
Another one bites the dust: Avaddon ransomware group shuts down operation

Are you seeing some pattern here?

In what could be called “shocking news” on Friday, BleepingComputer revealed that the gang behind the Avaddon ransomware had shut down its operations after releasing more than 2,000 decryption keys to the technology news site.

BleepingComputer claimed they received an anonymous tip purporting to be from the FBI, containing a password and a link to a password-protected ZIP file.

[Image: the three files in the ZIP archive, which came directly from the Avaddon ransomware group. They contain the decryption keys. (Source: BleepingComputer)]

If you may recall, Avaddon is a big game hunting (BGH), ransomware-as-a-service (RaaS) tool that the US Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) warned organizations about last month.

Malwarebytes detects this ransomware as Ransom.Avaddon.


Avaddon ransomware attack victims

While various sectors in Australia were noted to be particularly targeted, the Avaddon strain has been instrumental in the successful network compromise of the Asian division of the AXA Group, one of the biggest cyber insurance companies in the world. Avaddon threat actors were able to extract information about what appears to be client info: passports, bank account information, ID cards, contracts, fraud-related hospital files, and other medical reports containing sensitive data about patients, and more.

[Image: the AXA Group notice, taken from the Avaddon ransomware gang’s official website on the dark web. (Source: HackRead)]

Coincidentally, this attack came close to a week after the insurance giant announced that it would cease covering customers in France who pay up after being attacked by ransomware. An insurance company refusing to cover for any monetary loss over a cyberattack will no doubt significantly increase the likelihood of victim companies refusing to cough up money to ransomware gangs.

Schepisi Communication, an Australia-based telecom service provider, was also hit by Avaddon last month after its platinum partner, Telstra, fell victim to a ransomware attack by the same group. The criminals claimed to have access to data on a large number of SIM cards, mobile devices, contracts, and banking information, among other things. When the company refused to pay the demand, its official website was hit by distributed denial of service (DDoS) attacks that took it offline for several days.

[Image: screenshot of the downed Schepisi Communication website after suffering a DDoS attack. (Source: HackRead)]

Avaddon threat actors are also not ones to shy away from going after organizations in the healthcare industry. According to a threat report from eSentire, a leading Managed Detection and Response (MDR) service provider, Avaddon has targeted the Capital Medical Center in Washington, Bridgeway Senior Healthcare in New Jersey, and an intensive care online network.

A domino effect? Or a simple coincidence?

After DarkSide called it quits from the pressures of the US government following their attack against Colonial Pipeline, reading about Avaddon—considered to be a “second tier ransomware operator”—would make one think that there is cause for celebration. Indeed, this is a win and something we should be grateful for.

Let us not forget, however, that any time a ransomware gang decides to shut down, more gangs appear (if you’re on Twitter and follow several malware/ransomware hunters, you’ll agree).

It is also a known fact that ransomware actors have a habit of rebranding under the guise of shutting down—or simply to avoid US sanctions—so it wouldn’t be far-fetched to think that this is all a ruse. And speaking of sanctions, as of this writing, there is nothing that links Avaddon’s demise to the increased attention the US government has given ransomware groups lately. It’s likely, then, that this is just part of the normal flow of events, in which groups give up from time to time. That said, this could be one of those wait-and-see scenarios.

Nonetheless, we welcome any ransomware gang quitting as good news. But perhaps, at the same time, we’re also left wondering: Is there a quiet chaos going on right now within and among the underground ransomware gangs? Will they start dropping like flies? Will we be left with our old, insecure ways if or when ransomware attacks do plummet?

Well, let’s wait and see.

The post Another one bites the dust: Avaddon ransomware group shuts down operation appeared first on Malwarebytes Labs.

How to delete your Instagram account

Although sharing your day’s highlights in snapshots and videos on Instagram can be entertaining, some people claim to feel happier after deleting their accounts. Consuming media tailor-made to make other people’s lifestyles appear alluring can be addictive for some and induce anxiety in others. People don’t only delete Instagram for their wellbeing; they also remove it over privacy concerns. Hackers, scammers, and stalkers can use the photo and video sharing platform to target others, and Instagram is part of Facebook’s advertising panopticon.

For any of these reasons, a number of Instagram users decide to take a break from the platform at some point, either temporarily or permanently. If you do, remember that you will lose the following data permanently when you delete your Instagram account:

  • Profile
  • Photos
  • Videos
  • Comments
  • Likes
  • Followers

You can sign up with the same username again after deleting your Instagram account. However, this won’t be possible if someone else has created an account with the same username. Hypothetically, someone could impersonate you after you leave by creating an account with the same username. That’s why you may want to disable your account rather than delete it.

How do I disable my Instagram account temporarily?

To hide your account, profile, photos, comments, and likes, you can opt to disable your Instagram account instead of erasing it. Disabling it is easy and requires a web browser on a computer, tablet, or mobile phone. Unfortunately, you can’t use the Instagram app to disable your account.

  1. Log into your Instagram account from a web browser.
  2. Click your profile picture on the top right of the screen.
  3. Click Profile followed by Edit Profile.
  4. Find Temporarily disable my account on the bottom right after scrolling down.
  5. Pick an option from the drop-down menu that says Why are you disabling your account?
  6. Enter your password.
  7. Hit Temporarily Disable Account to hide your account until you’re ready to reactivate it.

How to download your Instagram data on a computer, Android, or iPhone

You may want to back up your pictures, videos, and posts from Instagram before deleting your account. Once you delete your account, your media is irrecoverable. Here is how to get a copy of everything you’ve shared on Instagram:

  1. Click or tap your profile picture and then find Settings.
  2. Click Privacy and Security on a computer or tap Security on Android or iPhone.
  3. Click Request Download on a computer or tap Download Data on your mobile device.
  4. Enter your email address and your Instagram account password, then use the Request Download option.
  5. Wait for an email from Instagram titled Your Instagram Data. Instagram says that it can take up to 48 hours to send the email.
  6. Use the link in the email to download your data.
  7. You can contact Instagram directly if you’ve lost your username or password and need access to your data.

How do I delete my Instagram account on a computer?

Log into your Instagram account. Follow this link to get to the Delete your account page. Pick from one of the listed reasons explaining why you want to delete your account. Re-enter your password and delete your account for good.

How do I delete my Instagram account on my iPhone or Android device?

Deleting an Instagram account through a mobile app isn’t possible. You may find it easier to delete it on a computer and remove the mobile app. You can use the following steps, but they eventually lead you to a hyperlink on a web browser.

  1. Start the Instagram app on your phone.
  2. Tap the Profile icon.
  3. Go to the Profile page and tap Settings.
  4. Scroll down to Help Center and tap Basics.
  5. Hit Getting Started and then scroll through the options until you find Delete Your Account.
  6. Select How do I delete my account and follow the hyperlink to your web browser.
  7. You may need to enter your Instagram password and choose a reason for deleting your account.
  8. Hit Permanently deactivate my account and then tap OK.
  9. Uninstall Instagram from your iPhone.

How do I make my Instagram account more secure?

While many users are concerned about scams on Instagram, or the threat of having their accounts hacked, they also don’t want to delete or deactivate their accounts. Thankfully, there is a compromise. Here are some measures that may help you improve your security and privacy on Instagram:

  • Set a long, unique password.
  • Enable two-factor authentication by clicking Security > Two-Factor Authentication > Get Started.
  • Consider making your account private, so that only approved followers can see it. You can do this in your privacy settings by clicking Settings > Privacy > Account Privacy and toggling Private account.
  • You may also want to visit the Comments or Story option under Settings > Privacy to manage how followers interact with your posts.
  • Check the Add Automatically option under Privacy > Tags to stop tagged photos from being added to your profile.
  • Check the authenticity of the accounts you follow by hitting the three-dot menu on a profile and selecting About this Account. Watch out for red flags like frequent username changes and more.
  • Don’t hesitate to block, mute, restrict, or remove followers that affect your peace of mind or try to breach your account security.
  • Use good antivirus/anti-malware software on whatever device you use to access your Instagram account. In case you accidentally click on something malicious, you’ll have protection for your computer, tablet, or mobile device.


A week in security (June 7 – June 13)

Last week on Malwarebytes Labs:

Other cybersecurity news

Stay safe, everyone!


How to deactivate or delete your Facebook account

People worldwide use Facebook to connect with friends and family, and to engage in pointless debates with strangers over moderately amusing cat videos. But while some feel that the social media platform is an essential part of life, others find the data scandals and privacy issues disconcerting. For those who wish to take a break from Facebook either temporarily or permanently, instructions for deleting or deactivating your account are below.

Deleting your Facebook account

How to delete your Facebook account from a browser

Removing Facebook for good is easier than you think. Follow this link to the page that allows you to end your account permanently. Click Delete Account, enter your password, and your account is gone forever. But before you do, consider downloading a copy of the information you have stored on Facebook, including photos, videos, and more. Here is an official guide from Facebook that can help.

How to delete your Facebook account from the iPhone app

  1. Start the Facebook app on your iPhone.
  2. Tap the three-lined icon (hamburger menu).
  3. Tap Settings & Privacy.
  4. Tap Settings.
  5. Tap Account Ownership and Control.
  6. Tap Deactivation and Deletion.
  7. Tap Delete Account.
  8. Delete your Facebook app for good measure.

How to delete your Facebook account from the Android app

  1. Start the Facebook app on your Android device.
  2. Tap the three-lined icon (hamburger menu).
  3. Tap Settings & Privacy.
  4. Tap Settings.
  5. Tap Account Ownership and Control.
  6. Tap Deactivation and Deletion.
  7. Tap Delete Account.
  8. Delete your Facebook app for good measure.

The cons of deleting your Facebook account

Deleting your Facebook account can certainly feel liberating. You don’t have to worry about managing your privacy or consuming seemingly endless social media content. But rather than a permanent deletion, some people prefer to take a break from Facebook by deactivating their account for the following reasons:

  • You won’t be able to access Facebook again unless you create a new account.
  • It’s impossible to use Messenger without a Facebook account.
  • Some accounts that you entered through Facebook Login may malfunction. You may need to contact those apps and websites or create new accounts.
  • You’ll permanently lose your data unless you download a copy.
  • You’ll lose your app purchases, achievements, and more related to your Facebook login on Oculus.

Can you undelete Facebook if you change your mind?

Facebook says that it needs up to 90 days from the start of the deletion request to remove everything you’ve posted permanently. It may even keep some data in backup storage for legal issues as part of its data policy. It also offers a 30-day grace period after you erase your account. Here is how to cancel your account deletion within 30 days:

  1. Log in to your Facebook account.
  2. Hit Cancel Deletion.

Deactivating your Facebook account

Deactivating your Facebook is a temporary measure. After you deactivate your account, your Facebook page, including your intro, photos, friends, and posts, is hidden. No one can send you friend requests either. However, your messages are still visible to their recipients. Here are some advantages of deactivating your Facebook instead of deleting it:

  • Your photos, videos, and posts are hidden but not permanently deleted.
  • Facebook Messenger is still fully accessible.
  • You can still access accounts through Facebook Login.
  • You can reactivate Facebook whenever you please by logging in.

How to deactivate your Facebook account from a browser

The same link that allows you to erase your account also allows you to deactivate your account. Hit Deactivate Account and then enter your password to lose access to Facebook temporarily. Alternatively, you can use the following steps:

  1. Select Settings & Privacy from the drop-down menu on the top right.
  2. Click Settings.
  3. Click Your Facebook Information.
  4. Click Deactivation and Deletion.
  5. Select Deactivate Account and hit Continue to Account Deactivation.
  6. Enter your password and deactivate your account.

How to deactivate your Facebook account from the iPhone app

  1. Start the Facebook app on your iPhone.
  2. Tap the three-lined icon (hamburger menu).
  3. Tap Settings & Privacy.
  4. Tap Settings.
  5. Tap Account Ownership and Control.
  6. Tap Deactivation and Deletion.
  7. Tap Deactivate account.

How to deactivate your Facebook account from the Android app

  1. Start the Facebook app on your Android device.
  2. Tap the three-lined icon (hamburger menu).
  3. Tap Settings & Privacy.
  4. Tap Settings.
  5. Tap Account Ownership and Control.
  6. Tap Deactivation and Deletion.
  7. Tap Deactivate Account.

Tips for using Facebook safely

We understand that some users don’t want to deactivate or delete Facebook, but still have safety concerns. There are steps you can take to better manage your privacy and security on Facebook. Here are some tips that may help:

  • Set a long, unique password for your Facebook account. You can use a trusted password manager to make the task easier.
  • Avoid oversharing information on Facebook. Threat actors can use it for social engineering.
  • Be careful when accepting friend requests. Limit posts to trusted friends and not the public.
  • Limit the audience of old posts on your Timeline by clicking General > Privacy > Your Activity > Limit Past Posts.
  • Stop Facebook from using your data to show you tailored ads by clicking General > Ads > Ad Settings.
  • Manage third-party apps that have access to your data by clicking General > Apps and Websites.
  • Beware of social media scams and be careful which links you click on Facebook or in Messenger.


Cloud vs on premise: 3 reasons the Cloud is winning

Thanks to the vast rollout of COVID-19 vaccines to millions of people in the US and Europe, some of us are finally seeing some semblance of a return to normalcy. And organizations, which have experienced first-hand how hard it was to stay afloat during those months, are expecting to transition back to how things were.

For some, a life back to normal means employees commuting back to workplaces. Empty cubicles will slowly start filling up again. And face-to-face meetings, either a big group in a conference room or a small one in a coffee shop, will be A Thing once again.

But what about those employees who prefer to work from home, or at least to have the option? And what of businesses happy to be liberated from the constraints of physical workspaces? It seems there are many of both.

The normal we knew of may no longer fit the kind of normal organizations have adjusted for. Remote working during the pandemic has made leadership roles in organizations understand that connectivity—making company data and resources available for all employees who need them, no matter where they are, while keeping that data as secure as possible—is what they and every business really need.

The Cloud, in other words.

Cloud adoption

“Cloud” is a term used to describe a vast network of remote servers located around the world and linked together to form a contiguous platform for computer services that can be subdivided and scaled with ease. It has been around for nearly two decades, and the number of organizations adopting a Cloud strategy was already on the uptick before the pandemic. The lockdowns and the (in some cases imposed) mandatory work from home (WFH) measures during the pandemic have only accelerated Cloud adoption further.

Enterprises are the big spenders on Cloud computing. Yet many organizations have yet to embrace the Cloud—particularly those in the SMB sector. According to the Small & Medium Business Trend Report from Salesforce, “digital forward SMBs”—SMBs that have invested in technology, including the cloud, to drive customer interaction and growth—were better equipped to handle the pandemic.

[Image: half and half: while almost half of the SMBs in the report said they had digitized their operations, almost half are still behind. (Source: Salesforce)]

If you’re still on the fence about whether you should move your data and operations to the Cloud, or you’re locked in the “on-premise versus Cloud” debate on which one is better, we have identified below the three main reasons why organizations, regardless of size, are migrating to the Cloud.

1. Cost efficiency

Setting up servers and making sure that they are physically secure, have uninterrupted power and air conditioning, and are loaded with properly licensed, patched and updated software is no small task. There are high, upfront fees, a multitude of things can go wrong, and it is hard to scale. And the lifetime costs aren’t small either: From electricity bills and maintenance, to that dreaded “end of life” for both hardware and software. When it comes to this kind of computing infrastructure, economies of scale matter, and almost no business can compete with the scale of Cloud providers like Google, Microsoft and Amazon.

Suffice it to say, many organizations are opting not to worry about servers and server rooms at all, and are instead choosing to pay for what they use, either with Cloud infrastructure like AWS or with Cloud services like Office 365.

2. Security and compliance

Cloud service providers, especially big-name ones like Amazon and Microsoft, boast of having excellent and powerful security in place by default. Cloud service providers have made it a point to make their security as robust as possible, relieving businesses of many of the basics they struggle with, such as backups, single sign-on, encryption, firewall configuration, and consistent security updates—you name it. The Cloud doesn’t mean you can forget about security, but it can make it much easier to do the right thing.

The same robustness can be said about the physical security of their servers. It would be extremely hard for intruders to physically break into servers that house an organization’s precious data. Cloud providers keep data safe from physical destruction by keeping it in multiple places, and keep it safe from theft by investing in layers of physical security, like fences, guards, surveillance cameras, and biometric access systems.

Security in the Cloud also reduces the attack surface for insider threats, because employees and contractors cannot walk in and out of rooms they have no business being in.

When it comes to disasters—and by this we mean natural and local ones—the locations of on-premise servers are expected to withstand whatever nature can throw at them, whether floods, earthquakes, tornadoes, or even the odd lava flow. However, many on-premise operators don’t have the redundancies they need, seeing them as not cost efficient. By contrast, redundancy is built into a Cloud or hybrid configuration.

Lastly, we’d like to mention that many Cloud providers comply with various security, privacy, and data protection regulations. In the US, these include the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA), among others. Other countries have their own standards that Cloud providers comply with as well.

The security advantage of Cloud services was graphically illustrated in March this year, after Microsoft released patches for four zero-days being exploited by a group dubbed Hafnium. The patches were quickly reverse engineered by multiple criminal groups and automated attacks began soon after. The attacks turned unpatched Exchange servers into backdoors that could be used to steal data or launch ransomware inside company networks. IT teams dropped everything to find and patch their vulnerable servers, Microsoft released a flurry of tools to help, and the FBI even took the highly unusual step of remotely cleaning up some of the compromised servers.

What was notable about the incident is that it affected on-premise Exchange servers, but not the Cloud version. The “patch gap”, the often months-long gap between a patch being made available and it being applied—the gap that criminals were so ruthlessly exploiting—simply didn’t exist in the Cloud.

3. Flexibility

The Cloud allows enormous flexibility, whether you’re adapting quickly to good news or bad. Famously, the Cloud allows services to scale up extremely quickly, avoiding many of the technical problems that can come from growing too fast or becoming suddenly popular.

It can also help when businesses are faced with a sudden, unexpected and challenging situation, as many were in April 2020 as COVID spread around the world. Dyer Brown, a Boston-based architectural firm, is an SMB that adopted the Cloud prior to 2020 and was able to shift its entire workforce to remote work successfully. Employees were able to access important files wherever they were, so productivity and collaboration weren’t sacrificed. The flexibility afforded by the Cloud not only made it possible for its 50 employees to work offsite, but also to take care of sick family members, home school their kids, and focus more on their health.

It has also become apparent that the flexibility in work schedules that remote working affords has become a make-or-break factor in whether employees stick with their current company or move to a new one. Some even welcome pay cuts in exchange for working from home.

This is something organizational leaders will need to consider seriously.


How a Resident Evil image leaked in a ransomware attack ended up in the middle of $12m copyright claim

Back in November, gaming giant Capcom suffered a ransomware attack. In its press notification, it mentioned the various types of data potentially grabbed by the attackers. Things took an ominous turn when Capcom refused to pay the ransom, and the group behind the attack said that was the wrong move. Capcom had the chance to “save data from leakage”; it did not take it. Sure enough, a whole collection of files was leaked soon after.

The threat of data drops from scorned ransomware groups is now a common extortion tactic. What we couldn’t have predicted here is one of the ramifications of said drop. Time to wind things forward to June 2021 and a date with a lawsuit. The twist? The lawsuit isn’t aimed at the ransomware authors, but at the compromised company.

Of data drops and research collections

I used to work in and around game / movie development a long time ago. We were incredibly low budget, and did very low budget things. An invaluable source of help at the time were resource guides and collections. Essentially: Big books filled with work compiled by visual artists, composers, designers, whoever. If you were lucky, the book came with a CD loaded with material from the book. Even luckier? You could use the contents for your own work for free. If the project was commercial, you’d typically pay a license fee of some kind.

There were also companies which curated content from multiple artists, and made sure all the licensing behind the scenes was watertight. Where this often went wrong was if the disc went walkabout away from the book.

Organisations would end up with discs lying around in desks, with nobody sure of the source / who had paid for licensing. If someone ripped disc contents, you’d then end up with self-burnt CDs lying around the place which appeared to be in-house creations. You have to be incredibly careful where resource materials are concerned.

If you’re wondering how this ties into the ransomware attack, I’m about to fill in the blanks.

The unintended consequence of a data leak

An artist in this case is seeking $12m in damages from Capcom, claiming Capcom used their imagery from a resource book / CD in a number of its video game titles. This has all come about off the back of the data leak from the ransomware hack. At least one of the images from the stolen and leaked files shares the same file name as what appears to be an identical image from the book’s CD-ROM.

The Juracek vs. Capcom document can be seen here, along with multiple examples of images potentially making their way into games. Sadly, it doesn’t go into detail on the most fascinating part: whether or not the artist became aware as a result of the data breach and subsequent leak. Most reports simply say the artist is using the breach as part of their evidence. There’s also the question of how they became aware of the images in the dump in the first place.

If I had to guess, incredibly knowledgeable fans saw the high resolution images, wondered where they came from, and perhaps got in touch with the creator. This isn’t an unusual thing to happen. Back in the mid 90s I tracked down the music composer for a AAA game series on Japanese language message boards, in order to tell them how cool their music is. It’s a lot easier to do things like this these days which may be a blessing or a curse, or perhaps a bit of both.

However you stack it up, it promises to be a fascinating day in court. This story raises some other issues, too.

Turning a negative into a positive

Some ransomware groups have tried to mix it up a bit in the realm of PR. They present themselves as Robin Hood style renegades, robbing the rich to give to the poor…or, more specifically, giving to charities. An interesting tactic, except charities face all sorts of problems if they’re gifted ill-gotten gains. As mentioned elsewhere, there’s every possibility the “we’re being helpful, honest” approach is merely a ruse to keep up the pretence of respectability. Here, though, we run into a bit of a problem.

The artist in question has made what they feel to be a valid complaint, and is having their day in court as a result. Being able to tie specific file names from their CD-ROM to named files in Capcom folders off the back of the hack? That probably strengthens their case quite a bit.

Put simply, these ransomware authors…and anyone else, for that matter…can now point to this story as evidence that they did in fact “help” someone in indirect fashion.

New frontiers in the ransomware world

The fallout from the attack could prompt a new ransomware tactic. It’s not a stretch to think breachers will go looking for copyright / related violations. After all, some ransomware groups have already shown an interest in how they can weaponize the data they’ve stolen, beyond simply leaking it.

With so many ways to tie found materials to the original source online, they may view this as an easy PR win. On top of all the other issues with ransomware, we probably don’t need its authors yelling “Look! We’re helping!” every time a new leak hits. When a creator is potentially $12 million out of pocket, it becomes increasingly tricky to argue against it.

Sure, this is still potentially another way for people who don’t actually care about helping people to act as if they do. But if the end result is the same and someone does benefit, it doesn’t really matter a whole lot. As far as the ransomware authors are concerned, they’ll have a collection of individuals telling everyone how cool they are.

It’s to be hoped we don’t end up fighting a PR war on top of the technical battle already raging across networks everywhere. I’m not sure I agree that “any publicity is good publicity”, but good publicity certainly is. So in case anyone is tempted to offer ransomware operators the benefit of the doubt, let’s not forget they’re the same organised crime gangs that think little of attacking hospitals.


Russia accused of hacking Dutch police during MH17 investigation

Journalists at the Dutch newspaper “De Volkskrant” have reported that the country’s intelligence service, AIVD, discovered in 2017 that Russian hackers had broken into Dutch police systems. The De Volkskrant report is based on knowledge from anonymous sources. The reason behind this act of espionage is thought to be the ongoing MH17 investigation.

MH17

A little background: on July 17, 2014, Malaysia Airlines Flight 17 (MH17) was shot out of the sky over Ukraine on its way from Amsterdam to Kuala Lumpur. The plane was hit by a surface-to-air missile, and as a result all 298 people on board were killed, the majority of them Dutch.

At that time, pro-Russian militants, thought to be backed by Russia, were in revolt against the Ukrainian government. Russia denied any direct involvement at the time but later admitted to having military intelligence officers in the country. Both the Ukrainian military and the separatists denied responsibility for the MH17 incident.

A large disinformation campaign was launched to obscure who was responsible.

The discovery

The Dutch police only became aware they had been breached after a tip-off from the AIVD, and the discovery caused a major panic, according to the newspaper. Whether any data was stolen, and which, is not clear, insiders told the Volkskrant. The police network is a huge one, spread out across the country. Apparently the point of first entry was a server at the Police Academy. After discovery, the decision was made that putting a stop to the intrusion as quickly as possible was more important than figuring out what the intruders were after.

So, at this point it is unclear exactly what information the intruders were after, and even whether they succeeded in finding it. According to the Volkskrant, due to a lack of monitoring and logging, the AIVD and the Dutch police have very little knowledge of what the hackers did inside the police network. “There were a lot of question marks,” the newspaper’s source said. “How long had they been inside? Was this the first time? Had they already siphoned off data? That wasn’t clear.”

Dutch police

The Dutch police took the lead in the investigation of the MH17 incident. The Joint Investigation Team (JIT), a special team set up to investigate the MH17 incident, comprises officials from the Dutch Public Prosecution Service and the Dutch police, along with police and criminal justice authorities from Australia, Belgium, Malaysia and Ukraine. On July 5, 2017 the JIT countries decided that the prosecution of those responsible for downing flight MH17 would be conducted in the Netherlands.

The timing of the attack against the police could be coincidental, but it is notable that the attack took place in that same month.

Information feeds disinformation

One possible motive for the attack is disinformation. The best lies are based on truth, after all. Reportedly, the Dutch justice department and the Dutch police were targeted with phishing emails, and cars filled with listening equipment were found in the vicinity of the “Landelijk Parket”, the part of the justice department that deals with both national and international organized crime. Knowing which facts the investigators already had would be instrumental in building believable lies without revealing anything new.

Disinformation

We have reported before on the Russian disinformation campaigns regarding this incident. More recently, in November 2020, Bellingcat, which has been instrumental in retrieving information about the attack on flight MH17, published evidence that Bonanza Media, a self-styled independent investigative platform, is in fact a special disinformation project working in coordination with Russia’s military intelligence. The open-source intelligence outfit asserts that:

While we have not yet established conclusively whether Russia’s military intelligence agency, best known as the GRU, was behind the initial launch and funding of the Bonanza Media project, we have established that shortly after it was launched, senior members of the GRU entered into direct and regular communication with the project leader.

It is no coincidence that one of the main forces behind Bonanza is Dutch as well. Bonanza was set up by blogger and journalist Max van der Werff together with former Russia Today journalist Yana Yerlashova.

Eliot Higgins, the founder and executive director of Bellingcat, has called out what he says are Russian lies, and the interplay between the official Russian position and the disinformation propagated by so-called MH17 “Truthers”, in his recent tweets about the ongoing MH17 court hearings.

Cozy Bear

The top suspect in the attack on the Dutch police is APT29 (Cozy Bear), a well-known hacking group that the White House linked earlier this year to the Russian Foreign Intelligence Service, also known as the SVR. The group is also suspected of being behind the SolarWinds attack and other international espionage cases.

Aftermath

Neither the Dutch police nor the AIVD commented on the publication by the Volkskrant, but we do know that the AIVD is closely monitoring a reorganization intended to improve the security of the Dutch police’s networks.

The international court in The Hague is in the middle of the MH17 trials, and Russia’s interference is unlikely to do its case any good, but of course it will deny any involvement.

The post Russia accused of hacking Dutch police during MH17 investigation appeared first on Malwarebytes Labs.

How to clear cookies

Until the information age, cookies were only known as a tasty but unhealthy snack that some people enjoyed, and others avoided. HTTP cookies, also known as computer, browser, or Internet cookies, are similarly divisive. Although some people like the more personalized browsing experience created by cookies, others have privacy concerns.

Cookies are small pieces of information that websites can store in your browser. A website can check that information each time you interact with it, and that allows it to tell you apart from everyone else. Without cookies you would never be able to log in to a website or store items in a shopping cart.

However, that ability to tell you apart from everyone else is also what makes cookies extremely useful for cross-site tracking and advertising. Thankfully, privacy-conscious users can disrupt that tracking easily, because blocking or clearing cookies is easy. Although there are plenty of tools that can help manage your cookies, if you need to, you can easily clear the decks directly in your browser. Here’s how:

Clearing cookies on a desktop computer

The following instructions will guide you through clearing cookies on the most popular desktop and mobile browsers (as of June 2021).

How to clear cookies in Chrome on Windows

  1. Start Google Chrome.
  2. Click the vertical three-dots icon on the top right-hand corner and then select History—alternatively, press Ctrl+H in Chrome. 
  3. Click Clear browsing data.
  4. Select Cookies and other site data.
  5. Select All time in the Time range dropdown menu.
  6. Click Clear data to clear cookies in Google Chrome.
  7. Click Block all cookies in Cookies and other site data to turn off cookies permanently.

How to clear cookies in Firefox on Windows

  1. Start Firefox.
  2. Click the three-lined icon (hamburger menu) on the top right-hand corner and select Options next to the gear icon.
  3. Click Privacy & Security and then Cookies and Site Data.
  4. Select Cookies and Site Data.
  5. Select Cached Web Content.
  6. Hit Clear to clear cookies in Firefox.
  7. You can also click Strict in Privacy & Security to block most cookies, but this may cause websites to malfunction in Firefox.

How to clear cookies in Edge on Windows

  1. Start Microsoft Edge.
  2. Click the horizontal three-dots icon on the top right-hand corner and select Settings next to the gear icon.
  3. Click Privacy, search, and services.
  4. Click Choose what to clear under Clear browsing data.
  5. Select Browsing history, Download history, Cookies and other site data, and Cached images and files.
  6. Hit Clear now to clear cookies in Microsoft Edge.
  7. Click Block third-party cookies in Cookies and site preferences to block third-party cookies permanently.

How to clear cookies in Opera on Windows

  1. Start Opera.
  2. Click Settings on the top left-hand corner.
  3. Click Advanced and then Privacy & Security.
  4. Click Clear browsing data. Alternatively, press Ctrl+Shift+Del to open your Clear browsing data options faster.
  5. Select Cookies and site data.
  6. Hit Clear data to clear cookies in Opera.
  7. Click Cookies and site data under Site Settings to find options to block all third-party cookies permanently.

How to clear cookies in Safari on macOS

  1. Start Safari on your Mac.
  2. Select Preferences and then click on Privacy.
  3. Find Cookies and website data and hit Manage Website Data.
  4. Press Remove All and Done to clear cookies in Safari.
  5. Click Block all cookies under Manage Website Data and tick Prevent cross-site tracking to turn off cookies permanently.

Clearing cookies on a mobile device

How to clear cookies in Chrome for Android

  1. Start the Chrome app.
  2. Click the vertical three-dots icon on the top right-hand corner and then select History.
  3. Click Clear browsing data…
  4. Select All time in the Time range drop-down menu.
  5. Click Clear data to clear cookies in Chrome on an Android device.

How to clear cookies in Firefox for Android

  1. Start the Firefox app.
  2. Click the three-dot icon in the corner and hit Privacy.
  3. Click Delete browsing data.
  4. Select Cookies and click Clear Data.
  5. Alternatively, click Clear private data on exit to clear cookies in Firefox on an Android device.
  6. Click Disabled in Cookies to turn off cookies permanently.

How to clear cookies in Safari for iOS

  1. Click Settings on your iOS device.
  2. Find Safari.
  3. Click Clear History and Website Data to clear your cookies and history in iOS.
  4. Alternatively, click Settings, Safari, Advanced, Website Data, and then hit Remove All Website Data to clear cookies in iOS but keep your history.
  5. Click Block All Cookies in Safari to turn off cookies permanently.

How to clear cookies in Firefox for iOS

  1. Start the Firefox app.
  2. Click the three-lined icon (hamburger menu) on the lower-right corner.
  3. Hit Settings.
  4. Select Data Management.
  5. Click Clear Private Data to clear cookies in Firefox on iOS.
  6. Click Cookies in Data Management to turn off cookies permanently.
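As an added example that is not part of the original post, the following JavaScript models what the settings above actually do with two kinds of cookie: a first-party session cookie set by the site you are visiting, and a third-party identifier set by a tracker embedded in it. Host names, cookie names and values are constructed for the example; the jar is a simplified model, not any browser's implementation.

```javascript
// Constructed model of a browser cookie jar (example code, not from Malwarebytes or any browser).
class CookieJar {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.cookies = new Map(); // "host|name" -> { name, value, domain, thirdParty }
  }

  // Parse one Set-Cookie header: "name=value; Attr; Attr=value; ...".
  static parseSetCookie(header) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
    for (const a of attrs) {
      const [k, v = true] = a.split("=");
      cookie.attrs[k.toLowerCase()] = v;
    }
    return cookie;
  }

  // Store a cookie sent by `responseHost` while the address bar shows `topSite`.
  // The cookie is third-party when the responding host is not the site being visited.
  store(topSite, responseHost, header) {
    const c = CookieJar.parseSetCookie(header);
    const thirdParty = responseHost !== topSite;
    if (thirdParty && this.blockThirdParty) return false; // "Block third-party cookies"
    const key = `${responseHost}|${c.name}`;
    if (c.attrs["max-age"] === "0") { // a site deleting its own cookie, e.g. at logout
      this.cookies.delete(key);
      return true;
    }
    this.cookies.set(key, { name: c.name, value: c.value, domain: responseHost, thirdParty });
    return true;
  }

  // The Cookie header the browser would attach to a request to `host`.
  cookieHeaderFor(host) {
    return [...this.cookies.values()]
      .filter((c) => c.domain === host)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }

  // "Clear cookies" in the browser settings: everything goes, first- and third-party alike.
  clearAll() { this.cookies.clear(); }
}

// Constructed sample visit: shop.example sets a session cookie, and an embedded ad
// from tracker.example sets an identifier that would be sent back to the tracker
// from any other site that embeds it, which is what makes cross-site tracking work.
function simulateVisit(blockThirdParty) {
  const jar = new CookieJar({ blockThirdParty });
  jar.store("shop.example", "shop.example", "session=abc123; Secure; HttpOnly; SameSite=Lax");
  jar.store("shop.example", "tracker.example", "uid=t-9f2e; Secure; SameSite=None");
  return {
    onShop: jar.cookieHeaderFor("shop.example"),          // what shop.example sees
    seenByTracker: jar.cookieHeaderFor("tracker.example"), // what the tracker sees on the next site
    jar,
  };
}
```

Blocking third-party cookies keeps the login working but leaves the tracker with nothing to recognise you by; clearing all cookies removes both, so you are logged out and the tracker has to start a fresh identifier.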

The post How to clear cookies appeared first on Malwarebytes Labs.

Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw

This Patch Tuesday harvest was another big one. The Windows updates alone included fixes for seven zero-day vulnerabilities: two actively being used in the wild by a group called PuzzleMaker, four others that have also been seen in the wild, plus one other zero-day not known to have been actively exploited. Add to that 45 vulnerabilities labelled important, and security updates for Android, Adobe, SAP, and Cisco. You can practically see the IT staff scrambling to figure out what to do first and what needs to be checked before applying the patches.

PuzzleMaker

Security researchers have discovered a new threat actor, dubbed PuzzleMaker, which was found using a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide. Unfortunately, the researchers were unable to conclusively identify the Chrome vulnerability that was used (but they do have a suspect). The good news is that the two Windows vulnerabilities in the attack chain were fixed in the Windows 10 KB5003637 and KB5003635 cumulative updates. These vulnerabilities are listed as CVE-2021-31955, a Windows kernel information disclosure vulnerability, and CVE-2021-31956, a Windows NTFS elevation of privilege vulnerability.

Other critical issues

The other critical patches made available by Microsoft this June include these actively exploited vulnerabilities:

  • CVE-2021-33739, a Microsoft DWM Core Library Elevation of Privilege Vulnerability.
  • CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability.
  • CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.
  • CVE-2021-31201 another Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.

Zero-day vulnerability not (yet) known to be actively exploited:

  • CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability.

Other critical updates:

  • CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability.
  • CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability.
  • CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability.
  • CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability.
  • CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability.

Android

The Android Security Bulletin of June 7 mentions a critical security vulnerability in the System component that “could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process”, which is as bad as it sounds. That vulnerability, listed as CVE-2021-0507, could allow an attacker to take control of a targeted Android device unless it’s patched.

Cisco

Cisco has issued a patch for a vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software, which could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message through an affected device; SSL/TLS messages sent to the affected device itself do not trigger it. Cisco informs us that there is no workaround for this issue. Patching is the only solution.

SAP

In the SAP advisory for Security Patch Day – June 2021 we can find two issues that are labelled as “Hot News”:

  • CVE-2021-27602 SAP Commerce, versions 1808, 1811, 1905, 2005 and 2011. The Backoffice application allows certain authorized users to create source rules, which are translated to Drools rules when published to certain modules within the application. An attacker with this authorization can inject malicious code into the source rules and achieve remote code execution, compromising the confidentiality, integrity and availability of the application.
  • CVE-2021-27610 Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform.

Adobe

To top things off, Adobe has released a giant Patch Tuesday security update that fixes vulnerabilities in ten applications, including Adobe Acrobat (of course), Reader, and Photoshop. Notably, the update for Adobe Acrobat and Reader fixes five vulnerabilities, multiple of which are critical. Acrobat’s determination to cement its place as the new Flash shows no sign of dimming.

Successful exploitation could lead to arbitrary code execution in the context of the current user on both Windows and macOS. The same is true for two critical vulnerabilities in Photoshop that could lead to arbitrary code execution in the context of the current user.

CVE

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services), which is why we try to link you to the MITRE list of CVEs where possible. It allows interested parties to find and compare vulnerabilities.

Happy patching, everyone!

The post Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw appeared first on Malwarebytes Labs.

TrickBot indictment reveals the scale and complexity of organized cybercrime

Back in 2016, we saw the emergence of a botnet mainstay called TrickBot. Initially observed by our Labs team spreading via malvertising campaigns, it quickly became a major problem for businesses everywhere. Whether spread by malvertising or email spam, the end result was the same. Data exfiltration and the threat of constant reinfection were the order of the day.

Over time, it evolved. Tampering with web sessions depending on mobile carrier is pretty smart. Other features such as disabling real-time monitoring from Windows Defender were also added. In fact, wherever you look, there’s the possibility of stumbling upon a TrickBot reference when digging into other attacks.

The tricky problem of “sophisticated” attacks

The word “sophisticated” is used a lot in security research. Sometimes, it’s used even if an attack being discussed is a basic phish, or maybe some very generic malware.

However, TrickBot is a pretty formidable opponent. As is often the case, the “sophisticated” part isn’t necessarily just about the files themselves. There’s also the organisation behind the scenes to contend with. We’re talking people, infrastructure, small groups of individuals all working to write code and keep it ticking over, then to grab the exfiltrated data and make something of it. Wherever you look where TrickBot is concerned, there’s probably another cluster of specialised people up to no good. This isn’t a good thing when tackling malware developments.

“How bad is it, really?”

Have you ever stopped to consider “what, exactly, are we up against” when dealing with malware? This week’s events are a very good, and rather alarming, illustration.

What happened this week, you ask? That would be a potentially major blow to the TrickBot crew. A Latvian woman has been charged for her alleged role in a transnational cybercrime organisation. That organisation, as you’ll have guessed, is all about TrickBot shenanigans. What’s particularly interesting here is how it illuminates just how much work goes into development. It isn’t one person sitting in their bedroom. It’s an actual criminal enterprise, run as a business, with lots of different divisions and moving parts.

There are malware managers in hiring roles, recruiting developers to produce the files. This is done on Russian-language job websites, and made to look as if it’s for “regular” coding jobs.

There are people looking after finances, and testing malware against CAV (counter-antivirus) services. Money mules and spear phishing are thrown into the mix alongside social engineering and international theft of money, personal, and confidential information.

Peeling back the TrickBot onion

This is just skimming the surface of what was happening under the hood. An entire infrastructure was created, with servers, VPNs, and VPS providers combined by the TrickBot crew to create the perfect malware deployment environment. That’s before you get to the crypters, hired to help evade detection from security software. Or how about those responsible for the spamming tools? The folks monitoring bank website flows to figure out how to defeat multi-factor encryption? There’s even someone creating coding tests, to ensure potential malware author hires know what they’re doing in terms of injections.

Make no mistake, the groups infecting millions of computers worldwide and making huge amounts of money aren’t doing it by accident. What cases like United States of America v. Alla Witte show us is that it’s efficient, structured, and very organised indeed.

The basic plan? Infect computers with TrickBot, spread across networks, grab banking details, and then steal funds. Said funds would then be laundered across a variety of bank accounts “controlled by the defendant and others”. Ransomware would also be deployed, for that final splash of cash.

As touched on above, the group hired experts in a variety of cybercrime fields. This was a perfect accompaniment to the modular, ever-evolving TrickBot. This itself was built upon the framework of the older Dyre malware, with all the years of experience and field expertise you’d expect coming along for the ride.

Evading the long arm of the law

Certain elements of the team helped evade detection by making use of multiple tricks to keep out of law enforcement’s reach. Stolen credit cards and fake identities paid for behind-the-scenes tech like servers and domains. Multiple proxies were used for communications. Emails and attachments were encrypted, and chat on a private messaging server was also locked down. Multiple VPN services used around the world are the final anonymising splashes of icing on a very large cake.

Big scams, big numbers

The full arrest warrant document [PDF] is roughly 60 pages long, and contains an incredible amount of information. It breaks everything down by category, explaining how the malware and its injections worked and how the multi-stage laundering took place, including dates and transaction amounts. The wire transfers listed range from $44,900 to $230,400 across most of 2017 to 2018. There’s even an incredible attempted wire transfer of approximately $691,570,000 between 19 and 20 October 2017.

It’s possible time has now been called on this TrickBot crew. No matter what happens, you can be sure other groups are out there right now doing much the same things. A few of them will be just as big, just as well organised, and firing even bigger plundered sums of cash around banking infrastructure.

Next time you read about a piece of malware in the news, consider the sobering thought that it is the tip of a very long spear. An in-depth process lies under the surface keeping said malware in operation. How bad is it really? What, exactly, are we up against?

The answer is: all of the above, and more.

The post TrickBot indictment reveals the scale and complexity of organized cybercrime appeared first on Malwarebytes Labs.