IT NEWS

The best browsers for privacy and security

Unfortunately there is a low correlation factor between what most people find the best browsers and what are the best browsers when it comes to privacy and security. If you look at the market share of the most popular browsers, there is one browser that steals the crown without a lot of competition: Google’s Chrome. Safari is the only other one that passes the 10% line, the rest merely look like marginal players. Of course, there are billions of browser users in the world, so even the marginal players are used by significant numbers of people, but they fade when compared to Chrome.

I’m assuming here that people use the browser that they like best. In case you are not, you know you do have a choice, right? It’s not even unheard of to use more than one browser on the same system. It does even have some merits:

  • Troubleshooting: Is that site really unavailable or is it my browser?
  • Segregation: Use one for work and another for home use.
  • Privacy: Using multiple browsers can disrupt tracking (although there are better ways).
  • Security: Switch to a different browser if your favorite is waiting for a security patch.

In this post we will look at how your choice of browser can contribute to your online safety and privacy. And tell you about some browsers that actually do care about those elements. We will also touch upon some methods to make the browser you like safer and more private.

Why you should care

As I have said in the past, a browser is not just a looking glass. When you are browsing websites the information stream goes two ways. Some of the information your browser gives to the websites you visit is necessary for the website to function properly. But sometimes the website owner just wants to have as much information as possible about their visitors: Where are my visitors located? What other websites have they visited recently? Which link did they click to get here? How long did they stay? Where did they go to next? How many free articles have they read? And in many cases the information can and will be used for targeted advertising.

Better security and privacy in your favorite browser

In the past I have written about how to tighten security and increase privacy on your browser. Feel free to read the whole post but here is a summary.

The upside of being able to use browser extensions is that there are many good ones out there that can help you establish a more private browsing experience. Ad-blockers, anti-tracking tools, and security extensions add further protection.

You can also tighten your privacy by using a Virtual Private Network (VPN) to anonymize your traffic. You have options here, since you can install a VPN to anonymize all your Internet traffic, or you can install a VPN extension that will do so for your browser only. Since a VPN can slow down your Internet connection, the choice depends on which other Internet-connected programs you use and on your personal preference.

Better browser choices

Besides using a VPN, you can also look at some alternative browsers that are already optimized for privacy and security. Here is our choice of best privacy browsers:

  • The Tor Browser protects your privacy by connecting you to the Internet using the Tor network, which was originally developed by the US Navy and DARPA. It hides your IP address like a VPN, but it doesn’t require you to trust a VPN provider, or share your real IP address with one. The Tor browser (which is based on Firefox) also includes a number of privacy features, plug-ins and defaults designed to protect your privacy. The Tor browser is available for Windows, macOS, and Linux.
  • Freenet is a peer-to-peer platform for censorship-resistant communication and publishing that is available for Windows, macOS, and Linux.
  • Waterfox is a secure and private browser based on Firefox, that allows you to use Firefox extensions. It is available for Windows, macOS, Linux, and Android.
  • Pale Moon is another Mozilla fork, but it doesn’t work with all Firefox extensions. It is available for Windows and Linux.
  • Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOS, Linux, iOS, and Android.

There are some things to consider here, because the best browser for privacy is not necessarily always the best browser for security. But they are closely knit together. And while it is easy to enhance your security outside of your browser, it is hard for another program to stop a browser from leaking information about you. And if you do manage to do so, it is likely to interfere with how well the browser works.

Granted, it may take you a while to get used to a new browser. One thing you can do to make it easier to adapt is to choose a browser that is based on, or very similar to, the one you are already using. For example, if you are using Firefox now, have a look at the Tor Browser, Waterfox, or Pale Moon, whereas Chrome users may find using Brave more intuitive.

Your choice

So, what is the best browser for privacy and security? Choosing between browsers is hard enough and making that choice for someone else is even harder. But if you try the above and see which one you like best, you will have made a choice that improves your online safety and privacy. Good for you!

Stay safe, everyone!

The post The best browsers for privacy and security appeared first on Malwarebytes Labs.

Realtek-based routers, smart devices are being gobbled up by a voracious botnet

A few weeks ago we blogged about a vulnerability in home routers that was weaponized by the Mirai botnet just two days after disclosure. Mirai hoovers up vulnerable Internet of Things (IoT) devices and adds them to its network of zombie devices, which can then be used to launch huge Distributed Denial of Service (DDoS) attacks.

Last time it was a vulnerability in the Arcadyan firmware found in devices distributed by some of today’s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.

A similar situation is going on right now with routers and Wi-Fi amplifiers that are built on the Realtek RTL819xD chipset. Realtek chipsets are found in many embedded IoT devices. At least 65 vendors are affected. The vulnerabilities enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. Exactly what Mirai wants.

Vulnerabilities

The vulnerabilities were found and disclosed by IoT Inspector, a platform for automated security analysis of IoT firmware. In total they identified more than a dozen vulnerabilities, but one of them (CVE-2021-35395) has already been found to be actively exploited in the wild.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The description of CVE-2021-35395 contains a pretty dense explanation, but it boils down as follows.

There are two management interfaces that can be accessed over the Internet. Both are vulnerable to multiple stack buffer overflows due to “unsafe” copying of parameters, and to two separate arbitrary command injection problems, again stemming from the apparently unsafe handling of parameters. These allow an attacker to run arbitrary commands on the vulnerable device.

For anyone unfamiliar with web programming, this implies that the code behind these Internet-exposed management interfaces is failing to perform the most basic security hygiene on the parameters it receives.

The description ends:

Some vendors use [the management interface] as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tend to re-use those examples in their custom code, any binary based on Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones…

In other words, how vulnerable your device is may depend on whether, and how well, the vendor added their own authentication methods, but vendors may well have added more problems.

Same botnet, same operator?

With all the similarities in the vulnerabilities and the speed with which they are being exploited after disclosure, it will not come as a total surprise that the botnet that is actively going after these vulnerable devices is Mirai. Mirai is the name of the malware behind one of the most active and well-known IoT botnets. After the source code of the original Mirai botnet was leaked, it was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets.

Researchers at SAM Seamless Network were able to establish that the web server serving the Mirai botnet behind these attacks uses the same network subnet seen by Unit 42 in March of 2021, indicating that the same attacker was behind those incidents. Due to the similarity in scripts it was assumed that the same actor was behind the exploitation of the vulnerability listed under CVE-2021-20090 which is present in the Arcadyan firmware.

It also stands to reason to assume this is the actor that was responsible for the largest DDoS attack recorded to date, just last week.

Mitigation

Realtek has since patched the vulnerabilities, but it will take a while for manufacturers who use their chipset to make the patches available to their customers. And again many of the owners of vulnerable devices are home users. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.

Realtek is a common chipset used for sound and Wi-Fi by many vendors such as ARRIS, ASUSTek, Belkin, Buffalo, D-Link, EnGenius, Huawei, LG, Logitec, NetGear, TRENDnet, and many more. I found a list of affected devices courtesy of Mainstream Technologies but this is only a partial list. Alongside its list, Mainstream Technologies warns that: “If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch”.

So even if your device is not on it, that doesn’t mean it’s not vulnerable. Any device that uses a Realtek RTL819xD chipset is vulnerable, and the bots scanning the internet for vulnerable devices will definitely be able to find them.

It is cases like these that could end up being a deciding factor in the discussion of whether vendors, governments, or law enforcement should be allowed to patch vulnerable systems that do not belong to them or to the infrastructure they are responsible for.

Stay safe, everyone!

The post Realtek-based routers, smart devices are being gobbled up by a voracious botnet appeared first on Malwarebytes Labs.

Criminals exploited weak checks and old tech to pull off vast COVID benefit fraud

In life, when you encounter something momentous—a sudden job loss, a routine check-up that reveals an illness whose medical bills you can’t afford—you can be assured that the federal or state government has benefits you can apply for. And where there are benefits, you can also be assured that there will be individual scam artists and national (if not international) cybercrime gangs attempting to get those benefits by fraudulent means.

It was no different when the COVID pandemic hit.

And while there are domestic fraudsters in the US, the biggest agents of pandemic-related scams and fraud, according to law enforcement officials and private experts, are outside the country and read like a who’s who of cybercrime stereotypes: Nigerian scammers, Chinese hackers, and Russian mobsters.

The fraudulent filing of claims related to the COVID pandemic has been an on-and-off topic of discussion in news sites. And American nationals and legal residents in the US, in particular, who have lost their jobs due to the pandemic recession are the ones at the losing end of every fraud story out there.

According to the same law enforcement officials speaking to NBC News, the federal government “cannot say for sure how much of the more than $900 billion in pandemic-related unemployment relief has been stolen, but credible estimates range from $87 million to $400 billion—at least half of which went to foreign criminals”.

NBC News has pointed out that if you compare the amount being stolen via pandemic-related unemployment relief fraud, it dwarfs the annual budget the federal government allots on intelligence gathering or K-12 education. It even far outweighs the annual economic cost of ransomware attacks, which some put at around $20 billion USD.

“This is perhaps the single biggest organized fraud heist we’ve ever seen,” RSA’s Armen Najarian was quoted saying. Najarian had tracked down a Nigerian ring that was able to plunder millions of US dollars from many US states.

Exploiting weak ID checks

Criminals have been taking advantage of the Pandemic Unemployment Assistance (PUA) program, using stolen identities to land individual payouts of up to $20,000 USD.

When you file for unemployment relief, you have to prove that you were employed, before the pandemic affected your status. Some states have sought out the use of ID.me, which supplied NBC with a rogue’s gallery of pictures showing fraudsters trying to pull the wool over the eyes of the verification process with an assortment of silicon masks, barbie doll heads, and deepfake videos.

NBC reports that federal watchdogs have been flagging the weakness of some state’s verification methods for years—and the criminals know they can game the system.

In fact, the unemployment verification process in some states is so bad that prison and jail inmates were able to successfully apply for COVID-19 unemployment compensation.

Because of the rampant fraud of this nature, the Office of Inspector General (OIG) issued an alert to the US Department of Labor (DOL) that it should “take immediate action and increase its efforts to ensure SWAs,” or State Workers Agencies, “implement effective controls to mitigate fraud in these high risk areas.” The memo also identified potential fraud benefits paid in the following four areas:

  1. Multi-State Claimants — totalling $3.5 billion in UI benefits paid;
  2. Social Security Numbers of Deceased Individuals — totalling $58.7 million in UI benefits paid;
  3. Federal Prisons — totalling $98.3 million in UI benefits paid; and
  4. Suspicious Email Accounts — totalling $2 billion in UI benefits paid.

Since many states have already opted out (or will be opting out) of some or all of the unemployment relief stimulus as early as July 2021, it is expected that fraudsters will be moving on to other opportunities to make a COVID buck.

Outdated technology

Criminals are also exploiting a lack of data sharing between states. Almost half of the states in the US have yet to join a national data exchange to check Social Security Numbers (SSNs), which can make it possible to use one SSN to file a claim in multiple states. Also, some states have not been sharing fraud data even though it’s required by federal law. On top of that, the OIG also released a report in May 2021 revealing that 40 percent of states did not perform the required Benefit Payment Control (BPC) activities (database identity checks), and 88 percent did not do the recommended BPC cross-matches.

Regardless of how fraudsters were able to get their hands on COVID government benefits, they are quick to move the money. Foreign organized criminals, for example, use mobile payment services—Cash App, in particular—to either move money or convert the stolen money to bitcoins before moving it overseas. Sometimes they also seek the aid of money mules to move cash.

Reporting fraud

If you think you might be a victim of pandemic-related relief fraud you should report it to:

  • Your employer,
  • Your state unemployment benefits agency, and
  • the Federal Trade Commission (FTC) via IdentityTheft.gov.

The FTC will also help you with what to do next to recover from the incident of stolen identity. You might also reach out to the Identity Theft Resource Center (ITRC), a not-for-profit organization that has helpful resources you can use to resolve ID theft and fraud problems.

It’s also a good idea to freeze your credit, which in turn makes it a lot more challenging for the fraudster to use your identity to open a new account.

Lastly, it’s a good idea to review your credit reports every now and then.

Stay safe!

The post Criminals exploited weak checks and old tech to pull off vast COVID benefit fraud appeared first on Malwarebytes Labs.

A week in security (August 16 – August 22)

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (August 16 – August 22) appeared first on Malwarebytes Labs.

Patch now! Microsoft Exchange is being attacked via ProxyShell

Last Saturday the Cybersecurity and Infrastructure Security Agency issued an urgent warning that threat actors are actively exploiting three Microsoft Exchange vulnerabilities—CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.

This set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the May 2021 Security Updates issued by Microsoft. (To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)

The attack chain

Simply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:

  • Get in with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.
  • Take control with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.
  • Do bad things with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.

ProxyShell

The Record reports that ProxyShell has been used to take over some 2,000 Microsoft Exchange mail servers in just two days. This can only happen where organisations use the on-premise version of Exchange, and system administrators haven’t installed the April and May patches.

We know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given that the noise level about Microsoft Exchange vulnerabilities has been high since March, although it may have been muffled by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.

Ransomware

Several researchers have pointed to a ransomware group named LockFile that combines ProxyShell with PetitPotam. Kevin Beaumont has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a webshell. Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read Kevin Beaumont’s post.

PetitPotam

Before we can point out how ProxyShell can lead to a full blown network-wide ransomware infection we ought to tell you more about PetitPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.

PetitPotam uses the EfsRpcOpenFileRaw function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.

Since the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without “breaking stuff.” Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about PetitPotam.)

LockFile

LockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a blog post that the ransom note from LockFile ransomware is very similar to the one used by the LockBit ransomware group and that they reference the Conti gang in their email address. This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are connected, and sharing resources and tactics.

Advice

CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.

We would like to add that you have a look at the mitigation advice for PetitPotam and prioritize tackling these problems in your updating processes.

Stay safe, everyone!

The post Patch now! Microsoft Exchange is being attacked via ProxyShell appeared first on Malwarebytes Labs.

New variant of Konni malware used in campaign targeting Russia

This blog post was authored by Hossein Jazi

In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and has been potentially linked to the North Korean APT group named APT37.

We discovered two documents written in Russian language and weaponized with the same malicious macro. One of the lures is about the trade and economic issues between Russia and the Korean Peninsula. The other one is about a meeting of the intergovernmental Russian-Mongolian commission.

In this blog post we provide an overview of this campaign, which uses two different UAC bypass techniques and clever obfuscation tricks to remain under the radar.

Attack overview

The following diagram shows the overall flow used by this actor to compromise victims. The malicious activity starts from a document that executes a macro followed by a chain of activities that finally deploys the Konni Rat.

Figure 1: Overall Process

Document analysis

We found two lures used by Konni APT. The first document “Economic relations.doc” contains a 12-page article that seems to have been published in 2010 with the title: “The regional economic contacts of Far East Russia with Korean States (2010s)“. The second document is the outline of a meeting happening in Russia in 2021: “23th meeting of the intergovernmental Russian-Mongolian commission on Trade, Economic, scientific and technical operation“.

Figure 2: Lures used by Konni APT

These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one-liner takes the current active document as input, looks for the "^var" string using findstr, and then writes the content of the line starting from “var” into y.js. At the end it calls the WScript Shell function to execute the JavaScript file (y.js).

The clever part is that the actor hid the malicious JavaScript, which is the start of its main activities, at the end of the document content rather than putting it directly into the macro, both to avoid detection by AV products and to hide its main intent from them.

Figure 3: Macro

The y.js file is called with the active document as its argument. This JavaScript looks for two patterns encoded within the active document. For each pattern it first writes the content starting from the pattern into a temp.txt file, then base64-decodes it using its built-in base64 decoder function, function de(input), and finally writes the decoded content into the defined output.

yy.js is used to store the data of the first decoded content and y.ps1 is used to store the data of the second decoded content. After creating the output files, they are executed using Wscript and Powershell.

Figure 4: y.js

The PowerShell script (y.ps1) uses DllImport to import URLDownloadToFile from urlmon.dll and WinExec from kernel32.dll. After importing the required functions it defines the following variables:

  • URL to download a file from it
  • Directory to store the downloaded file (%APPDATA%/Temp)
  • Name of the downloaded file that will be stored on disk.

In the next step it calls URLDownloadToFile to download a cabinet file and stores it in the %APPDATA%/Temp directory under a unique random name created by GetTempFileName. At the end it uses WinExec to execute a cmd command that calls expand to extract the content of the cabinet file and then deletes the cabinet file. Finally, y.ps1 deletes itself using WinExec.

Figure 5: y.ps1

The extracted cabinet file contains 5 files: check.bat, install.bat, xmlprov.dll, xmlprov.ini and xwtpui.dll. yy.js is responsible for executing the check.bat file extracted from the cabinet file, and deletes itself at the end.

Figure 6: yy.js

Check.bat

This batch file checks if the command prompt is launched as administrator using net session > nul and, if that is the case, executes install.bat. If the user does not have administrator privileges, it checks the OS version: if it is Windows 10 it sets a variable named num to 4, otherwise it sets it to 1. It then executes xwtpui.dll using rundll32.exe, passing three parameters to it: EntryPoint (the export function of the DLL to be executed), num (the number that indicates the OS version) and install.bat.

Figure 7: check.bat
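A host-level detection for the delivery chain described above (macro one-liner, y.js, y.ps1, cabinet extraction, check.bat and the rundll32 hand-off to xwtpui.dll), written here as an added example and not code from the Malwarebytes analysis: one rule per stage is matched against process-creation telemetry, and the chain is flagged when several stages co-occur. The event shape (Sysmon-style pid/ppid/image/command line), the user profile paths and the exact command lines in the sample are constructed assumptions; the page does not give the campaign's literal command lines.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon event 1 or EDR telemetry provide)."""
    pid: int
    ppid: int
    image: str      # executable name or full path
    cmdline: str


OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
# A file of the given extension sitting under a Temp directory (user profile or %APPDATA%\Temp).
TEMP_FILE = r'\\temp\\[^"\s]+\.{ext}\b'


def _img(e: ProcEvent) -> str:
    """Bare executable name, lower-cased, regardless of how the path was logged."""
    return e.image.lower().rsplit("\\", 1)[-1]


def _in_temp(cmdline: str, ext: str) -> bool:
    return re.search(TEMP_FILE.format(ext=ext), cmdline, re.IGNORECASE) is not None


# Each rule covers one stage of the chain; parent is None when the parent was not logged.
Rule = Callable[[ProcEvent, Optional[ProcEvent]], bool]
RULES: Dict[str, Rule] = {
    # Stage 1: the macro's Shell() one-liner: cmd.exe carving "^var" lines out of the open document with findstr.
    "office_macro_findstr_var": lambda e, p: p is not None and _img(p) in OFFICE_APPS
        and _img(e) == "cmd.exe" and "findstr" in e.cmdline.lower() and "^var" in e.cmdline,
    # Stage 2: wscript/cscript running a .js dropped in Temp (y.js, later yy.js).
    "script_host_js_from_temp": lambda e, p: _img(e) in ("wscript.exe", "cscript.exe")
        and _in_temp(e.cmdline, "js"),
    # Stage 3: PowerShell running y.ps1 from Temp.
    "powershell_ps1_from_temp": lambda e, p: _img(e) in ("powershell.exe", "pwsh.exe")
        and _in_temp(e.cmdline, "ps1"),
    # Stage 4: expand unpacking a cabinet inside Temp (the cab carries a random GetTempFileName name).
    "expand_cab_in_temp": lambda e, p: "expand" in e.cmdline.lower() and "-f:" in e.cmdline.lower()
        and re.search(r"\\temp\\", e.cmdline, re.IGNORECASE) is not None,
    # Stage 5: cmd running check.bat / install.bat from Temp.
    "batch_from_temp": lambda e, p: _img(e) == "cmd.exe" and _in_temp(e.cmdline, "bat"),
    # Stage 6: rundll32 loading a Temp DLL through its EntryPoint export with a .bat argument (UAC bypass hand-off).
    "rundll32_temp_dll_entrypoint": lambda e, p: _img(e) == "rundll32.exe"
        and re.search(r'\\temp\\[^"\s]+\.dll,entrypoint\b', e.cmdline, re.IGNORECASE) is not None
        and ".bat" in e.cmdline.lower(),
}


def match_events(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return, per rule name, the pids of the events that matched it."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for e in events:
        parent = by_pid.get(e.ppid)
        for name, rule in RULES.items():
            if rule(e, parent):
                hits[name].append(e.pid)
    return hits


def chain_score(events: List[ProcEvent], min_stages: int = 3) -> Tuple[int, bool]:
    """Count the distinct chain stages observed and flag when at least min_stages co-occur."""
    hits = match_events(events)
    stages = sum(1 for pids in hits.values() if pids)
    return stages, stages >= min_stages


# Constructed sample telemetry (assumed paths and command lines, not captured from the campaign).
T = r"C:\Users\alice\AppData\Roaming\Temp"
DOC = r"C:\Users\alice\Downloads\Economic relations.doc"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", rf'"WINWORD.EXE" /n "{DOC}"'),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", rf'cmd /c findstr /b "^var" "{DOC}" > {T}\y.js'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe", rf'wscript {T}\y.js "{DOC}"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", rf"powershell -File {T}\y.ps1"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", rf"cmd /c expand {T}\tmpA1B2.tmp -F:* {T} & del {T}\tmpA1B2.tmp"),
    ProcEvent(600, 300, r"C:\Windows\System32\wscript.exe", rf"wscript {T}\yy.js"),
    ProcEvent(700, 600, r"C:\Windows\System32\cmd.exe", rf"cmd /c {T}\check.bat"),
    ProcEvent(800, 700, r"C:\Windows\System32\rundll32.exe", rf"rundll32.exe {T}\xwtpui.dll,EntryPoint 4 {T}\install.bat"),
]
# Constructed benign activity that touches the same binaries but none of the chain's specifics.
BENIGN_EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(901, 900, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(902, 900, r"C:\Windows\System32\cmd.exe", r"cmd /c expand C:\drivers\pkg.cab -F:* C:\drivers"),
]

if __name__ == "__main__":
    for label, evts in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        stages, alert = chain_score(evts)
        print(f"{label}: {stages} stage(s) observed, alert={alert}")
```

The stage rules are deliberately keyed on the behaviours the analysis describes (findstr on "^var", scripts and DLLs run from Temp, an EntryPoint export fed a batch file) rather than on file names, so renamed droppers still score.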

Install.bat

The malware used by the attacker pretends to be the xmlprov Network Provisioning Service. This service manages XML configuration files on a domain basis for automatic network provisioning.
Install.bat is responsible for installing xmlprov.dll as a service. To achieve this goal, it performs the following actions:

  • Stop the running xmlprov service
  • Copy the dropped xmlprov.dll and xmlprov.ini into the system32 directory and delete them from the current directory
  • Check whether the xmlProv service is installed and, if it is not, create the service through svchost.exe
  • Modify the xmlProv service values, including type and binpath
  • Add xmlProv to the list of services to be loaded by svchost
  • Add xmlProv to the xmlProv registry key
  • Start the xmlProv service

Figure 8: Install.bat

xwtpui.dll

As we mentioned earlier, if the victim’s machine does not have the right privilege, xwtpui.dll is called to load the install.bat file. Since install.bat creates a service, it needs high integrity level privileges, and xwtpui.dll is used to bypass UAC and obtain the right privilege before loading install.bat.

EntryPoint is the main export function of this dll. It starts its activities by resolving API calls. All the API call names are hard coded and the actor has not used any obfuscation techniques to hide them.

Figure 9: EntryPoint

In the next step, it checks privilege level by calling the Check_Priviledge_Level function. This function performs the following actions and returns zero if the user does not have the right privilege or UAC is not disabled.

  • Call RtlQueryElevationFlags to get the elevation state by checking the PFlags value. If it is set to zero, UAC is disabled.
  • Get the access token associated with the current process using NtOpenProcessToken, then call NtQueryInformationToken to get the TokenElevationType and check whether its value is 3 (if the value is not 3, the current process is elevated). TokenElevationType can have three values:
    • TokenElevationTypeDefault (1): Indicates that UAC is disabled.
    • TokenElevationTypeFull (2): Indicates that the current process is running elevated.
    • TokenElevationTypeLimited (3): Indicates that the process is not running elevated.

Figure 10: Check privilege level

After checking the privilege level, it checks the parameter passed from check.bat that indicates the OS version. If the OS version is Windows 10 it uses a combination of a modified version of the RPC UAC bypass reported by Google Project Zero and Parent PID Spoofing to bypass UAC, while for other Windows versions it uses the “Token Impersonation” technique to bypass UAC.

Token Impersonation UAC Bypass (Calvary UAC Bypass)

Calvary is a token impersonation/theft privilege escalation technique that impersonates the token of the Windows Update Standalone Installer process (wusa.exe) to spawn cmd.exe with highest privilege to execute install.bat. This technique is part of the US CIA toolsets leak known as Vault7.

The actor used this method in its 2019 campaign as well. This UAC bypass starts by executing wusa.exe using ShellExecuteExW and getting its access token using NtOpenProcessToken. Then the access token of wusa.exe is duplicated using NtDuplicateToken. The DesiredAccess parameter of this function specifies the requested access rights for the new token; in this case the actor passed TOKEN_ALL_ACCESS, which means the new token has all the access rights of the current token. The duplicated token is then passed to ImpersonateLoggedOnUser, and a cmd instance is spawned using CreateProcessWithLogonW. At the end the duplicated token is assigned to the created thread using NtSetInformationThread to make it elevated.

Figure 11: Cavalry PE

Windows 10 UAC Bypass

The UAC bypass used for Windows 10 combines a modified version of the RPC-based UAC bypass reported by Google Project Zero with Parent PID Spoofing. The process is as follows:

  • Step 1: Creates a string binding handle for interface id “201ef99a-7fa0-444c-9399-19ba84f12a1a”, returns its binding handle, and sets the required authentication, authorization and security quality of service information for the binding handle.
  • Step 2: Initializes an RPC_ASYNC_STATE to make asynchronous calls and creates a new non-elevated process (it uses winver.exe as the non-elevated process) through NdrAsyncClientCall.
  • Step 3: Uses NtQueryInformationProcess to open a handle to the debug object by passing the handle of the created process to it. Then detaches the debugger from the process using NtRemoveProcessDebug and terminates the created process using TerminateProcess.
  • Step 4: Repeats step 1 and step 2 to create a new elevated process: Taskmgr.exe.
  • Step 5: Gets full access to the Taskmgr.exe process handle by retrieving its initial debug event. At first it issues a wait on the debug object using WaitForDebugEvent to get the initial process creation debug event, and then uses NtDuplicateObject to get the full access process handle.
  • Step 6: After obtaining the fully privileged handle of Taskmgr.exe, the actor uses this handle to execute cmd as a high privilege process that runs install.bat. To achieve this, the actor uses the Parent PID Spoofing technique: a new cmd process is spawned using CreateProcessW, and the handle of Taskmgr.exe, which is an auto-elevated process, is assigned as its parent process using UpdateProcThreadAttribute.

Figure 12: RPC Binding
Figure 13: RPC AsyncCall
Figure 14: Detach the process
Figure 15: Create Auto elevated process (TaskMgr.exe)
Figure 16: Parent PID Spoofing

Xmlprov.dll (Konni Rat)

This is the final payload, which is deployed as a service using svchost.exe. This RAT is heavily obfuscated and uses multiple anti-analysis techniques. It has a custom section named “qwdfr0” which performs the whole de-obfuscation process. The payload registers itself as a service using its export function ServiceMain.

Figure 17: ServiceMain

Even though this sample is heavily obfuscated, its functionality has not changed much and it is similar to its previous version. It seems the actor just used a heavy obfuscation process to hinder security mechanisms. VirusTotal detection of this sample at the time of analysis was 3, which indicates that the actor was successful in using obfuscation to bypass most AV products.

This RAT has an encrypted configuration file, “xmlprov.ini”, which is loaded and decrypted when the RAT starts. The functionality of this RAT starts by collecting information from the victim’s machine by executing the following commands:

  • cmd /c systeminfo: Uses this command to collect detailed configuration information about the victim’s machine, including operating system configuration, security information and hardware data (RAM size, disk space and network card info), and stores the collected data in a tmp file.
  • cmd /c tasklist: Executes this command to collect a list of running processes on the victim’s machine and stores them in a tmp file.

In the next step each of the collected tmp files is converted into a cab file using cmd /c makecab, then encrypted and sent to the attacker’s server in an HTTP POST request (http://taketodjnfnei898.c1.biz/up.php?name=%UserName%).

Figure 18: Upload data to server

After sending the data to the server it enters a loop to receive commands from the server (http://taketodjnfnei898.c1.biz/dn.php?name=%UserName%&prefix=tt). At the time of the analysis the server was down and unfortunately we do not have enough information about the next step of this attack. A detailed analysis of this payload will be published in a follow-up blog post.
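The collection, staging and upload chain just described is something a defender can hunt for in process-creation telemetry. The following is an added example (not code from the original post or from the Konni sample) that flags it in constructed Sysmon-style records; the record layout, the sample lines and the assumption that the service-hosted RAT's commands appear as cmd.exe children of svchost.exe are ours, not facts stated in the post.

```python
"""Detection example: flag the systeminfo -> tasklist -> makecab chain under a
svchost.exe-hosted service. Record layout ('Key=Value|Key=Value', Sysmon Event
ID 1 style), sample lines and the svchost.exe parent assumption are constructed
for this illustration."""
from datetime import datetime, timedelta

RECON_CMDS = ("systeminfo", "tasklist")  # collection commands named in the post
STAGE_CMD = "makecab"                    # staging step before the HTTP POST
WINDOW = timedelta(minutes=5)            # max spread between first and last step


def parse_event(line):
    """Parse one constructed record into a dict with lower-cased path fields."""
    f = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return {
        "ts": datetime.fromisoformat(f["UtcTime"]),
        "parent_image": f["ParentImage"].lower(),
        "parent_pid": int(f["ParentProcessId"]),
        "image": f["Image"].lower(),
        "cmdline": f["CommandLine"].lower(),
    }


def chain_step(ev):
    """Return the chain step a 'cmd.exe /c ...' event matches, or None."""
    if not ev["image"].endswith("cmd.exe") or "/c" not in ev["cmdline"]:
        return None
    for cmd in RECON_CMDS:
        if cmd in ev["cmdline"]:
            return cmd
    if STAGE_CMD in ev["cmdline"] and ".tmp" in ev["cmdline"]:
        return STAGE_CMD
    return None


def find_konni_chains(lines):
    """Return (parent_image, parent_pid) pairs under which a svchost.exe-hosted
    service ran both recon commands and makecab within WINDOW."""
    by_parent = {}
    for line in lines:
        ev = parse_event(line)
        step = chain_step(ev)
        if step is None or not ev["parent_image"].endswith("svchost.exe"):
            continue
        key = (ev["parent_image"], ev["parent_pid"])
        by_parent.setdefault(key, []).append((ev["ts"], step))
    hits = []
    for key, steps in by_parent.items():
        steps.sort()
        seen = {s for _, s in steps}
        spread = steps[-1][0] - steps[0][0]
        if set(RECON_CMDS) <= seen and STAGE_CMD in seen and spread <= WINDOW:
            hits.append(key)
    return hits


# Constructed sample: a full chain under svchost PID 1488, a partial one under
# svchost PID 900 (no makecab) and a benign tasklist run from explorer.exe.
SVC = "C:\\Windows\\System32\\svchost.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_LOG = [
    f"UtcTime=2021-08-20T10:00:01|ParentImage={SVC}|ParentProcessId=1488|Image={CMD}|CommandLine=cmd /c systeminfo > C:\\Users\\Public\\tmp1.tmp",
    f"UtcTime=2021-08-20T10:00:03|ParentImage={SVC}|ParentProcessId=1488|Image={CMD}|CommandLine=cmd /c tasklist > C:\\Users\\Public\\tmp2.tmp",
    f"UtcTime=2021-08-20T10:00:09|ParentImage={SVC}|ParentProcessId=1488|Image={CMD}|CommandLine=cmd /c makecab C:\\Users\\Public\\tmp1.tmp C:\\Users\\Public\\tmp1.cab",
    f"UtcTime=2021-08-20T10:02:00|ParentImage={SVC}|ParentProcessId=900|Image={CMD}|CommandLine=cmd /c systeminfo > C:\\Users\\Public\\x.tmp",
    f"UtcTime=2021-08-20T10:03:00|ParentImage=C:\\Windows\\explorer.exe|ParentProcessId=4100|Image={CMD}|CommandLine=cmd /c tasklist",
]

if __name__ == "__main__":
    for parent, pid in find_konni_chains(SAMPLE_LOG):
        print(f"Konni-style recon/staging chain under {parent} (PID {pid})")
```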

Campaign Analysis

Konni is a RAT that is potentially used by APT37 to target its victims. The main victims of this RAT are mostly political organizations in Russia and South Korea, but it is not limited to these countries; it has also been observed targeting Japan, Vietnam, Nepal and Mongolia.

There were several operations that used this RAT, but specifically the campaigns reported by ESTsecurity and CyberInt in 2019 and 2020 are similar to what we reported here. In those campaigns the actor used Russian-language lures to target Russia. There are several differences between past campaigns of this actor and what we documented here, but the main process is the same: in all the campaigns the actor uses macro-weaponized documents to download a cab file and deploy the Konni RAT as a service.

Here are some of the major differences between this new campaign and older ones:

  • The macros are different. In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content.
  • In the new campaign JavaScript files have been used to execute batch and PowerShell files.
  • The new campaign uses PowerShell and URLMON API calls to download the cab file, while in the old campaign it used certutil to download the cab file.
  • The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique.
  • In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore. It also does not use FTP for exfiltration.

Malwarebytes customers are protected against this campaign.


IOCs


Domains:
takemetoyouheart[.]c1[.]biz
taketodjnfnei898[.]ueuo[.]com
taketodjnfnei898[.]c1[.]biz
romanovawillkillyou[.]c1[.]biz

The post New variant of Konni malware used in campaign targeting Russia appeared first on Malwarebytes Labs.

Largest DDoS attack ever reported gets hoovered up by Cloudflare

On the Cloudflare blog, the American web infrastructure behemoth that provides content delivery network (CDN) and DDoS mitigation services reports that it detected and mitigated a 17.2 million request-per-second (rps) DDoS attack. To put that number in perspective, the company reports that this is three times as large as anything it has seen before.

DDoS

In a DDoS attack, an attacker tries to stop people from using a service by making it so busy it either crashes or grinds to a halt. It does this by flooding the service with spurious requests from multiple, distributed locations.

If hacking is opening a door by picking its lock, then DDoS is blocking the door by boarding it up from the outside.

The target

The target of this enormous DDoS attack was a customer of Cloudflare in the financial sector. Cloudflare reports that within seconds, the botnet bombarded its edge with over 330 million requests.

For Internet devices, the network edge is where the device, or the local network containing the device, communicates with the Internet. The “edge” in this case refers to the Cloudflare CDN, which customers use to improve the performance of their websites. CDNs are geographically dispersed clusters of servers that store web content. When users try to access a website that uses a CDN, they actually get directed to the nearest CDN server rather than the website itself, and Cloudflare handles the web traffic. Similarly, if somebody tries to DDoS attack the website, the attack ends up hitting the Cloudflare CDN.

The Cloudflare CDN is absolutely enormous, and is used by almost 20% of all websites, which means it can handle an absolutely enormous amount of traffic.

The botnet

The attack traffic is reported to have originated from more than 20,000 bots in 125 countries around the world. Based on the bots’ source IP addresses, almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined. Cloudflare attributes this attack to the Mirai botnet. Although the number of Mirai bots is on the decline, the botnet was still able to generate impressive volumes of attack traffic for short periods.

You may remember hearing about this botnet after the massive East Coast internet outage of 2016 when the Mirai botnet was leveraged in a DDoS attack aimed at Dyn, an Internet infrastructure company. Traffic to Dyn’s Internet directory servers throughout the US—primarily on the East Coast but later on the opposite end of the country as well—was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system.

Although it hasn’t generated headlines like that for a few years, we recently posted about how Mirai was trying to add a host of home routers to its collection of compromised devices. It was found hijacking routers using a vulnerability that had been disclosed only two days earlier.

As it happens Microsoft wrote about the Mozi botnet, which is essentially a Mirai variant, going after Netgear, Huawei, and ZTE gateways by using clever persistence techniques that are specifically adapted to each gateway’s particular architecture. Last year, security experts from IBM X-Force said that the Mozi botnet accounted for 90 percent of traffic from IoT devices at that time.

Vulnerabilities

Mirai works by harnessing tens of thousands of small, low-powered Internet-of-Things (IoT) devices, such as Internet-connected cameras and home routers. Although each device it compromises only adds a little horsepower to Mirai’s engine, there are plenty of them to hijack.

Vulnerabilities in home networking equipment often go unpatched for long periods, since most home users are unaware that such vulnerabilities exist and many lack the skills and/or confidence to apply a patch if one is made available.

Almost the same can be said about many small and medium-sized businesses. As long as the equipment works, many fail to see the need for patching or for replacing vulnerable devices. In some cases patches are not even made available, because the devices have been replaced by newer models or because vendors fail to inform users that the vulnerability exists in the first place.

Mitigation

When it comes to blocking DDoS attacks there is not much businesses can do, except hire specialized help. But there are some things you can do so that you do not become part of the problem.

Businesses and consumers alike should also start worrying about securing their IoT devices in a manner that they can’t be used in a DDoS botnet. We have an excellent article called Internet of Things (IoT) security: what is and what should never be that explains in detail why and how you can make the IoT a safer place.

And maybe, just maybe, we should try and work out Internet protocols that are designed so that they do not offer opportunities for DDoS attacks.

The post Largest DDoS attack ever reported gets hoovered up by Cloudflare appeared first on Malwarebytes Labs.

Beware of COVID Pass scams

You’ve likely seen fake parcel delivery texts in the news recently, and we’ve covered a few of these ourselves. SMS missives claim a package is waiting to be delivered, and a small processing fee is required. There is no package; it’s a ruse to have people hand over their credit card details. It’s been wildly successful during lockdown, at a time when many are having to order almost everything they can online.

This isn’t the only bogus SMS message doing the rounds, however. COVID-19 is proving to be a crucial piece of bait for this kind of tactic, as we’ll see below.

The road to a (non-existent) COVID Pass

This attack is aimed at residents of the UK. It makes use of social engineering in a similar fashion to other pandemic-themed SMS texts, with a strong psychological aspect tied in for good measure.

This one works as follows:

  1. SMS messages are sent to unsuspecting individuals.
  2. The linked site is HTTPS, to give that added sheen of “this is the real website, because it’s got a padlock”. Hopefully you know that a padlock does not mean you can trust a website; many don’t.
  3. The site design imitates the usual look and feel of NHS websites, specifically those related to COVID-19. Here’s an example of the real thing.
  4. The scammers ask for a lot of details across multiple pages, beginning with “the exact name used when you registered with your GP surgery”. From there, they ask for date of birth, post code, and an address where they can deliver “your Covid pass credentials to be registered on our NHS app”. After this, they request “a payment of £4.99 to process your Covid Pass application”.
Fake “Covid Pass” site
Fake “Covid Pass” site asking for payment details

This doesn’t get a free pass to your bank account

It’s important to note that the UK does have an actual Covid Pass system in place. There’s a proper process, and it doesn’t involve handing money over to random websites. It’s also worth noting that there have been a number of other scams along these same lines.

Should you receive one of these text messages, you can safely ignore it and report it as spam while you’re at it.

The post Beware of COVID Pass scams appeared first on Malwarebytes Labs.

T-Mobile customers, change your PINs

At the end of last week, T-Mobile was investigating reports of a “massive” customer data breach. A hacker claimed to have stolen 100 million people’s data from T-Mobile’s servers, including everything from names and driver licences to addresses and social security numbers.

It’s now confirmed that something bad did take place. T-Mobile’s estimate is currently “at least” 47m affected people, with around 7.8 million current postpaid customers impacted. The most pressing issue is that of postpaid account customers’ PINs.

PIN compromise

Roughly 850k active prepaid accounts had account PINs exposed, along with names and phone numbers. These PINs are used to help identify the account owner on customer service phone calls. If a scammer knows your PIN, they can potentially perform a SIM swap attack, giving them control of your mobile number, SMS messages, SMS 2FA… Gaining control of a mobile device isn’t far off having the keys to someone’s digital kingdom.

What to do?

T-Mobile have outlined the situation thus far, along with some pieces of advice for anybody worried by recent events.

The priority has to be the PIN codes. The company recommends ALL postpaid customers change their PIN to a new one, not just the 850k people known to be affected, just in case. This is because they currently have no evidence that postpaid PINs have been taken, but better safe than sorry.

They also recommend postpaid customers sign up to their Account Takeover Protection service to make things even harder for would-be hijackers. We note that T-Mobile also has a biometric verification feature, which can replace the problem of compromised PINs altogether. With a bit of luck, these proactive steps will help ease the concerns of anyone affected by this breach.

Even so, there are a few more things to be wary of on the horizon.

What’s next?

Any time a breach occurs, a key concern has to be phishing and social engineering. Personal information is a goldmine for people who are up to no good. Customers should brace themselves for criminals taking advantage of the situation with a wave of fresh phish served up…now with more personalisation than ever before.

Anyone affected by a data breach before—and that’s a lot of us—will be familiar with the credit score dance that comes after. T-Mobile is offering “2 years of free identity protection services”, and have not long ago published a dedicated breach page.

From there, people can see an easy-to-digest slice of information which:

  • Explains what happened, details compromised data, and mentions their next steps.
  • Clearly advises what customers can do next, including a variety of security steps and a few additional resources related to credit score / monitoring / related services.
  • Lists a contact number for support calls, which is something that can easily go missing on a page like this.

All in all, not a great situation for anybody to be in. However, T-Mobile have done a good job of rounding up the details and making it obvious what people should do next. This hasn’t always been the case with major breaches in the past, and one hopes this can continue the next time something bad happens. That one-stop-shop page will almost certainly be updated should fresh information emerge, so T-Mobile customers would be wise to bookmark it for the coming weeks or months.

The post T-Mobile customers, change your PINs appeared first on Malwarebytes Labs.

Cisco Small Business routers vulnerable to remote attacks, won’t get a patch

In a security advisory, Cisco has informed users that a vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

Normally we’d say “patch now”, but you can’t, and you’ll never be able to because a patch isn’t coming.

CVE-2021-34730

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-34730. As a result of improper validation of incoming UPnP traffic an attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device.

A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system, or cause the device to reload, resulting in a DoS condition. “Executing arbitrary code as the root user” is tantamount to “do whatever they like”, which is bad. A CVSS score of 9.8 out of 10 bad. (CVSS can help security teams and developers prioritize threats and allocate resources effectively.)

UPnP

Universal Plug and Play (UPnP) is a set of networking protocols that permit networked devices, like routers, to seamlessly discover each other’s presence on a network and establish functional network services.

From that description alone it should be clear that, from a security point of view, this protocol has no place on an Internet-facing device. Once you have set up your connections to the internal devices there is no reason to leave UPnP enabled. There are plenty of reasons to disable it.

A lot of the problems associated with UPnP-based threats can be linked back to security issues during implementation. Router manufacturers historically have not been very good at securing their UPnP implementations, which often leads to the router not checking input properly. Which is exactly what happened here. Again.

And then there are vulnerabilities in UPnP itself. The most famous one is probably CallStranger, caused by the Callback header value in UPnP’s SUBSCRIBE function, which can be controlled by an attacker; the resulting vulnerability affected millions of Internet-facing devices.

That particular vulnerability should have been patched by most vendors by now by the way. But CVE-2021-34730 won’t be, here’s why…

No patch

The affected routers have entered the end-of-life process and so Cisco has not released software updates to fix the problem. According to the security advisory, it seems they have no plans to do so either:

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory.” Cisco also says it is not aware of any malicious use of the vulnerability.

Since there are no workarounds that address this vulnerability, the only choice that administrators have is to disable the affected feature (UPnP). Or buy a new router. Since the routers won’t receive any updates for issues in future either, we suggest you do both: Disable UPnP now, and buy a new router soon.

Mitigation

For owners of the affected routers it is particularly important to check that UPnP is disabled both on the WAN and the LAN interface. The WAN interface is set to off by default but that doesn’t mean it hasn’t been changed since. The LAN interface is set to on by default and needs to be turned off. Cisco advises that to disable UPnP on the LAN interface of a device, you do the following:

  • Open the web-based management interface and choose Basic Settings > UPnP.
  • Check the Disable check box.

It is important to disable UPnP on both interfaces because that is the only way to eliminate the vulnerability.
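Having clicked the Disable box is one thing; confirming that nothing on the LAN still answers UPnP discovery is another. The following is an added example (not Cisco’s code or the post’s) that sends a standard SSDP M-SEARCH to the UPnP multicast group from a host on the LAN and lists every responder with its SERVER and LOCATION headers, so a router that still advertises UPnP stands out; the sample reply used to exercise the parser is constructed.

```python
"""UPnP exposure check (added example): probe the LAN with SSDP M-SEARCH and
list anything that answers. An empty result after the router's UPnP has been
disabled on both interfaces is the outcome a defender wants to see."""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)   # standard UPnP multicast group/port
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"            # ask responders to spread replies over 2 seconds
    "ST: ssdp:all\r\n"     # every service type, not just root devices
    "\r\n"
).encode()


def parse_ssdp_response(data: bytes) -> dict:
    """Parse an SSDP (HTTP-over-UDP) reply into {lower-case header: value}.
    Anything that is not an 'HTTP/1.1 200 OK' M-SEARCH reply yields {}."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line:
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(timeout: float = 3.0) -> dict:
    """Send one M-SEARCH and return {responder_ip: headers} until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(M_SEARCH, SSDP_GROUP)
        while True:
            data, (ip, _) = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers:
                found.setdefault(ip, headers)   # one entry per responder
    except socket.timeout:
        pass                                    # no more replies: done
    finally:
        sock.close()
    return found


def summarize(found: dict) -> list:
    """One human-readable line per responder, for the report or a ticket."""
    return [f"{ip}: SERVER={h.get('server', '?')} LOCATION={h.get('location', '?')}"
            for ip, h in sorted(found.items())]


if __name__ == "__main__":
    hits = discover()
    if not hits:
        print("No SSDP responders: nothing on this segment is advertising UPnP.")
    for line in summarize(hits):
        print(line)
```

Run it from a wired client on the router’s LAN; a responder whose LOCATION points at the router’s own address means UPnP is still enabled on that interface.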

Stay safe, everyone!

The post Cisco Small Business routers vulnerable to remote attacks, won’t get a patch appeared first on Malwarebytes Labs.