IT NEWS

A week in security (Nov 22 – Nov 28)

Last week on Malwarebytes Labs

Stay safe!

The post A week in security (Nov 22 – Nov 28) appeared first on Malwarebytes Labs.

ICO challenges adtech to step up privacy protection

The UK Information Commissioner’s Office (ICO) wants the advertising industry to come up with new initiatives that address the risks of adtech, and take account of data protection requirements from the outset.

The ICO is an independent body set up to uphold information rights. The technology currently in use by the advertising industry has the potential to be highly privacy-intrusive, and the ICO has the right to issue, on its own initiative or on request, opinions to Parliament, government, other institutions or bodies, and the public, on any issue related to the protection of personal data.

The problem

The concept is simple: Advertisers want to show adverts to individuals who are likely to buy their product, and consumers prefer to see adverts that are relevant to them over those that are not. To accomplish this, the advertising industry has come up with a complex web of data processing which includes profiling, tracking, auctioning, and sharing of personal data.

That approach leads to advertisers knowing far more about people than they need to, and having to store and secure all that data.

Moves in the right direction

In recent years, the ad industry has developed several initiatives for less intrusive technology to address these privacy risks. These include proposals from Google and other market participants to phase out the use of third-party cookies, and other forms of cross-site tracking, and replace them with alternatives.

Federated Learning of Cohorts (FLoC) is one of the initiatives by Google that aims to thread the needle of offering people targeted ads while respecting their privacy. That initiative got off to a bad start when it became known that Google had quietly added millions of Chrome users to a FLoC pilot without asking them.

Other recent developments highlighted by the ICO include:

  • Proposals like FLoC, that aim to phase out third-party cookies and replace them with alternatives.
  • Increases in the transparency of online tracking, such as Apple’s App Tracking Transparency, which has had a notable impact—both in terms of the number of users exercising control over tracking, as well as the market itself.
  • Mechanisms to enable individuals to indicate their privacy preferences in simple and effective ways.
  • Developments by browser developers to include tracking prevention in their software.

As an example of the last point, Enhanced Tracking Protection in Firefox automatically blocks trackers that collect information about your browsing habits and interests. But this is not as effective as you might hope. Blocking third-party cookies and related mechanisms partially restricts cross-site trackers, but as long as a tracker is still being loaded in your browser, it can still track you. It is not as easy as it was before, but tracking is still tracking, and the most prevalent cross-site trackers (looking at you, Google and Facebook) are certainly still tracking you.

Google

Google’s status in the digital economy means that any proposal it puts forward has a significant impact. Not just because of the market share of its browser, but also due to the services it offers individuals and organizations, and the large role it plays in the digital advertising market.

In 2019, Google announced its vision for the Google Privacy Sandbox. The building blocks for this were essentially:

  • Most aspects of the web need money to survive, and advertising that relies on cookies is the dominant revenue stream.
  • Blocking ads or cookies can prevent advertisers from generating revenue, threatening #1.
  • If you block easily controllable methods like cookies, advertisers may turn to other techniques, like fingerprinting, that are harder for users to control.

Expectations

The ICO is attempting to insert itself into the rapidly evolving situation around adtech by means of a recently published opinion:

There is a window of opportunity for proposal developers to reflect on genuinely applying a data protection by design approach. The Commissioner therefore encourages Google and other participants to demonstrate how their proposals meet the expectations this opinion outlines.

The ICO is encouraging Google and other advertisers to demonstrate new proposals that can meet a set of expectations set out in the Opinion. It wants to see proposals to remove the use of technologies that lead to intrusive and unaccountable processing of personal data and device information, which increases the risks of harm to individuals.

The ICO says it expects any proposal to:

  • Engineer data protection requirements by default into the design of the initiative.
  • Offer users the choice of receiving adverts without tracking, profiling or targeting based on personal data.
  • Be transparent about how and why personal data is processed, and who is responsible for that processing.
  • Articulate the specific purposes for processing personal data, and demonstrate how this is fair, lawful and transparent.
  • Address existing privacy risks and mitigate any new privacy risks that their proposal introduces.

As the ICO does, we look forward to more privacy-focused ways of delivering targeted advertising.


New law will issue bans, fines for using default passwords on smart devices

The idea of connecting your entire home to the internet was once a mind-blowing concept. Thanks to smart devices, that concept is now a reality. However, this technological advancement aimed at making our lives more convenient—not to mention very cool and futuristic!—has also opened a wide door for potential cybercriminals.

New figures from a recent investigation conducted by Which?, the UK’s leading consumer awareness and review site, say that smart devices could be exposed to over 12,000 hacking and unknown scanning attacks in a single week. And smart devices are big news—a study commissioned by the UK government in 2020 revealed that almost half (49 percent) of UK residents purchased at least one smart device since the pandemic started.

And because of our high propensity to forgo changing default passwords that came with the smart devices we buy, we’re essentially putting ourselves—our homes and our family’s data and privacy—at the forefront of online attacks without us knowing.

To help address this cybersecurity and privacy problem, the UK government will soon roll out the Product Security and Telecommunications Infrastructure (PSTI) Bill that bans the use of default passwords for all internet-connected devices for the home, which we all call the Internet of Things (IoT). This law covers smartphones, routers, games consoles, toys, speakers, security cameras, internet-enabled white goods (fridge, washing machine, etc.) but not vehicles, smart meters, smart medical devices, laptops, and desktop computers. Firms that don’t comply will face huge fines.

The BBC has highlighted three new rules under this bill:

  • Easy-to-guess default passwords preloaded on devices are banned. All products now need unique passwords that cannot be reset to factory default
  • Customers must be told when they buy a device the minimum time it will receive vital security updates and patches. If a product doesn’t get either, that must also be disclosed
  • Security researchers will be given a public point of contact to point out flaws and bugs

A regulator will be appointed to oversee this bill once it is fully enforced. The regulator will also have the power to fine manufacturers of vulnerable smart devices, and the marketplaces that sell them (Amazon, for example), up to £10M or 4% of their global earnings. It can also impose an additional fine of £20,000 a day if the company continues to be in violation of the law.

“This is just the first step”

Julia Lopez, the Minister of State at the Department for Digital, Culture, Media and Sport, said: “Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those that fall foul of tough new security standards.”

While Ken Munro, a security consultant for Pen Test Partners, told the BBC he sees the bill as a “big step in the right direction”, he also cautioned against complacency: “However, it’s important that government acknowledges that this is just the first step. These laws will need continual improvement to address more complex security issues in smart devices,” he said.


Improving security for mobile devices: CISA issues guides

The Cybersecurity and Infrastructure Security Agency (CISA) has released two actionable Capacity Enhancement Guides (CEGs) to help users and organizations improve mobile device cybersecurity.

Consumers

One of the guides is intended for consumers. There are an estimated 294 million smartphone users in the US, which makes them an attractive target market for cybercriminals, especially considering that most of us use these devices every day.

The advice listed for consumers is basic and our regular readers have probably seen most of it before. But it never hurts to repeat good advice and it may certainly help newer visitors.

  • Stay up to date. Make sure that your operating system (OS) and the apps you use are up to date, and enable automatic updating where possible.
  • Use strong authentication. Make sure to use strong passwords or pins to access your devices, and biometrics if possible and when needed. For apps, websites and services use multi-factor authentication (MFA) where possible.
  • App security:
    • Use curated app stores and stay away from apps that are offered through other channels. If they are not good enough for the curated app stores, they are probably not good for you either.
    • Delete unneeded apps. Remove apps that you no longer use, not only to free up resources, but also to diminish the attack surface.
    • Limit the amount of Personally Identifiable Information (PII) that is stored in apps.
    • Grant least privilege access to all apps. Don’t allow the apps more permissions than they absolutely need in order to do what you need them to do, and minimize their access to PII.
    • Review location settings. Only allow an app to access your location when the app is in use.
  • Network communications. Disable the network protocols that you are not using, like Bluetooth, NFC, WiFi, and GPS. And avoid public WiFi unless you can take the necessary security measures. Cybercriminals can use public WiFi networks, which are often unsecured, for attacks.
  • Protection:
    • Install security software on your devices.
    • Use only trusted chargers and cables to avoid juice jacking. A malicious charger or PC can load malware onto smartphones that may circumvent protections and take control of them. A phone infected with malware can also pose a threat to external systems such as personal computers.
    • Enable lost device functions or a similar app. Use auto-wipe settings or apps to remove data after a certain number of failed logins, and enable the option to remotely wipe the device.
  • Phishing protection. Stay alert, don’t click on links or open attachments before verifying their origin and legitimacy.

Organizations

The guide for organizations does duplicate some of the advice given to consumers, but it has a few extra points that we would like to highlight.

  • Security focused device management. Select devices that meet enterprise requirements with a careful eye on supply chain risks.
  • Use Enterprise Mobility Management solutions (EMM) to manage your corporate-liable, employee-owned, and dedicated devices.
  • Deny access to untrusted devices. Devices are to be considered untrusted if they have not been updated to the latest platform patch level; they are not configured and constantly monitored by EMM to enterprise standards; or they are jailbroken or rooted.
  • App security. Isolate enterprise apps. Use security container technology to isolate enterprise data. Your organization’s EMM should be configured to prevent data exfiltration between enterprise apps and personal apps.
  • Ensure app vetting strategy for enterprise-developed applications.
  • Restrict OS/app synchronization. Prevent data leakage of sensitive enterprise information by restricting the backing up of enterprise data by OS/app-synchronization.
  • Disable user certificates. User certificates should be considered untrusted because malicious actors can use malware hidden in them to facilitate attacks on devices, such as intercepting communications.
  • Use secure communication apps and protocols. Many network-based attacks allow the attacker to intercept and/or modify data in transit. Configure the EMM to use VPNs between the device and the enterprise network.
  • Protect enterprise systems. Do not allow mobile devices to connect to critical systems. Infected mobile devices can introduce malware to business-critical ancillary systems such as enterprise PCs, servers, or operational technology systems. Instruct users to never connect mobile devices to critical systems via USB or wireless. Also, configure the EMM to disable these capabilities.

While you may not feel the need to apply all the advice listed above, it is good to at least know about it and consider whether it fits into the security posture that matches your infrastructure and threat model.

Stay safe, everyone!


Google’s Threat Horizons report: Will the straightforward approach get results?

Google’s Cybersecurity Action Team has released a Threat Horizons report focusing on cloud security. It’s taken some criticism for being surprisingly straightforward and less complex than you may expect. On the other hand, many businesses simply don’t understand many of the threats at large. Perhaps this is a way of easing the people the report is aimed at into the wider discussion.

At any rate, the report is out and I think it’s worth digging into. Google may be taking the “gently does it” approach because so many of its customers are falling foul of bad things. It makes sense to keep it simple in an effort to have people pay attention and nail the basics first. After all, if they can’t do that, then complex rundowns stand no chance.

Key features of the report

The executive summary lists a number of key points. There’s a strong focus on issues and concerns for people using Google services. For example:

“Of 50 recently compromised GCP instances, 86% of the compromised cloud instances were used to perform cryptocurrency mining, a cloud resource-intensive, for profit activity. Additionally, 10% of compromised cloud instances were used to conduct scans of other publicly available resources on the internet to identify vulnerable systems, and 8% of instances were used to attack other targets”.

In case you’re wondering, GCP means Google Cloud Platform.

Elsewhere, the summary mentions that Google cloud resources were used to generate bogus YouTube view counts. This sounds interesting, and it would probably be useful to know more about it. Unfortunately there are no details in the summary, and the full report doesn’t go into the nitty-gritty of what happened either. Given that this one is a clear and easily understandable way to explain how [bad thing in cloud] equals [bad knock-on effect for a service everyone you know uses], it seems strange to keep us guessing.

Google also references the Fancy Bear/APT28 Gmail phishing attack, which we covered last month. While this isn’t exactly a common concern for most people, it is good to reiterate the usefulness of multiple Google security settings. 2FA, apps, backup codes, and advanced security settings are always better to have up and running than not at all.

It’s not just Google services up for discussion…

The report also briefly branches out into other realms of concern. Bogus job descriptions posing as Samsung PDFs were deliberately malformed, leading to follow-up messages in which malware lurked behind the links provided by the sender.

This campaign is apparently from a North Korean government-backed group, which previously targeted security researchers. There’s also a lengthy rundown of BlackMatter ransomware, and (again) various tips for Google-specific cloud products in terms of keeping the BlackMatter threat at arm’s length.

The full report is a PDF weighing in at 28 pages long. Yes, it’s a bit light on details. However, it’s quite possible to send people running for the hills with 80+ pages of heavy-duty security information. If people are making rudimentary mistakes, why not make a gesture of highlighting said mistakes?

Simply does it

As we heard in our recent Lock and Code episode, the basics are no laughing matter. Many organisations don’t have the time, money, or resources available. They’re unable to tackle what some would consider to be incredibly obvious issues. There’s plenty of detailed security information out there already on multiple Google pages. Maybe it’s possible that this back to basics approach will pay off in the long run.

If Google’s main concern seems to mostly be “script kiddie with a cryptominer”, then a script-kiddie-with-a-cryptominer focus we shall have. For now, we’ll just have to wait and see what kind of uptake this new approach receives and go from there.



Beware card skimmers this Black Friday

The UK’s top cybercops are urging owners of small online shops to “protect their customers and profits” by guarding against card skimmers in the frenetic shopping period that starts with Black Friday, which lands on November 26 this year.

The warning comes from the National Cyber Security Centre (NCSC)—which is part of GCHQ, the UK’s equivalent to the NSA—which says it identified 4,151 compromised online shops up to the end of September.

Card skimmers, also known as web skimmers, are bits of malicious software that are injected into legitimate websites so they can steal shoppers’ credit card details. The skimmers read the details as users type them into the sites’ payment forms, or replace the payment forms with convincing fakes.

The longer that cybercriminals can keep their card skimmers on a website before its customers or owners notice, the more money they will make, so they take care to be as unobtrusive as possible. Unsurprisingly, Malwarebytes’ own research has shown that card skimming activity tends to ramp up on the busiest shopping days, when the most money changes hands. And some of the biggest shopping days of the year are nearly upon us, starting with Black Friday, the biggest of them all.
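Because a skimmer is, at bottom, a script that was not on the page yesterday, one of the quickest ways for a shop owner to notice one is to keep an inventory of the scripts and form targets on the checkout page and diff each crawl against it. The Python below is an added example of that check, written for this article rather than taken from the NCSC or Malwarebytes guidance; the two HTML documents, the `.test` hostnames and the placeholder inline script are all constructed for illustration.

```python
"""Checkout-page script inventory and baseline diff (added example).

Constructed HTML stands in for two crawls of the same checkout page: the
baseline, and a later copy with an extra external script and an extra
inline script. Hostnames use the reserved .test TLD.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/pay.js"></script>
<script>window.__cfg = {"currency": "GBP"};</script>
</head><body><form id="payment" action="/pay"></form></body></html>"""

CURRENT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/pay.js"></script>
<script>window.__cfg = {"currency": "GBP"};</script>
<script src="https://cdn.example-not-ours.test/x.js"></script>
<script>/* constructed placeholder for an inline script absent from the baseline */</script>
</head><body><form id="payment" action="/pay"></form></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collects external script URLs, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self.form_actions = []
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])
        if tag != "script":
            return
        if attrs.get("src"):
            self.external.append(attrs["src"])
        else:
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.inline.append("".join(self._buf).strip())
            self._in_inline_script = False


def inventory(html):
    """Reduce a page to the hosts it loads script from, hashes of its inline
    scripts, and the hosts its forms post to. A relative URL yields host ''."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return {
        "script_hosts": {urlparse(s).netloc for s in p.external},
        "inline_hashes": {hashlib.sha256(b.encode("utf-8")).hexdigest() for b in p.inline},
        "form_hosts": {urlparse(a).netloc for a in p.form_actions},
    }


def diff_against_baseline(current_html, baseline, allowed_hosts):
    """Report anything on the current page that the baseline did not allow."""
    cur = inventory(current_html)
    known = set(allowed_hosts) | {""}  # '' = relative URL, i.e. our own origin
    return {
        "new_script_hosts": sorted(cur["script_hosts"] - known),
        "new_inline_scripts": sorted(cur["inline_hashes"] - baseline["inline_hashes"]),
        "foreign_form_hosts": sorted(cur["form_hosts"] - known),
    }


if __name__ == "__main__":
    base = inventory(BASELINE_HTML)
    print(diff_against_baseline(CURRENT_HTML, base, base["script_hosts"]))
```

Run it on a real store by fetching the checkout page on a schedule and alerting on any non-empty field in the report; the hash set catches an altered or added inline script, and the host sets catch a script pulled from, or a form posting to, a domain you never approved. A skimmer that hides inside an existing first-party file is not caught by this check, which is one reason the NCSC's patching advice still comes first.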

For the uninitiated, Black Friday is the annual celebration of peak capitalism that commemorates the symbolic moment that retailers go “into the black” for the year and start to make a profit. If you’re wondering why shoppers would be so keen to celebrate the mechanics of retail accountancy, it’s because shops mark the occasion (the Friday that follows Thanksgiving in the US) with extravagant sales, offers, and deals.

The NCSC is rightly concerned that with record amounts of money expected to slosh about on the Internet in the next few days, cybercriminals will be hard at work, spoiling everyone’s fun.

Yes, you

It is worth noting that the NCSC’s announcement uses the word “small” no less than four times— “small online shops”; “small business sites”; “small online retailers”; “small and medium-sized online retailers”—in a short announcement that also mentions “SMEs” twice, and says it is written for “small & medium sized organisations”.

On the off-chance the point still hasn’t landed, let me spell it out for you: The NCSC would like you to know that no online business is small enough to ignore the threat of card skimmers.

I will add a personal note to that too. If you assume you are too small to be attacked by a card skimmer and your customers later find out their card details were stolen while on your site, they will expect you to have cared a great deal more. At least that’s how I felt when it happened to me.

Not just Magento

Although its guidance is aimed at all e-commerce retailers, the NCSC makes specific mention of sites built on the Magento platform, which it says has been particularly popular with cybercriminals lately:

The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform.

However, your takeaway after reading that should not be “Magento” so much as “known vulnerability”. Cybercriminals do not care that you’re running Magento, they only care that you are running a system they can exploit because it contains a known vulnerability, and any system with a known vulnerability will do, thanks. It so happens that Magento has been a prime target recently, but every decent e-commerce system has known vulnerabilities. Not using Magento is no protection whatsoever.

What really matters is whether or not ecommerce sites are patched promptly when fixes for vulnerabilities are made available. Which is why the NCSC’s headline guidance is “Retailers are urged to ensure that Magento—and any other software they use—is up to date”.

Keeping website software up to date will certainly take you a very long way indeed in terms of protecting against card skimmers, but there is more to it than that.

For the “more to it than that”, the NCSC points readers to the British Retail Consortium’s Cyber Resilience Toolkit for Retail, and to its own website, which is full of useful cybersecurity advice, although neither resource is specifically about card skimming.

I would like to humbly suggest that readers should also consult our own guidance on how to defend your website against card skimmers. Our easy-to-digest advice is aimed at preventing card skimming specifically and explains how card skimming gangs find victims; why everyone is a potential target; how to avoid a website breach; how to protect your customers from a card skimmer if you are breached; and how to detect card skimmers as quickly as possible.


Password usage analysis of brute force attacks on honeypot servers

As Microsoft’s Head of Deception, Ross Bevington is responsible for setting up and maintaining honeypots that look like legitimate systems and servers.

Honeypot systems are designed to pose as an attractive target for attackers. Sometimes they are left vulnerable to create a controllable and safe environment to study ongoing attacks. This provides researchers with data on how attackers operate and enables them to study different threats.

In Bevington’s words:

“I develop and lecture on these technologies with emphasis on the human behind the keyboard and how to integrate Deception into general security posture.”

Now, Bevington has released information gathered from Microsoft honeypots on over 25 million brute force attacks against SSH.

SSH and RDP

Secure Shell (SSH) is a protocol optimized for Linux server access, but it can be used to reach servers running any operating system. Remote Desktop Protocol (RDP) is almost exclusively used for accessing Windows virtual machines and physical Windows servers. Based on data provided by Bevington, taken from more than 14 billion brute-force attack attempts against Microsoft’s network of honeypot servers up to September this year, attacks on RDP servers have risen by 325%.

RDP is one of the most popular targets because it is a front door to your computer that can be opened from the Internet by anyone with the right password. And because of the ongoing pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened.

The data

The analysis looked at the credentials that were attempted during more than 25 million brute force attacks against the Microsoft honeypot systems, covering a period of roughly 30 days.

Some highlights of these results:

  • 77% of the passwords were between 1 and 7 characters long
  • Only 6% of the passwords were longer than 10 characters
  • 39% of the passwords contained at least one number
  • None of the attempted passwords contained a space
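The four measures above are easy to reproduce over your own honeypot data. The Python below is an added example written for this article (not Microsoft's or Bevington's code) that computes them from a list of attempted passwords and, as a crude sanity check, tells you whether a candidate password has a property that none of the captured attempts had. The SAMPLE_ATTEMPTS list is constructed to look like the password column of a honeypot's login log, not real captured data.

```python
"""Summarise attempted passwords from an SSH honeypot (added example).

Not Microsoft's or Bevington's code. SAMPLE_ATTEMPTS is a constructed
stand-in for the password column of a honeypot's login-attempt log.
"""
from collections import Counter

# Constructed sample: typical-looking brute-force candidates, some repeated.
SAMPLE_ATTEMPTS = [
    "123456", "123456", "123456", "password", "password", "admin", "admin",
    "root", "12345678", "qwerty", "P@ssw0rd", "letmein", "1234", "abc123",
    "welcome1", "toor", "ubnt", "raspberry", "changeme", "Passw0rd123",
    "1q2w3e4r5t", "administrator", "support", "123456789012",
]


def summarise(attempts):
    """Return the report's four measures as fractions of all attempts,
    plus the single most frequently tried password and its count."""
    n = len(attempts)
    if n == 0:
        raise ValueError("no attempts to summarise")
    return {
        "short_1_to_7": sum(1 <= len(p) <= 7 for p in attempts) / n,
        "longer_than_10": sum(len(p) > 10 for p in attempts) / n,
        "contains_digit": sum(any(c.isdigit() for c in p) for p in attempts) / n,
        "contains_space": sum(" " in p for p in attempts) / n,
        "most_common": Counter(attempts).most_common(1)[0],
    }


def outside_observed_space(candidate, attempts):
    """True if the candidate has a property no captured attempt had: it is
    longer than the longest attempt, or it contains a space when none did.
    This is a sanity check on the observed attack traffic, not a strength
    meter; length and uniqueness still decide how hard a password is to crack."""
    longest = max(len(p) for p in attempts)
    any_space = any(" " in p for p in attempts)
    return len(candidate) > longest or (" " in candidate and not any_space)


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_ATTEMPTS).items():
        print(f"{key}: {value}")
    for pw in ("admin1", "correct horse battery"):
        verdict = "outside" if outside_observed_space(pw, SAMPLE_ATTEMPTS) else "inside"
        print(f"{pw!r} is {verdict} the observed attempt space")
```

Feed it the password field from a honeypot such as Cowrie (or from your own sshd, which does not log attempted passwords by default, so a honeypot is the realistic source) and the fractions line up with the report's numbers; on the constructed sample, no attempt contains a space, so a three-word passphrase lands outside everything the "attackers" tried.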

Passwords

The data above can help you determine whether a password is more secure than another. But, there are some caveats. Passwords need to be long and complex because it’s their length, complexity and uniqueness that determines how difficult they are to crack.

However, you can have the longest password in the world, but if it has been leaked in a breach there is a chance that an attacker will add it to their dictionary. This is the reason we tell you not to re-use your passwords. It’s inconvenient to lose one in a breach, but if that means having to change your password on multiple sites and services, it’s a major inconvenience.

In an older study by Microsoft, it was determined that users should spend less effort on password management issues for don’t-care and lower consequence accounts, allowing more effort on higher consequence accounts. Unless you are using a password manager doing the work for you, of course. Your efforts to come up with a strong password are wasted at sites that store passwords in plaintext or reversibly encrypted.

Sites that require a minimum length and/or enforce other complexity standards have always been a major annoyance. Not only does every site use a different standard, some of which are long obsolete, they also encourage users to come up with simple passwords that just barely meet the standard. Am I right, MyDogsName1 and P@$$w0rd?

One of the recommendations of the earlier Microsoft study was that organizations should invest their own resources in securing systems rather than simply offloading the cost to end users in the form of advice, demands or enforcement policies that are often pointless.

The fact that none of the attempts contained a space supports the advice to use three random words separated by spaces. Such passwords are easy to remember, easy to type (especially on smaller devices) and harder to guess.

Passwordless future

Not too long ago, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services. We talked that over with a world expert on passwords, Per Thorsheim, and while we will welcome the passwordless future, there are some concerns when it comes to account recovery and what may happen when people lose access to their choice of authenticator.

How to protect your organization from brute force attacks

The ground rules of protecting against remote online attacks are basically:

  • Limit the number of open ports
  • Restrict the access to those that need it
  • Enhance security of the port and the protocol

There are applications that can help you accomplish these basic tasks if you feel the built-in tools are too hard to configure.
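The "restrict the access" rule is only as good as your ability to see who is hammering the door. As an added example (not part of the original post), the Python below parses sshd "Failed password" lines and flags source addresses that reach a threshold of failures inside a sliding time window, so that a burst of guesses and a slow drip of guesses can both be caught by choosing the window. The log lines, the hostname `gw`, the addresses (reserved documentation ranges) and the thresholds are all constructed or assumed for this example.

```python
"""Flag SSH password brute-forcing from sshd log lines (added example).

SAMPLE_LOG is constructed: it imitates syslog-format sshd output from a
host called "gw" and uses reserved documentation IP ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_LOG = """\
Nov 25 10:12:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Nov 25 10:12:03 gw sshd[2203]: Failed password for root from 203.0.113.5 port 41030 ssh2
Nov 25 10:12:04 gw sshd[2205]: Failed password for invalid user ubnt from 203.0.113.5 port 41041 ssh2
Nov 25 10:12:06 gw sshd[2207]: Failed password for root from 203.0.113.5 port 41052 ssh2
Nov 25 10:12:09 gw sshd[2209]: Failed password for invalid user support from 203.0.113.5 port 41060 ssh2
Nov 25 10:13:40 gw sshd[2231]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Nov 25 10:13:55 gw sshd[2233]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
Nov 25 11:40:00 gw sshd[2400]: Failed password for root from 192.0.2.9 port 33001 ssh2
Nov 25 11:50:00 gw sshd[2402]: Failed password for root from 192.0.2.9 port 33002 ssh2
Nov 25 12:00:00 gw sshd[2404]: Failed password for root from 192.0.2.9 port 33003 ssh2
Nov 25 12:10:00 gw sshd[2406]: Failed password for root from 192.0.2.9 port 33004 ssh2
Nov 25 12:20:00 gw sshd[2408]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""


def parse_failures(log_text, year=2021):
    """Return (timestamp, source ip, username) for each failed password line.
    Syslog lines carry no year, so one is assumed (2021 here)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_brute_force_sources(events, threshold=5, window_seconds=60):
    """Return {ip: peak} for every source whose failed logins within some
    window of window_seconds reached threshold; peak is the largest number
    of failures seen in a single window for that source."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _user in sorted(events):
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        start, peak = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits in window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print("fast (5 in 60s):  ", find_brute_force_sources(events, 5, 60))
    print("slow (5 in 1h):   ", find_brute_force_sources(events, 5, 3600))
```

On the constructed log, the one-minute window flags only the burst from 203.0.113.5; the source that tries root once every ten minutes is invisible to it and only shows up with the one-hour window. That is the trade-off to keep in mind when tuning tools such as fail2ban: a short window reacts quickly, a long window catches low-and-slow guessing, and a legitimate user who mistypes once (198.51.100.7 above) should trip neither.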

Restricting access is the point of this post: a password alone is not always enough, and when you do rely on passwords, make sure to choose them wisely.

Stay safe, everyone!


What is facial recognition?

Facebook recently announced it would give up on its facial recognition system. Facebook, or Meta, was using software to automatically identify people in images posted to its social network. Since facial recognition has become an increasingly toxic concept in many circles, and Facebook had enough to deal with as it is, it shut the “feature” down. But that doesn’t mean that the technology no longer exists, or even that it isn’t used anymore.

Let’s establish first what we consider facial recognition to be.

By definition: A facial recognition system is a technology capable of matching a human face from a digital image or a video frame against a database of faces, typically employed to identify and/or authenticate users.

In layman’s terms, facial recognition is technology to recognize a human face.

How does facial recognition work?

There are different systems and algorithms that can perform facial recognition, but at the basic level they all function the same—they use biometrics to map facial features from a photograph or video. The image is captured and reduced to a set of numbers that describes the face that needs to be identified. The software analyses the shape of the face by taking certain measurements that, all put together, provide a unique characteristic for the face. The shape of the face is reduced to a mathematical formula, and the numerical code of that formula is called a “faceprint.” Such a faceprint can be quickly compared to those stored in a database in order to identify the person.

You can compare this to a person leafing through an enormous book of portraits to find a suspect. Only much faster because now it’s a computer comparing sets of numbers.

How is facial recognition used?

The most well-known example of facial recognition is the one that can be used to unlock your phone or similar. In those cases, your face is compared to the ones that are authorized to use the phone.

Another convenient method of facial recognition can be found in some major airports around the world. An increasing number of travelers hold a biometric passport, which allows them to skip the long lines and walk through an automated ePassport control to reach their gate faster. This type of facial recognition not only reduces waiting times but also allows airports to improve security.

A lot less consensual is the fact that in some countries mobile and/or CCTV facial recognition is used to identify any person, by immediately comparing an image against one or more face recognition databases. In total, there are well over 100 countries today that are either using or have approved the use of facial recognition technology for surveillance purposes. This has brought up a lot of questions about our privacy.
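The faceprint comparison described under "How does facial recognition work?" and the two uses just described (unlocking a phone versus picking a person out of a crowd) come down to the same operation applied two different ways. The Python below is an added illustration written for this article, not any vendor's code: it stores constructed four-number "faceprints" in a gallery, compares a new print by cosine similarity, and shows the difference between 1:1 verification and 1:N identification, including what happens when the acceptance threshold is set too loosely.

```python
"""Faceprint matching: verification versus identification (added example).

Not any vendor's code. GALLERY holds constructed 4-dimensional faceprints;
a real system extracts hundreds of measurements per face and the vectors
are never this clean. No real biometric data is used.
"""
import math

GALLERY = {
    "alice": [0.90, 0.10, 0.05, 0.40],
    "bob":   [0.10, 0.85, 0.30, 0.10],
    "carol": [0.20, 0.20, 0.90, 0.10],
}
PROBE_ALICE = [0.88, 0.12, 0.08, 0.38]     # a new photo of alice, slightly different
PROBE_STRANGER = [0.50, 0.50, 0.50, 0.50]  # someone who is not enrolled at all


def cosine_similarity(a, b):
    """1.0 means identical direction; lower means less alike."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def verify(probe, claimed_id, gallery, threshold=0.9):
    """1:1 verification, as in unlocking a phone: is this who it claims to be?
    Only the claimed identity's stored print is consulted."""
    return cosine_similarity(probe, gallery[claimed_id]) >= threshold


def identify(probe, gallery, threshold=0.9):
    """1:N identification, as in CCTV surveillance: who, if anyone, is this?
    Every stored print is consulted; returns (id, score), or (None, best_score)
    when nobody clears the threshold."""
    best_id, best_score = max(
        ((name, cosine_similarity(probe, stored)) for name, stored in gallery.items()),
        key=lambda pair: pair[1],
    )
    if best_score >= threshold:
        return best_id, best_score
    return None, best_score


if __name__ == "__main__":
    print("verify alice as alice:", verify(PROBE_ALICE, "alice", GALLERY))
    print("verify alice as bob:  ", verify(PROBE_ALICE, "bob", GALLERY))
    print("identify alice:       ", identify(PROBE_ALICE, GALLERY))
    print("identify stranger @0.9:", identify(PROBE_STRANGER, GALLERY))
    print("identify stranger @0.7:", identify(PROBE_STRANGER, GALLERY, threshold=0.7))
```

The last two lines are the point: with the threshold at 0.9 the stranger is correctly unmatched, but at 0.7 the system confidently names "bob", someone who was never in front of the camera. In a 1:N deployment the number of people who merely resemble someone in the database grows with the database, so the same threshold that is fine for unlocking one phone produces false matches at city scale.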

What is bad about facial recognition?

As we can see from the above, facial recognition is not always bad, and it can be used to improve our personal and public security. It becomes a privacy issue when the consent of the person in the database is missing. People, especially in large cities, have become used to being monitored for much of the time that they spend outside. But when facial recognition adds the extra layer of tracking, or the possibility to do so, it becomes worrying.

China, for example, is already a place deeply wedded to multiple tracking/surveillance systems. According to estimates, there are well over 400 million CCTV cameras in the country, and they do not shy away from using facial recognition in public shaming to crack down on people that are jaywalking and other minor traffic offenders.

It’s because of the privacy implications that some tech giants have backed away from the technology, or halted its development. Groups such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) have objected to facial recognition technology, as they consider it a breach of privacy to use biometrics to track and identify individuals without their consent. Many feel that there is already more than enough technology out there that keeps track of our behavior, preferences, and movements.

Can I use facial recognition to find someone?

For an individual to identify another individual would require access to a large database or an enormous amount of luck. As we explained, the faceprints are compared with those in a database, and that database has to contain a pretty large subset of the population you are searching in.
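The comparison described above and in the "book of portraits" analogy, as an added example that is not part of the original post: faceprints are vectors, a search is a nearest-neighbour lookup over the enrolled vectors, and a decision threshold decides whether the nearest neighbour counts as a match. The gallery, the probe vectors, the names and the 0.85 threshold are all constructed for this illustration; a real system uses 128- to 512-dimensional embeddings from a neural network and a threshold tuned against measured error rates.

```python
import math
from typing import Dict, List, Optional, Tuple

# Constructed toy "faceprints". A real face-recognition system derives a
# 128- to 512-dimensional embedding per face from a neural network; these
# 4-dimensional unit vectors are made up purely to keep the arithmetic
# readable. The names are placeholders, not real people.
GALLERY: Dict[str, List[float]] = {
    "alice": [0.8, 0.6, 0.0, 0.0],
    "bob":   [0.0, 0.0, 0.6, 0.8],
    "carol": [-0.6, 0.8, 0.0, 0.0],
}

# A second, slightly different image of an enrolled person (constructed).
PROBE_ALICE_NEW_PHOTO: List[float] = [0.6, 0.8, 0.0, 0.0]
# Someone who is not in the gallery at all (constructed).
PROBE_UNENROLLED: List[float] = [0.0, 0.0, 0.96, 0.28]

# Assumed decision threshold. Real deployments tune it against measured
# false-match and false-non-match rates rather than picking it by hand.
DEFAULT_THRESHOLD = 0.85


def cosine_similarity(a: List[float], b: List[float]) -> float:
    """Similarity in [-1, 1]; 1.0 means the two faceprints point the same way."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def identify(probe: List[float], gallery: Dict[str, List[float]],
             threshold: float = DEFAULT_THRESHOLD) -> Optional[Tuple[str, float]]:
    """One-to-many search (the surveillance case): return (name, score) of the
    closest gallery entry, or None when even the best candidate scores below
    the threshold.

    The threshold is what stops an unenrolled face from being "identified" as
    whoever happens to be nearest; lower it too far and the search returns a
    confident-looking false match.
    """
    best_name: Optional[str] = None
    best_score = -1.0
    for name, template in gallery.items():
        score = cosine_similarity(probe, template)
        if score > best_score:
            best_name, best_score = name, score
    if best_name is None or best_score < threshold:
        return None
    return best_name, best_score


def verify(probe: List[float], gallery: Dict[str, List[float]],
           claimed_name: str, threshold: float = DEFAULT_THRESHOLD) -> bool:
    """One-to-one check (the phone-unlock case): does the probe match the
    template of the identity it claims to be?"""
    template = gallery.get(claimed_name)
    if template is None:
        return False
    return cosine_similarity(probe, template) >= threshold


if __name__ == "__main__":
    print(identify(PROBE_ALICE_NEW_PHOTO, GALLERY))          # ('alice', ~0.96)
    print(identify(PROBE_UNENROLLED, GALLERY))               # None: not in the database
    print(identify(PROBE_UNENROLLED, GALLERY, threshold=0.75))  # ('bob', ~0.80): false match
    print(verify(PROBE_ALICE_NEW_PHOTO, GALLERY, "alice"))   # True
```

The second `identify` call is the point of the article's "has to contain a pretty large subset of the population" remark: a face that was never enrolled still has a nearest neighbour, and only the threshold keeps that neighbour from being reported as a hit.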

But there are other ways to identify an individual who is nowhere to be found in the database. A picture can be compared to one that is openly posted on social media. Some organizations have built sizeable databases simply by harvesting pictures from social media, and you might be amazed at what a reverse image search can bring up. In essence, your chance of success in finding a person based on a picture depends on how sophisticated your search algorithm is and how many pictures of your subject can be found on the Internet.

Conversely, if you do not want to be found, make sure that you don’t post your pictures everywhere, and when you do, make sure they are not publicly accessible. And stay out of the databases.

If you are interested in the subject of facial recognition, you may also want to listen to S1Ep6 of the Malwarebytes podcast Lock and Code, where we talk with Chris Boyd about “Recognizing facial recognition’s flaws”.

The post What is facial recognition? appeared first on Malwarebytes Labs.

Windows Installer vulnerability becomes actively exploited zero-day

Sometimes the ways in which malicious code gets into the hands of cybercriminals are frustrating for those in the industry, and incomprehensible to those on the outside.

A quick summary of the events in the history of this exploit:

  • A researcher found a flaw in Windows Installer that would allow an attacker to delete targeted files on an affected system with elevated privileges.
  • Microsoft patched the vulnerability in November’s Patch Tuesday update.
  • The researcher found a way to circumvent the patch and this time decided not to engage in responsible disclosure because he got frustrated with Microsoft’s bug bounty program.
  • The researcher’s PoC is being tested in the wild and cybercriminals could be preparing the first real attacks exploiting this vulnerability.

Let’s have a look at what is going on and how it came to this.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability in question was listed as CVE-2021-41379 and is a local Windows Installer Elevation of Privilege (EoP) vulnerability. If successfully exploited, the bypass could give attackers SYSTEM privileges on up-to-date devices running the latest Windows releases, including Windows 10, Windows 11, and Windows Server 2022.

By exploiting this zero-day, threat actors that already have limited access to compromised systems can elevate their privileges and use these privileges to spread laterally within a target network.

The patch

Microsoft patched the vulnerability in the November Patch Tuesday updates. But according to the researcher, the bug was not fixed correctly. He discovered a new variant during the analysis of the CVE-2021-41379 patch.

With the new variant, an attacker will be able to run programs with a higher privilege than they are entitled to. To be clear, an attacker using the new variant must already have access and the ability to run code on a target victim’s machine, but now they can run the code with SYSTEM privileges thanks to the exploit.

The frustration

The researcher appears to have been so disappointed in Microsoft after he responsibly disclosed the vulnerability through the Trend Micro Zero Day Initiative that he decided to skip that path altogether when he found the new method to bypass the patch. He published a new version of the proof of concept (PoC) exploit, which is even more powerful than the original.

Apparently the main reason for his frustration was the reward level.

“Microsoft’s rewards have been very bad since April 2020; the community wouldn’t make these kinds of decisions if Microsoft took its rewards seriously.”

In the wild

Several security vendors have noticed malware samples in the wild that attempt to take advantage of this vulnerability. A quick search on VirusTotal showed dozens of different files that tried to do this. This may be threat actors testing the exploit code to turn it into something they can use in their attacks, along with researchers trying out different ways to use and stop the exploit. It is worrying nonetheless to see once again how quickly attackers are able to weaponize publicly available exploit code.

Mitigation

The researcher recommends users wait for Microsoft to release a security patch, due to the complexity of this vulnerability, although he doesn’t seem confident that Microsoft will get it right this time.

“Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again.”

Microsoft says it is working on it. In the meantime, Malwarebytes Premium and business users are protected, because our programs detect the files using this vulnerability as Exploit.Agent.

[Image: Malwarebytes detects and stops the exploit]

Stay safe, everyone!

The post Windows Installer vulnerability becomes actively exploited zero-day appeared first on Malwarebytes Labs.

“Free Steam games” videos promise much, deliver malware

Gamers are a hot target for scammers, especially in the run-up to Christmas. Major games are released throughout the last few months of any year, and the FOMO (fear of missing out) is strong, especially if said titles offer pre-order exclusive bonuses, or deals and discounts for a few weeks after the game launches.

There are a lot of big titles hitting digital storefronts at the moment. In the last few weeks alone we’ve seen the release of:

  • Skyrim Anniversary Edition
  • Forza Horizon 5
  • Jurassic World Evolution 2
  • Halo Infinite (portions of it, with more to come)
  • Myth of Empires
  • Battlefield 2042

Add other upcoming titles and older ones updated for the festive season into the mix, and it’s fertile ground for people up to no good.

Bogus YouTube videos promise much, deliver little

We’ve seen a lot of activity on YouTube in the last 24 hours in relation to dubious videos. They ride on the coattails of common searches for “free” versions of popular titles like Skyrim, CSGO, PUBG, Cyberpunk, and more. Other videos focus on Call of Duty, GTAV, Fallout 4, and DayZ.

[Image: bogus download]

In all cases, “free Steam keys” are the name of the fake-out game. No matter which of the many accounts posts these videos, they all typically link to the same download hosting site.

[Image: fake Steam game videos]

When free games lead to Malware

The file offered up for download is SteamKeyGeneration.rar, weighing in at 4.19MB. YouTube pages containing the link offer the following instructions:

“Download the ExLoader, open the RAR file, open the EXE file”

The .RAR is password protected, with the password supplied in the YouTube description. Once the executable runs on the target system, that system is infected by its owner’s own hand.

We detect the file as Trojan.Malpack. This is a generic name given to files which have been packed suspiciously. The actual payload can be anything at all, but this form of packing is not typically used for legitimate purposes. We’ve seen similar attacks previously. In 2018, Fortnite gamers were targeted by scammers pushing Trojan.Malpack files as Fortnite freebies. If the files were downloaded and run on the target system, the reward for doing so was data theft.

Part of a bigger campaign, or a standalone?

YouTube has definitely had some trouble along these lines recently. Researchers at Cluster25 spotted similar activity, targeting a multitude of interests including how-to guides, cryptocurrency, VPN software, and more. In those cases, activity seems to be primarily geared towards two infection paths.

Videos with bit(dot)ly links send victims to download sites such as Mega. Unshortened links redirect to taplink(dot)cc to push Raccoon Stealer. Target machines are scanned for card details, passwords, cryptocurrency wallets and other forms of data. All of this is harvested and sent on to the attacker.

Despite the final destination links being different from those mentioned, there are similarities, such as the password requirement and the overall scam setup. Of course, this isn’t a particularly new or novel tactic for YouTube attacks. Including a link to an off-site compressed file on free file hosting, and disabling comments so nobody can point out that they’ve had things stolen, is video portal shenanigans 101.

You also tend to see one major campaign hit and enjoy success, and then lots of smaller would-be scammers jump on the bandwagon and before long everybody is doing it.

Tips to avoid scams

Whether this is part of the same campaign, a spin-off, or is simply inspired by it, you should avoid any promise of free games deploying these techniques on YouTube. The warning signs are:

  1. Too-good-to-be-true claims of Steam (or another platform) being “hacked”, with free games being the end result.
  2. Brand new accounts with no other content than these videos. Much older accounts which have been dormant until now, or display a sudden shift in content produced. Were they making videos of their cats until last week and now they’re all about hacked Skyrim downloads? Beware.
  3. Comments disabled. Anybody linking to off-site files and turning off the comments may not have your best interests at heart.
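The warning signs above, together with the password-protected off-site archive and shortener-to-file-host chain described earlier in the post, can be turned into a simple triage score for video metadata. This is an added example, not Malwarebytes or YouTube code: the record shape, the 30-day/3-video cut-offs, the three-signs verdict and all sample records are constructed for illustration. The host lists come from the post's own mentions (bit(dot)ly, taplink(dot)cc and Mega, written here as real domains), and the archive name and instruction text are the ones the post quotes.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List
from urllib.parse import urlparse


@dataclass
class VideoRecord:
    """Metadata a moderator or researcher might collect for one video (constructed shape)."""
    title: str
    description: str
    channel_created: date
    channel_video_count: int
    comments_enabled: bool
    links: List[str]


# Hosts named in the article (defanged there as bit(dot)ly / taplink(dot)cc / Mega).
SHORTENER_HOSTS = {"bit.ly", "taplink.cc"}
FILE_HOSTS = {"mega.nz"}

FREEBIE_RE = re.compile(r"\b(?:free|hacked|crack(?:ed)?|key ?gen(?:erator)?)\b", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(?:rar|zip|7z)\b", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\b(?:password|pass|pw)\b\s*[:=-]", re.IGNORECASE)

NEW_CHANNEL_DAYS = 30   # assumed cut-off for "brand new account"
FEW_VIDEOS = 3          # assumed cut-off for "no other content"


def warning_signs(rec: VideoRecord, today: date) -> List[str]:
    """Return the article-style warning signs present in one video record."""
    signs: List[str] = []
    if FREEBIE_RE.search(rec.title):
        signs.append("title promises free/hacked games or a key generator")
    age_days = (today - rec.channel_created).days
    if age_days <= NEW_CHANNEL_DAYS and rec.channel_video_count <= FEW_VIDEOS:
        signs.append("brand-new channel with almost no other content")
    if not rec.comments_enabled:
        signs.append("comments disabled")
    hosts = {urlparse(u).netloc.lower() for u in rec.links}
    if hosts & SHORTENER_HOSTS:
        signs.append("link goes through a shortener/redirector")
    if hosts & FILE_HOSTS or any(ARCHIVE_RE.search(u) for u in rec.links):
        signs.append("off-site compressed download on free file hosting")
    if PASSWORD_RE.search(rec.description):
        signs.append("archive password supplied in the description")
    return signs


def is_suspicious(rec: VideoRecord, today: date, min_signs: int = 3) -> bool:
    """Verdict: three or more independent signs together. One sign alone (a
    legitimate 'free weekend' video, a reviewer who turns comments off) is
    not enough, which is why the count rather than any single match decides."""
    return len(warning_signs(rec, today)) >= min_signs


# Constructed sample records. The title, link targets and password are made up;
# the archive name and instruction text are the ones quoted in the article.
TODAY = date(2021, 11, 29)

SCAM_VIDEO = VideoRecord(
    title="STEAM HACKED!! FREE Skyrim Anniversary Edition KEY GENERATOR 2021",
    description="Download the ExLoader, open the RAR file, open the EXE file. Password: EXAMPLE",
    channel_created=date(2021, 11, 20),
    channel_video_count=2,
    comments_enabled=False,
    links=["https://bit.ly/PLACEHOLDER", "https://mega.nz/file/PLACEHOLDER#SteamKeyGeneration.rar"],
)

LEGIT_VIDEO = VideoRecord(
    title="Skyrim Anniversary Edition review: is it worth it?",
    description="My thoughts after 20 hours. Timestamps below.",
    channel_created=date(2016, 3, 1),
    channel_video_count=412,
    comments_enabled=True,
    links=["https://store.steampowered.com/"],
)

# Two signs only: an established channel that mentions a free weekend and
# happens to have comments off. Below the verdict threshold on purpose.
BORDERLINE_VIDEO = VideoRecord(
    title="Skyrim free weekend: is it worth your time?",
    description="Quick look at the free weekend. Comments off this time.",
    channel_created=date(2018, 6, 15),
    channel_video_count=300,
    comments_enabled=False,
    links=["https://store.steampowered.com/"],
)

if __name__ == "__main__":
    for rec in (SCAM_VIDEO, LEGIT_VIDEO, BORDERLINE_VIDEO):
        print(rec.title, "->", is_suspicious(rec, TODAY), warning_signs(rec, TODAY))
```

The scoring is deliberately additive: each sign on its own has benign explanations, and the article's point is that the combination (new account, comments off, shortened link to a password-protected archive on a file host) is what marks the video as a lure.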

Getting your hands on a cool new game at a discount is always good news, but sometimes the hidden cost is just too high.

The post “Free Steam games” videos promise much, deliver malware appeared first on Malwarebytes Labs.