IT NEWS

The importance of backing up

What does backing up something mean?

Backing up is the act of making a copy or copies of a file. These files are stored somewhere other than where the originals are located. You may only need to back up a few files, or it might be a much bigger effort. Requirements may differ greatly depending on if you’re an individual or a business.

The idea is that if the original file is damaged, breaks, is stolen, or suffers any other problem, then the backups survive the issue.

In an age of ransomware attacks, it’s crucial to back up data and essential systems. Ransomware authors have been attacking all sorts of business verticals for years and anything from infrastructure to medical systems can be targets. There are many tales of law enforcement and hospitals locked out of mission critical files and systems, leading to potentially life threatening delays and scheduled operation setbacks.

What does backing up a device mean?

Backing up a device can mean a few things and depending on the device, you may have to be very specific when you map out this process. Sometimes, this can just mean backing up certain mobile settings and functions, or options and data settings for a PC.

It can also mean simply copying everything from a particular piece of equipment, as opposed to a few files or folders. This is very common for all forms of mobile devices and laptops. Backing up the entirety of a desktop PC is often a bit more involved due to the sheer number of files. With smartphones, the primary concern is often the vast collection of precious photographs they contain.

Where do we put our backups?

One of the most important backup stumbling blocks is figuring out where to place the files being copied. This can be done locally, on an external hard drive or local server on your network. The files can also be saved in the cloud. This can cause a few headaches depending on:

  • The security practices of the cloud storage system you’re using and
  • Whether you encrypt the files and folders before you upload them.

If the files are work related, you should be using the business approved storage / backup solution. Placing files in a randomly selected service of your choice can have disastrous consequences if sensitive files are hacked or leaked.

Do people backup their backups?

They do! It’s not unheard of to have a PC fail with important files on it, and discover there’s a problem with the backup too. This is why you have backups of backups. It’s also important to have sensible backups.

If an organisation simply copies hundreds of thousands of files into a big folder and thinks “job done”? That’s going to be a problem. If they suffer a ransomware attack 6 months later, it probably won’t end well: The files will be six months out of date and you’ll lose six months of work, or find yourself paying an exorbitant ransom. System files for business operations may have been replaced by new technology and the old files are no longer relevant.

If the files are still relevant but not organised in a way which makes it clear what to do with them, that’s also bad, and you’re back to square one. Did you back everything up in a logical, regular fashion but then leave the storage device next to the main systems which are all covered in flood water? That’s not going to help very much, either.

The 3-2-1 backup strategy

The best starting point for most businesses is the 3-2-1 backup strategy, in which you keep:

  1. Three copies of your data, in total.
  2. Two copies of your data on-site, but on different devices.
  3. One remote copy, in case your premises become damaged.

The local copies of your data give you easy and immediate, redundant access to your data when you need it. The remote copy, which will be harder to access, is your insurance policy against fire, flood, and other disasters. To act as a fallback if you are attacked with ransomware, the off-site copy of your data should be inaccessible to an attacker on your network with administrator rights.

Additional backup resources

You may wish to make a note in your diary now for World Backup Day which comes around every March. It’s a great reminder to set those backup plans in motion, and also do some more general file spring-cleaning while you’re at it. Whatever your strategy, the most important thing is to start backing up now. Not next week, most definitely not next month and almost certainly not “when I get around to it”.

There’s a lot of people out there who will sadly only realise the value of backups when it’s too late to do anything about it.

Getting backups right

Backups are simple in theory, but they often let you down when you need them most. On a recent Malwarebytes Lock and Code podcast, host David Ruiz spoke to Matt Crape, a technical account manager for VMware and backups expert, about why backups are so hard to get right, and what the most basic missteps are when companies roll out a backup plan.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

The post The importance of backing up appeared first on Malwarebytes Labs.

A multi-stage PowerShell based attack targets Kazakhstan

This blog post was authored by Hossein Jazi.

On November 10 we identified a multi-stage PowerShell attack using a document lure impersonating the Kazakh Ministry of Health Care, leading us to believe it targets Kazakhstan.

A threat actor under the user name of DangerSklif (perhaps in reference to Moscow’s emergency hospital) created a GitHub account and uploaded the first part of the attack on November 8.

In this blog we will review the different steps the attacker took to fly under the radar with the intent on deploying Cobalt Strike onto its victims.

Overview

The attack started by distributing a RAR archive named “Уведомление.rar” (“Notice.rar”). The archive file contains a lnk file with the same name pretending to be a PDF document from “Ministry of Health Care, Republic of Kazakhstan”. Upon opening the lnk file, a PDF file will be shown to confuse victims while in the background multiple stages of this attack are being executed. The decoy document is an amendment for a Covid 19 policy that has been issued by the Chef State Sanitary of the Republic of Kazakhstan.

decoy 2
Figure 1: Decoy document

Attack process

The following figure shows the overall process of this attack. The attack started by executing the lnk file that calls PowerShell to perform several techniques such as privilege escalation and persistency through an autorun registry key. We will provide the detailed analysis in the next section. 

cobalt
Figure 2: Attack Process

All stages of this attack have been hosted in one Github repository named GoogleUpdate. This repository was created on November 8th by a user named DangerSklif. The DangerSklif user was created on GitHub on November 1st. 

Screen Shot 2021 11 11 at 8.20.10 AM
Figure 3: GitHub repository

Analysis

The embedded lnk file is obfuscated and after de-obfuscation we can see that it used cmd.exe to call PowerShell to download and execute the first stage of the attack from the Github account (lib7.ps1).

lnk
Figure 4: lnk file

The lib7.ps1 downloads the decoy PDF file from the same Github account and stores it in the Downloads directory.  In the next step it opens the decoy PDF to confuse the user while it performs the rest of process in the background, which includes getting the OS version and downloading the next stage based on the OS version. 

lib7
Figure 5: lib7.ps1

If the OS version is 7 or 8, it downloads and executes lib30.ps1 and if the OS version is 10 it downloads and executes lib207.ps1. The reason the actor is checking the OS version is because it is trying to execute the right privilege escalation method. These techniques previously used by TA505 in their campaign to drop SrvHelper. 

  • Using the SilentCleanup task in the Task Scheduler to bypass UAC in Windows 10: Attacker used Lib207.ps1 to bypass UAC in Windows 10. The PowerShell commands used to perform the bypass are XOR encrypted using 0x58 key.
207 before deobfuscation
Figure 6: Lib207

After decrypting the commands, we can see the process of UAC bypass which includes creating a SilentCleanup task in the Task Scheduler that calls PowerShell to execute the created vbs file with higher privilege.

207 after deobfuscation
Figure 7: Lib207 after decryption
  • Using the sysprep.exe system utility and DLL side-loading to bypass UAC in Windows 7 and 8: Lib30.ps1 is used to execute this bypass. Simliar to lib207.ps1 this PowerShell script is also XOR encrypted but using different key (0x02).
lib30 before deobfuscation
Figure 8: Lib30

Figure 9 shows PowerShell commands after decryption. The process starts by creating a batch file (cmd.bat) in the “Windows/Temp” directory.  In the next step, a cab archive file is created containing a DLL (CRYPTBASE.dll for Windows 7 or shcore.dll for Windows 8. Then this cab file is extracted into the C:WindowsSystem32Sysprep directory using wusa.exe.

At the end, the sysprep.exe system utility launches which side loads the CRYPTBASE.dll for Windows 7 or shcore.dll for Windows 8. This DLL executes the created cmd.bat file which leads to executing it with a high privilege.

lib30 after deobfuscation 1
Figure 9: Lib30 after decryption

After bypassing UAC, in all OS versions the next stage payload is downloaded and executed (lib106.ps1).

This stage performs the following actions:

  • Creates a vbs file (cu.vbs) in ProgramFiles directory and makes this multi-stage attack persistence by adding this vbs file to HKLMSoftwareMicrosoftWindowsCurrentVersionRun registry key.  
  • Makes vbs file hidden using “Attrib.exe +h” command. 
  • Downloads and executes the final stage (updater.ps1) using PowerShell.
3ce06f2c c0ab 4248 a312 67d249de0eb8
Figure 10: lib106.ps1

The final stage (updater.ps1) is executing Cobalt Strike in PowerShell context. In fact this PowerShell script is PowerShell variant of Cobalt Strike.

36932c0f 974e 4f93 a792 8c5f01fdd600
Figure 11: updater.ps1

The Cobalt Strike ShellCode is base64 encoded and XOR encrypted using 35 key. After decoding and decrypting the ShellCode it allocates it into memory using VirtualAlloc and finally execute it by calling Invoke function.

cobalt 1
Figure 12: Updater.ps1 after de-obfuscation

Kazakhstan in the news

Kazakhstan has been in the news recently for taking over China in the cryptomining industry, depleting its own electric resources. The energy-rich country is a very important ally for Russia in particular with lucrative joint oil and gas ventures.

Other than their GitHub profile, we do not have much information on the threat actor or their exact intention with this attack. However, monitoring and espionage are a likely motive.

Malwarebytes users were protected thanks to the Anti-Exploit layer of our product.

block 1

IOCs

Уведомление.pdf.lnk:
574a33ee07e434042bdd1f59fc89120cb7147a1e20b1b3d39465cd6949ba7d99
Уведомление.rar:
d0f3c838bb6805c8a360e7b1f28724e73e7504f52147bbbb06551f91f0df3edb
Updater.ps1:
08f096134ac92655220d9ad7137e35d3b3c559359c238e034ec7b4f33a246d61
lib106.ps1:
81631df5d27761384a99c1f85760ea7fe47acc49ef81003707bb8c4cbf6af4be 
lib2.ps1:
912434caec48694b4c53a7f83db5f0b44b84ea79be57d460d83f21181ef1acbb
lib207.ps1:
893f6cac7bc1a1c3ee72d5f3e6994e902b5af044f401082146a486a0057697e5 
lib30.ps1:
11d6b0b76d057ac9db775d9a1bb14da2ed9acef325060d0452627d9391be4ea2 
lib63.ps1:
8f974d8d0741fd1ec9496857d7aabbe0d3ba4d2e52cc311c76c28396edae9eb9 
lib64.ps1:
301194613cbc11430d67acf7702fd15ec40ee0f9be348cf8a33915809b65bc5e
lib7.ps1:
026fcb13e9a4ea6c1eab73c892118a96731b868a1269f348a14a5087713dd9e5
lib706.ps1:
36aba78e63825ab47c1421f71ca02422c86c774ba525959f42b8e565a808a7d4 
C2:
188.165.148.241

The post A multi-stage PowerShell based attack targets Kazakhstan appeared first on Malwarebytes Labs.

Murder-for-hire, money laundering, and more: How organised criminals work online

Europol has released an extensive report into serious and organized crime, including how these groups use the internet to aid in their criminal behaviour.

Europol is the European Union’s (EU) law enforcement agency and it assists the EU Member States in their fight against serious international crime and terrorism. We’ll often mention them when we tell you that cybercriminals have been arrested in international cooperation between law enforcement agencies, such as the FBI, DEA, and other US agencies.

The purpose of the report, besides informing the public, is to create a better understanding of international crimes. Understanding how criminals and criminal networks operate may help law enforcement to more effectively identify and disrupt criminal operations.

Of course, we’re interested from a cybercrime point of view. So let’s dig in.

Cybercrime

Cybercrime in this report includes the creation and spread of malware, hacking to steal sensitive personal or industry data, denial of service attacks to cause financial and/or reputational damage, and other criminal activities.

The threat from cybercrime has been increasing over the last few years, not only in terms of the number of attacks reported but also the sophistication of attacks. Cybercrime causes significant financial loss to businesses, private citizens and the public sector each year through payments for ransomware, incident recovery costs, and costs for enhanced cybersecurity measures.

Cybercrime is attractive to criminals due to the potential profits, limited risk of detection and prosecution, which if successful often results in low sentences. Various types of criminals are involved in cybercrimes, ranging from structured criminal groups to lone offenders. At the entry-level, potential offenders without any specific expertise can carry out cyberattacks by relying on tools and services made available to them through crime-as-a-service.

Money makes the crimes go round

Money laundering is an essential component of the vast majority of criminal operations. Cryptocurrencies remain an important means of payment for criminal services and products. Their decentralization and semi-anonymity continue to make them attractive for criminal transactions. However they are not the main method of money laundering. A surprising 68% of crime groups use basic money laundering methods such as investing in property or high-value goods.

Brokers or intermediaries are crucial in connecting networks, individual criminals and groups. They enable and facilitate criminal business, linking producers with wholesale distributors, and distributors with transport providers. There is a parallel underground financial industry providing services to criminals and their networks completely detached from the oversight mechanisms governing the licit financial services industry. In many cases, service providers enable access to a parallel banking system which allows criminals to transfer money to associates across the world.

COVID-19

The current crisis situation due to the pandemic and the potential economic and social fallout threaten to create ideal conditions for the spread of organized crime in the EU. Criminals were quick to adapt illegal products, operational methods, and their narratives to the COVID-19 pandemic. In this way, they exploited the fear and anxieties of Europeans and profited from the scarcity of some vital goods during the pandemic.

Violence

While consolidated figures quantifying the number of violent incidents related to serious and organized crime are not available, the level of the use of violence associated with serious and organized criminality is perceived to have increased notably, both in terms of frequency and severity, over the last four years. 60 percent of the organized crime groups will use violence to any extent.

Much of the violence is arranged online, usually as a violence-for-hire service advertised on dark web platforms and encrypted communication apps.

The violent acts on offer range from threats, intimidation, vandalism and assaults, to kidnapping, torture, mutilation and murder. Violence is employed by criminal networks for a variety of reasons against external parties such as competitors as well as non-criminals (e.g. witnesses and their solicitors, law enforcement and court officers).

Key findings of the report

The full report goes into detail on many other forms of international crime, and we’ve only discussed a few sections that we thought would be of interest to our readers. Below we have listed the key findings of the report.

  • Serious and organized crime remains a key threat to the internal security of the EU.
  • The organized crime landscape is characterized by a networked environment where cooperation between criminals is fluid, systematic and driven by a profit-oriented focus. Several key actors cooperate in criminal networks with service providers and brokers in pivotal roles.
  • Similar to a business environment, the core of a criminal network is composed of managerial layers and field operators.
  • A key characteristic of criminal networks, as confirmed by the pandemic, is their agility in adapting to and capitalizing on changes in the environment in which they operate.
  • The use of violence by criminals involved in serious and organized crime in the EU appears to have been increasing in terms of the frequency of use and its severity.
  • Corruption is a feature of most, if not all, criminal activities in the EU. Corruption takes place at all levels of society and can range from petty bribery to complex multi-million-euro corruption schemes.
  • The scale and complexity of money laundering activities in the EU have previously been underestimated.
  • Legal business structures such as companies or other entities are used to facilitate virtually all types of criminal activity with an impact on the EU. Criminals directly control or infiltrate legal business structures in order to facilitate their criminal activities.
  • The use of technology is a key feature of serious and organized crime in 2021. Criminals exploit encrypted communications to network among each other, use social media and instant messaging services to reach a larger audience to advertise illegal goods or to spread disinformation.
  • The COVID-19 pandemic has had a significant impact on the serious and organized crime landscape in the EU.
  • A potential deep economic recession following the COVID-19 pandemic will fundamentally shape serious and organized crime in the EU for the near future.
  • Serious and organized crime deeply affects all layers of society; in addition to the direct impact on the daily lives of EU citizens, it also undermines the economy, state institutions and the rule of law.

The post Murder-for-hire, money laundering, and more: How organised criminals work online appeared first on Malwarebytes Labs.

Are cybercriminals turning away from the US and targeting Europe instead?

Significant cyberattacks against critical targets in Europe have doubled in the past year, according to EU figures obtained by CNN. And with the announced pressure from the US against major ransomware gangs we can expect these figures to go up even more.

It’s also clear from recent attacks that the holiday season and the associated spending sprees make online retailers an attractive target for cybercriminals. Last week, we reported about UK based jewelry house Graff that was a target of Conti ransomware. But more and more European firms are showing up on the target list. Below you can see some examples from the last few days.

Angling Direct

The UK’s biggest fishing shop, Angling Direct has been hacked, with its website redirecting shoppers to an adult website. While this may seem a prank at first, there are signs that the hacker gained access to a few key systems of the company. Most people trying to access the site saw a warning like this:

redirect warning for wrong certificate
Security certificate mismatch

On top of that, Angling Direct’s Twitter account was taken over, and it would seem that the hacker has at least some access to Angling Direct’s mail server, as they have claimed a local mail account as their own.

Twitter message from the hacker

The company said it has brought in cybersecurity experts to tackle the problem, and alerted authorities. Angling Direct said it is too early to tell if any personal data has been compromised, but reassured customers that no payment data could have been leaked.

MediaMarkt

Dutch electronics retail giant MediaMarkt has fallen victim to the Hive ransomware group. The brick and mortar shops of MediaMarkt and Saturn, which can be found in the Netherlands, Belgium, Luxemburg, and Germany, are still open for business, as are their online shops, but the computer systems in the physical shops seem to be the ones that were encrypted. The cash registers cannot accept credit cards or print receipts at affected stores.

The systems outage is also preventing returns due to the inability to look up previous purchases. Employees were told not to use the computers in the shops, disconnect the cash registers from the network, and to refrain from rebooting systems.

While the functionality of its online shop seems unaffected, shoppers are shown a message that delivery may be delayed due to “technical problems.”

Apologies
We are experiencing technical problems at the moment. This may cause delayed deliveries…

According to some sources, MediaMarkt is negotiating with the attackers about the 43 million Euro ransom (close to US$50 million) in Bitcoin.

Let’s go to Europe

For now it is hard to tell whether the increased amount of attacks in Europe is some sort of waterbed effect due to the US government’s harder stance against cybercriminals and ransomware in particular. It could be that it is simply ransomware groups expanding to new markets due to more competition among themselves and greener pastures on the other side of the pond. We have already seen a ransomware affiliate group called Lockean that concentrates on French targets.

In the ransomware industry, the time of “spray and pray” is long gone. Most of the well known groups know exactly which kind of targets they want to go after and even when the best time to strike is. So it’s not unlikely that we will see more of these attacks on online shops and large retailers with the shopping season around the corner.

For retailers it is time to shore up your defenses if you want to keep on serving your customers.

Stay safe, everyone!

The post Are cybercriminals turning away from the US and targeting Europe instead? appeared first on Malwarebytes Labs.

Patch now! Microsoft plugs actively exploited zero-days and other updates

On what might seem a relatively calm Patch Tuesday with 55 vulnerabilities being patched, the fact that six of them were rated “Critical” and two of them actively exploited spoils the Zen factor somewhat.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

Exchange Server (again)

CVE-2021-42321: A Microsoft Exchange Server Remote Code Execution (RCE) vulnerability that is known to be exploited in the wild. This vulnerability was disclosed during the Tianfu International Cybersecurity Contest and requires an authenticated user to run arbitrary code on an on-premise Exchange Server.

Two other Exchange Server vulnerabilities, rated as “Important” are listed under CVE-2021-42305 and CVE-2021-41349. Both are Microsoft Exchange Server Spoofing vulnerabilities. The exploitation appears to be easy as the attack can be initiated remotely and no form of authentication is required for a successful exploitation. However, successful exploitation does require user interaction by the victim.

Excel

CVE-2021-42292: A Microsoft Excel Security Feature Bypass vulnerability which is also being exploited in the wild. Microsoft doesn’t suggest what effect the vulnerability might have, but its CVSS score of 7.8 out of 10 is worrying Two interesting notes in the Microsoft FAQ about this vulnerability:

  • No, the Preview Pane is not an attack vector.
  • The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.

Remote Desktop Protocol (RDP)

As if RDP wasn’t a big enough problem already, four vulnerabilities have been found in this widely abused protocol. Three of them are Information Disclosure vulnerabilities and one, listed under CVE-2021-38666 is a “Critical” RCE. The attack can be initiated remotely and no form of authentication is needed for a successful exploitation. It does however require the victim’s interaction.

3D Viewer

The Microsoft 3D Viewer lets you view 3D models with lighting controls, inspect model data and visualize different shading modes. Two “Important” RCE vulnerabilities in this utility have been patched in this update. They are listed under CVE-2021-43208 and CVE-2021-43209. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately. App package versions 7.2107.7012.0 and later contain this update.

Microsoft Defender

CVE-2021-42298 is a Microsoft Defender Remote Code Execution vulnerability that is rated “Critical.” Defender is designed to scan every file and run with some of the highest levels or privileges in the operating system. An attack can be initiated remotely without any form of authentication. But successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

Other patches

It’s not just Microsoft who has issued patches recently, so check you’re using the most up to date version of the below, too.

Siemens issued updates to patch vulnerabilities in in the Nucleus RTOS (realtime operating system) versions Nucleus 4 and Nucleus ReadyStart (Nucleus 3). The vulnerabilities CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 have the highest CVSS scores with 10.0, 9.9 and 9.9 out of 10 respectively.

Citrix published information about vulnerabilities that have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

Adobe made security updates available for RoboHelp Server, Adobe InCopy, and Adobe Creative Cloud.

Android published a security bulletin last week, which we discussed in detail here.

Cisco published a security advisory that mentions two “Critical” issues. One in Cisco Policy Suite Static SSH Keys, and one concerning Cisco Catalyst PON Series Switches Optical Network Terminal.

SAP has its own Patch Day Security Notes. One vulnerability listed under CVE-2021-40501 has a CVSS score of 9.6 out of 10 and the description Missing Authorization check in ABAP Platform Kernel.

VMWare’s security advisory includes one critical update for VMware vCenter Server which addresses multiple security vulnerabilities.

Intel also issued several security advisories, which are fixes or workarounds for vulnerabilities identified in Intel products.

In case you have no idea where to start, maybe our post about the CISA directive to reduce the risk of known exploited vulnerabilities will help you on your way.

Stay safe, everyone!

The post Patch now! Microsoft plugs actively exploited zero-days and other updates appeared first on Malwarebytes Labs.

Playstation 5 hacked—twice!

Over the weekend, hackers revealed that the Playstation 5 (PS5), Sony’s latest darling, has been broken into—not just once but twice.

Fail0verflow, the hacking group notorious for breaking Playstation consoles, and Andy “TheFlow” Nguyen, a security engineer at Google and widely known in the Playstation Vita scene, both tweeted samplings of their successful PS5 hacks.

Fail0verflow announced they were able to retrieve all PS5 symmetric root keys, including a per-console root key, from the firmware itself. A root key is used to decrypt and reverse engineer the console’s firmware. A reverse-engineered firmware, of course, opens the door for creating and introducing homebrew PS5 software into the console, allowing other software and games to run in it. These homebrews will be signed with the same symmetric root keys so the PS5 can recognize them as belonging to its own. This also opens the door for finding future exploits.

Fail0verflow are yet to reveal any details about how they did the hack, but there has been speculation that they may have used a kernel exploit or carried out some “significant hardware glitching”.

Nguyen, on the other hand, was able to access the Debug Setting option of a retail PS5, something that is normally available only on hardware testkits. Wololo, the site who first wrote and published about this, said the Debug Setting option is disabled on retail consoles. “But it can be enabled on retail consoles by patching some flags, located at specific addresses in the firmware at Runtime.”

Nguyen gaining access to the usually invisible console option makes one think he likely used a PS5 kernel exploit. It remains to be seen if Nguyen’s and fail0verflow’s exploits are the same, if not similar.

We won’t be hearing any confirmation or refutation from Nguyen though, as he already pointed out in a tweet that he has no plans of disclosing the exploit he used. Fail0verflow may or may not choose to disclose either. In a blog post eight years ago, the group admitted that developing homebrew software for closed consoles no longer appeals to them. Not only does this require a great deal of work, they are also constantly at risk of litigation. To top it off, game pirates get the bank on their hard work.

So, what can we expect from these PS5 hacking revelations? A firmware patch from Sony, perhaps, which has happened before, or nothing at all. But it is interesting to think about the future of homebrew software at this point. Is the homebrew scene in the Playstation—or other consoles for that matter—dead? If so, would anyone dare take up the mantle?

The post Playstation 5 hacked—twice! appeared first on Malwarebytes Labs.

How to remove adware on an Android phone

It shouldn’t be surprising that Android devices are the targets of threats like adware and other Potentially Unwanted Programs (PUPs). After all, there are millions of apps on the Google Play Store, servicing billions of monthly active users globally. And, as we have noted with Mac virus trends, platforms with rising popularity tend to attract threats.

What is adware?

Adware is a type of bothersome malware that sits quietly on your device, generating revenue for its authors through unwanted marketing campaigns. Usually, adware hits your screen with advertisements, but some adware can be sneakier.

What can adware do to Android phones?

While adware isn’t as threatening as more dangerous malware like spyware, stalkerware, or ransomware, it can be unpleasant. Most commonly, adware throws up advertisements on your screen in the shape of irritating popups. It may also hijack your browser, redirect you to different web pages, install toolbars, extensions, or plugins, and track your activity for marketers. Here are some other potential signs of an adware infection on your Android phone:

  • Your phone slows down or crashes inexplicably
  • Your browser slows down or crashes inexplicably
  • Downloading, uploading, and browsing takes longer than usual
  • You need to recharge your device more often
  • Apps take longer to load or run sluggishly
  • Your data usage is higher than usual
  • New software is on your phone that you didn’t download or install

Of course, many of these symptoms are also signs of an aging Android device, or could be a sign of a different type of malware infection than adware. A few of these symptoms, combined with core signs of adware like popups or browser redirection, are a red flag. Check out the next section to see how to get rid of adware on Android devices.

How to remove adware and malware on an Android phone

Removing any malware from your phone requires a holistic approach. For example, even if you remove an infection with mobile device security tools, you may attract new threats if some problematic apps remain. Here are some steps that can help you remove adware from Android devices, and protect your device from future infections:

1. Use adware removal tools

The most obvious first step is to use a cybersecurity tool, such as Malwarebytes for Android, that protects against adware on Android devices. When selecting an adware removal app, ensure that it has the following traits:

  • It scans and removes adware quickly.
  • It’s light, doesn’t hog your system resources, and runs seamlessly in the background.
  • It alerts you about suspicious apps.
  • It keeps an eye on URLs and warns you against unsafe websites.
  • It doesn’t create false positives to appear more valuable.

Of course, adware is just one type of malware that can infect an Android device. An exhaustive cybersecurity app will find all kinds of malware, including viruses, spyware, stalkerware, Trojans, ransomware, rootkits, and adware. So dig into the details of the app you are considering to make sure you’re protected against all of these.

It’s also a good idea to check your cybersecurity app’s reputation before you download it. For example, some cybersecurity tools were criticized for harvesting user data to supply it to marketers. There’s little point in downloading software to remove adware if it also takes a page out of the adware playbook.

2. Remove dubious apps

You can check out what suspicious apps you already have lurking on your phone by doing the following:

  1. Hold down the power button on the side of your phone.
  2. Tap and hold the Power Off icon on your screen.
  3. Tap Safe mode to restart your device in Safe mode.
  4. Tap Settings.
  5. Tap Apps.
  6. Select Suspicious apps.
  7. Hit Uninstall.
  8. Restart your phone.

3. Clean your browser

Your browser may carry data or plugins that leave your Android device susceptible to adware. Remove all unnecessary extensions, clear your browsing history, and delete stored data. You can also uninstall your browser entirely and reinstall it to start afresh.

Where do Android adware and malware come from?

Hundreds of thousands of instances of new malware are detected every day, according to some experts. The authors of malicious software include online trolls, hackers, blackmailers, thieves, and other cybercriminals. Threat actors often hide adware and other malware in shady links, untrustworthy websites, and even on apps in the official Google Play Store.

Tips to safeguard Android devices from adware

  • Make sure you have security software installed.
  • Keep your operating system, security tools, and apps updated.
  • Only download apps from trustworthy sources.
  • Even when downloading apps from Google Play Store, check reviews.
  • Avoid apps that are new or ask for unnecessary permissions.
  • Don’t visit untrustworthy websites.
  • Avoid opening suspicious links, emails, and text messages.

The post How to remove adware on an Android phone appeared first on Malwarebytes Labs.

Smart TV adverts put a wrinkle in your programming

Smart TVs are back in the news due to the potential pitfalls of embedded advertising. It may come as a surprise to some, but these devices aren’t particularly new. As far back as 2013, security researchers were already exploring the issues related to internet connected televisions in a home environment.

In 2016, we looked at an LG brand TV which sent a variety of information related to files and viewing habits despite telling it not to. Even then, we can see similar tactics used to block ads on home video game consoles, and desktop PCs. It’s all about blocklists, and domains shut down at the router.

A privacy versus convenience mashup

Yes, it’s cool that you can control your TV with your voice and use hand gestures to change the channel. However, advertising built into the fabric of a TV is something people don’t pay much attention to. You can try and block these ads in increasingly sophisticated ways. Realistically though, most folks aren’t rushing to spin up a Pi-hole. And hey, why should they? This is the kind of problem solved by a “No, I don’t want that but thanks anyway” button.

Unfortunately, those buttons appear to be in short supply.

Today, in ad land…

The owner of a new Samsung TV noticed a huge chunk of ad space on one of the menu screens.

To be clear, the ad banner in the picture isn’t serving up brands of washing up liquid or footwear. It’s a feature which essentially lists things to watch on the device. Caveat: some of those options are paid, and there are several more general ad-specific domains requiring a block to be ad free.

It’s adverts all the way down

Smart TVs generally have multiple layers of advert options, banners, and dashboards. They may offer downloadable apps for popular streaming services or other products used to watch, or buy products unrelated to television. Whatever you do, some form of analytics/tracking is inevitable. It’s not all bad news…sort of. Certain brands will allow you to switch off many of these features. Have you ever set your Android to low power mode and watched as all the apps disabled themselves? Televisions can do the same thing.

Again, this isn’t perfect. Assuming you want to use the apps displayed, there’s going to be an element of analytics under the hood even if just specific to the app and not the television as a whole. For example: does this reference content inside the apps which are still functional, or somewhere on the dashboard unrelated to the apps?

Even the device owner doesn’t know, because they don’t currently see any ads. Is it regional specific? Or have they yet to hit the random button or screen which finally pops an advert?

All good questions, and ones which most of us don’t have answers for.

Tech downgrades as a solution

Some folks don’t want to mess around at a network level. They’re turning to other methods instead to bypass ads altogether. This is certainly one (expensive) way to do it:

Others choose to buy up so-called “hotel” televisions, which may have all internet capability stripped out of them. Even with these measures taken, there’s no real guarantee you can avoid ads and tracking. You may have an ad-free television, as far as built in popups go. But what if it’s plugged into a cable TV box from a provider who also provides your broadband? Your ISP knows what you’re doing online and also potentially what you’re watching, at a bare minimum.

You can read more about this latest round of TV advertising here. One thing is for certain: ads in the home aren’t going to go away anytime soon. People who disagree with this type of televisual promotion may wish to object via tech solutions, or downgrades, or simply buying something else instead.

Perhaps the advert revolution will not be televised.

The post Smart TV adverts put a wrinkle in your programming appeared first on Malwarebytes Labs.

A week in security (Nov 1 – Nov 7)

Last week on Malwarebytes Labs

Other cybersecurity news

Stay safe, everyone!

The post A week in security (Nov 1 – Nov 7) appeared first on Malwarebytes Labs.

Why we fail at getting the cybersecurity basics right, with Jess Dodson: Lock and Code S02E21

The cybersecurity basics should be just that—basic. Easy to do, agreed-upon, and adopted at a near 100 percent rate by companies and organizations everywhere, right?

You’d hope. But the reality is that basic cybersecurity blunders continue to affect businesses of all sizes, which has led to embarrassing vulnerabilities, hacks, and attacks. And some of those very mishaps have been the focus of the Lock and Code podcast for months.

In August, Luta Security CEO Katie Moussouris told us about simple security oversights at the company that develops the popular “social listening” app Clubhouse. After poking around with the app on two separate devices, Moussouris discovered that she could easily eavesdrop on conversations without having her user icon present in a room. That same month, hacker Sick Codes told us about how he and roughly 10 other hackers gained extensive reach in just a few days into John Deere’s data operations center, revealing data about farms, farm equipment, and the equipment’s owners. And in July, the chair of the Dutch Institute for Vulnerability Disclosure Victor Gevers told us that he and his organization had found “seven or eight” zero-days in the popular managed service provider tool Kaseya VSA. What’s worse is that Gevers said that he and his volunteers had been finding similar vulnerabilities in many remote networking tools for months.

About these flaws, Gevers said: “I am sorry, but these vulnerabilities—these are not advanced. Not advanced at all.”

The big problem about these vulnerabilities is that, because they are so basic, they are so easy to abuse.

The zero-days that Gevers and his team found in Kaseya VSA led to one of the most catastrophic ransomware attacks in recent history. A failure to differentiate user passwords on a remote access tool used by a Florida water plant likely led to the attack on that plant’s chemical treatment facilities, and though the attack was caught and prevented, it was still a bit worrisome. And when the meat supplier JBS was hit with ransomware, even though it reportedly had backups in place—which are the single most effective defense against ransomware—the company still chose to pay $11 million to its attackers for a decryption key.

Many of these problems could have been prevented—or at least better mitigated—if the organizations in question had a better grasp on the cybersecurity basics. As our guest on today’s episode of Lock and Code explains, there are huge risks in failing to get these basics right. Jess Dodson, who described herself as a “recovering Windows systems administrator” (ha), said:

If you are not doing these things, I would say that there is a high chance that you already have a threat actor in your environment. That is the risk.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Dodson about what are the most commonly-missed cybersecurity basics, which are the most foolish ones to get wrong, and why do we keep failing at what we can all agree is, after all, pretty basic stuff.

Tune in to hear all this and more on this week’s Lock and Code podcast, by Malwarebytes labs.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why we fail at getting the cybersecurity basics right, with Jess Dodson: Lock and Code S02E21 appeared first on Malwarebytes Labs.