IT NEWS

FBI and CISA warn of APT groups exploiting ADSelfService Plus

In a joint advisory the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warn that advanced persistent threat (APT) cyber-actors may be exploiting a vulnerability in ManageEngine’s single sign-on (SSO) solution.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. The CVE program's goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in question is listed under CVE-2021-40539 as a REST API authentication bypass with resultant remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus build 6113 and prior.

The vulnerability allows an attacker to gain unauthorized access to the product through its REST API endpoints by sending a specially crafted request. From there, the attacker can carry out subsequent attacks that result in RCE.

For those who have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. That means any attacker able to exploit this vulnerability immediately lands on a system that handles credentials for some of the most critical parts of a corporate network.

In-the-wild exploitation

When word of the vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in, saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. Yesterday’s joint advisory seems to support that, telling us that APT cyber-actors are likely among those exploiting the vulnerability.

The agencies consider this a serious concern because it poses a real risk to critical infrastructure companies. CISA recognizes 16 critical infrastructure sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The joint advisory points out that the suspected APT cyber-actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors—including transportation, IT, manufacturing, communications, logistics, and finance.

It also warns that successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

According to the advisory, the JavaServer Pages web shell arrives as a .zip file “masquerading as an x509 certificate” called service.cer. The web shell is then accessed via the URL path /help/admin-guide/Reports/ReportGenerate.jsp.

However, it warns:

Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.

Please consult the advisory for a full list of IOCs.
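A small triage helper for the indicators named above, added here as an example; it is not code from the advisory, CISA or ManageEngine. It compares the installed build number with the fixed build, looks for the two file names the advisory ties to the web shell, and scans web-server access-log lines for requests to the web shell URL. The log lines and file paths below are constructed for illustration, and the Apache/Tomcat “combined” log format and the install directory are assumptions about your deployment.

```python
"""Triage helper for CVE-2021-40539 indicators from the joint advisory.

Added example (not advisory or vendor code). Assumes access logs in the
Apache/Tomcat "combined" format; adapt LOG_RE if yours differ.
"""
import os
import re
from collections import Counter

FIXED_BUILD = 6114                                      # build 6114 fixes CVE-2021-40539
WEBSHELL_URL = "/help/admin-guide/Reports/ReportGenerate.jsp"
DROPPED_FILES = {"service.cer", "reportgenerate.jsp"}  # lower-cased for comparison

# "combined" format (assumed):
# host ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def is_vulnerable_build(build):
    """Builds 6113 and earlier are affected; 6114 and later carry the fix."""
    return int(build) < FIXED_BUILD


def find_webshell_hits(log_lines):
    """Return the parsed requests whose path is the web shell URL.

    The query string is stripped and the comparison is case-insensitive, so
    ...ReportGenerate.jsp?x=1 or a mixed-case path still counts as a hit.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        path = m.group("path").split("?", 1)[0]
        if path.lower() == WEBSHELL_URL.lower():
            hits.append(m.groupdict())
    return hits


def hits_by_source(hits):
    """Count web shell requests per client IP: who is talking to the shell?"""
    return Counter(h["ip"] for h in hits)


def find_dropped_files(paths):
    """Paths whose file name matches one the advisory associates with the shell."""
    return [p for p in paths if os.path.basename(p).lower() in DROPPED_FILES]


def walk_files(root):
    """Yield every file path under root, for feeding into find_dropped_files()."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            yield os.path.join(dirpath, name)


# Constructed sample log: two ordinary requests, then three requests to the shell.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Sep/2021:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Sep/2021:08:01:15 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Sep/2021:08:03:40 +0000] "GET /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 88 "-" "python-requests/2.26.0"',
    '203.0.113.5 - - [10/Sep/2021:08:03:52 +0000] "POST /help/admin-guide/Reports/ReportGenerate.jsp?x=1 HTTP/1.1" 200 412 "-" "python-requests/2.26.0"',
    '192.0.2.77 - - [11/Sep/2021:01:17:09 +0000] "GET /help/admin-guide/reports/reportgenerate.jsp HTTP/1.1" 200 88 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    print("build 6113 vulnerable:", is_vulnerable_build(6113))
    hits = find_webshell_hits(SAMPLE_LOG)
    print(f"{len(hits)} web shell requests:", dict(hits_by_source(hits)))
    # On a real host, point walk_files() at the ADSelfService Plus install root.
```

A clean result here does not prove a clean host: as the advisory quoted above warns, the attackers run clean-up scripts, so treat these checks as a starting point and consult the full IOC list.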

Mitigation

A patch for this vulnerability was made available on September 7, 2021. Users are advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urge organizations to make sure that ADSelfService Plus is not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations. It also has information about how you can reach out to support if you need further information, have any questions, or face any difficulties updating ADSelfService Plus.

Stay safe, everyone!

The post FBI and CISA warn of APT groups exploiting ADSelfService Plus appeared first on Malwarebytes Labs.

Facebook’s own research reveals the harm that Instagram can inflict

For years, people have accused social media, and particularly image-driven sites like Instagram, of being bad for young people, particularly young women. It turns out that Instagram’s owner, Facebook, agrees.

Thirty-two percent of teen girls said that when they felt bad about their bodies, Instagram made them feel worse.

This was one of the findings of internal Instagram researchers, included in a presentation slide posted to Facebook’s internal messaging board in March 2020. It continues:

“Comparisons on Instagram can change how young women view and describe themselves.”

The Wall Street Journal (WSJ) has reviewed and revealed the contents of such slides in the latest instalment of The Facebook Files, a WSJ series of investigative articles based on “internal Facebook documents, including research reports, online employee discussions and drafts of presentations to senior management.” These documents sometimes include findings from other companies the social network giant owns, like Instagram and WhatsApp.

Concerned parents and carers who have seen, or heard from their teen, how Instagram affects them will likely find confirmation of what they already know: Instagram is not helping with their body issues and sense of self at all. What may be more shocking to them is that Facebook knows this too.

What Facebook knows

Facebook has been conducting internal studies of how Instagram affects its young users for three years, but had never shared any of its findings until three days ago, in response to the WSJ investigation.

According to the Journal, more than 40 percent of Instagram users are 22 years old or younger, with about 22 million teens logging on to Instagram in the US each day. The social media giant is said to have repeatedly found that Instagram is harming its young users, especially teenage girls.

It reports that the research conducted by Facebook revealed that Instagram makes body image issues worse for about one in three girls; that teenagers blame Instagram for increases in the rate of anxiety and depression; and that one in five teenagers said that Instagram makes them feel worse about themselves. The slides also revealed that a percentage of female teens in the US and UK have suicidal thoughts over what they see on Instagram.

Teen girls aren’t the only ones affected, though. Facebook’s 2019 research found that 14 percent of boys in the US said that Instagram made them feel bad about themselves. The following year, researchers found that 40 percent of teen boys experienced negative social comparisons. This, the researchers concluded, is a problem specific to Instagram.

“Social comparison is worse on Instagram,” is what Facebook noted after doing a deep dive into body image issues in teen girls in 2020. What Instagram users tend to do is share only the best and most perfect photos and moments, which can trigger negative reactions, and may even lead to eating disorders, an unhealthy outlook towards themselves, and depression.

According to the researchers, young Instagram users who are struggling with mental health are aware that the app is affecting them in a negative way and that they need to spend less time on it, but admit they can’t stop themselves.

Facebook executives are stumped

The Journal claims that Facebook’s internal documents reveal that it has done little to address these issues, and has even downplayed them in public. For example, Adam Mosseri, head of Instagram, has told reporters that the research suggests the app’s effects on teen well-being are “quite small”.

“In no way do I mean to diminish these issues…. Some of the issues mentioned in this story aren’t necessarily widespread, but their impact on people may be huge,” Mosseri further said in an interview with the Journal.

In another example, Mark Zuckerberg, CEO of Facebook, said at a March 2021 congressional hearing that, “The research that we’ve seen is that using social apps to connect with other people can have positive mental-health benefits,” which only highlights one side of the story while failing to mention the other.

Instagram’s response to the WSJ, written by Karina Newton, head of public policy on Instagram, says the Journal focusses on “a limited set of findings and casts them in a negative light”. She stands behind the company’s research and efforts to make things better for every teen user on Instagram, writing that “It demonstrates our commitment to understanding complex and difficult issues young people may struggle with, and informs all the work we do to help those experiencing these issues.”

In other words, as so many Facebook profiles say: It’s complicated. “The research on the effects of social media on people’s well-being is mixed, and our own research mirrors external research. Social media isn’t inherently good or bad for people. Many find it helpful one day, and problematic the next. What seems to matter most is how people use social media, and their state of mind when they use it.”

The Journal claims that Facebook executives are struggling to find ways to reduce Instagram’s harm while keeping people on the platform. Project Daisy, for example, was a pilot program created as a potential solution, based on focus group feedback, to keep kids from feeling anxious and having negative feelings when they see “like” counts. In Project Daisy, “like” counts are hidden. However, the results of the program revealed that it didn’t improve teens’ lives.

Project Daisy was rolled out, nonetheless, with executives noting in an internal discussion that this, essentially, is just for show. “A Daisy launch would be received by press and parents as a strong positive indication that Instagram cares about its users, especially when taken alongside other press-positive launches.”

Mosseri acknowledges in an interview with the Journal that he doesn’t think there is a clear-cut solution to fixing Instagram. “I think anything and everything should be on the table,” he said, “But we have to be honest and embrace that there’s trade-offs here. It’s not as simple as turning something off and thinking it gets better, because often you can make things worse unintentionally”.

In a comparison that might not have come across in the way he hoped it would, Mosseri recently equated social media to cars in a podcast interview with Peter Kafka on the Recode Media podcast. “Cars have positive and negative outcomes. We understand that. We know that more people die than would otherwise because of car accidents. But by and large, cars create way more value in the world than they destroy. And I think social media is similar.”

However, Kafka, and some helpful users on Twitter, pointed out that they are not the same at all: Cars are heavily regulated, licensed, policed, regularly tested for problems, are not accessible to teens who are 16 years old and below, and have meaningful safety measures in place.

This is a call for help

Perhaps what stands out most from the reporting is not a single statistic, or how negatively Instagram has been affecting teens for years, or even that Facebook is well aware of the negative side of its social media empire, but the fact that the teens who are reporting problems are finding it really difficult to unplug or quit the app.

Parents and carers: Do not expect Instagram or Facebook to do this for you any time soon, because these online services were engineered to make users want to come back for more, even when they know it’s not good for them.

As computer scientist Dr. Cal Newport said in his memorable TED Talk, Why you should quit social media, social media is designed to provide a constant flow of small, intermittent rewards, just like a slot machine. Newport: “It’s one thing to spend a couple of hours at a slot machine in Las Vegas, but if you bring one with you, and you pull that handle all day long, from when you wake up to when you go to bed: We’re not wired for that”.

Kids cannot be expected to handle the social media slot machine alone—parents, family members, and our children’s friends all have a role to play in helping our kids overcome this.

The post Facebook’s own research reveals the harm that Instagram can inflict appeared first on Malwarebytes Labs.

Ransomware scammers target artists with fake Krita revenue deals

The Krita digital painting application is currently being targeted by ransomware authors. Available on Steam and other platforms, it’s a powerful tool with a very cheap purchase price and great reviews. A perfect bit of bait to start reeling in potential victims, in other words.

How does the scam work?

Ransomware scammers send out mails to artists. Those mails claim to be from the team behind the Krita tool, and contain links which redirect potential victims to the real domain. This is to make everything look above board and legitimate.

The mails seen so far read as follows:

Hello dear, please give me a moment of your time. Krita team is eager to collaborate with you.

After this follows a generic promo text for the program. They follow this up with:

We would like to consider integrating a 30-45 second ready-made promo into your media space (Facebook, Instagram, Youtube), can we consider that?

Other mails claim that once the registration process is done and dusted, an email address, payment information, and phone number are required. Yes, there’s a bit of data grabbing alongside the malware slinging.

The aim of the game is revenue generation, and this is always going to be an attractive proposition for artists.

The bogus mediabank zip makes its entrance

Regardless of how the emails present themselves, there’s one common factor. They claim to link to a “mediabank” which contains icons, screenshots and previous video campaigns. The contents are “confidential”, which is a sneaky way to discourage potential victims from telling anybody about it.

Some folks have reported the contents of the zip as .scr files masquerading as images/videos.

Why an scr file?

Any scam that involves images has a good chance of falling back on .scr files. It’s a very old technique. People unfamiliar with the extension may assume it means “screenshot”, especially when they open a zip expecting to see imagery. Sadly, that isn’t the case: an .scr file is a Windows screen saver, which is an ordinary executable under a different extension, and double-clicking it runs it like any other program. Because Windows hides known file extensions by default, a file named preview.jpg.scr can even show up as just preview.jpg. If it contains bad things, then bad things will be headed your way in an instant.

Tricking visual artists with scr files seems like a particularly cruel trick, whether intentional or not.
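What a check on such a “mediabank” zip looks like in practice, as an added example (not code from Krita or from this article): three tests per archive entry, the final extension, any media-looking inner extension (preview.jpg.scr), and whether the file’s bytes start with “MZ”, the header every Windows executable (EXE, DLL and SCR alike) carries regardless of its name. The archive is built in memory with made-up names and fake contents so it runs offline, and the extension lists are a common subset, not a complete one.

```python
"""Audit a zip archive for files that would run as programs when the recipient
expects images or video. Added example; sample archive is constructed."""
import io
import zipfile

# Extensions Windows will execute on double-click (common subset, not exhaustive).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".msi"}
# Extensions a recipient of a "mediabank" would expect to see.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp", ".svg", ".mp4", ".mov"}
MZ_HEADER = b"MZ"   # first two bytes of every Windows PE executable


def _base_name(entry_name):
    return entry_name.rsplit("/", 1)[-1]


def final_extension(entry_name):
    """'.scr' for 'mediabank/promo.mp4.scr'; '' when there is no dot."""
    base = _base_name(entry_name).lower()
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def media_inner_extension(entry_name):
    """True for 'promo.mp4.scr'-style names whose earlier extension is a media type."""
    parts = _base_name(entry_name).lower().split(".")
    return any("." + p in MEDIA_EXTS for p in parts[1:-1])


def audit_archive(zip_bytes):
    """Return {entry name: [reasons]} for every entry that must not be opened."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            ext = final_extension(info.filename)
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if media_inner_extension(info.filename):
                reasons.append("media-type inner extension (double extension)")
            with zf.open(info) as fh:          # content check: the name can lie, the header cannot
                if fh.read(2) == MZ_HEADER:
                    reasons.append("Windows executable (MZ header)")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed lure: a PNG, a screensaver posing as a video, a PE renamed
    to .jpg, and a text file. All contents are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mediabank/logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
        zf.writestr("mediabank/promo_video.mp4.scr", MZ_HEADER + b"\0" * 62)
        zf.writestr("mediabank/screenshot_01.jpg", MZ_HEADER + b"\0" * 62)
        zf.writestr("mediabank/README.txt", b"Confidential - do not share")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in audit_archive(build_sample_archive()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The header check is the one that matters most: renaming an executable to .jpg defeats an extension filter, but the file still begins with MZ, and Windows will still refuse to render it as a picture.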

What happens next?

Krita previously reported this as ransomware, and the mails are still going strong.

They look pretty convincing, which certainly won’t hurt the scammers one bit. If you’re going to trick people who work with visuals, it pays to look as good as possible.

Forward on any dubious messages you receive to the Krita team, and delete the mails afterwards. Don’t trust zip attachments, and give any scr file extensions a wide berth. Showing file extensions is also helpful, both for this and any other potential attacks generally. It appears a lot of the domains used for these mails are down, but it’s easy enough to put up replacements. Be careful out there!

The post Ransomware scammers target artists with fake Krita revenue deals appeared first on Malwarebytes Labs.

HP OMEN users, update your driver now!

HP has released a patch to fix a flaw in the HP OMEN driver.

As far as we know the flaw isn’t being actively exploited, but it’s worth applying the patch as soon as you can.

The flaw, the fix

The driver vulnerability, which is tracked as CVE-2021-3437, was found by Kasif Dekel, a senior security researcher at SentinelLabs.

If exploited, the vulnerability could allow a malicious threat actor to escalate privileges to kernel mode. That would let the actor disable security solutions, run malicious code in kernel mode, elevate the privileges of other users, and more. Exploiting the flaw could also crash the system, a denial-of-service (DoS) condition.

The driver, HpPortIox64.sys, is used by the HP OMEN Gaming Hub (previously called HP OMEN Command Center), software that comes pre-installed in HP OMEN systems. Although this SYS file is created by HP, according to Dekel, it is actually “a partial copy of another problematic driver, WinRing0.sys, developed by OpenLibSys.”

HpPortIox64.sys essentially inherited the kernel-mode privilege problem from WinRing0.sys.

“It’s worth mentioning that the impact of this vulnerability is platform dependent,” continues Dekel in the report, “It can potentially be used to attack device firmware or perform legacy PCI access by accessing ports 0xCF8/0xCFC. Some laptops may have embedded controllers which are reachable via IO port access.”

The flawed HP driver accepts IOCTL (Input/Output Control) requests from non-privileged users without any access control check, so code running as an ordinary user can ask the driver to perform privileged operations on its behalf. Dekel describes such drivers as abusable “by design.”

Road 96 and OMEN

It’s worth mentioning that HP’s first official video game, Road 96, gives its video game players and fans the option to download the OMEN Gaming Hub in a section of the game.

The Road 96 in-game menu says “Install and launch OMEN Gaming Hub to unlock a special ability”. Will you though?

Although we can’t say for sure if the driver problem will pose a threat to non-HP users should they agree to install the Hub, we do note another threat to consider. According to Chris Boyd, lead malware intelligence analyst for Malwarebytes, “Certain games offer additional skills or abilities in return for installing OMEN, such as the award-winning Road 96. As a result, many people will have it on their system even if they have no intention of ever using it. Where updates aren’t taking place, this could be dangerous should an exploit arise in the wild.”

The post HP OMEN users, update your driver now! appeared first on Malwarebytes Labs.

3 security lessons from an MSP that survived the Kaseya VSA attack

Jay Tipton, chief executive for the Managed Service Provider (MSP) Technology Specialists, remembers his Fourth of July weekend this year like many MSP employees likely remember theirs: As a bit of a nightmare.

“That’s like the worst feeling you’ll ever have,” Tipton said about his initial impressions about a fast-moving ransomware attack that he originally thought hit just his company. His Microsoft Outlook instance closed down unexpectedly, his phone rang and he learned about a customer having trouble connecting to some software tools, and then, just minutes later, his phone rang again. The number of customer problems had already multiplied.

As Tipton and the world would soon learn, his Fort Wayne, Indiana-based MSP was just one of up to 1,500 companies ensnared in what is probably the largest ransomware attack ever, when threat actors poisoned the remote monitoring and management tool Kaseya VSA, a favorite of many MSPs, with ransomware.

The attack, which actually led to grocery stores shuttering their doors in Sweden, proved so detrimental because of its cascading nature. By attacking Kaseya VSA, threat actors not only managed to compromise the software, but also the MSPs that used the software, and the small- to medium-sized businesses that were supported by those same MSPs.

Recovery for Tipton’s company has been slow but hopeful. Technology Specialists retrieved data for its customers, maintained strong customer relationships, and even received an outpouring of support from ex-employees and clients themselves.

But in speaking with MJ Shoer, executive director for the nonprofit CompTIA’s Information Sharing and Analysis Organization, Tipton revealed that even the best recovery plans will hit unforeseen obstacles.

Take, for instance, Technology Specialists’ efforts in recovering their clients’ data. Their backups worked, Tipton said, but the process itself happened slower than expected.

“We’ve had some restoring issues, and part of it had to do with download speeds, because everyone was trying to hit the same data centers at the same time,” Tipton told Shoer. “That’s part of the problem. You can’t plan for that.”

Through this process, Tipton compiled a long list of things he’d like to change moving forward, most of it on a large Post-It note covering much of one of his walls. Here’s what Tipton is focusing on moving forward. His lessons are relevant to all organizations, not just MSPs.

Ransomware recovery lessons

1. Put passwords and disaster recovery plans on paper

If the worst happens, you’ll wish you had made a recovery plan. Recovery plans typically identify the key systems and data inside your organization, and the shortest path to restoring critical business functions.

Following the Kaseya VSA ransomware attack, Tipton said that he is focusing on a way to provide “paper printouts” for his company and his clients’ disaster recovery plans. He also added that he wants to find a way to “securely print out passwords” because the attack also seemingly affected Technology Specialists’ password vault.

“We had to wait almost 36 hours to get our password vault restored so we could get passwords out of it,” Tipton said.

Both ideas have immediate value for any business, big or small. A disaster recovery plan is only as useful as it is accessible, and an inaccessible password vault could slow down literally every single part of a data recovery effort if administrators simply cannot access their accounts.

2. Say goodbye to public whitelists

Allowing MSPs to manage some or all of their IT and security makes sense for lots of small businesses, but it comes with its own risks. MSPs act as administrators, so any tools they use get administrator privileges too. MSPs also need to make their toolchain work across all the various customer environments they support.

A common practice for MSP software vendors is to advise users of directories that should be “whitelisted” against antivirus software, so that their software can work without interference from cybersecurity tools. This practice is understandable—attackers try hard to disguise themselves as administrators and security tools have the difficult job of letting legitimate remote administration go ahead while stopping malicious remote administration—but it is ill-advised.

These whitelist guides are available for anyone to view online, but, according to Tipton, Technology Specialists is asking for more control over how some directories are actually treated. Tipton said some of what he’s doing moving forward is “not allowing the software vendors to push us into whitelisting directories. That’s not happening anymore.”

“Give me control of which directory it is and how far down I can bury it—I’ll consider it, because then I can control how it’s working, what’s going on in there, and where it’s at so it’s not public knowledge that directory exists,” Tipton said. “But this open whitelisting of programs and directories isn’t going to happen.”

3. Insist that software is digitally signed

In speaking with Shoer, Tipton mentioned that one of the vendors that Technology Specialists uses has the annoying habit of changing its DLLs (the software libraries that their product uses) quite regularly. Tipton said he will not allow that anymore unless the vendor starts digitally signing the DLLs.

Why? Because this is another situation where legitimate behavior and malicious behavior can look very similar. If a DLL changes and it hasn’t been signed by the vendor, Tipton has no way of knowing if the new DLL is legitimate or if it has been tampered with by an attacker.

“I’ve got a vendor that likes to keep changing their DLLs, and I think some of them change on the fly and it causes all kinds of problems,” Tipton said. “You’re going to have to sign your program with a cert because I’m going to block it and it’s not optional.”
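One way to act on this lesson, as an added example (not code from Technology Specialists, Kaseya or any vendor): keep a SHA-256 baseline of the DLLs in a directory, report what was added, removed or changed, and parse the PE header of each new or changed file to see whether an Authenticode signature blob (the Certificate Table data directory) is present at all. Presence is not validity: on Windows, confirm the signer with `Get-AuthenticodeSignature` or `signtool verify /pa` before trusting the file. The sample “DLLs” are hand-built minimal PE headers written to a temporary directory, not real libraries.

```python
"""Detect changed DLLs and check whether the new files carry a signature blob.
Added example; sample files are hand-built PE headers, not real DLLs."""
import hashlib
import os
import struct
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(directory, suffix=".dll"):
    """Map relative path -> SHA-256 for every file with `suffix` under `directory`."""
    out = {}
    for dirpath, _, names in os.walk(directory):
        for name in names:
            if name.lower().endswith(suffix):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, directory)] = sha256_file(full)
    return out


def diff_baselines(old, new):
    """(added, removed, changed) relative paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def has_authenticode_blob(pe_bytes):
    """True if the PE's Certificate Table data directory (index 4) has non-zero size.

    Layout: "MZ" DOS header, e_lfanew at 0x3C -> "PE\\0\\0" -> 20-byte COFF header ->
    optional header whose data directories start at +96 (PE32, magic 0x10B) or
    +112 (PE32+, magic 0x20B), eight bytes each (RVA, size); NumberOfRvaAndSizes
    sits in the four bytes just before them.
    """
    try:
        if pe_bytes[:2] != b"MZ":
            return False
        pe_off = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
        if pe_bytes[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt = pe_off + 24
        magic = struct.unpack_from("<H", pe_bytes, opt)[0]
        dirs = opt + (112 if magic == 0x20B else 96)
        n_dirs = struct.unpack_from("<I", pe_bytes, dirs - 4)[0]
        if n_dirs < 5:
            return False
        _rva, size = struct.unpack_from("<II", pe_bytes, dirs + 4 * 8)
        return size > 0
    except struct.error:
        return False            # truncated, or not a PE file at all


def fake_pe(signed, pe32plus=True):
    """Hand-built minimal PE header (no sections, not loadable) for the demo only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)                        # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, dirs + 4 * 8, 0x400, 0x1200)    # cert table offset/size
    return dos + b"PE\0\0" + coff + bytes(opt)


def demo():
    """Vendor ships two signed DLLs; later one is swapped for an unsigned build
    and a third DLL appears. Returns (added, removed, changed, verdicts)."""
    with tempfile.TemporaryDirectory() as d:
        def write(rel, data):
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        write("agent.dll", fake_pe(signed=True))
        write("helper.dll", fake_pe(signed=True))
        before = baseline(d)
        write("helper.dll", fake_pe(signed=False))   # changed "on the fly", and unsigned
        write("new.dll", fake_pe(signed=True))
        added, removed, changed = diff_baselines(before, baseline(d))
        verdicts = {}
        for rel in added + changed:
            with open(os.path.join(d, rel), "rb") as f:
                verdicts[rel] = "signature blob present" if has_authenticode_blob(f.read()) else "UNSIGNED"
        return added, removed, changed, verdicts


if __name__ == "__main__":
    print(demo())
```

The baseline gives you Tipton’s missing piece, knowing that a DLL changed at all; the header check then separates files a vendor could have signed from files nobody vouches for, which is the set to block until the vendor explains them.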

Moving on

People are often understandably reluctant to talk about their experiences with ransomware, so we applaud Tipton for being open and transparent, and giving us all the opportunity to benefit from his experience.

All of Tipton’s goals seem to be focused on giving Technology Specialists more visibility into, and control over, how it supports its clients. And perhaps that’s the right mindset—Tipton shared with Shoer that his business lost very few clients after the attack, and of the clients he did lose, seemingly all of them misplaced blame on the MSP itself.

“There are a few that don’t get it, won’t ever get it, will never understand, and say it’s all our fault,” Tipton said. “I can’t change their minds, so I’ll just shake their hands, part as friends, and go on with life.”

Ransomware podcasts

Ransomware recovery is an important subject that benefits enormously from the real-world perspective and experience of those who have been through it. Several recent episodes of Malwarebytes Labs’ Lock and Code podcast have dealt with different aspects of recovering from ransomware.

Racing against a real-life ransomware attack

At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against Northshore School District in Washington state. Early the next morning, Northshore systems administrator Ski Kacoroski arrived on scene. Kacoroski explains what happened next, and what Northshore did to recover from the attack and prevent it from happening again.

🎧 Listen to Racing against a real-life ransomware attack

“Seven or eight” zero-days: The failed race to fix Kaseya VSA

The Dutch Institute for Vulnerability Disclosure (DIVD) discovered “seven or eight” zero-days in Kaseya VSA before the REvil ransomware group did. DIVD chair Victor Gevers explains why that wasn’t enough to stop the biggest ransomware attack in history, and reveals that Kaseya VSA’s vulnerabilities represent just one data point in a far larger and more worrying trend.

🎧 Listen to “Seven or eight” zero-days: The failed race to fix Kaseya VSA

Why backups aren’t a “silver bullet” against ransomware

Any cybersecurity expert will tell you that the last line of defense against ransomware is backups. But if they’re so important, why are we still so bad at getting them right? Host David Ruiz speaks with VMware’s Matt Crape about why making good backups is so hard, and what missteps you should watch out for.


The post 3 security lessons from an MSP that survived the Kaseya VSA attack appeared first on Malwarebytes Labs.

What are computer cookies?

We all know cookies as tasty baked treats that we love to eat, but computer cookies are quite different. Although they’re most popularly known as just “cookies”, they may be referred to as browser cookies, Internet cookies, HTTP cookies, web cookies, computer cookies, or digital cookies.

What are cookies?

Cookies are pieces of information that a website can save in your browser. Websites can ask your browser to save cookies whenever the browser asks it for a page, picture, download, or any other piece of information. Until the cookie expires, the browser will keep it, and send it back to the website whenever it requests anything else.

The language web browsers and websites use to talk to each other is “stateless”, meaning that every message is totally independent and isolated from every other message. It’s like having a conversation with somebody who instantly forgets who you are after every sentence.

One of the most common uses for cookies is to provide a link between messages, so that a website can remember who you are, and tell that your messages are coming from the same individual.

To do this, a website sends a web browser a cookie with a unique ID the first time they communicate, and the web browser repeats the unique ID back to the website every time it sends a message.

In the language of the web, cookies allow us to link sentences into conversations.

Without this functionality we would not be able to log in to any websites, keep wish lists, see recommendations, use web-based video or instant messaging, or do most of the other things we rely on websites for.

Importantly, websites can read their own cookies, but can’t read cookies saved by other websites. However, there is a loophole that has led to most of the problems we have come to associate with cookies: third-party cookies.

Tracking with third-party cookies

Many people associate cookies with the cross-site tracking used by advertising companies. Advertisers like Google and Facebook can track users as they travel around the web from site to site, building up profiles of the kinds of sites they like to visit, and showing them targeted advertising.

Tracking somebody across multiple sites like this relies on third-party cookies.

Although a website can only read cookies that it has created, individual web pages can be assembled from components hosted by multiple websites. Sometimes those components are visible, like images, and sometimes they are just bits of code you can’t see.

If a website you visit includes a component pulled from another website (a third-party), that third-party website can send and receive cookies along with the component. If you visit a different website that includes the same third-party component, the third-party can read its cookies on both sites.

This is how Facebook uses its Like buttons, and Google uses its advertising code, to track you across the web. They can tell whenever you visit a site that includes one of their components because they can read their own cookies.

Importantly, the tracking stops if you block or delete those cookies.

Session cookies, persistent cookies, and “super cookies”

Just like edible cookies, digital cookies come in different flavors. Cookies that expire whenever you close your browser are called session cookies. These are used for temporary things, like telling a website that you have logged in successfully. If a website uses session cookies for its logins then you will be logged out when you close your browser, and you will have to log in again when you next visit.

Cookies that aren’t deleted when you close your browser are called persistent cookies. Persistent cookies last until you delete them, or until they expire. These are useful for things like remembering your username, so it can be pre-filled when you visit a website you have logged out of.

For all practical purposes, persistent cookies can last forever. (On 32-bit systems cookies can’t live past 2038, but we assume you’ll be using a different device by then.)
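The three mechanics described above (a session ID linking stateless requests, a third-party component seeing its own cookie across unrelated sites, and session versus persistent cookies) run as follows in an added example using only the Python standard library; it is not code from the article. The hostnames news.example, shop.example and ads.example and the cookie values are made up. urllib’s “unverifiable” request flag is used here to mark a request the browser makes for an embedded component (an image or script) rather than for the page the user navigated to, which is what makes a cookie “third-party”; switching on `strict_ns_unverifiable` in the cookie policy models a browser that blocks such cookies by default.

```python
"""Model per-site cookie scoping, cross-site tracking via an embedded
component, and a block-third-party-cookies policy. Added example."""
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class _Response:
    """Stand-in for an HTTP response: CookieJar only calls .info() and expects
    an object with get_all(), which email.message.Message provides."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def embedded(url, top_site):
    """A request for a component embedded in a page served by top_site."""
    return Request(url, origin_req_host=top_site, unverifiable=True)


def receive(jar, request, set_cookie_headers):
    """The browser receives a response to `request` carrying Set-Cookie headers
    and stores the cookies under the responding site's name (if policy allows)."""
    jar.extract_cookies(_Response(set_cookie_headers), request)


def cookies_sent_to(jar, request):
    """The Cookie header the browser would attach to `request` ('' if none)."""
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def cookie_kinds(jar):
    """'session' cookies vanish when the browser closes; 'persistent' ones have an expiry."""
    return {c.name: ("session" if c.discard else "persistent") for c in jar}


def demo(block_third_party=False):
    jar = CookieJar(DefaultCookiePolicy(strict_ns_unverifiable=block_third_party))
    # The user logs in at news.example: the response sets a session cookie whose
    # ID lets the stateless server link this visitor's later requests together.
    receive(jar, Request("https://news.example/login"), ["sid=9f3a1c; Path=/; HttpOnly"])
    # news.example embeds an ad pixel from ads.example, which sets a persistent
    # (one-year) tracking cookie under its own name.
    receive(jar, embedded("https://ads.example/pixel.gif", top_site="news.example"),
            ["trk=u-4471; Path=/; Max-Age=31536000"])
    return {
        # Only news.example's own cookie goes back to news.example.
        "to_news": cookies_sent_to(jar, Request("https://news.example/article/1")),
        # shop.example never set a cookie and cannot read anyone else's...
        "to_shop": cookies_sent_to(jar, Request("https://shop.example/cart")),
        # ...but it embeds the same pixel, so ads.example receives trk again and
        # learns the same person visited both sites (unless third-party blocked).
        "to_ads_from_shop": cookies_sent_to(
            jar, embedded("https://ads.example/pixel.gif", top_site="shop.example")),
        "kinds": cookie_kinds(jar),
    }


if __name__ == "__main__":
    print("default policy:     ", demo())
    print("third-party blocked:", demo(block_third_party=True))
```

With the default policy the ad network’s cookie comes back from both sites, which is the tracking described above; with third-party cookies blocked the pixel’s Set-Cookie is simply never stored, so the second site yields nothing to link.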

Because third-party tracking can be defeated by users deleting their cookies, some unscrupulous advertisers have turned to other things that can offer cookie-like persistence, such as ETags or browser fingerprints. Technologies that act like cookies, but aren’t affected by blocking or deleting regular cookies, are unofficially referred to as super-cookies.

So, are cookies bad?

No. Cookies are essential to the operation of the web as we know it and used for many useful, helpful things. However, cookies can also be used for things some people don’t like, such as third-party tracking, and adverts that seem to follow you around the web.

Luckily, cookies are easy to control. All browsers let you delete cookies, and there are numerous browser add-ons that can be used to block cookies, or control what cookies you will and won’t allow.

In response to increased sensitivity about cross-site tracking, some browsers, including Firefox, Safari, and Brave, now block third-party cookies by default. Google is working on an alternative, more privacy-conscious tracking technology called FLoC, and plans to block third-party cookies in 2023.

Cookie consent

In the European Union (EU), websites have to ask for your consent before they can set cookies that aren’t strictly necessary for the service you asked for, which has led to web users seeing a profusion of cookie popups. Some people argue that this has led to “cookie fatigue”, and that privacy has not improved.

What happens if you decline to accept cookies varies from site to site, and can range from the site working perfectly to the site not working at all.

Will a VPN stop tracking cookies?

No. A Virtual Private Network (VPN) guards your privacy by masking your IP address and your location, and by passing your traffic through an encrypted tunnel that protects it from rogue WiFi hotspots, or ISPs that want to sell advertisers information about your browsing habits.

To block or rewrite cookies, a VPN would have to look at your web traffic as it passed through its servers. VPNs can’t read encrypted communication, like HTTPS, so cookie blocking would be impossible for most web traffic.

Even if it were possible, it would probably cause some websites to malfunction. And if that could be overcome, privacy-loving VPN users would probably rather their VPN provider stayed out of their traffic anyway.

The post What are computer cookies? appeared first on Malwarebytes Labs.

What is the Dark Web? The Dark Web explained

You may have seen the Dark Web referenced in popular TV shows and have gotten the wrong idea, or if you already knew about it, you may have snorted in derision. The Dark Web is also sometimes called the Deep Web, when in fact the Dark Web is only a part of the Deep Web.

Terminology

  • Surface Web is what we would call the regular World Wide Web that is indexed and where websites are easy to find.
  • The Deep Web is the unindexed part of the Web: anything a search engine can’t find, such as pages behind logins or paywalls.
  • The Dark Web is intentionally hidden, anonymous, and widely known for illicit activities.

Maybe it’s a good idea to clear up some of the misconceptions about the Dark Web for those that are not in the know. That should tell you a lot about what it really is.

The Dark Web is a separate part of the World Wide Web

Well, it’s not so much separate as harder to find: Dark Web sites are part of the unindexed Deep Web. In fact the indexed part of the Web, the part that search engine robots can find, is only a small fraction of the whole. It is hard to tell how big the Dark Web is since, again, it is unindexed. Estimates say that only about 5% of the Web is easily accessible and searchable by the general public. Many other sites can only be visited if you have a direct URL.

Only criminals use the Dark Web

Even though most of the traffic on the Dark Web is used up by criminal activities, such as—

  • Drug trafficking
  • Selling weapons to countries where they are forbidden or selling types of weapons that are prohibited
  • Child (and other illegal) porn
  • Malware (as a Service), think of this as programmers selling their malware for a fee or part of the profit
  • Sites where victims can pay the ransom for some ransomware they have been hit with
  • Buying and selling stolen data
  • Fraud related services
  • Fake IDs
  • Leak sites where ransomware gangs publish exfiltrated data if the victim refuses to pay

—there are also groups of users that need the Dark Web for reasons that are only considered illegal in a few places, such as:

  • Journalists working in “difficult” countries
  • People resisting a totalitarian regime
  • Whistleblowers
  • Places where crimes can be reported anonymously
  • Bitcoin services
  • Forums on various subjects that do not wish to be public

As you can see there are some grey areas, depending on where you stand in a certain situation.

You need a special browser to access the Dark Web

There are several methods of restricting access to many of the resources on the Dark Web, and you can certainly expect to have to log in when you arrive at the site you want to access. But in most cases, you will also need to be using some kind of service like a VPN, a proxy, or an anonymizing network.

Tor Browser

For sites with a .onion domain, you will need Tor Browser to access them. It protects your privacy and anonymity by routing your traffic through several Tor relays and encrypting it in layers (hence the onion), so that no single relay sees both who you are and which site you are visiting. If you are a Firefox user you may notice a strong resemblance: Tor Browser is built on Firefox ESR, so the browser itself is not that special. It’s the way it connects that is different. You can also use Tor on the surface Web, which people often do for privacy reasons.


Surfing the Dark Web is dangerous

If you take the necessary precautions, surfing the Dark Web will not get you hurt, robbed or mugged. But, as on the surface Web, you have to be vigilant and protected. Keep in mind, for example, that torrent clients often bypass your proxy settings and might therefore expose your real IP address and location. And, needless to say, when you’re actively dealing with criminals you can expect to be deceived and even robbed. So, stay away from those guys.

But as we recently learned, even the bad guys are not always safe on the Dark Web. People do get careless after a while and in these cases, it got the bad guys busted. Keep that in mind if you make it a habit to visit the darker corners of the Web. Curiosity killed many a cat.

The post What is the Dark Web? The Dark Web explained appeared first on Malwarebytes Labs.

Patch now! PrintNightmare over, MSHTML fixed, a new horror appears … OMIGOD

The September 2021 Patch Tuesday could be remembered as the final patching attempt in the PrintNightmare saga. The ease with which the vulnerabilities shrugged off the August patches doesn’t look like it will get a rerun: so far we haven’t seen any indications that this patch is as easy to circumvent.

The total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are “old friends”. There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.

Azure was the subject of five CVEs, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers at Wiz, who grouped them together under the nickname OMIGOD.

PrintNightmare

PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.

The problem was made worse by significant confusion about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.

This month, Microsoft patched the remaining Print Spooler vulnerabilities under CVE-2021-36958. Fingers crossed.

MSHTML

This zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only found last week, but has attracted significant attention. It was listed as CVE-2021-40444, a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML.

Threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddie and wannabe hacker was able to follow step-by-step instructions to launch their own attacks. Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy for attackers to work around.

Given the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.

DNS elevation of privilege vulnerability

This vulnerability was listed as CVE-2021-36968 and affects systems running Windows 7 SP1, Windows Server 2008 SP2 and Windows Server 2008 R2 SP1. It exists because Windows DNS does not properly impose security restrictions. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.

Microsoft says that exploitation is “less likely”, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met this bug can be used to accomplish elevation of privilege (EoP).

OMIGOD

OMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. The CVEs are:

The researchers that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:

Wiz’s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.

OMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It’s likely that many users aren’t even aware they have it running.

The RCE vulnerability (CVE-2021-38647) can be exploited remotely in configurations where the OMI ports are exposed to the Internet to allow remote management. Locally, any user can talk to the service over a UNIX socket or via its HTTP API, and either path can be abused to execute code as root or escalate privileges.

A coding mistake means that any incoming request to the service without an authorization header has its privileges default to uid=0, gid=0, which is root.

OMIGOD, right?
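The mistake described above, a request with no Authorization header being treated as root, shown as an added example beside the fail-closed version. This is illustrative code written for this page, not OMI’s source: the credential table, the `/wsman` path and the port in the Host header are assumptions, and the two requests are constructed rather than captured.

```python
"""Added example, not OMI's code: the authorization-defaulting mistake the
article describes, as a minimal request handler beside a hardened one.
The credential table, the /wsman path and port 5986 are assumptions made
for the demonstration; the requests are constructed, not captured."""
import base64
import hmac

# Constructed credential table: HTTP Basic username -> (password, uid, gid).
USERS = {"omiuser": ("s3cret", 1001, 1001)}
ROOT = (0, 0)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def basic_credentials(headers):
    """Return (user, password) from an HTTP Basic Authorization header,
    or None when the header is absent, malformed or uses another scheme."""
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def resolve_identity_vulnerable(headers):
    """The buggy pattern: a request with no Authorization header is treated
    as already trusted and runs as uid=0, gid=0."""
    creds = basic_credentials(headers)
    if creds is None:
        return ROOT  # the mistake: absence of credentials becomes root
    user, password = creds
    entry = USERS.get(user)
    if entry is None or entry[0] != password:
        return None
    return entry[1], entry[2]


def resolve_identity_hardened(headers):
    """Fail closed: missing or bad credentials yield no identity at all,
    and nothing maps to root by default."""
    creds = basic_credentials(headers)
    if creds is None:
        return None
    user, password = creds
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return entry[1], entry[2]


def handle(raw, resolver):
    """Return (HTTP status, identity the request body would be processed as)."""
    _method, _path, headers, _body = parse_request(raw)
    identity = resolver(headers)
    if identity is None:
        return 401, None
    return 200, identity


# Constructed requests against the assumed management endpoint.
UNAUTHENTICATED = (
    "POST /wsman HTTP/1.1\r\n"
    "Host: 10.0.0.5:5986\r\n"
    "Content-Type: application/soap+xml;charset=UTF-8\r\n"
    "\r\n"
    "<s:Envelope/>"
)
AUTHENTICATED = (
    "POST /wsman HTTP/1.1\r\n"
    "Host: 10.0.0.5:5986\r\n"
    "Authorization: Basic " + base64.b64encode(b"omiuser:s3cret").decode() + "\r\n"
    "\r\n"
    "<s:Envelope/>"
)

if __name__ == "__main__":
    for name, resolver in (("vulnerable", resolve_identity_vulnerable),
                           ("hardened", resolve_identity_hardened)):
        print(name, "no header ->", handle(UNAUTHENTICATED, resolver))
        print(name, "valid creds ->", handle(AUTHENTICATED, resolver))
```

The difference between the two resolvers is a single branch: the vulnerable one has a code path from "no credentials" to a privileged identity, the hardened one has no path to any identity that does not go through a successful credential check.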

The researchers report that the flaw can only be used to remotely take over a target when OMI exposes the HTTPS management port externally. This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.

They advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:

  • For Debian systems (e.g., Ubuntu): dpkg -l omi
  • For Red Hat-based systems (e.g., Fedora, CentOS, RHEL): rpm -qa omi

If OMI isn’t installed, the commands report no matching package, and your machine isn’t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.
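The check above, as an added example that turns the output of those two commands into a vulnerable/not-vulnerable answer across a fleet. This is not from the article or from Microsoft; the sample outputs are constructed, not captured from a real host, and note that RPM names the same release `omi-1.6.8-1` (version 1.6.8, release 1) where dpkg shows `1.6.8.1`.

```python
"""Added example, not from the article: decide from `dpkg -l omi` or
`rpm -qa omi` output whether the installed OMI is older than the fixed
release 1.6.8.1. The sample outputs below are constructed, not captured."""
import re
import subprocess

FIXED = (1, 6, 8, 1)


def parse_version(text):
    """Turn '1.6.8.1', '1.6.8-1' or 'omi-1.6.8-1.x86_64' into a tuple of ints.
    RPM splits the same release into version '1.6.8' and release '1'."""
    match = re.search(r"(\d+(?:[.-]\d+)+)", text)
    if not match:
        return None
    return tuple(int(part) for part in re.split(r"[.-]", match.group(1)))


def installed_omi_version(listing):
    """Extract OMI's version from a `dpkg -l omi` or `rpm -qa omi` listing.

    Returns None when the package is absent: dpkg prints a 'no packages
    found' message and rpm -qa prints nothing. A dpkg status other than
    'ii' (e.g. 'rc', removed but config left behind) also counts as absent.
    """
    for line in listing.splitlines():
        fields = line.split()
        # dpkg: status, name, version, architecture, description...
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] == "omi":
            return parse_version(fields[2])
        # rpm -qa: one name-version-release.arch string per line
        if len(fields) == 1 and fields[0].startswith("omi-"):
            return parse_version(fields[0])
    return None


def vulnerable(listing):
    """True when OMI is installed and older than the fixed release."""
    version = installed_omi_version(listing)
    return version is not None and version < FIXED


def check_local_host():
    """Run the article's commands on this machine and classify the result.
    Returns False when OMI is absent or neither package manager exists."""
    for cmd in (["dpkg", "-l", "omi"], ["rpm", "-qa", "omi"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        except FileNotFoundError:
            continue
        if installed_omi_version(out) is not None:
            return vulnerable(out)
    return False


# Constructed sample outputs (not captured from real machines).
DPKG_OLD = """Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name  Version  Architecture Description
+++-=====-========-============-=============================
ii  omi   1.6.4.1  amd64        Open Management Infrastructure
"""
RPM_FIXED = "omi-1.6.8-1.x86_64\n"

if __name__ == "__main__":
    print("constructed Debian host vulnerable:", vulnerable(DPKG_OLD))
    print("constructed RHEL host vulnerable:", vulnerable(RPM_FIXED))
    print("this host vulnerable:", check_local_host())
```

Feed `installed_omi_version()` the captured stdout from a remote-command tool if you are sweeping many VMs; the comparison is a plain tuple comparison, so `1.6.4.1` sorts below `1.6.8.1` as expected.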

The post Patch now! PrintNightmare over, MSHTML fixed, a new horror appears … OMIGOD appeared first on Malwarebytes Labs.

What are SSL certificates?

Secure Sockets Layer (SSL) certificates are what cause your browser to display a padlock icon, indicating that your connection to a website is secure. Although the padlock may soon be hidden from view, certificates aren’t going anywhere.

Let’s start with some definitions and explain some of the terminology.

On a strictly technical level, SSL was actually superseded by Transport Layer Security (TLS) many years ago, but the name has stuck around. So, in this article we’ll use SSL to refer to the entire SSL/TLS family of protocols.

SSL is a security technology for establishing an encrypted link between a server and a client, such as a website and a browser, or a pair of email servers. An SSL certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection.

What is the purpose of SSL certificates?

SSL certificates serve two important purposes:

  • Authentication. It authenticates the identity of the computer you are talking to.
  • Privacy. It ensures that a connection between two computers is encrypted.

On the web, SSL makes a connection to a website more trustworthy: You are talking to the website identified in the certificate, and nobody is listening in or tampering with the communication between you. This is particularly important when you are exchanging private information like credit card details or passwords.

It does not make the website more trustworthy though, only the communication between it and you. Not every website that has an SSL certificate can be trusted. Evil websites, like phishing sites, can have SSL certificates and you can establish safe, trustworthy connections to evil sites using SSL!

Despite lots of (now outdated) advice, SSL certificates and padlocks should not be used as an indicator that a website is “safe”. Equally, if a website does not have a certificate, that does not mean it cannot be trusted.

How do SSL certificates work?

SSL encryption is possible because of the public-private key pair that an SSL certificate is built around. The certificate carries the server’s public key, which is not secret and anyone can see, so it doesn’t matter if it’s intercepted; the matching private key never leaves the server. During the handshake the server proves that it holds the private key (by signing handshake data or, in the older RSA key exchange, by being the only party able to decrypt a secret the browser encrypted with the public key), and the two sides derive a fresh symmetric session key that encrypts the actual traffic. Modern TLS uses ephemeral Diffie-Hellman for that last step, so a later theft of the private key does not expose recorded sessions.

Depending on the type of certificate it also provides a visitor with information about the holder of the certificate:

  • The domain name the certificate is valid for
  • Information about the holder of the certificate
  • Which certificate authority issued the certificate
  • Issue and expiration date of the certificate
  • The public key needed for the encryption

malwarebytes.com SSL certificate

SSL certificates are generally divided into three types:

  • Domain Validated (DV) Certificates. DV certificates assert a link between a certificate and a domain. Projects like Let’s Encrypt, which provides free certificates and automates the process of creating and installing them, rely on domain validation.
  • Organization Validated (OV) Certificates. OV certificates assert a link between a certificate and an organization. The body issuing the certificate must validate the legal and physical existence of the organization.
  • Extended Validation (EV) Certificates. EV certificates assert a link between a certificate and an organization using a more thorough vetting process than OV certificates.
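The checks a browser makes before it shows the padlock, run against the kind of data listed above, as an added example that is not part of the original article. The two certificates and the trust store are constructed in the shape Python’s `ssl.SSLSocket.getpeercert()` returns, not real certificates; the example shows both that a DV certificate for a look-alike phishing domain passes every check, and why "padlock" does not mean "trustworthy site".

```python
"""Added example, not part of the original article: the checks a browser
makes before showing the padlock, run against constructed certificate data
in the shape Python's ssl.SSLSocket.getpeercert() returns. It shows that a
phishing domain with a valid DV certificate passes every one of them."""
import ssl
import time

# Constructed trust store: issuer CNs the client accepts. Browsers ship hundreds.
TRUSTED_ISSUERS = {"R3", "DigiCert TLS RSA SHA256 2020 CA1"}

NOW = 1_631_664_000  # 2021-09-15 00:00:00 UTC, fixed so the example is repeatable


def _name_attr(name, key):
    """Look up one attribute (e.g. commonName) in a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _dns_names(cert):
    """Names the certificate is valid for: SAN dNSName entries, falling back
    to the subject CN only when there is no SAN at all (RFC 6125)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    cn = _name_attr(cert["subject"], "commonName")
    return [cn] if cn else []


def hostname_matches(pattern, hostname):
    """RFC 6125 matching: case-insensitive, and a wildcard may only replace
    the whole leftmost label ('*.example.com' matches 'www.example.com',
    not 'example.com' or 'a.b.example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, rest = hostname.partition(".")
    return bool(sep) and bool(head) and "*" not in head and "." + rest == pattern[1:]


def validation_level(cert):
    """DV certificates carry only a domain in the subject; OV and EV add the
    organization. Telling EV from OV needs the policy OID, which
    getpeercert() does not expose, so both report as "OV" here."""
    return "OV" if _name_attr(cert["subject"], "organizationName") else "DV"


def verify(cert, hostname, now=None):
    """Return the list of failed checks; an empty list means the padlock shows."""
    now = time.time() if now is None else now
    problems = []
    if _name_attr(cert["issuer"], "commonName") not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("outside validity period")
    if not any(hostname_matches(n, hostname) for n in _dns_names(cert)):
        problems.append("hostname mismatch")
    return problems


# Constructed certificates (not real), in getpeercert() layout.
BANK = {  # OV certificate: the issuer checked the organization exists
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank Inc"),),
                (("commonName", "www.example-bank.com"),)),
    "issuer": ((("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert TLS RSA SHA256 2020 CA1"),)),
    "notBefore": "Mar  1 00:00:00 2021 GMT",
    "notAfter": "Mar  1 23:59:59 2022 GMT",
    "subjectAltName": (("DNS", "www.example-bank.com"), ("DNS", "example-bank.com")),
}
PHISH = {  # DV certificate: only control of the look-alike domain was checked
    "subject": ((("commonName", "example-bank-login.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Sep 10 00:00:00 2021 GMT",
    "notAfter": "Dec  9 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "example-bank-login.com"), ("DNS", "*.example-bank-login.com")),
}

if __name__ == "__main__":
    for cert, host in ((BANK, "www.example-bank.com"), (PHISH, "login.example-bank-login.com")):
        print(host, validation_level(cert), verify(cert, host, NOW) or "padlock shown")
```

Nothing in `verify()` looks at who the organisation is, only whether the name in the URL bar matches the name the CA vouched for; that is exactly the gap phishing sites exploit, and it is why the article says the padlock is not a safety indicator.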

Where do you get SSL certificates?

SSL certificates are issued by a Certificate Authority (CA). Most browsers will accept certificates issued by hundreds of different CAs.

If you are looking for a certificate for your website, one option is to contact your hosting provider. They will usually be able to point you in the right direction, and will probably be able to provide one; tell them which type of certificate (DV, OV or EV) you need, since that determines what they can offer and what you will have to prove. Alternatively, you can automate certificate creation and installation using a service like Let’s Encrypt.

Is an SSL certificate necessary for a website?

The majority of the web is now encrypted, making sites without SSL the exception. SSL protects private data in transit, such as credit card details. Even when it isn’t protecting sensitive data, it stops attacks that might redirect you to fake websites, and prevents criminals injecting ads or malware into your traffic.

If that isn’t enough for you, there are other reasons to use SSL too.

Aside from securing your traffic, having an SSL certificate also helps your website’s search engine rankings. The current Google algorithm rewards sites with SSL by giving them higher rankings (or, better put, it punishes sites that do not use SSL).

SSL also makes a site look more professional and secure. Depending on the visitor’s browser, sites without an SSL certificate may trigger a warning that the site is not secure.

An increasing number of browser features require SSL to work. Features like getting a user’s location, accessing their microphone, or storing data locally on their device, all require that your website supports HTTPS, which relies on SSL. Which makes sense, because you are providing sensitive information to such sites. It poses a security risk if those features could be tampered with by a person-in-the-middle, or other network interference or impersonation.

The post What are SSL certificates? appeared first on Malwarebytes Labs.

Update now! Google Chrome fixes two in-the-wild zero-days

Google announced on Monday that it will be issuing patches for 11 high severity vulnerabilities found in Chrome, including two that are currently being exploited in the wild. The patch, which is part of the Stable Channel Update for Chrome 93 (93.0.4577.82), will be released for Windows, Mac, and Linux (if it hasn’t already). Chrome users are expected to see the roll out in the coming days and weeks.

Readers should note that other popular browsers such as Brave and Edge are also Chromium-based and therefore likely to be vulnerable to these flaws too. Keep an eye out for updates.

You can check what version of Chrome you are running by opening About Google Chrome from the main menu.

The About Google Chrome screen tells you what version you are running and whether it is up to date

The vulnerabilities

The fixes address high severity vulnerabilities reported to Google by independent researchers from as early as August of this year. The company has included the names of the researchers who found the flaws in its announcement.

The two vulnerabilities that are being actively exploited, CVE-2021-30632 and CVE-2021-30633, were submitted anonymously. The former is an “Out of bounds write” flaw in the V8 JavaScript engine and the latter is a “Use after free” bug in the IndexedDB API.

Because threat actors are currently exploiting the two aforementioned vulnerabilities, Google provides little to no information on how the attacks are being carried out, or what precautionary measures users should take. Per Google:

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

V8, the thorn in Chrome’s side?

Nobody will be surprised to see that one of the in-the-wild exploits affects Chrome’s V8 engine.

At the heart of every modern web browser sits a JavaScript engine, a component that does much of the heavy lifting for interactive web apps. In Chrome, that engine is V8. These components need to accommodate frequent updates and adhere to a bewildering array of web standards, while also being both fast and secure.

Chrome’s V8 JavaScript engine has been a significant source of security problems. So significant, in fact, that in August Microsoft, whose Edge browser is based on Chromium, announced an experimental project called Super Duper Secure Mode that aims to tackle the rash of V8 problems by simply turning an important part of it off.

A little under half of the CVEs issued for V8 relate to its Just-in-Time (JIT) compiler, and more than half of all ‘in-the-wild’ Chrome exploits abuse JIT bugs. Just-in-time compilation is an important performance feature and turning it off is a direct trade of speed for security. How much? According our quick-and-dirty testing, turning off the JIT compiler makes JavaScript execution twice as slow in Edge.

11 zero-days and counting

To date, the Google Chrome team has patched 11 zero-day vulnerabilities in 2021. Previous patches are from the following vulnerabilities, some of which we have covered here in the Malwarebytes Labs blog:

With so much bad PR, you might expect Chrome’s market share to suffer; yet, it remains by far the most popular browser. Users—and the Google Chrome brand—seem unaffected.

Make sure you update your Chrome or Chromium-based browser once you see the patch available, or better still, make sure your browser is set to update itself.

Stay safe!

The post Update now! Google Chrome fixes two in-the-wild zero-days appeared first on Malwarebytes Labs.