IT NEWS

Avaddon ransomware campaign prompts warnings from FBI, ACSC

Both the Australian Cyber Security Centre (ACSC) and the US Federal Bureau of Investigation (FBI) have issued warnings about an ongoing cybercrime campaign that is using Avaddon ransomware.

The FBI states that it has received notifications of unidentified cyber actors using Avaddon ransomware against US and foreign private sector companies, manufacturing organizations, and healthcare agencies.

In a separate advisory (pdf), the ACSC says it is also aware of an ongoing ransomware campaign using Avaddon ransomware. This campaign is actively targeting Australian organizations in a variety of sectors.

Avaddon ransomware

Ransom.Avaddon is sold to criminal affiliates as a Ransomware-as-a-Service (RaaS) strain. It has been around since 2019, and in June 2020 it gained real traction through a malspam campaign. Later its operators began advertising higher rates for affiliates, and the ransomware increasingly arrived over RDP. Avaddon encrypts files offline, with no need to contact a command-and-control server first: file contents are encrypted with AES-256 and the AES keys are in turn protected with RSA-2048, so the files cannot be recovered without the operators' private key. Encrypted files get the .avdn extension.

No current decryptor

If you’ve heard about an Avaddon decryptor, don’t get your hopes up. It’s true that in February 2021 a researcher found a flaw in the Avaddon encryption routine that allowed them to create a free decryptor. However, one day later the ransomware developer posted a message that the flaw had been fixed. So the decryptor only works for older infections; if you have been affected by Avaddon since then, it will not work.

FBI description of Avaddon

Avaddon is used in targeted, “big game” ransomware attacks using familiar tactics. According to the FBI, Avaddon ransomware actors have compromised victims through remote access login credentials—such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN). After Avaddon actors gain access to a victim’s network, they map the network and identify backups for deletion and/or encryption. The malware escalates privileges, contains anti-analysis protection code, enables persistence on a victim system, and verifies the victim is not located in the Commonwealth of Independent States (CIS). Finally, a copy of the victim’s data is exfiltrated before the victim’s systems are encrypted.

Not afraid of law enforcement

Like many other ransomware operators hailing from the CIS, they act as if they have nothing to fear from law enforcement. And as long as they do not attack organizations in their home country, that is unfortunately probably true. Some Russian gangs have even been getting aggressive against law enforcement in the US. Statistics of how many police departments have been hit by ransomware attacks are hard to come by, as is information on whether departments ever pay a ransom. Homeland Security Secretary Alejandro Mayorkas has called ransomware a threat to national security and said the issue is a top priority of the White House. That sentiment was echoed in a recent report by the Ransomware Task Force.

Ransomware as a Service (RaaS)

Avaddon is offered as a Ransomware-as-a-Service (RaaS), a system that sees affiliates do the dirty work and use the ransomware however they like, provided they return a percentage of their profits to the Avaddon developers. The ACSC notes that Avaddon also has an active presence on underground dark web cybercrime forums, where it advertises the malware to potential affiliates. Avaddon threat actors also use a data leak site to identify victims who fail or refuse to pay ransom demands.

Typically, with RaaS you will see affiliates run different distribution vectors and look over each other’s shoulder to see what is working best. Probably because of this model we have seen Ransom.Avaddon spread by a botnet, in malspam campaigns, by exploit kits (RIG-EK), and recently by brute forcing RDP and VPN credentials.
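The RDP brute forcing mentioned above leaves a recognisable trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a successful logon (4624) from the same address once a password is guessed. The following is an added example of detection logic for that pattern, written for this page rather than taken from the FBI or ACSC advisories; the events are constructed samples in a simplified field layout, and the five-failures-in-five-minutes threshold is an assumption to tune for your environment.

```python
"""Detect RDP credential brute forcing from Windows Security log events."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP = 10  # logon type 10 = RemoteInteractive (RDP)

# Constructed sample events, not real logs. They mimic the fields of Windows
# Security events 4625 (failed logon) and 4624 (successful logon).
SAMPLE_EVENTS = [
    {"time": "2021-05-10T01:00:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2021-05-10T01:00:04", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2021-05-10T01:00:09", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2021-05-10T01:00:15", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2021-05-10T01:00:21", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"time": "2021-05-10T01:00:27", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    # The attacker guesses right: same source, now a successful RDP logon.
    {"time": "2021-05-10T01:00:33", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    # A user mistyping a password twice over an hour must not fire.
    {"time": "2021-05-10T08:12:00", "id": 4625, "logon_type": 10, "user": "alee", "src": "10.0.0.23"},
    {"time": "2021-05-10T09:05:00", "id": 4625, "logon_type": 10, "user": "alee", "src": "10.0.0.23"},
    {"time": "2021-05-10T09:05:20", "id": 4624, "logon_type": 10, "user": "alee", "src": "10.0.0.23"},
    # Console (interactive) failures are not RDP and are ignored here.
    {"time": "2021-05-10T09:10:00", "id": 4625, "logon_type": 2, "user": "alee", "src": "-"},
]


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag source IPs with at least `threshold` failed RDP logons inside a
    sliding `window`, and record whether that IP later logs on successfully
    over RDP (meaning a credential was found).

    Returns {src_ip: {"failures": n, "users": set(), "success_as": user|None}}.
    """
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent = defaultdict(list)  # src -> [(time, user)] failures still inside the window
    alerts = {}
    for e in events:
        if e["logon_type"] != RDP:
            continue
        t = datetime.fromisoformat(e["time"])
        src = e["src"]
        if e["id"] == 4625:
            recent[src].append((t, e["user"]))
            # Keep only failures that fall within the window ending now.
            recent[src] = [(ft, u) for ft, u in recent[src] if t - ft <= window]
            if len(recent[src]) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_as": None})
                a["failures"] = max(a["failures"], len(recent[src]))
                a["users"].update(u for _, u in recent[src])
        elif e["id"] == 4624 and src in alerts:
            # Success after a flagged burst: the password was guessed.
            alerts[src]["success_as"] = e["user"]
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        sev = "CRITICAL" if a["success_as"] else "WARNING"
        print(f"{sev}: {src} {a['failures']} failed RDP logons, users tried {sorted(a['users'])}, "
              f"success as {a['success_as']}")
```

The `success_as` field is the one to page on: a burst of failures is noise from internet scanners, a burst followed by a success is an intrusion in progress. One caveat when wiring this to real logs: with Network Level Authentication enabled, failed RDP attempts are commonly recorded as 4625 with logon type 3 (network) rather than 10, so a production rule should accept both.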

Additional threats

Like many other ransomware operators Avaddon has also increased pressure on its victims by threatening to publicize exfiltrated data on the dark web, and by performing DDoS attacks. The extortion/data leak process typically follows these steps:

  • Leak warning: After initially gaining access to a victim network, Avaddon actors leave a ransom note on the victim’s network and post a “leak warning” to the Avaddon dark web leak website. The warning consists of screenshots from files and proof of access to the victim’s network.
  • 5 percent leak: If the victim does not pay the ransom within 3 to 5 days, Avaddon actors increase the pressure on victims by leaking a portion of the stolen files. The Avaddon actors leak this data by uploading a small .zip file to Avaddon’s dark web leak website.
  • Full leak: If the ransom is not paid after the 5 percent leak, Avaddon actors post all their exfiltrated data in large .zip files in the “Full dumps” section of the Avaddon dark web leak website.

Detection and protection

Malwarebytes detects Ransom.Avaddon and protects users by means of real-time protection, both by using detection rules and by using patented anti-ransomware technology.

Malwarebytes stops Avaddon ransomware

Stay safe, everyone!

The post Avaddon ransomware campaign prompts warnings from FBI, ACSC appeared first on Malwarebytes Labs.

Alleviating ransomware’s legal headaches with Jake Bernstein: Lock and Code S02E08

This week on Lock and Code, we speak to cybersecurity and privacy attorney Jake Bernstein about ransomware attacks that don’t just derail a company’s reputation and productivity, but also throw them into potential legal peril.

In 2020, the cybersecurity community noticed a worrying trend from ransomware operators. No longer satisfied with just demanding a ransom payment to unlock their victims’ encrypted files, some ransomware gangs employed a new device to squeeze their targets: after initially breaching a business, they would pilfer sensitive data and then threaten to publish it online.

These are the so-called “double extortion” attacks, in which ransomware operators can hit the same target two times over—we’ve not only locked your files, which will cost money to decrypt, we’ve also stolen your data, which will cost money to keep private. But this threat doesn’t stop there. For companies hit with these attacks, not only do they often rebuild their databases, not only can they lose days or even weeks of work, not only are their reputations pummeled if their sensitive data is published online, but, depending on how much data is leaked, and what kind, they could also get into legal trouble.

“This is a big deal, and it is a legal issue,” Bernstein said. “It is not just an IT problem.”

Tune in to learn about these ransomware attacks, what state laws get triggered, how new privacy laws affect legal compliance, and why Bernstein does not expect any federal legislation to standardize this process, on the latest episode of Lock and Code, with host David Ruiz.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


A week in security (May 3 – 9)

Last week on Malwarebytes Labs, we discussed how Spectre attacks have come back from the dead; why Facebook banned Instagram ads by Signal; we highlighted the differences between the most popular VPN protocols; pointed out that Google is about to start automatically enrolling users in two-step verification; and looked at how millions are put at risk by old, out of date routers.

Other cybersecurity news:

  • Cisco HyperFlex web interface has a critical flaw. (Source: The Register)
  • NSA advised to strengthen the security of operational technology (OT). (Source: Tripwire)
  • Tesla automobiles vulnerable to compromise over WiFi. (Source: Kunnamon)
  • Fix for critical Qualcomm chip flaw is making its way to Android devices. (Source: ArsTechnica)
  • Multiple critical vulnerabilities in Exim Mail Server dubbed 21Nails. (Source: Qualys)
  • Domain hijacking via logic error; Gandi and Route 53 vulnerability. (Source: Cyberis)
  • Tour de Peloton: Exposed user data. (Source: PenTestPartners)
  • Apple fixes 2 iOS zero-day vulnerabilities actively used in the wild. (Source: BleepingComputer)
  • Google and Mozilla will bake HTML sanitization into their browsers. (Source: The Daily Swig)
  • tsuNAME, a vulnerability that can be used to DDoS DNS. (Source: tsuname.io)

Stay safe, everyone!


Ransomware attack shuts down Colonial Pipeline fuel supply

UPDATE 10:47 AM Pacific Time, May 10: At 8:55 AM Pacific Time, the FBI confirmed that Colonial Pipeline was attacked by Darkside. According to a statement posted on Twitter, the FBI said:

“The FBI confirms that the Darkside ransomware is responsible for the compromise of Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”

Original story below:

Ransomware caused major trouble last week, as the famous Colonial Pipeline fell victim to a devastating cyber-attack.

Presenting: the Colonial Pipeline

The pipeline exists to supply gasoline and other products across the southern and eastern United States. We’re talking from Texas all the way up to New Jersey. The pipeline is the largest of its kind in the US, reportedly transporting almost half of the fuel consumed by the east coast.

This is an incredible volume of supply and demand, and anything going wrong could be disastrous. There’s enough to worry about with more general accidents, without the threat of people maliciously breaking into systems.

That’s where we are now.

What happened?

Ransomware brought everything to a standstill on Friday. According to those performing analysis on the attack, the culprits are likely a group known as DarkSide. This is a group that rose to mainstream prominence in 2020, via dubious donations to charities. Going for that whole Robin Hood angle, they stole from corporations and handed the cash to causes they felt were deserving.

Well, they tried to.

When help turns out to be a hindrance

As it happens, charities don’t want a bunch of stolen money circulating in their bank accounts. Charity trustees can get into all kinds of trouble. Not just charities; any organisation could end up in a baffling sequence of money laundering shenanigans if not careful.

There were also suspicions that the “Good Samaritan” act was a way to cover for the fact that they’re still criminals, stealing money. The group behind these attacks seemed to have got the message. The Robin Hood charity drive went away, and we wondered what the criminal group’s follow up would be.

If the investigators are correct, this is several orders of magnitude more serious than anything people could have imagined.

Lockdown and emergency powers

The US government declared an emergency and brought in emergency powers to ensure people are still supplied with fuel. Those emergency powers allow for more flexibility for drivers to transport petroleum products to various locations. From the text:

FMCSA is issuing a temporary hours of service exemption that applies to those transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.

The digital to physical impact of the Colonial Pipeline attack

The real-world consequences from this attack are clear, and spread in several directions. There are the immediate risks of transporting fuel across 5,500 miles, and of people having no supplies. We also have potential danger on the roads, as road use increases and drivers have to cope with potentially longer driving hours. Fuel prices? Those appear to have risen, though it seems the supply would need to be down for a few days for it to cause significant impact.

Finally, there’s the issue of the shutdown itself. How many systems are compromised? What’s the damage? Can they guarantee all traces of infection are gone?

If it does turn out to be DarkSide, then this surely destroys their whole Robin Hood angle. And, if a recent message via DarkTracer is to be believed (the message has not been verified by Malwarebytes) then the group is making no pretence this time: “Our goal is to make money.”

If this attacker is DarkSide, it clearly doesn’t help those in need to eliminate their fuel reserves.

They’re coming for your Crypto-coins…maybe

2021 is already shaping up to be a mast year for ransomware. Ransomware gangs now have years of experience and tool making to draw on, cash in the bank, and a cryptocurrency boom to profit from. It is hard to imagine the status quo holding and it seems inevitable governments will respond strongly.

Prior to the attack, the US Justice Department had already announced a 120-day review of its approach to combating cyberthreats, which will include an analysis of how cryptocurrencies enable cybercrime. This echoes concerns raised in a recent strategic plan for tackling ransomware, conducted by the Ransomware Task Force. Among many recommendations, the task force called for ransomware to be treated as a national security threat, and for greater regulation of the cryptocurrency sector. A collision course seems inevitable at some point, and it’s already a significant talking point for experts in this field.

That’s for the future, though. For now, we’re left with supply lines left reeling. A few megabytes of code, perhaps a stray email with a dubious attachment, or maybe even just a server vulnerability that someone didn’t manage to patch in time.

Small issues, massive consequences.


VPN protocols explained and compared

A Virtual Private Network (VPN) creates a safe “tunnel” between you and a computer you trust (normally your VPN provider) to protect your traffic from spying and manipulation. Any VPN worth its money encrypts the information that passes through it, so in this article we will ignore those that don’t use encryption. Among VPNs that offer encryption there is a large choice of available protocols. Every one of those protocols has some advantages and disadvantages. These are the important factors to look at when you are about to choose one:

  • Speed
  • Strength of the encryption
  • Stability
  • Ease of use
  • Security/privacy

In this article we’ll look at the different VPN tunneling protocols and how they perform.

What does the VPN protocol do?

Basically, the VPN protocol, or rather the set of rules it defines, decides exactly how your data is packaged, authenticated and encrypted on its way through the tunnel. All these protocols have different rule sets based on what they care about most. For example, some VPN protocols prioritize data throughput speed while others focus on masking or encrypting data packets for privacy and security.

How many VPN protocols are there?

This list is not complete, but it covers the most commonly used VPN protocols:

  • OpenVPN
  • L2TP/IPSec
  • SSTP
  • IKEv2
  • PPTP
  • WireGuard

Why does a fast VPN protocol matter?

Even though speed should not be the deciding factor, a slow VPN will discourage users and will therefore quickly be abandoned. You don’t pay top dollar for a fast internet connection just for the VPN to slow it down. Or, when you have a slow connection, you don’t want your VPN to make it even worse. But speed is often a trade-off with other characteristics like the encryption strength and security. And the speed also depends on factors outside of the protocol, like the distance to the VPN server, and obviously the basic speed of your internet connection. Using a VPN will never make it faster.

Security and privacy

This will be the deciding factor for many users when they are about to make a choice for a VPN. It needs to be said that the vendor is at least as important here as the protocol. After all, what good is a secure protocol if it turns out the vendor is willing to hand over your data at the first request? So, if you hear people ask what is better than OpenVPN, for example, the answer is that it depends on what you are looking for exactly. Many protocols are capable of comparable speeds and levels of secure encryption.

Ease of use

A point that we have made often in the past is that security and privacy software that is hard to set up or difficult to manage often misses the target. Misconfigured software doesn’t do what it potentially can do for the user, so it’s basically a waste of time and money. To be honest, we have seen cases where the user would have been safer using a free VPN or none at all.

What VPN protocol should I use?

This is a question that everyone has to answer for themselves. We can tell you about some protocols that are often recommended and why. But you will have to make up your own mind.

OpenVPN

OpenVPN is an excellent open-source protocol, but many users struggle to set it up properly. If you have an installer software or expert help, then this is not your problem. You will find that OpenVPN is the default protocol used by many paid VPN providers. It is a secure protocol but not super-fast (not super-slow either).

L2TP/IPSec

L2TP/IPsec is actually a combination: Layer 2 Tunneling Protocol (L2TP) provides the tunnel and Internet Protocol Security (IPsec) provides the encryption, since L2TP itself has none. In speed and security it is on par with OpenVPN. It is easier to set up, unless you have to get through a firewall: it relies on UDP ports 500 and 4500 plus the ESP protocol, which are commonly blocked where HTTPS is not. Some security concerns have been raised over alleged NSA involvement in IPsec’s design, although no practical break of a correctly configured deployment is publicly known.

SSTP

SSTP is short for Secure Socket Tunneling Protocol, which was developed by Microsoft. It tunnels PPP traffic over TLS on TCP port 443, so it passes most firewalls that allow HTTPS. Although the protocol works on Linux, it is primarily thought of as a Windows-only technology: it is easy to set up on Windows machines, as you might expect, has only third-party client support on macOS, and is hard to deploy on Linux. Speed and security are about the same as for OpenVPN and L2TP/IPsec.

IKEv2

IKEv2 was developed in a joint effort by Microsoft and Cisco. It is very well suited for mobile devices on 3G or 4G LTE because, with the MOBIKE extension, it re-establishes the tunnel quickly when the connection drops or the device switches between Wi-Fi and mobile data. The protocol is very fast and secure; the actual data encryption is done by IPsec. It is also easy to set up on the devices that support it natively, such as Windows, macOS and iOS.

PPTP

PPTP is short for Point-to-Point Tunneling Protocol. It was originally developed by Microsoft for dial-up networks. PPTP is fast and easy, but this is mostly due to weak encryption (MPPE, keyed from an MS-CHAPv2 authentication exchange that can be cracked offline), and it comes with known vulnerabilities. It is no longer suitable for users who are privacy-focused.

WireGuard

WireGuard is relatively new compared to the other protocols, but it has quickly become widely adopted because of its high security standard. This does not come at the cost of speed, because WireGuard ditched a lot of the unnecessary extras that other protocols are burdened with: it uses one fixed set of modern primitives (ChaCha20-Poly1305 for encryption and Curve25519 for key exchange) instead of negotiable cipher suites, and the implementation is small enough to audit. It runs in the Linux kernel, and there are userspace implementations for other platforms, which makes it suitable for many platforms and applications.
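The simplicity is visible in the configuration. Below is an added example of a complete client-side WireGuard configuration, written for this page and not taken from any provider; the keys, addresses and endpoint are placeholders, and `vpn.example.com` is assumed to be your own server.

```ini
# Client side of a WireGuard tunnel (added example, placeholder values).
# Generate a real key pair with:  wg genkey | tee private.key | wg pubkey > public.key
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
# 0.0.0.0/0 and ::/0 send all traffic through the tunnel (full tunnel).
# Narrow this to e.g. 10.8.0.0/24 for split tunnelling; anything not
# listed here is sent outside the VPN and will not be encrypted.
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps NAT mappings alive so the server can still reach a client behind NAT.
PersistentKeepalive = 25
```

There is no cipher selection, no certificate chain and no authentication method to choose: identity is the public key, and the only decision that affects what is protected is `AllowedIPs`, which is therefore the setting to check when a tunnel looks up but traffic still leaks.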

Choose wisely!

We can only hope you read this article because you set out to make an informed decision (and we hope we have helped you with that). It is important to consider what matters to you in a VPN and also take into account that VPN software is more than just the protocol. The reason why you need a VPN and whether you trust the VPN provider should be equally important. Aside from a few outdated protocols, speed should no longer be an issue. Internet speeds are usually so much higher than what we actually need, a modern VPN should not interfere in a way that is noticeable.


Google to start automatically enrolling users in two-step verification “soon”

If you use a Google account, it may soon be mandatory to sign up to Google’s two-step verification program. As recently as 2017, only a tiny fraction of Gmail users made use of its two-step options. Maybe the uptake is still slow, and Google has decided enough is enough. With so much valuable data stuffed inside Google accounts, it’s beyond time to ensure they’re locked down properly.

It’s enrolment time

With this need for security in mind, Google has announced the roll-out of automatic two-step verification. If your account is “appropriately configured”, you’ll be ushered into a land of extra security measures. There doesn’t seem to be any additional information about what “appropriately configured” means yet. The Google blog cites the security check-up page, but that simply lists:

  • Devices which are signed in
  • Recent security activity from the last 28 days
  • 2-step verification, in terms of sign-in prompt style, authenticator apps, phone numbers, and backup codes
  • Gmail settings (specifically, emails which you’ve blocked)

How this translates into “Hello, we’re going to enrol you into our two-step verification program”, I’m not entirely sure. Perhaps they’ll add more specific requirements which need to be met to enable the enrolment process at a later date. If the requirement is a minimum level of setting up various security options, then only the most security conscious might be asked to enable it in the first place. This would surely mean those in most need of security fine-tuning, won’t get it.

The password problem

Questions about how this will work aside, Google continues to keep plugging away at the eternally relevant password problem. Its password import feature allows people to save passwords as a CSV file, then port it into Chrome. If you’re hopping from one password manager to another, and have a lot of your digital life tied into Google services, this may be ideal.

We’re all impacted by weak security. Compromised logins have a knock-on effect for everybody. When your email is broken into, it allows attackers potential access into every account tied to it. A few password resets later, and one account used for spam is now multiple accounts spamming, sending infections, social engineering, the works. This is how people quickly build up small armies of compromise and go about their shenanigans on a daily basis.

It doesn’t have to be a major campaign. The operators don’t have to be criminal masterminds. A couple of random people with a little bit of tech know-how can quickly figure out how to monetise a few dozen stolen accounts. That’s how you eventually do end up with major campaigns, with more work for law enforcement and security researchers to figure out who the new kids on the block are.

Step up, and lock down

By keeping your accounts secure, you’re not just helping yourself. You’re helping everybody, and preventing them losing their savings or non-compromised PC to attackers leveraging your bad password practices. This is a good thing to keep in mind as we wave goodbye to this year’s World Password Day. It’s never too late to start brushing up on your passwords. Get yourself familiar with a couple of password managers and pick the right one for you.

Lock down your master password. Set up restrictions on who can log in, and how. Make it so that only people in your specific geographical region can log in. Make yourself some backup codes, print them off, and put them somewhere safe in case you lose master password access. Just a few of these steps will go a long way towards keeping both yourself and others much more secure than you were previously. There can’t be any better way to close out the week playing host to World Password Day than that.


Millions put at risk by old, out of date routers

Since the first stay-at-home measures were imposed by governments to keep everyone safe from the worsening COVID-19 pandemic, we at Malwarebytes have been making sure that you, dear reader, are as cyber-secure as possible in your home network, while you try to work and while your children attend online classes.

There has been much discussion of antivirus protection, patching your software, and using VPNs. But what if the security flaws aren’t in your phones or laptops, but the router your ISP gave you?

Which?, a consumer watchdog in the UK, recently released its findings about routers issued by UK Internet Service Providers (ISPs). Based on its assessment, it reckons that at least two million Britons are at risk from routers that haven’t been updated since 2016. This alone seems to go against the Secure by Design proposal, already-drafted legislation that would give the Department for Digital, Culture, Media and Sport (DCMS) the power to order tech makers (phone, tablet, IoT) to be transparent, from launch, about when they’ll stop providing security updates for their new devices.

Granted, the Secure by Design hasn’t been made law yet, so the ISPs aren’t breaking any regulations. However, it seems preposterous to think that companies would have to wait to be mandated before they start caring about their customers’ security and privacy.

Router flaws found by Which?

Which? looked into routers provided by EE, Sky, TalkTalk, Virgin Media, and Vodafone. Of the 13 router models it tested, the watchdog found that two-thirds (9 routers out of the 13) had flaws that, if the Secure by Design law were in effect, would easily mark these providers as non-compliant. Below are the old-router vulnerabilities Which? found:

  • Weak default passwords. These passwords can be easily guessed by hackers, are common across devices and could grant someone access. This can be done from outside of the home network, so a hacker could access a router from anywhere in the world.
  • Local network vulnerabilities. While the risk here is lower as a hacker would have to be in the vicinity of the router, vulnerabilities such as this could allow a cybercriminal to completely control your device, see what you’re browsing or direct you to malicious websites.
  • Lack of updates. Firmware updates aren’t only important for performance, they’re also needed to fix security issues when they arise. Most of the routers we looked at hadn’t had a security update since 2018 at the latest, with no guarantee of a new one in the near future.

The consumer body is concerned that many UK internet users are using old router models with no guarantee of an upgrade, thus making them “low hanging fruits” for criminal hackers to target. With its findings, Which? encourages customers of UK ISPs mentioned in the report to contact their provider and ask about potentially getting a router upgrade.

Although one of the companies that Which? contacted is using old routers, they said that they continue to monitor for threats and provide updates if needed. Despite this claim, Which? did find an unpatched vulnerability on one of the routers it tested. This could suggest that, although ISPs are doing what they can to patch flaws, it’s likely that they’d miss a few holes.

Virgin Media, one of the ISPs, didn’t accept the testing results from Which?, telling the BBC that “nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers.” However, Which? noted that Virgin only counted paying households, whereas its testing counted each member of the household.

A wake up call to ISPs

Which? is a proponent of ISP transparency with regard to routers receiving firmware and security updates, a requirement of the Secure by Design proposal. The company also calls for the government to ban the use of default passwords, or ISPs allowing users to set weak passwords on their routers.

This is a good move. Although convenient, setting a weak password isn’t going to strengthen anyone’s security. On top of that, ISPs allowing users to always take the convenient and insecure route misses a good opportunity to educate their customers on good computer—and password creation and management—practices.

“Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals.” says Kate Bevan, computer editor for Which?, in a press release. “Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”

Lastly, Which? calls for UK ISPs to “be ready to respond when security researchers warn them about possible issues – and should make it easy for researchers to contact them.”

Is your router secure?

Many households rely heavily on their routers, for working from home, studying, or simply keeping in touch with friends and family during these tough times. Sure, you may have been using it for years and you haven’t been hacked yet, “to the best of your knowledge”, but you shouldn’t take comfort in this for long. Now is as good a time as any to focus on securing your router.

Using routers that can’t be patched if a serious vulnerability appears increases your risk of being exposed to attacks, and increases the risks for everyone else too. Routers are computers like any other and (as the Mirai botnet showed) they can be compromised and added to a botnet like any other.

So, the best way to stay safe is to make sure you’re using your ISP’s latest router.

Whatever router you’re using, be sure to change the default password if it had one. These are known to criminals and there are vast lists of default passwords circulating on the Internet for anyone to read. For more steps to take, Which? has a section on what to do if you’re affected by the routers mentioned in its lab tests.


Facebook bans Signal ads that reveal the depth of what it knows about you

Most of our readers are well aware of the fact that the big tech corporations, especially those that run social media know a great deal about us and our behavior. But it rarely hits home how much personal data they have about us and how they can guess, quite correctly, even more. Lots more.

Signal came up with an idea to drive that point home. A simple but very effective idea, nothing short of genius. They bought advertising space on Instagram and showed visitors ads full of the characteristics that were used to target them.

Some example advertisements. Image courtesy of Signal.

In a blog post, the company explains what it tried to do and how Facebook banned its ads, even though it had only tried to demonstrate that Facebook’s own tools have the potential to divulge what is otherwise unseen.

About Signal

Signal is a privacy-focused messaging app that has picked up a lot of new users recently, after rival WhatsApp made an unpopular change to its privacy policy. It has made the news on several occasions after being asked by governments to hand over user data. It has always declined, stating that it does not record the data it is being asked to produce. The company says that it keeps minimal records about its users and all Signal messages and voice calls are end-to-end encrypted.

The many faces of Facebook

The US-based photo and video sharing social networking Instagram was acquired by Facebook in 2012. Facebook also developed and runs Facebook Messenger, a messaging app and platform. Facebook also owns WhatsApp, a massively popular messaging service that allows users to send text messages and voice messages, and with that is a direct competitor to Signal.

The contrast

The very different ways these two companies deal with user data while being active on the same playing field explains some of the animosity between the two. And Signal has never shied away from criticizing other companies it thinks are compromising users’ privacy or security. (I’m not even mentioning that Facebook introduced a discovery and curation tool called, you guessed it, Signal for Facebook and Instagram.)

The user data

All this does not take away from the fact that I would have loved to see the effect on Facebook users if these ads had been allowed to run. Would it have outraged users? Because seeing that sort of personal information displayed on a website really hits home. Could they even have scared users away from commercial social media? Let’s not forget that not only does Facebook gather that data, it also sells it to advertisers, as Signal tried to point out with its campaign.

What you share

Recently we have warned our readers about the worst possible information you could share on social media. Those are the things that are easy to understand and act on once you see the dangers. But all the small details that you give away in your posts matter too. Taken together they can amount to a thorough customer profile that is valuable to advertisers. Knowing where your interests lie allows them to spend their advertising dollars more effectively.

Advertising on social media

Advertising is a straightforward way for social media networks to make money from the data they’ve collected, both by offering ad space to advertisers and by allowing external parties to potentially dip into the same pool. Unlike traditional publishing, social media ads can be tailored, based on the personalized data the social network sees you searching for, talking about, or liking every day.

If you thought hitting “like” (or its equivalent) on a website was simply a helpful thumbs up in the general direction of someone providing content, think again. Even if you don’t click like, if you’re a Facebook user and you’ve not logged out then Facebook knows you’ve visited that web page. And if you click “like”, it also knows that you liked that page. All of which feeds data into the big pot of “These are the ads we should show this person”, even when you’re not actually using Facebook.

Guessing the rest about you

What they know about you can be topped off by what they can guess about you. Guesses are based on the interests of you, your family, your friends, and your friends’ friends, plus other demographic clues, such as your job title, pictures of your home, travel experiences, cars, and marriage status. All of these data points help the social network figure out which specific adverts to send your way. And they offer this information readily to their customers, the advertisers.

They just don’t want you to see it in the ads.

The post Facebook bans Signal ads that reveal the depth of what it knows about you appeared first on Malwarebytes Labs.

Spectre attacks come back from the dead

Spectre is the name for a whole class of vulnerabilities discovered in January 2018 that affected huge numbers of modern computer processors that rely on a performance feature called speculative execution. Since then, some of the world’s most talented computer scientists from industry and academia have worked on software patches and hardware defenses.

Now it seems they may have to do it all over again.

New research has discovered Spectre attacks that bypass existing mitigations. Before we explain that though, let’s recap what Spectre is all about.

Speculative execution?

Speculative execution happens when a computer processor does some work it might need later, instead of waiting until it knows it definitely needs it. What emerged in 2018 is that speculative execution opens the possibility of side-channel attacks. Spectre-based attacks trick a program into accessing arbitrary locations in its own memory space. As a result, an attacker may be able to read the content of the accessed memory, and thus potentially obtain sensitive data.

Or, as the researchers put it:

A Spectre attack tricks the processor into executing instructions along the wrong path. Even though the processor recovers and correctly completes its task, hackers can access confidential data while the processor is heading the wrong way.

Speculative execution can be compared to a reverse firing squad: One person has the gun and all the potential victims are lined up opposite. For the potential victims there is no way of knowing who will get executed first. But the person holding the gun may have one in mind.
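To make the mechanism concrete, here is an added example (not code from the researchers’ paper or from any vendor) of the classic Spectre-shaped bounds-checked lookup beside the kind of software defense developed since 2018, a branch-free index mask modelled on the Linux kernel’s array_index_mask_nospec(). The table contents and the function names are constructed for illustration. Both functions return the same value for every index; the difference is that the masked version clamps the index before the load, so a processor that speculates past the comparison still only ever touches table[0].

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table (illustration only; not data from the paper). */
#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Classic Spectre-shaped lookup. Architecturally the bounds check is
 * correct and an out-of-range idx returns 0. During speculation, however,
 * a mis-predicted branch can let the CPU execute table[idx] with an
 * out-of-range idx before the compare resolves, and that transient load
 * can leave traces in microarchitectural state. */
uint8_t lookup_unprotected(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* Branch-free bounds mask in the spirit of the Linux kernel's
 * array_index_mask_nospec(): returns all-ones when idx < size and 0
 * otherwise. idx | (size - idx - 1) has its top bit clear only when
 * idx < size (with size below 2^63), so an arithmetic shift of its
 * complement yields the mask. No conditional branch means there is
 * nothing for the predictor to speculate past. Assumes an arithmetic
 * right shift on signed values (what gcc and clang do on x86-64 and
 * AArch64); the kernel itself uses inline asm (cmp/sbb) so as not to
 * depend on the compiler here. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    intptr_t m = (intptr_t)~(idx | (size - idx - 1));
    return (size_t)(m >> (sizeof(size_t) * 8 - 1));
}

/* Same architectural result as lookup_unprotected(), but the index is
 * clamped to 0 for out-of-range values *before* the load, so even a
 * transient execution reads only table[0]. The result is masked as well,
 * so an out-of-range call still returns 0. */
uint8_t lookup_masked(size_t idx)
{
    size_t mask = index_mask_nospec(idx, TABLE_SIZE);
    return table[idx & mask] & (uint8_t)mask;
}

int main(void)
{
    printf("in bounds:     %u %u\n", lookup_unprotected(5), lookup_masked(5));
    printf("out of bounds: %u %u\n", lookup_unprotected(40), lookup_masked(40));
    return 0;
}
```

Defenses of this shape, like the other post-2018 mitigations, act on what happens after the branch is (mis)predicted; the article’s point is that the micro-op cache research targets an earlier stage of the pipeline that such defenses do not cover.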

Exploiting changes of heart

The researchers behind the latest discovery, a team of computer scientists from the University of Virginia and the University of California, San Diego, have just published a paper (pdf) describing a new set of Spectre attacks based on processor micro-op caches.

To return to our analogy, let’s say our executioner (the computer processor) is making preparations for the first target to be executed and writes some notes about what it’s going to do. Processors store these notes in what is called the op-cache. Basically, they are simple instructions that the processor expects to need later, when it executes that target instruction.

Now let’s say our executioner decides to target somebody else first instead. They still have their notes about the first target. When a processor decides to target another instruction first, or erroneously does so, it opens up a possible attack vector that can read its notes from the op-cache. With enough data an attacker can then predict which was the intended first target.

The new Spectre attacks

The research claims that all modern AMD and Intel chips with micro-op caches are vulnerable to Spectre-style attacks, and sets out “attacks that exploit the micro op-cache as a timing channel to transmit secret information”. The attacks exploit the micro-op cache to leak secrets in three ways:

  • Across the user-kernel boundary.
  • Between two SMT (Simultaneous MultiThreading) threads running on the same physical core.
  • Along a mis-speculated execution path.

Back to the drawing board

The new lines of attack demolish current defenses because those defenses only protect the processor in a later stage of speculative execution. According to the researchers, all the defenses against Spectre side-channel attacks that have been developed since 2018 can be bypassed by these new attacks, thus “leaving billions of computers and other devices just as vulnerable today as they were three years ago”. So, it’s basically back to the drawing board for everyone who has put in the time and energy.

The paper proposes three possible mitigation techniques:

  • Flushing the micro-op cache at domain crossings. This wipes the content of the op-cache so it can’t be queried for information. It does, however, throw away a great deal of the speed that the op-cache was introduced to gain.
  • Performance counter-based monitoring. A method that leverages performance counters to detect anomalies indicating potentially malicious activity in the micro-op cache.
  • Privilege level-based partitioning. Partitioning the op-cache based on the privilege level assigned to the code would prevent unauthorized code from getting at higher-privileged entries, but given the small size of the op-cache, partitioning could prove cumbersome.

The impact

The good news is that exploiting Spectre vulnerabilities isn’t easy. It requires an enormous amount of knowledge about the processor at hand and a lot of luck to find any specific piece of information an attacker might be looking for. But it does allow an attacker to gather information at random and hope the golden bullet is somewhere in there. Given the large number of affected processors, essentially all modern 32- and 64-bit PC processors and the vast majority of standard server hardware, the laws of big data may apply.

May the 4th be with you!

The post Spectre attacks come back from the dead appeared first on Malwarebytes Labs.

A week in security (April 26 – May 2)

Last week on Malwarebytes Labs, we looked at which age range is most likely to be targeted by online predators, talked to Malwarebytes CISO John Donovan on our Lock and Code podcast, and explored the latest deepfake happenings. We also dug into a supply chain attack, discussed threats from a ransomware group, and did a deep dive on wallet recovery code scams. There were also fines for cities, and a 101 guide to smishing. We had Signal insisting it’s very private indeed, an explainer for IP addresses, vulnerabilities in IoT land, and a plan for success from the Ransomware Task Force.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (April 26 – May 2) appeared first on Malwarebytes Labs.