IT NEWS

Google Play sign-ins can be abused to track another person’s movements

Even people that have been involved in cybersecurity for over 20 years make mistakes. I’m not sure whether that is a comforting thought for anyone or whether everyone should be worried now. But it is what it is and I make it a habit of owning my mistakes. So here goes.

With the aid of Google I was able to “spy” on my wife’s whereabouts without having to install anything on her phone.

In my defense, this whole episode happened on an operating system that I am far from an expert on (Android), and I was trying to be helpful. But what happened was unexpected.

What happened?

I installed an app on my wife’s Android phone and to do so, I needed to log into my Google account because I paid for the app. All went well, but after installing the app and testing whether it worked, I forgot to log out of Google Play. Silly, I know, but there you have it.

As it happens, at the time I installed the app on my wife’s phone I was investigating how much information the Google Maps Timeline feature was gathering about me. The timeline is an often-overlooked Google feature that “shows an estimate of places you may have been and routes you may have taken based on your Location History”. I was curious to see what Google records about me, even though I never actively check in or review places.

I started noticing strange things but couldn’t quite put my finger on what was going on. It showed me places I had been near, but never actually visited. I figured this was nothing more than Google being an over-achiever. But a few days ago I got my update and a place was listed that I had not even been near, but I knew my wife had been. Then, suddenly, it dawned on me: I was actually receiving location updates from my wife’s phone, as well as mine.

The only thing that might have alerted my wife to this unintentional surveillance—but never did—was my initial in a small circle at the top right corner of her phone, when she used the Google Play app. (You have to touch the icon to see the full details of the account that is logged in.)

After I logged out of Google Play on my wife’s phone the issue was still not resolved. After some digging I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store, but was not removed when I logged out after noticing the tracking issue.

What needs to change?

I have submitted an issue report to Google, but I’m afraid they will tell me that it is a feature and not a bug.

There are a few things that Google could improve here:

The Google timeline was enabled on my phone, not on my wife’s, so I feel I should not have received the locations visited by her phone.

When I logged in under my account on her Google Play I got a “logged in from another device” warning. I feel there should have been something similar sent to her phone. Something along the lines of “someone else logged into Google Play on your phone.”

Google Play only shows the first letter of the Google account that is logged in.

PlayStore

Like I said, my wife never noticed, and it’s easy to imagine how even this small giveaway could be overcome by a malicious user.

Of course, a cynic might say that the fundamental obstacle here is that if your business model demands that you hoover up as much information about somebody as possible, the opportunities for this kind of unintentional, tech-enabled abuse are likely to increase.

Coalition Against Stalkerware

Malwarebytes, as one of the founding members of the Coalition against Stalkerware (CAS), does everything in its power to keep people safe from being spied on. But malware scanners are limited to finding apps that spy on the user and send the information elsewhere. In this case even TinyCheck would not be helpful as the information is not sent to a known, malicious server.

We should be very clear here, though. This situation is not a form of stalkerware, and it does not, by design, attempt to work around a user’s consent. This is more aptly a design and user experience flaw. However, it is still a flaw that can and should be called out, because the end result can still provide location tracking of another person’s device.

Eva Galperin, director of cybersecurity for Electronic Frontier Foundation, which is also a founding partner of the Coalition Against Stalkerware, told Malwarebytes Labs that this flaw actually showcases why it is so important for technology developers to take into account situations of domestic abuse when designing their products.

The flaw “does highlight the importance of quality assurance and user testing that takes domestic abuse situations into account and takes the leakage of location data seriously,” Galperin said. “One of the most dangerous times in a domestic abuse situation is the time when the survivor is trying to disentangle their digital life from their abusers’. That is a time when the survivors’ data is particularly vulnerable to this kind of misconfiguration problem and the potential consequences are very serious.”

Tech-enabled abuse

You may be thinking that with physical access to my wife’s phone I could have done a lot worse than this, including installing a spyware app. But this kind of abusive misuse of legitimate technology is common enough that it has a name: Tech-enabled abuse.

And, as one of my co-workers pointed out, people are often lazy when they deal with computers and they will often settle for the first thing they find that works. And this really is a low effort method of spying on someone’s whereabouts. Plus you do not need to install anything and there is only a minimal chance of being found out.

How to stop it

For now the only thing we can do is to check which accounts have been added to your phone. While this post talks about Google Maps location information, I’m pretty sure there will be other apps that are linked to your account rather than to your phone. Those apps could be queried for information by people other than the owner of the phone if they are logged into Google Play.

The instructions below can be slightly different for different versions of Android, but you will have an idea where to look for the added accounts.

Under Settings > Accounts and Backups > Manage Accounts I found my Google account listed. Click on the account you want to remove and you will see the option to do that. After removing my account from there on my wife’s phone the tracking issue was finally resolved.

The post Google Play sign-ins can be abused to track another person’s movements appeared first on Malwarebytes Labs.

FTC bans SpyFone and its CEO from continuing to sell stalkerware

Nearly two years after the US Federal Trade Commission first took aim against mobile apps that can non-consensually track people’s locations and pry into their emails, photos, and videos, the government agency placed restrictions Wednesday on the developers of SpyFone—which the FTC called a “stalkerware app company”—preventing the company and its CEO Scott Zuckerman from ever again “offering, promoting, selling, or advertising any surveillance app, service, or business.”

Wednesday’s enforcement action represents a much firmer stance from the FTC compared to the settlement it reached in 2019, when the government agency refrained from even using the term “stalkerware” and it focused more on lacking cybersecurity protections within the apps it investigated, not on the privacy invasions that were allowed.

FTC Commissioner Rohit Chopra, who made a separate statement on Wednesday, said much of the same.

“This is a significant change from the agency’s past approach,” Chopra said. “For example, in a 2019 stalkerware settlement, the Commission allowed the violators to continue developing and marketing monitoring products.”

That settlement prevented the company Retina-X Studios LLC and its owner, James N. Johns Jr., from selling their three Android apps unless significant security rehauls were made. At the time, critics of the settlement argued that the FTC was not preventing Retina-X from selling stalkerware-type apps, but that the FTC was preventing Retina-X from selling insecure stalkerware-type apps.

This time, the FTC spoke more forcefully about the threat that these apps present to overall privacy and their undeniable intersection with domestic violence, saying in a release that the “apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence.”

In that same release Wednesday, Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection said:

“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information. The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security. This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy.”

The FTC’s enforcement against SpyFone will require the business—which is registered as Support King LLC—to also destroy any information that was “illegally collected” through its Android apps. It must also notify individuals whose devices were manipulated to run SpyFone apps, warning them that their devices both could have been monitored and may no longer be secure.

According to a complaint filed by the FTC which detailed its investigation into Support King, SpyFone, and Zuckerman, the company sold three versions of its SpyFone app (“Basic,” “Premium,” and “Xtreme”) at various prices. The company also sold “SpyFone for Android Xpress,” which the FTC described not as an app, but as an actual mobile device that came pre-installed with a one-year subscription for Android Xtreme. The price of the device started at $495.

The FTC also focused on the install methods for SpyFone’s apps, revealing that SpyFone required its users to subvert built-in cybersecurity protections on other mobile devices so to avoid detection by those devices’ operating systems. Certain functions advertised by SpyFone  also required extra manipulations by users, the FTC said.

“To enable certain functions of the SpyFone products, such as viewing outgoing email, purchasers must gain administrative privileges to the mobile device, such as through ‘rooting’ the mobile device, giving the purchaser privileges to install other software on the mobile device that the manufacturer would not otherwise allow,” the FTC said. “This access enables features of the SpyFone products to function, exposes a mobile device to various security vulnerabilities, and can invalidate warranties that a mobile device manufacturer or carrier provides.”

The FTC also found that SpyFone apps could hide themselves from view to their end-user—a telltale trait of apps that have been used to non-consensually track another user’s location and dig through their private messages and information.

The enforcement action also shows that the FTC is not strictly investigating the most popular or the most detected stalkerware-type apps on the market.

For example, Malwarebytes for Android detects the products made by SpyFone. Since the start of 2021 until yesterday, August 31, 2021, Malwarebytes detected these products a total of 334 times. The average detection count for the past six months is about 42 detections per month. These are comparatively low numbers when looking at similar apps, as our most-detected stalkerware-type apps have accrued roughly 4,000 detections since the start of 2021.

Malwarebytes also welcomes the news of the FTC’s enforcement and is excited for the agency’s new direction on this well-documented, pernicious threat to privacy.

The post FTC bans SpyFone and its CEO from continuing to sell stalkerware appeared first on Malwarebytes Labs.

ProxyToken: Another nail-biter from Microsoft Exchange

Had I known this season of Microsoft Exchange was going to be so long I’d have binge watched. Does anyone know how many episodes there are?

Sarcasm aside, while ProxyToken may seem like yet another episode of 2021’s longest running show, that doesn’t make it any less serious, or any less eye-catching. The plot is a real nail-biter (and there’s a shocking twist at the end).

This week’s instalment is called ProxyToken. It’s a vulnerability that allows an unauthenticated attacker to perform configuration actions on mailboxes belonging to arbitrary users. For example, an attacker could use the vulnerability to forward your mail to their account, and read all of your email. And not just your account. The mail for all your co-workers too. So there are multiple possible themes for this episode, including plain old data theft, industrial espionage, or just espionage.

Background and character development

Before we can explain this week’s plot, it’s important to catch up on some background information, and meet some of the principal players.

Exchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during installation. The installation also creates two sites in IIS. One is the default website, listening on ports 80 for HTTP and 443 for HTTPS. This is the site that all clients connect to for web access.

This front end website for Microsoft Exchange in IIS is mostly just a proxy to the back end. The Exchange back end listens on ports 81 for HTTP and 444 for HTTPS. For all post-authentication requests, the front end’s job is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.

Which is all good, if it weren’t for a feature called “Delegated Authentication” that Exchange supports for cross-forest topologies. An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, users, computers, and group policies. A single Active Directory configuration can contain more than one domain, and we call the tier above domain the AD forest. Under each domain, you can have several trees, and it can be tough to see the forest for the trees.

Forest trusts reduce the number of external trusts that need to be created. Forest trusts are created between the root domains of two forests. In such deployments, the Exchange Server front end is not able to perform authentication decisions on its own. Instead, the front end passes requests directly to the back end, relying on the back end to determine whether the request is properly authenticated. These requests that are to be authenticated using back-end logic are identified by the presence of a SecurityToken cookie.

The plot

For requests where the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end. But, the back end is sometimes completely unaware that it needs to authenticate these incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule that checks for this cookie is not loaded in installations that have not been configured to use the special delegated authentication feature. With the astonishing end result that specially crafted requests can go through, without being subjected to authentication. Not on the front end nor on the back end.

The twist

There is one additional hurdle an attacker needs to clear before they can successfully issue an unauthenticated request, but it turns out to be a minor nuisance. Each request to an Exchange Control Pane (ECP) page is required to have a ticket known as the “ECP canary”. Without a canary, the request will result in an HTTP 500 response.

However, imagine the attacker’s luck, the 500 error response is accompanied by a valid canary! Which the attacker can use in his next, specially crafted, request.

The cliffhanger

This particular exploit assumes that the attacker has an account on the same Exchange server as the victim. It installs a forwarding rule that allows the attacker to read all the victim’s incoming mail. On some Exchange installations, an administrator may have set a global configuration value that permits forwarding rules having arbitrary Internet destinations, and in that case, the attacker does not need any Exchange credentials at all. Furthermore, since the entire ECP site is potentially affected, various other means of exploitation may be available as well.

Credits

The ProxyToken vulnerability was reported to the Zero Day Initiative in March 2021 by researcher Le Xuan Tuyen of VNPT ISC. The vulnerability is listed under CVE-2021-33766 as a Microsoft Exchange Information Disclosure Vulnerability and it was patched by Microsoft in the July 2021 Exchange cumulative updates.

Other “must watch” episodes

Microsoft Exchange has been riveting viewing this year, and with four months of the year to go it seems unlikely that ProxyToken is going to be the season finale. So here’s a list of this season’s “must watch” episodes (so far). If you’ve missed any, we suggest you catch up as soon as possible.

And remember, Exchange is attracting a lot of interest this year. Everyone’s a fan. All of these vulnerabilities are being actively scanned for and exploited by malware peddlers, including ransomware gangs.

The post ProxyToken: Another nail-biter from Microsoft Exchange appeared first on Malwarebytes Labs.

A week in security (August 23 – August 29)

Last week on Malwarebytes Labs:

Other cybersecurity news:

  • A vulnerability in Microsoft Azure left thousands of customer databases exposed. (Source: Reuters)
  • Researchers from vpnMentor discovered an insecure database belonging to EskyFun, a Chinese Android game developer, exposing millions of gamers to hacking. (Source: vpnMentor)
  • The UK will begin making changes to privacy laws as they depart from GDPR as part of post-Brexit proceedings. (Source: The Wall Street Journal)
  • China is reportedly hiring hackers to become spies and entrepreneurs at the same time. (Source: The New York Times)
  • Phishers used an XSS vulnerability in UPS’s official site to spread malware. (Source: BleepingComputer)
  • JP Morgan Chase bank customers were notified that their data was inadvertently exposed to other users. (Source: SecurityWeek)
  • ALTDOS is hacking companies in Southeast Asia to steal data and either ransom it back to them or sell for profit. (Source: The Record by Recorded Future)
  • Flaws in infusion pumps could let hackers increase medication dosage. (Source: WIRED)
  • Researchers for Zscaler revealed the prevalence of fake streaming sites and adware during the 2020 Tokyo Olympics. (Source: Zscaler Blog)
  • Bumble, a popular dating app, was leaking users’ exact locations until recently patched. (Source: IT News)

Stay safe, everyone!

The post A week in security (August 23 – August 29) appeared first on Malwarebytes Labs.

Hackers, tractors, and a few delayed actors. How hacker Sick Codes learned too much about John Deere: Lock and Code S02E16

No one ever wants a group of hackers to say about their company: “We had the keys to the kingdom.”

But that’s exactly what the hacker Sick Codes said on this week’s episode of Lock and Code, in speaking with host David Ruiz, when talking about his and fellow hackers’ efforts to peer into John Deere’s data operations center, where the company receives a near-endless stream of data from its Internet-connected tractors, combines, and other smart farming equipment.

For Sick Codes, what began as the discovery of a small flaw grew into a much larger group project that uncovered reams of sensitive information. Customer names, addresses, equipment type, equipment location, and equipment reservations were all uncovered by Sick Codes and his team, he said.

“A group of less than 10 people were able to pretty much get root on John Deere’s Operations Center, which connects to every other third party connectivity service that they have. You know, you can get every farms’ data, every farms’ water, I’m talking everything. We had like the keys to the kingdom. And that was just a few people in two days.”

Sick Codes

During their investigation, Sick Codes also tried to report these vulnerabilities to the companies themselves. But his and his team’s efforts were sometimes rebuffed. For one vulnerability, Sick Codes said, he was even pushed into staying quiet.

Listen to Sick Codes talk about his cyber investigation into agricultural companies, and his response to being led into a private disclosure program which he wanted nothing to do with, on this week’s episode of Lock and Code.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Further, you can watch Sick Codes presentation at DEFCON on YouTube, and you can read a summary of the talk. The hackers who helped discover the vulnerabilities, which you can read about here, included:

The post Hackers, tractors, and a few delayed actors. How hacker Sick Codes learned too much about John Deere: Lock and Code S02E16 appeared first on Malwarebytes Labs.

Microsoft warns about phishing campaign using open redirects

The Microsoft 365 Defender Threat Intelligence Team posted an article stating that they have been tracking a widespread credential phishing campaign using open redirector links. Open redirects have been part of the phisher’s arsenal for a long time and it is a proven method to trick victims into clicking a malicious link.

What are open redirects?

The Mitre definition for “open redirect” specifies:

“An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.”

In layman’s terms, you click a link thinking you are going to a trustworthy site, but the link is constructed in a way so that it redirects you to another site, which in these cases is a lot less trustworthy. For instance, users that have been trained to hover over links in emails before clicking them may see a domain they trust and thus click it. After which they will be redirected and land somewhere unexpected. And if the phisher is any good, it will look as if the victim landed where they expected to land.

CAPTCHA

Another element this phishing campaign uses to gain the trust of the victim is adding Captcha verification to the phishing page. This is not uncommon. Researchers have found several new campaigns using legitimate challenge and response services (such as Google’s reCAPTCHA) or deploying customized fake CAPTCHA-like validation. Earlier research already showed there was an  increase of CAPTCHA-protected phishing pages. Hiding phishing content behind CAPTCHAs prevents crawlers from detecting malicious content and it even adds a legitimate look to phishing login pages.

After all CAPTCHA stands for the Completely Automated Public Turing test to tell Computers and Humans Apart. So it will try to keep the automated crawlers from security vendors and researchers out and only let “puny humans” in that are rife to be phished. I wrote try in that last sentence on purpose because there are several crawlers out there that are equipped with CAPTCHA solving abilities that outperform mine. And repeating the same CAPTCHA on several sites only makes it easier for those crawlers.

What the phishers also may not have realized, or bothered to think through, is that CAPTCHA uses a unique ID and if you start copying your CAPTCHA ID all over your phishing pages, it enables researchers to track your campaigns and it helps them to quickly find and identify your new phishing sites. Maybe even faster than it would normally take the security crawlers to find them.

Credential phishing

Credential phishing emails are usually a starting point for threat actors to gain a foothold in a network. Once the attacker manages to get hold of valid credentials they can try the credentials they have found rather than resort to brute-force attacks. In this campaign, Microsoft noticed that the emails seemed to follow a general pattern that displayed all the email content in a box with a large button that led to credential harvesting pages when clicked.

Once the victim has passed the CAPTCHA verification they are presented with a site that mimics the legitimate service the user was expecting. On this site they will see their email address already present and asking the user for their password. This technique is designed to trick users into filling out corporate credentials or other credentials associated with the email address.

If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again. This is likely done to get the user to enter their password twice, allowing attackers to ensure they obtain the correct password.

Once the user enters their password a second time, the page directs to a legitimate Sophos website that claims the email message has been released. This is another layer of social engineering to deceive the victim.

Recognizing the phish

Microsoft provides the reader with a lot of domains that are involved in this campaign, but for the recipient it is easier to recognize the format of the subject lines which might look like these:

  • [Recipient username] 1 New Notification
  • Report Status for [Recipient Domain Name] at [Date and Time]
  • Zoom Meeting for [Recipient Domain Name] at [Date and Time]
  • Status for [Recipient Domain Name] at [Date and Time]
  • Password Notification for [Recipient Domain Name] at [Date and Time]
  • [Recipient username] eNotification

Leading to sites (behind the CAPTCHA) pretending the recipient to log in to Zoom, Office 365, or other Microsoft services. The final domains used in the campaigns observed during this period mostly follow a specific domain-generation algorithm (DGA) pattern. Many of the domains hosting the phishing pages follow a specific DGA pattern:

  • [letter]-[letter][letter].xyz  (example: c-tl.xyz)
  • [letter]-[letter][letter].club (example: i-at.club)

One thing to remember, a password manager can help you against phishing. A password manager will not provide credentials for a site that it does not recognize, and while a phishing site might fool the human eye, it won’t fool a password manager. This helps users from getting their passwords harvested.

Stay safe, everyone!

The post Microsoft warns about phishing campaign using open redirects appeared first on Malwarebytes Labs.

How to stay secure from ransomware attacks this Labor Day weekend

Labor Day weekend is just around the corner and, believe it or not, cybercriminals are likely just as excited as you are! 

Ransomware gangs have nurtured a nasty habit of starting their attacks at the least convenient times: When computers are idle, when employees who might notice a problem are out of the office, and when the IT or security staff who might deal with it shorthanded. 

They like to attack at night and at weekends, and they love a holiday weekend. 

Indeed, while many people are looking forward to catching up with friends and family this Labor Day weekend, cybercrime gangs are likely huddling, too, planning to attack somebody

On the last big holiday weekend, Independence Day, attackers using REvil ransomware celebrated with an enormous supply-chain attack on Kaseya, one of the biggest IT solutions providers in the US for managed service providers (MSPs). Threat actors used a Kaseya VSA auto-update to push ransomware into more than 1,000 businesses. 

Why out-of-office attacks work

Ransomware works by encrypting huge numbers of files on as many of an organization’s computers as possible. Performing this kind of strong encryption is resource intensive and can take a long time, so even if an organization doesn’t spot the malware used in an attack, its tools might notice that something is amiss. 

“You never think you’re gonna be hit by ransomware,” says Ski Kacoroski, a system administrator with the Northshore School District in Washington state. Speaking on Malwarebytes’ Lock & Code podcast, he told us about Northshore’s nighttime attack: “It was an early Saturday morning. I got a text from my manager saying ‘something is up’ … after a short while I realized that [a] server had been hit by ransomware. It took us several more hours before we realized exactly how much had been hit.” He added “We had some high CPU utilizations alert the night before when they started their attack, but most of us were already asleep by midnight.” 

Criminals taking advantage while employees are away for holidays, weekends, or simply because their shift is over, is a classic “when the cat’s away” opportunistic crime. 

Be prepared for holiday disruption

We reached out to Adam Kujawa, Malwarebytes’ resident cybersecurity evangelist, and asked what organizations can do to minimize the chance their holiday weekend will be disrupted.  

Do these before the holiday 

  • Run a deep scan on all endpoints, servers, and interconnected systems to ensure there are no threats lurking on those systems, waiting to attack! 
  • Once you know those systems are clean, force a password change a week or two out from the holiday, so any guessed or stolen credentials are rendered useless. 
  • Employ stricter access requirements for sensitive data, such as multi-factor authentication (MFA), Manager Authorization, and requiring a local network connection. Although this will make it a more difficult for employees (for a short amount of time), this will also make it significantly more difficult for attackers to traverse networks and gain access to unauthorized data. Once the holiday ends, you can revert these policies since you’ll have more eyes to watch out for threats. 
  • Provide guidance to employees on not posting about vacations and/or holiday plans on social media. 
  • Provide free—or free for a limited time—security software to employees to use on personal systems 
  • Ensure all remotely accessible connections(e.g. VPNs, RDP connections) are secured with MFA. 

Do these during the holiday 

  • Ensure all non-essential systems and endpoints are shut down at the end of the day. 
  • Reduce risk by disabling or shutting down systems and/or processes which might be exploitable, if they aren’t needed. 
  • Ensure there is always someone watching the network during the holiday, and make sure they are equipped to handle a sudden attack situation. We suggest create a cyberattack reaction and recovery plan that includes call sheets, procedures on communicating with law enforcement and collecting evidence, and what systems can be isolated or shut down without seriously affecting the operations of the organization.

“The only mistake in life is a lesson not learned”

When we asked him why he came forward to tell his ransomware story when many others are reluctant to, Kacoroski told us: “The only mistake in life is a lesson not learned.” 

A lesson we can all learn from recent history is that cybercriminals are probably planning to ruin somebody’s Labor Day weekend. So don’t wait for an attack to happen to your organization before you decide you need to be ready. 

Prepare now, so you can enjoy an uninterrupted Labor Day weekend! 

The post How to stay secure from ransomware attacks this Labor Day weekend appeared first on Malwarebytes Labs.

US government and private sector agree to invest time, money in cybersecurity

In the wake of several high-profile ransomware attacks against critical infrastructure and major organizations in the last few months, President Biden met with private sector and education leaders to discuss a whole-of-nation effort needed to address cybersecurity threats and bolster the nation’s cybersecurity.

Several participants in President Biden’s meetings have recently announced commitments and initiatives:

  • The National Institute of Standards and Technology (NIST) will collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain.
  • The Biden Administration announced the formal expansion of the Industrial Control Systems Cybersecurity Initiative to a second major sector: natural gas pipelines.
  • Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain.
  • Google announced it will invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security.
  • IBM announced it will train 150,000 people in cybersecurity skills over the next three years, and will partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce.
  • Microsoft announced it will invest $20 billion over the next 5 years to accelerate efforts to integrate cyber security by design and deliver advanced security solutions. Microsoft also announced it will immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.
  • Amazon announced it will make available to the public at no charge the security awareness training it offers its employees.

And those are just the big players. The full list can be found here.

The importance and relevance of each of these is discussed below.

Supply Chain

An important attack vector for ransomware that lead to some of the biggest and most costly attacks were supply chain attacks. While not new, these attacks are always interesting because they usually involve highly skilled attacks and make a lot of victims. A prime example of such a case is the MSP provider Kaseya.


You can listen to what went wrong, exactly, in Kaseya on our podcast Lock and Code, with guest Victor Gevers of the Dutch Institute for Vulnerability Disclosure, which found seven or eight zero-days in the product.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”


The Industrial Control Systems Cybersecurity Initiative

In April 2021, the Biden Administration launched an Industrial Control Systems Cybersecurity Initiative to strengthen the cybersecurity of critical infrastructure across the United States. The Electricity Subsector Action Plan was the first in a series of sector-by-sector efforts to safeguard the Nation’s critical infrastructure from cyber threats. Expanding to gas pipelines may have been prompted by the attack on Colonial Pipeline.

Security training

Organizations know that training employees on cybersecurity and privacy are not only expensive but time-consuming. Putting together a cybersecurity and privacy training program that is not only effective but sticks requires an incredible amount of time, effort, and thought in finding out employees’ learning needs, planning, creating goals, and identifying where they want to go.

For organizations to offer that kind of training for free to people outside of their own organization is a big commitment, but it is also hard to make that training effective. The more you know about the environment a student will be working in, the more targeted and effective the training can be.

This type of training can be broken down in a few layers:

  • Awareness which is not really training, but making people aware of what dangers are out there. A regular reader of our blog will have a high awareness level, or so we hope.
  • Actual training strives to produce relevant and needed security skills and competencies. But as we pointed out, that is hard to do without having specific knowledge about the working environment. What programs the trainees will be using is essential for targeted and effective training.
  • Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce IT security specialists and professionals capable of vision and pro-active response. Which is a good thing, given the shortage of cybersecurity professionals, but that is not what I’m reading in the announcements.

We are glad about the initiatives and the amount of money and effort willing to be put into the initiatives. Some will certainly be more effective than others and we will certainly do our best to keep awareness levels high.

The post US government and private sector agree to invest time, money in cybersecurity appeared first on Malwarebytes Labs.

Latest iPhone exploit, FORCEDENTRY, used to launch Pegasus attack against Bahraini activists

Researchers from Citizen Lab, an academic research and development lab based in the University of Toronto in Canada, has recently discovered that an exploit affecting iMessage is being used to target Bahraini activists with the Pegasus spyware. The Bahrain government and groups linked to them—such as LULU, a known operator of Pegasus, and others like them who are associated with a separate government—were tagged as culprits of the surveillance activity.

Dubbed by Citizen Lab as FORCEDENTRY, this iMessage exploit is said to have been in use since February 2021. For an entity to get inside someone’s iPhone using FORCEENTRY to exploit an iMessage vulnerability, there is no need to come up with social engineering tactics to get their target to do an action, which is, usually, to click something. The attackers just deploy the exploit. No need for the target to click something. This is what we mean when we refer to some attacks as “zero-click”.

FORCEDENTRY is Megalodon

FORCEDENTRY and Megalodon—the name given to iMessage exploit activity witnessed by Amnesty International’s research arm Amnesty Tech in July 2021—are one and the same.

When FORCEENTRY is fired at a device, it crashes IMTranscoderAgent, a service the device uses to transcode and preview images in iMessage. According to The Hacker News, this is FORCEDENTRY’s way of getting around Apple’s BlastDoor security feature, which was designed to protect against attacks, including those from the KISMET exploit. Once this agent crashes, the exploit can then download and render items, likely images, from the Pegasus server.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” the researchers claim in the Citizen Lab report.

FORCEDENTRY has been observed targeting and deploying Pegasus against Bahraini activists, members, and writers belonging to Waad (a political society), Bahrain Center for Human Rights (a Bahraini NGO), and Al Wefaq (cited as “Bahrain’s largest opposition political society”).

KISMET: the other exploit

FORCEENTRY is actually the second known exploit to be used to target journalists using an iMessage vulnerability. In 2020, Citizen Lab named KISMET, a then 0-day exploit against iPhone iOS version 13.5.1 and above. It could also hack the iPhone 11, the latest model of that time. This made iPhone devices that were available before the release of iOS 14 vulnerable and exploitable.

No real protection in sight?

As of this writing, researchers at Citizen Lab believed that the KISMET and FORCEDENTRY exploits might have been prevented by users disabling iMessage and FaceTime. However, disabling these two cannot fully protect users from any spyware or zero-click attacks, the researchers said. Disabling iMessage also means that your once-encrypted message could be easily intercepted by attackers.

There are also other text and video messaging apps iPhone users can use in place of iMessage and FaceTime should they choose to disable them. Some of these are open-source, such as Signal.

The post Latest iPhone exploit, FORCEDENTRY, used to launch Pegasus attack against Bahraini activists appeared first on Malwarebytes Labs.

Cold wallet, hot wallet, or empty wallet? What is the safest way to store cryptocurrency?

In August of 2021, a thief stole about $600 million in cryptocurrencies from The Poly Network. They ended up giving it back, but not because they were forced to. Slightly more than one week later, Japanese cryptocurrency exchange Liquid was hacked and lost $97 million worth of digital coins.

These examples of recent news about hacked cryptocurrency exchanges left many investors wondering whether it was still smart to invest in cryptocurrencies and how to keep them safe.

We can’t answer the first question for you. I wish I knew. But we can explain the terminology, the methods, and the risks. So you can decide which would be best for you.

Wallets

A wallet is basically the name for the methods to store virtual money. Like you can keep non-virtual money in a bank account or under your mattress, you can keep virtual currencies in hot and cold wallets. An empty wallet has the same meaning ….. and the same value. So let’s try to avoid getting our wallets robbed empty.

Bank robbers

A big difference between bank robbers and hackers that are after crytpocurrency exchanges, besides the possible size of the loot, is that when money gets stolen from a bank they are not going to tell their customers that a certain amount of the stolen amount belonged to them. Unless the robbers emptied some private lockers, but that is not the point. If you have your cryptocurrency stored with an exchange and the hosted wallets get emptied, the exchange will be able to tell exactly whose money was stolen due to the traceability of each transaction that defines the very nature of cryptocurrencies. So the feeling that many will refer to as having the money safely in the bank, does not fully apply for crypto exchanges.

A hardware wallet

A hardware wallet is a place to safely store your private keys. The goal of the hardware wallet is to keep the private keys secret since they are needed to authorize transactions. Fundamentally, if you write the private key down on a piece of paper and put it in your safe at home, you have the most basic hardware wallet. And sometimes you will be advised to do just that.

Wallets often make use of a seed phrase. A seed phrase is a list of words which store all the information needed to recover cryptocurrency funds on-chain. Wallet software will typically generate a seed phrase and instruct the user to write it down on paper and keep it in a safe place. If you were to give out your seed phrase, for example as a result of a phishing attempt, the threat actor would then be able to get access to your wallet.

What is a cold wallet?

A much more sophisticated method of keeping your money under the mattress is a cold wallet. A cold wallet is a hardware wallet that is not connected to the internet. So this can be compared to having your money in a vault at home which you only open when you need to spend some of the funds. When it comes to the danger of having your cryptocurrency stolen by hackers, a cold wallet ranks highly as one of the safest storage methods. But a cold wallet has a few drawbacks:

  • They cost money. Prices for common hardware wallets range from $50 to $200. Not a big price to pay if you own a large amount of cryptocurrencies, but ridiculous to safeguard a few Satoshi.
  • They are not available for every cryptocurrency. You can easily find hardware wallets for the well-known cryptocurrencies like Bitcoin and Ethereum, but you will have more trouble finding a suitable one if you are investing in new or rare cryptocurrencies.
  • Lose your cold wallet or break it beyond repair and it is all gone.

Or as the IT engineer who accidentally threw away the hard drive of an old computer containing 7,500 bitcoins back in 2013 said: “I’ll keep looking.”

Hot wallet

A hot wallet may be called that because it compares to walking around with a lot of cash in your pockets in the worst of neighborhoods. A cryptocurrency exchange to hackers is like a huge pot of gold at the end of the rainbow. And looking at the events over the past years the coding behind these exchanges has been seriously lacking in the security department. Even if you can trust an exchange to not pull an inside job on you, can you trust the security measures they have taken to safeguard your savings?

The main job of an exchange is not to safely store your wallet, although many of them will certainly offer you that option. Their main job is to allow you to buy and sell cryptocurrencies. Most of the crypto brokers that works with these exchanges to ensure a continuous flow of supply and demand work with cold wallets and will probably advise you to do the same. But again, we are talking about amounts that are worth an investment in security.

Feel free to add your advice in the comments, but keep them civilized.

Remember, if you want to hold onto your cryptocurrencies, keep them safe!

The post Cold wallet, hot wallet, or empty wallet? What is the safest way to store cryptocurrency? appeared first on Malwarebytes Labs.