IT NEWS

Patch now! Insecure Hikvision security cameras can be taken over remotely

In a detailed post on GitHub, security researcher Watchful_IP describes how he found that the majority of Hikvision's recent camera product ranges are susceptible to a critical, unauthenticated, remote code execution (RCE) vulnerability, even with the latest firmware.

Hikvision

Hangzhou Hikvision Digital Technology Co., Ltd. engages in the development, production, and sale of security products. Its business activities include the provision of services for hard disk recorders, video codes, video servers, surveillance cameras, monitoring of ball machine, road mounts and other products, as well as security services. The company was founded on November 30, 2001 and is headquartered in Hangzhou, China.

According to global market data provider IHS Markit, Hikvision has 38% of the global market share, and it has been the market leader since 2011. Hikvision is also known for its research on technologies such as visual recognition, cloud computing, and their adoption in security scenarios.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability found by Watchful_IP is listed under CVE-2021-36260 and could allow an unauthenticated attacker to gain full access to the device and possibly perform lateral movement into internal networks.

The critical bug received a severity score of 9.8 out of 10 on the CVSS scale. The severity is underlined by the fact that it gives an attacker more access than the owner of the device has: the owner is restricted to a limited protected shell (psh), which filters input to a predefined set of limited, mostly informational commands.

According to the researcher, the vulnerability has existed at least since 2016. All an attacker needs is access to the http(s) server port (typically 80/443). No username or password is needed, nor are any actions needed from the camera owner. The attack will not be detectable by any logging on the camera itself. A threat actor can exploit the vulnerability to launch a command injection attack by sending some messages with specially crafted commands.

Affected products

Users can find a list of affected products in the security notification from Hikvision. Among them are IP cameras and PTZ cameras. PTZ is short for Pan/Tilt/Zoom, and the name is used for cameras that can be remotely controlled and pointed. These cameras can be, and often are, used in surveillance mode, where they cover an area by moving between preset points; the footage is often recorded so it can be reviewed at a later time.

Users of other brands should also be aware that a huge number of OEM resellers offer Hikvision cameras under their own model numbers.

Responsible disclosure

The researcher has not disclosed any specifics about the attack to protect potential victims. In his post he describes how he worked with Hikvision since the discovery made on Sunday June 20, 2021. He was extremely pleased that they took him seriously and involved him in taking care of the problem.

On August 17, Watchful_IP received the patched IPC_G3 (V5.5.800 build 210628) and IPC H5 (V5.5.800 build 210628) firmware from HSRC for testing.

“Decrypted and reversed the code in addition to live testing on my own equipment and confirmed to HSRC that the patched firmware resolves the vulnerability.

Was further pleased to note this problem was fixed in the way I recommended.”

We are glad that researchers like this check the security of the products we use and do responsible disclosure when they find problems, so manufacturers can resolve matters before some cybercriminal can start using our security equipment against us.

Mitigation

A word of caution is needed here, since not all of the software portals have been supplied with the latest firmware that is patched against this attack. To be sure of getting a patched version, Hikvision recommends downloading the latest firmware for your device from the global firmware portal. The researcher, however, notes that at the time of writing the updated firmware seems to be properly deployed on the Hikvision China region firmware portal for Chinese region devices, but only partially on the global site. If you are in doubt, there is a list of the vulnerable firmware versions in the researcher's post.

In general it is a good idea not to make your cameras accessible from the internet, and if you do, put them behind a VPN.
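As an added example (not the researcher's or Hikvision's own tooling), here is a small inventory triage that parses firmware strings in the layout the article quotes (V5.5.800 build 210628) and sorts devices into "patched" and "needs update" buckets against the patched IPC_G3 and IPC H5 builds named above. The platform labels and the sample inventory are constructed, and it assumes that later builds of the same product line keep the fix.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Firmware(NamedTuple):
    """Hikvision firmware identity as printed in the advisory, e.g. V5.5.800 build 210628."""
    major: int
    minor: int
    patch: int
    build: int  # build date as YYMMDD, so integer order matches date order


# Version string layout as it appears in the article; anything else is treated as unparseable.
_FIRMWARE_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{6})$", re.IGNORECASE)


def parse_firmware(text: str) -> Optional[Firmware]:
    """Parse 'V5.5.800 build 210628' into a comparable tuple; None if the layout is unknown."""
    match = _FIRMWARE_RE.match(text.strip())
    if match is None:
        return None
    return Firmware(*(int(group) for group in match.groups()))


# Patched builds the article reports Hikvision supplied for testing. The platform keys are
# assumed inventory labels; extend the table from Hikvision's security notification for
# other product lines.
PATCHED_BUILDS: Dict[str, Firmware] = {
    "IPC_G3": Firmware(5, 5, 800, 210628),
    "IPC_H5": Firmware(5, 5, 800, 210628),
}


def assess(platform: str, version_text: str) -> str:
    """Classify one inventory entry.

    Returns one of:
      'patched'          version is at or above the patched build for that platform
      'needs_update'     version is below the patched build: check it against the
                         vulnerable-version list in the researcher's post and update
      'unknown_platform' no patched build recorded for this platform
      'unparseable'      version string did not match the expected layout
    Assumption: builds newer than the patched one on the same platform keep the fix.
    """
    # Accept both spellings used in the article ("IPC_G3", "IPC H5").
    reference = PATCHED_BUILDS.get(platform.strip().upper().replace(" ", "_"))
    if reference is None:
        return "unknown_platform"
    firmware = parse_firmware(version_text)
    if firmware is None:
        return "unparseable"
    # Tuple comparison orders by version first, then by build date.
    return "patched" if firmware >= reference else "needs_update"


def triage_inventory(rows: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group (device_id, platform, version) rows by assessment; the 'needs_update'
    bucket is the work list."""
    buckets: Dict[str, List[str]] = {}
    for device_id, platform, version_text in rows:
        buckets.setdefault(assess(platform, version_text), []).append(device_id)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("cam-lobby", "IPC_G3", "V5.5.800 build 210628"),
        ("cam-yard", "IPC H5", "V5.5.82 build 200710"),
        ("cam-dock", "IPC_G3", "5.5.800"),
        ("cam-gate", "SOME_OTHER_LINE", "V5.5.800 build 210628"),
    ]
    for bucket, ids in sorted(triage_inventory(sample).items()):
        print(f"{bucket}: {', '.join(ids)}")
```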

The post Patch now! Insecure Hikvision security cameras can be taken over remotely appeared first on Malwarebytes Labs.

MSHTML attack targets Russian state rocket centre and interior ministry

Malwarebytes has reason to believe that the MSHTML vulnerability listed under CVE-2021-40444 is being used to target Russian entities. The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.

The first template we found is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic holding of the country’s defense and industrial complex for both the rocket and space industry. It is also the lead developer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia’s largest research and development centers for developing rocket and space technology.

The email claims to come from the Human Resources (HR) department of the organization.

Image: A phishing email targeted at the Makeyev State Rocket Center, posing as its own HR department

It says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. And that action is enough to trigger the exploit.

The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.

The second attachment we found claims to originate from the Ministry of the Interior in Moscow. An attachment of this type can be used against a wide range of targets.

Image: A phishing email posing as the Russian Ministry of the Interior

The title of the document translates to “Notification of illegal activity.” It asks the receiver to please fill out the form and return it to the Ministry of Internal Affairs, or reply to this email. It also urges the intended victim to do so within 7 days.

Russian targets

It is rare that we find evidence of cybercrimes against Russian targets. Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard.

Patched vulnerability

The CVE-2021-40444 vulnerability may be old-school in nature (it involves ActiveX, remember that?) but it was only recently discovered. It wasn’t long before threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that everyone was able to follow step-by-step instructions in order to launch their own attacks.

Microsoft quickly published mitigation instructions that disabled the installation of new ActiveX controls, and managed to squeeze a patch into its recent Patch Tuesday output, just a few weeks after the bug became public knowledge. However, the time it takes to create a patch is often dwarfed by the time it takes people to apply it. Organizations, especially large ones, are often found trailing far behind with applying patches, so we expect to see more attacks like this.

Stay safe, everyone!

The post MSHTML attack targets Russian state rocket centre and interior ministry appeared first on Malwarebytes Labs.

Google, geofence warrants, and you

Another day, another example of how the data sharing choices we make can come back to haunt us. The Guardian reports on a Florida resident who found his bike ride data requested by law enforcement, because his route took him close to the scene of a burglary a year earlier.

According to the report, he had just seven days to put something in front of a judge to block the data’s release. Not everyone would know how to do this, much less have heard of geofencing before.

What happened here?

Geofencing 101

Geofencing wraps virtual “fences” around real locations. It’s commonly talked about in relation to advertising and marketing activities, and it helps you track movement by pinging away should you enter or leave a specified location. It can be helpful or adversarial, depending on your need, and your point of view. It can be used for things as varied as keeping your advertising spend focussed on people from a particular area, or checking that serious offenders under some form of house arrest don’t stray outside the areas they’re allowed to visit.

What is a geofence warrant?

A geofence warrant, also known as a “reverse location warrant”, involves grabbing data on everybody close to a crime scene. Were you involved? Or simply passing by? Doesn’t matter! Into the pile of law enforcement data you go. You just have to hope you’re not caught up in some sort of mistaken identity fiasco down the line.

These warrants are increasingly being used for all sorts of reasons. The fear is they’ll contribute to a chilling effect on free speech, protest, and more. Indeed, Google has recently said these warrants “make up one quarter of all US demands” for its data. It’s easy to see why this would be the case. It’s lots of incredibly precise movement data, tied to big slices of people’s personal identity and physical objects kept about their person.

Which keywords open the door?

It’s not just geofencing causing headaches for privacy advocates. Requests for keyword searches are very popular too. This is where your search history is grabbed and examined for signs of…well…who knows. Essentially, you’re at the mercy of completely random investigations aligning with your completely random searches.

While Google states these data requests “…represent less than 1% of total warrants and a small fraction of the overall legal demands for user data that we currently receive”, it’s still rather uncomfortable to think about.

Is there any refuge in anonymity?

Well, that’s a very good question. There are plenty of examples where theoretically anonymous data turned out not to be, after ending up online. Time and again we’ve seen that, with surprisingly few data points, users can be identified from anonymised data.

Geofence warrants leapfrog several of those issues and go directly for the user ID. If you make use of any form of location data whatsoever, it can be used against you. Even if you disable your Bluetooth, refuse beacon access, turn off all GPS features, choose not to store your exercise routes in your latest exercise app. Simply carrying the phone around and using it as intended is potentially more than enough.

There is no simple solution to this one; primarily it’s down to Google to run a tight ship. It’s also incumbent on privacy orgs and people working at various levels of Government to ensure no overreach is taking place.

What can I do to reduce any privacy risk?

You can consider using services other than Google. If you don’t want your entire online existence in one big pot of data, feel free to mix and match a little. Try out DuckDuckGo for your searching perhaps, or fire up a VPN. Just be aware that other organisations may not have the same outlook on these requests as Google does. It might be the case that they don’t have the same legal might Google carries. They may have no policy on this kind of request at all, and hand everything they have on you to whoever asks for it. This would probably not be ideal in the privacy stakes.

The choice, as they say, is yours.

The post Google, geofence warrants, and you appeared first on Malwarebytes Labs.

New Mac malware masquerades as iTerm2, Remote Desktop and other apps

Last week, security researcher Patrick Wardle released details of a new piece of malware masquerading as the legitimate app iTerm2. The malware was discovered earlier the same day by security researcher Zhi (@CodeColorist on Twitter), and detailed on a Chinese-language blog. (For those who don’t speak Chinese, Safari seems to do a fair job of translating it.)

iTerm2 is a legitimate replacement for the macOS Terminal app, offering some powerful features that Terminal does not. It is frequently used by power users. It is a favorite of security researchers because of the propensity for Mac malware to take control of, or detect usage of, the Terminal app, which can interfere with attempts to reverse engineer malware. This makes iTerm2 an ideal app to trojanize in order to infect people who may have access to development systems, research intelligence, etc.

Image: iTerm2 is a popular replacement for the macOS Terminal app

The website for the legitimate iTerm2 app is iTerm2.com. However, the malicious version of iTerm2 was apparently being distributed via iTerm2[.]net, which was a very convincing duplicate of the legitimate iTerm2 site.

Clicking the download link on the lookalike site would result in an iTerm2.dmg disk image file being downloaded from kaidingle[.]com.

Image: The malware comes in a disk image that contains a link to the Applications folder with a Chinese name

The disk image throws the first red flag. The real iTerm2 is distributed in a zip file, rather than a disk image. Further, for an app with a very professionally designed website, the disk image file is quite unpolished. It also includes a link to the Applications folder with a Chinese name, which is unusual for an app that is English-only and does not contain any Chinese localization files.

Malware behavior

The malicious iTerm2 app appears to be a legitimate copy of the iTerm2 app, but with one file added:

iTerm.app/Contents/Frameworks/libcrypto.2.dylib

When launched, the malicious app loads and runs the malicious libcrypto.2.dylib dynamic library, which in turn does a couple of things.

The main purpose seems to be to connect to 47.75.123[.]111, from which it downloads a Python file named g.py and a mach-O binary named GoogleUpdate into the /tmp folder, then executes both of them.

The GoogleUpdate binary is heavily obfuscated, and it’s currently not known exactly what it does. However, according to Patrick, it communicates with what appears to be a Cobalt Strike server (47.75.96[.]198:443), which may mean it is a Cobalt Strike “beacon,” which would provide comprehensive backdoor access to the attacker.

The g.py file is clear-text Python code, and thus its intent is quite clear. It collects the following data:

  • Machine serial number.
  • Contents of the user’s home, desktop, Documents, and Downloads folders.
  • Applications folder contents.
  • Command histories for bash and zsh, which can contain sensitive information such as credentials.
  • The git config file, which contains potentially sensitive information, including an e-mail password.
  • The /etc/hosts file, which can contain details on custom servers accessed by the user.
  • The .ssh folder, which can contain credentials for SSH.
  • The user’s keychains, which contain many credentials and can be unlocked if the user’s password can be obtained.
  • The config file for SecureCRT, a terminal emulator program.
  • The saved application state for iTerm2.

These files are all copied into ~/Library/Logs/tmp/ and compressed into a file at ~/Library/Logs/tmp.zip, which is then uploaded to http://47.75.123[.]111/u.php?id=%s (where the %s is replaced with the machine’s serial number).

Thus, the primary goal of the g.py script seems to be to harvest credentials and other data that would be of use for lateral movement within an organization. Presumably, the backdoor provided by the GoogleUpdate process would be used to perform that lateral movement and infect other machines.
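To check a Mac for the artifacts described above, here is an added triage script (not the researchers' tooling, and not part of the original post). It looks for the planted Contents/Frameworks/libcrypto.2.dylib inside app bundles, the g.py and GoogleUpdate payloads in /tmp, and the ~/Library/Logs/tmp staging directory and tmp.zip archive; the .app bundle names are assumptions.

```python
"""Host triage for the OSX.ZuRu artifacts the article describes (added example)."""
import hashlib
from pathlib import Path
from typing import Dict, List

# Relative path of the one file the article reports was added to the otherwise legitimate app.
PLANTED_DYLIB = Path("Contents/Frameworks/libcrypto.2.dylib")

# Apps the article lists as trojanized; the .app bundle names are assumptions.
TROJANIZED_APP_BUNDLES = {
    "iTerm.app",
    "Microsoft Remote Desktop.app",
    "SecureCRT.app",
    "Navicat Premium.app",
}

# Payloads the dylib downloads into /tmp, and the data-staging paths g.py uses.
DROPPED_PAYLOADS = ("g.py", "GoogleUpdate")
STAGING_DIR = Path("Library/Logs/tmp")
STAGING_ARCHIVE = Path("Library/Logs/tmp.zip")

Finding = Dict[str, str]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_app_bundles(apps_dir: Path) -> List[Finding]:
    """Report every .app bundle that carries the planted dylib.

    The hash is recorded so the analyst can compare it with a known-good copy;
    some apps may ship an OpenSSL library legitimately, so presence alone is
    a lead, not a verdict.
    """
    findings: List[Finding] = []
    if not apps_dir.is_dir():
        return findings
    for bundle in sorted(apps_dir.iterdir()):
        if bundle.suffix != ".app":
            continue
        dylib = bundle / PLANTED_DYLIB
        if dylib.is_file():
            findings.append({
                "indicator": "planted_dylib",
                "path": str(dylib),
                "sha256": sha256_file(dylib),
                "listed_app": "yes" if bundle.name in TROJANIZED_APP_BUNDLES else "no",
            })
    return findings


def check_dropped_artifacts(tmp_dir: Path, home: Path) -> List[Finding]:
    """Report the /tmp payloads and the ~/Library/Logs staging paths if present."""
    findings: List[Finding] = []
    for name in DROPPED_PAYLOADS:
        payload = tmp_dir / name
        if payload.is_file():
            findings.append({"indicator": "dropped_payload", "path": str(payload),
                             "sha256": sha256_file(payload), "listed_app": "n/a"})
    for rel, kind in ((STAGING_DIR, "staging_dir"), (STAGING_ARCHIVE, "staging_archive")):
        target = home / rel
        if target.exists():
            findings.append({"indicator": kind, "path": str(target),
                             "sha256": sha256_file(target) if target.is_file() else "",
                             "listed_app": "n/a"})
    return findings


def triage(apps_dir: Path = Path("/Applications"),
           tmp_dir: Path = Path("/tmp"),
           home: Path = Path.home()) -> List[Finding]:
    """Run both checks; an empty list means none of the named artifacts were found."""
    return check_app_bundles(apps_dir) + check_dropped_artifacts(tmp_dir, home)


if __name__ == "__main__":
    hits = triage()
    if not hits:
        print("no OSX.ZuRu artifacts found in the checked locations")
    for hit in hits:
        print(f"[{hit['indicator']}] {hit['path']} sha256={hit['sha256'] or '-'} "
              f"listed_app={hit['listed_app']}")
```

Run it as the affected user so ~/Library resolves to the right home; a hit on the dylib should be followed by replacing the app from the developer's official site, as the article advises.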

Additional trojanized apps

Subsequent findings revealed additional apps that had also been trojanized, using the same libcrypto.2.dylib file. These apps were:

  • Microsoft Remote Desktop
  • SecureCRT
  • Navicat Premium (a database management app)

Who is affected?

At the moment, few people with Malwarebytes installed seem to be affected. We’ve only seen a detection on one computer so far, in Asia.

There are indications that this malware may be primarily distributed in China and other southeast Asian countries, where Malwarebytes has a relatively small install base. For readers outside that region, you probably don’t have much to fear.

However, out of an abundance of caution, if you have one of these apps, it would not be a bad idea to replace them with a known legitimate copy, being sure to get it from the official website of the developer rather than from a lookalike site or a download mirror.

You should also run a scan with Malwarebytes, which will detect this malware as OSX.ZuRu.

Samples

iTerm2.dmg                   e5126f74d430ff075d6f7edcae0c95b81a5e389bf47e4c742618a042f378a3fa
com.microsoft.rdc.macos.dmg  5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259
Navicat15_cn.dmg             6df91af12c87874780cc9d49e700161e1ead71ae045954adbe7633ec9e5e45ff
SecureCRT.dmg                1e462f8716275dbae6acb3ff4f7a95624c1afb23c5069fa42a14ed49c2588921

The post New Mac malware masquerades as iTerm2, Remote Desktop and other apps appeared first on Malwarebytes Labs.

Internet safety tips for kids and teens: A comprehensive guide for the modern parent

When it comes to picking a new device for your child, it’s often difficult to know where to start.

Whether you’re looking for a smartphone, a laptop, a gaming device or something else, or even just signing up for an account online, you want to make sure your kids are protected. It’s important to get the basics right, and you also want to be able to set parental controls, leaving little room for your child to end up in online destinations you don’t want them going.

Of course, setting controls shouldn’t be a be-all and end-all. Nothing can replace having good and open communication with your kids.

Today’s generation of kids and teens consider their devices and the Internet as extensions of their lives. So it’s really important to talk to them about how they should use their devices responsibly, what they should and shouldn’t be doing online, and how they should be treating other people.

So without further ado, let’s dive into what we should be teaching our kids about Internet safety and what we can do to enforce these teachings.


C O N T E N T S

  1. Keep your online accounts secure
  2. Respect your privacy
  3. Capture and share with care
  4. Take care of your data
  5. Take care of your device
  6. Be wary of certain sites and content online
  7. Be kind

7 Internet safety tips

1. Keep your online accounts secure

Whether your child needs their own personal email address, an account for school, or a social media login, the advice is largely the same. Show them these tips:

Never use the same password twice

It seems like we can’t go a week—or even a day sometimes—without hearing about an online service being breached.

After a breach, cybercriminals often sell and re-sell the stolen data. And if your child uses the same password across multiple accounts, when one gets breached they are all vulnerable.

This is where a password manager comes in.

As parents and carers, you can introduce your kids to this nifty tool. Not only can it create lengthy and complex passwords, it remembers them all for you. Many of them auto-populate the login fields when you attempt to access an online account, so you know you are on the correct site and not an imitation site that’s phishing you.

Use strong passwords

You need to make sure the passwords your kids use are strong, and by today’s standard, this means they should have a decent amount of length.

Some websites cap the number of characters you can use in a password. Others welcome whatever level of complexity you can bake into a password. What you should look for is a site with a set minimum password length of 8 characters. Anything below that…you might want to reconsider ever joining at all.

A strong password is one that nobody else knows, and is extremely hard (for a powerful computer) to guess. Make sure your child uses the maximum length with the maximum level of complexity a site can offer. For example, if a site only allows passwords that are 18 characters long and a combination of numbers and big or small letters, then create a password that has all these elements.

Your password manager can help with this. Just make sure you choose a super-strong password for the manager itself.

Enable multi-factor authentication (MFA)

Passwords alone just aren’t enough these days. You need to put in as much friction as possible in order to protect your kids’ accounts. Multi-factor authentication is a great step to add in on every service that offers it.

MFA provides an additional layer of identity confirmation. Once your child has entered their username and password, they’ll need to prove they are the account holder by using another method of verification. This could be a one-time login code sent via text, a code on an authenticator app, or a push notification, among others.

Make sure your child takes advantage of this feature when available, and if a site your child would like to try doesn’t have MFA, perhaps the better question to ask is: Security-wise, should they even be using it?

2. Respect your privacy

In our Malwarebytes 2019 Privacy Survey we found that younger generations of Internet users are actually quite privacy-conscious. However, one thing we learned is that when it comes to personally identifiable information (PII), younger people tend to have different opinions from older generations on what counts as personal data and what doesn’t.

Various states, countries, and organizations also have their own list of what data should and shouldn’t be considered PII. The European Union, for example, considers an IP address as personal data, but under the California Consumer Privacy Act (CCPA) an IP address is only “sometimes” classed as PII.

Clearly it’s confusing. But teach your kids to, at the very least, carefully consider not sharing:

  • their full name
  • the school they’re currently attending
  • their personal contact number
  • their personal email address
  • their Social Security Number (SSN)
  • your home address
  • your home phone number/landline (if you still use one)
  • email addresses of relatives and/or friends
  • information about relatives and friends, such as where they work.

Telling your kids what they can share and what they shouldn’t is a good first step to taking their privacy seriously.

From here, carefully look through your child’s browser privacy and security settings to make sure they’re as tight as they can be. Do this on all the devices they use, including their smartphones.

You might also want to install some privacy- and security-enhancing extensions for the browser. If you don’t know where to start, Pieter Arntz, Malware Intelligence Researcher and regular contributor to the Malwarebytes Labs blog, has shared the six brilliant Chrome extensions he personally uses.

Bonus points if you can encourage your kid into using a browser that is already optimized for privacy and security.

Lastly, don’t just stop at browsers. Your child’s social media platform of choice may need its privacy and security settings tinkering with as well.

3. Capture and share with care

If your kid respects their own privacy, then they should respect other people’s privacy, too.

Thanks to smartphones, we’ve all found our inner shutterbug. While being creative is good, snapping images here and there and sharing them online with nary a thought is not. This is also true for video, of course.

Tell your kids that if they plan to share photos and videos online that have other people in the background, they should take the time to edit out the faces, or other elements that might give away locations they frequent.

And they should always ask permission first from the people in the photo or video before posting them online.

4. Take care of your data

Securing your child’s data is one of the biggest concerns of parents today. With stories of ransomware targeting and successfully hitting schools, not to mention the many other data breaches, parents and carers might feel that there is nothing they can do to protect their child’s data.

Far from it.

Securing your kid’s online accounts is the first step (see above), but there are other steps you can take to secure your child’s data.

Be careful with files and links. Cybercriminals use files and malicious links to get their malware into devices. So teach your kids to treat files and links with caution. Although criminals used to send unsolicited private messages to random recipients, things have moved on. Now they create fake social media profiles of celebrities or people your kid knows, or even compromise legitimate accounts to spread their malware.

If your child receives a private message containing a link or a file from a friend, classmate, relative, or anyone else they might know, encourage them to contact the person via a separate method to ask whether they really sent that message.

Make sure all software is updated. One way for cybercriminals to infiltrate systems is to find weaknesses in software and then exploit them. Think of it like a door that anyone can open without alerting those already in the house. Make sure that door in your child’s computer is sealed, and apply updates as soon as they’re available.

Be careful when connecting to public Wi-Fi. Your child’s school Wi-Fi isn’t the only hotspot they can connect to. When they’re out with friends or at a classmate’s house, they’re bound to connect to other Wi-Fi networks. Remind your kids that they shouldn’t allow their devices to connect to Wi-Fi that doesn’t use a password. And even then, they should also be picky about what they do online or what accounts they are accessing.

If connecting to a public Wi-Fi can’t be avoided, advise them to use a virtual private network (VPN).

Don’t share passwords with anyone. And we mean, anyone—including friends. If your kid does this, it not only puts their data at risk, but also opens the door for abuse. They might be a close friend at school, but that doesn’t mean they wouldn’t try pulling a prank using your kid’s account, for example. Better safe than sorry, right?

Install an antivirus (AV) you trust. Accidents happen. Many people have clicked a dodgy link or opened a questionable email attachment at some point. And when accidents like this happen to your kids, it’s good to have an AV installed to stop malicious code from downloading or running before it can wreak havoc on your device. It could also prevent you from seeing potentially malicious sites, such as phishing sites, when you click a questionable link.

Back up data. Even if you do everything you can to protect your kid’s data, you could still end up as one of the unlucky ones. This is why it’s good practice to back up your data. This is the process of creating at least one copy of (usually) important files that we can’t afford losing. Ever.

5. Take care of your device

How your kids look after their computing devices is just as important as how they take care of the data stored in them. One form of data compromise your kids should avoid is device theft.

Lock down the device after a certain period of idleness. This way, if your child takes their eyes off their device for a bit when in a public space, it can’t be quickly accessed by anyone else.

Secure their laptop to an object. If your child is prone to spending time in public places to work on their laptop, it’s a good idea to suggest using a security cable to physically secure their laptop onto a chair or desk in case they need to leave the device for a while. Security cables can be bought online or in computer hardware shops.

Speaking of theft, it’s also good to install anti-theft or tracking software on your child’s phone and other mobile devices, such as a laptop, that they bring with them to school or anywhere else.

Password protect the device. For mobile devices, this could either be a PIN or a pattern. For laptops and desktop computers, this could be a local user password, a physical security key, or a picture code to name a few.

Update your child’s device’s firmware. Just like any software that’s installed on their devices, it is equally important to update firmware. Firmware can have vulnerabilities like any regular software, and so updates should be installed as soon as possible.

6. Be wary of certain sites and content online

The Internet is a place where misinformation, fake news, and scams spread if people aren’t careful enough. Not every site on the Internet is a safe place to visit, and this is something to gently drill in your child’s mind.

Indeed, there are so many social media platforms right now that a lot of us parents cannot keep up. It’s great that your child has a number of options to choose from, but in this case ask them to be picky.

If your child has a Facebook account, perhaps it’s a good idea to talk to them about fake news and how to identify it.

They need to be wary of everyone they are talking to online. Omegle, for example, is a social site where investigators found predators encouraging young boys to expose themselves on camera. Usually, these people claim to be the same age as their victims but they are, in fact, evil grown-ups taking advantage of kids. And it’s not just boys at risk: recent research found 11- to 13-year-old girls are the most likely targets of predators.

When it comes to picking which sites they should join or content to consume, your child could be as confused as you are. And most of the time, they follow the herd, their friends, and what’s trendy at the moment. They might need your guidance here, so prepare to learn the ropes together.

7. Be kind

…to others

Online abuse could happen to anyone. Cyberbullying, cyberstalking, threats of physical violence, flaming, non-contact sexual abuse—this includes flashing, forcing a child to perform sexual acts or take part in sexual conversations, and showing pornography among others—and other forms of abuse continue to affect many for life, with some destroying the lives of their targets and those close to them.

Instil in your child the kindness, understanding, and patience you would want others to approach them with. Having healthy communication between children and parents or carers becomes significant here. Talking about any or all of these topics doesn’t just happen once. As you help them navigate through life—both in the real and the digital one—such conversations should be expected to come up and (hopefully) the topics are tackled with care, respect, and zero judgement.

If you want your kids to be kind to others online, show, don’t just tell.

…to yourself

Yes, your kids can be kind to themselves, too. Being online all the time can be really fun and entertaining at first. But after a while, this can take a toll on them mentally and emotionally. Your kids could feel anxious, stressed, or tired because they’re absorbing and processing everything they see and read about.

This is why it’s advisable that they disconnect from the digital world often and reconnect with family, friends, and even with themselves. When was the last time they picked up a hobby that doesn’t involve a computer or phone? Or perhaps…when was the last time your child actually picked up a book to read for pleasure?

Should you accept this challenge…

The Internet is both a good and bad place. A good approach is to spend little to no time on sites that do not give your child a positive and learning experience. And when it comes to Internet safety for kids and teens, the best approach is for parents and carers to be involved in their child’s digital life.

I don’t mean micromanaging their digital life or making all their online decisions for them. If only that was possible!

Being involved means taking an interest in your child’s online activities. It means becoming a presence when they need to understand, be reassured, be guided, and be confident in what they do online. Being involved also means allowing them to decide for themselves and make mistakes—even after repeated warnings—but always being at the ready to be a confidante or sounding board when things get rough.

Internet safety should start from the home. So raise your digital native to not only be smart about staying secure online and respectful of their (and other people’s) privacy, but also a force of good in the digital realm. This is a challenge every modern parent must recognize and take to heart.

Challenge accepted.

The post Internet safety tips for kids and teens: A comprehensive guide for the modern parent appeared first on Malwarebytes Labs.

A week in security (Sept 13 – Sept 19)

Last week on Malwarebytes Labs

Other cybersecurity news

Stay safe!

The post A week in security (Sept 13 – Sept 19) appeared first on Malwarebytes Labs.

Freedom Hosting operator gets 27 years for hosting Dark Web child abuse sites

The wheels of justice have turned, if perhaps a bit slower than you may have expected. A Dublin resident, Eric Eoin Marques, has been sentenced to 27 years in federal prison. The reason is the frankly terrifying tally of child sexual abuse material (CSAM) he helped to distribute. Eoin helped to make no fewer than 8.5 million images of abuse available on the Dark Web. No fewer than 2 million of those images contained victims not previously known to those in law enforcement circles.

The main point of reference for these acts was something called “Freedom Hosting”. This website hosting service helped keep all of the illegal content online, and available for distribution. Law enforcement seized $155,000 from Marques, who stated that his business had been “very successful”.

How did the FBI, Interpol, and the Garda set about taking this nest of vipers down?

How Freedom Hosting operated

Freedom Hosting operated as a hidden service (a destination on the Dark Web), available to Tor users if they knew where to look for it. To prevent any confusion, as per the Tor blog:

The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research.

According to the investigation, “the hosting service contained over 200 child exploitation websites that housed millions of images of child exploitation material”. Essentially, they played host to the absolute worst of the worst. 

Shortly after the FBI began seeking Eoin’s extradition in 2013, malware—later identified as EgotisticalGiraffe—was discovered on a number of Freedom Hosting sites. The malware exploited a bug in the Tor browser that revealed the IP addresses of visitors, defeating Tor’s anonymity protection, and allowing them to be located.

The FBI later revealed in court that it had taken control of Freedom Hosting in July 2013 and planted the malware to identify people looking for CSAM there.

Racking up the charges

Marques at this time was facing up to four charges, plus extradition to the US, which eventually happened in 2019. By the end of it all, he stood accused of creating and operating servers from 2008 to 2013. He pleaded guilty at the start of 2020, after a year-long investigation.

Things have now come to a conclusion, for him at least, and he won’t be out of prison for a very long time. Considering his initial admission of guilt came with a mandatory sentence of 15 years, he managed to end up with quite a few more added to the tally.

Watching the dominoes fall

The combined efforts of law enforcement around the world have made a significant dent on this one operation. One suspects in real terms it’s a drop in the ocean with regards to numbers. Even so, this is a fantastic result:

  • More than 200 primary sites taken offline, along with “hundreds of other sites” sponsoring or facilitating the various activities;
  • “The activities of tens of thousands of online pornographers disrupted”;
  • over 4 million images / videos seized, and more than 100 unknown series of abuse uncovered;
  • “dozens” of offenders identified and prosecuted throughout the world.

As for Marques himself, he apparently kept out of the limelight and “lived a quiet life”. He is also said to have been searching for information on Russian visas and passports, hoping to make extradition as tricky as possible.

We’re pleased to say this didn’t happen, and he’s proof positive that you can’t always hide from the long arm of the law.

The post Freedom Hosting operator gets 27 years for hosting Dark Web child abuse sites appeared first on Malwarebytes Labs.

Microsoft makes a bold move towards a password-less future

In a recent blog Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

A long time coming

At first glance this looks like a great idea, and many users will sigh in relief and wait in hope for the next tech giant to take this step. All those that were in favor of this change must have thought: What took them so long?

In 2019 Bret Arsenault, Microsoft’s security chief, explained why the company was eliminating passwords. And in 2020 Microsoft started to enable alternatives for many of its products, like Yubico, HID Crescendo, TrustKey, and AuthenTrend.

All these alternatives are a lot more secure and harder to compromise and we have been advocating them as a second factor in login procedures for ages.

Why get rid of passwords?

Microsoft gives two reasons for this move:

  • Nobody likes passwords (which I can guarantee is not true).
  • They are a prime target for attacks.

One of the reasons nobody likes passwords is that the situation has been made worse by ridiculous and unnecessary rules, such as asking users to pick passwords that follow formulas, or forcing users to change their password every few months. Both practices have been discredited but continue to haunt us. Formulas reduce the number of possible passwords a user can pick from, and regular password resets encourage users to pick passwords that conform to a predictable pattern; both make guessing passwords easier, which is the opposite of what we want.

I will agree that the fact that passwords can be guessed makes them a target. But the reasoning here is a bit crooked in my opinion. If thieves are after my jewellery, sure, I can sell it at the nearest pawn shop. But is that not just shifting their attention elsewhere? Now I have money, and that’s a target too.

Shifting from passwords to biometrics has this same problem many times over. If I swap my password for my fingerprints, my fingerprints become a target. Can I replace my fingerprints if I lose them? What ways will criminals think of to steal them? And what happens when they have them? Talk about re-using the same credentials everywhere…

Expert opinion from Per Thorsheim

We at Malwarebytes Labs were somewhat divided in our opinions about this news, so we decided to reach out to one of the world’s leading experts on passwords, Per Thorsheim, who tweeted some major concerns about this Microsoft initiative.

Malwarebytes Labs: Per, thank you for your time, can you tell our readers a bit about yourself and how you got so interested in passwords?

Per Thorsheim: I’m Per Thorsheim, and I am the founder and main organizer of PasswordsCon, the first and only global conference dedicated to passwords and digital authentication. By day I work with security for BankID, the digital ID/authentication/signature solution in Norway, operated by vipps.no. My rather obsessive interest in passwords came about when I was working as a penetration tester for PWC, and somewhere pre-Y2K managed to get Domain Admin in less than a day at a Fortune 500 company due to an employee using “Password” as his password.

In December 2010 I ran PasswordsCon for the first time, by invitation from the university here in Bergen, on the west coast of Norway, where I live. (See passwordscon.org for more info.)

Malwarebytes Labs: Is it correct to assume that your major concern is what happens when people lose access to their account for some reason? And would the same objections not also apply if they used one of Microsoft’s passwordless options as a second factor of authentication?

Per Thorsheim: Yes, at the time of writing that is my main concern. Or not exactly, better rephrase that as “when people lose access to their choice of authenticator, and by that lose access to their Microsoft account”. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers. As a result I’ve seen people just resign and create a new account instead. This can in particular be seen with teenagers and their use of social media such as Instagram, TikTok, and Snapchat. It’s just easier to create a new account and tell your friends you have a new username.

Now that Microsoft allows you to actually REMOVE your password and thus your “something you know” factor, are we only left with options that can be easily stolen or abused in close relationships? Does this make those scenarios easier, as an attacker no longer has to guess or obtain a victim’s password? Are we essentially degrading from passwords to simple 4-6-8 digit PINs?

I don’t have the answers, but I have to say I am impressed by Microsoft taking this bold step forward.

I’m old enough to have seen tons of different solutions that promised better UX and/or better security, with so many failing miserably. I’ve seen corporate integrations of smartcards, a myriad of two-factor solutions, including the infamous RSA SecurID.

During pen-tests and audits I remember seeing admins removing the need for SecurID OTP and setting the PIN to “123456” or similar for CxO levels and members of the board. “Because they said it was too hard to remember bringing that hardware token with them all the time”.

CxO-level executives also sometimes have personal assistants, who administer the majority of the digital lives of the person they work for. And then there are the shared accounts to handle, like press, booking or helpdesk. That’s just some of the many challenges corporations face these days where ‘personal’ accounts are not the only types of accounts in existence.

Malwarebytes Labs: What would, in your expert opinion, be a better alternative for abandoning passwords altogether—one that deals with brute force attacks and phishing for passwords?

Per Thorsheim: I honestly do not believe there is a solution available for abandoning passwords. There is no risk analysis justifying their removal, neither is there a cost/benefit analysis.

On the other hand, there are tons of business cases supporting attempts to develop and sell solutions to remove, replace or at least hide passwords for users.

Now that Microsoft provides an option to remove your password for free, I wonder what the REAL cost of doing so will be for us all—and for Microsoft. Only time will tell.

I hope this works for you. I can go on for hours on this, but… 🙂

Malwarebytes Labs: Thank you Per, for your precious time and your valuable insights.

While we still have passwords

Time will tell whether this “bold move” from Microsoft will make for an improvement in security or not. We would like to advise users to think it through before taking their first steps towards the password-less future.

Whether you embrace Microsoft’s passwordless features or not, the fact is that you are likely to be using passwords elsewhere for a long time to come. While that’s still true, one of the best things you can do for your password security is use a password manager. Not only do they make it easier to create and remember strong passwords, and to avoid password reuse, they also stop us filling out our credentials on fake (phishing) sites!

The post Microsoft makes a bold move towards a password-less future appeared first on Malwarebytes Labs.

Facebook’s own research reveals the harm that Instagram can inflict

For years, people have accused social media, and particularly image-driven sites like Instagram, of being bad for young people, particularly young women. It turns out that Instagram’s owner, Facebook, agrees.

Thirty-two percent of teen girls said that when they felt bad about their bodies, Instagram made them feel worse.

This was one of the findings of internal Instagram researchers which was included in a presentation slide posted to Facebook’s internal messaging board in March 2020. It continues:

“Comparisons on Instagram can change how young women view and describe themselves.”

The Wall Street Journal (WSJ) has reviewed and revealed the contents of such slides in its latest instalment in The Facebook Files, a WSJ series of investigative articles based on “internal Facebook documents, including research reports, online employee discussions and drafts of presentations to senior management.” Sometimes, included in these reports are findings from other companies the social network giant owns, like Instagram and WhatsApp.

Concerned parents and carers who may have observed or heard something from their teen who is being affected by Instagram would likely get confirmation of what they already know: Instagram is not helping with their body issues and sense of self at all. What may be more shocking to them is that Facebook knows this too.

What Facebook knows

Facebook has been conducting internal studies of how Instagram affects its young users for three years, but had never shared any of its findings until three days ago, in response to the WSJ investigation.

According to the Journal, more than 40 percent of Instagram users are 22 years old or younger, with about 22 million teens logging on to Instagram in the US each day. The social media giant is said to have repeatedly found that Instagram is harming its young users, especially teenage girls.

It reports that the research conducted by Facebook revealed that Instagram makes body image issues worse for about one in three girls; that teenagers blame Instagram for increases in the rate of anxiety and depression; and that one in five teenagers said that Instagram makes them feel worse about themselves. The slides also revealed that a percentage of female teens in the US and UK have suicidal thoughts over what they see on Instagram.

Teen girls aren’t the only ones affected though. In Facebook’s 2019 research report, it found that 14 percent of boys in the US had said that Instagram made them feel bad about themselves. The following year, they found that 40 percent of teen boys experienced negative social comparisons. This, the researchers have concluded, is a problem specific to Instagram.

“Social comparison is worse on Instagram,” is what Facebook noted after doing a deep dive into body image issues in teen girls in 2020. What Instagram users tend to do is share only the best and most perfect photos and moments, which can trigger negative reactions, and may even lead to eating disorders, an unhealthy outlook towards themselves, and depression.

According to the researchers, young Instagram users who are struggling with mental health are aware that the app is affecting them in a negative way and need to spend less time on it, but admit they couldn’t stop themselves.

Facebook executives are stumped

The Journal claims that Facebook’s internal documents reveal that it has done little to address these issues, and even downplays these in public. For example, Adam Mosseri, head of Instagram, has told reporters that the research suggests the app’s effects on teen well-being is, “quite small”.

“In no way do I mean to diminish these issues…. Some of the issues mentioned in this story aren’t necessarily widespread, but their impact on people may be huge,” Mosseri further said in an interview with the Journal.

In another example, Mark Zuckerberg, CEO of Facebook, said at a March 2021 congressional hearing that, “The research that we’ve seen is that using social apps to connect with other people can have positive mental-health benefits,” which only highlights one side of the story while failing to mention the other.

Instagram’s response to the WSJ, written by Karina Newton, head of public policy on Instagram, says the Journal focusses on “a limited set of findings and casts them in a negative light”. She stands behind the company’s research and efforts to make things better for every teen user on Instagram, writing that “It demonstrates our commitment to understanding complex and difficult issues young people may struggle with, and informs all the work we do to help those experiencing these issues.”

In other words, as so many Facebook profiles say: It’s complicated. “The research on the effects of social media on people’s well-being is mixed, and our own research mirrors external research. Social media isn’t inherently good or bad for people. Many find it helpful one day, and problematic the next. What seems to matter most is how people use social media, and their state of mind when they use it.”

The Journal claims that Facebook executives are struggling to find ways to reduce Instagram’s harm while keeping people on the platform. Project Daisy, for example, was a pilot program created as a potential solution to keeping kids from feeling anxious and having negative feelings, based on a focus group feedback, when they see “like” counts. In Project Daisy, “like” counts are hidden. However, the results of the program have revealed that it didn’t improve teens’ lives.

Project Daisy was rolled out, nonetheless, with executives noting in an internal discussion that this, essentially, is just for show. “A Daisy launch would be received by press and parents as a strong positive indication that Instagram cares about its users, especially when taken alongside other press-positive launches.”

Mosseri acknowledges in an interview with the Journal that he doesn’t think there is a clear-cut solution to fixing Instagram. “I think anything and everything should be on the table,” he said, “But we have to be honest and embrace that there’s trade-offs here. It’s not as simple as turning something off and thinking it gets better, because often you can make things worse unintentionally”.

In a comparison that might not have come across in the way he hoped it would, Mosseri recently equated social media to cars in a podcast interview with Peter Kafka on the Recode Media podcast. “Cars have positive and negative outcomes. We understand that. We know that more people die than would otherwise because of car accidents. But by and large, cars create way more value in the world than they destroy. And I think social media is similar.”

However, Kafka, and some helpful users on Twitter, pointed out that they are not the same at all: Cars are heavily regulated, licensed, policed, regularly tested for problems, are not accessible to teens who are 16 years old and below, and have meaningful safety measures in place.

This is a call for help

Perhaps what stands out most from the reporting is not a single statistic, or how negatively Instagram has been affecting teens for years, or even that Facebook is well aware of the negative side of its social media empire, but the fact that the teens who are reporting problems are finding it really difficult to unplug or quit the app.

Parents and carers: Do not expect Instagram or Facebook to do this for you any time soon, because these online services were engineered to make users want to come back for more, even when they know it’s not good for them.

As computer scientist Dr. Cal Newport said in his memorable TED Talk, Why you should quit social media, social media is designed to provide a constant flow of small, intermittent rewards, just like a slot machine. Newport: “It’s one thing to spend a couple of hours at a slot machine in Las Vegas, but if you bring one with you, and you pull that handle all day long, from when you wake up to when you go to bed: We’re not wired for that”.

Kids cannot be expected to handle the social media slot machine alone—parents, family members, and our children’s friends all have a role to play in helping our kids overcome this.

Recommended reading:

The post Facebook’s own research reveals the harm that Instagram can inflict appeared first on Malwarebytes Labs.

FBI and CISA warn of APT groups exploiting ADSelfService Plus

In a joint advisory the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warn that advanced persistent threat (APT) cyber-actors may be exploiting a vulnerability in ManageEngine’s single sign-on (SSO) solution.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in question is listed under CVE-2021-40539 as a REST API authentication bypass with resultant remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus version 6113 and prior.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network.

In-the-wild exploitation

When word of the vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. Yesterday’s joint advisory seems to support that, telling us that APT cyber-actors are likely among those exploiting the vulnerability.

They consider this a high concern because it poses a serious risk to critical infrastructure companies. CISA recognizes 16 critical infrastructure sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The joint advisory points out that the suspected APT cyber-actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors—including transportation, IT, manufacturing, communications, logistics, and finance.

It also warns that successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

According to the advisory, the JavaServer Pages web shell arrives as a .zip file “masquerading as an x509 certificate” called service.cer. The web shell is then accessed via the URL path /help/admin-guide/Reports/ReportGenerate.jsp.

However, it warns:

Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.

Please consult the advisory for a full list of IOCs.
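The two indicators just described (a zip archive dropped under the name service.cer, and requests to the /help/admin-guide/Reports/ReportGenerate.jsp path) lend themselves to a simple defensive check that a responder can run against a suspect host's files and web server access logs. The Python below is an added example, not code from the advisory, from Zoho or from Malwarebytes; the access log format, the sample log lines and the sample file contents are constructed for illustration, and the magic-byte rules are the standard ones for zip (PK), PEM (BEGIN CERTIFICATE header) and DER (ASN.1 SEQUENCE tag 0x30) files.

```python
"""
Two triage checks derived from the joint advisory's description of the
ADSelfService Plus web shell (added example, not the advisory's own code).

1. A real .cer file is PEM text or DER; the advisory says the dropped
   service.cer is actually a zip archive, so its first bytes are "PK".
2. The web shell is reached via /help/admin-guide/Reports/ReportGenerate.jsp,
   so web server access logs can be searched for that exact path.
"""
import re
from typing import Iterable, List

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")  # local header, EOCD, spanned
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
DER_SEQUENCE_TAG = 0x30
WEBSHELL_PATH = "/help/admin-guide/Reports/ReportGenerate.jsp"  # from the advisory


def classify_cer_bytes(data: bytes) -> str:
    """Return 'zip', 'pem', 'der' or 'unknown' for the contents of a .cer file."""
    if data.startswith(ZIP_MAGICS):
        return "zip"
    if data.lstrip().startswith(PEM_HEADER):
        return "pem"
    if data[:1] == bytes([DER_SEQUENCE_TAG]):
        return "der"
    return "unknown"


def is_suspicious_cer(data: bytes) -> bool:
    """True when a file claiming to be a certificate is really a zip archive."""
    return classify_cer_bytes(data) == "zip"


# Assumed combined-log style line: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_webshell_hits(lines: Iterable[str]) -> List[dict]:
    """Return one record per request whose path (query string stripped) is the web shell path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path.lower() == WEBSHELL_PATH.lower():
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": m.group("status"),
            })
    return hits


# Constructed sample data (not real IoCs): a fake service.cer that is a zip,
# a benign PEM certificate stub, and four access log lines.
CONSTRUCTED_FAKE_CER = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20
CONSTRUCTED_REAL_CER = b"-----BEGIN CERTIFICATE-----\nMIIBsample\n-----END CERTIFICATE-----\n"
CONSTRUCTED_LOG = [
    '198.51.100.7 - - [17/Sep/2021:10:02:15 +0000] "GET /selfservice/index.html HTTP/1.1" 200 2048',
    '203.0.113.10 - - [17/Sep/2021:10:03:44 +0000] "GET /help/admin-guide/Reports/ReportGenerate.jsp?id=1 HTTP/1.1" 200 128',
    '198.51.100.7 - - [17/Sep/2021:10:03:50 +0000] "GET /help/admin-guide/Reports/index.html HTTP/1.1" 200 512',
    '203.0.113.10 - - [17/Sep/2021:10:04:01 +0000] "POST /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 64',
]


if __name__ == "__main__":
    print("fake service.cer:", classify_cer_bytes(CONSTRUCTED_FAKE_CER))
    print("real service.cer:", classify_cer_bytes(CONSTRUCTED_REAL_CER))
    for hit in find_webshell_hits(CONSTRUCTED_LOG):
        print("web shell request:", hit)
```

On a live host, read the real service.cer with `open(path, "rb").read()` and feed the access log line by line; a "zip" verdict or any hit on the ReportGenerate.jsp path is a reason to treat the server as compromised and follow the advisory's IOC list, bearing in mind the clean-up scripts it mentions may have already removed the file.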

Mitigation

A patch for this vulnerability was made available on September 7, 2021. Users are advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urge organizations to make sure that ADSelfService Plus is not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations. It also has information about how you can reach out to support if you need further information, have any questions, or face any difficulties updating ADSelfService Plus.

Stay safe, everyone!

The post FBI and CISA warn of APT groups exploiting ADSelfService Plus appeared first on Malwarebytes Labs.