IT NEWS

Researchers have been able to get hold of 372,072 Windows domain credentials, including 96,671 unique credentials, in slightly over 4 months by setting up a Microsoft Exchange server and using Autodiscover domains.

The credentials that are being leaked are valid Windows domain credentials used to authenticate to Microsoft Exchange servers.

What is Autodiscover?

From Microsoft’s site we learn that “the Autodiscover service minimizes user configuration and deployment steps by providing clients access to Exchange features. For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the EWS endpoint URL. However, Autodiscover can also provide information to configure clients that use other protocols. Autodiscover works for client applications that are inside or outside firewalls and in resource forest and multiple forest scenarios”.

Which boils down to a feature of Exchange email servers that allows email clients to automatically discover email servers, provide credentials, and then receive proper configurations. Designed to make the user’s life easier while forgetting that such designs need to be done with security in mind. Because cybercriminals love such features and use them for their own purposes.

How can it be abused?

The protocol’s goal is to make an end-user be able to completely configure their Outlook client solely by providing their username and password and leave the rest of the configuration to Microsoft Exchange’s Autodiscover protocol.

To accomplish this the Autodiscover protocol looks for a valid Autodiscover URL in these formats, where the example.com is replaced by the domain name (the part after the @) in the users’s email address:

https://autodiscover.example.com/Autodiscover/Autodiscover.xml
http://autodiscover.example.com/Autodiscover/Autodiscover.xml
https://example.com/Autodiscover/Autodiscover.xml
http://example.com/Autodiscover/Autodiscover.xml

This means that to start with, Autodiscover is looking for a URL at a domain or subdomain that is owned by the organization the user belongs to, so mistakes are contained and unlikely to cause problems. But, and here it comes, if none of the above send a valid response the process gets wonky, where it should probably have given up.

If those attempts fail, the next attempt to build an Autodiscover URL drops the example.com part that confines lookups to the user’s organization and looks here:

http://autodiscover.com/Autodiscover/Autodiscover.xml

This gives whoever owns the domain autodiscover.com a huge opportunity.

And the same is true for other Autodiscover top-level domains (TLDs) too, such as autodiscover.es, which will receive requests from all unresponsive .es domains.

To complete the mess, there is no login procedure required on the server side. The unsuspecting user trying to set up their Exchange account is just sending their credentials to an unknown server. There is also no attempt on the client’s side to check if the resource is available, or even exists on the server, before sending an authenticated request.

How bad is it?

It is important to understand that since Microsoft Exchange is part of the Microsoft domain suite of solutions, the credentials that are necessary to login to an Exchange-based inbox are in most cases the same as their domain credentials. The possible consequences of a domain credential leak at such a scale are enormous, and can put entire organizations in danger. Especially in the light of the ongoing ransomware attacks that are daily news. What easier way could an attacker ask for than to gain entry into an organization by using legitimate and valid credentials?

A quick search on my part learned that in most of the big TLDs the autodiscover domains have already been picked up.

Some of the most dangerous ones have been registered by the researchers to do their testing.

Detection and mitigation

Organizations can protect themselves by establishing their own Autodiscover domains, and blocking Autodiscover.TLD domains at the firewall or in their local DNS. Users can block Autodiscover.TLD domains in their hosts file.

Software vendors and developers who are implementing the Autodiscover protocol in their products should make sure that they are not letting it “fail upwards”, meaning that domains such as autodiscover. should never be constructed by the “back-off” algorithm.

When deploying or configuring Exchange server setups, organizations should also make sure that support for basic authentication is disabled. Using HTTP basic authentication sends credentials in clear text, making them easy to intercept.

When a user is being redirected to an Autodiscover.TLD server trying to make use of the leak, a security alert might pop up if it doesn’t have a security certificate, or if it has one that is self-signed. This could easily be avoided by the attacker if they deploy a valid TLS certificate though.

Microsoft was not informed of the problem before the credential harvesting was set in motion and the results were already published, so they are still investigating and promised to take appropriate steps to protect customers.

Stay safe, everyone!

The post Microsoft Exchange Autodiscover flaw reveals users’ passwords appeared first on Malwarebytes Labs.

The Spanish National Police (Policía Nacional) has successfully dismantled an organized crime ring of hundreds of members in a sting operation supported by Europol, the Italian National Police (Polizia di Stato), and Eurojust. This is the end result of a year-long investigation.

The organized crime ring, which operated in Spain’s Canary Islands, is said to have ties with the Italian Mafia who are “involved in online fraud, money laundering, drug trafficking and property crime.” The official site of the Spanish National Police named the Italian mafia clans as the Casamonica, Camorra Napolitana, Nuvoletta, and Sacra Corona Unita.

In just a year, they were able to steal a total of 11.72M USD (10M EUR) from hundreds of victims of phishing attacks and other fraudulent activities such as SIM swapping (also known as SIMjacking), business email compromise (BEC), and money muling. The Spanish National Police page also mentioned other crimes, such as “kidnapping, falsification of documents, injuries, threats, coercion, robbery with violence, Social Security fraud and illegal possession of weapons.

Europol has summarized the overall results of this sting:

• 106 arrests, mostly in Spain and some in Italy
• 16 house searches
• 118 bank accounts frozen
• Seizures include many electronic devices, 224 credit cards, SIM cards and point-of-sale terminals, a marijuana plantation and equipment for its cultivation and distribution.

Europol described the ring as “very well organized”, saying it included computer experts who created the phishing domains and spear headed cyber fraud, money mule recruiters and organizers, and money launderers, some of whom are said to be cryptocurrency experts.

Most of the suspects are Italian nationals, who largely victimized Italian citizens into sending large sums of money to bank accounts the criminal network controls. From there, the money was then moved by money mules and invested into shell companies. Countries affected by their fraudulent schemes include Spain, Germany, Ireland, Italy, Lithuania, and the United Kingdom.

“Cyber mafia” is not an unknown concept in the cybersecurity world.

In 2012, Belgian police were called in to investigate a case involving computers of the Swiss Shipping Company, MSC. They found “tiny computers known as pwnies (pronounced ponies) packed in memory sticks and sitting on several of the workstations”, which caused dramatic and consistent computer slowdown. They realized that these pwnies were being used to steal important information needed “to track specific containers and gain access to restricted areas of the port.” Once these containers were ready for collection, the mafia swooped in, sending in their trucks to drive the containers away. Journalist Misha Glenny called it “the most dramatic example that law enforcement had ever seen of the fusion of two types of crime: a traditional mafia operation and criminal hackers.”

In a more recent example, Italy’s Anti-mafia Directorate (DIA) published a report [PDF, in Italian only] in August about Italian Mafia groups turning to the dark web to hide their criminal activities, and masking the transfer of ill-gotten money using cryptocurrencies like Bitcoin and Monero.

The post Italian mafia cybercrime sting leads to 100+ arrests appeared first on Malwarebytes Labs.

It’s not every day you receive a big money offer from someone claiming to sit in political asylum, but here we are. The following missive landed in our spam traps at the weekend.

The mail claims to be from the daughter of no less than the late Colonel Gaddafi. Ayesha Gaddafi promises you untold riches if you help her find a home for $27.5 million.

The bogus mail, titled “Re: Please i need your help”, reads as follows:

Re: Please i need your help

I am sending my greetings to you from the Sultanate of Oman, In the capital city of Muscat.

May i use this medium to open a mutual communication with you, and seeking your acceptance towards investing in your country under your management as my partner, My name is Aisha Gaddafi and presently living in Oman, i am a Widow and single Mother with three Children, the only biological Daughter of late Libyan President (Late Colonel Muammar Gaddafi) and presently i am under political asylum protection by the Omani Government.

I have funds worth “Twenty Seven Million Five Hundred Thousand United State Dollars” -$27.500.000.00 US Dollars which i want to entrust on you for investment project in your country.If you are willing to handle this project on my behalf, kindly reply urgent to enable me provide you more details to start the transfer process.

I shall appreciate your urgent response through my email address below: aishaggaddafi36[removed]

Thanks

Yours Truly Aisha

The background to this tall tale

Ayesha fled Libya shortly after the Battle of Tripoli back in 2011. She eventually moved from Algeria to Oman, where she claims political asylum to this day. Note that the mail claims she’s a “single mother with three children”. The scammers can’t even get this right; Aisha has had four children, but two of them were killed during the fighting in 2011.

This is likely something they’re hoping most recipients of the mail will bother digging into too deeply. The prize, after all, is a remarkably large one.

What’s the impact of the scam here?

Should you respond, there’s a very good chance one or all of the below will take place.

• You’ll lose an incredible amount of money. They just want your bank details. You’ll either find yourself sending them sums of cash for [inexplicable reason goes here], or you’ll be sent some money.
• Being sent some money means you’re now a money mule. This is illegal, and you’re helping criminals to move around ill-gotten gains. You know how in cartoons, a character is left holding the bag in front of the police while the criminal is free to slink away? This will be you.
• Personal details stolen. Many of these scams involve you sending scanned copies of passports or other forms of ID. This now leaves you open to identity theft, and other related shenanigans.

The following will not happen:

• At no point will you be conversing with the real Ayesha Gaddafi
• You will not get rich

Should this wind up in your mailbox: Report, delete, and block the sender. There’s no scenario here which plays out any other way than you losing your time, identity, and money to a fraudster.

For “Ayesha”, the search for an overseas investment opportunity continues.

The post No, Colonel Gaddafi’s daughter isn’t emailing to give you untold riches appeared first on Malwarebytes Labs.

VMware is urging users of vCenter server to patch no fewer than 19 problems affecting its products.

These updates fix a variety of security vulnerabilities, but and one of them is particularly nasty. That would be CVE-2021-22005, a critical file upload vulnerability with a CVSS score of 9.8 out of 10.

It’s so bad the company is advising users to sort it out “right now“:

These updates fix a critical security vulnerability, and your response needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an “emergency change.”

CVE-2021-22005

vServer Center is a way to manage large infrastructure. If you have lots of hosts and virtual machines, this is a very good way to manage every aspect of your setup. With this in mind, if someone manages to compromise your vCenter, it probably won’t end well.

And that’s exactly what CVE-2021-22005 does. It’s a file upload vulnerability and anyone with access to vServer Center over a network can exploit it. The configuration settings of vServer Center don’t make any difference. If criminals get network access they can upload a specially made file and use it to execute code on the vServer Center.

As VMware points out, bad actors are often already in your network. They wait patiently to strike. It’s likely they’ll exfiltrate data slowly and nobody will ever know they’re there. Being able to snag a win like this for themselves could increase the threat from ransomware and other malicious activity.

What should I do?

Well, patch immediately is definitely the go-to advice. If an emergency patch falls outside how you usually do things, VMware mentions, but it really does impress upon readers that patching needs to be done as soon as possible. It is, perhaps, unusual (and refreshing) to see an organisation stress this fact so plainly, so kudos for being so forthright.

Is my vServer setup affected by this?

It depends. Some versions, such as vCenter Server 6.5, are not affected. Others are. You should refer to the dedicated rundown on this issue and take appropriate action as soon as you possibly can. We’ll leave the last word to VMware with regard to when you should be patching:

Immediately, the ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.

With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.

This seems like very good advice.

The post Patch vCenter Server “right now”, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure appeared first on Malwarebytes Labs.

In a detailed post on Github, security researcher Watchful_IP describes how he found that the majority of the recent camera product ranges of Hikvision cameras are susceptible to a critical, unauthenticated, remote code execution (RCE) vulnerability, even with the latest firmware.

Hikvision

Hangzhou Hikvision Digital Technology Co., Ltd. engages in the development, production, and sale of security products. Its business activities include the provision of services for hard disk recorders, video codes, video servers, surveillance cameras, monitoring of ball machine, road mounts and other products, as well as security services. The company was founded on November 30, 2001 and is headquartered in Hangzhou, China.

According to global market data provider IHS Markit, Hikvision has 38% of the global market share, and it has been the market leader since 2011. Hikvision is also known for its research on technologies such as visual recognition, cloud computing, and their adoption in security scenarios.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability found by Watchfull_IP is listed under CVE-2021-36260 and could allow an unauthenticated attacker to gain full access to the device and possibly perform lateral movement into internal networks.

The critical bug has received 9.8 out of 10 on the CVSS scale of severity, clearly demonstrated by the fact it enables the attacker to gain even more access than the owner of the device has, since the owner will be restricted to a limited protected shell (psh) which filters input to a predefined set of limited, mostly informational commands.

According to the researcher, the vulnerability has existed at least since 2016. All an attacker needs is access to the http(s) server port (typically 80/443). No username or password is needed, nor are any actions needed from the camera owner. The attack will not be detectable by any logging on the camera itself. A threat actor can exploit the vulnerability to launch a command injection attack by sending some messages with specially crafted commands.

Affected products

Users can find a list of affected products in the security notification from Hikvision. Among them are IP Cameras and  PTZ Cameras. PTZ is short for Pan/Tilt/Zoom and the name is used for cameras that can be remotely controlled and pointed. These cameras can, and are often used in surveillance mode where they cover an area by moving between preset points and the footage is often recorded, so it can be reviewed at a later time.

Users of other brands should also be advised that there are a huge number of OEM resellers offering Hikvision cameras under their own model numbers.

Responsible disclosure

The researcher has not disclosed any specifics about the attack to protect potential victims. In his post he describes how he worked with Hikvision since the discovery made on Sunday June 20, 2021. He was extremely pleased that they took him seriously and involved him in taking care of the problem.

On August 17, Watchfull_IP received the patched IPC_G3 (V5.5.800 build 210628) and IPC H5 (V5.5.800 build 210628) firmware from HSRC for testing.

“Decrypted and reversed the code in addition to live testing on my own equipment and confirmed to HSRC that the patched firmware resolves the vulnerability.

Was further pleased to note this problem was fixed in the way I recommended.”

We are glad that researchers like this check the security of the products we use and do responsible disclosure when they find problems, so manufacturers can resolve matters before some cybercriminal can start using our security equipment against us.

Mitigation

A word of caution is needed here, since not all the software portals have been provided with the latest firmware that is patched against this attack. To be sure to get a patched version it is recommended by Hikvision to download the latest firmware for your device from the global firmware portal. The researcher however notes that at the time of writing updated firmware seems to be properly deployed on the Hikvision China region firmware portal for Chinese region devices, but only partially on the global site. If you are in doubt there is a list of the vulnerable firmware versions in the researchers post.

In general it is a good idea not make your cameras accessible from the internet and if you do, put them behind a VPN.

The post Patch now! Insecure Hikvision security cameras can be taken over remotely appeared first on Malwarebytes Labs.

Malwarebytes has reason to believe that the MSHTML vulnerability listed under CVE-2021-40444 is being used to target Russian entities. The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.

The first template we found is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic holding of the country’s defense and industrial complex for both the rocket and space industry. It is also the lead developer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia’s largest research and development centers for developing rocket and space technology.

The email claims to come from the Human Resources (HR) department of the organization.

It says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. And that action is enough to trigger the exploit.

The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.

The second attachment we found claims to originate from the Ministry of the Interior in Moscow. This type of attachment can be used to target several interesting targets.

The title of the documents translates to “Notification of illegal activity.” It asks the receiver to please fill out the form and return it to the Ministry of Internal affairs or reply to this email. It also urges the intended victim to do so within 7 days.

Russian targets

It is rare that we find evidence of cybercrimes against Russian targets. Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard.

Patched vulnerability

The CVE-2021-40444 vulnerability may be old-school in nature (it involves ActiveX, remember that?) but it was only recently discovered. It wasn’t long before threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that everyone was able to follow step-by-step instructions in order to launch their own attacks.

Microsoft quickly published mitigation instructions that disabled the installation of new ActiveX controls, and managed to squeeze a patch into its recent Patch Tuesday output, just a few weeks after the bug became public knowledge. However, the time it takes to create a patch is often dwarfed by the time it takes people to apply it. Organizations, especially large ones, are often found trailing far behind with applying patches, so we expect to see more attacks like this.

Будьте в безопасности, все!

The post MSHTML attack targets Russian state rocket centre and interior ministry appeared first on Malwarebytes Labs.

Another day, another example of how the data sharing choices we make can come back to haunt us. The Guardian reports a Florida resident finding his bike ride data requested by law enforcement. This is due to his route taking him close to the scene of a burglary a year earlier.

According to the report, he had just seven days to put something in front of a judge to block the data’s release. Not everyone would know how to do this, much less have heard of geofencing before.

What happened here?

Geofencing 101

Geofencing wraps virtual “fences” around real locations. It’s commonly talked about in relation to advertising and marketing activities, and it helps you track movement by pinging away should you enter or leave a specified location. It can be helpful or adversarial, depending on your need, and your point of view. It can be used for things as varied as keeping your advertising spend focussed on people from a particular area, or tracking that serious offenders under some form of house arrest don’t outside the areas they’re allowed to visit.

What is a geofence warrant?

A geofence warrant, also known as “reverse location warrants”, involve grabbing data on everybody close to a crime scene. Were you involved? Or simply passing by? Doesn’t matter! Into the pile of law enforcement data you go. You just have to hope you’re not caught up in some sort of mistaken identity fiasco down the line.

These warrants are increasingly being used for all sorts of reasons. The fear is they’ll contribute to a chilling effect on free speech, protest, and more. Indeed, Google has recently said these warrants “make up one quarter of all US demands” for its data. It’s easy to see why this would be the case. It’s lots of incredibly precise movement data, tied to big slices of people’s personal identity and physical objects kept about their person.

Which keywords open the door?

It’s not just geofencing causing headaches for privacy advocates. Requests for keyword searches are very popular too. This is where your search history is grabbed and examined for signs of…well…who knows. Essentially, you’re at the mercy of completely random investigations aligning with your completely random searches.

While Google states these data requests “…represent less than 1% of total warrants and a small fraction of the overall legal demands for user data that we currently receive”, it’s still rather uncomfortable to think about.

Is there any refuge in anonymity?

Well, that’s a very good question. There’s plenty of examples where theoretically anonymous data turned out not to be, after ending up online. Time and again we’ve seen that, with surprisingly few data points, users can be identified from anonymised data.

Geofence warrants leapfrog several of those issues and go directly for the user ID. If you make use of any form of location data whatsoever, it can be used against you. Even if you disable your Bluetooth, refuse beacon access, turn off all GPS features, choose not to store your exercise routes in your latest exercise app. Simply carrying the phone around and using it as intended is potentially more than enough.

There is no simple solution to this one; primarily it’s down to Google to run a tight ship. It’s also incumbent on privacy orgs and people working at various levels of Government to ensure no overreach is taking place.

What can I do to reduce any privacy risk?

You can consider using services other than Google. If you don’t want your entire online existence in one big pot of data, feel free to mix and match a little. Try out DuckDuckGo for your searching perhaps, or fire up a VPN. Just be aware that other organisations may not have the same outlook on these requests as Google does. It might be the case that they don’t have the same legal might Google carries. They may have no policy on this kind of request at all, and hand everything they have on you to whoever asks for it. This would probably not be ideal in the privacy stakes.

The choice, as they say, is yours.

The post Google, geofence warrants, and you appeared first on Malwarebytes Labs.

Last week, security researcher Patrick Wardle released details of a new piece of malware masquerading as the legitimate app iTerm2. The malware was discovered earlier the same day by security researcher Zhi (@CodeColorist on Twitter), and detailed on a Chinese-language blog. (For those who don’t speak Chinese, Safari seems to do a fair job of translating it.)

iTerm2 is a legitimate replacement for the macOS Terminal app, offering some powerful features that Terminal does not. It is frequently used by power users. It is a favorite of security researchers because of the propensity for Mac malware to take control or detect usage of the Terminal app, which can interfere with attempts to reverse engineer malware. This makes iTerm2 an ideal app to trojanize to infect people who may have access to development system, research intelligence, etc.

The website for the legitimate iTerm2 app is iTerm2.com. However, the malicious version of iTerm2 was apparently being distributed via iTerm2[.]net, which was a very convincing duplicate of the legitimate iTerm2 site.

Clicking the download link on the lookalike site would result in an iTerm2.dmg disk image file being downloaded from kaidingle[.]com.

The disk image throws the first red flag. The real iTerm2 is distributed in a zip file, rather than a disk image. Further, for an app with a very professionally designed website, the disk image file is quite unpolished. It also includes a link to the Applications folder with a Chinese name, which is unusual for an app that is English-only and does not contain any Chinese localization files.

Malware behavior

The malicious iTerm2 app appears to be a legitimate copy of the iTerm2 app, but with one file added:

iTerm.app/Contents/Frameworks/libcrypto.2.dylib

When launched, the malicious app loads and runs the malicious libcrypto.2.dylib dynamic library, which in turn does a couple things.

The main purpose seems to be to connect to 47.75.123[.]111, from which it downloads a Python file named g.py and a mach-O binary named GoogleUpdate into the /tmp folder, then executes both of them.

The GoogleUpdate binary is heavily obfuscated, and it’s currently not known exactly what it does. However, according to Patrick, it communicates with what appears to be a Cobalt Strike server (47.75.96[.]198:443), which may mean it is a Cobalt Strike “beacon,” which would provide comprehensive backdoor access to the attacker.

The g.py file is clear-text Python code, and thus its intent is quite clear. It collects the following data:

• Machine serial number.
• Contents of the user’s home, desktop, Documents, and Downloads folders.
• Applications folder contents.
• Command histories for bash and zsh, which can contain sensitive information such as credentials.
• The git config file, which contains potentially sensitive information, including an e-mail password.
• The /etc/hosts file, which can contain details on custom servers accessed by the user.
• The .ssh folder, which can contain credentials for SSH.
• The user’s keychains, which contain many credentials and can be unlocked if the user’s password can be obtained.
• The config file for SecureCRT, a terminal emulator program.
• The saved application state for iTerm2.

These files are all copied into ~/Library/Logs/tmp/, compressed into a file at ~/Library/Logs/tmp.zip, which is then uploaded to http://47.75.123[.]111/u.php?id=%s (where the %s is replaced with the machine’s serial number).

Thus, the primary goal of the g.py script seems to be to harvest credentials and other data that would be of use for lateral movement within an organization. Presumably, the backdoor provided by the GoogleUpdate process would be used to perform that lateral movement and infect other machines.

Additional trojanized apps

Subsequent findings revealed additional apps that had also been trojanized, using the same libcrypto.2.dylib file. These apps were:

• Microsoft Remote Desktop
• SecureCRT
• Navicat Premium (a database management app)

Who is affected?

At the moment, few people with Malwarebytes installed seem to be affected. We’ve only seen a detection on one computer so far, in Asia.

There are indications that this malware may be primarily distributed in China and other southeast Asian countries, where Malwarebytes has a relatively small install base. For readers outside that region, you probably don’t have much to fear.

However, out of an abundance of caution, if you have one of these apps, it would not be a bad idea to replace them with a known legitimate copy, being sure to get it from the official website of the developer rather than from a lookalike site or a download mirror.

You should also run a scan with Malwarebytes, which will detect this malware as OSX.ZuRu.

Samples

iTerm2.dmg                   e5126f74d430ff075d6f7edcae0c95b81a5e389bf47e4c742618a042f378a3fa
com.microsoft.rdc.macos.dmg  5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259
Navicat15_cn.dmg             6df91af12c87874780cc9d49e700161e1ead71ae045954adbe7633ec9e5e45ff
SecureCRT.dmg                1e462f8716275dbae6acb3ff4f7a95624c1afb23c5069fa42a14ed49c2588921

The post New Mac malware masquerades as iTerm2, Remote Desktop and other apps appeared first on Malwarebytes Labs.

When it comes to picking a new device for your child, it’s often difficult to know where to start.

Whether you’re looking for a smartphone, a laptop, a gaming device or something else, or even just signing up for an account online, you want to make sure your kids are protected. It’s important to get the basics right, and you also want to be able to set parental controls, leaving little room for your child end up in online destinations you don’t want them going.

Of course, setting controls shouldn’t be a be-all and end-all. Nothing can replace having good and open communication with your kids.

Today’s generation of kids and teens consider their devices and the Internet as extensions of their lives. So it’s really important to talk to them about how they should use their devices responsibly, what they should and shouldn’t be doing online, and how they should be treating other people.

So without further ado, let’s dive into what we should be teaching our kids about Internet safety and what we can do to enforce these teachings.

C O N T E N T S

1. Keep your online accounts secure
2. Respect your privacy
3. Capture and share with care
4. Take care of your data
5. Take care of your device
6. Be wary of certain sites and content online
7. Be kind

7 Internet safety tips

1. Keep your online accounts secure

Whether your child needs their own personal email address, an account for school, or a social media login, the advice is largely the same. Show them these tips:

Never use the same password twice

It seems like we can’t go a week—or even a day sometimes—without hearing about an online service being breached.

After a breach, cybercriminals often sell and re-sell the stolen data. And if your child uses the same password across multiple accounts, when one gets breached they are all vulnerable.

This is where a password manager comes in.

As parents and carers, you can introduce your kids to this nifty tool. Not only can it create lengthy and complex passwords, it remembers them all for you. Many of them auto-populate the login fields when you attempt to access an online account, so you know you are on the correct site and not an imitation site that’s phishing you.

Use strong passwords

You need to make sure the passwords your kids use are strong, and by today’s standard, this means they should have a decent amount of length.

Some websites cap the length of the characters one can use in a password. Some welcome a level of complexity you can bake into a password. What you should be considering is a site should have a set minimum password length of 8-characters. Anything below that…you might want to reconsider ever joining at all.

A strong password is one that nobody else knows, and is extremely hard (for a powerful computer) to guess. Make sure your child uses the maximum length with the maximum level of complexity a site can offer. For example, if a site only allows passwords that are 18 characters long and a combination of numbers and big or small letters, then create a password that has all these elements.

Your password manager can help with this. Just make sure you choose a super-strong password for the manager itself.

Enable multi-factor authentication (MFA)

Passwords alone just aren’t enough these days. You need to put in as much friction as possible in order to protect your kids’ accounts. Multi-factor authentication is a great step to add in on every service that offers it.

MFA provides an additional layer of identity confirmation. Once your child has entered their username and password, they’ll need to prove they are the account holder by using another method of verification. This could be a one-time login code sent via text, a code on an authenticator app, or a push notification, among others.

Make sure your child takes advantage of this feature when available, and if a site your child would like to try doesn’t have MFA, perhaps the better question to ask is: Security-wise, should they even be using it?

2. Respect your privacy

In our Malwarebytes 2019 Privacy Survey we found that younger generations of Internet users are actually quite privacy-conscious. However, one thing we learned is that when it comes to potentially identifiable information (PII), younger people tend to have different opinions from older generations on what counts as personal data and what doesn’t.

Various states, countries, and organizations also have their own list of what data should and shouldn’t be considered PII. The European Union, for example, considers an IP address as personal data, but under the California Consumer Privacy Act (CCPA) an IP address is only “sometimes” classed as PII.

Clearly it’s confusing. But teach your kids to, at the very least, carefully consider not sharing:

• their full name
• the school they’re currently attending
• their personal contact number
• their personal email address
• their Social Security Number (SSN)
• your home address
• your home phone number/landline (if you still use one)
• email addresses of relatives and/or friends
• information about relatives and friends, such as where they work.

Telling your kids what they can share and what they shouldn’t is a good first step to taking their privacy seriously.

From here, carefully look through your child’s browser privacy and security settings to make sure they’re as tight as they can be. Do this on all the devices they use, including their smartphones.

You might also want to install some privacy- and security-enhancing extensions for the browser. If you don’t know where to start, Pieter Arntz, Malware Intelligence Researcher and regular contributor to the Malwarebytes Labs blog, has shared the six brilliant Chrome extensions he personally uses.

Bonus points if you can encourage your kid into using a browser that is already optimized for privacy and security.

Lastly, don’t just stop at browsers. Your child’s social media platform of choice may need its privacy and security settings tinkering with as well.

3. Capture and share with care

If your kid respects their own privacy, then they should respect other people’s privacy, too.

Thanks to smartphones, we’ve found in ourselves our inner shutterbug. While being creative is good, snapping images here and there and sharing them online with nary a though is not. This is also true for video, of course.

Tell your kids that if they plan to share online photos and videos of other people in the background, they should take the time to edit out the faces, or other elements in them that might give away locations they frequent.

And they should always ask permission first from the people in the photo or video before posting them online.

4. Take care of your data

Securing your child’s data is one of the biggest concerns of parents today. With stories of ransomware targeting and successfully hitting schools, not to mention the many other data breaches, parents and carers might feel that there is nothing they can do to protect their child’s data.

Far from it.

Securing your kid’s online accounts is the first step (see above), but there are other steps you can take to secure your child’s data.

Be careful with files and links. Cybercriminals use files and malicious links to get their malware into devices. So teach your kids to treat files and links with caution. Although criminals used to send unsolicited private messages to random recipients, things have moved on. Now they create fake social media profiles of celebrities or people your kid knows, or even compromise legitimate accounts to spread their malware.

If your child is messaged privately by a friend, classmate, relative, or anyone they might know containing a link or a file, encourage your child to contact the person via a separate method to ask if they have indeed sent that message.

Make sure all software is updated. One way for cybercriminals to infiltrate systems is to find weaknesses in software and then exploit them. Think of it like a door that anyone can open without alerting those already in the house. Make sure that door in your child’s computer is sealed, and apply updates as soon as they’re available.

Be careful when connecting to public Wi-Fi. Your child’s school Wi-Fi isn’t the only hotspot they can connect to. When they’re out with friends or at a classmate’s house, they’re bound to connect to other Wi-Fi networks. Remind your kids that they shouldn’t allow their devices to connect to Wi-Fi that doesn’t use a password. And even then, they should also be picky about what they do online or what accounts they are accessing.

If connecting to a public Wi-Fi can’t be avoided, advise them to use a virtual public network (VPN).

Don’t share passwords with anyone. And we mean, anyone—including friends. If your kid does this, it not only puts their data at risk, but also opens the door for abuse. They might be a close friend at school, but that doesn’t mean they wouldn’t try pulling a prank using your kid’s account, for example. Better safe than sorry, right?

Install an antivirus (AV) you trust. Accidents happen. Many people have clicked a dodgy link or opened a questionable email attachment at some point. And when accidents like this happen to your kids, its good to have an AV installed to stop malicious code from downloading or running before it could wreak havoc on your device. It could also prevent you from seeing potentially malicious sites, such as phishing sites, when you click a questionable link.

Back up data. Even if you do everything you can to protect your kid’s data, you could still end up as one of the unlucky ones. This is why it’s good practice to back up your data. This is the process of creating at least one copy of (usually) important files that we can’t afford losing. Ever.

5. Take care of your device

How your kids look after their computing devices is just as important as how they take care of the data stored in them. One form of data compromise your kids should avoid is device theft.

Lock down the device after a certain time of idleness. This way, if your child takes their eyes off their device for a bit when in a public space, the device won’t be able to be quickly accessed by anyone else.

Secure their laptop to an object. If your child is prone to spending time in public places to work on their laptop, it’s a good idea to suggest using a security cable to physically secure their laptop onto a chair or desk in case they need to leave the device for a while. Security cables can be bought online or in computer hardware shops.

Speaking of theft, it’s also good to install anti-theft or tracking software in your child’s phone and other mobile devices, such as a laptop, that they bring with them to school or anywhere.

Password protect the device. For mobile devices, this could either be a PIN or a pattern. For laptops and desktop computers, this could be a local user password, a physical security key, or a picture code to name a few.

Update your child’s device’s firmware. Just like any software that’s installed on their devices, it is equally important to update firmware. Firmware can have vulnerabilities like any regular software, and so updates should be installed as soon as possible.

6. Be wary of certain sites and content online

The Internet is a place where misinformation, fake news, and scams spread if people aren’t careful enough. Not every site on the Internet is a safe place to visit, and this is something to gently drill in your child’s mind.

Indeed, there are so many social media platforms right now that a lot of us parents cannot keep up. It’s great that your child has a number of options to choose from, but in this case ask them to be picky.

If your child has a Facebook account, perhaps it’s a good idea to talk to them about fake news and how to identify it.

They need to be wary of everyone they are talking to online. Omegle, for example, is a social site where investigators found predators encouraging young boys to expose themselves on camera. Usually, these people claim to be the same age as their victims but they are, in fact, evil grown-ups taking advantage of kids. And it’s not just boys at risk, recent research found 11-13 year old girls are the most likely targets of predators.

When it comes to picking which sites they should join or content to consume, your child could be as confused as you are. And most of the time, they follow the herd, their friends, and what’s trendy at the moment. They might need your guidance here, so prepare to learn the ropes together.

7. Be kind

…to others

Online abuse could happen to anyone. Cyberbullying, cyberstalking, threats of physical violence, flaming, non-contact sexual abuse—this includes flashing, forcing a child to perform sexual acts or take part in sexual conversations, and showing pornography among others—and other forms of abuse continue to affect many for life, with some destroying the lives of their targets and those close to them.

Instil in your child the kindness, understanding, and patience you would want others to approach them with. Having a healthy communication between children and parents or carers becomes significant here. Talking about any or all of these topics doesn’t just happen once. As you help them navigate through life—both in the real and the digital one—such conversations should be expected to come up and (hopefully) the topics are tackled with care, respect, and zero judgement.

If you want your kids to be kind to others online, show, don’t just tell.

…to yourself

Yes, your kids can be kind to themselves, too. Being online all the time, could be really fun and entertaining at first. But after a while, this could take a toll on them mentally and emotionally. Your kids could feel anxious, stressed, or tired because they’re absorbing and processing everything they see and read about.

This is why it’s advisable that they disconnect from the digital world often and reconnect with family, friends, and even with themselves. When was the last time they picked up a hobby that doesn’t involve a computer or phone? Or perhaps…when was the last time your child actually picked up a book to read for pleasure?

Should you accept this challenge…

The Internet is both a good and bad place. A good approach is to spend little to no time on sites that do not give your child a positive and learning experience. And when it comes to Internet safety for kids and teens, the best approach is for parents and carers to be involved in their child’s digital life.

I don’t mean micromanaging their digital life or making all their online decisions for them. If only that was possible!

Being involved means taking interest in your child’s online activities. It means becoming a presence when they need to understand, be reassured, be guided, be confident in what they do online. Being involved also means allowing them to decide for themselves and make mistakes—even after repeated warnings—but always on the ready to be a confidante or sounding board when things get rough.

Internet safety should start from the home. So raise your digital native to not only be smart about staying secure online and respectful of their (and other people’s) privacy, but also a force of good in the digital realm. This is a challenge every modern parent must recognize and take to heart.

Challenge accepted.

The post Internet safety tips for kids and teens: A comprehensive guide for the modern parent appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs

• Why backups aren’t a “silver bullet” against ransomware, with Matt Crape: Lock and Code S02E17
• The many tentacles of Magecart Group 8
• Apple releases emergency update: Patch, but don’t panic
• Update now! Google Chrome fixes two in-the-wild zero-days
• Parts of the Dark Web “awash” with school children’s personal data
• Patch now! PrintNightmare over, MSHTML fixed, a new horror appears … OMIGOD
• What are SSL certificates?
• Ransomware scammers target artists with fake Krita revenue deals
• HP OMEN users, update your driver now!
• What are computer cookies?
• What is the Dark Web? The Dark Web explained
• FBI and CISA warn of APT groups exploiting ADSelfService Plus
• Facebook’s own research reveals the harm that Instagram can inflict

Other cybersecurity news

• Hackers stole the source code of an application Puma, the German sportswear company, is using internally. (Source: The Record)
• Fake UPS courier phishers unmasked by researchers. (Source: vpnMentor)
• What are zero-click attacks, and how do they work? (Source: Security Week)
• There’s a black market for fake COVID vaccine certificates, and it’s booming (Source: Check Point Blog)
• Threat actors pretended to be the US Department of Transportation, so they can harvest Microsoft credentials (Source: INKY)
• New Zealand companies are being bombarded with DDoS, but their government is mum about it. (Source: The Register)
• A top FBI official said that there is “no indication” that Russia has cracked down ransomware gangs. (Source: The Record)
• Exclusive: Gaggle follows kids home for remote learning. (Source: The 74 Million)
• A ransomware gang has encrypted the entire network of South Africa’s Department of Justice (Source: BleepingComputer)
• One ransomware gang has threatened to delete decryption keys if its victims contact law enforcement or hire a negotiator. (Source: BleepingComputer)

Stay safe!

The post A week in security (Sept 13 – Sept 19) appeared first on Malwarebytes Labs.