IT NEWS

We’ve written at length about account compromise and identity theft, and how criminals will often hijack accounts belonging to dead people. In many ways, it’s the perfect crime for anyone indulging in social engineering.

The amount of abandoned accounts due to death can only ever go up, and nobody is really paying attention if someone accesses them illicitly. By the same token, crooks grabbing ID’s during a disaster (natural or otherwise) is a good fit for bad people. Governments and rescue organisations are busy looking for folks and sorting out the problem. The moment victim details are released and / or leaked, the possibility for fraud is there. It could be days, or weeks before someone realises what’s happening. By that point it could already be too late.

Digging into identity theft

Depending on the region, identity theft of the dead can take many forms. In the US, for example, there were concerns back in 2012 over public access to something called the “Death Master File”. There were also plenty of concerns about this problem on a broad scale. Millions of dead people each year having their identities stolen, and around 800,000 instances of credit applied for in their names?

You bet. If this happens close to the time of the person’s death, it can easily disrupt and complicate a situation which is bad enough to deal with as it is. In the aftermath of the Japanese Earthquake / Tsunami in 2011, identity assistance was in so much disarray generally that most ID scams we saw focused on pretending to be charities as opposed to victims.

It stands to reason they’re probably more likely to swipe data from smaller, more local disasters than those on a much larger scale. Bigger events tend to cause scammers to gravitate towards mass donation charity fakeouts in any case.

When scammers strike

The latest example of this particularly distasteful trend came to light a few days ago. Scammers simply monitored unfolding news of a partial 12 story building collapse in Surfside, Florida that has so far claimed 90 lives. As names of victims were released, the scammer tried to exploit their identities. Relatives of the deceased are being urged to check credit accounts in case something untoward has taken place.

At time of writing, no further details have been released. We can only hope law enforcement has some idea who is behind this one, and that more information will be forthcoming soon. So far, the only comment available is one which says they’re protecting the integrity of the case, and also preventing further victimization.

Speaking to WPLG Local 10, Surfside Mayor Charles Burkett channelled the town’s revulsion, warning “[the police department] are out there looking. I wouldn’t want to be that person right now.”

Preventing identity theft

This can be a contentious topic, especially when credit score agencies themselves are at risk from attacks of the most severe variety. There’s also considerable concern over various types of identity theft protection services. With those caveats out of the way:

• Here’s a run-down of how you can protect yourself from any breach which affects a credit score agency you happen to have shared your data with.
• We cover a lot of ground with regards warding off various types of tax identity theft.
• Did you know child identity theft is a thing? Because it absolutely is. We’ve covered this topic at length in not one, but two articles.

Away from our blog, there’s a couple of other articles you may wish to also check out. The Experian blog explains some of the different types of common identity theft. Mail, credit card, online shopping, biometric, and synthetic. There’s something for everyone. They also have another article which details some of the ways scammers can misuse your data. Finally, Equifax list some of the methods you can deploy to keep your social media identity secure.

It’s not like there’s a huge amount we can do to secure our accounts or identity once we’re gone, but we can certainly be proactive about it while still able to set the wheels in motion.

The post ID theft ghouls targeting Surfside victims is appalling, but no surprise appeared first on Malwarebytes Labs.

Whether you’ve read up on Greek mythology or you’re simply a big fan of Marvel comics, the name “Zeus” should be familiar to you. In the context of cybercrime though, ZeuS (aka the Zbot Trojan) is a once-prolific malware that could easily be described as one of a handful of information stealers ahead of its time. Collectively, this malware and its variants infected millions of systems and stole billions of dollars worldwide.

ZeuS was primarily created to be a financial or banking Trojan, otherwise known as crimeware. But, as you’ll see, the extent of its information stealing ability could easily go beyond covertly pilfering financial information, making it a real threat to individuals and organizations of all sizes.

First spotted in-the-wild in 2007, the earliest known version of the ZeuS Trojan was caught stealing sensitive information from systems owned by the United States Department of Transformation. It was believed that ZeuS originated in Eastern Europe. ZeuS affiliates focused their efforts away from corporations and large banks, going after small- to medium-sized organizations, including towns and churches, according to the Federal Bureau of Investigation (FBI).

ZeuS usually arrives via phishing campaigns, spam campaigns, and drive-by downloads. However, this is easy to change and anyone motivated to conduct financial fraud can easily change who they target and how they want their ZeuS to be delivered. Victims have been infected by ZeuS variants via instant messengers (IM), messaging features in social media platforms, and even a pay-per-install (PPI) service—a way to distribute ads to users that a ZeuS user employed for their campaigns.

Once a machine gets infected, ZeuS immediately steals information from web browsers and Windows’ protected storage (PStore), such as banking or financial information and stored account credentials, respectively. All stolen data are siphoned off via a command & control (C&C) server.

Furthermore, any system infected with ZeuS also becomes a bot in a botnet. A kind of illegal Cloud computing platform that can be rented out to other criminals. These bots were also used to remotely update the ZeuS variants residing in them.

To date, there are 545 versions of the ZeuS Trojan, according to a website called ZeuSMuseum.com.

How mighty is the ZeuS Trojan?

A ZeuS Trojan toolkit can be fashioned to do a number of things both for the fledgling and adept fraudster.

ZeuS lurks inside infected machines as it stealthily monitors the websites users visit. It recognizes when a user is on a banking website, for example, and then records keystrokes when the user logs into the site. Because of this, fraudsters can easily log back into that banking account using the recorded keystrokes.

Some variants of ZeuS also affect mobile devices that run Android, Symbian, and Blackberry. ZeuS is the first information stealing malware that steals Mobile Transaction Authentication Numbers (mTANs), a type of two-factor authentication (2FA) method that banks use when you want to perform transactions. An mTAN, also called SMS TAN code, is usually a 6-digit number that is unique per transaction and is sent via SMS.

ZeuS steals information in a number of ways, including: Stealing user keystrokes; collecting the text users enter into web forms; taking screenshots whenever the mouse is clicked; so-called man-in-the-browser (MiTB) attacks that add new elements to web forms asking for things like social security numbers or bank PINs.

As to what, exactly, ZeuS steals, here is non-exhaustive a list provided by the SecureWorks security researchers:

• Data submitted in HTTP forms
• Account credentials stored in the Windows Protected Storage
• Client-side X.509 public key infrastructure (PKI) certificates
• FTP and POP account credentials
• HTTP and Flash cookies

ZeuS is also capable of re-encrypting itself every time it infects a system, making each infection “unique” and therefore harder to detect.

Many researchers attribute ZeuS’s ability to stay under the radar for long periods of time as the main reason why it became the most sought-after info-stealer kit in the underground market during its time. It’s likely that ZeuS infected millions of computers, with many victims not realizing that their sensitive data had fallen into the hands of criminals and that their computer was part of a botnet.

The ZeuS developers also put a lot of effort into protecting their malware. According to SecureWorks, ZeuS 1.3.4.x, a privately sold version of the kit, is protected via a hardware-based licensing system. Also known as hardware-locked licensing, this system allows the kit to be installed on only one computer.

The “fall” of ZeuS Trojan

In 2011, the source code for ZeuS 2.0.8.9 was leaked. Some groups or individuals started offering the use of ZeuS botnets on a subscription basis. According to a case study on ZeuS from students at the University of Cambridge, this “maximises earnings by providing the same service to multiple users. For the user of the service, the benefits are in a reduction in the initial financial outlay, while outsourcing the logistical and maintenance requirements, and reducing the risk of failure to achieve results.”

Cybercriminals also began creating their own ZeuS-based information stealers, make ZeuS itself something of a footnote. Citadel, GameOver, Panda Banker, Terdot, Floki, and Sphinx are some of the known ZeuS variants to date.

Before the code leak, it was rumored that the ZeuS creator would be retiring and then selling his code to a competitor called SpyEye, an up-and-coming information stealer that made heads turn for being able to remove ZeuS infections. There had been reports of a code hand-over, yes, further confirming the merging of the two malware, but the ZeuS creator didn’t quit. According to a report from Brian Krebs, the creator merely stopped selling it publicly and started creating “a more robust and private version of Zeus” instead.

In 2013, the FBI charged and arrested Aleksander “Harderman” Panin, a 24-year-old Russian male believed to be the creator of the SpyEye Trojan. That same year, Hamza Bendelladj, a 24-year-old Algerian male, was arrested and charged for developing components of SpyEye, operating botnets infected with SpyEye, and of course, fraud charges.

Is ZeuS dead?

As long as criminals continue to use bits and pieces of its code to create their own malware, ZeuS can’t be considered dead, so much as fading away slowly. However, ZeuS’s purpose, data theft, is making a comeback.

Banking trojans haven’t gone away, but in recent years their activity has been eclipsed by an epidemic of ransomware. Recently though, major ransomware operators have taken to stealing victims’ data before encrypting it, so they can threaten to leak it.

The tactic has been so successful that some ransomware actors claim to be moving away from encrypting files, and focussing entirely on finding and exfiltrating sensitive data from organisations.

In fact, following a devastating attack on Ireland’s public health system, the Conti ransomware gang issued the Health Service Executive (HSE), a free decryption key to unlock all of their affected files, convinced that simply publishing and selling the data they had stolen was leverage enough.

How long I wonder, before information stealers are another thing Biden will be phoning Putin for?

The post The life and death of the ZeuS Trojan appeared first on Malwarebytes Labs.

Do you remember back when the latest urgent update was a vulnerability in Microsoft Exchange? How is that only four months ago? The trigger for the urgent advice in March was the fact that Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributed the attacks to a group they have dubbed Hafnium.

Hafnium at the time was a newly identified attack group that was also thought to be responsible for attacks on internet-facing servers, and which was known for exfiltrating data to file sharing sites. Its targets were mainly entities in the United States across a number of industry sectors. Despite the group’s use of leased servers in the US, Microsoft believed it was based in China.

The attack method used against the Exchange servers was called ProxyLogon. ProxyLogon quickly went from “limited and targeted attacks” to a full-size panic. Microsoft’s patches for the Exchange vulnerabilities were quickly reverse engineered. Before long attackers from everywhere in the world and every level of cybercrime were using the bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Attribution

As most security researchers will tell you, attribution is hard, especially when it involves international espionage. Nonetheless, the US, UK, EU, and NATO have simultaneously voiced their concern about what they say is the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace.

Australia, Japan, New Zealand and Canada have also joined the coalition that are exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it. One of the elements of the exposure is to confirm that Chinese state-backed actors were responsible for gaining access to computer networks around the world using ProxyLogon attacks against Microsoft Exchange servers.

The US Department of Justice also announced criminal charges against four hackers from the Chinese Ministry of State Security, the country’s unofficial espionage institution (the same organization that the UK named as the culprit behind the cyberattacks on Microsoft Exchange servers that took place earlier this year). The indictments against Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong are believed to be a part of this broader set of actions the federal government took to expose cybercrimes the White House officials say are sponsored and encouraged by the Chinese government.

The allies are also attributing the Chinese Ministry of State Security as being behind activity known by cyber security experts as “APT40” and “APT31”. It is rare to see such a unified and orchestrated reprimand against one of the world’s leading economies, but so far that seems to be as far as it goes. We have not seen any sanctions to be announced.

Sanctions

The EU has urged China to adhere to the “norms of responsible state behaviour as endorsed by all UN member states”, and not allow its territory to be used for malicious cyber-activities, and “take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation”.

The UK is calling on China to “reaffirm the commitment made to the UK in 2015 and as part of the G20 not to conduct or support cyber-enabled theft of intellectual property of trade secrets.”

When asked about the Microsoft hack, Joe Biden said one reason the US has not imposed sanctions against China over the cyberattacks is that the Chinese government, not unlike the Russian government, is not doing this themselves, but are protecting those who are doing it and maybe even accommodating them being able to do it.

In the past the EU imposed its first-ever sanctions in response to cyberattacks in July 2020, targeting Russian, Chinese and North Korean hackers involved in major incidents in previous years, namely the NotPetya ransomware outbreak, Cloud Hopper supply-chain hack, and WannaCry ransomware attack. In October 2020, it imposed sanctions on two Russian intelligence officers and a unit of the GRU military intelligence services over their involvement in hacking the German parliament in 2015.

From state-sponsored to free-for-all

As we have seen with ProxyLogon, the impact of this type of state-sponsored cybercrime aren’t limited to states. Techniques used by state actors have a way of getting picked up by cybercriminals that will grab every opportunity to make a few extra bitcoins.

Just look at EternalBlue and the other SMB vulnerabilities – developed as NSA hacking tools – that came out of The Shadow Brokers leak. These vulnerabilities were quickly picked up by threat actors like  Emotet and TrickBot. EternalBlue was also the driving power behind WannaCry.

Observed tactics and techniques

The NSA, CISA, and FBI also issued a joint advisory containing more than 50 tactics, techniques, and procedures (TTPs) that Chinese state-sponsored cyber actors have used in attacks targeting the US and allied networks.

The post US, EU, UK, NATO blame china for “reckless” Exchange attacks appeared first on Malwarebytes Labs.

We’ve observed a 419-style scam (also known as an advance fee scam) which combines the promise of cryptocurrency riches with WhatsApp conversation.

The mail, which arrived with the subject “Urgent respond”, begins as follows:

Greetings to you my friend,

My name is Haifa Kalfan, I am the Store manager with a Security Firm here in Malaysia . I need your urgent assistance to transfer funds out of this firm. I cannot directly achieve this without the help of a foreigner and that is why I am contacting you. All documents to enable the smooth release of this fund to you will be carefully worked out and there will be practically no risk involved, this will be executed under a legitimate arrangement that will protect you from any breach of law as a change of fund ownership certificate in your name will be legally initiated.

A fairly typical opening. Claiming to be in a reassuring position of power, along with the promise of being protected from any “breach of law”. Are you ready for things to go a bit Blockchain? Because they’re about to go a bit Blockchain.

Things go a bit Blockchain

This is the part of the scam where the people behind it start to get technical. Folks already involved in cryptocurrency would likely have suspicions raised after reading the below. Those with no prior experience may think somebody is suggesting an unfamiliar yet safe way to make a fortune.

A perfect arrangement is in place for the release of the fund to you without hitches through crypto currency which you may call bitcoin if you want. This measure was thought of due to the difficulties in transferring huge funds from one country to another, because of global fight on illicit movement of funds to sponsor terrorism. Transferring the fund to you through bitcoin is a perfect way. You will have to create a BLOCK CHAIN ACCOUNT on your phone, but you will first download the blockchain application on your phone, register an account and send the QR code to the financial institution, the fund will immediately be transferred into your blockchain account within 24 hours as soon as you send your blockchain QR code to the the department of any of our paying banks responsible for crypto currency transactions.

This is a long-winded way of asking would-be victims to install an app and begin transferring funds. Regular readers will be aware this means someone is about to have their bank account emptied, or have themselves turned into a money mule. If they’re really unlucky, both of these things are on the cards.

Confidence tricksters

Here’s the part where they attempt to keep would-be victims talking. It’s all about that personal touch in the land of cryptocurrency scams.

If you are ready, I will have to send you the director of the cryptocurrency department WhatsApp number, you will have to chat him up on WhatsApp for more details and guidelines. I will secure a legal certificate of fund ownership change through our firm’s legal team which you will forward.

This is nothing more than “the place the specifics of the scam unfold”. We did attempt to make contact and find out:

• Which app they want people to use and
• What the process is once the scam takes hold on WhatsApp, but at time of writing we’ve received no reply. Should we happen to get one, we’ll update this blog post in due course.

A multifaceted approach to scamming

With cryptocurrency being so widespread, it’s possible folks with digital money in the bank could be completely cleaned out. Whether the victim is someone tech-savvy or somebody who simply thinks they see a good thing, it will only end in disaster.

The email we received was already flagged as spam by Gmail, so it’s possible other spam filters have already marked this one out too. This style of missive is incredibly popular and costs folks a fortune every year. “If it’s too good to be true, it probably is” may be a little tired and worn around the edges these days, but it’s 100% accurate in this case. Should you receive a mail similar to the above, flag it as spam and send it straight to the trash bin.

The post Beware, crypto-scammer seeks foreigner with BLOCK CHAIN ACCOUNT appeared first on Malwarebytes Labs.

This blog post was authored by Erika Noerenberg

Introduction

Over the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering the Remcos remote access trojan (RAT) via financially-themed emails. Remcos is often delivered via malicious documents or archive files containing scripts or executables. Like other RATs, Remcos gives the threat actor full control over the infected system and allows them to capture keystrokes, screenshots, credentials, or other sensitive system information. Unlike most RATs used by malicious actors however, Remcos is marketed as an administrative tool by the company Breaking Security which sells it openly on their website.

Distribution

Remcos often infects a system by embedding a specially-crafted settings file into an Office document, allowing an attacker to trick a user to run malicious code without additional notification. This variant of Remcos has been observed to be distributed via targeted spam emails with an attached archive file. The emails and attachment names have been primarily financially-themed; an example email is shown below:

For illustration, the following table lists a sample of email subjects and attachment names from 2021 by date:

In most Remcos spam campaigns, the payload is an executable contained in an attached archive (.zip) or disk image (.img) file, though malicious documents are also sometimes used. In this campaign however, the emails contain a zip archive containing a Visual Basic script (.vbs) which downloads and executes additional scripts and finally installs the Remcos payload.

*Eariler versions also included a “Property.hta” file which only comprised the VB script wrapped in HTML as seen below. Interestingly, the body of this HTML consisted only of the text “demo”, which indicates this might have been test code.

Analysis

Remcos is a fully-functioning RAT that gives the threat actor full control over the infected system and allows them to collect keystrokes, audio, video, screenshots, and system information. Because it has full control, Remcos is also able to download and execute additional software onto the system. This Remcos distribution utilizes a series of scripts that ultimately results in the injection of a Remcos payload into the Windows system binary aspnet_compiler.exe. A sample infection chain for this variant is shown below:

The samples analyzed below originate from the attachment Appraisalreportl1100788392210.zip (SHA256 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a13bb23e). As with all analyzed samples, the the infection chain followed the process flow above; the initial Visual Basic script initiates a series of download and execution of obfuscated scripts that eventually result in the injection of the final Remcos payload into aspnet_compiler.exe.

Although the script above is lengthy due to obfuscation, it ultimately amounts to the following simple powershell command which downloads and executes a second Visual Basic script:

The first downloaded script (ALL.TXT) also uses simple deobfuscation techniques to perform a few simple tasks. The $JUANADEARCO variable in this script contains Base64-encoded data which is decoded by the last line of the script (this data is shown as decoded in the highlighted box in the image below). This script performs the following actions:

• Creates the directory C:UsersPublicRun
• Downloads Run_02_02_02.TXT (saved as C:UsersPublicRunRun.vbs)
• Downloads Lerveri.txt (saved as UsersPublicRun—–Run+++++++++.ps1)
• Sets HKCU:SoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell FoldersStartup to “C:UsersPublicRun”
• Sets HKCU:SoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersStartup to “C:UsersPublicRun”

The shell folder registry entries are legacy keys that are still existent for backwards compatibility. Setting the “Startup” value of these registry entries to the malware’s directory of execution effectively sets the contents of that directory to execute upon system startup, ensuring persistence.

Run.vbs is obfuscated in a similar fashion to the initial Visual Basic script:

This script (deobfuscated below) is responsible only for execution the main powershell script which contains embedded binaries, encoded in hex in plaintext.

One of the binaries encoded in —–Run+++++++++.ps1 is the Remcos payload which is loaded into the legitimate Windows binary aspnet_compiler.exe. The following function in the powershell script loads the Remcos PE into the binary:

Although all of the analyzed Remcos samples of this campaign since January 2021 call back to the same IP address and port, no actual C2 traffic has been observed. All of the script downloads have pointed to addresses on the legitimate website us.archive.org, and the payloads have connected (though only via TCP handshake) to the IP address 185.19.85[.]168 on port 8888.

Because this IP address has not changed over several months, we investigated the passive DNS records to see if the infrastructure may have been used in other recent attacks. We found that this IP address had the following resolutions over the last few months:

Examination of this IP address revealed several hosted services on multiple ports. The highlighted date range above is interesting as it appears to be a mail server, and Spamhaus Zen classifies this address as blocked due to spam. Furthermore, analysis also revealed that the #totalhash malware database contains malware associated with this address going back as far as 2013. Correlating additional malware associated with this address showed several other versions of Remcos samples connecting to the same IP (many to shugardaddy.ddns.net port 5946) – a few recent samples are shown below:

One identifying factor from this campaign is the use of us.archive.org to host payloads. Although this is not unique to malware campaigns in general, it is unique to the Remcos campaigns we have analyzed – only the VBS method of distribution has been observed to display this behavior.

In an analysis from Morphisec in March of this year, an HCrypt loader sample was analyzed that demonstrated a similar infection chain to the Remcos samples discussed above. Although the stages and scripts are not identical, the intermediary steps share a few similarities, such as the file names of the downloaded scripts ALL.txt, Server.txt, and in newer samples, Bypass.txt. The scripts also have a few function names in common, but the HCrypt samples have anti-analysis and anti-virus evasion functionality not seen in the Remcos samples. Further research is required to determine whether this set of scripts is a generically available package, or specific to a particular actor and being re-used across campaigns.

Although the actor or group behind this campaign is not known, the sporadic nature of the emails distributing this malware suggests that it could be targeted in nature. Remcos is a mature trojan that has evolved over many years; though the basic capabilities have remained the same, the methodologies of distribution and installation continue to change. Because it is software that can be purchased openly online, it is difficult to trace or attribute usage to a particular actor. However, given the consistency of network infrastructure and installation methodology, it is possible that the motivation or actors behind these attacks could be identified. Malwarebytes analysts continue to monitor and track this threat and will update detections and indicators as needed.

Protection

Malwarebytes protects users from Remcos by using real-time protection.

References

https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly

https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers

https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service

IOCs

Analyzed Samples:

Remcos VB Scripts:

Related Remcos Samples:

Other IOCs:

The post Remcos RAT delivered via Visual Basic appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• DNS-over-HTTPS takes another small step towards global domination
• Nope, that isn’t Elon Musk, and he isn’t offering a free Topmist Dust watch either
• Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday
• Is crypto’s criminal rollercoaster approaching a terminal dip?
• Ransomware’s Russia problem
• SonicWall warns users of “imminent ransomware campaign”
• What is scareware?
• Does using a VPN slow down your Internet?
• US offers huge reward in fight against state-sponsored cybercriminals

Other cybersecurity news:

• Kaseya finally started moving on after the ransomware attack from REvil. (Source: Kaseya CSA Incident Response)
• Attackers use non-malicious documents to disable macro security warnings before executing the malicious macro. (Source: The Hackers News)
• MageCart criminal gang used odd concatenation technique to hide their malware. (Source: Sucuri Blog)
• Mint Mobile suffered a data breach. (Source: BleepingComputer)
• Guess, the fashion retailer, suffered a breach, too. (Source: SecurityMagazine)
• SpoofedScholars phishers targets professors and writers who are experts about the Middle East. (Source: TechRepublic)
• Meanwhile, REvil seem to have disappeared. (Source: Endgadget)
• At this point, we lost count at the number of times TrickBot has come back. (Source: Gizmodo)
• Twitter verifying bot accounts raised a lot of questions regarding their process. (Source: The Daily Dot)
• Adobe releases critical patches for Reader, Acrobat, and Illustrator. (Source: Security Week)

Stay safe!

The post A week in security (July 12 – July 18) appeared first on Malwarebytes Labs.

The US Department of Homeland Security (DHS) and the US Department of Justice (DOJ)—along with other federal partners—have launched a new website as part of the US government’s fight against ransomware: StopRansomware.gov.

StopRansomware.gov is said to be a one-stop hub for ransomware resources for everyone, may they be individuals, SMBs, enterprises, or others.

“As ransomware attacks continue to rise around the world, businesses and other organizations must prioritize their cybersecurity,” said Secretary of Homeland Security Alejandro Mayorkas in the official press release on the DHS website. “Cyber criminals have targeted critical infrastructure, small businesses, hospitals, police departments, schools, and more. These attacks directly impact Americans’ daily lives and the security of our Nation. I urge every organization across our country to use this new resource to learn how to protect themselves from ransomware and reduce their cybersecurity risk.”

This website release and announcement came three months after the Ransomware Task Force (RTF), a group of 60 volunteer experts across industries and governments, released a comprehensive, strategic plan to address the growing threat of ransomware.

Both the report and the new website are part of an escalation in the fight against ransomware in 2021. This year has seen devastating attacks against Colonial Pipeline, Ireland’s Health Service Executive, and Kaseya VSA, to name a few. In response, the Biden administration has issued new rules for critical infrastructure, promised to hold President Putin of Russia to account for the country’s apparent harboring of ransomware gangs, and offered rewards of up to $10 million for information about state-sponsored attacks on critical infrastructure.

StopRansomware.gov is the culmination of ransomware tools and resources from all US federal government agencies. When before, organizations would have to visit multiple sites to seek advice, threat updates, or alerts with regards to all ransomware matters, they can just visit this .gov website. Some of the resources included in StopRansomware.gov are content from Cybersecurity and Infrastructure Security Agency (CISA), the US Secret Service, the Federal Bureau of Investigation (FBI), the National Institute of Standards and Technology (NIST), the Department of Treasury, and the Department of Health and Human Services (HHS).

The post StopRansomware.gov brings together information on stopping and surviving ransomware attacks appeared first on Malwarebytes Labs.

Kaseya VSA included at least “seven or eight” privately known zero-day vulnerabilities before it suffered a widespread ransomware attack that impacted hundreds of businesses, said Victor Gevers, chair of the Dutch Institute for Vulnerability Disclosure, or DIVD, a volunteer-run organization that found a remote code execution flaw in Kaseya VSA on April 1, 2021.

In speaking with Malwarebytes for its Lock and Code podcast (embedded below), Gevers revealed that Kaseya VSA’s vulnerabilities represent just one data point in a far larger and more worrying trend—that Internet-facing remote administration tools are rife with flaws and that, as organizations increasingly rely on such tools for working-from-home environments, cybercriminals will increasingly discover, target, and exploit those flaws.

“We are seeing these signals very clearly that the quality of products that are online and are exposed to the Internet are not up to par for the current situation that we are in,” Gevers said. “For attackers, this is the best way in—next to, of course, sending phishing emails. That will always exist because we cannot learn to stop [clicking on things]. But this second thing, this is going to screw us over in the long term.”

The ransomware attack against Kaseya VSA on July 2 has quickly become recognized as one of the most significant cyberattacks in recent history. In the attack, members of the REvil ransomware gang pushed malicious Kaseya VSA updates that locked up machines and networks after first disabling several protective features in Microsoft Defender, the default anti-malware software packaged with most Windows machines today. The impact of the attack, however, extended much further, because Kaseya VSA is one of the more popular remote monitoring and management tools used by Managed Service Providers. The MSPs that were hit by the attack saw not only their systems encrypted, but also the systems of the clients that they support.

Essentially, the attack cascaded down, first hitting Kaseya VSA users—MSPs—and then hitting the businesses that relied on those MSPs for day-to-day IT support.

Reportedly hundreds of businesses were hit. Schools in New Zealand warned their staff that their computers might be inaccessible. The Swedish grocery chain Coop closed roughly 500 stores for multiple days. Two small towns in Maryland saw their systems lock up. The scale helped prompt Kaseya’s CEO into publicly releasing a statement.

For Gevers, the number of victims is frustrating, largely because he and his team were working with Kaseya to patch the VSA vulnerabilities for months prior. Within a day of discovering a remote code execution vulnerability on April 1, DIVD built up a team to investigate further, Gevers said.

“We open a case, we get some other security engineers on board. If we can find a copy [of Kaseya VSA], then we get our own copy of it, a trial version to run. We set up a lab. Then we have to go through the process of creating a fingerprint, because we want to scan the entire Internet—we want to look to every web server in the world to have that specific fingerprint, so we know where those panels are, exactly,” Gevers said. “Within a day, we were able to scan all Internet-facing instances of that thing, and it took us two days to start identification of the possible victims that had the on-prem version.”

DIVD compiled a report that showed “all on-prem implementation[s],” along with unique customer ID codes, delivering the report to Kaseya on April 6, just days after first discovering the vulnerability.

Kaseya took responsibility for the vulnerability and began developing a patch, Gevers said, which DIVD helped test for effectiveness. During this time, DIVD was also offered a version of Kaseya VSA to test more extensively, and in those tests, Gevers said, a researcher found additional flaws.

“We finally had our version running in our test lab,” Gevers said. “This is how it went from one zero-day [to] seven or eight, eventually.”

While Kaseya managed to quickly test its patches on SaaS implementations of Kaseya VSA, it had more trouble with customers who still relied on the on-premises versions, Gevers said. But in the middle of that testing, it became too late:

“It took them quite a lot of effort and time, and more and more expertise to get the right patch out—to get it tested, to get it through quality assurance. And then, disaster struck.”

The fallout of the attack is both external and internal.

Internally, Gevers said that DIVD is already considering how to improve coordinated vulnerability disclosure—as a process—because, despite issuing a confidential warning as far back as April 6, some systems remained vulnerable. While many potential victims were saved by DIVD and Kaseya’s months-long work, Gevers said he would have preferred to see no victims at all.

Externally—beyond the immediate damage of the ransomware attack itself—Gevers said that security administrators can no longer look away from a growing problem that affects the very tools they rely on every day.

“We understand that it is convenient to have your administrative panels, your RDP, your VNC, your shared hosting panels… all that kind of things for doing maintenance and administrative, to have it directly connected to the Internet, we understand,” Gevers said. “But it is simply not safe, because there is always, there is always an issue with the software.”

Critically, Gevers said that these flaws are neither isolated, or complex:

“This is not just to hit on Kaseya. With Vembu, it was the same. The latest Citrix bug, you know, that caused an outage. With Pulse VPN. I am sorry, but these vulnerabilities—these are not advanced. Not advanced at all.”

For Gevers, there is a clear path forward: Fix today’s vulnerabilities as soon as possible, and prevent future, similarly-flawed products from ever entering the market.

In the short term, Gevers called for more security volunteers. At DIVD, the team is too small and not geographically dispersed enough to handle worldwide cyberattacks. For instance, having a volunteer in Miami, Florida, near Kaseya’s headquarters, could have helped DIVD, Gevers said.

In the long term, Gevers stressed that software vendors take greater responsibility of their products. He asked vendors to invite third party reviewers to analyze software code, and to step away from meaningless marketing language. By giving consumers more information from trusted analysts about how a product performs and what vulnerabilities it may have, Gevers said the market will then hopefully reward secure, transparent software. Finally, Gevers said that countries around the world should better incentivize independent security research so that cybersecurity researchers do not feel intimidated or afraid to report their findings.

The future, Gevers said, is at stake:

“It’s our duty to do something to make sure that the Internet stays safe enough for the next generation… because we are always leaving the next generation with political challenges, challenges in society, environmental challenges, economical challenges. Can we please leave a communications network behind that I can still trust to work on?”

Listen to the full Lock and Code podcast, with host David Ruiz, below.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post “Seven or eight” zero-days: The failed race to fix Kaseya VSA, with Victor Gevers, Lock and Code S02E13 appeared first on Malwarebytes Labs.

Scareware is a type of rogue program which has been around for many years, arguably dating back to 1990. It can be installed without permission, or via deception and false promises. Scareware is primarily used to panic or worry someone into performing a task they otherwise wouldn’t have done. There are some caveats to this, which we’ll cover below.

The rest of this article will reference scareware programs which are intended to be malicious. This means asking for payment, locking devices, or acting in a malware-like manner. Joke / trick programs need not apply (unless they’re also doing something malicious). There are, broadly, a number of different categories which various kinds of scareware fall into. Bogus web browser messages often assist shareware installations. As such, we’ll look at those too.

Examples of scareware

Fake security software

Predating ransomware, rogue scanners used to be a major plague on the security landscape and are still problematic to this day. At one point, you simply couldn’t move for bogus programs. The standard procedure was to warn of infections via browser popups, or hijacked surfing and pages you couldn’t navigate away from. Bogus security programs would run a fake scan, and warn of fake infections. They’d also ask for payment to “unlock” the full version of software so cleaning could take place.

Many types of fake security software imitate the design / name of real programs, in order to seem more convincing.

Scareware as a system menace

Many fake security tools do little beyond triggering aggravating popups or fake infection warnings. They “just” want you to hand over some money for a useless program. Others go further, acting the same way actual spy/malware does while simultaneously saying the PC has an infection (spoiler – it does, but not in the way victims might think). Rogues changing desktops with fake blue screen of death imagery, restarting when trying to uninstall scareware, disabling genuine security tools, and much more are par for the course in this realm.

Web browser lockers

Although not an install, browser lockers were an integral part of how scareware used to end up on systems in the first place. Typically, this involved a web page using code to prevent the user shutting the browser window (or tab, after tabs were introduced). Some browser lockers would make the browser go full screen (as if you’d pressed F11) and use “scare” tactics as the webpage background.

This commonly took the form of fake representations of people’s “This PC” section, complete with representation of C or D drives, generic folders like Music / Pictures and so on. As mentioned, others would display fake BSoD screens. Whatever it took to panic the viewer into downloading and purchasing offered software.

Scareware influence

Many of these techniques ended up making their way into the hands of malvertisers. In fact, it’s not unusual to see malvertisers directing device owners to scareware messaging. You’ll notice the product at the end of that particular chain isn’t fake security software offering a cleanup. It’s a VPN. There’s at least some folks out there who may think installing it may be enough to “fix” the fictitious virus infestations. That’s all it takes for some money to change hands.

How to prevent scareware

Many scareware experiences begin with bad browser experiences. It pays to have a fully updated browser at all times to reduce the risk of attack from exploits. Additional extensions like our Browser Guard will further lower the possibility of scare screens and fake messaging.

Dire warnings of multiple infections out of the blue are a big hint scareware is in the offing. So too are immediate demands for payment, popups which won’t go away, tabs which refuse to close. Pressure to make decisions right away “or else” are also a major red flag. Ad blockers will help reduce the possibility of redirects to scareware and malvertising from bad ads. Double win!

General awareness of common social engineering techniques will also help steer you away from panic-based decisions. While scareware isn’t the mainstream force it once was, it still has the capacity to shock the money from your bank account. Stay safe out there!

The post What is scareware? appeared first on Malwarebytes Labs.

A Virtual Private Network (VPN) can stop others from snooping on or tampering with your Internet traffic. It does this by concealing your traffic inside an encrypted tunnel between you and your VPN provider. And because your traffic appears to join the the Internet from your VPN provider’s computer and not your own, a VPN can also conceal your IP address, which disrupts tracking and helps you circumvent geo-blocks. At Malwarebytes, we have noticed an increase in VPN usage worldwide.

Despite its benefits, some people hesitate to use the technology because they believe VPNs negatively impact the performance of their Internet connection. So, does a VPN slow down Internet speeds?

Yes, it does. The encryption process, the distance to the server, and the VPN protocol your VPN uses can impact your Internet speed. But that isn’t the whole story.

What really matters is: Is that slowdown noticeable? A good VPN may slow down your Internet, but only to a negligible degree. Most customers of cutting-edge VPN services find that a slight performance hit is worth the benefits, if they notice it at all.

VPN speed test

The best way to check how much a VPN is slowing down your Internet connection is to perform a VPN speed test. A VPN speed test compares your regular Internet speed with your VPN speed. Your Internet bandwidth is usually measured in megabits per second (Mbps).

Here is a fast and easy way to perform a VPN speed test:

1. Deactivate your VPN.
2. Search your favorite search engine for “Internet speed test.”
3. Run an Internet speed test and note down your download and upload speeds.
4. Activate your VPN.
5. Connect to a VPN server.
6. Repeat step three and compare the results.

Bear in mind though, that you are not a machine and that what actually makes a difference to you is not the measurable lag in your Internet connection (known as latency) but how you perceive that lag (known as perceived latency). In many situations, you won’t notice a small slow down. In other situations, perhaps when you’re waiting on something important like a credit card transaction to complete, you will be more sensitive to changes in latency you normally wouldn’t notice.

So, while objective speed tests are a useful guide, there is no substitute for actually using a VPN in the real world and seeing how it affects things you care about.

How can I make my VPN faster than before?

Pick a different server

In general, the further your traffic has to travel to your VPN provider’s servers, the slower your VPN will be. Speed is also affected by how powerful those servers are, and how many people are using them at the same time, but all things being equal, distance matters.

Try picking a closer server to enjoy a faster connection. If it’s experiencing heavy traffic during peak hours, pick another server nearby to improve your Internet speed. It’s a good idea to subscribe to a VPN service that offers many servers across dozens of countries to have a fast connection.

Select a VPN that uses WireGuard

A VPN protocol is the set of instructions that establishes the way your data routes from your device to your VPN server. A VPN protocol impacts the speed, security, and stability of your connection. Many service providers have switched from OpenVPN to the WireGuard protocol because it’s secure, newer, and more efficient. In many studies, WireGuard is significantly faster than its competitors, including OpenVPN.

VPN speed boost

Some Internet Service Providers (ISPs) deliberately throttle your Internet speed during peak hours to reduce the server load by slowing down popular data packets. For example, Northeastern University and the University of Massachusetts Amherst found ISPs throttling streaming platforms like Netflix in their research. A top VPN service can help you bypass bandwidth throttling because it stops your ISP from examining data packets.

The post Does using a VPN slow down your Internet? appeared first on Malwarebytes Labs.