IT NEWS

An IP address tells computers how to find a certain device within a computer network. An IP address is like an address label for information packets. For each network your computer is connected to, it has a unique IP address on that network. So, one device can have several IP addresses at the same time. In most home computers you may see traffic on these IP addresses:

• 127.0.0.1 is the loopback address which is used if something on your device needs to talk to another service on the same device.
• A home network address which is usually in a range reserved for private networks. Well known ranges for this purpose start with 10. and 192.168. which are often pre-programmed in routers whose job it is, among others, to assign IP addresses to connected devices.
• Your IP address on the Internet, which is in most cases is assigned to you by your Internet Service Provider (ISP), and changes from time to time. You can learn your current Internet IP address by looking at this site.

What does IP stand for?

IP is short for Internet Protocol and is part of TCP/IP which is the networking software that makes it possible for your device to interact with other devices on a computer network, including the Internet. TCP/IP is actually a stack of protocols that make it possible for computers around the world to communicate without differences between languages and hardware. For a device to be able to use the Internet protocol it needs to have IP software and an IP address.

How are IP addresses written?

Most IP addresses that you see will be Internet Protocol version 4 (IPv4) addresses. These have 32 bits of information and are written in four octets of eight bits. Since we are used to working with decimal numbers, you will usually see the four octets written as four decimal numbers between 0 and 255, separated by dots. For example, at the time of writing, the computer running this website had an IP address of 130.211.198.3.

Decimal vs octal

In some cases, it might be beneficial to know the difference between the different notations.

Decimal means a number expressed in the base-ten system which is the system that we use every day that uses the ten digits 0-9, whereas octal means the number system that uses the eight digits 0-7.

Since an IP address is a 32-bit number, sometimes it makes sense to use the octal number system instead of decimal. The decimal IP address 127.0.0.1 looks like 0177.0000.0000.0001 in octal. A computer will recognize both of them as different, equally valid ways of writing the same address. Here’s why:

In decimal, numbers are written according to how many ones they have, how many tens, how many hundreds, and so on. So, the number 127 is 1 * 100, 2 * 10 and 7 * 1.

In octal, numbers are written according to how many ones they have, how many eights, how many 64s, and so on. So, the number 127 is represented as 0177, which is 0 * 128, 1 * 64, 7 * 8 and 7 * 1.

Running out of IP addresses

There are only 4,294,967,296 different combinations of four numbers between 0-255, so that is the theoretical maximum number of IPv4 addresses you could have on any one network (in reality it’s less than this because some IP address ranges are reserved).

In November 2019, the RIPE NCC (the regional Internet registry for Europe, West Asia, and the former USSR) announced that it had exhausted its pool of IPv4 addresses. This did not come as a surprise, and it didn’t mean that suddenly nobody could have an IP address—sometimes addresses can be recovered, and networks can be extended using Network Address Translation—but it demonstrated the need to implement the successor of IPv4. RIPE warned that “Without wide-scale IPv6 deployment, we risk heading into a future where the growth of our Internet is unnecessarily limited. “

IPv4 and IPv6

What is Internet protocol version 6 (IPv6) and what makes it different from IPv4? Obviously, since one of the reasons to deign IPv6 was the shortage of IPv4 addresses, there are more IPv6 addresses available. As we pointed out earlier an IPv4 address is a 32 bit number, whereas IPv6 address is a 128 bit number. IPv4 is a numeric addressing method whereas IPv6 is an alphanumeric addressing method. And where IPv4 binary bits are separated by a dot(.), the IPv6 binary bits are separated by a colon(:).

The difference in bits allows for IPv6 to multiply the number of possible IP addresses by 1028, which may not sound like much, but it gives us 340 trillion trillion trillion possible addresses!

There are technical differences between the protocols as well. We will not handle them in detail as that is outside the scope of this post, but it’s good to be aware of them:

• IPv6 has built-in quality of service (QoS).
• IPv6 has a built-in security layer (IPsec).
• IPv6 eliminates the need for Network Address Translation (NAT).
• IPv6 enables multicasting by default which means the same packet can be sent to several addresses.

IP addresses and geolocation

IP addresses are allocated on a geographic basis, so they can be used for a crude form of geolocation. An important thing to remember though, especially for all the Internet detectives out there, is that finding out an IP address does not provide you with a physical location. The result you get from looking up an IP address’s location can be wrong by hundreds of miles. The location of an IP address on a map can be very misleading as it will often point to the location of the ISP that assigned the address, or to the center of an area where similar IP addresses reside. Innocent people have been harassed, even by the police, based on misunderstanding these “maps”.

IP-based geolocation is useful for website geotargeting (showing users content based on their country or region) but it is not suitable if you want to pay someone a visit.

Aside from geolocation, there is another way to connect an IP address into a physical address: Your Internet IP address is typically allocated by your ISP, and your ISP typically knows your physical address. Anyone who can convince your ISP to give up that information, either by buying it, issuing a subpoena or by social engineering, can learn your address.

How to hide your IP address

Many people don’t like their IP address to be known or visible to the websites or services they are interacting with. There are various possible reasons for wanting to hide your IP address. As awareness of corporate surveillance and criminal hacking has grown, so have concerns about personal privacy. Many people believe that it should be their choice when and how they give up some of their privacy, and don’t want prying eyes on their normal, legitimate behavior.

A Virtual Private Network (VPN) gives you more control over the IP address and other information that is visible on the Internet. Of course, you still need an IP address when using an online service or website, or the packets will not know where to go, but the outside world can only see your VPN provider’s IP address, not the one given to you by your ISP.

By using a VPN, your packets are taking a detour. Compare it to a PO box where you can have your mail sent without providing your physical address to the sender. With the difference that you don’t have to go out and fetch it, it still gets delivered to your home by the one thing that knows your real IP address: The VPN provider that you have decided to trust.

The post What is an IP address? Do I need one? appeared first on Malwarebytes Labs.

The Cybersecurity and Infrastructure Security Agency (CISA) has published advisory ICSA-21-119-04 about vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. Those operating systems and libraries are widely used in smart, Internet-connected “things”. The number of affected devices could be enormous.

As is the fashion these days, the collection of vulnerabilities has been given a name: BadAlloc. CISA has assigned a vulnerability score of 9.8 out of a maximum of 10 for the BadAlloc vulnerabilities and has urged organizations to address these issues as soon as possible.

The vulnerabilities included in BadAlloc

BadAlloc is a large set of remote code execution (RCE) vulnerabilities found by Microsoft’s Section 52:

These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.

Section 52 is Microsoft’s Azure Defender for IoT security research group consisting of IoT/OT/ICS domain experts that reverse-engineer malware, and track ICS-specific zero-days, campaigns, and adversaries.

Where does the name BadAlloc come from?

The researchers found that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.

Heap is the name for a region of a process’ memory which is used to store dynamic variables. If these get written to the wrong place, an attacker could input malicious data, which if it is not validated, could allow an attacker to perform remote code execution, or crash the affected system.

In the programming language C++, bad_alloc is the type of the object thrown as exceptions by the allocation functions to report failure to allocate storage. So, this may have been the inspiration for the name.

Which devices are affected?

This is a long list and some of these, in turn, represent a lot of different devices:

• Amazon FreeRTOS, Version 10.4.1
• Apache Nuttx OS, Version 9.1.0 
• ARM CMSIS-RTOS2, versions prior to 2.1.3
• ARM Mbed OS, Version 6.3.0
• ARM mbed-uallaoc, Version 1.3.0
• Cesanta Software Mongoose OS, v2.17.0
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
• Google Cloud IoT Device SDK, Version 1.0.2
• Linux Zephyr RTOS, versions prior to 2.4.0
• Media Tek LinkIt SDK, versions prior to 4.6.1
• Micrium OS, Versions 5.10.1 and prior
• Micrium uCOS II/uCOS III Versions 1.39.0 and prior
• NXP MCUXpresso SDK, versions prior to 2.8.2
• NXP MQX, Versions 5.1 and prior
• Redhat newlib, versions prior to 4.0.0
• RIOT OS, Version 2020.01.1 
• Samsung Tizen RT RTOS, versions prior 3.0.GBB
• TencentOS-tiny, Version 3.1.0
• Texas Instruments CC32XX, versions prior to 4.40.00.07
• Texas Instruments SimpleLink MSP432E4XX
• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
• Uclibc-NG, versions prior to 1.0.36 
• Windriver VxWorks, prior to 7.0

Microsoft worked with all the affected vendors in collaboration with the US Department of Homeland Security (DHS) to coordinate the investigation and release of updates.

Mitigation

For now, we have not seen any indications of these vulnerabilities being exploited, but given the amount of available targets, you can be sure exploits are being sought. Unlike computers, Internet-connected devices can be difficult, or even impossible to update. Because of that, mitigating against these issues could be extremely important for years to come.

In the CISA advisory you can find a list (under 4. Mitigations) which shows the updates that are available. The agency advises users to take the following defensive measures, to minimize the risk of exploitation:

• Apply available vendor updates.
• Ensure that affected devices are not accessible from the Internet.
• Minimize network exposure for all control system devices and/or systems.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required.

Microsoft provides the following mitigation advice:

…we recognize that patching IoT/OT devices can be complex. For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets, as described in the mitigations section at the end of this blog post.

Stay safe, everyone!

The post IoT riddled with BadAlloc vulnerabilities appeared first on Malwarebytes Labs.

The Ransomware Task Force (RTF), a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments, has recently pushed out a comprehensive and strategic plan for tackling the increasing threat and evolution of ransomware.

The report, entitled “Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force”, which you can read here [PDF]  advocates for “a unified, aggressive, comprehensive, public-private anti-ransomware campaign.”

The purpose of creating the document seems to be threefold: first, to educate the targeted reader—in this case, policy makers and industry leaders—about the dangers of ransomware; second, to call for unification amongst organizations to collectively beat the ransomware enterprise; and third, to guide organizations and governments on action items (48 in total) they can pursue to disrupt the ransomware-as-a-service (RaaS) model and extensively lessen the impact of current and future attacks.

“This is great news and sorely needed,” says Jerome Segura, Director of Threat Intelligence at Malwarebytes, in an email. “One key aspect is, of course, international cooperation (or the lack thereof) which has proven to be a key reason why many criminals from Eastern Europe can continue their business without real fear of prosecution.”

Ransomware: a threat to national security

Ransomware attacks had been popping up left and right, even before the COVID-19 pandemic threw a wrench into cybersecurity efforts of many already challenged companies and industries. Ransom demands inflated steeply through the pandemic, and the money raised appears to be being reflected in increasing innovation and sophistication.

The report quantifies the impact of a ransomware attacks with some startling statistics. According to the RTF the average ransom payment in 2020 was $312,493, an increase of 171% over the previous year. Perhaps even more costly and damaging, it puts the average time it takes to fully recover from a ransomware attack at just over nine months.

Note that these are average numbers, which means that there are cases when organizations have dealt with much longer downtimes and paid far higher ransoms (demands go into the tens of millions) to get their businesses back up and running as quickly as possible.

Gone are the days when threat actors behind ransomware campaigns targeted organizations they thought had the means to readily cough up money to meet their demands. These past few years, ransomware gangs have become more opportunistic, perhaps comforted by the wide availability of ransom insurance. They have deliberately targeted networks and breached systems of vital infrastructure, such as hospitals, schools, local governments, and nuclear plants, knowing full well that they may be putting lives at risk.

Organizations who refuse to pay the ransom have then to deal with the data leaking that will inevitably follow; the delays caused by identifying and fixing the problems that allowed the ransomware gang into its systems; and the cost to undergo crisis management efforts and generally getting back on track as quickly as possible, while also increasing their overall cybersecurity posture. On the other hand, organizations who do pay the ransom get to spend millions of dollars, too, on top of the ransom payment and still aren’t guaranteed to get their data back, or a speedy recovery.

Ransom payments may then used to fund criminal enterprises that, for example, engage in human trafficking, terrorism, and “the proliferation of mass destruction”. But perhaps the most damaging of all is that ransomware attacks can sow doubt in the minds of the public towards public institutions.

To add salt to the wound, ransomware threat actors do this from within countries that are turning a blind eye to, or even encouraging, these cybercrime campaigns. They are safe havens where gangs know they won’t be charged, prosecuted or extradited for their actions. It is not difficult then to see why the RTF urged its audience to “raise the priority of ransomware within the intelligence community, and designate it as a national security threat” while advocating the use of “criminal prosecution and other tactics”.

Core actions organizations and governments must take

Although there are multiple steps recommended in the report, the RTF prescribes that these steps should be viewed and considered part of a bigger whole as they were each designed to complement and build on each other.

According to the report:

“The strategic framework is organized around four primary goals: to deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; to disrupt the business model and reduce criminal profits; to help organizations prepare for ransomware attacks; and to respond to ransomware attacks more effectively.”

To see the necessary impact against the ransomware enterprise, the task force stresses the importance of adopting these steps as soon as possible, with continuous coordination among the involved parties at a national and international level. (The RTF has proposed that the US government take charge in international coordination efforts with its partners.)

Among its priority recommendations, the RTF proposes that greater prioritization be given to an intelligence-driven anti-ransomware efforts; mandatory reporting of ransomware attacks and the creation of Cyber Response and Recovery funds; the development of a framework to help organizations prepare for, and respond to, ransomware attacks; and greater regulation of the cryptocurrency sector.

About the RTF and other anti-ransomware efforts

The Institute of Security and Technology (IST) is the host organization that launched the Ransomware Task Force four months ago in December 2020. Before this, significant efforts have been made by organizations within or associated with the cybersecurity industry in combating ransomware.

In January this year, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Reduce the Risk of Ransomware Campaign where it focused on educating the public and private sectors on anti-ransomware best practices and what tools and resources to use to mitigate attacks. CISA’s one-stop page for everything one needs to know about ransomware can be found on this CISA ransomware page.

In July 2016, Europol’s European Cybercrime Centre joined forces with other law enforcement bodies and IT security companies to launch No More Ransom (NMR). Similar to the above mentioned efforts, NMR also aims to help victims recover their data without shelling out money. They do this by collating decryption tools for ransomware families, created by cybersecurity volunteers. You can learn more about No More Ransom by visiting its official website.

The post Task Force delivers strategic plan to address global ransomware problem appeared first on Malwarebytes Labs.

Signal—the private, end-to-end encrypted messaging app that surged in popularity in recent months—once again reminded criminal investigators that it could not fully comply with a legal request for user records and communications because of what it asserts as a simple, unchanging fact: The records do not exist on Signal’s servers.

This is at least the second request of this kind that Signal has received in the last five years, and in the same time period, similar government demands to pry apart end-to-end encrypted communications have become commonplace. Every single time the government has tried this—from the FBI’s insistence in 2016 that Apple create new software to grant access to a device, to the introduction of the EARN IT Act in Congress last year—cybersecurity experts have pushed back.

The legal request to Signal came from the US Attorney’s Office in the Central District in California in the form of a federal grand jury subpoena. According to the subpoena, investigators sought “all subscriber information” belonging to what appeared to be six Signal users. The requested information included “user’s name, address, and date and time of account creation,” the date and time that the users downloaded Signal and when they last accessed Signal, along with the content of the messages sent and received by the accounts, described in the request as “all correspondence with users associated with the above phone numbers.”

Signal responded to the subpoena with help from lawyers from American Civil Liberties Union. According to the company’s response, Signal could only comply with two categories of information requested by the US Attorney’s Office.

“The only information Signal maintains that is responsive to the subpoena’s inquiries about particular user accounts is the time of account creation and the time of the account’s last connection to Signal servers,” wrote ACLU attorneys Brett Kauffman and Jennifer Granick. Kauffman and Granick also addressed some of the US Attorney’s Office’s questions about the physical locations of Signal’s servers and whether the technical processes of account creation and communication for Signal users in California ever leave the state of California itself.  

In a blog published this week, Signal said why it again could not comply with a subpoena for user information, explaining that, because of the app’s design, such user information never reaches their hands.

“It’s impossible to turn over data that we never had access to in the first place,” the company wrote. “Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for.”

This lacking access, while excellent for user privacy, has frustrated law enforcement for years. It is a problem that is often referred to as “going dark,” in that the communications of criminals using end-to-end encrypted messaging apps are inaccessible to any third parties, including government investigators. Former Deputy Attorney General Rod Rosenstein has referenced the “going dark” problem, as has current FBI Director Christopher Wray. Many other representatives have, as well, and each time their refrain has stayed the same: End-to-end encrypted messaging apps provide a level of security that is too extreme to allow without a way for law enforcement to break through it.

But it’s magical thinking on the government’s part.

As many cybersecurity experts have explained over literal decades, allowing third parties to access secure, end-to-end encrypted communications will, by definition, make them less secure, functioning in effect as a backdoor. And a backdoor, in and of itself, is a security vulnerability.

Signal’s efforts to publicize its grand jury subpoena are notable—these requests often come with an instruction that the recipient not disclose any details of the request, else they risk jeopardizing an ongoing criminal investigation. These are valid concerns, but so are the concerns raised by Signal, which are that, even after all this time, government agents still believe that evidence can be conjured out of thin air.

The post Signal app insists it’s so private it can’t provide subpoenaed call data appeared first on Malwarebytes Labs.

The Dutch information watchdog—the Autoriteit Persoonsgegevens (AP)—has fined the city of Enschede for € 600,000 for tracking its citizens’ movements without permission. It is the first time that a Dutch government body has been fined by the AP. The investigation was set in motion after it received a complaint about tracking.

The Autoriteit Peroonsgegevens is the Dutch supervisor that has been commissioned to keep an eye on how companies and governments process Personally Identifiable Information (PII) in the Netherlands. In other words, it guards privacy-sensitive information, and how it is handled.

What did Enschede do wrong?

The city of Enschede hired a company to keep track of how crowded its city center was. The company they hired used Wi-Fi-tracking to measure how many people were present at one time. The Wi-Fi-tracking system assigned a unique ID to each passing phone that had Wi-Fi enabled (based on each phone’s unique MAC-address), so it could count the number of these phones. Which gave them a pretty accurate idea of the number of people.

However, because this method of measurement was used over a period of years (2017-2020) which overlapped with the period that the EU’s General Data Protection Regulation (GDPR) came into effect, the AP ruled that the method that was intended for counting, had turned into something that could be used for tracking.

The AP mentioned in its ruling that since a MAC-address is a unique identifier for a device, and since mobile devices like phones and tablets are mostly personal items, they can be used to identify a person. The system in Enschede used pseudonymization for the MAC addresses, but the AP ruled that was not enough to make the data truly anonymous, as they could still be combined with other data.

The AP ruled that the privacy of regular visitors and inhabitants of the city was compromised because they could be tracked without a real necessity. This was never the intention, but the fact that Wi-Fi-tracking over a prolonged period made this possible was reason enough for the steep fine.

In its ruling, the AP was adamant about the distinction between counting and tracking and emphasized how important it is that citizens should not be followed around, intentionally or not.

Tracking data can be turned into PII

If you find the same phone often enough, data intended for counting can be turned into data suitable for tracking. And if you put in enough effort and have enough data points you can establish patterns that can be used to identify a person (when this approach is used deliberately and legitimately, it’s called “Big Data”, for good reason). For example, if the same phone checks in at a certain point at 9 AM in the morning and leaves around 5 PM in the afternoon, you can make the assumption that the owner of that phone probably works in or near that location.

And even if none of the companies collecting or accessing that data intend to use it for that purpose, they or anyone buying or stealing the data, could.

The AP has strict rules about using Wi-Fi and Bluetooth-tracking and makes it clear that it is forbidden in most cases. It describes the large numbers of data points that can be collected by such tracking as “indirectly identifiable data” because while it is pseudonymous, it can be used to track people, and can be combined with other data to unmask individuals and render PII. For example, combining Wi-Fi-tracking with CCTV footage or payment data.

Who had access to the data?

The city and two companies that were involved in the measurements had access to the raw data. One of the companies carried out the order from the city and the other maintained the hardware and processed the data. The AP held the city responsible since it was the commissioning party. The city has filed an appeal against the ruling because they do not consider the data to be PII and their sole objective was counting, not tracking.

100 other cities

The company that operated the sensors in Enschede has 100 other cities and townships among its customers. But, when asked, it stated that the data gathered with Wi-Fi-tracking was no longer saved for more than 24 hours. Which, given the original goal for gathering the data makes perfect sense.

The post City fined for tracking its citizens via their phones appeared first on Malwarebytes Labs.

Smishing is a valuable tool in the scammer’s armoury. You’ve likely run into it, even if you didn’t know that is its name. It doesn’t arrive by email or social media direct message, instead choosing a route directly aimed at what may be your most personal device: the mobile phone. So, what is Smishing? We’re glad you asked.

Defining a Smish

Smishing is a combination of the words “phishing” and “SMS”, to indicate phishing sent across your mobile network in the form of a text. It’s often thought of as the latest scam on the block, but it’s been popular for a few years now. The Pandemic combined with a rise in home deliveries has only increased its popularity still further.

What is a Smishing attack?

It’s a fake message sent to mobile devices, using social engineering to encourage the recipient to click a link. The difference between Smishing and Vishing, is that Vishing is fraudulent voice messages as opposed to text and links.

Common Smish attempts focus on everyday needs or requirements. Late payments, missed deliveries, bank notifications, fines, and urgent notices are prime vehicles for a smishing attack.

COVID-19 has ensured that bogus vaccination messaging is also a common Smishing technique.

Most smishing text messages attempt to direct victims to fake login screens, with the possibility of asking for payment details further on. They may use URL shortening services in an attempt to conceal overtly fake login links. Potential victims may have never seen a Smish before, and so assume anything sent via SMS is legitimate. It may also be more difficult to view the full URL on a mobile browser, which is to the phisher’s advantage.

Smishing attack examples

Offering fake discounts on bills is a popular method of smishing attack. The drawback here is that these messages aren’t typically targeted. As a result, large numbers of people without the relevant accounts will simply disregard the message. This isn’t necessarily a problem for the smisher, however. These messages are sent in bulk, and the scammer expects a small number of responses from casting a wide net. The combined ill-gotten gains from the people who do fall for it, likely more than makes up for initial outlay.

Late / delayed parcels are a huge prospect for Smishers. If you wanted to define Smishing, this would be the current-day quintessential Smish attack. With so many people at home, and so many daily purchases made online, we’re awash with cardboard. It’s very difficult to keep track of everything coming into the house. Combining well-known delivery services with fake “delivery fee” notifications is a recipe for Smishing success.

In both examples, you can see the potential for success. Pinning these two attacks around what people can gain (or indeed, lose) gives them added credibility by playing on the hopes and fears of victims.

Can we stop these attacks?

The reality of this situation is, nobody can stop Smishing 100%. However, we can certainly take some steps to significantly reduce it:

• If it sounds too good (or too bad) to be true, it probably is. Having said that, many Smish messages sound totally innocent and aren’t trying too hard to bribe or threaten. What we’re trying to say here, is don’t assume any message from services or organisations are the real deal. If you’re being asked to do something, the very best thing you can do is contact them directly via a known method you trust. When it turns out to be a fake, you should be able to report it to them, there and then.
• Those living somewhere with Do Not Call lists or spam reporting services, should make full use of them. Report, report, report those bogus messages and numbers. Your mobile device may already have some form of “safe” message ID enabled without you knowing. It’s tricky to give specific advice here because of the sheer difference of options available on models of phone, but the Options / Safety / Security / Privacy menus are a good place to start.
• Never click the links, and don’t enter personal information on the websites the Smisher sends you. Avoid replying to the scam SMS too. Best case scenario, it’s not a real number and your message bounces. Worst case, you’ve confirmed you exist and they add you to spam lists and / or start harassing you further. Report, block, and move on.

Anti-Smishing efforts

It’s not just phone owners doing their bit to tackle Smishing. Organisations have been taking steps to lock this threat down for some time now. Last year, the SMS SenderID Protection Registry gave companies the ability to register and protect message headers. We have Attorney Generals warning of the dangers, and the sheer saturation by fake Royal Mail delivery fee messages has made the issue go mainstream in the UK. We can only hope Smishing’s sudden rise to fame during the pandemic leads to an equally speedy demise.

For the time being, keep a watchful eye on those text messages and treat them with the same suspicion you’d give to a random missive in your email inbox.

The post What is Smishing? The 101 guide appeared first on Malwarebytes Labs.

Using a proven method of text messages about missed deliveries, an old player on the Android malware stage has returned for an encore. This time it seems to be very active, especially in the UK where Android users are being targeted by text messages containing a link to a particularly nasty piece of spyware called Flubot.

Warning from the National Cyber Security Centre

On its website, the National Cyber Security Centre (NCSC) warns about the spyware that is installed after a victim receives a text message that asks them to install a tracking app, because of a missed package delivery. The tracking app is in fact spyware that steals passwords and other sensitive data. It will also access contact details and send out additional text messages in order to further the spread of the spyware.

Network providers join in

Apparently, the problem is so massive that even network providers have noticed the problem and some of them, including Three and Vodafone have also issued warnings to users over the text message attacks.

Three urges victims that have installed the spyware:

You should be advised that your contacts, SMS messages and online banking details (if present) may have been accessed and that these may now be under the control of the fraudster.

It goes on to tell victims that a factory reset is needed or you will run the risk of exposure to a fraudster accessing your personal data.

Branding of the text messages

Most of the reported messages pretend to be coming from DHL.

But users have also reported Royal Mail and Amazon as the “senders.” Readers should be aware that it isn’t enough to simply watch out for messages from one or two senders though. If the campaign proves successful for the criminals running it, it will evolve and change over time and they will likely try other tactics.

History of Flubot

These types of smishing (SMS phishing) attacks are on the rise the last few years. Previously, Flubot has been noticed operating a fake FedEx website targeting Android users in Germany, Poland, and Hungary in basically the same way. By sending text messages with a parcel tracking URL that led to malware downloads. Initially they operated in Spain (with Correos Express as the sender), until some arrests were made there which slowed the operation down for a while. It would not come as a surprise if the continued success will lead the Flubot operators to target the US next.

Infection details

Malwarebytes for Android detects the several Flubot variants as Android/Trojan.Bank.Acecard, Android/Trojan.BankBot, or Android/Trojan.Spy.Agent.

As we pointed out the initial attack vector is a text message with a link that downloads the malware. The package names often include com.tencent and have the delivery service’s logo as the icon. During the install the malware will show you misleading prompts to get installed and acquire the permissions it needs to perform the actions it needs. These permissions allow it to:

• Send messages to your contacts
• Act as spyware and steal information

Depending on the variant, Flubot can also:

• Intercept incoming messages
• Intercept notifications
• Open web pages
• Disable Google Play Protect
• Uninstall other applications
• Contact a Command and Control server based on a Domain Generating Algorithm (DGA)

Don’t click!

Unless you know exactly what to look for to determine whether a message is actually coming from the claimed sender, it is better not to click on links in unsolicited text messages. Which is always solid advice, but when you are actually expecting a parcel, the message may not count as unsolicited in your mind.

Our first impulse is often to click and find out what’s up. At the very least, we should stop and ask if the message and the URL stand up to scrutiny. If you think the message is genuine, it is still best not to click on the link, but instead search for the vendor’s website and look for its parcel tracker.

If you did not click the link, simply remove the message from your device so you do not click it by accident in the future.

If you have clicked the link but then stopped because you were suspicious of the fact that it initiated a download, well done. You stopped in time.

If you did download the malware, scan your device with a legitimate Android anti-malware app. If it can’t disinfect your phone, you will need to perform a factory reset to remove it. If you do this, there is a possibility you will lose more than just the malware, unless you have made backups.

You should also change any passwords you stored on the device, and any you entered on the device after the infection began, because they may have been compromised by the spyware.

Finally, if you used the device for online banking, check your bank balances and contact your bank so that they can stop or correct any fraud that results.

Stay safe, everyone!

The post Watch out! Android Flubot spyware is spreading fast appeared first on Malwarebytes Labs.

We’re no strangers to the Twitter customer support DM slide scam. This is where someone watches an organisation perform customer support on Twitter, and injects themselves into the conversation at opportune moments hoping potential victims don’t notice. This is aided by imitation accounts modelled to look like the genuine organisation’s account. The victim is typically sent to a phishing page where accounts, payment details, identities, or other things can be stolen.

We first observed the technique used on gamers back in 2014, and it eventually branched out into bank phishing. This time around, it’s being used to bag bitcoin. Shall we take a look?

Emptying your wallet

Trust Wallet is an app used to send, receive, and store Bitcoin along with other cryptocurrencies, including NFTs. With cryptocurrency being so very mainstream at the moment, it’s only natural lots of people are jumping on the bandwagon. Even those who know what they’re doing often run into trouble. I suspect the newcomers to the field are experiencing all manner of issues daily. This is a perfect storm of confused users and scammers lying in wait.

Take note of what the official TrustWalletApp account says, in relation to keeping your coins safe:

They are emphatic about keeping the recovery phrase safe. This is a method to regain access to a wallet, made up of 12 words. Whoever possesses the phrase, holds the keys to the kingdom (or at least, your wallet). If your coins have a lot of value attached, it would clearly be disastrous to lose access.

This is where our tale begins in earnest, in the replies to that tweet.

Oh no, my coins!

An individual claims they had their coins stolen, but managed to regain them.

Thank God I finally got all my stolen coin and money back!

I can now rest my head.

So far, so good. Further down, however, it all goes a bit wrong. Just a few replies down, they say this:

I lost all my money and coins my wallet last week, until I contacted their support page and they helped me rectify and resolved it, I think if you have any of this problem you should write to them too at [URL removed]

The link (powered by a DIY survey creator, where anybody can make whatever batch of questions they want) does exactly what TrustWalletApp says not to do: asks for the 12 word recovery phrase.

A swarm of bad tidings

The scam isn’t being spread by just one account, nor is there just one bogus support form. Multiple Twitter profiles lurk in the replies of anyone having a bad cryptocoin experience. One even claims to be the “Trust Wallet Team”, and does nothing but spam links to a Google Doc. The accounts are most likely set up to autorespond to anybody sending messages to the TrustWalletApp account, especially if it looks like they need assistance. No fewer than 19 responses were sent in one day from one account, and given the ever-fluctuating cryptocurrency values, just one bite could result in a decently-sized payday for the scammers.

This is a low maintenance attack, which brings potentially high gains. It’s very common, to the extent that one of the accounts sending bogus Google Doc links does so to the person, or bot, we originally saw firing out bad links!

What can you do to keep your coins secure?

This isn’t just imitation organisation accounts dropping themselves into support chats. We also have lots of random, non-imitation accounts trying the same tactic. As a result, “regular account” doesn’t necessarily mean they’re being helpful. The kindness of strangers is often very helpful, but never take anything for granted. Cryptocurrency is in a bit of a modern-day gold rush at the moment, and people will do absolutely anything to get their hands on it.

Legitimate companies are unlikely to be performing technical support via Google Docs or survey sites, so avoid links that attempt to do that. Most importantly though, as per the Trust Wallet team themselves: never send anybody your 12 word recovery phrase. Not even Trust Wallet. Ever.

Passwords, pass codes, pass phrases, pass-whatevers are meant to be secrets, and they aren’t secrets if you tell somebody else. No company worth bothering with will ever ask for your password so don’t give them out. It’s the surest way imaginable to lose control of an account. And, because of the way that cryptocurrencies work, once the scammers have your wallet, it’s theirs. You almost certainly won’t be able to recover it.

That’s one promise you can take to the crypto-bank.

The post Bitcoin scammers phish for wallet recovery codes on Twitter appeared first on Malwarebytes Labs.

UPDATE 12:12 PM Pacific Time, April 28: As of at least 9:40 AM Pacific Time, the Babuk ransomware gang removed any reference to the allegedly stolen DC Police Department data from its data leak website. This does not indicate with any certainty that the DC Police Department paid Babuk, but it is rare for a ransomware group to remove data without first receiving payment.

A screenshot captured by a Malwarebytes researcher is shown below, with no reference to the DC Police Department hack.

Original story below:

One day after a ransomware group shared hacked data that allegedly belonged to the Washington, D.C. Police Department online, the police force for the nation’s capital confirmed it had been breached.

“We are aware of unauthorized access on our server,” the Metropolitan Police Department—the official title of the DC police—said on Tuesday. “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”

But as the DC police sort out the attack, they’re working against the clock—the cyberattackers threatened to share information on police informants with criminal gangs in just three days, threatening the safety of those informants and the stability of related criminal investigations.

The attack represents the latest example in two growing trends, in which cybercriminals have increasingly targeted government agencies since the start of 2021, and in which ransomware operators are exchanging their bread-and-butter tactics—which include encrypting a victim’s files and then demanding a payment to unlock those files—with new threats to publish sensitive data.

Claiming responsibility for the DC police cyberattack is the ransomware gang Babuk. On Monday, the group said on a dark web data leak site that it had stolen 250 GB of data from the DC police, and it posted several screenshots as proof. According to Bleeping Computer, which viewed the images, the screenshots included folder names that related to “operations, disciplinary records, and files related to gang members and ‘crews’ operating in DC.”  

Bleeping Computer also shared Babuk’s threat that was made to the DC police:

“Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon.” 

The ransomware group also warned that one of the files in its possession could be related to arrests made following the January 6 insurrection against the US Capitol.

The attack, while severe, is part of an increasingly commonplace trend. According to the New York Times, this is the third police department hit by cybercriminals in just three weeks. Further, since the start of 2021, 26 government agencies have been victims of ransomware attacks, and 16 of those agencies were specifically hit with threats to publish sensitive data.

These attacks follow what Malwarebytes has called a “double extortion” model, in which ransomware operators hit the same target two times over—not only locking a victim’s files, which will cost money to decrypt, but also stealing sensitive data, which will also cost money to keep private.

The double extortion model is relatively new, but it is already popular.

According to a March analysis from the cybersecurity company F-Secure, nearly 40 percent of the ransomware families discovered in 2020, as well as several older families, demonstrated data exfiltration capabilities by year’s end. And almost half of those families used those capabilities in the wild. Further, as we learned in the Malwarebytes State of Malware 2021 report, the double extortion model has proved to be surprisingly lucrative: One ransomware group pulled in $100 million in 2019 without pressing victims to unlock encrypted files.

That Babuk—which was discovered by Bleeping Computer just months ago—has already incorporated the double extortion model likely means that this threat will not be going away any time soon.

The post Ransomware group threatens to leak information about police informants appeared first on Malwarebytes Labs.

In the latest example of a supply chain attack, cybercriminals delivered malware to customers of the business password manager Passwordstate by breaching its developer’s networks and then deploying a fraudulent update last week, said Passwordstate’s maker, Click Studios.

Though the number of infected computers is currently unknown, Click Studios said in an April 24 advisory that the victim count “appears to be very low.” That estimate may increase though, said Click Studios, as it continues to investigate. According to the company, its password manager is used by more than 29,000 customers across the industries of banking, retail, manufacturing, education, healthcare, government, aerospace, and more.

The attack lasted just 28 hours, Click Studios said, from April 20, 8:33 PM UTC to April 22, 0:30 AM UTC. Only the customers who initiated an update between those hours are at risk.

As to how the cybercriminals breached the company, Click Studios only said that “a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality.” Click Studios said the “initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au,” which regularly points Passwordstate’s in-place upgrade function to approved software versions loaded onto Click Studios’ Content Distribution Network, or CDN. By compromising the in-place upgrade functionality, the cybercriminals were able to point users to their own CDN, which carried the malware.

The malware—currently referred to as Moserpass—stole system information and Passwordstate data and then delivered it back to the servers that were controlled by the cybercriminals responsible for the attack.  

That data included computer name, username, domain name, current process name, current process ID, and several fields from a customer’s Passwordstate account, including title, username, description, notes, URL, and password. Data for certain “generic field” entries was also delivered, but Click Studios said that users who chose to encrypt that data averted the malware’s data harvesting and delivery capabilities.

Click Studios also clarified in its April 24 advisory that, “although the encryption key and database connection string are used to process data via hooking into the Passwordstate Service process, there is no evidence of encryption keys or database connection strings being posted to the bad actor CDN.”

According to Bleeping Computer, the CDN servers used in the attack are no longer active.

The Passwordstate attack is the latest example of a re-emerging cyberthreat that saw great attention back in 2013 when the US retailer Target suffered an enormous data breach that compromised the payment information of 41 million customers. That attack, which resulted in an $18.5 million settlement, began with an attack on the company’s HVAC vendor. Four years later, cybercriminals again relied on a supply chain attack to breach Equifax, and just two years after that, the SolarWinds supply chain attack rattled the entire cybersecurity industry.

These attacks are difficult to catch, and for an attack like the one that targeted Passwordstate, they pose a significant threat to cybersecurity overall, as users and businesses could begin to question the legitimacy of regular software updates.

For Passwordstate’s customers who did install the fraudulent update, Click Studios advised to contact the company’s customer support, and, following specific instructions, to begin resetting all passwords saved in Passwordstate.

The post Password manager hijacked to deliver malware in supply chain attack appeared first on Malwarebytes Labs.