IT NEWS

Wanted! US offers $10m bounty for ransomware kingpins

The US State Department is offering a massive $10 million reward if you can help bring DarkSide to justice.

The U.S. Department of State announces a reward offer of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group.

And they aren’t just after the ransomware group members.

The State Department is also offering a reward of up to US $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident. This incentive seems aimed at the affiliates who penetrate victims’ networks in order to deploy the ransomware later on.

The Department of State manages two US government programs that offer rewards of up to $25 million for information leading to the arrest and/or conviction of members of significant transnational criminal organizations and the disruption of other forms of transnational organized crime. 

DarkSide

DarkSide is thought to have originated in the Russian Federation and/or Ukraine. It was first observed in the wild in August 2020 and is thought to be a product of the FIN7 group.

DarkSide has targeted many organizations in almost every vertical in the Middle East, Europe, and the United States, but it is most notorious for its role in the attack on the Colonial Pipeline. The attack in May 2021 triggered a shutdown of the largest fuel pipeline on the US east coast, which sparked a new urgency in the US government’s determination to tackle ransomware.

DarkSide ransomware was sold using the Ransomware-as-a-Service (RaaS) distribution model, so attacks were carried out by affiliates. Like many other modern ransomware families, DarkSide was mostly manually operated. This means that the ransomware was executed by an actual person behind the screen, after they had successfully infiltrated a target network. Such attacks focus on extracting enormous ransoms from a relatively small number of victims, rather than on extracting small ransoms from large numbers of victims, as was more common in the past.

Threat actors can spend weeks or even months inside victims’ networks before running the ransomware; moving laterally, scouring the entire network, elevating their privileges, deleting backups, and leaving backdoors in vulnerable systems. When an attacker has administrator credentials, and access to business-critical systems, they deploy DarkSide.

The DarkSide ransomware group called it quits after some of its servers and Bitcoin accounts were seized, and its DarkSide Leaks blog was shut down. This was believed to be the work of either the US government, local law enforcement, or other gangs looking to profit from DarkSide’s downfall.

Soon after, a new ransomware group who called themselves BlackMatter surfaced on the dark web, which was generally seen as the latest flavor in a long lineage of RaaS providers. Recently, the BlackMatter ransomware gang announced they are going to shut down their operation, citing pressure from local authorities.

Motives for the reward

One question that immediately popped into my head is why they would offer such a reward for members of an organization that, officially, no longer exists.

Officially, the press statement tells us that in offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cybercriminals. On top of that, it mentions the Colonial Pipeline incident as a prime example for how disruptive these ransomware attacks are.

But, given the timing and the unlikelihood of ever apprehending one of the key players, it is reasonable to speculate about other possible motives. One way to disrupt the ransomware industry might be to feed the growing distrust between groups and their affiliates.

With the recent announcement that BlackMatter is about to shut down its operation, and many security professionals expecting it to re-surface under yet another new name, you can imagine that having a price of $10 million on your head might slow you down a bit. Not just because it becomes harder to trust new partners, but also because it might scare potential new partners away.

By creating unrest and spreading disinformation among ransomware groups and their affiliates, the US government can hope to slow down operations. And by going after the key players of the group and their affiliates, they may instigate some caution in the operators at the moment when they pick a target.

The size of the reward is perhaps a counterweight to the enormous ransoms feeding the ransomware epidemic. The ransomware model is so profitable that smaller rewards may not be enough to attract an insider willing to snitch.

Should you manage to cash in that reward, don’t forget where you read about it first.

Stay safe, everyone!

The post Wanted! US offers $10m bounty for ransomware kingpins appeared first on Malwarebytes Labs.

CISA sets two week window for patching serious vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued binding directive 22-01 titled Reducing the Significant Risk of Known Exploited Vulnerabilities. This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-parties on an agency’s behalf.

One of the most welcome of the required actions set forth in the directive is that CISA will keep a catalog of vulnerabilities alongside the timeframes in which they must be remediated. According to the plan, this catalog will list only the most important vulnerabilities, those that have proven to pose the biggest risks.

The scope

In the US, a binding operational directive is an instruction that federal executive branch departments and agencies have to follow. Such directives also provide a strong indication of the kind of cybersecurity measures that CISA thinks are important, which other organizations may wish to follow. (It’s also easy to imagine that what’s required of federal agencies today may be required of the vast web of suppliers to federal agencies tomorrow.)

To that end, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments review and monitor its catalog. CISA has done the hard work of identifying what should be patched first, and anyone who follows its guidance is likely to find their security and resilience posture improved.

The reason

It will come as no surprise that the continued cyberattacks against US entities are the reason for this directive: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”

Many of the attacks against US organizations rely on vulnerabilities that could have been patched months or even years ago, but haven’t been. For example, earlier this year CISA issued a joint advisory with the FBI and NSA urging US organizations to patch five old vulnerabilities from 2018 and 2019 that were regularly exploited by the Russian Foreign Intelligence Service.

The idea is that better patch management, supported by the prioritization provided by the CISA catalog, can prevent future attacks.

The rules

The required actions are pretty simple and straightforward—to read at least. Execution of the rules may prove to be more difficult. The rules are:

  • Plan. Organizations have 60 days to come up with a vulnerability management plan.
  • Execute. CISA is giving notice that the clock is running on vulnerabilities it cares about. The affected departments and agencies have six months to fix anything with a CVE issued before 2021, and two weeks to fix everything else.
  • Report. Organizations have to report on the status of vulnerabilities through the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard.

While six months may seem a long time for the CVEs prior to 2021, that doesn’t mean they are less important than this year’s vulnerabilities. The grace period may reflect the difficulty that organizations have already had in fixing older bugs, or the fact that “everything prior to 2021” is just a much longer period of time than the ten months of 2021. After the six months are up and all those vulnerabilities are fixed, presumably everyone will be on a much shorter leash, with just two weeks to fix anything CISA deems serious enough to put on its list.

In some cases the catalog already lists a vulnerability with a due date in the past, such as CVE-2019-11510. In August 2019, scans performed by Bad Packets found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510, four months after a patch became available. Over 5,000 of those were in the US, including military, federal, state, and local government agencies—and this was after advisories had been issued by the NSA and the NCSC.

The notes column for this CVE references CISA’s ED 21-03 for further guidance and requirements. In that Emergency Directive you will find the due date of April 23rd of 2021. So, it was already required to be patched for organizations that are bound to follow emergency directives.

Patch management

Because patch management has proven to be a challenge, having a catalog to fall back on when you are looking for prioritization rules can be very helpful. On the other hand, by telling organizations what needs to be done, the catalog may inadvertently lead them to skip necessary patches simply because those were not listed. Or worse, the patches were listed but the people responsible for patching didn’t find them.

Either way, if this is a first step in setting up a compliance program where all the vulnerabilities that are used in the wild get patched within two weeks, we will certainly welcome it. We have seen the impact of, for example, the disclosure rules set forth by Google’s Project Zero on the generally accepted rules for responsible disclosure, and would love to see this directive have a similar effect on the average patching speed.

Stay safe, everyone!

The post CISA sets two week window for patching serious vulnerabilities appeared first on Malwarebytes Labs.

Update now! Mozilla fixes security vulnerabilities in Firefox 94

In a security advisory, Mozilla announced that several security issues in its Firefox browser have been fixed. Several of these vulnerabilities were listed as having a high impact.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). We’ll discuss some of the CVEs fixed in this update below.

XSLT in an iFrame

Listed as CVE-2021-38503, this fix addresses an issue where the iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. Attackers could craft manipulated XSLT stylesheets to execute scripts or break out into the main frame.

XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents, or other formats such as HTML for web pages, plain text or XSL Formatting Objects, which may subsequently be converted to other formats, such as PDF, PostScript and PNG.

Use-after-free in file picker dialog

The vulnerability listed under CVE-2021-38504 could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the file picker dialog. By persuading a victim to visit a specially crafted website, a remote attacker could create an interaction with an HTML input element’s file picker dialog with webkitdirectory set. Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Windows 10 Cloud Clipboard

The vulnerability listed under CVE-2021-38505 only applies for users of Firefox for Windows 10+ with Cloud Clipboard enabled. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats. Firefox versions before 94 and ESR 91.3 did not implement these formats. This could have caused sensitive data to be recorded to a user’s Microsoft account.

Unsolicited full screen mode

CVE-2021-38506 describes a vulnerability in which, through a series of navigations, Firefox could have entered full screen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This type of attack is particularly useful for Tech Support scammers because they can make the browser page look like a security warning or BSOD, and trick the user into calling a specific number.

Opportunistic Encryption in HTTP2

Listed as CVE-2021-38507, the Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) doesn’t opt in to opportunistic encryption, a network attacker could redirect a connection from the browser that was destined for port 443 to port 8443 instead, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.

QR code scan

The vulnerability listed under MOZ-2021-0003 does not have a CVE number assigned to it. The vulnerability only affects Firefox for Android. A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. QR codes are complicated barcodes that are popular among scammers. It’s advisable to use a QR scanner that checks or at least displays the URL before it follows the link.

Memory safety bugs

Several memory safety bugs were grouped under MOZ-2021-0007. Some of these bugs showed evidence of memory corruption and it was presumed that with enough effort some of these could have been exploited to run arbitrary code. These bugs were found by Mozilla developers and community members and have also been fixed in this update.

How to protect yourself

All of the issues listed above, and more, have been fixed in Firefox 94 and Firefox ESR 91.3. By default, Firefox updates automatically. You can always check for updates at any time, in which case an update is downloaded, but it is not installed until you restart Firefox.

  • Click the menu button, click Help and select About Firefox.
  • The About Mozilla Firefox window opens. Firefox will check for updates and, if an update is available, it will be downloaded automatically by default.

Stay safe, everyone!

The post Update now! Mozilla fixes security vulnerabilities in Firefox 94 appeared first on Malwarebytes Labs.

Credit card skimmer evades Virtual Machines

This blog post was authored by Jérôme Segura

There are many techniques threat actors use to slow down analysis or, even better, evade detection. Perhaps the most popular method is to detect virtual machines commonly used by security researchers and sandboxing solutions.

Reverse engineers are accustomed to encountering code snippets that check certain registry keys, looking for specific values indicating the presence of VMware or VirtualBox, two of the most popular pieces of virtualization software. Many malware families incorporate these anti-VM features, usually as a first layer.

For web threats, it is rarer to see detection of virtual machines via the browser. Typically threat actors are content with filtering targets based on geolocation and user-agent strings. But that capability does exist in modern browsers and can be quite effective.

In this blog post we show how a Magecart threat actor distributing a digital skimmer is avoiding researchers and possibly sandboxes by ensuring users are running genuine computers and not virtual ones.

Virtual Machine detection

Our investigation started by looking at a newly reported domain that could possibly be related to Magecart. Suspicious JavaScript is being loaded alongside an image of payment methods. Note that browsing directly to the URL will return a decoy Angular library.

There is one interesting function within this skimmer script that uses the WebGL JavaScript API to gather information about the user’s machine. We can see that it identifies the graphics renderer and returns its name.

For many Virtual Machines, the graphics card driver will be a software renderer fallback from the hardware (GPU) renderer. Alternatively, it could be supported by the virtualization software but still leak its name.

We notice that the skimmer is checking for the presence of the words swiftshader, llvmpipe and virtualbox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.

By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.
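As an added example (not the skimmer’s own code), the renderer check described above, split into a pure classification function and the browser-side WebGL lookup, so that a sandbox operator can confirm whether an analysis browser would be excluded by this filter. `WEBGL_debug_renderer_info` and `UNMASKED_RENDERER_WEBGL` are the real WebGL extension and parameter names; the sample renderer strings are constructed.

```javascript
// Added example (not the skimmer's own code): the WebGL renderer check the
// post describes, written so a sandbox operator can test whether an analysis
// browser would be excluded by the skimmer's filter.

// Substrings the post reports the skimmer matching (compared case-insensitively).
const VM_RENDERER_MARKERS = ["swiftshader", "llvmpipe", "virtualbox"];

// Pure classification: returns the matching marker, or null for a renderer
// string that looks like a real GPU.
function classifyRenderer(renderer) {
  if (typeof renderer !== "string") return null;
  const lower = renderer.toLowerCase();
  return VM_RENDERER_MARKERS.find((marker) => lower.includes(marker)) ?? null;
}

// Browser-only: read the unmasked renderer via the WEBGL_debug_renderer_info
// extension. Returns null when WebGL or the extension is unavailable (for
// example under Node.js, where there is no document), so the rest still runs.
function getWebGLRenderer(doc) {
  if (!doc || typeof doc.createElement !== "function") return null;
  const canvas = doc.createElement("canvas");
  const gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
  if (!gl) return null;
  const ext = gl.getExtension("WEBGL_debug_renderer_info");
  if (!ext) return null;
  return gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
}

// Audit result for one renderer string: what the skimmer's filter would decide.
function auditRenderer(renderer) {
  const marker = classifyRenderer(renderer);
  return {
    renderer,
    wouldBeFiltered: marker !== null,
    reason: marker === null
      ? "no software/VM renderer marker found"
      : `renderer string contains "${marker}"`,
  };
}

// Constructed sample strings (typical shapes, not captured from the campaign).
const SAMPLE_RENDERERS = [
  "Google SwiftShader",                                        // Chrome software fallback
  "Mesa/X.org, llvmpipe (LLVM 12.0.0, 256 bits)",              // Firefox software fallback
  "VirtualBox Graphics Adapter",                               // VM driver that leaks its name
  "ANGLE (NVIDIA, NVIDIA GeForce GTX 1060 Direct3D11 vs_5_0)", // real GPU: passes the filter
];

// Run against the live browser when one exists, otherwise against the samples.
const liveRenderer = getWebGLRenderer(typeof document !== "undefined" ? document : null);
const toAudit = liveRenderer !== null ? [liveRenderer] : SAMPLE_RENDERERS;
for (const r of toAudit) console.log(auditRenderer(r));
```

A sandbox whose renderer string is flagged here never receives the skimmer’s exfiltration stage, which is why the recorded behaviour from such an environment can look benign.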

Data exfiltration

If the machine passes the check, the personal data exfiltration process can take place normally. The skimmer scrapes a number of fields including the customer’s name, address, email and phone number as well as their credit card data.

It also collects any password (many online stores allow customers to register an account), the browser’s user-agent and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request.

Evasion and defenders

It is not surprising to see such evasion techniques being adopted by criminals, but it shows that as we get better at detecting and reporting attacks, threat actors eventually evolve their code too. This is a natural trade-off that we must expect.

In addition to code obfuscation, anti-debugger tricks and now anti-vm checks, defenders will have to spend more time to identify and protect against those attacks or at least come up with effective countermeasures.

Malwarebytes users are protected against this campaign.

Indicators of Compromise (IOCs)

The post Credit card skimmer evades Virtual Machines appeared first on Malwarebytes Labs.

BlackMatter ransomware group announces shutdown. But for how long?

The BlackMatter ransomware gang has announced they are going to shut down their operation, citing pressure from local authorities.

And pressure there is. Only two weeks ago, we wrote about a warning that the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) had issued over BlackMatter ransomware.

Missing staff

One revealing sentence in the posted message says that “part of the team is no longer available, after the latest news.” This could well be a reference to an announcement made by Europol last week, after it arrested 12 individuals “wreaking havoc across the world with ransomware attacks against critical infrastructure.”

Even though the announcement does not mention BlackMatter specifically, it says these individuals were known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others. And as we have published before, most of the major ransomware gangs are connected somehow.

The BlackMatter business model

BlackMatter is a ransomware-as-a-service (RaaS) that allows the developers to profit from cybercriminal affiliates who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, and has some similarities to REvil. Both DarkSide and REvil have had to shut down.

It would not come as a surprise if the group decides to make some sort of comeback. This may be with an “improved” product, new staff, a rebrand, or all three. Time will tell, but it is unlikely that the business model that allowed them to make a fortune will be completely abandoned.

One of the disadvantages for such groups is that affiliates are unlikely to wait for a rebirth of the group and may flock to other groups rather than wait for BlackMatter to come back in some form.

How to protect yourself from ransomware

Last month, CISA published a joint Cybersecurity Advisory about BlackMatter Ransomware. The CISA alert lists technical details in the form of Tactics, Techniques, and Procedures (TTPs) based on the MITRE ATT&CK for Enterprise framework, detection signatures, and mitigations.

Most of the mitigation strategies will look very familiar to our regular readers, but it’s always worth repeating them. And you may spot some new ones.

  • Use strong and unique passwords. Passwords should never be reused across multiple accounts or stored on a system where an adversary may gain access. Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
  • Implement and require Multi-Factor Authentication (MFA) where possible, and especially for webmail, virtual private networks, and accounts that access critical systems.
  • Patch and update. Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Limit access to resources over the network. Remove unnecessary access to administrative shares, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity. Use a host-based firewall to only allow connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines.
  • Implement network segmentation and traversal monitoring. This will hinder an adversary from learning the organization’s enterprise environment. Many attackers use system and network discovery techniques for network and system mapping.
  • Implement time-based access for accounts set at the admin-level and higher. BlackMatter operatives used compromised credentials during non-business hours, allowing them to go undetected for longer periods.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line.
  • Implement and enforce backup and restoration policies and procedures. Doing backups right is not as easy as some may think. Make sure they are recent, cannot be altered or deleted, and cover the entire organization’s data infrastructure.

Furthermore, CISA, the FBI, and NSA urged critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise:

  • Disable the storage of clear text passwords in LSASS memory.
  • Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
  • Implement Credential Guard for Windows 10 and Server 2016.
  • Minimize the Active Directory (AD) attack surface to reduce malicious ticket-granting activity. Ticket Granting services can be used to obtain hashed credentials that attackers attempt to crack or use in pass-the-hash methods.

Stay safe, everyone!

The post BlackMatter ransomware group announces shutdown. But for how long? appeared first on Malwarebytes Labs.

Trojan Source: Hiding malicious code in plain sight

Researchers at the University of Cambridge, UK, have released details of a cunning and insidious new class of software vulnerability that allows attackers to hide code in plain sight, within the source code of computer programs. The techniques demonstrated by the researchers could be used to poison open source software, and the vast software supply chains they feed, by adding flaws, vulnerabilities, or malicious code that are invisible to human code reviewers.

The new class of vulnerabilities, dubbed “Trojan Source”, affects a who’s who of the world’s most widely-used programming languages—including the five most popular: Python, Java, JavaScript, C#, and C—putting enormous numbers of computer programs at risk.

How it works

Most computer code starts life as a set of instructions written in a so-called “high level” language, like Python or Java, which is designed to be easy for humans to read, write and understand. These high level language instructions are then processed by a computer program—an interpreter or a compiler—into a low-level language, such as bytecode or machine code.

A lot of source code looks very English, and is written using the same limited set of letters, numbers, and punctuation I used to create this article. However, it can potentially include any of the roughly 150,000 characters included in the Unicode standard, a sort of grand-unified human alphabet. Unicode provides a unique number (called a code point) for almost all the characters we use to communicate—from Kanji and currency symbols to Roman numerals and emojis.

To a computer, every Unicode character is just a different number, but humans are less discerning. Some Unicode characters are invisible to humans, and many of them look very similar to one another.

Trojan Source attacks exploit the fact that humans and compilers may interpret the same source code in two different ways. By playing on those differences, it’s possible for attackers to create malicious source code that appears harmless to human eyes.

Trojan Source attacks come in two flavours:

Homoglyph attacks

Homoglyphs are sets of characters that look identical or very similar. They are already widely used by scammers to create lookalike web addresses and app names, such as FаⅽeЬoοk.com and WhatѕAрp. (I’ve used examples that deliberately look odd, so you can see what I mean, but attackers aren’t so charitable.)

The Trojan Source paper shows that the same trick can be used to mislead humans when they read source code, by using lookalike class names, function names, and variables. The researchers use the example of a malicious edit to an existing codebase that already contains a function called hashPassword, which might be called during a login process. The paper imagines an attacker inserting a similar-looking function called hаshPassword (the a has been replaced), which calls the original function but also leaks the user’s password.

Would a busy code reviewer spot the imposter? I suspect not. The authors suspect not too, and say they were able “…to successfully implement homoglyph attack proofs-of-concept in every language discussed in this paper; that is, C, C++, C#, JavaScript, Java, Rust, Go, and Python”.

Bidi attacks

Alongside the characters you can see, Unicode also contains a number of invisible control characters that indicate to computer programs how things should be interpreted or displayed. The most obvious and often used are probably the carriage return and line feed characters that mark the end of a line of text you write. Chances are, you use them every day without realising.

Among its invisible control characters, Unicode also includes characters for setting the direction of text, so that it can handle languages that are read left-to-right like English, languages that are read right-to-left like Hebrew, and mixtures of the two. The control characters allow a phrase like left-to-right to be reversed, so it reads thgir-ot-tfel, or to be rearranged so that chunks of left-to-right text are arranged in a right-to-left order (or vice versa), so it reads right-to-left, for example.

Since these control characters are about arranging text for human consumption, the text editors used for reading source code tend to respect them, but compilers and interpreters don’t. And while compilers and interpreters tend not to allow control characters in the source code itself, they often do allow them in the comments that document the code, and in text strings processed by the code.

That difference between the way that humans and compilers “see” the source can be used to hide malicious code.

The researchers show that an attacker could use bidirectional control characters in comments to completely change the meaning of a piece of code, which they illustrate with a simple example.

In our fictional scenario, attackers have disabled a line of code that should only run if the user is an admin, by putting it in comments. The compiler sees this:

/* if (isAdmin) { begin admins only */

The attacker knows that a human code reviewer should identify this as a security problem, so they add some bidirectional control characters to rearrange the code for human eyes, making it look as if they have simply added a comment before the admin check, and that the check still works. The code reviewer sees this:

/* begin admins only */ if (isAdmin) {

This is a simple example to illustrate the point, but it’s not difficult to imagine that an adversary with time and money could come up with attacks that are far more subtle and much harder to spot.

Of course the attacks only work if attackers have access to the source code, but that doesn’t present the barrier you might expect. Modern software projects are often complex jigsaw puzzles composed of other, smaller projects in absurdly convoluted supply chains (although “supply webs” might be a more accurate description). Those supply webs invariably include some open source code, somewhere, and open source projects often allow anyone to make a contribution to their code, provided it gets past the watchful eye of a human reviewer.

Tinfoil hat time?

With so much software potentially at risk from Trojan Source, you might be tempted to throw your computers in the river, hide in the cellar, and put on your tinfoil headgear, but don’t.

For a level-headed perspective, I spoke to Malwarebytes’ security researcher and Director of Mac and Mobile, Thomas Reed. Reed’s perspective is, yes, it’s a supply-chain threat, but the problem isn’t this specific vulnerability so much as the fragility of the supply chain itself.

“The biggest danger from my perspective is usage in open-source projects that are used by commercial software, which I imagine isn’t all that unique a perspective. The danger is there, though, with or without Trojan Source, because a lot of open source projects aren’t getting any kind of in depth source reviews.”

This isn’t the first research to find a vulnerability that could affect basically everything. In fact, they’re surprisingly common. You may remember KRACK, the 2017 research that revealed that our Wi-Fi security was broken, everywhere. Or the Spectre and Meltdown vulnerabilities from a year later that affected generations of hard to patch, and hard to replace, processor chips. And what did we do? We patched and moved on, just like we always do.

The good news is that the work on patching has already started, with an extensive process of vulnerability disclosure that began in July, when researchers contacted nineteen separate organizations about their findings. They have since contacted more organizations, including the CERT Coordination Center, and been issued a pair of CVEs, CVE-2021-42574 and CVE-2021-42694.

There are plenty of choke points where Trojan Source attacks might be picked up, such as public code repositories like GitHub, code editors and Integrated Development Environments, static analysis tools, and the compilers themselves. A lot of code will have to pass through several of these choke points before going live, so we will soon have plenty of defence in depth.

And spotting or stopping the attacks should be fairly easy, now we know to look for them. The researchers suggest several methods, starting with the simplest: banning the use of bidirectional control characters in comments entirely. Where it’s humans rather than computers that are reading the code, text editors could add a visual marker to control characters, just as word processors can be made to show paragraph marks and other invisible characters.
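Both of those defences, rejecting bidirectional control characters outright and making them visible to a human reader, are small enough to prototype. The scanner below is an added example written for this article, not code from the researchers or from Malwarebytes. It assumes the source file is UTF-8, uses the Unicode Bidi_Control code points as its block list, and runs over a constructed sample comment that carries a right-to-left override (U+202E) and its terminator (U+202C), in the spirit of the comment-reordering example shown earlier.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Code points with Unicode's Bidi_Control property: the embeddings,
 * overrides and isolates (with their terminators) that Trojan Source
 * abuses, plus the three directional marks. */
static const struct { uint32_t cp; const char *name; } BIDI_CONTROLS[] = {
    {0x202A, "LRE"}, {0x202B, "RLE"}, {0x202C, "PDF"}, {0x202D, "LRO"},
    {0x202E, "RLO"}, {0x2066, "LRI"}, {0x2067, "RLI"}, {0x2068, "FSI"},
    {0x2069, "PDI"}, {0x200E, "LRM"}, {0x200F, "RLM"}, {0x061C, "ALM"},
};

/* Short name of a bidi control code point, or NULL for anything else. */
const char *bidi_control_name(uint32_t cp)
{
    for (size_t i = 0; i < sizeof BIDI_CONTROLS / sizeof BIDI_CONTROLS[0]; i++)
        if (BIDI_CONTROLS[i].cp == cp)
            return BIDI_CONTROLS[i].name;
    return NULL;
}

/* Decodes one UTF-8 sequence at s (len bytes available) into *cp and
 * returns the bytes consumed. Malformed input is passed through as a
 * single raw byte so the scan never stalls. */
static size_t utf8_decode(const unsigned char *s, size_t len, uint32_t *cp)
{
    size_t n;
    if (len >= 1 && s[0] < 0x80)                 { *cp = s[0]; return 1; }
    else if (len >= 2 && (s[0] & 0xE0) == 0xC0)  { *cp = s[0] & 0x1F; n = 2; }
    else if (len >= 3 && (s[0] & 0xF0) == 0xE0)  { *cp = s[0] & 0x0F; n = 3; }
    else if (len >= 4 && (s[0] & 0xF8) == 0xF0)  { *cp = s[0] & 0x07; n = 4; }
    else                                         { *cp = s[0]; return 1; }
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) { *cp = s[0]; return 1; }  /* bad continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    return n;
}

struct bidi_hit { int line; int col; const char *name; };

/* Scans UTF-8 source text. Records up to max_hits hits (1-based line and
 * column, counted in code points) and returns the total number found, so
 * passing NULL, 0 gives a plain count. */
int scan_bidi_controls(const char *src, struct bidi_hit *hits, int max_hits)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t len = strlen(src), i = 0;
    int line = 1, col = 1, found = 0;
    while (i < len) {
        uint32_t cp;
        size_t n = utf8_decode(p + i, len - i, &cp);
        const char *name = bidi_control_name(cp);
        if (name) {
            if (found < max_hits) hits[found] = (struct bidi_hit){ line, col, name };
            found++;
        }
        if (cp == '\n') { line++; col = 1; } else col++;
        i += n;
    }
    return found;
}

/* Single hit by index; a zeroed hit (name NULL) when there is none. */
struct bidi_hit nth_bidi_control(const char *src, int idx)
{
    struct bidi_hit hits[64] = {{0, 0, NULL}};
    int n = scan_bidi_controls(src, hits, 64);
    return (idx >= 0 && idx < n && idx < 64) ? hits[idx] : (struct bidi_hit){0, 0, NULL};
}

/* Renders src with every bidi control replaced by a visible <NAME> marker,
 * the way an editor could flag them. Uses a static buffer; returns NULL if
 * the rendering would not fit. */
const char *bidi_visible(const char *src)
{
    static char buf[1024];
    const unsigned char *p = (const unsigned char *)src;
    size_t len = strlen(src), i = 0, o = 0;
    while (i < len) {
        uint32_t cp;
        size_t n = utf8_decode(p + i, len - i, &cp);
        const char *name = bidi_control_name(cp);
        size_t need = name ? strlen(name) + 2 : n;
        if (o + need + 1 > sizeof buf) return NULL;
        if (name) o += (size_t)sprintf(buf + o, "<%s>", name);
        else { memcpy(buf + o, p + i, n); o += n; }
        i += n;
    }
    buf[o] = '\0';
    return buf;
}

/* Constructed sample (not the researchers' code): a comment carrying a
 * right-to-left override (E2 80 AE) and its terminator (E2 80 AC). */
static const char SAMPLE[] =
    "int main() {\n"
    "    /* begin admins only \xE2\x80\xAE*/ if (isAdmin) {\xE2\x80\xAC\n"
    "    return 0;\n"
    "}\n";

int main(void)
{
    struct bidi_hit hits[16];
    int n = scan_bidi_controls(SAMPLE, hits, 16);
    for (int i = 0; i < n && i < 16; i++)
        printf("line %d, column %d: bidi control %s\n", hits[i].line, hits[i].col, hits[i].name);
    const char *vis = bidi_visible(SAMPLE);
    if (vis) fputs(vis, stdout);
    return n ? 1 : 0;  /* non-zero exit lets a pre-commit hook or CI job reject the file */
}
```

Run it over a file's contents and the exit status makes it usable as a repository gate, one of the choke points described above; the `<NAME>` rendering is the editor-side equivalent. The 4-byte branch of the decoder exists only so that emoji and other astral-plane characters pass through without false positives, and the control characters are matched after decoding rather than as byte patterns so that a stray 0xAE inside some other sequence is not flagged.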

If you want to know more about the research, check out the research paper Trojan Source: Invisible Vulnerabilities, by Nicholas Boucher and Ross Anderson.

The post Trojan Source: Hiding malicious code in plain sight appeared first on Malwarebytes Labs.

What is Twitch?

Twitch is primarily a site dedicated to live streaming content. It also offers the ability to chat with others in the Stream you happen to be in via text. The primary draw of Twitch streams is video games and e-sports, leading to the rise of many big name streamers and content creators.

Is Twitch just for gaming?

In addition to gaming streams, Twitch also offers user generated content on a wide variety of themes and subjects. Everything from watching somebody sleep or attending musical events to walking around the streets of Japan shopping for clothes is available.

What age is Twitch for?

Statistics show a heavy leaning towards younger age ranges, with 41% of users in the 16-24 bracket and 32% in the 25-34 demographic. The proliferation of younger users makes it an appealing target for scammers.

Is it free? What is Twitch Prime?

The default Twitch experience is free to use. You can open up the Twitch website or download the app and start watching content right away. There’s no payment required to do this. However, Twitch does have paid options in the form of subscriptions, and also Prime Gaming (often referred to as “Twitch Prime”). Being a subscriber supports specific channels and also adds functionality for the user, such as emotes. Paid features and services make Twitch accounts an attractive proposition for scammers.

What are the dangers of Twitch?

It’s a variety of malware, phish pages, and social engineering.

  1. Fake spam blogs, which may or may not claim to be official Twitch sources, offer up some kind of “fix”. It could be related to stream quality, or audio, or broken emotes (for example). In one case, we found malware served up as an “audio fix”. This file actually steals the streamer’s Stream Key and gives it to the malware author. From there, they’re able to take control of the Stream and send out whatever they want to their audience, as well as change the channel name.
  2. Bogus video plugins are also a popular way of tricking people into running files that are not necessary to use Twitch. We found an imitation Twitch site offering up a “video player plugin” required to stream the site’s content. In actuality, the file is an installer manager which we detect as a PUP (Potentially Unwanted Program). The program offers a variety of installs, and also opens a streaming site unrelated to Twitch. Though listed as “free”, these types of sites often require a paid monthly subscription to view the content – only registering on the site is “free”.
  3. Fake “bombing” tools. Twitch bombing is where bots jump into someone’s channel and entice viewers away to another stream. This is a bad enough thing to happen, but the waters are muddied further when you discover fake tools claiming to help you “bomb” are actually just Trojans or other forms of PUP.
  4. Discord/Twitch crossovers. We often see bots in Discord channels, claiming to be from Twitch bearing free gifts. These generally direct potential victims to phishing pages hunting for Discord credentials.

Has Twitch ever been compromised?

Yes. Data was exposed to the internet after a server configuration change. This alteration was taken advantage of by a third party. Although no payment or address data was found to be leaked, a number of security practices were advised in any case. The data was classed as “Part 1”, leading some to suspect a second data dump containing said payment or address data. At time of writing, no such data has materialised. Users of Twitch should be on their guard for any kind of scam or social engineering regardless. We’re too close to the incident to know for sure if everything is now back to normal. As far as regular Twitch use goes, however, you’re almost certainly good to go.

Is Twitch safe?

A lot of the tricks above are used on many other websites whether related to gaming or not. If you make use of Twitch security settings, and keep up to date with the latest security happenings along the way, in theory you should be fine.

There’s always the possibility of a service being compromised, and as we’ve seen, this happened to Twitch itself not long ago. However, this kind of attack is out of your hands. Keep things locked down, make use of 2FA, and steer clear of the “something for nothing” scams. Nobody can possibly fault you for doing the very best you can to keep your account and Twitch itself safe from harm.

The post What is Twitch? appeared first on Malwarebytes Labs.

Google patches zero-day vulnerability, and others, in Android

Google has issued security patches for the Android Operating System. In total, the patches address 39 vulnerabilities. There are indications that one of the patched vulnerabilities may be under limited, targeted exploitation.

The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

Let’s have a closer look at the vulnerabilities that might seem interesting from a cybercriminal’s perspective.

The zero-day

Google has issued a patch for a possibly actively exploited zero-day vulnerability in the Android kernel. The vulnerability, listed as CVE-2021-1048, could allow an attacker with limited access to a device (for example, through a malicious app) to elevate their privileges (EoP). Further details about this vulnerability have not been provided by Google, except that it is caused by a use-after-free (UAF) weakness and that it may be under limited, targeted exploitation.

Use after free is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use that dangling pointer to manipulate the program. In this case that means they could run malicious code with the permissions granted to the legitimate program.
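To make the “pointer not cleared” description concrete, here is an added example constructed for this article; it is not Android or kernel code and has no relation to the actual bug behind CVE-2021-1048. The session struct, the function names and the token value are all assumptions. It contrasts a release routine that leaves the caller’s pointer dangling with one that scrubs the object, frees it and nulls the pointer, so that a later privilege check fails closed instead of reading whatever now occupies the freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example: a heap-allocated object that a program passes
 * around by pointer and consults for authorisation decisions. */
struct session {
    int  user_id;
    int  is_admin;
    char token[32];
};

struct session *session_new(int user_id, int is_admin, const char *token)
{
    struct session *s = calloc(1, sizeof *s);   /* zeroed, so token stays NUL-terminated */
    if (!s) return NULL;
    s->user_id = user_id;
    s->is_admin = is_admin;
    strncpy(s->token, token, sizeof s->token - 1);
    return s;
}

/* Weak pattern (the one the article describes): free() the object but
 * leave the caller's copy of the pointer untouched. The caller still holds
 * an address that the allocator may now hand to any other allocation, so
 * every later access through it is a use-after-free that reads or writes
 * whatever data landed there next. Kept for contrast only. */
void session_release_dangling(struct session *s)
{
    free(s);
}

/* Defensive pattern: take the caller's pointer by reference, scrub the
 * object, free it, and null the pointer. A later use then hits a NULL
 * check rather than silently trusting stale heap contents. */
void session_release(struct session **sp)
{
    if (!sp || !*sp) return;
    memset(*sp, 0, sizeof **sp);   /* don't leave the token behind in freed memory */
    free(*sp);
    *sp = NULL;
}

/* Privilege check that refuses to operate on a released session.
 * Returns 1 and sets *is_admin when the session is live, 0 otherwise. */
int session_check_admin(const struct session *s, int *is_admin)
{
    if (!s) return 0;
    *is_admin = s->is_admin;
    return 1;
}

/* Walks the safe path end to end: the live session answers the admin
 * check, and after release the pointer is NULL so the check reports "no
 * session" rather than reading freed memory. Returns 1 on that outcome. */
int demo_safe_release(void)
{
    struct session *s = session_new(42, 1, "constructed-token");
    int admin = -1;
    if (!s) return 0;
    if (!session_check_admin(s, &admin) || admin != 1) { session_release(&s); return 0; }
    session_release(&s);
    return s == NULL && session_check_admin(s, &admin) == 0;
}
```

Nulling the pointer does not fix every use-after-free (other copies of the pointer can exist), which is why the scrub step and the explicit NULL check in the consumer are there too; together they turn the failure the article describes into a detectable error instead of a privilege escalation.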

Android TV

The most severe vulnerability in Android TV could enable a proximate attacker to silently pair with a TV and execute arbitrary code with no privileges or user interaction required. This vulnerability, listed under CVE-2021-0889, lies in Android TV’s remote service component.

CVE-2021-0918 and CVE-2021-0930

In the System section of the security bulletin we can find two Remote Code Execution (RCE) vulnerabilities that are rated as Critical. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

The most severe vulnerability in this section could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. At this point it is unclear whether this description applies to CVE-2021-0918 or CVE-2021-0930, since both are listed as critical RCEs.

No more details were provided, but Google has used the description “a specially crafted transmission” for Bluetooth vulnerabilities in the past.

Chipsets

Besides vulnerabilities in the Android code, Google has fixed vulnerabilities introduced by some of the chipset manufacturers that Android uses. This round we spotted MediaTek and Qualcomm closed-source components. Two of the vulnerabilities in the Qualcomm software are listed as CVE-2021-1924 and CVE-2021-1975, and have been listed as critical. The severity assessment of these issues is provided directly by Qualcomm.

CVE-2021-1975 is located in the data modem and can be exploited remotely. It is a possible heap overflow due to an improper length check of the domain name while parsing a DNS response. This vulnerability got a CVSS rating of 9.8.

The heap is the name for a region of a process’s memory that is used to store dynamically allocated data. A buffer overflow is a type of software vulnerability that exists when data written to an area of memory exceeds that area’s boundary and spills into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.
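Qualcomm has published no code for CVE-2021-1975, so the following is an added, constructed example of the bug class its description names, not the modem’s parser: a decoder for DNS wire-format names (length-prefixed labels ending in a zero byte) in which every label length is checked against both the remaining message and the remaining output space before a byte is copied, shown beside the unchecked shape that overflows. The sample messages, the function names and the decision to reject compression pointers are all assumptions made to keep the example short.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_LABEL 63    /* RFC 1035 limits */
#define DNS_MAX_NAME  255

/* Hardened decoder. Reads a name from msg[off..len) into out (outsz bytes)
 * as dotted text and returns the number of wire bytes consumed, or -1 on
 * anything malformed. Compression pointers (top two bits set) are rejected
 * here to keep the example small; a full resolver must follow them with a
 * loop guard. */
int dns_name_parse(const uint8_t *msg, size_t len, size_t off, char *out, size_t outsz)
{
    size_t pos = off, written = 0, total = 0;
    if (!msg || !out || outsz == 0 || off > len) return -1;
    for (;;) {
        if (pos >= len) return -1;                     /* length byte itself is missing */
        uint8_t lab = msg[pos++];
        if (lab == 0) break;                           /* root label: end of name */
        if (lab & 0xC0) return -1;                     /* pointer or reserved prefix */
        if (lab > DNS_MAX_LABEL) return -1;
        if (lab > len - pos) return -1;                /* label runs past the message */
        total += lab + 1u;
        if (total > DNS_MAX_NAME) return -1;
        if (written + lab + (written ? 1u : 0u) + 1u > outsz) return -1;  /* would overflow out */
        if (written) out[written++] = '.';
        memcpy(out + written, msg + pos, lab);
        written += lab;
        pos += lab;
    }
    out[written] = '\0';
    return (int)(pos - off);
}

/* The weak shape, for contrast only: the length byte is trusted, so a
 * response that claims a long label with few bytes left, or a name longer
 * than the buffer reserved for it on the heap, makes memcpy write past the
 * end of out. That is the "improper length check" the advisory describes. */
int dns_name_parse_unchecked(const uint8_t *msg, size_t off, char *out)
{
    size_t pos = off, written = 0;
    for (;;) {
        uint8_t lab = msg[pos++];
        if (lab == 0) break;
        if (written) out[written++] = '.';
        memcpy(out + written, msg + pos, lab);   /* no check of lab against input or output size */
        written += lab;
        pos += lab;
    }
    out[written] = '\0';
    return (int)(pos - off);
}

/* Constructed sample names in wire format. */
static const uint8_t SAMPLE_GOOD[]     = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t SAMPLE_TRUNC[]    = { 7,'e','x','a','m' };       /* claims 7 bytes, has 4 */
static const uint8_t SAMPLE_BIGLABEL[] = { 64,'a', 0 };               /* label > 63 bytes */
static const uint8_t SAMPLE_PTR[]      = { 0xC0, 0x0C };              /* compression pointer */
static char NAME_BUF[DNS_MAX_NAME + 1];

int main(void)
{
    int n = dns_name_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 0, NAME_BUF, sizeof NAME_BUF);
    printf("good: consumed %d bytes -> %s\n", n, NAME_BUF);
    printf("truncated: %d\n", dns_name_parse(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 0, NAME_BUF, sizeof NAME_BUF));
    printf("big label: %d\n", dns_name_parse(SAMPLE_BIGLABEL, sizeof SAMPLE_BIGLABEL, 0, NAME_BUF, sizeof NAME_BUF));
    printf("small output buffer: %d\n", dns_name_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 0, NAME_BUF, 8));
    return 0;
}
```

The two checks that matter are the comparison of the label length against `len - pos` (the input side, which is where a crafted response does its damage) and against `outsz` (the output side, which is the heap buffer that overflows); dropping either one reproduces the bug class even though the other still holds.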

Android patch levels

Security patch levels of 2021-11-06 or later address all of these issues. To learn how to check a device’s security patch level, see Check and update your Android version.

Google releases at least two patch levels each month, and for November, they are 2021-11-01, 2021-11-05, and 2021-11-06.

For those who see an update alert marked as 2021-11-01, it means that they will get the following:

  • November framework patches
  • October framework patches
  • October vendor and kernel

Those who see either 2021-11-05 or 2021-11-06 patch levels will receive all of the above, plus the November vendor and kernel patches.

Stay safe, everyone!

The post Google patches zero-day vulnerability, and others, in Android appeared first on Malwarebytes Labs.

Zuckerberg’s Metaverse, and the possible privacy and security concerns

The news is currently jam-packed with tales of Facebook’s Meta project. Of particular interest to me is Facebook’s long-stated desire to introduce adverts into the VR space, and what this may mean for Meta too. I’ve talked about the privacy and legal aspects of adverts in gaming and other tech activities many times down the years.

An advert in every home

Back in the Xbox 360 days, I explained how even in 2009 console dashboards were increasingly filled with adverts. A few years later I also highlighted how gamers resorted to using HOSTS files or OpenDNS to block advertisers from placing adverts onto the screen. Sure, they ended up with lots of black empty boxes but they felt it was preferable to the alternative.

Adverts and tracking in gaming have never gone away, and in many cases have only become worse. In 2017, I presented findings on what gamers could expect to see in many EULAs and privacy policies. I also covered, in detail, what kind of things you should expect with regard to advertising in VR/AR platforms.

The Advergaming wilderness years

Things sort of fizzled out in VR/AR for advergaming for a few years. The technology has been there, but the big push has been around advertising in VR more generally. Advergaming is still pretty niche, and VR headsets always seem to be on the cusp of becoming the next big thing…but then not quite getting there.

What this realm has been crying out for is a massive platform push. Step up to the plate, Facebook. Now with all new Meta.

A frosty Meta reception

The promotional material for Meta hasn’t had the best of receptions. There are still a lot of things in there which simply don’t make sense, and provide no real indication of how it’s going to work. Even so, something VR/AR-centric is definitely going to be the end result; we just don’t know what specific form it’s going to take. But what we do know is that advertising will be a big part of it. Some of the basic ideas already thrown around suggest a gamification of reality, seen through the lens of Meta.

We’ve been down this privacy road before with Google Glass and other AR specs. What are some of the possible concerns and issues related to privacy and security in this new world of virtual augmented realities?

Avoiding the physical risks of VR

If you’re going to spend a lot more time in headsets, it pays to be mindful of your surroundings. There’s already been one VR death that we know of, and we don’t need any more. I’ve spent a fair amount of time with a headset on for advergaming research, and below are the rules I generally follow to keep myself safe. We don’t know what Meta will say in terms of physical security yet, but encouraging a big push into VR should probably be accompanied by suggestions similar to these:

  1. Some VR games require you to stand up, or move around. They’re quite physical. Others are fine to play sitting down, and you might use a mouse and keyboard or a controller. If you’re doing the latter, you won’t want to accidentally hit your screen. You’re not looking at it anyway, so consider turning it around so it faces away from you. If your layout doesn’t allow for this, you can often align the “front view” of the game (what you see, in other words) to be aligned in a different direction from the TV or monitor the PC is plugged into. So you’re still able to have yourself facing a different direction. Note that this will only work if you’re using a controller or wands. You can’t really sit at a right angle to your screen if you still need the mouse and keyboard.
  2. Wire safety is crucial. It’s incredibly easy to get your legs tangled up and then have a head/floor incident. Some people install overhead hooks to manage wires. Where this isn’t possible, cable ties are also handy. If all else fails, there are apps you can use which will show you if cords are tangling while in-game.
  3. Some platforms use “chaperone” modes. These map out the safe floorspace area while playing.
  4. I’ve seen many “Oh no, I bashed my toddler on the head with my wand” type posts down the years. There used to be no easy way to get the attention of someone in a headset without risking a bash from a flailing arm or leg. Thankfully there are safeguards which can be used. For example, the Steam “knock knock” feature.
  5. Orientation is another problem. I don’t remember where I got this tip from, but placing a fan next to wherever your TFT or TV is located means you’ll always know where everything in the room is related to your position. Finally, if you’re on carpet then put down a rubber mat or similar so you know where the safe zone is. If you’re on wood, then a few squares of carpet or a rug will do.

That’s the physical side of things covered, though there’s probably room for improvement. Now we move onto the digital concerns. Let’s start the ball rolling with what is probably the biggest problem for Facebook/Meta specifically:

Advertising in Facebook related VR realms just isn’t that popular

In June, we looked at what happened when Facebook announced it was going to do some advert testing in games. The title selected for this was something called Blaston. Although the adverts arguably stuck out badly from the game’s futuristic environment, the ad tracking side of things was pretty non-invasive. No movement data was used to determine ad success, no information was processed or stored locally, and conversation content was not recorded. Compared to the kind of deep-dive practices which happen on your desktop every time you open your browser, this is an incredibly light touch.

Despite this, the test didn’t seem to go very well. The developers were told by players “We don’t want this” and they decided not to do it anymore. Like many popular VR games, it’s a paid title and not a freebie. Ads in expensive console and PC games tend to get a rough time of things by default. It seems the same is true for VR titles. The fact that players on some VR platforms would see these ads as opposed to others pretty much sealed their fate.

There’s no easy way round this, and Facebook/Meta has a big hill to climb here.

Data breaches are still a thing even in VR land

Users of a pornography-based VR app were in the news back in 2018. Researchers found it was possible to view information including email addresses and device names for app users along with download details for anyone who’d paid using PayPal. Even though you’re interacting with a virtual or augmented world via headset or mobile, your data is still ending up somewhere other than the visor on your head.

It’s never been easier to pick up cheap DIY tools and get making some VR apps. We often wonder how much security work goes into cheap IoT devices and regular mobile apps, and the same thing applies to VR and AR. At this point, we simply don’t know what the future holds in this respect. If Meta allows for third party apps somewhere down the line, we need to know what security measures are in place to protect user data, and also screen for potentially malicious or insecure apps.

Augmented reality specs are on thin ice regarding privacy concerns

Look, we’ve been here before. People were so carried away with the idea of tiny digital lenses on their face that we soon ended up with lots of privacy invading overreach. Oh no, my fancy glasses are banned from public restrooms. Ah, this eatery won’t let me sit inside with other customers. Whoops, the local cinema has accused me of recording a movie and sent me to space prison.

And so on.

Any maker of AR glasses must surely be aware of the privacy furore just waiting to explode again the moment someone does something bad with their branded specs in the accompanying news stories.

Facebook seems to be conscious of the Glass issues from years prior, but some of its solutions to these privacy issues are arguably a little bit lacking in solid details so far. Making real-world product functionality dependent on social media accounts is also risky in general. We need to see a lot more meat on the bone where addressing safety and privacy issues arising from AR glasses is concerned. Whoever manages to crack this problem will reap the benefits, but will they be able to pull it off in the first place?

The privacy concerns issue isn’t really helped by some of the commentary from Mark Zuckerberg himself. He commented that a “killer use case” for AR glasses is being able to do something the person you’re talking to is unaware of.

We’re in a time where privacy focused people have seen years of awful tech practices. At this current moment, we’re all waiting for the next privacy fallout from a data breach. With the myriad ways bad people can abuse people through technology placed in their homes, the stakes for real/digital crossovers have never been higher.

And then, in all of this, we have the man at the forefront of a new, unreleased real/virtual crossover normalising a (mildly) deceptive use of technology towards people unaware that it’s happening.

This seems like a bad idea.

Don’t make it easy for criminals

Another selling point of Meta is being able to reproduce your home inside the VR space. This sounds cool, but there are already plenty of VR apps and desktop-based programs you can do this in. Yes, I made my home in Fallout 4. Yes, I blew it up shortly afterwards.

The difference is, the only person able to see it before it went kaboom was me.

There’s almost certainly going to be a social dimension to Meta’s home building. Friends will want to come and hang out at your (digital) place, right?

Where this could be a cause for concern is privacy settings. We need to make sure people are able to make their homes private, or inaccessible to strangers. I’ve seen similar situations in games where your home can be opened to the public. Sometimes you can port accessibility restrictions from house to house. Other times, homes or apartments are listed in public databases in-game and you’re free to visit wherever you want.

VR and AR allow for a lot more realistic homebuilding in digital spaces. There are furniture store apps which allow you to use AR and place items in your home to see if it fits the space intended for it. Could we see people scanning portions of their home and inserting it into Meta spaces? How about accurate replicas of rooms and their furniture?

The danger is we’ll be making scale models which could be used for any dubious purpose you care to mention. What if you’re able to make the outside of your home resemble the real thing too? Why stop at your home, when you can port in the whole street via public map databases?

Now you have a proper digital replica of your everyday life which strangers can visit. They can use this data and OSINT (open source intelligence) to figure out where you live. A dubious character might keep an eye on your social media feeds till you say you’re on holiday for 2 weeks. At that point, you might have your first burglary using VR as a launchpad…and an incredibly accurate floorplan of your home for reference while doing it.

Making Meta mountains out of molehills?

This is all wild speculation, but it’s very easy to see a way several unrelated aspects of VR/AR could unintentionally help people up to no good. If the right privacy tools don’t exist, if users aren’t given warnings as to why doing x or y in VR isn’t safe, it could be bad. A senior lecturer in digital cultures recently said “Facebook’s VR push is about data, not gaming”. I’d have to respectfully disagree.

All of the proposed coolest looking features seen so far are indeed all about gaming. If it isn’t Force ghost chessplayers, it’s Force ghost fencing battles. Wanting to make your own home digital and show it off is gamifying the experience. You can’t get any more gamey than oft-frustrated attempts to jam adverts into popular video game titles.

The games are absolutely the hook, and the way in, to vast quantities of data. Regardless of which direction Meta goes in with this, it’s up to the people wearing the headsets and glasses to be comfortable with their choices and be aware of the privacy perils of VR and AR.

It’s a whole new digital world out there.

The post Zuckerberg’s Metaverse, and the possible privacy and security concerns appeared first on Malwarebytes Labs.

This Steam phish baits you with free Discord Nitro

Weeks ago, we talked about the one effective lure that could get a Discord user to consider clicking on a scam link they were generously given, either by a random user or a legitimate contact who also happened to have fallen for the same ploy: free Discord Nitro subscriptions.

And similar to how scammers repeatedly prey on Discord users, they also prey on Steam users (Remember that “I accidentally reported you” scam?).

There’s novelty, however, in scammers preying on both at the same time. It’s not something you normally come across every day.

This Discord scam is not after your Discord credentials

There’s a fresh, active scam circulating in Discord right now that is propagated by either bot accounts or accounts controlled by scammers. Below is a sample screenshot of what you might find sitting in your direct messages:

[Screenshot: fake Discord direct message]
This is just one variant of the scam.

See, here free nitro for 1 month, just link your Steam account and enjoy –
{partially redacted URL}

Once Discord users click the link, they are directed to a website that was made to look and feel like a legitimate Discord page.

[Screenshot: fake Discord website]
Since when did Steam start giving away free Discord Nitro?

Clicking the “Get Nitro” button opens something that deceptively resembles a Steam login pop-up. In fact, it is not a separate browser window at all: the “pop-up” is an element of the web page itself.

This tactic is similar to that used by fraudsters about two years ago, described here by Reddit user /Bangaladore. In the post, he describes in detail how he (or his friend) found out that the pop-up is actually not a pop-up: “If you try to drag the window off of the parent chrome window, what happens? You can’t. It just stops at the edge. If you scroll up and down on the original page, the Steam sign in the [sic] window goes with it. A normal pop up does not act like this.”

[Screenshot: fake Steam pop-up]
Uhh…

As you can see above, this particular pop-up had a bit of a problem loading the elements, thus the borked look. But we’d like to point out that, while the websites we visited and analyzed related to this scam use the same interface, there are just times when the code breaks and the spoofed URL in the fake address bar doesn’t show as it should. Here’s a better example from a related scam website that perfectly loaded up everything:

[Screenshot: a fully rendered fake pop-up from a related scam site]
Note that the fake pop-up window displays the proper “steamcommunity.com” domain—but do not be fooled. This is just another way for scammers to make fake things look believably real.

When Discord users key in their Steam credentials in the fake pop-up, it shows them an error message saying “The account name or password that you have entered is incorrect”. Behind the scenes, though, their Steam credentials have already been captured and stored by the scam website.

Below is a clip of the scam in action (Kudos to Stefan Dasic who analyzed the URLs and recorded this clip):

[Video clip: the scam in action]

Malwarebytes already blocks 195[dot]133[dot]16[dot]40, the IP of this scam. We also found more than a hundred other scammy domains sitting on this IP. Here’s a sampling:

1nitro.club
appnitro-discord.com
asstralissteam.org.ru
discord-steam-promo.com
discordgifte.com
dicsord-ticket.com
discord-appnitro.com
ds-nitro.com
nitro-discordapp.com
nitrodsgiveways.com
steam-nitro.online

Stay safe out there! And please don’t just click links that came out of the blue.

The post This Steam phish baits you with free Discord Nitro appeared first on Malwarebytes Labs.