Archive for NEWS

Raspberry Robin worm used as ransomware prelude

Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive. First spotted in September 2021, it was typically introduced into a network through infected removable drives, often USB devices.

Now the worm has been found to be the foothold for more serious threats like ransomware as laid out in this Microsoft Security blog. Microsoft warns that the worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days.

Primary infection

Initially, the Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device. The name of the lnk file was recovery.lnk which later changed to filenames associated with the brand of the USB device. Raspberry Robin uses both autoruns to launch and social engineering to encourage users to click the LNK file.

Raspberry Robin’s LNK file points to cmd.exe to launch the Windows Installer service msiexec.exe and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.

Infrastructure

A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. In real life this usually means they are used as an external hard-drive that can be accessed over an intranet or the internet. There are several vulnerabilities in QNAP devices for which patches are available, but unfortunately many of them remain unpatched due to unawareness.

Backdoor

To be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.

By using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.

Guests

As an established access provider in the current malware-as-a-service landscape you can make money by selling the access to affected networks to other malware operators like ransomware groups. Microsoft found that Raspberry Robin has been used to facilitate FakeUpdates (SocGholish), Fauppod, IcedID, Bumblebee, TrueBot, LockBit, and human-operated intrusions.

Fauppod is heavily obfuscated malweare that is also used to spread FakeUpdates, and writes Raspberry Robin to USB drives. TrueBot Trojans are used in targeted attacks for reconnaissance purposes.

An example of the human-operated intrusions was the deployment of Cobalt Strike to deliver the Clop ransomware.

Stop the worm

In Windows, the autorun of USB drives is disabled by default. However, many organizations have widely enabled it through legacy Group Policy changes, according to Microsoft. If you enabled it, this is a policy worth re-thinking.

Owners of QNAP devices should be aware of the fact that they are not only putting their own files at risk by not applying the patches, but they are providing malware authors with a free-to-use infrastructure to victimize others.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Posted in: NEWS

Leave a Comment (0) →

A Chrome fix for an in-the-wild exploit is out—Check your version

Google has announced an update for Chrome that fixes an in-the-wild exploit. Chrome Stable channel has been updated to 107.0.5304.87 for Mac and Linux, and 107.0.5304.87/.88 for Windows.

The vulnerability at hand is described as a type confusion issue in the V8 Javascript engine.

Mitigation

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Most of the time, the easiest way to update Chrome is to do nothing—it should update itself automatically, using the same method as outlined below but without your involvement. However, if something goes wrong—such as an extension blocking the update—or if you never close your browser, you can end up lagging behind on your updates.

So, it doesn’t hurt to check now and again. And now would be a good time, given the severity of the vulnerabilities in this batch.

My preferred method is to have Chrome open the page chrome://settings/help, which you can also find by clicking Settings > About Chrome.

Chrome updatingUpdating Chrome

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome is up to dateChrome is up to date

After the update the version should be 107.0.5304.87 or later.

CVE-2022-3723

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This is the one that urged the out of bounds update was CVE-2022-3723, a type confusion issue with Chrome’s V8 JavaScript engine. A remote attacker could exploit this vulnerability to trigger data manipulation on the targeted system.

Type confusion is possible when a piece of code doesn’t verify the type of object that is passed to it. The program allocates or initializes an object using one type, but it later accesses it using a type that is incompatible with the original. Details about the vulnerability will not be released before everyone has had a chance to update, but it seems that in this case the manipulation with an unknown input can lead to privilege escalation.

The V8 engine is a very important component within Chrome that’s used to process JavaScript commands. A very similar vulnerability was found in March of 2022. This was also a type confusion issue in the V8 engine, which turned out to affect other Chromium based browsers as well. So keep an eye out for updates on any other Chromium based browser you may be using, such as Edge.

Posted in: NEWS

Leave a Comment (0) →

Dormant Colors browser hijackers could be used for more nefarious tasks, report says

Researchers from Guardio, a cybersecurity company specializing in web browser protection, recently revealed a campaign involving a trove of popular yet malicious extensions programmed to steal user searches, browsing data, and affiliation to thousands of targeted sites.

Nicknamed “Dormant Colors,” this campaign involves at least 30 variants of browser extensions for Chrome and Edge, once available in their respective stores (you can’t find them there now). The campaign was named as such because all the extensions offer browser color customization options, and their “maliciousness” lie dormant until triggered by their creator.

The inexhaustive list of 30 browser extensions belonging to the Dormant Colors campaign. Note these are extension names with their icons. (Source: Guardio)

According to researchers, the campaign starts with malvertising in the form of ads on web pages or redirects from offered video and download links. If a site visitor attempts to download what an ad offers or watch a video stream, they are redirected to a page informing them they need to download an extension first. Of course, an extension is never required. It’s part of the campaign to make users believe an extension download is needed.

Once visitors confirm the download, one of the 30 extensions above is installed on the browser. The extension then redirects users to various pages that surreptitiously side-load malicious scripts, which instruct it to begin hijacking user searches and inserting affiliate links.

When hijacking user searches, the extension redirects search query results to display results from sites affiliated with the extension developers. Doing this gives them money from ad impressions and the sale of search data.

Another way that surreptitious extension developers wrongfully gain money is by redirecting users to the same page but with an affiliate link appended to the URL. For example, a user visits 365games.co.uk to buy video game merchandise. After the default page to this site finishes loading, the extension redirects the user to the same page but with an affiliate link included. The URL in the address bar would look something like this: 365games.co.uk/{affiliate-related string}.

Users visiting Amazon, AliExpress, and porn sites should expect to see affiliate redirections when hit with this campaign. 

It’s worrying that the average internet user hardly notices this campaign’s quick and easy money-making schemes because it has the potential to go beyond hijacking and URL sleight-of-hand. Guardio researchers say developers could program their extensions to direct users to phishing pages to steal credentials, especially those used to log in to work-related accounts. They could also write side-loaded code telling the extension to point users to a malware download site.

“This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without,” said Guardio researchers in their full write-up. “At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data.”

Posted in: NEWS

Leave a Comment (0) →

What is ransomware-as-a-service and how is it evolving?

Ransomware attacks are becoming more frequent and costlier—breaches caused by ransomware grew 41 percent in the last year, the average cost of a destructive attack rising to $5.12 milllion. What’s more, a good chunk of the cyber criminals doing these attacks operate on a ransomware-as-a-service (RaaS) model.

RaaS is not much different, in theory, from the software-as-a-service (SaaS) business model, where cloud providers “rent out” their technology to you on a subscription basis—just swap out ‘cloud providers’ with ‘ransomware gangs’ and ‘technology’ with ransomware (and the related crimes involved). 

In this post, we’ll talk more about how RaaS works, why it poses a unique threat to businesses, and how small-and-medium-sized (SMBs) businesses can prepare for the next generation of RaaS attacks.

How does ransomware-as-a-service work?

How ransomware-as-a-service changed the game

Why ransomware-as-a-service attacks are so dangerous

Is ransomware here to stay? The evolution of RaaS attacks

How SMBs can protect themselves against next-gen RaaS

The perfect one-two combo for fighting RaaS

How does ransomware-as-a-service work?

Don’t get it twisted: RaaS gangs aren’t your run-of-the-mill hackers looking to score a few hundred bucks. We’re talking big, sophisticated businesses with up to a hundred employees—LockBit, BlackBasta, and AvosLocker are just a few of the RaaS gangs we cover in our monthly ransomware review.

“This is run as a business,” says Mark Stockley, Security Evangelist at Malwarebytes. “You’ve got developers, you’ve got managers, you’ve got maybe a couple of levels of people doing the negotiations, things like that. And these gangs have made hundreds of millions of dollars each year in the last few years.”

RaaS gangs like LockBit make money by selling “RaaS kits” and other services to groups called affiliates who actually launch the ransomware attacks. In other words, affiliates don’t need crazy technical skills or knowledge to carry out attacks. By working closely with “Initial Access Brokers” (IABs), some RaaS gangs can even offer affiliates direct access into a company’s network.

How ransomware-as-a-service changed the game

Let’s jump back to the year 2015. These were the “good ol’ days” where ransomware attacks were automated and carried out on a much smaller scale. 

Here’s how it went: somebody would send you an email with an attachment, you double-clicked on it, and ransomware ran on your machine. You’d be locked out of your machine and would have to pay about $300 in Bitcoin to get it unlocked. Attackers would send out loads of these emails, lots of people would get encrypted, and lots of people would pay them a few hundred bucks. That was the business model in a nutshell. 

But then ransomware gangs sniffed out a golden opportunity. 

Rather than attacking individual endpoints for chump change, they realized they could target organizations for big money. Gangs switched from automated campaigns to human-operated ones, where the attack is controlled by an operator. In human-operated attacks, attackers try hard to wedge themselves into a network so that they can move laterally throughout an organization. 

At the forefront of this evolution from automated ransomware to human-operated ransomware attacks are ransomware-as-a-service gangs—and their new business model seems to be paying off: in 2021, ransomware gangs made at least $350 million in ransom payments.

Why ransomware-as-a-service attacks are so dangerous

The fact that RaaS attacks are human-operated means that ransomware attacks are more targeted than they used to be—and targeted attacks are far more dangerous than un-targeted ones. 

In targeted attacks, attackers spend more time, resources, and effort to infiltrate a businesses network and steal information. Such attacks often take advantage of well-known security weaknesses to gain access, with attackers spending days to even months burrowing themselves in your network. 

The human-operated element of RaaS attacks also means that RaaS affiliates can control precisely when to launch an attack—including during times where organizations are more vulnerable, such as on holidays or weekends.

Famously, RaaS affiliates love long weekends,” Stockley said. “They want to run the ransomware when you’re not going to notice to give themselves however much time they need in order for the encryption to complete. So they like to do it at nighttime, they love to do it during holidays.”

“You’re dealing with a person,” Stockley continued. “It’s not about software running trying to figure everything out; it’s a person trying to figure everything out. And they’re trying to figure out what’s the best way to attack you.”

Is ransomware here to stay? The evolution of RaaS attacks

One of the biggest innovations in the RaaS space in recent years has been the use of double extortion schemes, where attackers steal data before encryption and threaten to leak it if the ransom isn’t paid. 

Companies have gotten more aware of ransomware and better prepared in terms of things like backups, for example. But if affiliates have already broken into your environment, they can simply use stolen data as extra leverage, leaking bits of it to get your attention, to speed up negotiations, or prove what kind of access they have.   

All of the RaaS gangs these days do double extortion, leaking data on dedicated leak websites on the dark web. Many RaaS programs even feature a suite of extortion support offerings, including leak site hosting. Not only is this trend growing, but there’s chatter about whether or not stand-alone data leaking is the next stage in evolution for RaaS. 

“There are now gangs that only do data leaking, and they don’t bother doing the encryption at all,” Stockley said. “Because it’s sufficiently successful. And you don’t have to worry about software, you don’t have to worry about software being detected, you don’t have to worry about it running.”

A LockBit data leak site. Source.

In other words, the evolution from “ransomware-focused” RaaS to “leaking-focused” RaaS means that businesses need to rethink the nature of the problem: It’s not about ransomware per se, it’s about an intruder on your network. The really dangerous thing is turning out to be the access, not the ransomware software itself. 

How SMBs can protect themselves against next-gen RaaS

Preparing for RaaS attacks isn’t any different from preparing for ransomware attacks in general, and advice isn’t going to vary all that much across different sized businesses or industries. Because next-gen RaaS is so focused on intrusion, however, SMBs have their own unique challenges in combating it. 

Monitoring a network 24/7 for signs of a RaaS intrusion is tough work, period, let alone for organizations with shoe-string budgets and barely any security staff. Consider the fact that, when a threat actor breaches a target network, they don’t attack right away. The median number of days between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23 percent of intrusions lead to ransomware, 29 percent to data theft, and 30 percent to exploit activity—when adversaries use vulnerabilities to initiate further intrusions.

Even with tools such as EDR, SIEM, and XDR, sifting through alerts and recognizing Indicators of Compromise (IOCs) is the work of seasoned cyber threat hunters—talent that SMBs just can’t afford. That’s why investing in Managed Detection and Response (MDR) is hugely beneficial for SMBs looking to get a leg-up against RaaS attacks. 

“Obviously, the most cost effective thing is to not let people in in the first place. And this is why things like patching, two-factor authentication, and multi-vector Endpoint Protection (EP) are so important,” Stockley said. “But at the point where they’ve broken in, then you want to detect them before they do anything bad. That’s where MDR comes in.”

The perfect one-two combo for fighting RaaS 

Human-operated, targeted, and easy to execute, RaaS attacks are a dangerous evolution in the history of ransomware. 

Double-extortion tactics, where attackers threaten to leak stolen data to the dark web, are another important evolutionary stage of RaaS campaigns today—to the point where ransomware itself might become obsolete in the future. As a result, SMBs should focus their anti-RaaS efforts on intruder detection with MDR, in addition to implementing ransomware prevention and resilience best practices.

More resources

Get the eBook: Is MDR right for my business?

Top 5 ransomware detection techniques: Pros and cons of each

Cyber threat hunting for SMBs: How MDR can help

A threat hunter talks about what he’s learned in his 16+ year cybersecurity career

Posted in: NEWS

Leave a Comment (0) →

Fake Proof-of-Concepts used to lure security professionals

Researchers from the Leiden University published a paper detailing how cybercriminals are using fake Proof-of-Concepts (PoCs) to install malware on researchers’ systems. The researchers found these fake PoCs on a platform where security professionals would usually expect to find them—the public code repository GitHub.

Use of PoCs

There is a big difference between knowing that a vulnerability exists and having a PoC available. If someone else has already put in the work of figuring out how a new vulnerability can be weaponized, it allows you to put it to the test, which is certainly not done to make the life of cybercriminals easier.

Security professionals are interested in PoCs because it gives them a better understanding about vulnerabilities. PoCs also offer the opportunity to see if certain mitigation techniques or updates solve the problem. They can also be used for red teaming to demonstrate the possible impact of successful attacks.

Investigation

The researchers investigated PoCs shared on GitHub for known vulnerabilities discovered between  2017 and 2021. They found that 4,893 malicious repositories out of the 47,313 repositories they downloaded and checked qualified as malicious. The qualification was based on calls to known malicious IP addresses, encoded malicious code, or the presence of Trojanized binaries. That is more than 10 percent of the samples the researchers checked.

Other sources

More reputable sources for PoCs like Exploit-DB try to validate the effectiveness and legitimacy of PoCs. In contrast, public code repositories like GitHub do not have such a exploit vetting process. But if a researcher is looking for a PoC based on a particular vulnerability and they can’t find it on a more reputable source they will have to resort to public platforms.

Indicators

Since it is an impossible task to do a detailed analysis of many thousands of PoCs, the researchers had to decide on certain indicators to establish whether a PoC was in fact malicious. Not an easy task since the behavior of a PoC to exploit a vulnerability might be detected as malicious by most anti-malware solutions. So, the researchers had to identify properties that indicate some other malicious goals, unrelated to the original PoC goals.

They did this by looking for the following indicators:

  • IP addresses: The researchers extracted IP addresses and removed all private IP addreses. The results were compared with VirusTotal, AbuseIPDB, and other publicly available blocklists.
  • Binaries, focused on EXE files which can be run on Windows systems, since most of malware attacks are conducted against Windows users. After extracting them, the researchers checked their hashes in VirusTotal and from those detected as malicious, dismissed the ones listed as an exploit of the target vulnerability.
  • Obfuscated payloads: By performing hexadecimal and base64 analysis, the researchers were able to extract some extra malicious PoCs.

For a full explanation of their methodology, we encourage you to read their full paper.

Conclusions

Out of 47,313 GitHub repositories with PoCs, the researchers detected 4,893 malicious repositories (i.e., 10.3 percent).  Inside some of these malicious PoCs they found instructions to open backdoors or plant malware in the system that is running on it. This means that these PoCs are indeed targeting the security service community, which leads to targeting every customer of such security company using these PoCs from GitHub. The results also show that malicious repositories are on average more similar to each other than non-malicious ones, which may lead to improved methods for further research.

Posted in: NEWS

Leave a Comment (0) →
Page 2 of 311 12345...»