve the problem better than a cheap pair of scissors.

Working backwards from the problem to the features or products is something that Apple has experience with. Consider the response Steve Jobs gave back in 1997 when he got a question about why Apple was dropping support for OpenDoc.

So, Apple’s good at solving customer problems?

Well, yes and no. They’ve definitely had some success there in the past, but in recent years, it often feels like the things Apple produces are the result of someone in a back room somewhere saying, “Hey, I’ve got this cool idea,” and then building it without customer input. Let’s take a look at some examples.

In 2016 the Touch Bar was created. This has made a lot of people very angry and been widely regarded as a bad move.

The Touch Bar was, apparently, Apple’s compromise for a touch screen. Apple has always been against touch screens on the Mac, for reasons that I believe are quite valid. However, Apple had been getting heat from reviewers for years, who touted the touch screens on latest Windows PCs as a reason to buy them instead of a Mac.

Thus, the Touch Bar was born. Unfortunately, it solved a problem for Apple, but it didn’t solve a problem for most users. Although some learned to like it, hate for the Touch Bar is widespread.

Apple also released MacBook Pros that eliminated all ports other than USB-C, and with the infamous butterfly keyboard that was as fragile as its namesake. This was done for the sake of making laptops that were thinner and lighter. However, it turned out most people cared less about thinner and lighter and more about the things that had been taken away. The Internet has been awash in keyboard and dongle jokes, poking not-so-good-natured fun at Apple and the MacBook Pros, ever since. This created more customer problems than it solved.

And all this relates to security how?

Some of Apple’s recent security changes have addressed security issues, but they don’t seem to have taken their users’ problems and perspectives into consideration.

As an example, Apple decided to start restricting installation of kernel extensions in macOS 10.13 (High Sierra). The intent was to prevent malicious software from installing a kernel extension (kext) surreptitiously. This was done by asking the user to approve installation, via the following message:

In order to actually enable the kernel extension, users would have to click the button to go to Security Preferences, and then would have to figure out what they were supposed to do there, which was not so obvious. There was an Allow button in System Preferences that would need to be clicked, but Apple’s messaging never indicated that’s what you should do. Worse, the Allow button would only stick around for a few minutes before disappearing… so if the user didn’t click it right away, they’d be stuck.

Most of the cases where users saw these warnings were for legitimate software, not for malware. This solved a problem that Apple wanted solved, but from the user’s perspective, it caused more problems than it solved. Third-party software has had to take a lot of responsibility for filling in the gaps in the user experience as best it could. I know from first-hand experience!

I understand why Apple did it this way, but even so, the user experience needed a lot of work—and still needs work, as Apple has carried this experience over to the new system extensions that have replaced kernel extensions.

Next, Apple decided to protect certain locations on disk, to protect users’ security as well as their privacy. This is a noble goal, but it resulted in a cascade of new alerts that hassled users, who became frustrated and got in the habit of just clicking OK to make these alerts go away.

It’s important to note that Apple’s use of an OK button in this alert is problematic, as users have gotten used to simply clicking OK or Cancel to make these things go away. Yet clicking OK, in this case, has a definitive action of allowing an app to access your data! Worse, if you re-think that action afterwards, figuring out how to reverse your decision (assuming you even realize that you made a decision) is quite difficult for the average user. Not good.

Again, this solved a problem that Apple perceived, but not one that most users knew even existed. Amusingly, Apple did this in a way that they’d made fun of Microsoft for doing years before.

Another example relates to something I’ve just seen very recently. Out of the blue, not following any particular system update or software installation that I was aware of, I got a message on my Mac asking me to approve a mysterious, unnamed system extension.

The alert says it’s an Apple system extension, so I guess it must be okay, right? Not really. If I were crafting a message like this to be displayed by a piece of malware or a scam website, I’d make sure it claimed to be associated with Apple.

Visiting System Preferences didn’t clear anything up, unfortunately.

From a little detective work, assisted by Howard Oakley’s SystHist app, I was able to determine that this was most likely the result of an update silently and automatically installed on October 7, which updated a system kernel extension named AppleMobileDevice.kext. This is a legitimate Apple extension, located in the read-only /System/Library/Extensions/ folder.

Now, after all my complaining earlier about how Apple has made third-party developers go through this process, you might think I’d be happy to see that they apparently haven’t exempted themselves. However, you would be wrong.

In this case, Apple has implemented something in as close to the worst possible way that I can think of. This message instills fear and uncertainty. Something has been updated, but it’s apparently not working right! In order to solve this problem, I’m expected to trust what the alert tells me and go click a button.

Isn’t this more or less exactly what security professionals have been telling people not to do for years? If you see a weird link or button somewhere and you weren’t expecting it, don’t click it. Yet this is exactly what Apple is expecting people to do.

This behavior encourages insecure behavior, and will cause more security problems for people than would be caused by macOS simply automatically trusting one of Apple’s own kernel extensions. Once again, this solves an Apple problem at the expense of the customer, who now has a problem they didn’t have before.

So, is it time to move away from the Mac?

Whoa, there, let’s not do anything crazy like switching to Windows! Microsoft isn’t any better, and the good news is that there’s some hope that things are changing for the better. In October, Apple announced the release of a new MacBook Pro line. Okay, yes, I hear you… doesn’t Apple announce new Macs about once per year? What’s so special about this?

What’s most interesting about the new MacBook Pros are not the M1 Pro and M1 Max chips… it’s that this new line brings back a real keyboard, with real function keys instead of a Touch Bar, and brings back all the ports people were upset about losing. This may not seem like much, but it’s actually quite rare for Apple to walk back changes it’s made, especially to this degree.

Does this mean that Apple is once again starting to pay closer attention to the problems their users are experiencing? Perhaps. It’s definitely a good sign. They’ve looked at user problems that have emerged as a result of their actions, and they have made changes to address those problems, rather than just continuing to barrel forward to the next “cool” feature.

If we’re lucky—and noisy!—perhaps this problem-focused trend will trickle down to security development, and the user experience for some of the recent macOS security features will improve.

Maybe I’m reading more into one product release than I should be. Still, I choose to hope for a better tomorrow.

The post Could Apple’s new MacBooks signal a change in direction on security? appeared first on Malwarebytes Labs.

What does backing up something mean?

Backing up is the act of making a copy or copies of a file. These files are stored somewhere other than where the originals are located. You may only need to back up a few files, or it might be a much bigger effort. Requirements may differ greatly depending on if you’re an individual or a business.

The idea is that if the original file is damaged, breaks, is stolen, or suffers any other problem, then the backups survive the issue.

In an age of ransomware attacks, it’s crucial to back up data and essential systems. Ransomware authors have been attacking all sorts of business verticals for years and anything from infrastructure to medical systems can be targets. There are many tales of law enforcement and hospitals locked out of mission critical files and systems, leading to potentially life threatening delays and scheduled operation setbacks.

What does backing up a device mean?

Backing up a device can mean a few things and depending on the device, you may have to be very specific when you map out this process. Sometimes, this can just mean backing up certain mobile settings and functions, or options and data settings for a PC.

It can also mean simply copying everything from a particular piece of equipment, as opposed to a few files or folders. This is very common for all forms of mobile devices and laptops. Backing up the entirety of a desktop PC is often a bit more involved due to the sheer number of files. With smartphones, the primary concern is often the vast collection of precious photographs they contain.

Where do we put our backups?

One of the most important backup stumbling blocks is figuring out where to place the files being copied. This can be done locally, on an external hard drive or local server on your network. The files can also be saved in the cloud. This can cause a few headaches depending on:

• The security practices of the cloud storage system you’re using and
• Whether you encrypt the files and folders before you upload them.

If the files are work related, you should be using the business approved storage / backup solution. Placing files in a randomly selected service of your choice can have disastrous consequences if sensitive files are hacked or leaked.

Do people backup their backups?

They do! It’s not unheard of to have a PC fail with important files on it, and discover there’s a problem with the backup too. This is why you have backups of backups. It’s also important to have sensible backups.

If an organisation simply copies hundreds of thousands of files into a big folder and thinks “job done”? That’s going to be a problem. If they suffer a ransomware attack 6 months later, it probably won’t end well: The files will be six months out of date and you’ll lose six months of work, or find yourself paying an exorbitant ransom. System files for business operations may have been replaced by new technology and the old files are no longer relevant.

If the files are still relevant but not organised in a way which makes it clear what to do with them, that’s also bad, and you’re back to square one. Did you back everything up in a logical, regular fashion but then leave the storage device next to the main systems which are all covered in flood water? That’s not going to help very much, either.

The 3-2-1 backup strategy

The best starting point for most businesses is the 3-2-1 backup strategy, in which you keep:

3. Three copies of your data, in total.
4. Two copies of your data on-site, but on different devices.
5. One remote copy, in case your premises become damaged.

The local copies of your data give you easy and immediate, redundant access to your data when you need it. The remote copy, which will be harder to access, is your insurance policy against fire, flood, and other disasters. To act as a fallback if you are attacked with ransomware, the off-site copy of your data should be inaccessible to an attacker on your network with administrator rights.

Additional backup resources

You may wish to make a note in your diary now for World Backup Day which comes around every March. It’s a great reminder to set those backup plans in motion, and also do some more general file spring-cleaning while you’re at it. Whatever your strategy, the most important thing is to start backing up now. Not next week, most definitely not next month and almost certainly not “when I get around to it”.

There’s a lot of people out there who will sadly only realise the value of backups when it’s too late to do anything about it.

Getting backups right

Backups are simple in theory, but they often let you down when you need them most. On a recent Malwarebytes Lock and Code podcast, host David Ruiz spoke to Matt Crape, a technical account manager for VMware and backups expert, about why backups are so hard to get right, and what the most basic missteps are when companies roll out a backup plan.

The post The importance of backing up appeared first on Malwarebytes Labs.

This blog post was authored by Hossein Jazi.

On November 10 we identified a multi-stage PowerShell attack using a document lure impersonating the Kazakh Ministry of Health Care, leading us to believe it targets Kazakhstan.

A threat actor under the user name of DangerSklif (perhaps in reference to Moscow’s emergency hospital) created a GitHub account and uploaded the first part of the attack on November 8.

In this blog we will review the different steps the attacker took to fly under the radar with the intent on deploying Cobalt Strike onto its victims.

Overview

The attack started by distributing a RAR archive named “Уведомление.rar” (“Notice.rar”). The archive file contains a lnk file with the same name pretending to be a PDF document from “Ministry of Health Care, Republic of Kazakhstan”. Upon opening the lnk file, a PDF file will be shown to confuse victims while in the background multiple stages of this attack are being executed. The decoy document is an amendment for a Covid 19 policy that has been issued by the Chef State Sanitary of the Republic of Kazakhstan.

Attack process

The following figure shows the overall process of this attack. The attack started by executing the lnk file that calls PowerShell to perform several techniques such as privilege escalation and persistency through an autorun registry key. We will provide the detailed analysis in the next section. 

All stages of this attack have been hosted in one Github repository named GoogleUpdate. This repository was created on November 8th by a user named DangerSklif. The DangerSklif user was created on GitHub on November 1st. 

Analysis

The embedded lnk file is obfuscated and after de-obfuscation we can see that it used cmd.exe to call PowerShell to download and execute the first stage of the attack from the Github account (lib7.ps1).

The lib7.ps1 downloads the decoy PDF file from the same Github account and stores it in the Downloads directory.  In the next step it opens the decoy PDF to confuse the user while it performs the rest of process in the background, which includes getting the OS version and downloading the next stage based on the OS version. 

If the OS version is 7 or 8, it downloads and executes lib30.ps1 and if the OS version is 10 it downloads and executes lib207.ps1. The reason the actor is checking the OS version is because it is trying to execute the right privilege escalation method. These techniques previously used by TA505 in their campaign to drop SrvHelper. 

• Using the SilentCleanup task in the Task Scheduler to bypass UAC in Windows 10: Attacker used Lib207.ps1 to bypass UAC in Windows 10. The PowerShell commands used to perform the bypass are XOR encrypted using 0x58 key.

After decrypting the commands, we can see the process of UAC bypass which includes creating a SilentCleanup task in the Task Scheduler that calls PowerShell to execute the created vbs file with higher privilege.

• Using the sysprep.exe system utility and DLL side-loading to bypass UAC in Windows 7 and 8: Lib30.ps1 is used to execute this bypass. Simliar to lib207.ps1 this PowerShell script is also XOR encrypted but using different key (0x02).

Figure 9 shows PowerShell commands after decryption. The process starts by creating a batch file (cmd.bat) in the “Windows/Temp” directory.  In the next step, a cab archive file is created containing a DLL (CRYPTBASE.dll for Windows 7 or shcore.dll for Windows 8. Then this cab file is extracted into the C:WindowsSystem32Sysprep directory using wusa.exe.

At the end, the sysprep.exe system utility launches which side loads the CRYPTBASE.dll for Windows 7 or shcore.dll for Windows 8. This DLL executes the created cmd.bat file which leads to executing it with a high privilege.

After bypassing UAC, in all OS versions the next stage payload is downloaded and executed (lib106.ps1).

This stage performs the following actions:

• Creates a vbs file (cu.vbs) in ProgramFiles directory and makes this multi-stage attack persistence by adding this vbs file to HKLMSoftwareMicrosoftWindowsCurrentVersionRun registry key.  
• Makes vbs file hidden using “Attrib.exe +h” command. 
• Downloads and executes the final stage (updater.ps1) using PowerShell.

The final stage (updater.ps1) is executing Cobalt Strike in PowerShell context. In fact this PowerShell script is PowerShell variant of Cobalt Strike.

The Cobalt Strike ShellCode is base64 encoded and XOR encrypted using 35 key. After decoding and decrypting the ShellCode it allocates it into memory using VirtualAlloc and finally execute it by calling Invoke function.

Kazakhstan in the news

Kazakhstan has been in the news recently for taking over China in the cryptomining industry, depleting its own electric resources. The energy-rich country is a very important ally for Russia in particular with lucrative joint oil and gas ventures.

Other than their GitHub profile, we do not have much information on the threat actor or their exact intention with this attack. However, monitoring and espionage are a likely motive.

Malwarebytes users were protected thanks to the Anti-Exploit layer of our product.

IOCs

Уведомление.pdf.lnk:
574a33ee07e434042bdd1f59fc89120cb7147a1e20b1b3d39465cd6949ba7d99
Уведомление.rar:
d0f3c838bb6805c8a360e7b1f28724e73e7504f52147bbbb06551f91f0df3edb
Updater.ps1:
08f096134ac92655220d9ad7137e35d3b3c559359c238e034ec7b4f33a246d61
lib106.ps1:
81631df5d27761384a99c1f85760ea7fe47acc49ef81003707bb8c4cbf6af4be 
lib2.ps1:
912434caec48694b4c53a7f83db5f0b44b84ea79be57d460d83f21181ef1acbb
lib207.ps1:
893f6cac7bc1a1c3ee72d5f3e6994e902b5af044f401082146a486a0057697e5 
lib30.ps1:
11d6b0b76d057ac9db775d9a1bb14da2ed9acef325060d0452627d9391be4ea2 
lib63.ps1:
8f974d8d0741fd1ec9496857d7aabbe0d3ba4d2e52cc311c76c28396edae9eb9 
lib64.ps1:
301194613cbc11430d67acf7702fd15ec40ee0f9be348cf8a33915809b65bc5e
lib7.ps1:
026fcb13e9a4ea6c1eab73c892118a96731b868a1269f348a14a5087713dd9e5
lib706.ps1:
36aba78e63825ab47c1421f71ca02422c86c774ba525959f42b8e565a808a7d4 
C2:
188.165.148.241

The post A multi-stage PowerShell based attack targets Kazakhstan appeared first on Malwarebytes Labs.

Europol has released an extensive report into serious and organized crime, including how these groups use the internet to aid in their criminal behaviour.

Europol is the European Union’s (EU) law enforcement agency and it assists the EU Member States in their fight against serious international crime and terrorism. We’ll often mention them when we tell you that cybercriminals have been arrested in international cooperation between law enforcement agencies, such as the FBI, DEA, and other US agencies.

The purpose of the report, besides informing the public, is to create a better understanding of international crimes. Understanding how criminals and criminal networks operate may help law enforcement to more effectively identify and disrupt criminal operations.

Of course, we’re interested from a cybercrime point of view. So let’s dig in.

Cybercrime

Cybercrime in this report includes the creation and spread of malware, hacking to steal sensitive personal or industry data, denial of service attacks to cause financial and/or reputational damage, and other criminal activities.

The threat from cybercrime has been increasing over the last few years, not only in terms of the number of attacks reported but also the sophistication of attacks. Cybercrime causes significant financial loss to businesses, private citizens and the public sector each year through payments for ransomware, incident recovery costs, and costs for enhanced cybersecurity measures.

Cybercrime is attractive to criminals due to the potential profits, limited risk of detection and prosecution, which if successful often results in low sentences. Various types of criminals are involved in cybercrimes, ranging from structured criminal groups to lone offenders. At the entry-level, potential offenders without any specific expertise can carry out cyberattacks by relying on tools and services made available to them through crime-as-a-service.

Money makes the crimes go round

Money laundering is an essential component of the vast majority of criminal operations. Cryptocurrencies remain an important means of payment for criminal services and products. Their decentralization and semi-anonymity continue to make them attractive for criminal transactions. However they are not the main method of money laundering. A surprising 68% of crime groups use basic money laundering methods such as investing in property or high-value goods.

Brokers or intermediaries are crucial in connecting networks, individual criminals and groups. They enable and facilitate criminal business, linking producers with wholesale distributors, and distributors with transport providers. There is a parallel underground financial industry providing services to criminals and their networks completely detached from the oversight mechanisms governing the licit financial services industry. In many cases, service providers enable access to a parallel banking system which allows criminals to transfer money to associates across the world.

COVID-19

The current crisis situation due to the pandemic and the potential economic and social fallout threaten to create ideal conditions for the spread of organized crime in the EU. Criminals were quick to adapt illegal products, operational methods, and their narratives to the COVID-19 pandemic. In this way, they exploited the fear and anxieties of Europeans and profited from the scarcity of some vital goods during the pandemic.

Violence

While consolidated figures quantifying the number of violent incidents related to serious and organized crime are not available, the level of the use of violence associated with serious and organized criminality is perceived to have increased notably, both in terms of frequency and severity, over the last four years. 60 percent of the organized crime groups will use violence to any extent.

Much of the violence is arranged online, usually as a violence-for-hire service advertised on dark web platforms and encrypted communication apps.

The violent acts on offer range from threats, intimidation, vandalism and assaults, to kidnapping, torture, mutilation and murder. Violence is employed by criminal networks for a variety of reasons against external parties such as competitors as well as non-criminals (e.g. witnesses and their solicitors, law enforcement and court officers).

Key findings of the report

The full report goes into detail on many other forms of international crime, and we’ve only discussed a few sections that we thought would be of interest to our readers. Below we have listed the key findings of the report.

• Serious and organized crime remains a key threat to the internal security of the EU.
• The organized crime landscape is characterized by a networked environment where cooperation between criminals is fluid, systematic and driven by a profit-oriented focus. Several key actors cooperate in criminal networks with service providers and brokers in pivotal roles.
• Similar to a business environment, the core of a criminal network is composed of managerial layers and field operators.
• A key characteristic of criminal networks, as confirmed by the pandemic, is their agility in adapting to and capitalizing on changes in the environment in which they operate.
• The use of violence by criminals involved in serious and organized crime in the EU appears to have been increasing in terms of the frequency of use and its severity.
• Corruption is a feature of most, if not all, criminal activities in the EU. Corruption takes place at all levels of society and can range from petty bribery to complex multi-million-euro corruption schemes.
• The scale and complexity of money laundering activities in the EU have previously been underestimated.
• Legal business structures such as companies or other entities are used to facilitate virtually all types of criminal activity with an impact on the EU. Criminals directly control or infiltrate legal business structures in order to facilitate their criminal activities.
• The use of technology is a key feature of serious and organized crime in 2021. Criminals exploit encrypted communications to network among each other, use social media and instant messaging services to reach a larger audience to advertise illegal goods or to spread disinformation.
• The COVID-19 pandemic has had a significant impact on the serious and organized crime landscape in the EU.
• A potential deep economic recession following the COVID-19 pandemic will fundamentally shape serious and organized crime in the EU for the near future.
• Serious and organized crime deeply affects all layers of society; in addition to the direct impact on the daily lives of EU citizens, it also undermines the economy, state institutions and the rule of law.

The post Murder-for-hire, money laundering, and more: How organised criminals work online appeared first on Malwarebytes Labs.

Significant cyberattacks against critical targets in Europe have doubled in the past year, according to EU figures obtained by CNN. And with the announced pressure from the US against major ransomware gangs we can expect these figures to go up even more.

It’s also clear from recent attacks that the holiday season and the associated spending sprees make online retailers an attractive target for cybercriminals. Last week, we reported about UK based jewelry house Graff that was a target of Conti ransomware. But more and more European firms are showing up on the target list. Below you can see some examples from the last few days.

Angling Direct

The UK’s biggest fishing shop, Angling Direct has been hacked, with its website redirecting shoppers to an adult website. While this may seem a prank at first, there are signs that the hacker gained access to a few key systems of the company. Most people trying to access the site saw a warning like this:

On top of that, Angling Direct’s Twitter account was taken over, and it would seem that the hacker has at least some access to Angling Direct’s mail server, as they have claimed a local mail account as their own.

The company said it has brought in cybersecurity experts to tackle the problem, and alerted authorities. Angling Direct said it is too early to tell if any personal data has been compromised, but reassured customers that no payment data could have been leaked.

MediaMarkt

Dutch electronics retail giant MediaMarkt has fallen victim to the Hive ransomware group. The brick and mortar shops of MediaMarkt and Saturn, which can be found in the Netherlands, Belgium, Luxemburg, and Germany, are still open for business, as are their online shops, but the computer systems in the physical shops seem to be the ones that were encrypted. The cash registers cannot accept credit cards or print receipts at affected stores.

The systems outage is also preventing returns due to the inability to look up previous purchases. Employees were told not to use the computers in the shops, disconnect the cash registers from the network, and to refrain from rebooting systems.

While the functionality of its online shop seems unaffected, shoppers are shown a message that delivery may be delayed due to “technical problems.”

According to some sources, MediaMarkt is negotiating with the attackers about the 43 million Euro ransom (close to US$50 million) in Bitcoin.

Let’s go to Europe

For now it is hard to tell whether the increased amount of attacks in Europe is some sort of waterbed effect due to the US government’s harder stance against cybercriminals and ransomware in particular. It could be that it is simply ransomware groups expanding to new markets due to more competition among themselves and greener pastures on the other side of the pond. We have already seen a ransomware affiliate group called Lockean that concentrates on French targets.

In the ransomware industry, the time of “spray and pray” is long gone. Most of the well known groups know exactly which kind of targets they want to go after and even when the best time to strike is. So it’s not unlikely that we will see more of these attacks on online shops and large retailers with the shopping season around the corner.

For retailers it is time to shore up your defenses if you want to keep on serving your customers.

Stay safe, everyone!

The post Are cybercriminals turning away from the US and targeting Europe instead? appeared first on Malwarebytes Labs.

On what might seem a relatively calm Patch Tuesday with 55 vulnerabilities being patched, the fact that six of them were rated “Critical” and two of them actively exploited spoils the Zen factor somewhat.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

Exchange Server (again)

CVE-2021-42321: A Microsoft Exchange Server Remote Code Execution (RCE) vulnerability that is known to be exploited in the wild. This vulnerability was disclosed during the Tianfu International Cybersecurity Contest and requires an authenticated user to run arbitrary code on an on-premise Exchange Server.

Two other Exchange Server vulnerabilities, rated as “Important” are listed under CVE-2021-42305 and CVE-2021-41349. Both are Microsoft Exchange Server Spoofing vulnerabilities. The exploitation appears to be easy as the attack can be initiated remotely and no form of authentication is required for a successful exploitation. However, successful exploitation does require user interaction by the victim.

Excel

CVE-2021-42292: A Microsoft Excel Security Feature Bypass vulnerability which is also being exploited in the wild. Microsoft doesn’t suggest what effect the vulnerability might have, but its CVSS score of 7.8 out of 10 is worrying Two interesting notes in the Microsoft FAQ about this vulnerability:

• No, the Preview Pane is not an attack vector.
• The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.

Remote Desktop Protocol (RDP)

As if RDP wasn’t a big enough problem already, four vulnerabilities have been found in this widely abused protocol. Three of them are Information Disclosure vulnerabilities and one, listed under CVE-2021-38666 is a “Critical” RCE. The attack can be initiated remotely and no form of authentication is needed for a successful exploitation. It does however require the victim’s interaction.

3D Viewer

The Microsoft 3D Viewer lets you view 3D models with lighting controls, inspect model data and visualize different shading modes. Two “Important” RCE vulnerabilities in this utility have been patched in this update. They are listed under CVE-2021-43208 and CVE-2021-43209. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately. App package versions 7.2107.7012.0 and later contain this update.

Microsoft Defender

CVE-2021-42298 is a Microsoft Defender Remote Code Execution vulnerability that is rated “Critical.” Defender is designed to scan every file and run with some of the highest levels or privileges in the operating system. An attack can be initiated remotely without any form of authentication. But successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

Other patches

It’s not just Microsoft who has issued patches recently, so check you’re using the most up to date version of the below, too.

Siemens issued updates to patch vulnerabilities in in the Nucleus RTOS (realtime operating system) versions Nucleus 4 and Nucleus ReadyStart (Nucleus 3). The vulnerabilities CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 have the highest CVSS scores with 10.0, 9.9 and 9.9 out of 10 respectively.

Citrix published information about vulnerabilities that have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

Adobe made security updates available for RoboHelp Server, Adobe InCopy, and Adobe Creative Cloud.

Android published a security bulletin last week, which we discussed in detail here.

Cisco published a security advisory that mentions two “Critical” issues. One in Cisco Policy Suite Static SSH Keys, and one concerning Cisco Catalyst PON Series Switches Optical Network Terminal.

SAP has its own Patch Day Security Notes. One vulnerability listed under CVE-2021-40501 has a CVSS score of 9.6 out of 10 and the description Missing Authorization check in ABAP Platform Kernel.

VMWare’s security advisory includes one critical update for VMware vCenter Server which addresses multiple security vulnerabilities.

Intel also issued several security advisories, which are fixes or workarounds for vulnerabilities identified in Intel products.

In case you have no idea where to start, maybe our post about the CISA directive to reduce the risk of known exploited vulnerabilities will help you on your way.

Stay safe, everyone!

The post Patch now! Microsoft plugs actively exploited zero-days and other updates appeared first on Malwarebytes Labs.