IT NEWS

Last week on Malwarebytes Labs

• Apple delays plans to search devices for child abuse imagery.
• ProtonMail hands user’s IP address and device info to police, showing the limits of private email.
• Patch now! Netgear fixes serious smart switch vulnerabilities.
• Tor vs VPN—What is the difference?
• Windows MSHTML zero-day actively exploited, mitigations required.
• Sextortion on the rise, warns FBI.
• 500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords.
• Gamers beware: The risks of Real Money Trading (RMT) explained.
• Facebook puts on Ray-Bans, struts into the privacy minefield of smart glasses.
• That’s the way the cookie banner crumbles?

Other cybersecurity news

• The capricious relationship between technology and democracy, an analysys of public policy discussions in the UK and US. (Source: Wiley Online Library)
• How can we use technology to weed out online disinformation? (Source: TheStar)
• Germany wants smartphones to get seven years of updates. (Source: Fossbytes)
• Ragnar Locker gang warns victims not to call the FBI. (Source: ThreatPost)
• Apple pays hackers six figures to find bugs in its software and then it sits on their findings. (Source: Washington Post)
• The OpenSSL Software Foundation released a completely refreshed version of its software. (Source: DarkReading)
• Google published the Android Security Bulletin for September 2021 with patches for a total of 40 vulnerabilities, including seven that are rated critical. (Source: SecurityWeek)
• CISA Warns of actively exploited Zoho ManageEngine ADSelfService vulnerability. (Source: The Hacker News)
• Microsoft has fixed a vulnerability in Azure Container Instances called Azurescape. (Source: Bleeping Computer)
• LAPD documents reveal use of social media monitoring tools. (Source: Brennan Center)

Stay safe, everyone!

The post A week in security (Sept 6 – Sept 12) appeared first on Malwarebytes Labs.

A recent spate of ransomware attacks in the US and abroad have derailed major corporations, spurring a fuel shortage on the US East Coast, shuttering grocery stores in Sweden, and sending students home from grade schools. The solution, so many cybersecurity experts say, is to implement backups, which are additional copies of vital data, databases, and networks so that, even if a ransomware attack takes root, an organization can recover quickly with a second set of safe, unencrypted data.

But if backups are so useful, why aren’t they visibly working?

In June, the meat supplier JBS was hit by ransomware and despite the company having backups in place, it still paid the attackers $11 million for a decryption key. And Northshore School District in Washington State, which suffered a ransomware attack years ago, also had backups in place, but those backups were improperly configured, providing little value to the district during its cyber emergency.

Today, on the Malwarebytes podcast Lock and Code, host David Ruiz speaks with Matt Crape, technical account manager for VMware, about why backups are so hard to get right, and what the most basic missteps are when companies roll out a backup plan.

“At the end of the day, though, unfortunately, a lot of folks likely won’t realize how important backups are until they need them, and you’re usually not in a very good situation at that point.”

Matt Crape

Tune in to learn about backup complexity, common backup pitfalls, and why backups are not just a “set-it-and-forget-it” solution to today’s thorniest cybersecurity problem.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Backups are not a simple ransomware defense, with Matt Crape: Lock and Code S02E17 appeared first on Malwarebytes Labs.

This blog post was authored by Jérôme Segura

During the past couple of years online shopping has continued to increase at a rapid pace. In a recent survey done by Qubit, 70.7% of shoppers said they increased their online shopping frequency compared to before COVID-19.

Criminals gravitate towards opportunities, and these trends have made digital skimming attacks such as Magecart all the more profitable.

To protect our customers, we need to constantly look out for novel attacks. Having said that, we sometimes need to check for past ones too. In fact, many threat actors will reuse certain patterns or resources which allows us to make connections with previous incidents.

One Magecart group that has left a substantial amount of bread crumbs from their skimming activity has been documented under various names (Group 8, CoffeMokko, Keeper, FBseo). It is believed to be one of the older threat actors in the digital skimming space.

In this blog post, we publish a number of connections within their infrastructure usage that we’ve been able to uncover by cross-referencing several data sources.

Reconnecting with Magecart Group 8

In a recent article, RiskIQ researchers unravelled a large part of the infrastructure used by Magecart Group 8 and how they migrated to different hosts in particular Flowspec and OVH over time.

We had been looking at Group 8 also, but starting from a different angle. Back in June we were checking skimmer code that looked somewhat different than anything we could categorize. We didn’t think much of it until in July Eric Brandel tweeted about a skimmer he called ‘checkcheck’ that was using some interesting new features and was essentially the same thing we had found.

After some additional research we noticed that some parts of the code were unique but not new. In particular the exfiltration of credit card data was using a string swapping function identical to the one used by the ‘CoffeMokko‘ family described by Group-IB. In their blog, they mention some overlap with the original Group 1 (RiskIQ) that was eventually merged into what is now Group 8.

From there, we were reacquainted with a threat group that we had not seen in a while but that had been busy. There were a number of domain names that were new to us. We rapidly got down a rabbit hole and lost track of the big picture. However, the blog from RiskIQ helped to put some perspective on one part of the infrastructure that we referred to as Flowspec – OVH.

Most of the domains and IP addresses have already been covered by RiskIQ. However we were to create some mapping that showed some interesting historical connections between well-known past campaigns. In Part 1, we will explore those links.

We had also uncovered another large part of infrastructure while reporting our findings on ‘checkcheck’ to Eric Brandel. Then in August, Denis tweeted about some of those domains which interestingly are old but somehow managed to stay low for a long time. We will review those in Part 2.

Part 1: Flowspec and OVH

The RiskIQ article describes this part of the infrastructure in great details. We will review some connecting points that allowed us to rediscover older campaigns. Flowspec is a known bulletproof hosting service that has been used beyond just skimmers, but also for phishing, ransomware and other malware.

[1] The domain safeprocessor[.]com was hosted at 176.121.14[.]103 (Flowspec) and 178.33.231[.]184 (OVH). It was listed in the indicators of compromise (IOCs) from Gemini Advisory’s “Keeper” Magecart Group Infects 570 Sites blog post. On the same OVH IP is the domain foodandcot[.]com listed in the IOCs section for Group-IB’s Meet the JS-Sniffers 4: CoffeMokko Family.

[2] scriptopia[.]net was also on 176.121.14[.]103 (Flowspec) and 178.33.71[.]232 (OVH). The domain was spotted by Dmitry Bestuzhev on the website for a Chilean wine. Other domains on that IP were also caught by Rommel.

[3] mirasvit[.]net shares the same registrant as scriptopia[.]net. It was hosted at 194.87.144[.]10 and 176.121.14[.]143 (Flowspec). That IP address came across Denis’ radar in a tweet and was largely covered by RiskIQ.

[4] shourve[.]com shares the same registrant as the other skimmer domains hosted at 178.33.71[.]232. It was hosted at 5.135.247[.]142. On that same IP is adaptivestyles[.]com which shared the same registrant as scriptopia[.]net, and fileskeeper[.]org from which Gemini Advisory derived the name of their blog post.

[5] stairany[.]com hosted at 5.135.247[.]141 (OVH) appeared in a report by CSIS Group. Another domain on that IP address is clipboardplugin[.]com which was mentioned by Félix Aimé along with a screenshot of a carding website.

[6] csjquery[.]com shares the same registrant as stairany[.]com and is hosted at 169.239.129[.]35 (ZAPPIE-HOST). On that IP are hundreds of carding sites.

[7] zoplm[.]com hosted at 37.59.47[.]208 (OVH) and 51.83.209[.]11 (OVH) shares the same registrant as cigarpaqe[.]com and fleldsupply[.]com mentioned in our blog using Homoglyph domains.

[8] 176.121.14[.]189 (Flowspec) was covered by RiskIQ for its number of skimmer domains that later moved to Velia.net hosting.

Part 2: ICME and Crex Fex Pex

This bit of infrastructure was interesting because it tied back to activity we saw from domains like jquery[.]su. This was actually the starting point of our investigation, which eventually led to Part 1: Flowspec and OVH and back to Group 8.

Crex Fex Pex (Крекс-фекс-пекс) refers to a Russian play with a character that looks like Pinocchio. However in our case it is a bulletproof hoster that has seen significant skimmer activity.

[1] gstaticx[.]com was hosted at 217.8.117[.]166 (Crex Fex Pex) and 185.246.130[.]169 (ICME). We can see a recent compromise here, and the skimmer (which uses that character swapping function) in particular here.

[2] googletagnamager[.]com hosted at 217.8.117[.]141 (Crex Fex Pex) shared the same registrant as gstaticx[.]com. Interestingly, one version of this skimmer from googletagnamager[.]com/ki/x19.js loaded JavaScript from jquery[.]su.

We can find a similar path structure at jquery[.]su/ki/x2.js which also references the same min-1.12.4.js script. A version of this script can be seen here (capture).

[3] The domain jquery[.]su was registered by alexander.colmakov2017@yandex[.]ru. The same email address was used to register serversoftwarebase[.]com which is connected to brute force attacks against various CMS. In that blog post, we mention googletagmanager[.]eu hosted at 185.68.93[.]22 which is associated with a campaign against MySQL/Adminer.

[4] googletagmanages[.]com has the same registrant as googletagnamager[.]com. contrary to the other domains we’ve seen so far, this one is on Amazon. Reviewing the IP addresses which hosted it (AS14618-Amazon), we find hundreds of typosquat domains for skimming (see IOCs section for list). It seems though that most were not used, perhaps just kept for a rainy day.

Digital skimming artifacts

While checking this infrastructure we came across a number of artifacts related to web skimming activity including webshells, panels, and other tools. With such a sprawling network, it’s not hard to imagine that the criminals themselves may have a tough time keeping track of everything they have.

Tracking digital skimmers is a time consuming effort where one might easily get lost in the noise. Criminals are constantly setting up new servers and moving things around. In addition, with the help of bulletproof services, they make it difficult to disrupt their infrastructure.

However we and many researchers regularly publish information that helps to identify and block new domains and IP addresses. We also work with law enforcement and have reported many of these artifacts, in particular the stolen customer data. Finally, we also notify merchants although too many are still unaware of this threat and lack the proper contact details.

Malwarebytes customers are protected against digital skimmers thanks to the web protection module available in our consumer and enterprise products.

Indicators of Compromise (IOCs)

Skimmer domains

Related IP addresses

Typosquat

The post The many tentacles of Magecart Group 8 appeared first on Malwarebytes Labs.

Any game with an online component can be at risk from a practice known as Real Money Trading (RMT), where in-game items, artefacts, characters and the like are sold for real money. It’s a big problem for developers, especially in competitive and / or massively multiplayer online role-playing game (MMORPG) circles. Some games even explicitly allow you to report it as a prohibited in-game activity.

One major developer recently took sustained action against this practice, so we thought we’d take the time to explain what is it, and why it’s such a big deal.

Real Money Trading

RMT generally falls into two distinct camps: Power-levelling, and in-game item or currency purchases. Messages related to RMT sites are spammed across in-game chat, and also directly to other players if the game allows it. Sometimes games restrict what new accounts can do, so scammers find that hijacked accounts with more permissions are useful for this activity.

Here’s some examples we’ve seen in Final Fantasy 14. Note that one doesn’t place a link into the chat directly. Instead, they tell gamers to search for a specific phrase. This will likely be an attempt to avoid tripping spam filters.

Power levelling

This is very common in MMORPG circles. It’s in the game’s interest to keep you playing as long as possible. This is especially true if the game comes with any kind of monthly / yearly subscription. Once the content is fully exhausted, people will naturally move on to other things. A few of the biggest titles have been around for a decade or more. They contain so many activities and pieces of gated content, you could essentially play them forever. Even so, some people want to rush as fast as they can to what they consider late-game “good stuff”.

RMT gives them an alternative to grinding out hundreds of hours levelling up. After all, why do it yourself when you can pay real money to somebody else and they’ll do it for you, right? It’s a bit like passing your friend the controller when you can’t get past a level in Super Mario, except you’re handing your friend a pile of money and also breaking a bunch of terms and conditions. So, not really like that at all.

Item, account, and currency buying and selling

Real money trading of in-game currency involves third-party services that act as a broker for selling your rare items to other players, for real money, outside the game. People will also do this to buy large chunks of in-game fictitious currency with real money via RMT websites. Once the payment goes through, the player will find the money in their gaming account via whatever method the RMT site operates by.

Inflation risk

This is a hotly-debated topic, but generally folks seem to think that RMT causes some inflation in gaming currencies over the short term, if not the long term. A lot of RMT activities involve the use of bots (computer programs that play in place of humans), cheats, and hacks. This gives rise to piles of illegitimately-generated money floating around the gaming environment.

The use of bots also often denies other players the ability to harvest materials found in the game world. If four bots spawn in at a resource location, harvest everything in sight in seconds and then vanish, it’s problem time. Legitimate players can’t generate real virtual currency, they’re denied materials they need to craft and/or progress in the game, and they can’t buy or sell on the in-game marketplace as a result.

When all the resources, and all of the money is going to RMT, that’s a recipe for killing off a title.

Security implications

Some of these RMT services are very slick. You could be assigned one specific player who’ll follow the exact steps / levelling requirements you give them. You can set up calendars so they’ll log out at specific times and let you play for a while before handing control back. A few will simply take your money and run, but that’s the price you (may) pay.

Make no mistake, sites offering RMT services know they’re not supposed to be doing it. They’ll even tell you as much before you sign up for anything.

Alongside the risk of being kicked off the game you like, using an RMT service is also comes with security risks too, if you have to share your login credentials with them. The second you share a password with somebody else, you lose control of it, and you lose control over decisions about who else it’s shared with and how it’s stored.

Some provide security reassurance and tips. They may promise not to leak your details, though they don’t say where or how they’re stored. Some will advise you to change your login once the service is complete, which is at least nice of them. A lot of MMORPG titles plagued by these services offer multi-factor authentication (MFA) or similar. One presumes that RMT services make arrangements for you to send them the short-lived MFA codes in real time and then login to the game platform.

This would make the whole arrangement quite an endeavour. Final Fantasy 14 will save your username, but not your password, in its launch client. You also have to punch in your OTP code—assuming you have it enabled—every single time you load the game up.

How much money do these sites make?

It varies. One site we saw offered multiple forms of powerlevelling / item harvesting in Final Fantasy 14. A high end set of armour was estimated to take 2 days to grind out, at a cost of $399.99. We saw an offer on certain types of weapon for a cool $699.99 over 7 days. The biggest time investment / cost we saw was for a whistle. We assume it’s to summon…something. How much?

A little over $2,600, covering a solid month of playing.

That’s one impressive whistle.

What can developers stop RMT?

It’s a tough one, and bad activities will always slip through the cracks.

1. Limit the abilities of low-level characters. Developers have to balance out restrictions carefully. If a “solution” hinders a new player more than an RMT operation, it’s not worth it. You can prevent spammers from being able to shout to those around them to prevent chat spam. However, this means low-level characters in need of assistance can no longer call for help on the map. They’ll probably just get frustrated and not come back to the game.

   A more reasonable suggestion is to keep shouts, but prevent new / low-level characters from whispering (sending direct messages) to other gamers. This will reduce the risk of hidden spam / phishing attacks. On the other hand, this could interfere with other essential systems such as trading. Not an easy problem to solve!

2. Dedicated teams shutting down RMT activities are a boon for game developers. If you want to see how seriously Square Enix takes this, check out their news update page. Wall to wall takedowns of RMT accounts. The last three updates alone report a total of 10,539 accounts terminated for RMT antics, with more taken down for advertising. This is an astonishing number, and you have to consider they may have missed a few.

What are the dangers to gamers from RMT activities?

1. Account bans. Nobody wants to lose access to accounts with hundreds or even thousands of dollars sunk into them. It’s pretty easy for the RMT groups to pick up some cheap accounts in games. Not so easy for regular people to start from scratch. If the game is tied to a gaming platform such as Steam, they may have to set up a second Steam account to get back into the action. This is a lot of hassle for one game.
2. Account lost. If you purchase an account from somebody else, it doesn’t actually belong to you, and that person can reclaim it at any time. If enough people start saying “that account is mine” after some pass-it-around activity, the vendor will just shrug and close it. Sorry everyone, the only winner here would be the developers.
3. Account compromise. We’ll go back to the incredibly popular Final Fantasy 14 as an example. Spam messages will typically claim important information has been posted to the forum. It could be a fake missive about updates, as per the linked discussion. Either way, scammers direct victims to fake FF14 portals. These sites also ask for MFA codes. There’s likely some automation involved to punch these short-lived digits into the real site along with the stolen password. Nobody is sitting at the other end waiting to do it in real time 24/7. (Or perhaps they are?)
4. Loss of money. Remember, you have no real idea who you’re paying, and hundreds of dollars going AWOL isn’t unusual.
5. Enabling crime. You could be. As Lineage 2 developers NCSOFT explain, “in-game currency for sale most often comes from stolen accounts and other internet fraud”.

Conclusion

If you see a tempting message drift by in a public chat, don’t reply. Report it. At best you’ll waste time and money on dubious websites offering services they freely admit aren’t allowed. At worst, your accounts may be shut down and you could wind up being phished, hacked, or talking to law enforcement about goods supplied with stolen credit cards.

It simply isn’t worth the risk.

The post Gamers beware: The risks of Real Money Trading (RMT) explained appeared first on Malwarebytes Labs.

Facebook, neck-deep in virtual / augmented reality with the Oculus headset, continues to move things up a gear. It’s announced “Ray-Ban stories”, smart glasses which take video and photos. The company may yet go one step further and incorporate these features into Augmented Reality (AR) specs which a Facebook rep said were in development.

Hold my beer

Facebook’s decision to enter the smart glass market is remarkable considering what’s come before. About ten years ago, another tech giant with a similarly-tarnished reputation for gathering personal data tried it with Google Glass. This was the first mainstream attempt to put glasses with cameras on our heads. It didn’t work. Famously.

There were a few reasons for this, but cost, average ability at everything rather than standout ability in something, and privacy concerns helped tipped the scales against it. Nobody wants to be recorded in secret, and many companies didn’t want their events or offerings recorded either. Google Glass received bans from movie theatres, sports arenas, hospitals, and strip clubs, amongst others. Some bars, cafes, and restaurants sprouted warning signs telling customers-who may-or-may-not-be-recording everything that Glass wasn’t welcome. The bans created headlines. Wearers were occasionally attacked. The insult “glasshole” was born.

The distinctive look of Glass may not have helped. It’s possible the moment you see someone wearing them, you’d assume you’re at risk of being filmed or photographed. Even if the wearer was completely innocent, the simple sight of the things was enough for some.

Nobody wants their product appearing in “places you’ve been banned from” articles. Safety considerations related to activities like driving also did not help.

It’s incredible to think this tech appeared way back in 2013. The world of smart glasses has moved on since then. We have Snap Spectacles out in the wild, and I can still recall Instaglasses without knowing if they ever made it to production.

And now…at last…we have Facebook in tandem with Ray-Ban.

Is the privacy issue overblown?

As you’ll see from the video in the BBC article linked at the beginning of this article, both the presenter and Facebook rep dive into the privacy angle. “Can people film me without me knowing about it?” is absolutely a valid question. I have to admit, I’m not completely sold on the response.

From the presenter:

“If someone’s inclined to take hidden camera footage in a changing room, they can do that with their phone already. They don’t need to spend $300 on a pair of glasses”.

Even so, there is an admission that the glasses could be more overt about what they’re doing. Also: Is someone more likely to take hidden footage in a changing room with an incredibly obvious phone, or a pair of recording glasses that look exactly like regular glasses? Is it not incredibly suspicious the moment someone tries to get a phone out in that situation, no matter how discreetly?

The Facebook rep builds on this answer later in the video, claiming it’s put a fair bit of thought into this problem. He says the glasses are “quite a bit more overt” than what people are doing with their phone, focusing on visible LEDs and explicit hand gestures to take a photo or start recording. In practice, how well will this work? You’re probably not going to notice an LED on someone’s face embedded in a pair of glasses. How close do you have to be to see it? Is this practical in a crowd of people in a busy street?

Additionally, surely someone up to no good will simply enable recording away from prying eyes and then begin to film anybody who didn’t see the gesture. Or put tape over the LED. I don’t think these are particularly strong arguments. As with most things, they’re easily bypassed and not something I’d consider to be that helpful overall.

More tech integration = more problems?

The really interesting part for me is if Facebook launch their promised AR smart glasses. Integration into the Facebook platform can bring problems for device owners.

Last year, Oculus users were faced with quite the headache. They now needed Facebook accounts to continue using their devices. This, despite an apparent promise to not go down the account-requirement road. It didn’t take long before lots of angry lockout-style posts appeared.

Oculus isn’t cheap. Whatever form the AR glasses take will also set you back a decent amount. Do we really need a situation where several real-world devices’ operability depend entirely on something not happening to a social media account?

My suspicion is no, we probably don’t. It may be this rather large Damocles-style effort hanging above a thin sliver of “your device works…for now” anxiety which is a bigger blow to Facebook than any concerns about privacy. For now, we’ll just have to wait and see.

The post Facebook puts on Ray-Bans, struts into the privacy minefield of smart glasses appeared first on Malwarebytes Labs.

Elizabeth Denham, current head of the Information Commissioner’s Office (ICO), the UK’s data protection watchdog and the organization tasked to ensure that businesses comply with the country’s strict data protection laws, is said to have met with her counterparts in the G7 nations on Tuesday to tackle the issue of cookie banners.

According to the BBC, during this online meet up, each member country “will raise a technological problem they believe can be solved with closer co-operation.” Denham has decided to put cookie banners—and by association, cookie fatigue—on the table.

“No single country can tackle this issue alone,” Ms. Denham has said in an official ICO statement.

However, instead of a sigh of relief, the sudden unearthing of this apparent age-old problem stirred criticism from several privacy advocates.

Cookie fatigue

Cookie fatigue is the result of having to read (or ignore), and then click on a cookie banner every time you use a new website. This is required by EU law and is designed to give users insight into, and control over, how and when a website records information about them. While doing this complies with law, the after-effect is that users grow “tired” of having to repeatedly confirm consent, according to Denham. Because of this, she had the idea of suggesting that users should be able to indicate levels of consent once, at the browser, application, or device level.

Not only will this stop cookie fatigue, but “people’s privacy is more meaningfully protected and businesses can provide a better web browsing experience.”

The strong suspicion is that people are simply selecting the “I agree” option whenever they’re presented with a cookie pop-up, without reading the fine print. This, then, causes Internet users to give more of their personal data away than they’d like.

“The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience,” Denham said in the statement.

“There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”, she said.

Cookie fatigue has been around for some time now. But, arguably, Denham’s solution for the cookie problem isn’t new either. It resembles the ill-fated “Do Not Track” (DNT) feature that almost made it into browsers several years ago. Natasha Lomas remarked in a TechCrunch article that Denham’s idea “could be called the idea that can’t die because it’s never truly lived—as earlier attempts at embedding user privacy preferences into browser settings were scuppered by lack of industry support.”

Malwarebytes Labs’ editor-in-chief disagrees with the comparison: “Do-not-track was certainly a victim of industry politics, but it’s hard to imagine how it would ever have worked—it was designed to fail. It was the technical equivalent of asking nicely, with no way of knowing if your tracking preferences had even been heard, nevermind complied with. There is no reason that a browser-based or app-based consent mechanism has to be based on such weak sauce. It was the implementation that failed, not the idea.”

GDPR

Lomas isn’t alone in her criticisms against the ICO. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties (ICCL) and former Chief Policy Officer (CPO) of Brave, called Denham’s idea “daft” in a tweet.

Because the UK is no longer in the EU it is free to diverge its privacy regulations from the EU’s General Data Protection Regulation (GDPR), and the nuisance of cookie banners is just one thing under consideration.

Ryan contends, as does Lomas, that the UK could have addressed the cookie pop-up problem before it left the EU and without leaving tearing up the GDPR.

Open Rights Group (ORG) Executive Director, Jim Killock, said that the ICO should be doing more.

“If the ICO wants to sort out cookie banners then it should follow its own conclusions and enforce the law,” Killock said. “We have waited for over two years now for the ICO to deal with this, and now they are asking the G7 to do their job for them. That is simply outrageous. We fully support their call for automated signals, but in the meantime they should enforce the law, which is their job.”

The post That’s the way the cookie banner crumbles? appeared first on Malwarebytes Labs.

A threat actor has leaked a list of almost 500,000 Fortinet VPN credentials, stolen from 87,000 vulnerable FortiGate SSL-VPN devices. The breach list provides raw access to organizations in 74 countries, including the USA, India, Taiwan, Italy, France, and Israel, with almost 3,000 US entities affected.

According to Fortinet the credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. Even if the devices have since been patched, if the passwords were not reset, they remain vulnerable.

CVE-2018-13379

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability in question provides an improper limitation of a pathname to a restricted directory in several Fortinet FortiOS and FortiProxy versions. The vulnerable SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP requests. Apparently the FortiOS system files also contained login credentials.

In April, CVE-2018-13379 was mentioned in a joint advisory from the NSA, CISA, and the FBI as one of five vulnerabilities widely used in on-going attacks by the Russian Foreign Intelligence Service (SVR). A patch for the vulnerability has been available since May 2019, but this patch has not been applied as widely as necessary.

The threat actor

The source, and the websites that leaked the information, make for an interesting story as well. The list of Fortinet credentials was leaked by someone going by the handle ‘Orange.’ Orange is also the administrator of the newly launched RAMP hacking forum, and a previous operator of the Babuk Ransomware operation.

After the announced retirement of the Babuk gang, Orange apparently went his own way and started RAMP. Orange is now involved in the Groove ransomware operation, which allegedly employs several former Babuk developers. The leak of Fortinet VPN SSL credentials was mirrored on the Groove leak website. Both posts lead to a file hosted on a Tor storage server known to be used by the Groove gang.

Ransomware leak sites are used to create some extra leverage over victim organizations. The ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.

Vulnerable security software

Organizations use Virtual Private Networks (VPNs) to provide remote access to their systems from the Internet. By design a VPN is remotely accessible so employees can reach them from anywhere, which also means that attackers can reach them from anywhere. And since VPNs provide access to an organization’s soft underbelly, a VPN that has a known vulnerability represents a high value target that’s easy to reach.

That makes swift patching an absolute necessity, but many organizations find this difficult, in part because VPNs are so important for remote working. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.

A leak of this type is serious since valid VPN credentials could allow threat actors to access a network to steal data, expand their access, and run ransomware or other malware.

In light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, followed by initiating an organization-wide password reset, warning that you may remain vulnerable post-upgrade if your users’ credentials were previously compromised.

The post 500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords appeared first on Malwarebytes Labs.

The pandemic saw a surge in sextortion cases in 2020. Fast forward 12 months, and the numbers continue to rise significantly.

This revelation came from the FBI Internet Crime Complaint Center (IC3). Until 31 July 2021, it had received over 16,000 sextortion complaints, with victims losing a combined $8M USD at least.

“Nearly half of these extortion victims were in the 20-39 age group,” according to the IC3 PSA, “Victims over 60 years comprised the third largest reporting age group, while victims under the age of 20 reported the fewest number of complaints.”

Let’s not forget that the FBI released a sextortion page in their official site for kids and teens back in 2015. Today, internet users under the age of 18 are continuously targeted and victimized by sextortion, too.

It all starts innocently…

The start of any online relationship is usually not malicious. The same is true for all sextortion cases. The victims recount the common story of meeting someone either on social media, a dating app, or a gaming site. From there, their new-found “friend” suggests that they move their conversation elsewhere, either via email, a voice-over-IP (VoIP) service like Skype, or other platforms that allow the sharing or exchange of media.

Then, after some time, their “friend”—who at this point may still be a complete stranger to the victim—suggests that to the victim that they send some sexually explicit media of themselves, either a still photo. Sometimes, they even suggest conducting their intimate moments over a live video call, which the attacker surreptitiously records. Once the victim complies and performs the act, the “friend” then becomes an extortionist, threatening the victim and demanding payment to stop the “friend” sharing the images with the victim’s contacts, friends, and family.

While there are genuine sextortion attacks that follow the script above, there are also many fake sextortion attacks that rely on their notoriety to scare people into paying money. In this case, an attacker sends a message to a stranger that falsely claims to have control over a device or email account they own.

That this simple social engineering tactic works is evident from countless email campaigns over several years, targeting users of both PC and Mac.

Protect against sextortion

To avoid sextortion, the FBI advises that people turn off electronic devices and webcams that aren’t being used; don’t open attachments from people they don’t know; and never send compromising images of themselves to anyone, ever. The last piece of advice will work, but we suspect that it’s probably culturally impossible by now, and it also opens the door for people who want to blame the victim (although that is not what the FBI is doing). While not taking compromising pictures is the only surefire guarantee that nobody can have compromising pictures of you, you are not to blame for having them used against you if you choose to.

In addition, we suggest you secure your online accounts using two-factor authentication (2FA) and a password manager. This won’t stop people using pictures that you’ve shared against you, but it makes it much harder for people to steal pictures and use them against you.

Stay safe!

The post Sextortion on the rise, warns FBI appeared first on Malwarebytes Labs.

Several researchers have independently reported a 0-day remote code execution vulnerability in MSHTML to Microsoft. The reason it was reported by several researchers probably lies in the fact that a limited number of attacks using this vulnerability have been identified, as per Microsoft’s security update.

Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

MSHTML is a software component used to render web pages on Windows. Although it’s most commonly associated with Internet Explorer, it is also used in other software including versions of Skype, Microsoft Outlook, Visual Studio, and others.

Malwarebytes, as shown lower in this article, blocks the related malicious powershell code execution.

CVE-2021-40444

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one has been assigned the designation CVE-2021-40444 and received a CVSS score of 8.8 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.

The Cybersecurity and Infrastructure Security Agency took to Twitter to encourage users and organizations to review Microsoft’s mitigations and workarounds to address CVE-2021-40444.

ActiveX

Because MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications however, use the MSHTML component to display web content in Office documents.

The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.

So, the attacker will have to trick the user into opening a malicious document. But we all know how good some attackers are at this.

Mitigation

At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.

• Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones.
• Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.

Despite the lack of a ready patch, all versions of Malwarebytes currently block this threat, as shown below. Malwarebytes also detects the eventual payload, Cobalt Strike, and has done so for years, meaning that even if a threat actor had disabled anti-exploit, then Cobalt Strike itself would still be detected.

Registry changes

Modifying the registry may create unforeseen results, so create a backup before you change it! It may also come in handy when you want to undo the changes at a later point.

To create a backup, open Regedit and drill down to the key you want to back up (if it exists):

HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones

Right click the key in the left side of the registry pane and select “Export”. Follow the prompts and save the created reg file with a name and in a location where you can easily find it.

To make the recommended changes, open a text file and paste in the following script. Make sure that all of the code box content is pasted into the text file!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones3]
"1001"=dword:00000003
"1004"=dword:00000003

Save the file with a .reg file extension. Right-click the file and select Merge. You’ll be prompted about adding the information to the registry, agree, and then reboot your machine.

Stay safe,everyone!

The post Windows MSHTML zero-day actively exploited, mitigations required appeared first on Malwarebytes Labs.

In a security advisory, NetGear has announced it has fixed three vulnerabilities in firmware updates for several network devices. Most of the affected products are smart switches, some of them with cloud management capabilities that allow for configuring and monitoring them over the web.

One of the vulnerabilities was dubbed Demon’s Cries and is regarded as critically severe by the researchers that reported it. This vulnerability received a CVSS score of 9.8 out of 10 from the researchers, where NetGear only scored it at 8.8. NETGEAR’s argument is that it doesn’t deserve the higher rating since the attack cannot be done from the Internet or from outside of the LAN the device is attached to.

The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively. Bickering over CVSS scores is not helpful and should not be necessary. If you would like to know more about how this scoring works, I can recommend reading How CVSS works: characterizing and scoring vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These three vulnerabilities have each been assigned their own name, but have not been assigned CVE’s yet.

Demon’s Cries

I think this one is called critical for a reason, especially if an attacker has already gained access to the victim’s intranet. The vulnerability can lead to an authentication bypass which would allow the attacker to change the admin’s password (among other things), which would obviously result in a full compromise of the device.

The Netgear Switch Discovery Protocol (NSDP) is implemented by the /sqfs/bin/sccd daemon. When the daemon is set to enabled it allows configuration changes that require a type 10 password authentication. But the daemon does not enforce the password and accepts “set” commands where authentication can be omitted from the chain and in such case the password verification never takes place.

Draconian Fear

This vulnerability has been given a CVSS score of 7.8 by the researchers and 7.4 by NetGear. Both scores result in the classification “high”. The affected smart switches are vulnerable to authentication hijacking. It allows an attacker with the same IP address as an admin that is in the process of logging in to hijack the session bootstrapping information, giving the attacker full admin access to the device web UI and resulting in a full compromise of the device.

During the login process a session file is created that, among other things, contains username, password, and the name of the result file /tmp/sess/guiAuth_{http}_{clientIP}_{userAgent}. All an attacker needs is to be on the same IP and guess a number in the range 1-5 to take over the session. And a bit of timing. An attacker on the same IP as the admin can just flood the get.cgi with requests and snatch the session information as soon as it appears. The window between get.cgi requests on the browser is 1 second, so an automated attack can have a high success rate.

Seventh Inferno

Details on Seventh Inferno will be publish on or after 13th September. Security researcher Gynvael Coldwind, who found and reported the vulnerabilities, so far explained two of the issues and provided demo exploit code for them.

Mitigation

In the NetGear security advisory you can find a full list of affected smart switches. Since NetGear has patched these vulnerabilities and both the discussed vulnerabilities are relatively easy to apply, owners of these devices are advised to download and apply the latest firmware as soon as possible.

The post Patch now! Netgear fixes serious smart switch vulnerabilities appeared first on Malwarebytes Labs.