IT NEWS

Sometimes the ways in which malicious code gets in the hands of cybercriminals is frustrating for those in the industry, and incomprehensible to those on the outside.

A quick summary of the events in the history of this exploit:

• A researcher found a flaw in Windows Installer that would allow an attacker to delete targeted files on an affected system with elevated privileges.
• Microsoft patched the vulnerability in November’s Patch Tuesday update.
• The researcher found a way to circumvent the patch and this time decided not to engage in responsible disclosure because he got frustrated with Microsoft’s bug bounty program.
• The researcher’s PoC is being tested in the wild and cybercriminals could be preparing the first real attacks exploiting this vulnerability.

Let’s have a look at what is going on and how it came to this.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability in question was listed as CVE-2021-41379 and is a local Windows Installer Elevation of Privilege (EoP) vulnerability. If successfully exploited, the bypass could give attackers SYSTEM privileges on up-to-date devices running the latest Windows releases, including Windows 10, Windows 11, and Windows Server 2022.

By exploiting this zero-day, threat actors that already have limited access to compromised systems can elevate their privileges and use these privileges to spread laterally within a target network.

The patch

Microsoft patched the vulnerability in the November Patch Tuesday updates. But according to the researcher, the bug was not fixed correctly. He discovered a new variant during the analysis of the CVE-2021-41379 patch.

With the new variant, an attacker will be able to run programs with a higher privilege than they are entitled to. To be clear, an attacker using the new variant must already have access and the ability to run code on a target victim’s machine, but now they can run the code with SYSTEM privileges thanks to the exploit.

The frustration

The researcher appears to have been so disappointed in Microsoft after he responsibly disclosed the vulnerability by means of the Trend Micro zero-day initiative, that he decided to skip that path altogether when he found the new method to bypass the patch. The researcher published a new version of the proof of concept (PoC) exploit, which is even more powerful than the original exploit.

Apparently the main reason for his frustration was the reward level.

““Microsoft’s rewards have been very bad since April 2020; the community wouldn’t make these kinds of decisions if Microsoft took its rewards seriously.”

In the wild

Several security vendors have noticed malware samples in the wild that are attempting to take advantage of this vulnerability. A quick search on VirusTotal showed dozens of different files that tried to do this. This may be some threat actors testing the exploit code to turn it into something they can use in their attacks, along with some researchers trying out different ways to use and stop the exploit. It is worrying nonetheless to see once again how quick attackers are able to weaponize publicly available exploit code.

Mitigation

The researcher recommends users wait for Microsoft to release a security patch, due to the complexity of this vulnerability, although he doesn’t seem confident that Microsoft will get it right this time.

“Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again.”

Microsoft says it is working on it. In the meantime, Malwarebytes Premium and business users are protected, because our programs detect the files using this vulnerability as Exploit.Agent.

Stay safe, everyone!

The post Windows Installer vulnerability becomes actively exploited zero-day appeared first on Malwarebytes Labs.

Gamers are a hot target for scammers, especially in the run up to Christmas. Major games are released throughout the last few months of any year, and the FOMO (fear of missing out) is strong. Especially if said titles offer pre-order exclusive bonuses, or deals and discounts for a few weeks after the game launches.

There’s a lot of big titles hitting digital storefronts at the moment. In the last few weeks alone we’ve seen the release of:

• Skyrim Anniversary Edition
• Forza Horizon 5
• Jurassic World Evolution 2
• Halo Infinite (portions of it, with more to come)
• Myth of Empires
• Battlefield 2042

Add other upcoming titles and older ones updated for the festive season into the mix, and it’s fertile ground for people up to no good.

Bogus YouTube videos promise much, deliver little

We’ve seen a lot of activity on YouTube in the last 24 hours in relation to dubious videos. They ride on the coat tails of common searches for “free” versions of popular titles like Skyrim, CSGO, PUBG, Cyberpunk, and more. Other videos focus on Call of Duty, GTAV, Fallout 4, and DayZ.

In all cases, “free Steam keys” are the name of the fake out game. No matter which of the many accounts post up these videos, they all typically link to the same download hosting site.

When free games lead to Malware

The file offered up for download is SteamKeyGeneration.rar, weighing in at 4.19MB. YouTube pages containing the link offer the following instructions:

“Download the ExLoader, open the RAR file, open the EXE file”

The .RAR is password protected, with the password being supplied in the YouTube description. Once the executable runs on the target system, it’s infected by the owner’s own hand.

We detect the file as Trojan.Malpack. This is a generic name given to files which have been packed suspiciously. The actual payload can be anything at all, but this form of packing files is not typically used for legitimate purposes. We’ve seen similar attacks like this previously. In 2018, Fortnite gamers were targeted by scammers pushing Trojan.Malpack files as Fortnite freebies. If the files were downloaded and run on the target system, the reward for doing so was data theft.

Part of a bigger campaign, or a standalone?

YouTube has definitely had some trouble along these lines recently. Researchers at Cluster25 spotted similar activity, targeting a multitude of interests including how-to guides, cryptocurrency, VPN software, and more. In those cases, activity seems to be primarily geared towards two infection paths.

Videos with bit(dot)ly links send victims to download sites such as Mega. Unshortened links redirect to taplink(dot)cc to push Racoon Stealer. Target machines are scanned for card details, passwords, cryptocurrency wallets and other forms of data. This is all harvested and sent on to the attacker.

There are similarities, despite the final destination links being different to those mentioned – such as the password requirement, the similarities in scam setup. Of course, this isn’t a particularly new or novel tactic for YouTube attacks. Including a link to an off-site compressed file on free file hosting, and disabling comments so nobody can point out they’ve had things stolen is video portal shenanigans 101.

You also tend to see one major campaign hit and enjoy success, and then lots of smaller would-be scammers jump on the bandwagon and before long everybody is doing it.

Tips to avoid scams

Whether this is part of the same campaign, a spin-off, or is simply inspired by it, you should avoid any promise of free games deploying these techniques on YouTube. The warning signs are:

1. Too good to be true claims of Steam (or another platform) being “hacked”, with free games being the end result.
2. Brand new accounts with no other content than these videos. Much older accounts which have been dormant until now, or display a sudden shift in content produced. Were they making videos of their cats until last week and now they’re all about hacked Skyrim downloads? Beware.
3. Comments disabled. Anybody linking to off-site files and turning off the comments may not have your best interests at heart.

Getting your hands on a cool new game at a discount is always good news, but sometimes the hidden cost is just too high.

The post “Free Steam games” videos promise much, deliver malware appeared first on Malwarebytes Labs.

With the holiday season around the corner, and Black Friday at the end of the week, we thought it was a good time to look at the dangers that come with gift cards.

Gift cards can be a an easy win in cases where you don’t know the receiver well enough to decide on a fitting gift, or when their wishes are out of your price range. But there are a few things to consider before you hand over your cash.

1. Fake gift cards

You will almost always need to pay full value for legitimate gift cards, so gift cards being offered for significantly less than the face value should be treated with extreme caution. Of course, it could be that they are from people that have no use for the gift cards they received, but it’s hard to tell who and who isn’t genuine. If you see websites offering all kinds of discounts on gift cards, you can be assured that these will turn out to be fakes or they have been acquired in an illegal way and you could be acting as a fence.

2. Gift card generators

One step up on the “scale of scammery” from fake gift cards are gift card generators. There are quite a few websites that claim to provide gift card generators that you can use to generate the code for all kinds of gift cards. Some of the major brand names that are used include Amazon, Roblox, Google, Xbox, PS5.

If you download a gift card generator and you are lucky, it will inform you just before you try it that it does not generate valid gift card codes, but only random codes for “educational purposes.” That is, after you have filled out endless surveys, and maybe even after given up some of your personal information.

In the worst case scenario, you will end up downloading a piece of malware to your system. In one case, researchers found a file titled “Amazon Gift Tool.exe” that was being marketed on a publicly available file repository site as a free Amazon gift card generator. In reality, the malware watched a user’s clipboard to find text that matches the normal length of a certain type of cryptocurrency wallet address. If other criteria were met, to ensure that the victim was involved in a Bitcoin Cash transfer, the malware replaced the string on the clipboard with the attacker’s Bitcoin Cash wallet address. The attacker was hoping that the victim wouldn’t notice the overwritten crypto wallet address when pasting it during the crypto transaction, and that the transfer would go to that of the cybercriminal instead of the intended recipient.

It always helps to keep in mind that if something sounds too good to be true, it is probably not true at all. This definitely applies to a tool that would allow you to create gift cards for free. That’s pretty much like having a money press in your basement.

3. Scammers like your gift cards

There is one group of people that does have a taste for gift cards, and that is scammers. Whether they claim to be with the IRS, Microsoft, or your service provider, if someone asks you to pay for something by putting money on a gift card, like a Google Play or iTunes card, you can safely assume that they’re trying to scam you. No real business or government agency will ever insist you pay them with a gift card.

We have seen live examples of business email compromise (BEC) attempts that ask for gift cards, like the one below:

Business Email Compromise (BEC) is a catch all term for a spoofed email pretending to come from an authority figure, with the intent to use social engineering to reach an outcome, usually financial gain, by convincing you to do something that you normally wouldn’t.

Not forgetting those gift cards that go unspent…

According to a Juy 2021 survey by Bankrate, more than half of US adults (51%) currently have unused gift cards, vouchers, or store credits totaling roughly $15 billion in outstanding value. Additionally, 49% of US adults have lost gift card/voucher/store credit value at some point because they let at least one of these expire (29%), they lost at least one (27%), or they failed to use at least one before the business closed permanently (21%).

Basically what it boils down to, is you are paying full value for something that only gets used roughly half of the time.

Conclusion

As one of my friends in the US used to say:

“The best gift cards have a number and a president on them.”

Even though it may seem unpersonal to give money as a present, the chance that the receiver will get something that they need or like is so much bigger than with a gift card. Should you still want to buy a gift card, make sure to get them from a reliable source and check that the receiver will make good use of it.

Stay safe, everyone!

The post Please don’t buy this! 3 gift card scams to watch out for this Black Friday appeared first on Malwarebytes Labs.

Domain name registrar giant and hosting provider GoDaddy yesterday disclosed to the Securities and Exchange Commission (SEC) that it had suffered a security breach.

In the notice, it explained it had been compromised via an “unauthorized third-party access to our Managed WordPress hosting environment.” The unknown culprit behind the attack stole up to 1.2 million active and inactive customer data, including email addresses, original WordPress admin passwords, Secure File Transfer Protocol (sFTP) and database credentials, and SSL private keys.

The company said it has taken measures to secure accounts and the environment, such as resetting passwords and blocking the unauthorised third-party from accessing its system, and said it will be issuing new certificates for specific customers.

GoDaddy first detected suspicious activity in its Managed WordPress hosting environment on Wednesday last week. According to initial investigations, the intruder used a compromised password to access legacy code in GoDaddy’s environment to steal data. Investigations are ongoing.

“We are sincerely sorry for this incident and the concern it causes for our customers,” wrote Demetrius Comes, GoDaddy’s Chief Information Security Officer (CISO), “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

According to researchers from Defiant Inc, developers of Wordfence—a plugin for securing WordPress sites—GoDaddy has been handling sFTP in a way that doesn’t follow standard practices: “It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.”

GoDaddy customer? Here’s what to do

If you use GoDaddy’s hosting service and are unsure if your account might be one of those affected, do not leave this to chance. Act now before someone takes the opportunity to take over your account.

GoDaddy has provided a good list of steps to take to lock down an account that might be potentially compromised:

• Change your password and your PIN
• Enable two-factor authentication (2FA) if you haven’t already
• Change the payment methods you have stored in your account, and delete those you don’t use. It would also be good to keep an eye on your bank account transactions and be ready to flag those that are fraudulent.
• Remove delegate access for anyone you’ve allowed into your account
• Remove any unknown API keys by deleting them.
• Verify your domain contact information is correct to avoid someone taking it over
• Remotely log out of your GoDaddy account, which will sign you out of all devices and browsers.

Stay safe!

The post Millions of GoDaddy customer data compromised in breach appeared first on Malwarebytes Labs.

A few short weeks ago, Microsoft launched the very latest version of its desktop operating system (OS), Windows 11. In security terms, Windows 11 is very much Windows 10 with knobs on. Or what Spinal Tap’s Nigel Tufnel might describe as Windows 10 turned up to 11.

Unlike Tufnel’s description of his infamous “one louder” amps though, the Redmond software giant’s approach to security shows signs of intelligence at work. And its reassuringly sensible, evolutionary approach indicates that Microsoft thinks it is on the right track.

Its aim for Windows 11 is much the same as it was for Windows 10: To make changes that take entire classes of vulnerabilities off the table for attackers. In broad terms, its approach is to use virtualization to create safe, protected environments for sensitive operations, and to build trust from the ground up, on top of trustworthy hardware specs.

In fact, a lot of what makes Windows 11 better for security than Windows 10 is that Microsoft is simply making things that are optional in Windows 10 mandatory (or at least a default) in Windows 11.

So, unlike some of the previous transitions between major versions of Windows, there is a very obvious continuity between the two most recent versions, and a sense that Windows 11 is just the latest version of Windows 10.

And it seems that continuity is now flowing upstream as well as down.

Last week Microsoft used its announcement about the availability of the Windows 10 November 2021 Update to reveal that Windows 10 is ditching its twice-yearly release schedule and moving to the calmer annual release cycle of its sibling:

“We will transition to a new Windows 10 release cadence to align with the Windows 11 cadence, targeting annual feature update releases … The next Windows 10 feature update is slated for the second half of 2022.”

This is not a security announcement per se—sysadmins will still have to digest enormous patch furballs on the second Tuesday of every month when the LCU (Latest Cumulative Update) is released—but we reckon it is good for security.

I asked Malwarebytes’ Windows expert Alex Smith, the brains behind our recent, detailed assessment of whether or not Windows 11 is any good for security (spoiler alert: yes, it is) for his thoughts.

Smith’s take: This switch can only help security.

It will be a welcome change by most, especially software developers, IT admins, technicians, help desks, Microsoft itself, and end users. Having to plan for and support a new Windows OS build every six months was a chore and led to lots of late adoption or deferment, which could impact security.

Smith says the new release schedule should give everyone a little more breathing space to prepare, adopt, and react to Windows releases, which could lead to:

• Higher adoption rates of the latest builds.
• Reduced build fragmentation in the ecosystem.
• More time for Microsoft to stabilize its updates before releasing them.
• Fewer “headaches” for software developers, IT admins, support staff, and users.

Of course it is just breathing space, and there is no guarantee it will be used productively. Most businesses are more than capable of over-committing security and IT staff, and the window of opportunity will close quickly, but there is a window.

Perhaps it will provide an opportunity for some organizations to run the rule over Windows 11.

Alongside revealing its changes to the Windows 10 release schedule, Microsoft also announced it was increasing the pace of the Windows 11 rollout, “making the Windows 11 upgrade more broadly available to eligible Windows 10 devices”. This is also good news. Microsoft can only achieve its lofty aim of making classes of vulnerability obsolete when Windows 11 is predominant, but the operating system’s beefed-up security comes at the cost of eye-watering hardware demands, which seem likely to chill the pace of adoption.

Anything that gives them a bit of warming sunshine is to be welcomed.

The post Windows 10 chills out, gives sysadmins a break appeared first on Malwarebytes Labs.

It’s not been a great time for ransomware authors recently. Well, some ransomware authors at any rate. While many are making huge amounts of money from their device-locking antics, it’s not a profession without risk. Every so often something can and does go wrong, and ransomware groups get into all manner of trouble. Sometimes they aim too high and generate a huge amount of heat. At that point, the solution is to go into hiding or claim to be leaving the business forever.

Elsewhere, it can be a case of accidentally leaking the decryption key, or making it so that third parties can figure it out.

Sometimes, an incident is just a disaster from start to finish.

Setting the scene

Conti ransomware is perhaps most well known for its use in the HSE healthcare attacks back in May. More than 80,000 endpoints were shut down and the health service had to revert to the pen and paper approach. Providers in the US and New Zealand were also affected.

Conti is created and distributed by “Wizard Spider”, a group which also created the well-known Ryuk ransomware. Conti, offered to affiliates as Ransomware as a Service, ran wild in the first quarter of 2021. RDP brute forcing, phishing, and hardware / software vulnerabilities are the chosen methods for Conti compromise.

Where it gets interesting is that Conti directs victims to Dark Web “support portals” where they talk through the steps to unlocking impacted devices. This is where the current Conti issues have arisen.

A lack of support

Security firm Prodaft discovered a vulnerability in the servers Conti uses for recovery. Essentially, the place they tell victims to go. They discovered the real IP address of the hidden service and were able to monitor network traffic for connections to the server. This is particularly ironic considering the slightly confusing stance on free keys, which still come with a ransom attached. There was also a flurry of news recently when word dropped that they were selling access to victims.

All in all, having access to a support portal swiped is probably not high on the Conti gang’s list of “cool things to have happen”.

Down for the count?

Once word broke that a security firm accessed the server for more than a month, the people behind the ransomware scrambled to fix things. What this meant in practice, is a support portal missing in action, and no way for victims to pay.

In total, the Conti infrastructure here was mostly offline for something like two days. This sounds great in practice. However, it’s worth noting that while the ransomware edifice has temporarily toppled, individuals and organisations affected couldn’t communicate with the attackers. If they decided to pay, they wouldn’t be able to. If they wanted to appeal to their better nature, it’s not a possibility.

To add to this sense of uncertainty, the victims would have no way of knowing if the people responsible for their locked files would even come back. They could have simply cut their losses.

Not a great time to be compromised by ransomware, and that’s taking into account that there’s never a great time to be compromised by ransomware.

An increasingly creaky comeback?

Conti has now, of course, returned with a combative air of defiance:

This isn’t the first thing to go wrong for them recently, however. In August, an ex-pentester for Conti decided to spill several gallons worth of beans on Conti activities. This individual, unhappy with the money they were making, dumped files allegedly handed to affiliates on a forum. Rival factions go to war with one another all the time, but it’s still somewhat unusual to see insider documents posted quite like this.

Still, despite the wheels coming off, it doesn’t seem to stop ransomware groups for long. There’s simply too much money at stake and (probable) decent odds against getting caught by law enforcement. In the game of ransomware whack-a-mole, the mole is most definitely king.

The post Security researchers play peek-a-boo with Conti ransomware server appeared first on Malwarebytes Labs.

Black Friday and the holiday season are approaching, and shoppers are forecast to spend record amounts again this year. Retail websites big and small can expect a lot of interest from shoppers looking for deals, and a lot of interest from cybercriminals looking to cash in on those shoppers, by stealing their credit card details with stealthy card skimmers.

Card skimmers, or web skimmers, are pieces of malicious software that criminals piggyback on to legitimate websites, so they can steal shoppers’ credit card details. The skimmers read the details as users type them into the sites’ payment forms, or replace the payment forms with convincing fakes. Attackers have even been seen adding entire checkout pages to sites that don’t take payments. Skimmers can steal card details in real time, as they are typed, even before the victim clicks “submit” on the payment form.

Skimmers allow criminal hackers to silently rob every customer that makes a purchase on an infected website, until they are discovered and removed. Malwarebytes products detect card skimmers, and our Threat Intelligence team tracks and investigates them. We know that card skimming activity tends to increase inline with busy shopping days, and shop owners need to be extra-vigilant heading in to the holiday season.

In this article we will explain the basic steps you should take to secure your website against card skimmers. Getting these basics right will also protect your website against a range of other cyberthreats too.

But before we look at how to secure your site, let’s look at why you should, if you’re only running a small mom-and-pop shop.

Why you aren’t too small to get hacked

If you think your website is too small to be of interest to cybercriminals, think again. They don’t care how small your site is. Really. In fact, they don’t care about you at all and may never even look at your website.

Cybercriminals don’t break into websites one by one, using their best guess to figure out your password like they do in the movies. They use computer programs to scan the Internet for vulnerable websites. There are millions of vulnerable websites out there, and scanning the entire Internet to find them is fast, cheap, and easy.

When they find a site they can break into, they inject a card skimmer, automatically.

Their objective is to break into thousands of websites at a time and the process is automated and can run continuously. It effectively costs criminals nothing to break into even the smallest website, so every website—no matter how small—is an attractive target.

Websites without a payment form can be still be targeted, or monetised in other ways, so even if your site doesn’t sell anything, it is still at risk.

Securing your website

With an Internet full of potential targets to choose from, you don’t have to do much to make your website less attractive to attackers. As the old saying goes, you don’t have to outrun the bear that’s chasing you, you just have to outrun the other people running away from the bear!

So, how do you move a little faster than the others?

Step 0, keep your computer secure

The first step in keeping your website secure is to make sure that your computer, and computers belonging to anyone else who administers the site, are secure. If your computer has malware on it, it doesn’t matter how secure your website is, because criminals can just steal your password or login in to your website from your computer, pretending to be you.

Keep your software up to date with security fixes, and install a modern antivirus solution, a password manager, and a securiity plugin for your browser, like BrowserGuard.

Set strong passwords. Never share them, never reuse them

One of the easiest ways to break into a website is to guess an administrator password for the software that runs the website—its Content Management System (CMS). If an attacker can do that, they can do anything they like to the website, including adding a card skimmer and dismantling any defences you have.

Just as they don’t search for websites manually, attackers don’t guess passwords manually either. They have computer programs for that too. And once their scanner finds your website, another computer program will happily plug away 24/7, trying to guess your password. They will move on eventually, but they may have made thousands of attempts before they do.

The good news is that you can seriously sharpen up your password game by avoiding a few bad habits:

• Bad passwords. Cybercrooks don’t guess passwords randomly, they use lists of popular passwords. The ten thousand most common passwords are full of easy-to-type sequences like 123456, 1111, and qwertyuiop, or they are made from names and common words like monkey, michael or trustno1. If your password is on that list, or looks like the passwords on that list, your website is in trouble.
• Shared passwords. If you share a password with somebody you have no idea if they are storing it securely, or who they might be sharing it with. The only way to ensure passwords stay secret is to never share them. Give everyone their own account, with their own password, and tell them not to share.
• Passwords you’ve used elsewhere. Alongside common passwords, criminals also use lists of usernames and passwords exposed in data breaches (this is called credential stuffing). Chances are you’ve lost at least one password in a data breach. If you never use the same password twice, you can’t be caught by credential stuffing.
• Everyone’s an admin. It’s often convenient to give everyone who works on a site an administrator account, so their work isn’t interrupted by being denied access to something. But every separate administrator login gives criminals another potential way in. Save administrator-level access for the people that need it, and aim for the smallest number of administrators you can get away with.

You can get to grips with most of these bad habits by adding two-factor authentication (2FA) to your site. 2FA forces users to provide another piece of information with their password when they log in, such as a one-time code from an app. Any decent website CMS will have a 2FA option built in, or 2FA plugins that are easy to find and install.

If your company uses a Virtual Private Network (VPN) to provide secure, remote access to company systems, you could limit access to your website login screen to company VPN users too.

Keep website software up to date, every day

Another easy way to break into a website is by exploiting a software vulnerability in the web server, CMS, or plugins your website uses. A vulnerability is a coding flaw that lets attackers do things they aren’t supposed to be able to do, such as adding files to your website, or accessing its back end without logging in. When software vendors find vulnerabilities in their software they provide a security patch that fixes the problem.

Your website is only secure against that problem when you apply the patch.

Criminals often reverse enginer patches to find out what vulnerabilities they fix, and then attempt to use those vulnerabilities to break in to websites that haven’t been patched yet. They can do this extremely quickly.

In 2014, Drupal, a very popular CMS, released an update for a serious security flaw. Criminals reverse engineered the update and were using it to take over websites within hours. Later, the Drupal security team made the extraordinary announcement that if you hadn’t updated your website within seven hours of the patch being released then you should “consider it likely your site was already compromised”.

Make sure you know whose job it is to keep the website patched. This may be something that the people who built and maintain your website will do for you, or a job you need to do yourself. Whatever you do, don’t just assume that somebody else must doing it.

If you use WordPress, it should update itself automatically with security fixes. You can check this by logging in and going to Dashboard > Updates. Note however, that WordPress will not update most plugins automatically. Vulnerabilities in plugins are common, and probably the biggest threat to your website, so if nothing else, you will need to make a point of logging in regularly to check for and apply plugin updates.

The same is true for other CMSes: You should log in regularly to see if there are updates that need to be applied. We suggest you also go to your CMS vendor’s website (and any plugin vendor’s sites too) and see if they have a mailing list where they announce patches. Sign yourself up so you are alerted if anything urgent needs your attention.

Finally, this advice applies to every website under your control. It is quite common for companies to run a number of websites on the same server. These could be different websites for different purposes, or test and staging versions of your principal site. If any one of those websites is compromised, it gives attackers a potential route to cross-contaminate all the other sites on the server. Test and staging sites are often neglected, and often exposed to the Internet accidentally, making them a particularly soft underbelly.

Use a Web Application Firewall (WAF)

A Web Application Firewall (WAF) is an appliance or Cloud-based service that filters the data that’s sent to your website, weeding out things that look malicious, such as XSS or SQLi attacks. They can also prevent unauthorized data (like credit card details from a server-side skimmer) from leaving your website if it is compromised.

WAFs use a rulebook to recognize malicious or unauthorized inputs and outputs, which means they can often provide protection far sooner than patching. All a WAF vendor needs to know to create a new rule is what input the attackers are using to compromise websites. To create a patch, a vendor needs to know what input the attackers are using, but also how that input affects their software, and how to fix it without breaking anything.

WAFs add complexity to your environment and may require regular updates, but they provide a useful extra layer of defence for your website. You should never use a WAF as an alternative to patching, but using one could save you if you miss a patch, are too slow to apply one, or if attackers are using a zero-day technique that your CMS or plugin vendor hasn’t patched yet.

Protecting users from rogue dependencies

Web pages are typically made up of multiple separate elements, such as scripts, images, like buttons, sharing widgets, and so on, drawn from multiple different places. In fact it is not uncommon for individual pages to have tens or even hundreds of such dependencies, and for them to be drawn from many different domains: Analytics and advertising code from Google perhaps, a Tweet button from Twitter, images pulled from a Content Delivery Network (CDN), and so on.

The different elements are only assembled into a single page at the last minute when it’s viewed in a web browser, and that process is repeated in each user’s machine, each time the page is viewed.

Each dependency is a potential backdoor into your web pages. If an attacker can compromise a site hosting one of your dependencies, they can use it to inject a card skimmer into your page when it is assembled by a web browser, without ever compromising your website. You can’t control the passwords or patching on the sites you depend on, so instead you must take steps to protect your users from compromised dependencies.

Subresource integrity

Subresource integrity is a form of tamper protection for scripts and stylesheets. If an attacker compromises a third-party script your website relies on, they can use it to inject a card skimmer into your pages.

In June 2019, Malwarebytes Threat Intelligence discovered exactly this kind of attack on the official Washington Wizards page of the NBA.com website. Attackers had managed to alter a script the site used that was hosted on an Amazon S3 storage website.

Subresource integrity protects against this kind of attack by using fingerprints (cryptographic hashes) to verify that elements loaded by <script> or <link> tags haven’t been altered.

For example, let’s say your website uses version 3.6 of the popular jQuery JavaScript library. Without Subresource Integrity, the script tag for it would look like this:

<script src="https://code.jquery.com/jquery-3.6.0.js">

With Subresource Integrity, the script tag looks like this:

<script src="https://code.jquery.com/jquery-3.6.0.js" integrity="sha256-H+K7U5CnXl1h5ywQfKtSj8PCmoN9aaq30gDh27Xc0jk=" crossorigin="anonymous">

When a browser assembles your page it will download the jQuery code and create its own cryptographic fingerprint from it, and match it against the fingerprint in the tag. If the fingerprints don’t match, the browser will assume the jQuery code has been compromised and won’t run it.

Content Security Policy

Sometimes, instead of changing an existing dependency, attackers can find enough leverage to add a new dependency to your site, from a website they control.

Content Security Policy (CSP) is a simple addition to your website that can protect against this form of attack. It works by sending web browsers a list of the domain names your website trusts, and what it trusts them to do.

For example, let’s say your website is example.com, and your website includes Google Analytics code, which is loaded from the analytics.google.com domain. Your CSP header would say you trust your own site to provide all forms of content, and it trusts Google Analytics to provide scripts, and nothing else. The actual instruction looks like this:

Content-Security-Policy: default-src 'self'; script-src analytics.google.com

If a cybercriminal sneaks a card skimming script on to your site that’s loaded from example.xyz, web browsers will refuse to run the card skimmer. So, even though your website has been compromised, it will not affect your users.

CSP isn’t perfect. In a serious hack, an attacker might gain enough access to your site to remove the CSP instructions altogether, but in many situations they won’t.

You can see if your website already has a CSP header (and other useful security headers too) by checking it on securityheaders.com.

Pulling it all together

Securing your site and its dependencies against attack are vitally important, but sometimes you don’t realise you’re vulnerable until it’s too late, or your Subresource Integrity and CSP silently block a rogue dependency and you don’t ever learn about it

In both cases you want something that tells you as soon as the problem starts. So the last step in securing your site is to use a third-party integrity monitoring service that sees your site from your users’ point of view. These services can find card skimmers that slip through the net and, most importantly, tell you that there’s something you need to fix.

Automated integrity checking services are like users that work on your behalf, periodically visiting important web pages, like your checkout, pulling in all the dependencies in real time, looking for anything that shouldn’t be there, and alerting you if they find anything.

Although we have gone into a lot of depth in this article, keeping websites secure is mostly a matter of setting up a few services, and then doing a some simple things, over and over again. By making these things a habit, you will strengthen your site enormously against card skimmers and other attacks, and keep your users safe through the holiday season and beyond.

* The fake checkout is on the left.

The post How to defend your website against card skimmers appeared first on Malwarebytes Labs.

Decades ago, the promise of the Internet was clear: No one, depending on their age, gender, race, income, or place of birth, would be unwelcome from expressing their thoughts and ideas.

Today, that promise has been largely unfulfilled. As Malwarebytes discovered earlier this year, the Internet is a deeply unequal place for women, teenagers, and Black communities, Indigenous populations, and people of color. Women, above all demographics, told us that they felt both the least safe and the least private online, and when we looked at why that might be, the answers were obvious. Women face higher rates of cyberstalking. Women are almost singularly targeted by nonconsensual pornography. Women who are stuck in situations of domestic abuse are also reportedly more frequently impacted by the threats of stalkerware. Women also, as we learned, reported higher rates of receiving text messages from unknown phone numbers, and having their social media accounts hacked.

These are all the outcomes of an unfair Internet. On today’s Lock and Code podcast, with host David Ruiz, we dig into why so many real-life problems have followed women onto the Internet today.

Part of the problem, according to our guest Sue Krautbauer, is that the Internet has created tremendous latitude for bad actors to commit harms and then get away without a trace.

“It almost feels a bit like online guerilla warfare, right? Where they come in, and they lob something into the internet, and then they disappear again. And that can just have such an emotional and a mental toll on the victims because they can’t point to them and say it’s that person or that thing.”

Sue Krautbauer, senior director of strategy and development for Digitunity

Today, on the Lock and Code podcast, we speak with Sue Krautbauer, senior director of strategy and development for Digitunity, about the different—often worse—experiences that women face online, how pervasive such treatment can be, and why our Internet so often mirrors our real-life situations.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post The Internet is not safe enough for women, and Sue Krautbauer has some ideas about why: Lock and Code S02E22 appeared first on Malwarebytes Labs.

On October 29 we published our third CrackMe Challenge and announced two parallel tracks for the contest: “The fastest solve” , and “The best write-up“.

In the first category (“The fastest solve” ), we got three winners already the first weekend following publication. Big congratulations to:

@nazywam

Suvaditya Sur (@x0r19x91)

@evandrix

Yet, even those of you who are not as fast could still join in the fun, and get a chance to win a prize in the second category. Submissions for the best writeup closed November 12 (two weeks after the Crackme publication). In this post we will summarize the writeups that we received, and announce the winner for the best writeup!

Hall of fame

The submissions were treated as valid if they contained the following flag:

flag{you_got_this_best_of_luck_in_reversing_and_beware_of_red_herrings}

We received them in the following order:

1. @nazywam
2. Suvaditya Sur (@x0r19x91)
3. @evandrix
4. Alex Skalozub (@pieceofsummer)
5. @JLeow00
6. rainbowpigeon
7. arm4nd0
8. Matthieu Walter (@matth_walter)
9. Bahlai Vladyslav (@BaglaiVlad) & Alex Shevchuk
10. @kasua02
11. @zvikam

Congratulations to all the solvers!

CrackMe 3 challenge

Before we present you with the writeups, let’s have a quick look at the task itself.

The CrackMe was composed of multiple components:

• The GUI application (written in .NET): responsible for taking the input, and verifying it / passing it to the further layers. It was accepting 3 passwords for the consecutive levels.
• The server: a native application, packed. Responsible for verifying the input of the passwords for the stages 2 and 3. Communicating with the GUI application with the help of a named pipe, and a local TCP server.
• The DLL injector (written in .NET, loaded into the main application with the help of .NET Reflection)
• The hooking DLL: a native application, injected into the server and hooking some of the used APIs, changing the password verification function.

It is worth to note that each level of the CrackMe depends on the previous one, so the passwords have to be provided in the right order.

To make the analysis easier, and more approachable for beginners, the code (apart from the loader part) was not obfuscated. Some components were based on public code, or contained debug strings making it easier to follow.

Level 1:

In the first level, the user was supposed to input the password that would let the second stage get properly decoded and run as a new process. The second stage of the crackme was a PE, steganographically hidden in the image that was displayed in the GUI, and obfuscated by XOR with a static key. The key could be cracked with the help of plaintext attack.

Level 2:

The second password inserted by the user was sent over the pipe to the previously deployed server. The user was supposed to unpack the core of the server, and analyze it. First, it was required to notice that the presence of certain analysis tools cause the crackme to exit. Then, the user needed to find out that the expected password is in reality the name of one of those analysis tools. The next step was finding a public list of suspected tools, and cracking the password by a dictionary attack.

The correct password was not only clearing the level, but also triggering the decryption of the hooking DLL, that was injected in the server.

Level 3:

The third password inserted by the user was sent over the local TCP connection to the previously deployed server.

The user was supposed to notice that the hooking DLL alters the behavior of the verification function. With this information, the actual flow of the verification function should be reconstructed. Then it was possible to crack the final password.

Techniques covered:

1. Steganography
2. Packed executable (loader with self-injection of the payload)
3. Shellcodified PE
4. Loading functions by hashes (API hashing)
5. Basic anti-analysis tricks
6. Vectored Exception Handling (VEH)
7. Inline hooking
8. Inter-process communication
9. .NET Reflection
10. Classic DLL injection

List of writeups

We received 6 writeups in total, from the following contestants:

• Suvaditya Sur (@x0r19x91) [ writeup ]
• Alex Skalozub (@pieceofsummer) [ writeup ]
• @JLeow00 [ writeup ]
• rainbowpigeon [ writeup ]
• Matthieu Walter (@matth_walter) [ writeup ]
• Bahlai Vladyslav (@BaglaiVlad) & Alex Shevchuk [ writeup ]

Scoring the writeups

As we mentioned in the contest opening:

The write-up will be judged by its educational value, clarity, and accuracy. The author should show their method of solving the CrackMe, as well as provide the explanation of the techniques used in the challenge

Just like in the previous edition, in order to introduce some objective measures, several categories were used to assign points.

• The quality of the solution:

There are no wrong solutions if they lead to the goal. However, some approaches are faster and more elegant than others. We ranked higher the solutions that are straight to the point and not over-engineered. If multiple solutions were presented in a single writeup, we appreciated if the author stated which of them is the most optimal, and why.

• An in-depth explanation of the inner workings of the CrackMe, guiding through the process of solving. This means writers should have:

1. Explained how to approach the CrackMe: presented an overview of the task as a whole
2. Explained each stage of the CrackMe: the main logic, relationship to the other levels
3. Identified and described each executable layer the stage was composed of (loaders, shellcodes, etc.)
4. Identified each algorithm used (i.e. CRC32, RC4)
5. Identified and explained each technique used (from the list “techniques covered”)
6. Explained the third verification function before and after hooking, presented what each hook is responsible for, and how it changes the logic

An educational value of the writeup. Writers should have:

1. Introduced tools before they were used, showing the environment setup
2. Provided detailed explanation of the used techniques, reaching beyond the CrackMe itself. For example, providing links where the reader can learn more.
3. Described the solution in a comprehensive way, that can be followed by a beginner
4. If applicable, presented different approaches, and explanation which of them is the recommended one and why
5. Provided graphical illustrations making the provided explanation easier to follow. Diagrams, GIFs, videos, etc.
6. Been especially clear and had a pleasant writing style

You could also get some bonus points for OSINT if you found:

1. The header of the payload in the stage 2 was shellcodified with the help of pe_to_shellcode
2. The hashes in the stage 2 were based on the list from the Al-Khasher project
3. The function checking the processes was copied from the repo: antianalysis_demos
4. The hooking DLL was created with the help of MS Detours, and based on the following template

The writeup contest results

All 6 solutions turn out to be of very high quality, so it was extremely hard to select winners. Even trying to introduce some objective criteria for judging writeups, all authors covered most of the points that we would like to see described, and the margin between the scores was small. That’s why we decided to reward all of them with Malwarebytes swag.

Additionally, we decided to distinct three, most comprehensive solutions, that will be rewarded with the main prize (an IT-related book of contestant’s choice):

• rainbowpigeon [ writeup ] – clear explanation of the stages, elegance and simplicity of the taken approaches
• Matthieu Walter (@matth_walter) [ writeup ] – detailed explanation of each level, easy to follow even for a person who didn’t solve the crackme themselves
• Leow00 [ writeup ] – for the efforts to provide an educational value: detailed explanations, diagrams

All the authors will be contacted soon!

Once again thank you for participation, and hopefully see you again next year!

The post Malwarebytes CrackMe – contest summary appeared first on Malwarebytes Labs.

Netgear has released a fix for a vulnerability on several of their product models. The affected product models include extenders, routers, air cards, and modems.

The vulnerability was discovered by researchers at GRIMM, but prior to the planned disclosure date, Netgear released a patch that fixed the underlying bug in one of the affected devices.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-34991 and described as a vulnerability that allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the universally unique identifier (uuid) request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

The vulnerability received a CVSS score of 8.8 out of 10 because of some limiting factors. One consolation in the above is that the attacker already has to be inside the LAN to perform this attack. But once they are, the attacker can send a specially crafted header to the UPnP daemon and can remotely run code with root privileges on the affected device.

Another limiting factor for the attacker lies in the fact that the copy function which overflows the stack is a string copy. As such, it will stop copying characters when it encounters a NULL character. Thus, the exploit cannot include gadgets with NULL bytes. All of the addresses within the UPnPd daemon contain a NULL character as the Most Significant Byte (MSB). But, the researchers that discovered this vulnerability created a Proof-of-Concept (PoC) which bypasses this limitation by omitting the gadget’s MSB in the payload, and then immediately ends the payload. The string copy which overflows the stack will automatically NULL terminate the string, and thus write a single NULL byte. However, this technique has the disadvantage that it can only write a single NULL byte at the end of the payload. As such, the exploit can only run a single gadget via this technique.

UPnP

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services. By design, the daemon accepts unauthorized requests of clients that want to receive updates when the UPnP configuration of the network changes. For example, the Xbox One uses UPnP to configure port forwarding necessary for gameplay.

The eternal dilemma

UPnP is a convenient way of allowing gadgets to find other devices on your network and, if necessary, modify your router to allow for device access from outside of your network. A UPnP client can obtain the external IP address of your network and add new port forwarding mappings as part of its setup process.

This is extremely convenient from a consumer perspective as it makes it a lot easier to set up new devices. Unfortunately, with this convenience have come multiple vulnerabilities and large-scale attacks which have exploited UPnP.

Very often, security issues arise from the developers’ inclination to make things easier for their users. It seems there is an impossible to find balance between security and ease of use. It should not be so hard to make secure the default, and if the user wants to increase the ease of use then there should be an option to do so temporarily. Why would you have to open the floodgates permanently just to let one boat in?

Affected devices

This list will not be inclusive because some organizations, and ISPs in particular, have a habit of rebranding routers and other network equipment. But a list of product models and the required firmware version can be found in the Netgear security advisory.

How to make sure you are safe

Netgear strongly recommends that you download the latest firmware as soon as possible.

1. Visit Netgear Support.
2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears. If you do not see a drop-down menu, make sure that you enter your model number correctly, or select a product category to browse for your product model.
3. Click Downloads.
4. Under Current Versions, select the first download that begins with Firmware Version.
5. Click Release Notes.
6. Follow the instructions in the firmware release notes to download and install the new firmware.

For cable products, new firmware is released by your Internet service provider after NETGEAR releases it to them. Firmware fixes for the following cable products have been released to all service providers:

• CAX80

Stay safe, everyone!

The post Update now! Netgear vulnerability patched appeared first on Malwarebytes Labs.