IT NEWS

The wheels of justice have turned, if perhaps a bit slower than you may have expected. A Dublin resident, Eric Eoin Marques, has been sentenced to 27 years in federal prison. The reason is the frankly terrifying tally of child sexual abuse material (CSAM) he helped to distribute. Eoin helped to make no fewer than 8.5 million images of abuse available on the Dark Web. No fewer than 2 million of those images contained victims not previously known to those in law enforcement circles.

The main point of reference for these acts was something called “Freedom Hosting”. This website hosting service helped keep all of the illegal content online, and available for distribution. Law enforcement seized $155,000 from Marques, who stated that his business had been “very successful”.

How did the FBI, Interpol, and the Garda set about taking this nest of vipers down?

How Freedom Hosting operated

Freedom Hosting operated as a hidden service (a destination on the Dark Web), available to Tor users if they knew where to look for it. To prevent any confusion, as per the Tor blog:

The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research.

According to the investigation, “the hosting service contained over 200 child exploitation websites that housed millions of images of child exploitation material”. Essentially, they played host to the absolute worst of the worst. 

Shortly after the FBI began seeking Eoin’s extradition in 2013, malware—later identified as EgotisticalGiraffe—was discovered on a number of Freedom Hosting sites. The malware exploited a bug in the Tor browser that revealed the IP addresses of visitors, defeating Tor’s anonymity protection, and allowing them to be located.

The FBI later revealed in court that it had taken control of Freedom Hosting in July 2013 and planted the malware to identify people looking for CSAM there.

Racking up the charges

Marques at this time was facing up to four charges, plus extradition to the US, which eventually happened in 2019. By the end of it all, he stood accused of creating and operating servers from 2008 to 2013. He pleaded guilty at the start of 2020, after a year-long investigation.

Things have now come to a conclusion, for him at least, and he won’t be out of prison for a very long time. Considering his initial admission of guilt came with a mandatory sentence of 15 years, he managed to end up with quite a few more added to the tally.

Watching the dominoes fall

The combined efforts of law enforcement around the world have made a significant dent on this one operation. One suspects in real terms it’s a drop in the ocean with regards to numbers. Even so, this is a fantastic result:

More than 200 primary sites taken offline, along with “hundreds of other sites” sponsoring or facilitating the various activities; “The activities of tens of thousands of online pornographers disrupted”; over 4 million images / videos seized, and more than 100 unknown series of abuse uncovered; “dozens” of offenders identified and prosecuted throughout the world.

As for Marques himself, he apparently kept out of the limelight and “lived a quiet life”. He is also said to have been searching for information on Russian visas and passports, hoping to make extradition as tricky as possible.

We’re pleased to say this didn’t happen, and he’s proof positive that you can’t always hide from the long arm of the law.

The post Freedom Hosting operator gets 27 years for hosting Dark Web child abuse sites appeared first on Malwarebytes Labs.

In a recent blog Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

A long time coming

At first glance this looks like a great idea and many user will sigh in relief and wait in hope for the next tech giant to take this step. All those that were in favor of this change must have thought: What took them so long?

In 2019 Bret Arsenault, Microsoft’s security chief, explained why the company was eliminating passwords. And in 2020 Microsoft started to enable alternatives for many of its products, like Yubico, HID Crescendo, TrustKey, and AuthenTrend.

All these alternatives are a lot more secure and harder to compromise and we have been advocating them as a second factor in login procedures for ages.

Why get rid of passwords?

Microsoft gives two reasons for this move:

• Nobody likes passwords, (which I can guarantee is not true).
• They are a prime target for attacks.

One of the reasons that nobody likes passwords is that the password situation has also been made worse by ridiculous and unnecessary rules, such as asking users to pick passwords that follow formulas, or forcing users to change their password every few months. Both have been discredited but continue to haunt us. Formulas reduce the number of possible passwords a user can pick from, and regular password resets encourage users to pick passwords that conform to a predictable pattern, both of which can make guessing passwords easier, which is the opposite of what we want.

I will agree with the fact that passwords can be guessed makes them a target. But the reasoning here is a bit crooked in my opinion. If the thieves are after my jewellery, sure I can sell them at the  nearest pawn shop. But is that not just shifting their attention elsewhere? Now I have money, and that’s a target too.

Shifting from passwords to biometrics has this same problem many times over. If I swap my password for my fingerprints, my fingerprints become a target. Can I replace my fingerprints if I lose them? What ways will criminals think of to steal them? And what happens when they have them? Talk about re-using the same credentials everywhere…

Expert opinion from Per Thorsheim

Malwarebytes Labs was somewhat divided in our opinions about this news, so we decided to reach out to one of the world’s leading experts on passwords. Per Thorsheim, who tweeted some major concerns about this Microsoft initiative.

Malwarebytes Labs: Per, thank you for your time, can you tell our readers a bit about yourself and how you got so interested in passwords?

Per Thorsheim: I’m Per Thorsheim, and I am the founder and main organizer of PasswordsCon, the first and only global conference dedicated to passwords and digital authentication. By day I work with security for BankID, the digital ID/authentication/signature solution in Norway, operated by vipps.no. My rather obsessive interest into passwords came about when I was working as a penetration tester for PWC, and somewhere pre-Y2K managed to get Domain Admin in less then a day of a Fortune 500 company due to an employee using “Password” as his password.

In december 2010 I ran PasswordsCon for the first time, by invitation from the university here in Bergen, on the west coast of Norway, where I live. (See passwordscon.org for more info.)

Malwarebytes Labs: Is it correct to assume that your major concern is what happens when people lose access to their account for some reason? And would the same objections not also apply if they used one of Microsoft’s passwordless options as a second factor of authentication?

Per Thorsheim: Yes, at the time of writing that is my main concern. Or not exactly, better rephrase that as “when people lose access to their choice of authenticator, and by that lose access to their Microsoft account”. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers. As a result I’ve seen people just resign and create a new account instead. This can in particular be seen with teenagers and their use of social media such as Instagram, TikTok, and Snapchat. It’s just easier to create a new account and tell your friends you have a new username.

Now that Microsoft allows you to actually REMOVE your password and thus your “something you know” factor, are we only left with options that can be easily stolen or abused in close relationships? Does this make those scenarios easier, as an attacker no longer has to guess or obtain a victims password? Are we essentially degrading from passwords to simple 4-6-8 digit PINs?

I don’t have the answers, but I have to say I am impressed by Microsoft taking this bold step forward.

I’m old enough to have seen tons of different solutions that promised better UX and/or better security, with so many failing miserably. I’ve seen corporate integrations of smartcards, a myriad of two-factor solutions, including the infamous RSA SecurID.

During pen-tests and audits I remember seeing admins removing the need for SecurID OTP and setting the PIN to “123456” or similar for CxO levels and members of the board. “Because they said it was too hard to remember bringing that hardware token with them all the time”.

CxO-level executives also sometimes have personal assistants, who administer the majority of the digital lives of the person they work for.  And then there’s the shared accounts to handle, like press, booking or helpdesk. That’s just some of the many challenges corporations face these days where ‘personal’ accounts are not the only types of accounts in existence.

Malwarebytes Labs: What would, in your expert opinion, be a better alternative  for abandoning passwords altogether—one that deals with brute force attacks and phishing for passwords?

Per Thorsheim: I honestly do not believe there is a solution available for abandoning passwords. There is no risk analysis justifying their removal, neither is there a cost/benefit analysis.

On the other hand, there are tons of business cases supporting attempts to develop and sell solutions to remove, replace or at least hide passwords for users.

Now that Microsoft provides an option to remove your password for free, I wonder what the REAL cost of doing so will be for us all—and for Microsoft. Only time will tell.

I hope this works for you. I can go on for hours on this, but…

Malwarebytes Labs: Thank you Per, for your precious time and your valuable insights.

While we still have passwords

Time will tell whether this “bold move” from Microsoft will make for an improvement in security or not. We would like to advise users to think it through before taking their first steps towards the password-less future.

Whether you embrace Microsoft’s passwordless features or not, the fact is that you are likely to be using passwords elsewhere for a long time to come. While that’s still true, one of the best things you can do for your password security is use a password manager. Not only do they make it easier to create and remember strong passwords, and to avoid password reuse, they also stop us filling out our credentials on fake (phishing) sites!

The post Microsoft makes a bold move towards a password-less future appeared first on Malwarebytes Labs.

In a joint advisory the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warn that advanced persistent threat (APT) cyber-actors may be exploiting a vulnerability in ManageEngine’s single sign-on (SSO) solution.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in questions is listed under CVE-2021-40539 as a REST API authentication bypass with resultant remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus version 6113 and prior.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allows attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network.

In-the-wild exploitation

When word of the vulnerability came out it was already clear that is was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat-actor. Yesterday’s joint advisory seems to support that, telling us that APT cyber-actors are likely among those exploiting the vulnerability.

They find this of high concern since this poses a serious risk to critical infrastructure companies. CISA recognizes 16 critical infrastructure sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The joint advisory points out that  the suspected APT cyber-actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors—including transportation, IT, manufacturing, communications, logistics, and finance.

It also warns that successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

According to the advisory, the JavaServer Pages web shell arrives as a .zip file “masquerading as an x509 certificate” called service.cer. The web shell is then accessed via the URL path /help/admin-guide/Reports/ReportGenerate.jsp.

However, it warns:

Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.

Please consult the advisory for a full list of IOCs.

Mitigation

A patch for this vulnerability was made available on September 7, 2021. Users are advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urge organizations to make sure that ADSelfService Plus is not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations. It also has information about how you can reach out to support if you need further information, have any questions, or face any difficulties updating ADSelfService Plus.

Stay safe, everyone!

The post FBI and CISA warn of APT groups exploiting ADSelfService Plus appeared first on Malwarebytes Labs.

For years, people have accused social media, and particularly image-driven sites like Instagram, of being bad for young people, particularly young women. It turns that Instagram’s owner, Facebook, agrees.

Thirty-two percent of teen girls said that when they felt bad about their bodies, Instagram made them feel worse.

This was one of the findings of internal Instagram researchers which was included in a presentation slide posted to Facebook’s internal messaging board in March 2020. It continues:

“Comparisons on Instagram can change how young women view and describe themselves.”

The Wall Street Journal (WSJ) has reviewed and revealed the contents of such slides in its latest instalment in the The Facebook Files, a WSJ series of investigative articles based on “internal Facebook documents, including research reports, online employee discussions and drafts of presentations to senior management.” Sometimes, included in these reports are findings from other companies the social network giant owns, like Instagram and WhatsApp.

Concerned parents and carers who may have observed or heard something from their teen who is being affected by Instagram would likely get confirmation on what they already know: Instagram is not helping with their body issues and sense of self at all. What may be more shocking to them, is that Facebook knows this too.

What Facebook knows

Facebook has been conducting internal studies of how Instagram affects its young users for three years, but had never shared any of its findings until three days ago, in response to the WSJ investigation.

According to the Journal, more than 40 percent of Instagram users are 22 years old or younger, with about 22 million teens logging on to Instagram in the US each day. The social media giant is said to have repeatedly found that Instagram is harming its young users, especially teenage girls.

It reports that the research conducted by Facebook revealed that Instagram makes body image issues worse for about one in three girls; that teenagers blame Instagram for increases in the rate of anxiety and depression; and that one in five teenagers said that Instagram makes them feel worse about themselves. The slides also revealed that a percentage of female teens in the US and UK have suicidal thoughts over what they see on Instagram.

Teen girls aren’t the only ones affected though. In Facebook’s 2019 research report, it found that 14 percent of boys in the US had said that Instagram made them feel bad about themselves. The following year, they found that 40 percent of teen boys experienced negative social comparisons. This, the researchers have concluded, is a problem specific to Instagram.

“Social comparison is worse on Instagram,” is what Facebook noted after doing a deep dive into body image issues in teen girls in 2020. What Instagram users tend to do is share only the best and most perfect photos and moments, which can trigger negative reactions, and may even lead to eating disorders, an unhealthy outlook towards themselves, and depression.

According to the researchers, young Instagram users who are struggling with mental health are aware that the app is affecting them in a negative way and need to spend less time on it, but admit they couldn’t stop themselves.

Facebook executives are stumped

The Journal claims that Facebook’s internal documents reveal that it has done little to address these issues, and even downplays these in public. For example, Adam Mosseri, head of Instagram, has told reporters that the research suggests the app’s effects on teen well-being is, “quite small”.

“In no way do I mean to diminish these issues…. Some of the issues mentioned in this story aren’t necessarily widespread, but their impact on people may be huge,” Mosseri further said in an interview with the Journal.

In another example, Mark Zuckerberg, CEO of Facebook, said at a March 2021 congressional hearing that, “The research that we’ve seen is that using social apps to connect with other people can have positive mental-health benefits,” which only highlights one side of the story while failing to mention the other.

Instagram’s response to the WSJ, written by Karina Newton, head of public policy on Instagram, says the Journal focusses on “a limited set of findings and casts them in a negative light”. She stands behind the company’s research and efforts to make things better for every teen user on Instagram, writing that “It demonstrates our commitment to understanding complex and difficult issues young people may struggle with, and informs all the work we do to help those experiencing these issues.”

In other words, as so many Facebook profiles say: It’s complicated. “The research on the effects of social media on people’s well-being is mixed, and our own research mirrors external research. Social media isn’t inherently good or bad for people. Many find it helpful one day, and problematic the next. What seems to matter most is how people use social media, and their state of mind when they use it.”

The Journal claims that Facebook executives are struggling to find ways to reduce Instagram’s harm while keeping people on the platform. Project Daisy, for example, was a pilot program created as a potential solution to keeping kids from feeling anxious and having negative feelings, based on a focus group feedback, when they see “like” counts. In Project Daisy, “like” counts are hidden. However, the results of the program have revealed that it didn’t improve teens’ lives.

Project Daisy was rolled out, nonetheless, with executives noting in an internal discussion that this, essentially, is just for show. “A Daisy launch would be received by press and parents as a strong positive indication that Instagram cares about its users, especially when taken alongside other press-positive launches.”

Mosseri acknowledges in an interview with the Journal that he doesn’t think there is a clear-cut solution to fixing Instagram. “I think anything and everything should be on the table,” he said, “But we have to be honest and embrace that there’s trade-offs here. It’s not as simple as turning something off and thinking it gets better, because often you can make things worse unintentionally”.

In an comparison that might not have come across in the way he hoped it would, Mosseri recently equated social media to cars in a podcast interview with Peter Kafka on the Recode Media podcast. “Cars have positive and negative outcomes. We understand that. We know that more people die than would otherwise because of car accidents. But by and large, cars create way more value in the world than they destroy. And I think social media is similar.”

However, Kafka, and some helpful users on Twitter, pointed out that they are not the same at all: Cars are heavily regulated, licensed, policed, regularly tested for problems, are not accessible to teens who are 16 years old and below, and have meaningful safety measures in place.

This is a call for help

Perhaps what stands out most from the reporting is not a single statistic, or how negatively Instagram has been affecting teens for years, or even that Facebook is well aware of the negative side of its social media empire, but the fact that the teens who are reporting problems are finding it really difficult to unplug or quit the app.

Parents and carers: Do not expect Instagram or Facebook to do this for you any time soon, because these online services were engineered to make users want to come back for more, even when they know it’s not good for them.

As computer scientist Dr. Cal Newport said in his memorable TED Talk, Why you should quit social media, social media is designed to provide a constant flow of small, intermittent rewards, just like a slot machine. Newport: “It’s one thing to spend a couple of hours at a slot machine in Las Vegas, but if you bring one with you, and you pull that handle all day long, from when you wake up to when you go to bed: We’re not wired for that”.

Kids cannot be expected to handle the social media slot machine alone—parents, family members, and our childrens’ friends all have a role to play in helping our kids overcome this.

Recommended reading:

• How to delete your Instagram account

The post Facebook’s own research reveals the harm that Instagram can inflict appeared first on Malwarebytes Labs.

The Krita digital painting application is currently being targeted by ransomware authors. Available on Steam and other platforms, it’s a powerful tool with a very cheap purchase price and great reviews. A perfect bit of bait to start reeling in potential victims, in other words.

How does the scam work?

Ransomware scammers send out mails to artists. Those mails claim to be from the team behind the Krita tool, and contain links which redirect potential victims to the real domain. This is to make everything look above board and legitimate.

The mails seen so far read as follows:

Hello dear, please give me a moment of your time. Krita team is eager to collaborate with you.

After this follows a generic promo text for the program. They follow this up with:

We would like to consider integrating a 30-45 second ready-made promo into your media space (Facebook, Instagram, Youtube), can we consider that?

Other mails claim that once the registration process is done and dusted, an email address, payment information, and phone number are required. Yes, there’s a bit of data grabbing alongside the malware slinging.

The aim of the game is revenue generation, and this is always going to be an attractive proposition for artists.

The bogus mediabank zip makes its entrance

Regardless of how the emails present themselves, there’s one common factor. They claim to link to a “mediabank” which contains icons, screenshots and previous video campaigns. The contents are “confidential”, which is a sneaky way to prevent potential victims telling anybody about it.

Some folks have reported the contents of the zip as .scr files masquerading as images/videos.

Why an scr file?

Any scam which involves images has a good chance of falling back on scr files. It’s a very old technique. Folks unfamiliar may think it means “screenshot”. This is especially the case where they’re opening up zips expecting to see imagery. Sadly, this isn’t the case. An scr is a screen saver file, and it runs on your system like a program. If it contains bad things, then bad things will be headed your way in an instant.

Tricking visual artists with scr files seems like a particularly cruel trick, whether intentional or not.

What happens next?

Krita previously reported this as ransomware, and as you can see, the mails are still going strong:

They look pretty convincing, which certainly won’t hurt the scammers one bit. If you’re going to trick people who work with visuals, it pays to look as good as possible.

Forward on any dubious messages you receive to the Krita team, and delete the mails afterwards. Don’t trust zip attachments, and give any scr file extensions a wide berth. Showing file extensions is also helpful, both for this and any other potential attacks generally. It appears a lot of the domains used for these mails are down, but it’s easy enough to put up replacements. Be careful out there!

The post Ransomware scammers target artists with fake Krita revenue deals appeared first on Malwarebytes Labs.

HP has released a patch to fix a flaw in the HP OMEN driver.

As far as we know the flaw isn’t being actively exploited, but it’s worth applying the patch as soon as you can.

The flaw, the fix

The driver vulnerability, which is tracked as CVE-2021-3437, was found by Kasif Dekel, a senior security researcher at SentinelLabs.

If exploited, the vulnerability could allow a malicious threat actor to escalate privileges to kernel mode. This would enable the actor to perform tasks within affected systems, such as disabling security solutions, running malicious code in kernel mode, and elevating privileges of other users, and more. Exploiting this flaw could also allow the actor to trigger a denial-of-service (DoS) condition, which prevents traffic from going to the device.

The driver, HpPortIox64.sys, is used by the HP OMEN Gaming Hub (previously called HP OMEN Command Center), software that comes pre-installed in HP OMEN systems. Although this SYS file is created by HP, according to Dekel, it is actually “a partial copy of another problematic driver, WinRing0.sys, developed by OpenLibSys.”

HpPortIox64.sys essentially inherited the privilege kernel-mode problem from WinRing0.sys.

“It’s worth mentioning that the impact of this vulnerability is platform dependent,” continues Dekel in the report, “It can potentially be used to attack device firmware or perform legacy PCI access by accessing ports 0xCF8/0xCFC. Some laptops may have embedded controllers which are reachable via IO port access.”

The flawed HP driver accepts IOCTL (Input/Output Control) requests from non-privileged users, who aren’t subjected to access control rules. Because of this, such drivers can be abused, “by design.”

Road 96 and OMEN

It’s worth mentioning that HP’s first official video game, Road 96, gives its video game players and fans the option to download the OMEN Gaming Hub in a section of the game.

Although we can’t say for sure if the driver problem will pose a threat to non-HP users should they agree to install the Hub, we do note another threat to consider. According to Chris Boyd, lead malware intelligence analyst for Malwarebytes, “Certain games offer additional skills or abilities in return for installing OMEN, such as the award-winning, Road 96. As a result, many people will have it on their system even if they have no intention of ever using it. Where updates aren’t taking place, this could be dangerous should an exploit arise in the wild.”

The post HP OMEN users, update your driver now! appeared first on Malwarebytes Labs.

Jay Tipton, chief executive for the Managed Service Provider (MSP) Technology Specialists, remembers his Fourth of July weekend this year like many MSP employees likely remember theirs: As a bit of a nightmare.

“That’s like the worst feeling you’ll ever have,” Tipton said about his initial impressions about a fast-moving ransomware attack that he originally thought hit just his company. His Microsoft Outlook instance closed down unexpectedly, his phone rang and he learned about a customer having trouble connecting to some software tools, and then, just minutes later, his phone rang again. The number of customer problems had already multiplied.

As Tipton and the world would soon learn, his Fort Wayne, Indiana-based MSP was just one of up to 1,500 companies ensnared in what was is probably the largest ransomware attack ever, when threat actors poisoned the remote monitoring and management software tool Kaseya VSA—a favorite for many MSPs—with ransomware.

The attack, which actually led to grocery stores shuttering their doors in Sweden, proved so detrimental because of its cascading nature. By attacking Kaseya VSA, threat actors not only managed to compromise the software, but also the MSPs that used the software, and the small- to medium-sized businesses that were supported by those same MSPs.

Recovery for Tipton’s company has been slow but hopeful. Technology Specialists retrieved data for its customers, maintained strong customer relationships, and even received an outpouring of support from ex-employees and clients themselves.

But in speaking with MJ Shoer, executive director for the nonprofit CompTIA’s Information Sharing and Analysis Organization, Tipton revealed that even the best recovery plans will hit unforeseen obstacles.

Take, for instance, Technical Specialists’ efforts in recovering their clients’ data. Their backups worked, Tipton said, but the process itself happened slower than expected.

“We’ve had some restoring issues, and part of it had to do with download speeds, because everyone was trying to hit the same data centers at the same time,” Tipton told Shoer. “That’s part of the problem. You can’t plan for that.”

Through this process, Tipton compiled a long list of things he’d like to change moving forward, most of it on a large Post-It note covering much of one of his walls. Here’s what Tipton is focusing on moving forward. His lessons are relevant to all organizations, not just MSPs.

Ransomware recovery lessons

1. Put passwords and disaster recovery plans on paper

If the worst happens, you’ll wish you had made a recovery plan. Recovery plans typically identify the key systems and data inside your organization, and the shortest path to restoring critical business functions.

Following the Kaseya VSA ransomware attack, Tipton said that he is focusing on a way to provide “paper printouts” for his company and his clients’ disaster recovery plans. He also added that he wants to find a way to “securely print out passwords” because the attack also seemingly affected Technical Specialists’ password vault.

“We had to wait almost 36 hours to get our password vault restored so we could get passwords out of it,” Tipton said.

Both ideas have immediate value for any business, big or small. A disaster recovery plan is only as useful as it is accessible, and an inaccessible password vault could slow down literally every single part of a data recovery effort if administrators simply cannot access their accounts.

2. Say goodbye to public whitelists

Allowing MSPs to manage some or all of their IT and security makes sense for lots of small businesses, but it comes with its own risks. MSPs act as administrators, so any tools they use get administrator privileges too. MSPs also need to make their toolchain work across all the various customer environments they work with too.

A common practice for MSP software vendors is to advise users of directories that should be “whitelisted” against antivirus software, so that their software can work without interference from cybersecurity tools. This practice is understandable—attackers try hard to disguise themselves as administrators and security tools have the difficult job of letting legitimate remote administration go ahead while stopping malicious remote administration—but it is ill-advised.

These whitelist guides are available for anyone to view online, but, according to Tipton, Technical Specialists is asking for more control into how to actually treat some directories. Tipton said some of what he’s doing moving forward is “not allowing the software vendors to push us into whitelisting directories. That’s not happening anymore.”

“Give me control of which directory it is and how far down I can bury it—I’ll consider it, because then I can control how it’s working, what’s going on in there, and where it’s at so it’s not public knowledge that directory exists,” Tipton said. “But this open whitelisting of programs and directories isn’t going to happen.”

3. Insist that software is digitally signed

In speaking with Shoer, Tipton mentioned that one of the vendors that Technical Specialists use has the annoying habit of changing its DLLs (the software libraries that their product uses) quite regularly. Tipton said he will not allow that anymore unless the vendor starts digitally signing the DLLs.

Why? Because this is another situation where legitimate behavior and malicious behavior can look very similar. If a DLL changes and it hasn’t been signed by the vendor, Tipton has no way of knowing if the new DLL is legitimate or if it has been tampered with by an attacker.

“I’ve got a vendor that likes to keep changing their DLLs, and I think some of them change on the fly and it causes all kinds of problems,” Tipton said. “You’re going to have to sign your program with a cert because I’m going to block it and it’s not optional.”

Moving on

People are often understandably reluctant to talk about their experiences with ransomware, so we applaud Tipton for being open and transparent, and giving us all the opportunity to benefit from his experience.

All of Tipton’s goals seem to be focused on giving Technical Specialists more visibility and capability into how it supports its clients. And perhaps that’s the right mindset—Tipton shared with Shoer that his business lost very few clients after the attack, and of the clients he did lose, seemingly all of them misplaced blame on the MSP itself.

“There are a few that don’t get it, won’t ever get it, will never understand, and say it’s all our fault,” Tipton said. “I can’t change their minds, so I’ll just shake their hands, part as friends, and go on with life.”

Ransomware podcasts

Ransomware recovery is an important subject that benefits enormously from the real-world perspective and experience of those who have been through it. Several recent episodes of Malwarebytes Labs’ Lock and Code podcast have dealt with different aspects of recovering from ransomware.

Racing against a real-life ransomware attack

At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against Northshore School District in Washington state. Early the next morning, Northshore systems administrator Ski Kacoroski arrived on scene. Kacoroski explains what happened next, and what Northshore did to recover from the attack and prevent it from happening again.

Listen to Racing against a real-life ransomware attack

“Seven or eight” zero-days: The failed race to fix Kaseya VSA

The Dutch Institute for Vulnerability Disclosure (DIVD) discovered “seven or eight” zero-days in Kaseya VSA before the REvil ransomware group did. DIVD chair Victor Gevers explains why that wasn’t enough to stop the biggest ransomware attack in history, and reveals that Kaseya VSA’s vulnerabilities represent just one data point in a far larger and more worrying trend.

Listen to “Seven or eight” zero-days: The failed race to fix Kaseya VSA

Why backups aren’t a “silver bullet” against ransomware

Any cybersecurity expert will tell you that the last line of defense against ransomware is backups. But if they’re so important, why are we still so bad at getting them right? Host David Ruiz speaks with VMware’s Matt Crape about why making good backups is so hard, and what missteps you should watch out for.

The post 3 security lessons from an MSP that survived the Kaseya VSA attack appeared first on Malwarebytes Labs.

We all know cookies as tasty baked treats that we love to eat, but computer cookies are quite different. Although they’re most popularly known as just “cookies”, they may be referred to as browser cookies, Internet cookies, HTTP cookies, web cookies, computer cookies, or digital cookies.

What are cookies?

Cookies are pieces of information that a website can save in your browser. Websites can ask your browser to save cookies whenever the browser asks it for a page, picture, download, or any other piece of information. Until the cookie expires, the browser will keep it, and send it back to the website whenever it requests anything else.

The language web browsers and websites use to talk to each other is “stateless”, meaning that every message is totally independent and isolated from every other message. It’s like having a conversation with somebody who instantly forgets who you are after every sentence.

One of the most common uses for cookies is to provide a link between messages, so that a website can remember who you are, and tell that your messages are coming from the same individual.

To do this, a website sends a web browser a cookie with a unique ID the first time they communicate, and the web browser repeats the unique ID back to the website every time it sends a message.

In the language of the web, cookies allow us to link sentences into conversations.

Without this functionality we would not be able to log in to any websites, keep wish lists, see recommendations, use web-based video or instant messaging, or do most of the other things we rely on websites for.

Importantly, websites can read their own cookies, but can’t read cookies saved by other websites. However, there is a loophole that has led to most of the problems we have come to associate with cookies: third-party cookies.

Tracking with third-party cookies

Many people associate cookies with the cross-site tracking used by advertising companies. Advertisers like Google and Facebook can track users as they travel around the web from site to site, building up profiles of the kinds of sites they like to visit, and showing them targeted advertising.

Tracking somebody across multiple sites like this relies on third-party cookies.

Although a website can only read cookies that it has created, individual web pages can be assembled from components hosted by multiple websites. Sometimes those components are visible, like images, and sometimes they are just bits of code you can’t see.

If a website you visit includes a component pulled from another website (a third-party), that third-party website can send and receive cookies along with the component. If you visit a different website that includes the same third-party component, the third-party can read its cookies on both sites.

This is how Facebook uses its Like buttons, and Google uses its advertising code, to track you across the web. They can tell whenever you visit a site that includes one of their components because they can read their own cookies.

Importantly, the tracking stops if you block or delete those cookies.

Session cookies, persistent cookies, and “super cookies”

Just like edible cookies, digital cookies come in different flavors. Cookies that expire whenever you close your browser are called session cookies. These are used for temporary things, like telling a website that you have logged in successfully. If a website uses session cookies for its logins then you will be logged out when you close your browser, and you will have to log in again when you next visit.

Cookies that aren’t deleted when you close your browser are called persistent cookies. Persistent cookies last until you delete them, or until they expire. These are useful for things like remembering your username, so it can be pre-filled when you visit a website you have logged out of.

For all practical purposes, persistent cookies can last forever. (On 32-bit systems cookies can’t live past 2038, but we assume you’ll be using a different device by then.)

Because third-party tracking can be defeated by users deleting their cookies, some unscrupulous advertisers have turned to other things that can offer cookie-like persistence, such as ETags or browser fingerprints. Technologies that act like cookies, but aren’t affected by blocking or deleting regular cookies, are unofficially referred to as super-cookies.

So, are cookies bad?

No. Cookies are essential to the operation of the web as we know it and used for many useful, helpful things. However, cookies can also be used for things some people don’t like, such as third-party tracking, and adverts that seem to follow you around the web.

Luckily, cookies are easy to control. All browsers let you delete cookies, and there are numerous browser add-ons that can be used to block cookies, or control what cookies you will and won’t allow.

In response to increased sensitivity about cross-site tracking, some browsers, including Firefox, Safari, and Brave, now block third-party cookies by default. Google is working on an alternative, more privacy-conscious tracking technology called FLoC, and plans to block third-party cookies in 2023.

Cookie consent

In the European Union (EU), websites have to ask for your consent before they can set cookies, which has lead to web users seeing a profusion of cookie popups. Some people argue that this has led to “cookie fatigue“, and that privacy has not been improved.

What happens if you decline to accept cookies varies from site to site, and can range from the site working perfectly to the site not working at all.

Will a VPN stop tracking cookies?

No. A Virtual Private Network (VPN) guards your privacy by masking your IP address and your location, and by passing your traffic through an encrypted tunnel that protects it from rogue WiFi hotspots, or ISPs that want to sell advertisers information about your browsing habits.

To block or rewrite cookies, a VPN would have to look at your web traffic as it passed through its servers. VPNs can’t read encrypted communication, like HTTPS, so cookie blocking would be impossible for most web traffic.

Even it was possible it would probably cause some websites to malfunction. And if that could be overcome, privacy-loving VPN users would probably rather their VPN provider stayed out of their traffic anyway.

The post What are computer cookies? appeared first on Malwarebytes Labs.

You may have seen the Dark Web referenced in popular TV shows and have gotten the wrong idea, or if you already knew about it, you may have snorted in derision. The Dark Web is also sometimes called the Deep Web, when in fact the Dark Web is only a part of the Deep Web.

Terminology

• Surface Web is what we would call the regular World Wide Web that is indexed and where websites are easy to find.
• The Deep Web is the unindexed part of the Web. Actually, anything that a search engine can’t find.
• The Dark Web is intentionally hidden, anonymous, and widely known for illicit activities.

Maybe it’s a good idea to clear up some of the misconceptions about the Dark Web for those that are not in the know. That should tell you a lot about what it really is.

The Dark Web is a separate part of the World Wide Web

Well, it’s not as much separate, but sites on the Deep Web are harder to find as the Deep Web is an unindexed part of the internet. Actually, the indexed part of the Web, which is the part that can be found by robots, is only a small fraction of the entire web. It is hard to tell how big the Dark Web is, since, again, it is unindexed. Estimates say that only 5% of the Web is easily accessible and searchable to the general public. Many other sites can only be visited if you have a direct URL.

Only criminals use the Dark Web

Even though most of the traffic on the Dark Web is used up by criminal activities, such as—

• Drug trafficking
• Selling weapons to countries where they are forbidden or selling types of weapons that are prohibited
• Child (and other illegal) porn
• Malware (as a Service), think of this as programmers selling their malware for a fee or part of the profit
• Sites where victims can pay the ransom for some ransomware they have been hit with
• Buying and selling stolen data
• Fraud related services
• Fake ID’s
• Leak sites where ransomware gangs publish exfiltrated data if the victim refuses to pay

—there are also groups of users that need the Dark Web for reasons that are only considered illegal in a few places, such as:

• Journalists working in “difficult” countries
• People resisting a totalistic regime
• Whistleblowers
• Places where crimes can be reported anonymously
• Bitcoin services
• Forums on various subjects that do not wish to be public

As you can see there are some grey areas, depending on where you stand in a certain situation.

You need a special browser to access the Dark Web

There are several methods of restricting access to many of the resources on the Dark Web, but you can certainly expect you will have to login when you arrive at the site that you want to access. But in most cases, you will also need to be using some kind of service like a VPN, proxy, or an anonymized network.

For sites with an Onion (hence the symbol) domain, you will need a Tor browser to access them. This browser protects your privacy and anonymity by encrypting your traffic to and from the websites you are visiting, and by using a proxy. But if you are a Firefox user, you may see a big resemblance with the Tor Browser, so the browser is not that special. It’s the way how it connects that is different. You can also use Tor on the surface Web. People often do this for privacy reasons.

Surfing the Dark Web is dangerous

If you take the necessary precautions, surfing the Dark Web will not get you hurt, robbed, and mugged. But, like on the surface Web, you have to be vigilant and be protected. Keep in mind, for example, that torrents often bypass your proxy settings and might, therefore, expose your real location. And, needles to say, when you’re actively dealing with criminals, you can actually expect to get deceived and even robbed. So, stay away from those guys.

But as we recently learned, even the bad guys are not always safe on the Dark Web. People do get careless after a while and in these cases, it got the bad guys busted. Keep that in mind if you make it a habit to visit the darker corners of the Web. Curiosity killed many a cat.

The post What is the Dark Web? The Dark Web explained appeared first on Malwarebytes Labs.

The September 2021 Patch Tuesday could be remembered as the final patching attempt in the PrintNightmare… nightmare. The ease with which the vulnerabilities shrugged off the August patches doesn’t look to get a rerun. So far we haven’t seen any indications that this patch is so easy to circumvent.

The total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are “old friends”. There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.

Azure was the subject of five CVE’s, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together and received the nickname OMIGOD.

PrintNightmare

PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.

The problem was made worse by significant confusion about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.

This month, Microsoft patched the remaining Print Spooler vulnerabilities under CVE-2021-36958. Fingers crossed.

MSHTML

This zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only found last week, but has attracted significant attention. It was listed as CVE-2021-40444, a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML.

Threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker was able to follow step-by-step instructions in order to launch their own attacks. Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy to work around for attackers.

Given the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.

DNS elevation of privilege vulnerability

This vulnerability was listed as CVE-2021-36968 and affects systems running Windows Server 2008 R2 SP1, SP2 and Windows 7 SP1. It exists due to an application that does not properly impose security restrictions in Windows DNS. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.

Microsoft says that exploitation is “less likely”, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met this bug can be used to accomplish elevation of privilege (EoP).

OMIGOD

OMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. The CVEs are:

• CVE-2021-38647 OMI RCE Vulnerability with a CVSS score of 9.8 out of 10.
• CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability
• CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability
• CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability

The researchers that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:

Wiz’s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.

OMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It’s likely that many users aren’t even aware they have it running.

The RCE vulnerability (CVE-2021-38647) can be exploited in situations where the OMI ports are accessible to the Internet to allow for remote management. In this configuration, any user can communicate with it using a UNIX socket or via an HTTP API, and any user can abuse it to remotely execute code or escalate privileges.

A coding mistake means that any incoming request to the service without an authorization header has its privileges default to uid=0, gid=0, which is root.

OMIGOD, right?

The researchers report that the flaw can only be used to remotely takeover a target when OMI exposes the HTTPS management port externally. This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.

They advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:

• For Debian systems (e.g., Ubuntu): dpkg -l omi
• For Redhat based system (e.g., Fedora, CentOS, RHEL): rpm -qa omi

If OMI isn’t installed, the commands won’t return any results, and your machine isn’t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.

The post Patch now! PrintNightmare over, MSHTML fixed, a new horror appears … OMIGOD appeared first on Malwarebytes Labs.