IT NEWS

Complicated Active Directory setups are undermining security

Security researchers and technical architects from SpecterOps have found that almost every Active Directory installation they have looked at over the last decade has had some kind of misconfiguration issue. And misconfigurations can lead to security issues, such as privilege escalation methods.

The researchers have written a paper (pdf) about Active Directory Certificate Services (AD CS) to raise awareness for both attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system. They will also present this material at BlackHat USA 2021.

Active Directory Certificate Service

Countless organizations around the world use Windows Server as the base for their IT infrastructure. Many of them also use Public Key Infrastructure (PKI) for their authentication needs. For example, PKI is used for certificate-based authentication, securing web servers (SSL), and in digital signatures for documents.

Active Directory Certificate Services (AD CS) is the server functionality that allows you to set up PKI so it can provide the public keys, digital certificates, and digital signatures for your organization. All these things can be obtained in other ways, but the big advantage for large organizations is that AD CS can do this at scale. This is mainly because the Active Directory Domain Service, which holds all the relevant information about each member of the domain, is linked to AD CS and allows it to use that information.

Abusing AD CS

In their paper, the researchers lay out three areas where misconfigurations in AD CS can be abused for malicious purposes:

  • Credential theft that can survive password changes and can bypass smart card authentication.
  • Privilege escalation methods that allow attackers to act as any user in the domain, including their privileges.
  • Domain persistence attacks that allow attackers to log on as any Active Directory user, so they can use their privileges at any time.

As you can see, the researchers have really focused on user authentication and how certificate-based authentication is performed.

The paper provides a lot of detail and many scenarios for achieving one or more of the above malicious purposes, which can really help a cybercriminal infiltrate an organization’s network and provide the means for lateral movement once inside. It is beyond the scope of this post to go into those details, but I can recommend the paper to those interested in the gritty details (142 pages).

Too complicated

The researchers are the first to admit that while there is nothing inherently insecure about AD CS, it is hard to configure in a secure way. Many misconfigurations can be explained by system administrators and IT staff enabling settings for valid reasons, but without a complete understanding of the security implications that come with changing that setting.

An example from the paper:

“There is a GPO (Group Policy Object) setting titled “Allow certificates with no extended key usage certificate attribute” whose documentation makes it sound like you need to flip this switch to allow certificate authentication with the All Purpose EKU (Extended Key Usage), Client Authentication EKU, or no EKU in modern environments. However, this is a client side setting only. An older description for this GPO states that it affects which smart card-based certificates will show up on a logon screen, which matches the behavior we’ve seen.”

Anyone who has ever worked with Windows GPOs will recognize how hard it sometimes is to work out what the effect of changing a setting will be, let alone how it will influence security in conjunction with other settings.

Offensive tools

The researchers have decided to hold off on presenting any tools that can be used for offensive purposes until their presentation at BlackHat.

“We believe that the issues described in the paper are severe and widespread enough to warrant a delay in the offensive tool release.”

This gives those that are vulnerable some time to fix their issues and security providers to implement protection based on the IOCs/Yara rules that the researchers have published for their tools Certify and ForgeCert.

Mitigation

In response to this paper Microsoft has issued a blog post that details how recent Extended Protection for Authentication related updates can help safeguard authentication credentials on the Windows platform. This includes actions to change a default configuration that was flagged by the researchers as a serious security issue. Microsoft has indicated it has no plans to change this default configuration as part of an update, so system administrators and IT staff are advised to do this themselves.

If you are curious about the security of your own AD CS settings, the researchers have released a tool called PSPKIAudit that audits AD CS for vulnerable configurations. Their paper also contains instructions and guidelines for finding and fixing vulnerable AD CS configurations.

The post Complicated Active Directory setups are undermining security appeared first on Malwarebytes Labs.

MITRE introduces D3FEND framework

The US National Security Agency (NSA) has announced it will fund the development of a knowledge base of defensive countermeasures for the most common techniques used by malicious threat actors.

The project will be made available through MITRE and will be called D3FEND as it complements MITRE’s existing ATT&CK framework.

MITRE ATT&CK

The MITRE Corporation is a non-profit organization with the mission to “solve problems for a safer world”. It wants to bring security-focused communities together to develop more effective cybersecurity. While most people may have heard of MITRE because it runs the CVE database of known vulnerabilities, another widely respected resource is its MITRE ATT&CK framework.

MITRE ATT&CK framework is a knowledge base of offensive tactics and techniques based on real-world observations. It contains information about malicious groups and techniques, and it’s open and available to any person or organization for use at no charge. It’s used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

An ATT&CK example

The MITRE ATT&CK framework is divided into a number of groups that reflect different stages of an ongoing attack.

[Image: MITRE ATT&CK knowledge graph]

As an example, let’s look at the entry “Phishing for information” in the “Reconnaissance” stage.

[Image: Phishing]

Users will find a description of the attack vector and some real-world examples, with links to articles or blogs about them. If you look under “Spearphishing” > “Higaisa” you will find a link to our own blog post about Higaisa, for example. Further down, below the description of the attack vector, you can find “Mitigations” and “Detection” techniques against the attack vector.

[Image: Mitigations and Detection]

MITRE D3FEND

So, now MITRE has started to build a similar framework for network defense, with NSA funding. The goal is to help security architects quickly understand the specific capabilities of a wide variety of defensive technologies. This framework will be shared publicly so everyone can use it, and benefit from it in the same way they use the ATT&CK framework.

The main entry to the knowledge base can be found at d3fend.mitre.org.

[Image: MITRE D3FEND graph]

As you can tell from the layout, the defensive techniques have been grouped into a similar linear arrangement: Harden, Detect, Isolate, Deceive and Evict.

Let’s look at an example in the new knowledge base. I’ll grab one that we happen to know a lot about: “File Content Rules”, under “Detect” > “File Analysis”.

[Image: File Content Rules]

The entry for “File Content Rules” explains how this simple method of pattern matching works and what some of its use cases are. But lower down is the more interesting part: the ATT&CK and D3FEND knowledge bases are tied together by highlighting the ATT&CK techniques related to this D3FEND entry.

[Image: highlighted entries]

Conclusion

I must say that one of the sentences in the NSA announcement trying to explain the mission of D3FEND initially threw me off.

“D3FEND enables cybersecurity professionals to tailor defenses against specific cyber threats, thereby reducing a system’s potential attack surface.”

The “tailor defenses against specific cyber threats” immediately gave me the mental image of a game of whack-a-mole. But looking at what has been established so far I think the following sentence describes the project a lot better.

“Our goal is to make it easier for architects to better understand how countermeasures work, so that they can more effectively design, deploy, and ultimately better defend networked systems.”

That is how Peter Kaloroumakis, a principal cybersecurity engineer at MITRE who leads the work on D3FEND, explains it.

It’s about being able to make an assessment whether you have all the bases covered that you feel are worth covering in your case. Many organizations have a special threat model and need stronger defenses in one area and not so much in others. This gives them a tool to check whether they missed something or where improvements are possible.

Implementation

MITRE and the NSA have urged organizations today to start implementing the D3FEND framework into their security plans as soon as possible. The MITRE Corporation has also released a technical whitepaper (PDF) describing the basic principles and the design of this new framework.

The post MITRE introduces D3FEND framework appeared first on Malwarebytes Labs.

City of Liège hit by ransomware, Ryuk suspected

Liège, the third largest city in Belgium, and a major educational hub, has been hit by a ransomware attack, disrupting its IT services and network.

[Image: the municipality of Liège’s official website, translated from the French.]

According to its official website (pictured above):

The City of Liège is currently the victim of a large-scale targeted computer attack, obviously of a criminal nature.

The City of Liège, surrounded by experts of international competence, analyzes the scale of this attack and its consequences in particular in terms of duration on the partial unavailability of its computer systems. It is making every effort to restore the situation as soon as possible.

Services to the public are currently strongly impacted.

The website has also provided a non-exhaustive list of services that have been impacted. These include the collection of passports, driving licenses, identity cards and other important documents; the ordering of new documents; appointment services for marriage, nationalities, and others; and the availability of police support for administrative purposes.

Two Belgian media outlets, a radio station and a TV station, claim that the attack may have been conducted by a group using Ryuk ransomware. As you may recall, the National Cybersecurity Agency of France (ANSSI) recently discovered Ryuk’s new worm-like capabilities. In big game attacks like this, attackers can spend weeks or even months inside a victim’s network, conducting reconnaissance and quietly moving ransomware to important systems, often using standard Windows administration tools. The recent modifications to Ryuk are designed to help it make its way laterally within an affected network without help from a human operator. Yikes.

The attack on Liège is just the latest in a catalogue of ransomware attacks against cities, schools, hospitals, health services and other critical infrastructure that has been going on for years, and getting steadily worse. According to a recent report by the Ransomware Task Force, in 2020 average ransom payments increased 170 percent year-on-year, and the total sum paid in ransoms increased 310 percent.

Among its many recommendations, the task force called for greater government action and more international cooperation. Perhaps this latest attack will hasten the creation of that joint rapid response cybersecurity team the EU has been planning to create.

What will it take to stop ransomware?

There is no quick fix to stopping the ransomware epidemic. You can learn more about what it’s going to take to stop these attacks, and why we may have been focussing on the wrong things so far, by listening to our recent Lock and Code podcast, with our guest, cybersecurity luminary Brian Honan, and host David Ruiz.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post City of Liège hit by ransomware, Ryuk suspected appeared first on Malwarebytes Labs.

Hotel staff bust Hermes SMS scammer with suspiciously large number of cables

If you’re in the UK, you’ve likely received a fake delivery SMS at this point. The original big driver for this over the pandemic was a non-stop wave of Royal Mail phishing scams. As that article mentions, most if not all of our interactions with organisations are done by mobile. I receive medical appointment updates by phone. Notifications from school? Phone. A reminder about my upcoming dental appointment? You better believe it’s arriving by phone.

The pandemic has exacerbated this, because nobody really wants to be handling mail and licking envelopes when you could just fire out bulk texts instead.

Unfortunately, scammers thought this was a very good idea and leapt aboard the hype train.

Choo choo, as they say.

Of lists and spamming

It seems no matter how careful you are with your number, eventually it’ll end up on a list. At that point, you’re subjected to a heady mix of real and fake messages. I myself have occasionally missed important notifications buried in a mix of spam and nonsense and it’s really quite aggravating.

When scammers realised the Royal Mail scams were now attracting mainstream levels of press attention, some changed their tactics. They made it much harder to analyse and explore the scams on offer.

Others decided to diversify. Different brands quickly started being thrown into the mix. It was no longer fake Royal Mail messages you had to worry about. It was now bogus Hermes, or DHL texts too.

It’s very difficult to find the perpetrators of these scams. With a small amount of digital know-how, culprits can make use of anonymous bulk mailers and almost never get caught.

Almost.

When real world incognito mode goes horribly wrong

The continued success of these SMS attacks relies on the criminal pulling the strings lurking in the background. There’s no reason for them to make themselves visible to the long arm of the law. It might go wrong, for example, if someone were to turn up somewhere public and do something suspicious.

A hotel, say. While carrying a bag stuffed full of wires and some electrical devices.

Step up, “man arrested in Manchester hotel on suspicion of fraud by misrepresentation”.

Now, I have occasionally wandered into a hotel with a bunch of tech stuff. I don’t know how I’d end up looking suspicious to staff though, short of my bag spilling all over the lobby while I yell “OH NO, MY DUBIOUS ELECTRONICS”. The article also doesn’t mention if staff became suspicious based on something they saw in the hotel room itself.

Either way, the police were called in. They took everything away. This person is now being questioned to establish what, exactly, has been going on. This is the opposite of how Carmen Sandiego or, to a lesser extent, Where’s Waldo, operates.

Counting up the cost

Law enforcement have been doing some early digging. So far, the results are as follows:

  • Around 26,000 texts were sent from the devices, claiming to be from delivery company Hermes. The gimmick is the old faithful “You missed a delivery, please pay us” routine so beloved of Royal Mail scammers.
  • Up to 44,000 mobile phone contacts are believed to be stored on the devices.

This seems quite novel, in terms of potential busts for dubious antics online. Perhaps the person under suspicion felt they would be more anonymous if they did this away from home. Things haven’t really gone to plan on that front.

No, fake SMS delivery scams haven’t gone away

The report mentions the investigation is in very early stages, so who knows what direction it might take. No matter how it ends up, it doesn’t mean the threat is over. There are plenty more SMS phish in the sea. Fake parcel delivery messages are still rife, and you can expect to see them for some time to come. Let’s not forget the life-changing impact falling for just one of these text-based missives can have.

Please subject all texts asking for logins and / or payment to scrutiny, and if in doubt, always contact the purported sender directly via official channels. It’s not worth having your life ruined over one bogus SMS with bad intentions.

The post Hotel staff bust Hermes SMS scammer with suspiciously large number of cables appeared first on Malwarebytes Labs.

A week in security (June 14 – June 20)

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (June 14 – June 20) appeared first on Malwarebytes Labs.

Atomic research institute breached via VPN vulnerability

Remember when we told you to patch your VPNs already? I hate to say “I told you so”, but I informed you thusly.

According to South Korean officials a North Korean cyber-espionage group managed to infiltrate the network of South Korea’s state-run nuclear research institute last month.

The crime: time and place

Cybersecurity news hounds The Record report that a spokesperson for the Korea Atomic Energy Research Institute (KAERI) said the intrusion took place last month, on May 14 to be exact, through a vulnerability in a virtual private network (VPN) server. Since its establishment in 1959, KAERI has been the only research institute in Korea dedicated to nuclear energy. Reportedly, thirteen unauthorized IP addresses accessed KAERI’s internal network.

The suspect: Kimsuky

Some of the addresses could be traced back to the APT group called Kimsuky. One of the IP addresses was used in an attack that targeted COVID-19 vaccine developers in South Korea last year.

North Korean cyber-attacks on its southern neighbor are not uncommon. And Kimsuky is the APT that is best known for these attacks. The Kimsuky APT is a North Korean threat actor that has been active since 2012 and targets government entities mainly in South Korea. Recently, we reported about this group using the AppleSeed backdoor against the Ministry of Foreign Affairs of South Korea.

The victim: KAERI

KAERI is a national research institute which was instrumental in developing nuclear technology for power generation and industrial applications. And while North Korea is ahead of South Korea in some nuclear fields—notably nuclear weapons—it is thought to be weaker than its neighbor when it comes to energy generation. As we stated in our earlier report one of the other targets was the nuclear security officer for the International Atomic Energy Agency (IAEA), a UN organization tasked with nuclear regulations and cooperation.

The weapon: a VPN vulnerability

In a statement, KAERI says that an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). It also states that the attackers’ IP addresses were blocked, and its system upgraded, when it found out about the attack on May 31.

The name of the VPN vendor is being kept secret. Although we can’t rule out a zero-day, the fact that this wasn’t mentioned, and that the system was updated in response, suggests it wasn’t one. It certainly doesn’t need to be, as there are a lot of known vulnerabilities in the running. Many of them are years old, and many are known to be used in the wild. Even though patches are available, applying them has taken some organizations quite some time.

We also wrote recently about vulnerabilities in the Pulse Secure VPN. Pulse issued a final patch on May 3 for a set of vulnerabilities that were used in the wild.

The NSA also issued an advisory in April about five publicly known vulnerabilities being exploited by the Russian Foreign Intelligence Service (SVR). The CVE numbers used to identify vulnerabilities start with the year the CVE was issued. What’s most striking about the NSA’s list is just how old most of the vulnerabilities on it are.

As you can see, most of them are VPNs and other networking-related applications. By design a VPN is remotely accessible, which makes it a target that attackers can reach from anywhere. A VPN or gateway is always a likely target, especially if it has a known vulnerability. And a seasoned APT group, like Kimsuky, will have fewer problems reverse-engineering patches than your everyday cybercriminal.

Patching or lack thereof

The risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A Forbes study of 340 security professionals in 2019 found 27% of organizations worldwide, and 34% in Europe, said they’d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.

Stay safe, everyone!

The post Atomic research institute breached via VPN vulnerability appeared first on Malwarebytes Labs.

Want to stop ransomware attacks? Send the cybercriminals to jail, says Brian Honan: Lock and Code S02E11

Ransomware attacks are on a different scale this year, with major attacks not just dismantling the business and management of Colonial Pipeline in the US, the Health Service Executive in Ireland, and the meatpacker JBS in Australia, but also disrupting people’s access to gasoline, healthcare, COVID-19 vaccinations, and more.

So, what is it going to take to stop these attacks? Brian Honan, CEO of BH Consulting, said that the process will be long and complex, but the end goal in sight should be simple: Put the cybercriminals responsible for these attacks behind bars.

Tune in to learn about how ransomware can dismantle a business, what governments are doing to fight back, and why we need better cooperation within private industry, on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Want to stop ransomware attacks? Send the cybercriminals to jail, says Brian Honan: Lock and Code S02E11 appeared first on Malwarebytes Labs.

Two Google plans that could make open source code more secure

Recently Google announced that it will fund the further development of Rust. Rust is a low-level programming language that is designed to be more memory secure than other popular programming languages, such as C.

Google has also proposed an end-to-end framework for supply chain integrity which it has dubbed Supply chain Levels for Software Artifacts (SLSA).

Rust in Linux

Google’s investment in Rust will take the form of a contract for Miguel Ojeda, who’s worked on programming language security, to write software in Rust for the Linux kernel. Adding Rust modules to the Linux kernel could improve security for phones, computers and servers, because the Linux kernel is used in all the different Linux distributions, and it is also the core kernel for Android, ChromeOS, and many embedded systems. Android already supports the Rust programming language for developing the OS itself.

Rust is already a favorite language among programmers, and the Rust for Linux community has already started adding support for the language to the Linux kernel build system. Traditionally, kernel programming was largely done in C, which has been around since 1972 and is more prone to some classes of security errors than contemporary programming languages.

The goal of the project is not to replace all the existing Linux code but rather to improve selective and new parts. Josh Aas, who runs ISRG‘s Prossimo project, plans to focus on certain security-critical components and drivers. The Prossimo Project is what Ojeda has been working on.

Memory secure

The density of memory safety bugs in the Linux kernel is already quite low due to high code quality, high standards of code review, and carefully implemented safeguards. However, memory safety bugs do still occur on a regular basis. On Android, vulnerabilities in the kernel are generally considered high-severity because they can result in a security model bypass due to the privileged mode that the kernel runs in.

Secure coding is something that every programmer wants to do, but what really makes the difference is making it easy to accomplish. And that is what Rust has the potential to do.

SLSA

The goal of SLSA (“Salsa”) is to improve code integrity, particularly open source code, making it more resilient to supply chain attacks. It is inspired by Google’s internal “Binary Authorization for Borg” process which has been in use for the past 8+ years and is mandatory for all of Google’s production workloads.

The SLSA framework will be designed to safeguard source integrity and build integrity. It should provide end-users with the ability to check the provenance of any code they’re installing, so they can tell if it has been tampered with.

SLSA consists of four levels, with SLSA 4 representing the ideal end state. The SLSA level will tell the end-user whether the source, build, provenance, and security aspects meet a certain standard.

Bringing secure code to the end user

Starting with a secure low level programming language and safeguarding that security until it reaches the end user sounds like a very good plan. But it will certainly not be achieved in a short span of time. Google sees adding a second, more memory secure, programming language to the Linux kernel as an opportunity to adopt best practices in terms of documentation and uniformity right away. The contract with Miguel Ojeda has a duration of one year, which will certainly be aimed at tackling the most elementary obstacles on the road to a secure kernel. If they reach the point where it is easier to add Rust elements to the kernel than it is to keep going in C, they will have made an important step.

Since many servers hosting software on the internet are running on Linux, improving the security of the OS of those servers can be a first step in the road to more secure and easy to verify software.

But getting the industry to accept a standard that gives the end-user some way to compare the security level of software will be an even bigger struggle, unless some sort of legislation is introduced to enforce and monitor such a standard. And as we have seen in the past with bills trying to regulate the safety of IoT devices, getting governments to agree on the requirements they want vendors to meet, let alone to adopt an entire framework, could prove to be a gargantuan task.

It will likely be left to developers who want to do the right thing to adopt the standard. Although many likely will, history suggests we generally get whatever level of security the path of least resistance leads to. That’s why making it easy for kernel developers to use Rust is so important, after all.

The post Two Google plans that could make open source code more secure appeared first on Malwarebytes Labs.

Polazert Trojan using poisoned Google Search results to spread

The threat actor behind Trojan.Polazert, aka SolarMarker, has gone back to an old tactic known as SEO poisoning and fine-tuned it to plant their Remote Access Trojan (RAT) on as many systems as possible. This RAT runs in memory and is used by attackers to install additional malware on affected systems.

Trojan.Polazert

Trojan.Polazert is specifically designed to steal credentials from browsers and provide an attacker with a backdoor that allows them to further compromise infected systems. To achieve this, collected data is sent to a C&C server. To gain persistence on an infected system it adds shortcuts to the Startup folder and changes existing shortcuts.

Distribution

According to Microsoft Security Intelligence, attackers have started using PDF files full of keywords that have a high SEO ranking, so that their links show up prominently in search results. Once victims have downloaded the PDF file they thought they were looking for, they are prompted to download another document that supposedly contains the information they set out to find. Instead of getting the coveted document they are redirected through multiple sites to end up at a page where they download the Polazert Trojan.

In the past this threat actor used to flood search results with more than 100,000 websites claiming to offer free office forms and document templates, all with the same end result: a download of the RAT. The malicious website serves up an executable disguised as a PDF document or a Word document.

As you might expect, the attackers used cheap, scalable Cloud hosting like Amazon Web Services (AWS) and Google Sites to host their malicious PDFs.

SEO poisoning

SEO is short for Search Engine Optimization and it is a marketing strategy that is designed to make sure that your web pages are found if people search for certain keywords that are relevant to your business. The ranking of a page in Google’s search results is based on a huge array of factors, but two of the core principles are what the page is about, and the page’s reputation.

A PDF will be stuffed with keywords designed to convince Google it’s about something very specific that people will be searching for. To target lots of different searches, they’ll need lots of different, narrowly-focussed PDFs.

The reputation of a page is calculated in part by using the number of inbound links pointing to it. Links from pages about the same subject, that themselves have strong reputations, have a greater effect. Typically, threat actors can leverage a large amount of pages to create inbound links.

Lazy crooks that don’t want to put in the work of link building, those that can’t afford to hire someone, or those put off by heavy competition for keywords, may consider buying incoming links from an underground market vendor. These threat actors control a multitude of compromised sites that they can use to post links on. Another method SEO poisoners may use to build links is spamming forums, with the help of spambots.

What they don’t use, is social media. Contrary to popular belief, posting links on social media like Facebook and Twitter does not help to improve a page’s SEO. The links on social media are “nofollow” links, and Google’s bots will not follow them or add them to the tally of incoming links.

Recognizing this threat

While it is not uncommon to be shown PDF files when you are using search engines, it is advisable to scrutinize their content. Apart from the first page, the stuffed PDF files look empty, but a closer look reveals their content.

[Image: the text was hidden by using the same text and background color]
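The white-on-white trick described above can be checked for without rendering the PDF. The following scanner is an added example (not Malwarebytes’ or Microsoft’s tooling) that walks an uncompressed PDF page content stream, tracks the fill colour and text render mode, and reports how much text is painted in the background colour or drawn invisibly; the content stream is a constructed sample, and a real file would first need its streams decompressed with a PDF library.

```python
"""Heuristic scan of a PDF page content stream for keyword stuffing hidden
from the reader: text painted in the background colour, or drawn with the
invisible text render mode (Tr 3).  Added example, standard library only."""
import re
from dataclasses import dataclass, field

# Simplified tokenizer for PDF content streams: strings, names, numbers,
# array delimiters and operators.  Inline images and dictionaries are not
# handled, which is fine for the keyword-stuffed pages this targets.
TOKEN_RE = re.compile(r"""
    \((?:\\.|[^\\)])*\)        # literal string  (...)
  | <[0-9A-Fa-f\s]*>           # hex string      <...>
  | /[^\s/\[\]()<>]+           # name            /F1
  | [-+]?(?:\d+\.?\d*|\.\d+)   # number          12  -250  .5
  | \[ | \]                    # array delimiters
  | [A-Za-z'"*]+               # operator        Tj  rg  f*
""", re.VERBOSE)
NUMBER_RE = re.compile(r"[-+]?(?:\d+\.?\d*|\.\d+)")
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}   # path-painting ops that fill
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}
WHITE = (1.0, 1.0, 1.0)


@dataclass
class Report:
    visible_chars: int = 0
    hidden_chars: int = 0
    hidden_samples: list = field(default_factory=list)

    @property
    def hidden_ratio(self) -> float:
        total = self.visible_chars + self.hidden_chars
        return self.hidden_chars / total if total else 0.0


def decode_string(tok: str) -> str:
    """Decode a literal or hex string operand (ASCII/Latin-1 only)."""
    if tok.startswith("<"):
        digits = re.sub(r"\s", "", tok[1:-1])
        digits += "0" if len(digits) % 2 else ""      # PDF pads an odd final digit
        return bytes.fromhex(digits).decode("latin-1")
    body = re.sub(r"\\([nrtbf()\\])", lambda m: ESCAPES.get(m.group(1), m.group(1)), tok[1:-1])
    return re.sub(r"\\\d{1,3}", "", body)              # octal escapes are dropped


def parse_operations(stream: str):
    """Yield (operator, operands) pairs; arrays become Python lists."""
    operands, stack = [], []                           # stack: open [ ] arrays
    for tok in TOKEN_RE.findall(stream):
        target = stack[-1] if stack else operands
        if tok == "[":
            stack.append([])
        elif tok == "]":
            arr = stack.pop()
            (stack[-1] if stack else operands).append(arr)
        elif NUMBER_RE.fullmatch(tok):
            target.append(float(tok))
        elif tok[0] in "(</":
            target.append(tok)
        else:                                          # anything else is an operator
            yield tok, operands
            operands = []


def shown_text(operands: list) -> str:
    """Text for Tj / ' / " (last operand is a string) or TJ (array of strings
    and kerning numbers; a large negative adjustment renders as a space)."""
    if not operands:
        return ""
    last = operands[-1]
    if isinstance(last, list):
        parts = [decode_string(i) if isinstance(i, str) else (" " if i <= -200 else "")
                 for i in last]
        return "".join(parts)
    return decode_string(last) if isinstance(last, str) and last[0] in "(<" else ""


def same_colour(a, b, tol=0.05) -> bool:
    return all(abs(x - y) <= tol for x, y in zip(a, b))


def scan_content_stream(stream: str) -> Report:
    """Track fill colour, the colour of the last filled rectangle (taken as the
    background) and the text render mode; classify each shown string."""
    report, fill, background = Report(), (0.0, 0.0, 0.0), WHITE  # defaults: black on white
    render_mode, rect_pending = 0, False
    for op, args in parse_operations(stream):
        nums = [a for a in args if isinstance(a, float)]
        if op == "g" and nums:
            fill = (nums[-1],) * 3
        elif op == "rg" and len(nums) >= 3:
            fill = tuple(nums[-3:])
        elif op == "k" and len(nums) >= 4:             # CMYK -> approximate RGB
            c, m, y, k = nums[-4:]
            fill = tuple(1.0 - min(1.0, x + k) for x in (c, m, y))
        elif op == "Tr" and nums:
            render_mode = int(nums[-1])
        elif op == "re":
            rect_pending = True
        elif op in FILL_OPS or op in ("n", "S", "s"):
            if op in FILL_OPS and rect_pending:        # a painted rectangle becomes the backdrop
                background = fill
            rect_pending = False
        elif op in ("Tj", "TJ", "'", '"'):
            text = shown_text(args)
            if not text.strip():
                continue
            if render_mode == 3 or same_colour(fill, background):
                report.hidden_chars += len(text)
                if len(report.hidden_samples) < 5:
                    report.hidden_samples.append(text)
            else:
                report.visible_chars += len(text)
    return report


def is_suspicious(report: Report, min_hidden_chars=40, min_hidden_ratio=0.5) -> bool:
    return report.hidden_chars >= min_hidden_chars and report.hidden_ratio >= min_hidden_ratio


# Constructed sample (not taken from a real malicious PDF): one visible heading,
# keyword text painted white on the white page, and a line hidden with Tr 3.
SAMPLE_STREAM = """
BT /F1 24 Tf 0 g 72 720 Td (Select Download Format) Tj ET
BT /F1 6 Tf 1 1 1 rg 72 600 Td (free invoice template download pdf) Tj ET
BT /F1 6 Tf 72 590 Td [(free) -250 (resume) -250 (template)] TJ ET
BT /F1 6 Tf 0 g 3 Tr 72 580 Td (hidden by render mode) Tj ET
"""

if __name__ == "__main__":
    r = scan_content_stream(SAMPLE_STREAM)
    print(f"visible={r.visible_chars} hidden={r.hidden_chars} ratio={r.hidden_ratio:.2f}")
    print("suspicious:", is_suspicious(r), "samples:", r.hidden_samples)
```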

It is also worth bearing in mind that aside from being used in SEO poisoning campaigns like this, malicious PDFs can also be used to trigger bugs in reader software, and there is no shortage of bugs.

The first page of the PDF file showcased by Microsoft Security Intelligence offers users a choice of a PDF download or a Word document download, under the heading “Select Download Format”. Or, in other words, would you like your RAT as a PDF or a DOC?

It is certainly feasible that this threat actor will change tactics again, but being aware of their current tactics may help you thwart their next attempt.

Stay safe, everyone!

The post Polazert Trojan using poisoned Google Search results to spread appeared first on Malwarebytes Labs.

The 6 best Chrome extensions for privacy and security

While searching for security- and privacy-improving extensions, users may end up installing an extension that is counterproductive to their goals. To help our readers I have compiled a list of Chrome extensions that can actually help you improve your online privacy and security.

Our regular readers have seen me post various warnings about malicious Chrome extensions. The fact that these malicious extensions exist doesn’t mean it’s not safe to install extensions at all. Some extensions will even improve security and privacy. So, for a change, I am going to highlight a few of them, by sharing my personal favourites.

“How come you are focusing on Chrome?” you may ask. Well, Chrome is the most popular browser in the world, by far. It has a market share hovering around 65%. This popularity among users also makes it a popular target for advertisers and malicious actors. I would not dare say that Chrome is less secure than the other popular browsers. All of the modern browsers are highly complex, sophisticated pieces of software that offer a substantial target to attackers, and all of them take security seriously.

There certainly are better choices for privacy-oriented users, but that's another topic for another day.

The 6 best extensions

In my list I have tried to include extensions that complement each other rather than ones that compete against each other by doing the same job. Obviously there will be some overlap, especially when it comes to ad and tracker blocking. Where I have listed an extension as available for Chrome, you will find that it is also available for most Chromium-based browsers, such as Vivaldi and Brave. Extensions are listed in no particular order.

Malwarebytes Browser Guard

Works with: Chrome, Edge, and Firefox.

Malwarebytes Browser Guard not only blocks some advertisements and trackers, it also stops in-browser cryptojackers (unwanted cryptocurrency miners), and it uses an extended version of the Malwarebytes Premium blocklist that will stop malicious sites from loading, including sites that are involved in tech support scams. As a bonus, blocking unwanted content can speed up your browsing by up to four times.

HTTPS Everywhere

Works with: Chrome, Edge, Firefox, and Opera. It is already included in Tor.

HTTPS Everywhere ensures that you always connect to sites using secure HTTPS encryption instead of HTTP. It forces sites to use HTTPS if they offer it, and can block access to sites that don't. This protects information like logins and personal data when it's travelling between your computer and the website you're using.

Many sites on the web now offer HTTPS, but it may not be compulsory, or the default, and your connection can easily be downgraded to HTTP if you click on a link that somebody forgot to add the “s” to. The HTTPS Everywhere extension fixes these problems by rewriting URLs so they always use https://.
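To make the rewriting concrete, here is an added example of a small ruleset-driven URL upgrader in the same spirit. It is not HTTPS Everywhere's own code or its ruleset format; the hosts, exclusion paths and sample links are constructed for the demo. A link where somebody "forgot the s" is rewritten to https:// when a rule matches its host, paths the rule excludes are left alone, and the optional `blockUnencrypted` flag models the extension's mode of refusing plain HTTP to sites without a rule.

```javascript
// Added example (not HTTPS Everywhere's code): upgrade http:// links to
// https:// according to a ruleset. Hosts and exclusions are constructed.
const RULES = [
  // host pattern and, optionally, a path pattern known to break over HTTPS
  { host: /^(www\.)?example\.com$/, exclude: /^\/legacy\// },
  { host: /^(www\.)?example\.org$/, exclude: null },
];

// Returns { url, action } where action is one of
// 'unchanged' | 'rewritten' | 'excluded' | 'blocked'.
function upgradeUrl(rawUrl, rules = RULES, blockUnencrypted = false) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'http:') return { url: url.href, action: 'unchanged' };

  const rule = rules.find(r => r.host.test(url.hostname));
  if (rule) {
    if (rule.exclude && rule.exclude.test(url.pathname)) {
      return { url: url.href, action: 'excluded' };
    }
    url.protocol = 'https:';
    if (url.port === '80') url.port = '';   // explicit :80 makes no sense over TLS
    return { url: url.href, action: 'rewritten' };
  }

  // No rule for this host: either let plain HTTP through or refuse it outright.
  return blockUnencrypted
    ? { url: null, action: 'blocked' }
    : { url: url.href, action: 'unchanged' };
}

// Rewrite every link in a page fragment, e.g. before following links from a search result.
function upgradeLinks(hrefs, rules = RULES, blockUnencrypted = false) {
  return hrefs.map(h => upgradeUrl(h, rules, blockUnencrypted));
}

// Constructed sample links
const SAMPLE_LINKS = [
  'http://www.example.com/login?next=/account',   // forgot the "s": rewritten
  'http://example.com/legacy/feed.xml',           // excluded by the rule
  'https://example.org/',                         // already HTTPS
  'http://other.invalid/',                        // no rule: passed or blocked
];
```

`upgradeLinks(SAMPLE_LINKS)` yields rewritten, excluded, unchanged and unchanged; with `blockUnencrypted` set to true the last entry becomes blocked. The important design point the extension also had to solve is the exclusion list: a site that serves HTTPS for some paths and not others can break if every URL is rewritten blindly, so rules carry exceptions rather than being pure host-wide switches.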

Ghostery

Works with: Chrome, Edge, Firefox, and Opera.

The free version of Ghostery blocks the ads and trackers that can follow you around the web, creating a profile of who you are and where you go. The Plus version offers additional application ad blocking.

uBlock Origin

Works with: Chrome, Safari, Opera, and Firefox.

uBlock will block advertisements, including video ads, as well as trackers. It also functions as a pop-up blocker and helps protect against some forms of malware.

1Password

Works with: Chrome, Edge, and Firefox.

1Password is a password manager that will create, store, and enter strong passwords for you. Unfortunately the free version of 1Password has a short life span, but the paid version is really worth having, not least because it can import the passwords stored in your browser. The autofill option will save you a lot of time and offers some protection from phishing attacks.

Click&Clean

Works with: Chrome, Edge, and Firefox. Some functionality requires the Click&Clean Host.

The Click&Clean extension helps you clean up your private browsing data. Modern browsers try to make browsing as quick and easy as possible, and that means remembering a lot of stuff, including a cache of pages you’ve visited, your search history, data you’ve entered into forms, cookies, and more. Click&Clean gives you an easy way to clear out the bits you don’t want to hold on to.

But I like the so-and-so extension better!

Don’t let me stop you from using the extensions that you are used to. Some of these extensions do have competitors that are just as good and you might like them better. But these are my personal choices and in my experience they work well together.

All 6 installed

This is only here to help those looking for new security and privacy related Chrome extensions find something trustworthy. Unfortunately, looking for this type of extension will sometimes lead to extensions that do the exact opposite of what they promise. For example, we have seen a lot of extensions that promise to perform more secure or private searches, but all they do is redirect your searches somewhere else, often adding some advertisements as well.

What is the best antivirus extension for Chrome?

This is a question I get asked a lot and the answer is not that simple. Or actually it is. There are no antivirus extensions for Chrome in the traditional sense. Some of the extensions in my list will stop malware from entering your system, but removal and protection are two different things. There are some browser extensions that can remove malicious extensions from the browser they are installed on, but the anti-malware solution you are using should have no problem doing that. In fact, it will very likely do it better. Extensions that claim to clean anything more than the browser are to be distrusted.

Stay safe, everyone!

The post The 6 best Chrome extensions for privacy and security appeared first on Malwarebytes Labs.