IT NEWS

Analysts “strongly believe” the Russian state colludes with ransomware gangs

“We have the smoke, the smell of gunpowder and a bullet casing. But we do not have the gun to link the activity to the Kremlin.” This is what Jon DiMaggio, Chief Security Strategist for Analyst1, said in an interview with CBS News following the release of its latest whitepaper, entitled “Nation State Ransomware”. The whitepaper is Analyst1’s attempt to identify the depth of human relationships between the Russian government and the ransomware threat groups based in Russia.

“We wanted to have that, but we believe after conducting extensive research we came as close as possible to proving it based on the information/evidence available today,” DiMaggio concluded.

Here are some of the key players and connections identified by Analyst1:

Evgeniy “Slavik” Bogachev

Hailed as “the most prolific bank robber in the world”, Bogachev is best known for creating ZeuS, one of the most prolific banking information stealers ever seen. According to the report, Bogachev created a “secret ZeuS variant and supporting network” on his own, without the knowledge of his closest underground associates, The Business Club. This ZeuS variant, a modified GameOver ZeuS (GOZ), was designed specifically for espionage and was aimed at governments and intelligence agencies connected with Ukraine, Turkey, and Georgia.

Analyst1, too, believes that, at some point, Bogachev was approached by the Russian government to work for them in exchange for their blessing to have him continue his fraud operations.

The United States officially indicted Bogachev in May 2014. Seven years on, Russia still refuses to extradite Bogachev. The Ukraine Interior Ministry had provided the reason why: Bogachev was “working under the supervision of a special unit of the FSB.” That is, the Federal Security Service, Russia’s security agency and successor to the Soviet Union’s KGB.

EvilCorp

The Business Club, the underground criminal gang that Bogachev himself put together, continued its operations. In fact, under the new leadership of Maksim “Aqua” Yakubets, Bogachev’s successor, the criminal enterprise rebranded and started calling itself EvilCorp. Some cybersecurity companies refer to the group as Indrik Spider. Since then, it has been behind campaigns harvesting banking credentials in over 40 countries using the sophisticated Trojan malware known as Dridex.

Yakubets was hired by the FSB in 2017 to directly support the Russian government’s “malicious cyber efforts”. He was a likely candidate for this role because of his relationship with Eduard Bendersky, a former FSB colonel who is also his father-in-law. It was also in 2017 that EvilCorp started creating and using ransomware, namely BitPaymer, WastedLocker, and Hades, for its financially motivated campaigns. In addition, Dridex had been used to drop ransomware onto victim machines.

SilverFish

SilverFish was one of the threat actors quick enough to take advantage of the SolarWinds breach that was made public in mid-December 2020. As you may recall, multiple companies that use SolarWinds’ Orion software were reportedly compromised via a supply-chain attack.

SilverFish is a known Russian espionage attacker and is said to be related to EvilCorp, in that the two groups used similar tools and techniques against one victim: the same command and control (C&C) infrastructure and the same unique Cobalt Strike Beacon. SilverFish even attacked the same organization a few months after EvilCorp hit it with ransomware.

Wizard Spider

Wizard Spider is the gang behind the Conti and Ryuk ransomware strains. Analyst1 has previously profiled Wizard Spider as one of the groups operating as part of a ransomware cartel. DiMaggio and his team believe that Wizard Spider is responsible for managing and controlling TrickBot.

EvilCorp has a history of using TrickBot to deliver its BitPaymer ransomware to victim systems. This suggests that a certain level of relationship is at play between the two groups.

Does it matter?

While the Analyst1 report contains some interesting findings, we agree that it doesn’t deliver a smoking gun. That doesn’t mean there isn’t a smoking gun, somewhere, of course. But even if there is, unless you’re an intelligence agency like the NSA, establishing the intent of a potential attacker can be a waste of time and effort.

Does that mean you shouldn’t care about attribution at all? No. It’s sensible to update your threat model in response to tactics used by real-world threat actors. But it often doesn’t matter who is doing the attacking. Ransomware is a well-established and well-resourced threat to your business, whether it’s state-funded or run by criminal gangs living off several years of multi-million dollar payouts and a Bitcoin boom.

You can read more about attribution in our two part series on the subject, starting with when you should care.

The post Analysts “strongly believe” the Russian state colludes with ransomware gangs appeared first on Malwarebytes Labs.

A week in security (August 9 – August 15)

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (August 9 – August 15) appeared first on Malwarebytes Labs.

How to troubleshoot hardware problems that look like malware problems

Sometimes it’s hard to figure out what exactly is going wrong with your computer. What do you do if you’ve run all the scans, checked all the files, and everything says the PC is malware free? Here’s a list of common problems that resemble cybersecurity issues, but could be caused by something hardware-related instead.

My computer is overheating

Some types of malware try very hard to go unnoticed, but others can be CPU hogs capable of turning your keyboard into a waffle iron. The encryption routines in ransomware demand a lot of resources, for example. But there are other, far more obvious signs of a ransomware problem, so if you’ve got this far, it’s not that. So perhaps it’s a cryptominer grinding away in your browser or System32 folder. If your antivirus says “no” though, it’s more likely to be one of the problems below:

  • One or more of your fans aren’t working. If you have a PC, you should be able to follow the wire connecting the problem fan to the motherboard or its associated socket. Sometimes there are so many wires in there that they can get nudged out of place. This is especially common when removing the panel on the side of the motherboard to clean behind the wires.
  • A software change has affected your fan profile. A fan profile is software that exerts a specific amount of control over your fans. It tells them when to ramp up, and how. Sometimes updates to your fan control program or associated hardware can do odd things to settings. You’ll have to go back in and set them to your liking.
  • Your thermal paste needs a refresh. A layer of thermal paste sits between your heat sink and your processor and conducts the heat—that would otherwise engulf the CPU—into the heat sink. It’s possible your paste needs replacing. This is quite a precise process however, so watch a few tutorial videos before attempting it.
  • Your graphics card is about to die. This is the worst case scenario. If you’re lucky, a good clean may solve the issue, though you should be looking to regularly clean everything inside your PC anyway. Dust build up? Get rid of it sooner rather than later. Contacting your PC / parts supplier at this stage is also a good idea.

My computer keeps restarting / Blue screen of death

Plenty of malware files make PCs restart or trigger the dreaded blue screen of death (BSOD). Plenty of other things do too though. Here are some alternative causes to think about:

  • Loose or faulty RAM sticks. I’ve had machines which restarted, popped a BSOD, or simply stuttered and staggered while on the desktop. Check to make sure all of your RAM sticks are in securely. If one seems a little loose, remove and reinsert it correctly. You can also run diagnostic tests on your sticks if the machine runs long enough for you to do so. If not, the long-winded approach is to remove one stick at a time and see if the problem magically goes away. If it does, there’s a good chance you’ve identified the problem.
  • Peripheral devices left in at shutdown can cause odd issues when you boot up. There’s no real rhyme or reason to this. I’ve seen USB sticks, cameras, phones, and even a digital keyboard cause a PC to not load correctly or act strangely after booting up. I’ve also seen PCs refuse to boot because of a peripheral one minute, and ignore it entirely the next. If in doubt, just take it out.
  • You might have a Windows-specific issue going on under the hood. You should consider sorting out various recovery tools and backup plans now.
  • Your PSU (power supply) may not be working correctly, or on the verge of failure. This is a bit of a tricky one to test, because messing around with PSUs and electricity can be incredibly dangerous. If the thought of paperclip tests or getting out the multimeter fills you with dread, you’re better off asking the company you bought the PC from for help or switching it out for a different PSU.

I can’t see my files / my hard drive is missing

Yes, some malware will happily scrub all of your saved documents. Most won’t. There can be other explanations:

  • Check your wires. I’ve seen PCs where the caddy holding the drive has broken, the hard drive has fallen to the bottom of the case, and a wire has been dislodged. Reattaching the wire and securing the caddy was all that was needed to stop the drive randomly disappearing and reappearing whenever it felt like it.
  • Check your Windows. Some people reported files going missing after upgrading to Windows 10, or (occasionally) other updates. Considering Windows 11 is on the way, it might be worth revisiting what happened.
  • The files might be hiding, or somewhere else. If files aren’t where they’re supposed to be but your hard drive usage suggests everything is still present, never fear. Fire up an app which tells you exactly how much space is being used, and what is using it. A relative of mine had some files go walkabout after a system update, and they were able to find them with a third party tool.
  • Check the drive for signs of corruption or imminent failure. Sometimes hardware just fails. This is a mechanical issue and not something you can hope to prevent. Back everything up as soon as you can, if you aren’t already.

Conclusion

Computers are often surprisingly delicate, and their rugged cases don’t accurately reflect the 24/7 juggling operation taking place down on the motherboard. There are many other hardware problems, but the ones listed above tend to be the first port of call for budding hardware fixers.

If you can deal with both software and hardware issues as they arise, there’ll be no stopping you the next time a relative gives you a call at Christmas with a “small problem…”

The post How to troubleshoot hardware problems that look like malware problems appeared first on Malwarebytes Labs.

Katie Moussouris hacked Clubhouse. Her emails went unanswered for weeks: Lock and Code S02E15

Nearly one year after the exclusive app Clubhouse launched on the iOS store, its popularity skyrocketed. The app, which is now out of beta, lets users drop into spontaneous audio conversations that, once they are over, are over. With COVID lockdown procedures separating many people around the world last year, Clubhouse offered its users immediate, unplanned, conversational magic that maybe they lost in shifting to a work from home environment.

At the time, it was perhaps an app to find a feeling.

And in 2021, Luta Security CEO and founder Katie Moussouris found a crucial vulnerability in it. But when she tried to tell Clubhouse about the flaw, which let her hide her presence inside a listening “room” so she could eavesdrop on conversations, the company failed to listen to her for weeks. Her emails went unanswered, and the vulnerability she discovered could be exploited with a simple trick. Perhaps most frustrating of all, Clubhouse had actually set up what’s called a “bug bounty” program, in which a company pays independent researchers to come forward with evidence and reports of vulnerabilities in its products.

With a bug bounty program in effect, why then did Clubhouse delay on fixing its flaw?

“[Clubhouse] is too large, too popular, and too well-funded to be in the denial stage of the five stages of vulnerability response grief,” Moussouris said on the most recent episode of Lock and Code, with host David Ruiz.

Tune in to learn about the vulnerability itself, how Moussouris discovered it, how Clubhouse delayed in moving forward, and whether bug bounty programs are actually the right tool for developing secure software.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Katie Moussouris hacked Clubhouse. Her emails went unanswered for weeks: Lock and Code S02E15 appeared first on Malwarebytes Labs.

Phishing campaign goes old school, dusts off Morse code

In an extensive report about a phishing campaign, the Microsoft 365 Defender Threat Intelligence Team describes a number of encoding techniques that were deployed by the phishers. And one of them was Morse code.

While Morse code may seem like ancient communication technology to some, it does have a few practical uses in the modern world. We just didn’t realize that phishing campaigns were one of them!

Let’s look at the campaign, and then we’ll get into the novel use of an old technology.

The campaign

Microsoft reports that this phishing campaign has been ongoing for at least a year. It’s being referred to as the XLS.HTML phishing campaign, because it uses an HTML file email attachment of that name, although the name and file extension are modified in variations like these:

  • xls.HTML
  • xslx.HTML
  • Xls.html
  • .XLS.html
  • xls.htML
  • xls.HtMl
  • xls.htM
  • xsl_x.h_T_M_L
  • .xls.html
  • ._xslx.hTML
  • ._xsl_x.hTML

The phishers are using variations of XLS in the filename in the hope the receiver will expect an Excel file if they open the attachment. When they open the file, a fake Microsoft Office password dialog box prompts the recipient to re-enter their password, because their access to the Excel document has supposedly timed out. This dialog box is placed on a blurred background that will display parts of the “expected” content.
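The filename tricks above (mixed case, underscores inside the extension, leading dots, a document-like token in front of the real .html extension) are mechanical enough to check for at the mail gateway. The following is an added example, not code from Microsoft or Malwarebytes: it normalizes an attachment name and flags HTML files posing as documents. The doc/docx tokens and the payroll-style sample name are assumptions constructed for the example.

```javascript
// Added example: detect attachment names built like the XLS.HTML campaign's.
// Decoy document extensions listed on the page (xls/xsl/xslx variants) plus the
// pdf variant from the Addendum; doc/docx are added here as an assumption.
const DECOY_TOKENS = ["xlsx", "xslx", "xls", "xsl", "pdf", "docx", "doc"];

// The decoy must end the stem and be separated from anything before it by a
// dot, hyphen or space, so names like "biodoc.html" or "tools.html" pass.
const DECOY_RE = new RegExp(`(?:^|[.\\-\\s])(${DECOY_TOKENS.join("|")})$`);

// Undo the obfuscation tricks listed above: mixed case, underscores inside the
// extension ("h_T_M_L"), and one or more leading dots ("._xslx.hTML").
function normalizeAttachmentName(name) {
  return name.trim().toLowerCase().replace(/_/g, "").replace(/^\.+/, "");
}

// Returns whether the name is an HTML file posing as a document, which decoy
// token it uses, and the normalized form for logging.
function classifyAttachmentName(name) {
  const normalized = normalizeAttachmentName(name);
  const html = /^(.*)\.html?$/.exec(normalized);
  if (!html) return { disguised: false, decoy: null, normalized };
  const decoy = DECOY_RE.exec(html[1]);
  return { disguised: decoy !== null, decoy: decoy ? decoy[1] : null, normalized };
}

// The eleven variants listed on the page.
const CAMPAIGN_VARIANTS = [
  "xls.HTML", "xslx.HTML", "Xls.html", ".XLS.html", "xls.htML", "xls.HtMl",
  "xls.htM", "xsl_x.h_T_M_L", ".xls.html", "._xslx.hTML", "._xsl_x.hTML",
];

// Constructed names: one following the Addendum's {company}-payroll-{date}-pdf.HtmL
// pattern with placeholder values, and two benign names that must not be flagged.
const CONSTRUCTED_NAMES = [
  "examplecorp-payroll-2021-08-12-pdf.HtmL", "report.html", "budget.xlsx",
];

// Triage a batch of attachment names; returns only the suspicious ones.
function flagDisguisedAttachments(names) {
  return names
    .map((name) => ({ name, ...classifyAttachmentName(name) }))
    .filter((r) => r.disguised);
}

// Stand-alone run: list every flagged name with its normalized form and decoy.
console.log(
  flagDisguisedAttachments([...CAMPAIGN_VARIANTS, ...CONSTRUCTED_NAMES])
    .map((r) => `${r.name} -> ${r.normalized} (decoy: ${r.decoy})`)
    .join("\n"),
);
```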

[Image: prompt to log in on blurred background] Opening the email attachment triggers a fake Microsoft Office password dialog prompting users to “re-enter” their password.

The script in the attachment fetches the logo of the target user’s organization and displays their user name, so all the victim has to do is enter the password, which is then sent to the attacker’s phishing kit running in the background.

After trying to log in, the victim will see a fake page with an error message and be prompted to try again.

[Image: incorrect password] While the user’s password is passed on to the attacker, the dialog insists it was incorrect.

It is easy to tell from the information about the target used by the phishers, like the email address and company logo, that these phishing mails are part of a targeted campaign that needed some preparation to reach this step.

And this phishing campaign is another step to gather more data about a victim. In the latest campaigns the phishers fetch the user’s IP address and country data, and send that data to a command and control (C2) server along with the usernames and passwords.

Encoding

The phishing campaign has been seen using different types of encoding, and combinations of encodings. For example, in one of the waves the user mail ID was encoded in Base64. Meanwhile, the links to the JavaScript files were encoded in ASCII before being encoded again, with the rest of the HTML code, in Escape.

Encodings seen in the campaign included:

  • ASCII, a basic character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices.
  • Base64, a group of binary-to-text encoding schemes that represent binary data in an ASCII string format. By using only ASCII characters, base64 strings are generally URL-safe, and allow binary data to be included in URLs.
  • Escape or URL-encoding, originally designed to translate special characters into some different but equivalent form that is no longer dangerous in the target interpreter.
  • Morse code, more about that below.

Note that encoding is different from encryption. Encoding turns data from one format into another, with no expectation of security or secrecy. Encryption transforms data in a way that can only be reversed by somebody with specific knowledge, such as a password or key.

Encoding methods won’t hide anything from a security researcher, so why bother? Changing the encoding methods around is designed to make it harder for spam filters trained on earlier versions of the campaign to spot the later versions.

Morse code

Morse code is a communication system developed by Samuel Morse, an American inventor, in the late 1830s. The code uses a combination of short and long pulses, which can be represented by dots and dashes that correspond to letters of the alphabet.

Famously, the Morse code for “SOS” is ... --- ..., for example.

The International Morse Code encodes the 26 letters of the English alphabet, so the phishers had to come up with their own encoding for numbers. Morse code also doesn’t include special characters and cannot be used to distinguish between upper and lower case, which makes it harder to use than other types of encoding.

So, technically, they didn’t use Morse code but an encoding system that borrowed its base elements, dashes and dots, to represent characters.

This is how the JavaScript section for the Morse code decoding looked:

[Image: javascript decodeMorse] Embedded JavaScript including Morse code.

In one wave, links to the JavaScript files were encoded using ASCII, then Morse code. In other cases, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.
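The point made in the Encoding section holds here too: a dot-and-dash layer hides nothing from an analyst who decodes it. The following is an added example, not the phishing kit’s decodeMorse() routine or code from Microsoft: a decoder using the standard International Morse table (the campaign’s own table for the characters it needed is not reproduced), and a scanner that pulls Morse-looking blobs out of an HTML attachment and decodes them for inspection. The sample attachment and its decoded string are constructed placeholders.

```javascript
// Added example: decode Morse-style blobs found in an HTML attachment.
// Standard International Morse table for letters, digits and some punctuation.
const MORSE_TABLE = {
  ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
  "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
  "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
  "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
  "-.--": "Y", "--..": "Z",
  "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
  ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
  ".-.-.-": ".", "--..--": ",", "..--..": "?", "-.-.--": "!", "---...": ":",
  "-....-": "-", ".----.": "'", ".-..-.": "\"", ".--.-.": "@",
};
const REVERSE_TABLE = Object.fromEntries(
  Object.entries(MORSE_TABLE).map(([code, ch]) => [ch, code]),
);

// Decode dot/dash text: letters separated by whitespace, words by "/".
// Because "/" is the word break here, a Morse "/" character is not supported.
// Tokens outside the table are kept visible as "#" so gaps in an attacker's
// custom scheme show up in the output instead of silently disappearing.
function decodeMorse(text) {
  return text
    .trim()
    .split(/\s*\/\s*/)
    .map((word) =>
      word.trim().split(/\s+/).filter(Boolean)
        .map((tok) => MORSE_TABLE[tok] ?? "#")
        .join(""))
    .join(" ");
}

// Encode plain text (letters, digits, listed punctuation; case is lost).
// Used only to build the constructed sample below.
function encodeMorse(text) {
  return text.toUpperCase().split(" ").map((word) =>
    [...word].map((ch) => {
      const code = REVERSE_TABLE[ch];
      if (!code) throw new Error(`no Morse code for ${JSON.stringify(ch)}`);
      return code;
    }).join(" ")).join(" / ");
}

// A run of 12 or more dot/dash tokens separated by whitespace, with optional
// "/" word breaks, is very unlikely in legitimate HTML or JavaScript.
const MORSE_BLOB_RE = /[.\-]{1,7}(?:\s+(?:\/\s+)?[.\-]{1,7}){11,}/g;

// Find every Morse-looking blob in an attachment and decode it for triage.
function findMorseBlobs(html) {
  return [...html.matchAll(MORSE_BLOB_RE)].map((m) => ({
    offset: m.index,
    encoded: m[0],
    decoded: decodeMorse(m[0]),
  }));
}

// Constructed sample attachment, in the spirit of the campaign's embedded
// decoder: a Morse-encoded string is handed to a decodeMorse() call at load
// time. The decoded value is a placeholder, not a real indicator.
const SAMPLE_ATTACHMENT = `<html><body><script>
var payload = "${encodeMorse("POST TO EXAMPLE.TEST 2021")}";
document.write(decodeMorse(payload));
</script></body></html>`;

// Stand-alone run: show what the attachment actually carries.
for (const blob of findMorseBlobs(SAMPLE_ATTACHMENT)) {
  console.log(`offset ${blob.offset}: ${blob.decoded}`);
}
```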

Addendum

During our own research for this article we also came across files that used the pdf.html filename and similar variations on the theme we saw with the xls.html extension. These HTML files produced the same prompt to log into Outlook because the sign-in had supposedly timed out.

These samples were named using the format: {company}-payroll-{date}-pdf.HtmL

For more information about phishing and how to protect yourself and your company, please have a look at our page about phishing. For a full description of the phishing campaign, take a look at the Microsoft blog.

... - .- -.-- / ... .- ..-. . --..-- / . ...- . .-. -.-- --- -. . -.-.--

The post Phishing campaign goes old school, dusts off Morse code appeared first on Malwarebytes Labs.

Cyberbullying 101: A Primer for kids, teens, and parents

At some point in our lives, we have likely either been bullied, stood back and watched others bullying, or participated in the act. Playing the role of offender, offended, or bystander has become easier, thanks to the Internet and the technologies that keep us connected.

In this article, we aim to arm you with the basics. From there you can decide for yourself if you want to further expand your knowledge so you know what to do to help someone, a family member or a peer, who might be involved in incidents of cyberbullying.

What is cyberbullying?

Cyberbullying is a term used to describe the act of bullying someone using electronic and digital means. Bullying involves two things: intent and persistence. An offender intentionally says or does something negative to the offended and does so for a period of time. This sets cyberbullying apart from, say, a one-time encounter with someone being mean or rude to them.

Cyberbullying is often used interchangeably with the terms “online bullying”, “digital bullying”, “online aggression”, or “electronic aggression”.

Note that cyberbullying and physical bullying could happen to an individual at the same time.

Examples of cyberbullying

Cyberbullying can take many forms, can happen anywhere online, and can target anyone, including adults in the workplace. It is probably most commonly associated with kids and teens who send hurtful text messages to their victims, or spread rumors about them on social media. Some bullies share non-consensual images and video recordings of victims doing something in private.

Again, we’d like to stress that what classifies something as bullying isn’t a specific act or platform, but the wilfulness of the bully, and the repeated harm they inflict on their victim.

What are the effects of cyberbullying?

The effects of bullying can manifest in someone physically, emotionally, mentally, and socially. And cyberbullying doesn’t just affect the victim and the offender, it also affects those who stand by and watch as the bullying takes place.

Studies have shown that those involved in bullying, whether they’re the abuser, the abused, or a bystander, can experience headaches, recurring stomach pains, and difficulty sleeping. They can also have problems concentrating, behavioral issues, and difficulty getting along with others. Emotionally and mentally, those who are abused can feel sad, angry, frustrated, scared, and worthless, and can have suicidal thoughts.

The effects of bullying can manifest as depression or a sudden change of attitude, such as not wanting to go to school or avoiding smartphones for example.

Is cyberbullying the same as cyber violence?

Cyber violence appears to be short for “cyber violence against women and girls (VAWG)”. It is a term used to describe violent online behaviors aimed specifically at women and girls. Usually, they are victims of domestic abuse done to them by a former or current partner.

According to UNESCO (United Nations Educational, Scientific and Cultural Organization) [PDF], “Violent online behaviour ranges from online harassment and public shaming to the desire to inflict physical harm including sexual assaults, murders and induced suicides.”

In UNESCO’s eyes, the tragic case of Amanda Todd, the 15-year-old Canadian teen who committed suicide after posting an emotional video on YouTube about the bullying she had suffered at the hands of a pedophile, is a crime rooted in cyber violence.

Is cyberbullying illegal?

All US states have some form of law that covers or addresses bullying behavior. You can learn and explore more about this by visiting Cyberbullying Research Center’s Bullying Laws Across America map.

How do you report cyberbullying?

Reporting an individual or a group for cyberbullying is a way for online harassment to stop.

If you or someone you know is experiencing negative behavior that could escalate to cyberbullying, let a trusted adult know. Take evidence of the online bullying, such as screenshots, and keep it in a secure place. If the platform where the bullying takes place allows it, block the bully.

You can also reach out to the websites and platforms where the bullying is taking place. The Cyberbullying Research Center has a huge list of contact details that direct you to the right place for reporting bullying on a wide variety of different platforms, including social media sites and games.

If you’re anywhere in the US or Canada, remember that you have the Crisis Text Line where you can reach a Crisis Counselor at any time, 24/7. Simply text HOME to 741-741. This free support can also be reached via WhatsApp at 443-SUPPORT. Additionally, residents in Canada can also contact Kids Help Phone by texting CONNECT to 686-868.

Residents in the UK and Ireland can text SHOUT to 85-258 and HELLO to 50-808, respectively.

The post Cyberbullying 101: A Primer for kids, teens, and parents appeared first on Malwarebytes Labs.

VPN Test: How to check if your VPN is working or not

The primary function of a Virtual Private Network (VPN) is to enhance your online privacy and security. It should do this without slowing your Internet too noticeably. Performing a VPN test or two can help you ensure that it’s up to the mark.

VPN privacy test

Your Internet Service Provider (ISP) assigns a unique IP address to your router, the device that connects the computers, phones, and tablets in your house to the Internet. Every device in your home that connects through that router uses its IP address on the Internet. The IP address is allocated from a pool of addresses your ISP controls, so it can change from time to time, but it probably doesn’t change very often.

IP addresses are necessary for getting your Internet traffic to the right place, and getting the responses back to you, but they have a couple of drawbacks:

  • They are allocated geographically, so they can be used for a form of crude geolocation.
  • Because you have to tell all the websites and services you use what your IP address is, it can be used by advertising and tracking services to track you across the web, either on its own or as part of a fingerprint.

When you use a VPN, you create an encrypted tunnel between your computer and your VPN provider, and then join the Internet from one of your VPN provider’s computers. This protects your privacy in a few different ways.

  • Because your connection joins the Internet from your VPN provider, you use an IP address assigned by your VPN provider, rather than your router’s, on the Internet.
  • The encrypted tunnel between you and your VPN provider stops your ISP, rogue Wi-Fi hotspots or other interlopers snooping on your traffic. In particular it stops them looking at your DNS traffic, which can reveal which websites you’re visiting.

VPN leaks

Part of a VPN’s privacy protection comes from hiding your real IP address, so it’s important to understand that IP addresses can “leak”. You can leak your IP address via DNS if your DNS traffic passes through the encrypted tunnel where your ISP can’t see it, exits your VPN, and then goes back to your ISP’s DNS servers for resolution.

You can also leak your IP address via WebRTC, a real-time communication protocol your web browser uses for things like video calls.

An IP leak is rare on a reputable and secure VPN service because the best VPN companies have workarounds to reduce their likelihood. Please avoid free VPNs. Your privacy is often not their priority.

Checking for basic IP address leaks

  1. Ensure that your VPN is disconnected and visit a search engine like DuckDuckGo. Type “what is my IP address.” Hit enter and then note down your IP address.
  2. Launch your VPN client and connect to a VPN server. Double-check to see that you’re connected and note down the IP address the VPN has given you (if it tells you).
  3. Repeat step one and note down what your IP address is now. If your IP address hasn’t changed from step one, your IP address is not being masked. If it matches the one you picked in step two, your IP address is being masked.

Testing for DNS and WebRTC leaks

Even if your VPN passes the basic IP leak test, you should run tests for DNS and WebRTC leaks. You can test for IP address leaks via DNS on websites like DNSLeakTest or DNSLeak. You can test for IP leaks via WebRTC on websites like browserleaks.com. You may have to disable WebRTC to stop the leak.

The post VPN Test: How to check if your VPN is working or not appeared first on Malwarebytes Labs.

Crypto-scams you should be steering clear of in 2021

A fair few cryptocurrency scams have been doing the rounds across 2021. Most of them are similar if not identical to tactics used in previous years with an occasional twist. Here’s some of the most visible ones you should be steering clear of.

Recovery code theft

Many Bitcoin wallets make use of something called recovery codes. These are, as the name suggests, codes allowing you to regain access to wallets you’ve locked yourself out of. These are the last roll of the dice for anyone unable to view their funds, and not a situation people would wish to find themselves in. As a result, they’re a fantastic target for scammers wanting to do some wallet plundering.

One of the sneakiest ways to grab a code is to jump into customer support discussions on social media. Scammers set up fake customer support style accounts, then direct potential victims to phishing pages hosted elsewhere. If you lose a recovery code or its equivalent in this manner, it’s almost certainly gone for good. Always ensure the entity you’re talking to is:

  • The official support channel and
  • you haven’t inadvertently started talking to someone else entirely.

By doing this, your digital funds should be kept safe from this technique.

Fake Elon Musk cryptocurrency scams

Another social media shenanigan involving cryptocurrency? You bet. This tactic involves stealing verified Twitter accounts, making them resemble Elon Musk, and then spamming bogus Bitcoin offers in replies to viral tweets.

This has been happening for quite some time now, and refuses to go away. It’s not pocket change, either. The FTC estimates at least $2 million has been stolen from cryptocurrency investors. It’s not just happening on Twitter, either. Rogue SpaceX crypto scams were doing the rounds back in June of this year.

If in doubt, remember that Elon is not going to make you rich beyond your wildest dreams with Bitcoin.

Covert container mining

This one is a bit more technical than most, and relies on bad things happening behind the scenes. There’s no direct social engineering aspect, because that’d give the game away.

If you’re a developer working on a project, it’s common to make use of pre-made code libraries. There are all kinds of ways to give your project a leg up, but one of the most popular is Docker. Docker bundles up all the things your project needs (including operating systems, applications, and other people’s projects it depends upon) in a “container”, a self-contained, portable environment. Because why write code if somebody’s already written it for you?

Turns out this area of work wasn’t safe from crypto-antics either. Rogue mining images involved in cloud-based mining attacks were discovered sitting on Docker Hub. The images contained software people might want to include in their Docker project, along with a cryptominer that would churn away in the background, making cryptocoins for somebody else at your expense.

This is a tricky one to avoid, but you can make a start by checking the list of image names that could indicate bad files here. 30 malicious images downloaded roughly 20 million times(!) equals an awful lot of potential mining activity taking place.

419 crypto scam

Advance fee fraud scams involve sending dubious chunks of cash to / from a victim’s bank account. The money vanishes without trace, and the victim becomes a money mule, and is left carrying the blame.

We recently saw a mail along these lines. Nothing new there. However, this one asks victims to install a wallet app and transfer funds. This is not something you want to be doing. The scammers want people to get in touch on WhatsApp, where they may well ask for additional personal information. This could easily be used elsewhere in other scams.

Conclusion

There’s many more crypto-scams waiting in the wings, but these are the ones we tend to see the most of. Give yourself a head start and learn to spot the signs of attempted compromise out there in the wild. Your digital wallet will thank you for it.

The post Crypto-scams you should be steering clear of in 2021 appeared first on Malwarebytes Labs.

Microsoft’s PrintNightmare continues, shrugs off Patch Tuesday fixes

I doubt if there has ever been a more appropriate nickname for a vulnerable service than PrintNightmare. There must be a whole host of people in Redmond having nightmares about the Windows Print Spooler service by now.

PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a vulnerable machine a malicious printer driver. The problem was made worse by confusion around whether PrintNightmare was a known, patched problem or an entirely new problem. In the end it turned out to be a bit of both.

What happened?

In June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as CVE-2021-1675. At first it was classified as an elevation of privilege (EoP) vulnerability, which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch, Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.

In a rush to be the first to publish a proof-of-concept (PoC), researchers published a write-up and a demo exploit to demonstrate the vulnerability, only to find out they had alerted the world to a new 0-day vulnerability by accident. This vulnerability, listed as CVE-2021-34527, was introduced under the name PrintNightmare.

Ominously, the researchers behind PrintNightmare predicted that the Print Spooler, which has seen its fair share of problems in the past, would be a fertile ground for further discoveries.

At the beginning of July, Microsoft issued a set of out-of-band patches to fix this Windows Print Spooler RCE vulnerability. Soon enough, several researchers figured out that local privilege escalation (LPE) still worked. This means that threat actors and already active malware can still exploit the vulnerability to gain SYSTEM privileges. In a demo, Benjamin Delpy showed that the update failed to fix vulnerable systems that use certain settings for a feature called Point and Print, which makes it easier for network users to obtain the printer drivers they need.

On July 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-04, “Mitigate Windows Print Spooler Service Vulnerability” because it became aware of multiple threat actors exploiting PrintNightmare.

Also in July, CrowdStrike identified Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims.

An end to the nightmare?

In the August 10 Patch Tuesday update, the Print Spooler service was subject to yet more patching, and Microsoft said that this time its patch should address all publicly documented security problems with the service.

In an unusual breaking change, one part of the update made admin rights required before using the Windows Point and Print feature.

Just one day later

On August 11, Microsoft released information about CVE-2021-36958, yet another 0-day that allows local attackers to gain SYSTEM privileges on a computer. Again, it was security researcher Benjamin Delpy who demonstrated the vulnerability, showing that threat actors can still gain SYSTEM privileges simply by connecting to a remote print server.

Mitigation

The workaround offered by Microsoft is stopping and disabling the Print Spooler service, although at this point you may be seriously considering a revival of the paperless office idea. So:

  • Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling it may not be enough.
  • For the systems that do need the Print Spooler service to be running, make sure they are not exposed to the Internet.
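As an added example (not part of the Malwarebytes post), here is a PowerShell snippet that applies and verifies the first mitigation: it stops the Print Spooler, sets its start type to Disabled so that a merely stopped service does not quietly come back, and reports which hosts still have it live. It assumes an elevated session and, for the remote report, WinRM access and admin rights on the named hosts; the host names are placeholders.

```powershell
# Added example, not from the original post: apply and verify the
# "disable the Print Spooler" mitigation. Assumes an elevated session.

function Disable-PrintSpooler {
    # Stop the service if it is running, then prevent it from starting again.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    # Stopping alone is not enough: the service comes back on reboot or on
    # demand. Setting the start type to Disabled is what actually closes it.
    Set-Service -Name Spooler -StartupType Disabled
}

function Test-PrintSpoolerMitigated {
    # Report whether the Spooler is both stopped and disabled on this host.
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Status       = $svc.Status
        StartType    = $svc.StartType   # present in Windows PowerShell 5.0+
        Mitigated    = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
}

function Get-PrintSpoolerReport {
    # Run the check over a list of hosts (assumed: WinRM enabled and admin
    # rights on each) to find machines where the Spooler is still live.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName `
                   -ScriptBlock ${function:Test-PrintSpoolerMitigated} |
        Select-Object ComputerName, Status, StartType, Mitigated
}

# Usage on the local host:
Disable-PrintSpooler
Test-PrintSpoolerMitigated

# Usage across hosts (placeholder names), listing only the unmitigated ones:
# Get-PrintSpoolerReport -ComputerName 'HOST1','HOST2' | Where-Object { -not $_.Mitigated }
```

Hosts that genuinely need the Spooler will show Mitigated = False; for those, the second bullet applies and the check doubles as an inventory of where the service is still exposed.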

Microsoft says it is investigating the vulnerability and working on (yet another) security update.

Like I said yesterday: To be continued.

The post Microsoft’s PrintNightmare continues, shrugs off Patch Tuesday fixes appeared first on Malwarebytes Labs.

Thief pulls off colossal, $600m crypto-robbery …and gives the money back

The largest crypto-robbery in history is rapidly turning into the most bizarre as well. Let’s start at the beginning…

In an apparent scream for mercy, 21 hours ago the Poly Network Team reached out via Twitter to “hacker(s)” that had managed to transfer roughly $600 million in digital tokens out of its control and into separate cryptocurrency wallets.

It alerted the world to what looks like the biggest crypto-heist in history, dwarfing even the landmark Mt. Gox theft in 2014.

Dear Hacker,

We are the Poly Network team.

We want to establish communication with you and urge you to return the hacked assets.

The amount of money you hacked is the biggest one in the defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole is from tens of thousands of crypto community members, hence the people.

You should talk to us to work out a solution.

Poly Network Team

Poly Network describes itself as a project to “implement interoperability between multiple chains” and says it has already integrated Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa, Binance Smart Chain, Switcheo, and Huobi ECO Chain. What really matters though, is that underneath all that, it’s a website users can connect their cryptocurrency wallets to. Something that makes both legitimate trading and theft much easier.

Insecure code

As with any exchange-type robbery (and there are many, and they are frequent) there are screams about inside jobs. The Poly Network team says hackers have exploited a vulnerability in its system to steal about $267m of Ether currency, $252m of Binance coins, and roughly $85 million in USDC tokens. According to Poly Network, a preliminary investigation found a hacker exploited a “vulnerability between contract calls” (contracts are code stored on blockchains).

Not long after the heist, SlowMist published a post on Medium explaining the vulnerability. Cutting to the chase, the important part of the analysis is this bit: “After replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract.” In other words, the Poly Network code had a bug that allowed attackers to make themselves the owner of other people’s money.

Freezing accounts

Poly Network has blocklisted the addresses the cryptocurrency was transferred into. It said it is also working with its partners to freeze the hackers’ accounts. This is a step that can make it harder for the thieves to use stolen money. Cryptocurrency payments are pseudonymous but they are not private: every transaction is traceable, and if everyone agrees not to trade with blocklisted accounts they are essentially frozen.

Making it impossible for the thieves to move the stolen cryptocurrency would certainly make them more amenable to negotiation. After all, what is your full bank account worth if you can never hope to spend the money?

A rough time for cryptocurrencies

Like any technology, cryptocurrencies are neutral, neither intrinsically good nor bad, but they do have a way of attracting bad news. Poorly-secured exchanges, exit scams, pump-and-dump scams, inside jobs, and colossal thefts are part of the furniture. Cryptocurrencies are also popular for tax evasion and, of course, an essential part of the recent boom in ransomware.

Recently, we have seen a call to action from governments that want more oversight and control over cryptocurrencies. Their concern isn’t following where the money goes (that’s easy) but linking real identities to the anonymous IDs used in blockchain transactions.

Among those contributing to the mood music that “something must be done” about cryptocurrencies, the US Senate is getting ready to vote on a bipartisan infrastructure package, which would impose more federal regulation on cryptocurrencies; the director of the Dutch economic advisory Centraal Planbureau (CPB) has argued that all cryptocurrencies should be banned; Turkey has banned cryptocurrencies as a legal form of payment; India is considering whether to make the mining and possession of cryptocurrencies illegal; and China has banned initial coin offerings and announced a crackdown on Bitcoin mining and trading.

Listening to the plea?

Poly Network provided the hacker with three addresses and, it seems, the hackers have been busy returning some funds. At the time of writing they had returned less than 1 percent of the money.

You should be able to follow the developments in this thread on Twitter.

Update 11 August, 15:10 UTC. It gets weirder

Elliptic reports that the crypto-robber has now returned $258 million worth of cryptocurrency, suggesting that the crypto-robber may be serious about returning all the stolen money.

Negotiations between Poly Network and the thief started early and appear to be going well. Communicating via metadata on Ether transactions, the thief declared early on (about 12 hours ago) they were “NOT SO INTERESTED IN MONEY, NOW CONSIDERING RETURNING SOME TOKENS”.

[Image] The hacker sends a message to Poly Network in Ether metadata.

In response, Poly Network offered an undisclosed “security bounty”, and dangled the carrot of notoriety, saying: “We want to offer a security bounty and we hope it will be remembered as the biggest white hat hack in the history.”

Seeming to prefer the role of hero over villain, the thief replied “IT’S ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD”.

As if that wasn’t weird enough, in a further bizarre twist, the thief has also declared they are taking donations, should anyone wish to thank them for returning all the money, or finding the bug, or something.

The post Thief pulls off colossal, $600m crypto-robbery …and gives the money back appeared first on Malwarebytes Labs.