IT NEWS

We’ve been warning about advergaming—the combination of virtual reality (VR) and ads—for years on the Labs Blog. I’ve given a few talks on the subject too, and how ad networks will slowly work their way into enclosed spaces formerly reserved for your head. They still might, but thanks to a recent decision by Oculus VR game Blaston, that version of the future looks like certain than it once did.

VR gaming: The hardware differences

There are two main types of VR headset, one more expensive than the other. The cheaper option is any “empty shell” headset you care to mention. They could be made of plastic, or cardboard, and may require self assembly. There’s no hardware or software component at all, it’s just fancy goggles with a space for your mobile. All of the VR activity takes place on your goggle-mounted phone. Unless you have a recent model, you may struggle to run software successfully.

The more expensive option is the dedicated headset. These work with VR-ready PCs, and combine a lot of intricate hardware and software built into the device. There’s frequently additional synchronicity with platform specific software installed on the PC. A final splash of integration may come from gaming platforms such as Steam.

The major players here are Oculus, HTC Vive, and Steam’s new Index headset. Now that we’ve covered the headsets, we’ll briefly dive into potential types of VR advertising.

VR adverts: The lay of the (virtual) land

VR ads are attractive to advertisers because they have the potential to crank the behavioural advertising we’re used to on the web—where advertisers watch what you do, build a profile, and show you personalised ads—up to eleven.

For the cheaper, mobile VR sets, Adobe made waves in 2017 with an ad platform optimised for mobile VR platforms. It also potentially had the ability to pop ads while in a movie theatre, which may or may not be your cup of heavily discounted tea. Nokia were particularly enchanted by mixed reality advertising. Indeed, adding digital elements to real world views has become very popular and mimics many common mobile features used daily. This familiarity probably helps put viewers of mixed reality ads somewhat at ease.

The really big potential for ads lies with the top end hardware though. In 2017, HTC made headway with “Innovative VR ads.” This was a pretty sophisticated setup, similar in look and feel at the sign-up process to other ad platforms, like Google Ads. Sales/payout reports, test/publish facilities, 2D and big screen video ads were just some of its features.

The most interesting part was the eye tracking functionality. Many VR games track eye movement to further aspects of gameplay. Here, it served to let publishers know if gamers or headset users looked at their ads. If nobody looked, no charges from the ad system would be forthcoming.

Deepening the ties between games and adverts

One potential danger from advergaming is that a deep level of ad tracking can impact a game’s level design. For example: developers make use of systems like heatmaps, particularly in multiplayer titles. A heat map shows where players go, and where they avoid. You can see which parts of your map are popular, and which are essentially dead zones. Developers will sometimes revamp maps based on this data.

Where it goes wrong, is if developers become too immersed in ad systems populating their games. Imagine a scenario where developers generate income from ads in their title. They may make money when people look at the ads, for example, the same way ad publishers are only billed if the ad network tracks players looking at the ads.

There’s an incentive for the developers to place the ads in ever more prominent…some may say intrusive…locations. This could harm the overall aesthetic of a title, or make level design bad in favour of jamming adverts everywhere. It also raises an interesting question. Is a game developer making adverts that are gaming the advertising network system? That’s something for the devs, ad publishers, and ad network to figure out.

This was all back in 2017. How did the VR ad landscape evolve?

The changing face of VR ads

By the end of 2018, companies involved in the VR/AR ad space were talking about serving 1 billion ad impressions, and how the “novelty” factor had mostly fallen away. By the end of 2019, there was evidence that some organisations had found success with so-called “immersive” ad campaigns. This was especially the case where technology like 360 degree video was deployed. Even so, there hasn’t really been a buzz with regards VR/AR ads in gaming spaces. Until now, that is.

Negative buzz is still a form of buzz, right?

A timeline of ad disaster

May, 2021

Back in May, Oculus announced a lot of additions for tools, apps, and videos. It also mentioned the introduction of an ad ecosystem, and tied it to notions of “discoverability” and helping developers. They did also link to an article explaining how to control the ads users see. However, leaving mention of ads till the very end is something which would annoy some people on the assumption it may be something a lot of folks don’t bother reading. What sort of reader numbers make it to the end of an arguably already niche post?

Not a major thing, but something which immediately leaps out.

June, 2021

This is the point where Oculus explained how ad testing is going to work. Specifically, adding in-headset ads to the popular VR title Blaston. There are ways to make ads properly integrated into a video game title. You wouldn’t have an advert for SPACE WARS 2067 in a World War 2 setting, or an advert for a brand new motorcar on the last billboard in a ruined apocalypse. I mean, you might, but it wouldn’t look very good.

Things like that leap out. By the same token, we can argue that ads seamlessly integrated into games to the point you don’t notice them are incredibly sneaky. You can see more of that fine line here.

I’m not familiar with Blaston myself, but the screenshots look very out of place. The blog talks about making sure the ad content is relevant to the VR user, but nobody seems to consider the relevance of the ad to its environment. Put simply: An ad for “Fast free delivery” of Jasper’s something or other, lit up in bright green against an otherwise grimey, purple landscape fairly screams “I don’t belong here”.

The post also goes into detail about restrictions on ads, which is welcome. For example, they don’t use information processed / stored locally. They don’t use movement data to target ads, unlike some other ad plans where tracking / movement is an important element. Random conversation content is also off the table, they don’t want it.

That’s good, then. However, they also promised “more to come”. Shall we see how this all panned out?

The crushing inevitability of what comes next

You can probably guess where this is going, so without further ado:

The major problem here is that Blaston is a paid-for title. Given Oculus headsets are a premium purchase as it is, gamers would likely feel incredibly annoyed at having ads placed in something they paid various amounts of money for. The game is also available on the Steam platform, where it can be played via Oculus, HTC Vive, or Valve Index. Unless I’ve missed it, there’s no mention of ads being introduced while playing with Vive or Index.

That’s an immediate product disparity liable to fan the flames of anger.

The devs appear to have realised this, and have suggested resuming the ad trial in one of their free titles at a later date. All the same, some damage has potentially been done to the game’s brand. I hadn’t heard of it prior to this, and now all I’ll probably think is “Oh, that game with the advert blowout.”

Game over?

Despite ads in VR games being pushed as “the next big thing” way back in 2017, it’s now 2021. There’s a lot of ad impressions for VR/AR generally. Organisations are definitely making money from it.

Games, though? Those are going to be a very tough sell. This is, again, one small test of ad-placements to see how it all fits together…and look what happened! Game developers will be looking at the sudden blast of negative reviews for Blaston, and likely choosing to avoid ad integration for their paid titles at a bare minimum. For whatever financial boost it gives a software house, the solid chorus of condemnation is probably something they’ll want to avoid for a long time to come.

The post Is it game over for VR advergaming? appeared first on Malwarebytes Labs.

This blog post was authored by Jérôme Segura

A very common practice among criminals consists of mimicking legitimate infrastructure when registering new domain names. This is very true for Magecart threat actors who love to impersonate Google, jQuery and many other popular brands.

In this post we look at a skimmer recently disclosed by security researchers that has been around for over a year but managed to keep a low profile. In addition to naming several of their domains after Google, the threat actor is also naming their domains after the websites they have compromised.

Often, identifying additional infrastructure on the same network is a relatively simple exercize. But in this case it is more complex because the hosting servers are comprised of a large number of domains names, many of which are also malicious but not skimming related. Hiding in the noise is another common trait for threat actors.

Keeping it simple

This skimmer was publicly mentioned by Eric Brandel in early June 2021 and unlike Magecart JavaScript code, this one is very straightforward. Jordan Herman had also previously spotted this skimmer and referred to it as Lil’ Skim. Based on an urlscan.io crawl, it appears the earliest instance is from at least March 2020, via googie[.]host.

A dense network hiding more skimmer domains

A quick review of the Autonomous System (AS198610 Beget) where those skimmer domains are found shows a significant number of malicious hosts tied to phishing kits, Windows payloads, and Android malware just to name a few. Two IP addresses in particular, 87.236.16[.]107 and 87.236.16[.]10, are host to additional skimmer domains belonging to Lil’ Skim.

For example, tidio[.]fun is a play on tidio.com, a chat application for website owners wishing to interact with customers. We recognize the same Lil’ Skim code here as well:

Custom domains by compromised store

And then we discovered a number of skimmer domains that were named after compromised stores. This in itself is not a new practice and is often seen with phishing sites. The threat actor simply replaced the top level domain name with .site, .website or .pw to create hosts that load the skimmer code and receive stolen credit card data.

All the domains we found (c.f. IOCs) were hosted on 87.236.16[.]107.

Conclusion

Lil’ Skim is a simple web skimmer that is fairly easy to identify and differs from other Magecart scripts. The threat actor is keen of impersonating internet companies but also the victim sites it goes after.

We were able to track this actor across the same ASN where they registered a number of different domains over a period of at least a year. There likely are more pieces of infrastructure to uncover here, but that might be a time consuming process.

We have notified the stores that have been impacted by this campaign. Additionally, Malwarebytes customers are already protected via our web protection module across our different products including Malwarebytes Browser Guard.

Indicators of Compromise

The following IOCs are linked to urlscan.io crawls whenever possible.

Standard skimmer domains

googletagsmanager[.]website
googie-analitycs[.]site
googie-analytics[.]online
googie-analytics[.]website
cdnattn[.]site
facebookmanagers[.]pw
googletagmanager[.]space
googie[.]website
googleapis[.]website
googie[.]host
tidio[.]fun
jquery[.]fun
cloudfiare[.]site

Skimmer domains impersonating compromised sites

perfecttux[.]site
gorillawhips[.]site
bebedepotplus[.]site
postguard[.]website
dirsalonfurniture[.]site
dogdug[.]website
bebedepotplus[.]website
perfecttux[.]website

Skimmer IPs

87[.]236[.]16[.]107
87[.]236[.]16[.]10

Known victim sites

acquafiller[.]com
bebedepotplus[.]com
cartpartsplus[.]com
cosmoracing[.]com
dirsalonfurniture[.]com
dixongolf[.]com
dogdug[.]com
gorillawhips[.]com
gpxmoto[.]com
instaslim[.]com
perfecttux[.]com
pitboss-grills[.]com
totalskincare[.]com

The post Lil’ skimmer, the Magecart impersonator appeared first on Malwarebytes Labs.

In layman’s terms, a VPN uses encryption to create a private online connection between a device and a VPN server. With a good VPN service, you can shield your data from curious eyes.

A VPN protocol is the set of rules that shapes how your data travels between your computer, mobile phone, tablet, or any other device, and a VPN server. The type of VPN protocol that you use can affect the speed, stability, ease of use, security, and privacy of your connection.

WireGuard is the newest player in the VPN protocol world and has many advantages over older types of protocols. Many experts are excited about WireGuard because it trims the fat to be faster and lighter than protocols like OpenVPN. For example, WireGuard has less than 4000 lines of code while other protocols have hundreds of thousands of lines. However, like any cutting-edge technology, the protocol also has some areas to improve.

WireGuard vs OpenVPN and other protocols

Many popular VPN protocols preceded WireGuard. While some are obsolete, others remain popular today. One of the earlier ones, the Point-to-Point Tunneling Protocol (PPTP), was created in the mid-90s by Microsoft to enhance privacy on the now obsolete dial-up networks.

PPTP’s basic encryption is a bit of a double-edged sword. Although PPTP is fast because of its light security, it’s also vulnerable to breaches. Its successor, Layer 2 Tunnel Protocol (L2TP), is more secure once paired with IPsec (Internet Protocol Security). Unfortunately, L2TP/IPsec is slow and easy to block with network firewalls. 

You must also look at Secure Socket Tunneling Protocol (SSTP) to truly compare VPN protocols. Another protocol from Microsoft, SSTP, is more secure and more challenging to block than PPTP. Unfortunately, it’s challenging to run on platforms other than on Windows and offers limited access to developers.

OpenVPN is popular because it’s a well-rounded protocol—it’s open-source and features the impressive AES-256-bit key encryption. Experts say that even the most powerful supercomputer today would need millions of years to breach 256-bit encryption.

Despite its many strengths, OpenVPN is far from perfect. The most common complaint about OpenVPN is that it’s slow. It’s not unusual for a video streaming through OpenVPN to turn into a slideshow. Some users also complain about connections dropping on OpenVPN. This is where WireGuard comes in. The protocol is stable, speedier, less complex, and easier to configure than OpenVPN.

How fast is WireGuard?

One study tested 114 VPN servers to see if WireGuard is faster than OpenVPN. Here are the highlights:

• WireGuard was quickest in nearly 60% of the download tests.
• WireGuard is almost 15% faster than OpenVPN on UDP.
• WireGuard is 56% faster than OpenVPN on TCP.

It’s faster than OpenVPN, but is WireGuard safe?

WireGuard isn’t just quick, it’s also very secure. At Malwarebytes, we pair WireGuard with a 256-bit AES encryption to safeguard connections.

One thing to note about WireGuard is that by default, the protocol assigns the same IP address every time a user connects. Using the same address each time gives users a predictable ID that’s shared with every service they use, including any advertisers watching on.

To counter this, some VPN service providers modify the VPN protocol so that it assigns a random IP address, which makes it harder for advertisers, websites, and others to track your activity from one session to the next.

A number of popular VPN services have embraced WireGuard to offer customers fast and secure connections. If you’ve heard that VPNs slow down your connection significantly, perhaps you’re looking for a VPN to use while gaming, or you just generally want a fast VPN service, providers that use the new WireGuard protocol are worth looking in to.

The post What is the WireGuard VPN protocol? appeared first on Malwarebytes Labs.

The privacy-forward web browser Brave launched its new search engine in beta on Wednesday, promising a more private experience that does not track user searches, build user profiles, or require the use of an external, pre-existing search index to deliver results.

Clear from the company’s early marketing, Brave intends to position its search tool as a foil to Google, telling audiences in a promotional video that using its new search tool alongside its browser provides “the first, independent, 100 percent private alternative to Google Search and Chrome.”

How Brave expects to compete against Google—which owns 92 percent of the global search engine market share—is less clear, as “search” today is not just the delivery of information, but also the integration of that information into a company’s product suite, like when a Google search for a restaurant’s location can auto-populate that restaurant’s address into Google Maps, or when a Google search for movie times considers a user’s location.

For Google, its search business is not just an Internet answer box. It is the oil that both fuels and smooths its online convenience machine.

To its credit, Brave is expanding its offering. The company launched both a news reader and a combination VPN and firewall tool last year, and since 2019, it has implemented a novel advertising model that lets users earn money for viewing “privacy-preserving” ads.

From a certain lens, then, Brave’s growing stable of products begins to resemble a response to Google’s massive data collection regime—a suite of tools that do not prioritize making life easier for the user but making life harder for those who invade user privacy. (The company has also pushed back against FLoC, Google’s new online tracking model released just months ago.)

Brave Search features

Brave Search, which was available to a limited number of users before Wednesday’s beta release, promises users a unique set of features that the company claims no other browser provides. Users will enjoy “fully private, anonymous search,” much like DuckDuckGo, which means that users will not have their searches collected, shared, or sold for advertising purposes, and users will not have profiles built on their search activity.

Users will also get the benefit of transparent search result rankings and a search engine that integrates directly into a web browser made by the same company. In fact, by next year, the company plans to make Brave Search the default search engine in its web browser.

Further, according to the company, Brave Search is one of the rare search engines today that is not built on another company’s search index, meaning that its search results are not just scoured and collected by Google and packaged by their engine. Instead, Brave Search is powered by an independent scan of the Internet—an enormous task which was likely made possible by Brave’s earlier purchase in March of Tailcat, a search engine developed by a team previously working for the privacy-focused web browser Cliqz. That Munich-based company once positioned its own product as an alternative to Google’s search, but it shuttered in May 2020 following disruptions due to coronavirus.

Brave Search also provides a surprising amount of information about its independent search index.

For instance, every single Brave Search query provides basic info about whether the engine relied on third parties—often Google and Bing—to complete the delivered search results. When Malwarebytes Labs searched “Malwarebytes,” Brave Search said that “all results” came from Brave alone. Brave Search also provides users with an “independence metric”—offered as a percentage—from a personal and global perspective. These metrics express the same measurement of whether Brave relied on third parties, but the personal metric is derived from someone’s aggregate, personal searches, whereas the global metric is derived “from all searches, across all people who use Brave Search,” the company said.

As to how Brave Search will make money? The company already hinted at two models—a paid option with no advertisements, and a free option supported by ads. In the Brave Search FAQ, the company wrote that both options could be on the table for users who want to choose.

It is still early days for Brave Search, and competing in the online search market is far from easy. Still, more options for users means more ways that users can take control of how they engage online. Whether enough users will peel away from Google is a different question, because Brave’s big bet isn’t about convenience—it’s about privacy.

The post Brave takes aim at Google with privacy-first search engine appeared first on Malwarebytes Labs.

Security researchers and technical architects from SpecterOps have found that almost every Active Directory installation they have looked at over the last decade has had some kind of misconfiguration issue. And misconfigurations can lead to security issues, such as privilege escalation methods.

The researchers have written a paper (pdf) about Active Directory Certificate Services (AD CS) to raise awareness for both attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system. They will also present this material at BlackHat USA 2021.

Active Directory Certificate Service

Countless organizations around the world use Windows Server as the base for their IT infrastructure. Many of them also use  Public Key Infrastructure (PKI) for their authentication needs. For example, PKI is used for certificate based authentication, securing web servers (SSL), and in digital signatures for documents.

Active Directory Certificate Services (AD CS) is the server-functionality that allows you to set up PKI so it can provide the public keys, digital certificates, and digital signatures for your organization. All these things can be obtained in other ways, but the big advantage for large organizations is that AD CS can do this on a large scale. This is mainly because the Active Directory Domain Service, that has all the relevant information about each member of the domain, is linked to the AD CS and allows it to use that information.

Abusing AD CS

In their paper, the researchers lay out three areas where misconfigurations in AD CS can be abused for malicious purposes:

• Credential theft that can survive password changes and can bypass smart card authentication.
• Privilege escalation methods that allow attackers to act as any user in the domain, including their privileges.
• Domain persistence attacks that allow attackers to log on as any Active Directory user, so they can use their privileges at any time.

As you can see the researchers have really focused on user authentication and how to perform certificate-based authentication.

The paper provides a lot of details and many scenarios to achieve one or more of the above malicious purposes, which can really help a cybercriminal to infiltrate an organization’s network and provide the means for lateral movement once inside the network. It is beyond the scope of this post to go into those details, but I can recommend to read the paper to those interested in the gritty details (142 pages).

Too complicated

The researchers are the first to admit that while there is nothing inherently insecure about AD CS, it is hard to configure in a secure way. Many misconfigurations can be explained by system administrators and IT staff enabling settings for valid reasons, but without a complete understanding of the security implications that come with changing that setting.

An example form the paper:

“There is a GPO (Group Policy Object) setting titled “Allow certificates with no extended key usage certificate attribute” whose documentation makes it sound like you need to flip this switch to allow certificate authentication with the All Purpose EKU (Extended Key Usage), Client Authentication EKU, or no EKU in modern environments. However, this is a client side setting only. An older description for this GPO that states that it affects which smart card-based certificates will show up on a logon screen, which matches the behavior we’ve seen.”

Anyone that has ever worked with Windows GPOs will recognize how hard it sometimes is to work out what the effect of changing a setting will be. Let alone how it will influence security in conjunction with other settings.

Offensive tools

The researchers have decided to hold off on presenting any tools that can be used for offensive purposes until their presentation at BlackHat.

“We believe that the issues described in the paper are severe and widespread enough to warrant a delay in the offensive tool release.”

This gives those that are vulnerable some time to fix their issues and security providers to implement protection based on the IOCs/Yara rules that the researchers have published for their tools Certify and ForgeCert.

Mitigation

In response to this paper Microsoft has issued a blog post that details how recent Extended Protection for Authentication related updates can help safeguard authentication credentials on the Windows platform. This includes actions to change a default configuration that was flagged by the researchers as a serious security issue. Microsoft has indicated it has no plans to change this default configuration as part of an update, so system adminsitrators and IT staff are advised to do this themselves.

If you are curious about the security of your own AD CS settings, the researchers have released a tool called  PSPKIAudit that performs an audit of AD CS for vulnerable configurations. Their paper also contains instructions and guidelines for finding and fixing vulnerable AD CS configurations.

The post Complicated Active Directory setups are undermining security appeared first on Malwarebytes Labs.

The US National Security Agency (NSA) has announced it will fund the development of a knowledge base of defensive countermeasures for the most common techniques used by malicious threat actors.

The project will be made available through MITRE and will be called D3FEND as it complements MITRE’s existing ATT&CK framework.

MITRE ATT&CK

The MITRE Corporation is a non-profit organization with the mission to “solve problems for a safer world”. It wants to bring security focused communities together to develop more effective cybersecurity. Where most people may have heard of MITRE because it runs the CVE database of known vulnerabilities, another widely respected resource is its MITRE ATT&CK framework.

MITRE ATT&CK framework is a knowledge base of offensive tactics and techniques based on real-world observations. It contains information about malicious groups and techniques, and it’s open and available to any person or organization for use at no charge. It’s used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

An ATT&CK example

The MITRE ATT&CK framework is divided into a number of groups that reflect different stages of an ongoing attack.

As an example, let’s look at the entry “Phishing for information” in the “Reconnaissance” stage.

Users will find a description of the attack vector and some real-world examples, with links to articles or blogs about them. If you look under “Spearphishing” > “Higaisa” you will find a link to our own blogpost about Higaisa, for example. Further down below the description of the attack vector you can find “Mitigations” and “Detection” techniques against the attack vector.

MITRE D3FEND

So, now MITRE has started to build a similar framework for network defense, with NSA funding. The goal is to help security architects quickly understand the specific capabilities of a wide variety of defensive technologies. This framework will be shared publicly so everyone can use it, and benefit from it in the same way they use the ATT&CK framework.

The main entry to the knowledge base can be found at d3fend.mitre.org.

As you can tell from the layout the defensive techniques have been grouped into a similar linear arrangement to Harden, Detect, Isolate, Deceive and Evict.

Let’s look at an example in the new knowledge base, I’ll grab one that we happen to know a lot about: “File Content Rules“, under “Detect” > “File Analysis”.

The entry for “File Content Rules” explains how this simple method of pattern matching works and what some use-cases are. But lower down is the more interesting part. The knowledge bases ATT&CK and D3FEND are tied together by highlighting the ATT&CK techniques related to this D3FEND entry.

Conclusion

I must say that one of the sentences in the NSA announcement trying to explain the mission of D3FEND put me on the wrong foot.

“D3FEND enables cybersecurity professionals to tailor defenses against specific cyber threats, thereby reducing a system’s potential attack surface.”

The “tailor defenses against specific cyber threats” immediately gave me the mental image of a game of whack-a-mole. But looking at what has been established so far I think the following sentence describes the project a lot better.

“Our goal is to make it easier for architects to better understand how countermeasures work, so that they can more effectively design, deploy, and ultimately better defend networked systems.”

As explained by Peter Kaloroumakis, a principal cybersecurity engineer at MITRE who leads the work on D3FEND.

It’s about being able to make an assessment whether you have all the bases covered that you feel are worth covering in your case. Many organizations have a special threat model and need stronger defenses in one area and not so much in others. This gives them a tool to check whether they missed something or where improvements are possible.

Implementation

MITRE and the NSA have urged organizations today to start implementing the D3FEND framework into their security plans as soon as possible. The MITRE Corporation has also released a technical whitepaper (PDF) describing the basic principles and the design of this new framework.

The post MITRE introduces D3FEND framework appeared first on Malwarebytes Labs.

Liège, the third largest city in Belgium, and a major educational hub, has been hit by a ransomware attack, disrupting its IT services and network.

According to its official website (pictures above):

The City of Liège is currently the victim of a large-scale targeted computer attack, obviously of a criminal nature.

The City of Liège, surrounded by experts of international competence, analyzes the scale of this attack and its consequences in particular in terms of duration on the partial unavailability of its computer systems. It is making every effort to restore the situation as soon as possible.

Services to the public are currently strongly impacted.

The website has also provided a non-exhaustive list of services that have been impacted. These include the collection of passports, driving licenses, identity cards and other important documents; the ordering of new documents; appointment services for marriage, nationalities, and others; and the availability of police support for administrative purposes.

Two Belgian media outlets, a radio station and TV station, claim that the attack may have been conducted by a group using Ryuk ransomware. As you may recall, the National Cybersecurity Agency of France (ANSSI) recently discovered Ryuk’s new worm-like capabilities. In big game attacks like this, attackers can spend weeks or even months inside a victim’s network, conducting reconnaissance and quietly moving ransomware to important systems, often using standard Windows administration tools. The recent modification to Ryuk are designed to help it make its way laterally within an affected network without help from a human operator. Yikes.

The attack on Liège is just the latest in a catalogue of ransomware attacks against cities, schools, hospitals, health services and other critical infrastructure that has been going on for years, and getting steadily worse. According to a recent report by the Ransomware Task Force, in 2020 average ransom payments increased 170 percent year-on-year, and the total sum paid in ransoms increased 310 percent.

Among its many recommendations, the task force called for greater government action and more international cooperation. Perhaps this latest attack will hasten the creation of that joint rapid response cybersecurity team the EU has been planning to create.

What will it take to stop ransomware?

There is no quick fix to stopping the ransomware epidemic. You can learn more about what it’s going to take to stop these attacks, and why we may have been focussing on the wrong things so far, by listening to our recent Lock and Code podcast, with our guest, cybersecurity luminary Brian Honan, and host David Ruiz.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post City of Liège hit by ransomware, Ryuk suspected appeared first on Malwarebytes Labs.

If you’re in the UK, you’ve likely received a fake delivery SMS at this point. The original big driver for this over the pandemic was a non-stop wave of Royal Mail phishing scams. As that article mentions, most if not all of our interactions with organisations is done by mobile. I receive medical appointment updates by phone. Notifications from school? Phone. A reminder about my upcoming dental appointment? You better believe it’s arriving by phone.

The pandemic has exacerbated this, because nobody really wants to be handling mail and licking envelopes when you could just fire out bulk texts instead.

Unfortunately, scammers thought this was a very good idea and leapt aboard the hype train.

Choo choo, as they say.

Of lists and spamming

It seems no matter how careful you are with your number, eventually it’ll end up on a list. At that point, you’re subjected to a heady mix of real and fake messages. I myself have occasionally missed important notifications buried in a mix of spam and nonsense and it’s really quite aggravating.

When scammers realised the Royal Mail scams were now attracting mainstream levels of press attention, some changed their tactics. They made it much harder to analyse and explore the scams on offer.

Others decided to diversify. Different brands quickly started being thrown into the mix. It was no longer fake Royal Mail messages you had to worry about. It was now bogus Hermes, or DHL texts too.

It’s very difficult to find the perpetrators of these scams. With a small amount of digital know-how, culprits can make use of anonymous bulk mailers and almost never get caught.

Almost.

When real world incognito mode goes horribly wrong

The continued success of these SMS attacks rely on the criminal pulling the strings lurking in the background. There’s no reason for them to make themselves visible to the long arm of the law. It might go wrong, for example, if someone were to turn up somewhere public and do something suspicious.

A hotel, say. While carrying a bag stuffed full of wires and some electrical devices.

Step up, “man arrested in Manchester hotel on suspicion of fraud by misrepresentation”.

Now, I have occasionally wandered into a hotel with a bunch of tech stuff. I don’t know how I’d end up looking suspicious to staff though, short of my bag spilling all over the lobby while I yell “OH NO, MY DUBIOUS ELECTRONICS”. The article also doesn’t mention if staff became suspicious based on something they saw in the hotel room itself.

Either way, the police were called in. They took everything away. This person is now being questioned to establish what, exactly, has been going on. This is the opposite of how Carmen Sandiego or, to a lesser extent, Where’s Waldo, operates.

Counting up the cost

Law enforcement have been doing some early digging. So far, the results are as follows:

• Around 26,000 texts were sent from the devices, claiming to be from delivery company Hermes. The gimmick is the old faithful “You missed a delivery, please pay us” routine so beloved of Royal Mail scammers.
• Up to 44,000 mobile phone contacts are believed to be stored on the devices.

This seems quite novel, in terms of potential busts for dubious antics online. Perhaps the person under suspicion felt they would be more anonymous if they did this away from home. Things haven’t really gone to plan on that front.

No, fake SMS delivery scams haven’t gone away

The report mentions the investigation is in very early stages, so who knows what direction it might take. No matter how it ends up, it doesn’t mean the threat is over. There are plenty more SMS phish in the sea. Fake parcel delivery messages are still rife, and you can expect to see them for some time to come. Let’s not forget the life-changing impact falling for just one of these text-based missives can have.

Please subject all texts asking for logins and / or payment to scrutiny, and if in doubt, always contact the purported sender directly via official channels. It’s not worth having your life ruined over one bogus SMS with bad intentions.

The post Hotel staff bust Hermes SMS scammer with suspiciously large number of cables appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• How to delete your Instagram account.
• Working from home? You’re probably being spied on.
• Another one bites the dust: Avaddon ransomware group shuts down operation.
• Patch now! Apple fixes in-the-wild iPhone vulnerabilities.
• Windows 10 to retire in four years (or 52 Patch Tuesdays, in sysadmin years).
• Twitter takes aim at the chaos, clutter and trolls with new feature concepts.
• Jail for consultant who scraped colossal trove of Alibaba customer data.
• Clop stopped? Ransomware gang loses Tesla and other treasures in police raid.
• The 6 best Chrome extensions for privacy and security.
• Polazert Trojan using poisoned Google Search results to spread.
• Two Google plans that could make open source code more secure.

Other cybersecurity news:

• Audi and Volkswagen customer data is being sold on a hacking forum after allegedly being stolen from an exposed Azure BLOB container. (Source: BleepingComputer)
• US President Joe Biden told Russian President Vladimir Putin on Wednesday that certain critical infrastructure should be “off-limits” to cyberattacks. (Source: Reuters)
• Apple’s CEO Tim Cook says Android has 47 times more malware than iOS because of sideloading. (Source: TechSpot)
• Multiple digital artists and creators of non-fungible tokens (NFT) were at the center of a highly targeted malware campaign. (Source: The Record)
• Former Dallas-area ADT technician gets prison time for watching customers’ home security video feeds. (Source: MSN News)
• Amazon is blocking Federated Learning of Cohorts (FLoC), Google’s controversial cookieless tracking and targeting method. (Source: Digiday)
• The secretary general of NATO has warned cyber-attacks could result in a military response from its allies. (Source: BBC News)
• Computer scientist and technology entrepreneur Andrew Ng launches a campaign for data-centric Artificial Intelligence. (Source: Forbes)

Stay safe, everyone!

The post A week in security (June 14 – June 20) appeared first on Malwarebytes Labs.

Remember when we told you to patch your VPNs already? I hate to say “I told you so”, but I informed you thusly.

According to South Korean officials a North Korean cyber-espionage group managed to infiltrate the network of South Korea’s state-run nuclear research institute last month.

The crime: time and place

Cybersecurity news hounds The Record report that a spokesperson for the Korea Atomic Energy Research Institute (KAERI) said the intrusion took place last month, on May 14 to be exact, through a vulnerability in a virtual private network (VPN) server. Since its establishment in 1959, KAERI has been the only research institute in Korea dedicated to nuclear energy. Reportedly, thirteen unauthorized IP addresses accessed KAERI’s internal network.

The suspect: Kimsuky

Some of the addresses could be traced back to the APT group called Kimsuky. One of the IP addresses was used in an attack that targeted COVID-19 vaccine developers in South Korea last year.

North Korean cyber-attacks on its southern neighbor are not uncommon. And Kimsuky is the APT that is best known for these attacks. The Kimsuky APT is a North Korean threat actor that has been active since 2012 and targets government entities mainly in South Korea. Recently, we reported about this group using the AppleSeed backdoor against the Ministry of Foreign Affairs of South Korea.

The victim: KAERI

KAERI is a national research institute which was instrumental in developing nuclear technology for power generation and industrial applications. And while North Korea is ahead of South Korea in some nuclear fields—notably nuclear weapons—it is thought to be weaker than its neighbor when it comes to energy generation. As we stated in our earlier report one of the other targets was the nuclear security officer for the International Atomic Energy Agency (IAEA), a UN organization tasked with nuclear regulations and cooperation.

The weapon: a VPN vulnerability

In a statement, KAERI says that an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). It also states that the attackers’ IP addresses was blocked, and its system upgraded, when it found out about the attack, on May 31.

The name of the VPN vendor is being kept secret. Although we can’t rule out a zero-day, that fact that this wasn’t mentioned, and that the system was updated in response, suggests it wasn’t. It certainly doesn’t need to be, and there are a lot of known vulnerabilities in the running. Many of them are years old, and many are known to be used in the wild. Even though patches are available, the application of these patches has taken some organizations quite some time.

We also wrote recently about vulnerabilities in the Pulse Secure VPN. Pulse issued a final patch on May 3 for  a set of vulnerabilities that were used in the wild.

The NSA also issued an advisory in April about five publicly known vulnerabilities being exploited by the Russian Foreign Intelligence Service (SVR). The CVE numbers used to identify vulnerabilities start with year the CVE was issued. What’s most striking about the NSA’s list is just how old most of the vulnerabilities on it are.

• CVE-2018-13379 Fortinet FortiGate VPN
• CVE-2019-9670 Synacor Zimbra Collaboration Suite
• CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
• CVE-2019-19781 Citrix Application Delivery Controller and Gateway
• CVE-2020-4006 VMware Workspace ONE Access

As you can see, most of them are VPNs and other networking-related applications. By design a VPN is remotely accessible, which makes it a target that attackers can reach from anywhere. A VPN or gateway is always a likely target, especially if it has a known vulnerability. And a seasoned APT group, like Kimsuky, will have fewer problems reverse-engineering patches than your everyday cybercriminal.

Patching or lack thereof

The risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A Forbes study of 340 security professionals in 2019 found 27% of organizations worldwide, and 34% in Europe, said they’d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.

Stay safe, everyone!

The post Atomic research institute breached via VPN vulnerability appeared first on Malwarebytes Labs.