IT NEWS

Two Dutch white-hat security specialists entered the annual computer hacking contest Pwn2Own, managed to find a Remote Code Execution (RCE) flaw in Zoom and are $200,000 USD better off than they were before.

Pwn2Own

Pwn2Own is a high profile event organized by the Zero Day Initiative that challenges hackers to find serious new vulnerabilities in commonly used software and mobile devices. The event is held to demonstrate that popular software and devices come with flaws and vulnerabilities, and offers a counterweight to the underground trade in vulnerabilities.

The “targets” volunteer their software and devices and offer a reward for successful attacks. Fans are treated to a hacking spectacle, successful hackers get kudos and no small amount of cash (in this case the reward was a whopping $200,000 USD), and vendors find nasty bugs that might otherwise be sold to criminals.

Pwn2Own 2021 runs from 6 April to 8 April. The full schedule for this year can be found on their site. This year the event has focused on software and devices used when working from home (WFH), including Microsoft Teams and Zoom, for obvious reasons.

The white hats

Keuper and Alkemade, who are employed by cybersecurity company Computest, combined three vulnerabilities to take over a remote system on the second day of the Pwn2wn event. The vulnerabilities require no interaction of the victim. They just need to be on a Zoom call.

The vulnerability

In the light of responsible disclosure, the full details of the method have been kept under wraps. What we do know is that it was Remote Code Execution (RCE) flaw: As a class of software security flaws that allow a malicious actor to execute code of their choosing on a remote machine over a LAN, WAN, or the Internet.

We also know that the method works on the Windows and Mac version of the Zoom software, but does not affect the browser version. It is unclear whether the iOS- and Android-apps are vulnerable since Keuper and Alkemade did not look into those.

The Pwn2Own organization have tweeted a gif demonstrating the vulnerability in action. You can see the attacker open the calculator on the system running Zoom. Calc.exe is often used as the program that hackers open on a remote system to show that they can run code on the affected machine.

Not patched yet

Understandably, Zoom has not yet had the time to issue a patch for the vulnerability. They have 90 days to do so before details of the flaw are released, but they are expected to do it way before that period is over. The fact that the researchers came out on the second day of the Pwn2Own event with this vulnerability does not mean they figured it out in those two days. They will have put in months of research to find the different flaws and combine them into an RCE attack.

Security done right

This event, and the procedures and protocols that surround it, demonstrate very nicely how white-hat hackers work, and what responsible disclosure means. Keep the details to yourself until protection in the form of a patch is readily available for everyone involved (with the understanding that vendors will do their part and produce a patch quickly).

Mitigation

For now, the two hackers and Zoom are the only ones that know how the vulnerability works. As long as it stays that way there is not much that Zoom users have to worry about. For those that worry anyway, the browser version is said to be safe from this vulnerability. For anyone else, keep your eyses peeled for the patch and update at earliest convenience after it comes out.

Stay safe, everyone!

The post Zoom zero-day discovery makes calls safer, hackers $200,000 richer appeared first on Malwarebytes Labs.

Several users of Trezor, a small hardware device that acts as a cryptocurrency wallet, have been duped by a fake app with the same name. The app was available on Google Play and Apple’s App Store and also claimed to be from SatoshiLabs, the creators of Trezor.

According to the Washington Post, the fake Trezor app, which was on the App Store for at least two weeks (from 22 January to 3 February), was downloaded 1,000 times before it was taken down. A fake Trezor app on the Play Store was downloaded by a similar number of users, but it’s not clear how long it was available on the platform.

Those victimized by the fake app couldn’t tell that they were downloading a dodgy app. Apart from the mimicked name and visual style of the Trezor brand, victims have also reported seeing high rating reviews—155 reviews giving it close to a 5 star rating—a common tactic of criminal app developers looking to gain the trust of users.

Phillipe Christodoulou, owner of a dry-cleaning service was one of the many Trezor users who downloaded the fake Trezor app from the App Store. He wanted to check his cryptocurrency balance on his phone and decided to search for and download an app instead of plugging the device into his computer via a USB connection. He lost 17.1 Bitcoins, which was worth $600,000 USD at that time. At the time of writing it is worth more than $1 million USD.

A similar incident happened with James Fajcz, a reliability engineer, in December 2020. He bought both Ethereum and Bitcoin worth $14,000 USD with his savings after seeing the price of digital tokens rising that same month. To ensure his investment was secure, be bought a Trezor, and then downloaded its purported app on his iPhone. When the app didn’t connect to his hardware wallet, he assumed that the app didn’t work. After buying a second round of cryptocurrencies weeks later, he checked the balance on his Trezor device using his computer, but it was empty. He realized he had been conned out of his digital currencies when he reached out to the Trezor community on Reddit.

Both men didn’t know that an official Trezor app doesn’t exist, and both also blamed Apple for letting a fake app into the App Store, a space touted by Apple as “the most trusted marketplace for apps.”

Both Google and Apple provide screening of apps before they’re added to their app stores, but these incidents remind us that no form of screening is perfect. Successful criminals are good at finding and exploiting loopholes, or using malicious techniques that are hard to screen for. We don’t know how this malicious app worked, but we can guess that it might simply transfer victims’ cryptocurrency to a wallet (that happens to be owned by the app’s creator), which is very similar to what a legitimate app would be doing.

With cryptocurrencies continuing to gain popularity, expect more scammers to bank on this wave. In May last year, Harry Denley, a cybersecurity researcher specializing in cryptocurrencies, revealed that he discovered almost 75 malicious Google Chrome extensions designed to steal money from cryptocurrency wallets.

Last month, CoinDesk went on a crypto scam hunt and found that both popular app stores have found fake crypto wallet apps.

Cryptocurrency owners are advised to be more vigilant than ever about phishing campaigns in the form of apps and extensions. Trezor users, in particular, should be aware that while there is no app for their hardware wallet now, there will be an official one in the future. Watch the company’s official website and Twitter account for news on that and, until then, avoid downloading Trezor apps and heed the company’s advice: never share your seed until your device asks you to do so.

The post Fake Trezor app steals more than $1 million worth of crypto coins appeared first on Malwarebytes Labs.

A timely warning to keep systems patched has appeared, via a jointly-released report from Onapsis and SAP. The report details how threat actors are “targeting and potentially exploiting unprotected mission-critical SAP applications”. Some of the vulnerabilities used were weaponised fewer than 72 hours after patches are released. In some cases, a newly deployed SAP instance could be compromised in just under a week if people aren’t patching.

Old threats cause new problems

The vulnerabilities being exploited were patched months or even years ago. Sadly, when organisations don’t patch and update, compromise is only a step away. This isn’t a new phenomenon, by any means. It doesn’t matter if we’re talking software or hardware fixes, or replacing an insecure Windows XP box on the network, or running updates you’ve been putting off for that old mobile phone in your drawer. Erratic update routines, or worse still, abandoning them altogether can lead to serious consequences.

In its own press release on the subject, SAP warns that a failure to patch could give cybercriminals “full control of the unsecured SAP applications”, while pointing out that its cloud-based solutions are not at risk:

The scope of impact from these specific vulnerabilities is localized to customer deployments of SAP products within their own data centers, managed colocation environments or customer-maintained cloud infrastructures. None of the vulnerabilities are present in cloud solutions maintained by SAP.

The US Department of Homeland Security’s CISA lists some of the serious end-results of failing to make use of the available SAP patches, in an announcement that followed the release of the report:

• Financial fraud
• Disruption to business
• Sensitive data theft
• Ransomware
• Halt of operations

Patch early, patch often

From the above list, ransomware alone could lead to any of those security issues. The data in the threat intelligence report is incredibly useful for anybody who thinks they could be affected. Thanks to SAP and Onapsis, we know how brief the window can be for those tasked with defending systems to do something about it. It also highlights how both security and compliance are at risk, along with some of the techniques attackers will try to use out in the wild.

Regular readers will know we’re big on patching and updating. Some of the most undesirable threats around thrive on a lack of regular updates. Manual, as opposed automatic updates, can also bring headaches for organisations struggling to get up to speed with best practices. It’s certainly not easy, with some organisations simply choosing to never patch at all.

A lack of patching may lead to disaster

That risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A study of 340 security professionals in 2019 found 27% of organisations worldwide, and 34% in Europe, said they’d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.

If your organisation is a touch lax on patching, or making it up as you go along – fear not! There’s still time to get a grip on this difficult subject. Whether you use any of the systems mentioned in the threat report up above or not, timely patching is the way to go. The threats to your business may not come knocking at the door today, or even tomorrow, but that won’t be the case forever.

The post SAP warns of malicious activity targeting unpatched systems appeared first on Malwarebytes Labs.

This post was authored by Hossein Jazi

As tensions between Azerbaijan and Armenia continue, we are still seeing a number of cyber attacks taking advantage of this situation. On March 5th 2021, we reported an actor that used steganography to drop a new .Net Remote Administration Trojan. Since that time, we have been monitoring this actor and were able to identify new activity where the threat actor switched their RAT from .Net to Python.

Document Analysis

The document targets the government of Azerbaijan using a SOCAR letter template as lure. SOCAR is the name of Azerbaijan’s Republic Oil and Gas Company. The document’s date is 25th March 2021 and the letter, related to export of catalyst for analysis, is written to the Ministry of Ecology and Natural Resources. The document’s creation time is 28th March 2021 and is aligned with the date mentioned on the letter. Based on the dates we believe that this attack happened between 28th and 30th of March 2021.

The embedded macro in this document is almost similar to what we have reported before with some small differences. We will talk about the similarities between these two documents in the next section.

The macro has two main functions “Document_Open” and “Document_Close”. In “Document_Open” after defining the required variables it creates a directory (%APPDATA%Roamingnettools48) for its Python Rat.

It then copies itself in a new format to the file path defined before in order to be able to extract the required data from an embedded PNG file (image1.png).

To extract the embedded data, it calls the “ExtractFromPng” function to identify the chunk that has the embedded data. After finding the chunk, it extracts the files from the PNG file and writes them into “tmp.zip”.

The “tmp.zip” is then extracted into “%APPDATA%Roamingnettools48” directory. It contains the Python 3.6 interpreter, NetTools Python library, Python Rat, the RAT C2 config, as well runner.bat.

The Python Rat will be executed when the document is closed. The “Document_Close” first delays execution to bypass security detection mechanisms by creating a junk loop for 100 times and then executes the runner.bat by calling Shell function.

The runner.bat is also delaying execution for 64 seconds and then it calls Python to execute the Python RAT (vabsheche.py)

SET /A num=%RANDOM% * (80 - 60 + 1) / 32768 + 60
timeout /t %num%
set DIR=%~dp0
"%DIR%python" "%DIR%vabsheche.py"

Python RAT Analysis

The Python RAT used by the attacker is not obfuscated and is pretty simple. It is using the platform library to identify the victim’s OS type.

The C2 domain and port are hardcoded within a file in the RAT directory. The RAT opens this file and extracts the host and port from this file.

In the next step if the victim is running Windows, it makes itself persistent through creating a scheduled task. It first checks if a scheduled task with the name “paurora*” exists or not. If it does not exist, it reads the content of bg.txt file and creates a bg.vbs file. Then adds the created VBS file to the list of scheduled tasks.

The created VBS file calls the runner.bat to execute the Python RAT.

The main functionality of the RAT is through a loop that starts by creating a secure SSL connection to the server using a certificate file (cert.pem) that was extracted from the PNG file and dropped into the RAT directory.

After building the secure connection to the server it goes to a loop that receives a message from the server and executes different commands based on the message type.

Here is the list of commands that can be executed by the RAT:

• OPEN_NEW_CONNECTION: Sends a message to the server with False as content
• HEART_BEAT: Sends a message to the server that the victim is alive
• USER_INFO: Collects victim info including OS Name, OS Version and User Name
• SHELL: Executes shell commands received from the server
• PREPARE_UPLOAD: Checks if it can open a file to write the received data from server into it and if that is the case it sends a “Ready” message to the server
• UPLOAD: Receives a buffer from the server and writes them into file
• DOWNLOAD: Archives files and sends them to the server

Similarity Analysis

In this sections we provide the similarities between two documents and TTPs used by them. This will help hunters to identify the future campaigns associated with this actor.

TTPs similarities

• Used steganography to embed RATs within the embedded images.
• Used scheduled tasks for persistence. In both cases It created a VBS file to execute the batch runner.
• Used a batch file with the same name (runner.bat) to execute the final RAT.
• Used the same technique to exfiltrate data. (Archive them and send them to the server)

Documents similarities

• Both have been obfuscated using same obfuscation techniques: Inserting random characters within the meaningful names to obfuscate the functions and variables names. After deobfuscation, the function graph of these two documents are almost similar.

• Both have used the similar method to obfuscate strings: using “MyFunc23” function that receives an array of numbers and decodes them into a string.

Other similarities

• both C2 domains have resolved to the same IP address.
• There are overlaps between the commands used by both .Net and Python RATs.

Conclusion

Due to tensions between Azerbaijan and Armenia, cyber attacks against these countries have been increasing in the past year. The Malwarebytes Threat Intelligence Team is constantly monitoring actors that are targeting these countries and was able to identify an actor that has targeted Azerbaijan using different RATs. This actor has used .Net and Python RATs to infect victims and steal data from them. The actor used spear phishing as initial vector that has used steganography to drop a variant of its RATs.

IOCs

The post Aurora campaign: Attacking Azerbaijan using multiple RATs appeared first on Malwarebytes Labs.

Users primarily located in Germany are experiencing malware that downloads and installs on their Gigaset mobile devices—right out of the box! The culprit installing these malware apps is the Update app, package name com.redstone.ota.ui, which is a pre-installed system app. This app is not only the mobile device’s system updater, but also an Auto Installer known as Android/PUP.Riskware.Autoins.Redstone.

Infected devices and other important notes

Although this issue seems to be primarily found on Gigaset mobile devices, we have also found other manufacturers involved. Here is a list of make/model/OS version of mobile devices found with Android/PUP.Riskware.Autoins.Redstone:

• Gigaset GS270; Android OS 8.1.0
• Gigaset GS160; Android OS 8.1.0
• Siemens GS270; Android OS 8.1.0
• Siemens GS160; Android OS 8.1.0
• Alps P40pro; Android OS 9.0
• Alps S20pro+; Android OS 10.0

We should note that the names Gigaset and Siemens have considerable overlap—Gigaset was formerly known as Siemens Home and Office Communications Devices. We listed both to erase any confusion.

It important to realize that every mobile device has some type of system update app. Unless you are experiencing the exact behaviors in the next section, you are most likely not infected. Another key point is that this pre-installed update app is the not the same as what is described in Android “System Update” malware steals photos, videos, GPS location. In that case, the malware is simply hiding as an update app, but is not a pre-installed system app.

Malware behavior

For most Gigaset users experiencing this infection, com.redstone.ota.ui installs three versions of Android/Trojan.Downloader.Agent.WAGD. The package name of this malware always starts with “com.wagd.” and is followed by the name of the app. Here are some examples:

• Package name: com.wagd.gem
• App name: gem

• Package name: com.wagd.smarter
• App name: smart

• Package name: com.wagd.xiaoan
• App name: xiaoan

According to forum users and analysis, Android/Trojan.Downloader.Agent.WAGD is capable of sending malicious messages via WhatsApp, opening new tabs in the default web browser to game websites, downloading more malicious apps, and possibly other malicious behaviors. The malicious WhatsApp messages are most likely in order to further spread the infection to other mobile devices.

In addition, some users also experience Android/Trojan.SMS.Agent.YHN4 on their mobile devices. The downloading and installation of this SMS Agent is due to Android/Trojan.Downloader.Agent.WAGD visiting gaming websites containing malicious apps. Thereupon, the mobile device contains malware capable of sending malicious SMS messages. Like with the malicious WhatsApp messages, it can in addition send malicious SMS messages to further spread the infection.

Awaiting resolution

Because com.redstone.ota.ui is a system app, you cannot remove it using traditional methods. Further, past evidence from Adups and other variants shows that disabling pre-installed update apps is either impossible or it re-enables shortly after disabling. Therefore, just as the case with UMX back in January 2020, it is up to the device manufacturer to push an update to truly fix this issue. Keep in mind that even after the manufacturer fixes the issue, they can push out yet another update in the future to re-infect. There is some evidence that this has been the case with UMX as of recent, but that is another blog for another day. 

In the case of Gigaset, German blogger Günter Born on his blog Borncity has already gotten the ball rolling by contacting Gigaset to resolve. In the meantime, according to an Attention pinned at the bottom of Mr. Born’s blog he suggests the following (translating from German to English using Google Translator):

Attention: I recommend all Gigaset Android device owners to heed the information in the blog post Malware attack: What Gigaset Android device owners should do now and to lay the device dead. At least until Gigaset has responded and the process has been completely clarified.

A safe workaround

The aforementioned recommendation to quote, lay the device dead, may not be an option for some users if this is their only mobile device. Allow me to suggest another option that still gives users the ability to use their Gigaset mobile device safely.

Yes, it is true you cannot remove it using traditional methods, but we have a workaround!

We can use the method below to uninstall Update (com.redstone.ota.ui) for current users (details in link below):

https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

From the tutorial above, use this command during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k –user 0 com.redstone.ota.ui

At this point, run a Malwarebytes for Android scan to remove any remaining malware apps.

Checking for updates

Here is the kicker. Remember that the Update app is also the mobile device’s only way to update the system. Thus, if and when Gigaset comes up with a resolution, you will need to check for system updates by re-installing Update.

You can re-install using this command:

adb shell pm install -r –user 0 <full path of the apk>

The two full path of the apk’s we have seen so far are as follows:

/system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk

/system/app/Rsota/Rsota.apk

If neither of these paths work, you can find the correct path, even after uninstalling for current user, by running this command:

adb shell pm list packages -f -u

Copy/paste the output into a text editor (like Notpad) and search for com.redstone.ota.ui to find the correct path.

If there are no updates to install or if the update that does install does not resolve the issue, remember to once again uninstall Update for the current user.

Never ending battle

Assisting customers with resolving pre-installed malware is a reoccurring action by me and our mobile support staff. Fortunately, in the case of Gigaset users, there is a workable resolution. If you are experiencing similar or other mobile malware issues you can reach us on our Malwarebytes Forum or for more thorough support submit a support ticket. As always, stay safe out there!

The post Pre-installed auto installer threat found on Android mobile devices in Germany appeared first on Malwarebytes Labs.

If you’re an Android phone user, now might be a good time to invest in a good pair of ear plugs. Fans of iPhones aren’t known for being shy when it comes to telling Android users that Apple products are superior, and things may be about to get worse, thanks to a new research paper (pdf). 

Researchers of the School of Computer Science and Statistics at Trinity College Dublin, Ireland decided to investigate what data iOS on an iPhone shares with Apple and what data Google Android on a Pixel phone shares with Google. Whilst it may not be the smoking gun some think it is (we think the sheer amount of telemetry data may come as a surprise for both sides of the argument), it didn’t go well for Android.

Research outline 

To get fair results a researcher needs to define experiments that can be applied uniformly to the handsets studied, to allow for direct comparisons, and the experiment needs to generate reproducible behavior. The research team decided to focus on the handset operating system itself, separate from optional services such as maps, search engines, cloud storage, and other services provided by Google and Apple. Although these come with practically every device, privacy-conscious minds are prone to disable these services.

The user profile was set to mimic a privacy-conscious but busy/non-technical user, who when asked does not select options that share data with Apple and Google. Otherwise, the handset settings were left at their default value. 

Test moments 

Data transfer was measured at 6 specific points of action during the phones’ normal use: 

• On first startup following a factory reset 
• When a SIM was inserted/removed 
• When a handset was left idle 
• When the settings screen was viewed 
• When geolocation services were enabled/disabled 
• When the user logged in to the pre-installed app store 

Test results 

Both iOS and Google Android transmit telemetry, despite the user settings. According to the research, both Android and iOS handsets shared data with Google and Apple servers every 4.5 minutes, on average.

Android handsets however, share 20 times more telemetry data than iPhones, it seems. During the first 10 minutes of startup the Pixel handset in the test sent around 1MB of data to Google, compared with the 42KB of data the iPhone sent to Apple. When the handsets were sitting idle the Pixel sent roughly 1MB of data to Google every 12 hours compared with the iPhone’s 52KB sent to Apple.

We should be careful not to draw too many conclusions from just the size of the data though. The quantity of data can be affected by things like the choice of protocols and whether or not compression is used. What matters far more, is the type of information being shared.

Type of information 

Researchers noted that devices on default privacy settings share information related to the IMEI, SIM serial number, phone number, hardware serial number, location, cookies, local IP address, nearby WiFi MAC addresses, and advertising ID. When a user has not yet logged in, Android phones don’t send location, IP address, and nearby WiFi MAC addresses, while iPhones don’t send their own WiFi MAC address. 

Unused apps and services 

Several of the pre-installed apps/services are also observed to make network connections, despite never having been opened or used. In particular, on iOS these include Siri, Safari and iCloud. On Google Android these include the YouTube app, Chrome, Google Docs, Safetyhub, Google Messaging, the Clock and the Google Search bar. 

Concerns 

The collection of so much data by Apple and Google raises some major concerns. Firstly, this device data can be fairly easily linked to other data sources. This is certainly no hypothetical concern since both Apple and Google operate payment services, supply popular web browsers, and benefit commercially from advertising.  

Secondly, every time a handset connects with a back-end server it necessarily reveals the handset’s IP address, which is a rough proxy for location. The high frequency of network connections made by both iOS and Google Android (on average every 4.5 minutes) therefore potentially allow tracking by Apple and Google of device location over time.  

And last but not least, the apparent inability for users to opt out. In the report the head researcher outlines a method to prevent the vast majority of the data sharing but noted that it needs to be tested against other types of handhelds. And from my perspective it’s not easy to pull it off, and it would not stop everything. 

Apple and Google do not agree 

The head researcher sent his findings to both companies. Google offered some clarifications and expressed its intention to publish documentation on the telemetry data collection soon. 

Apple noted that the report gets many things wrong. For instance, the company says that personal data sent to Apple is protected, and the company doesn’t collect data that can be associated with a person without their knowledge or consent. Google calls into question the methods used to determine the telemetry volume on Android and iOS. It claims the study didn’t capture UDP/QUIC traffic, nor did it look at whether the data was compressed or not, which could skew the results. 

The post Research claims Google Pixel phones share 20 times more data than iPhones appeared first on Malwarebytes Labs.

Unless you keep your social media at a pole’s distance, you have probably heard that an absolutely enormous dataset—containing over 500 million phone numbers—has been made public. These phone numbers have been in the hands of some cybercriminals since 2019 due to a vulnerability in Facebook that allowed personal data to be scraped from the social media platform, until it was patched it in 2019.

But now some miscreant has posted the entire dataset on a hacking forum, so every lowlife out there has access.

When did this happen?

In an apparent attempt to play down the seriousness of the situation, Facebook spokesperson Liz Bourgeois tweeted Saturday that the leak involved “old data that was previously reported on in 2019.” Some reports say the data was scraped in 2019, others talk about early 2020. To be honest, between scraping vulnerabilities dating back to 2010, and the Cambridge Analytica scandal, an old data breach is still a data breach, and you’re probably still going to need to pay attention to it. Whether you like it or not.

If you are, or were, a Facebook user this may very well concern you.

Why it still matters

Access to personal data allows cybercriminals to seem more believable when they pretend to be somebody, making social engineering and ID theft easier, and unlike passwords, many of them can’t be changed. There are countless examples of how personal information helps criminals, but here are three to give you a sense of what’s at stake.

The first thing that comes to mind is a scam where people text you pretending to be a relative or dear friend. First, they tell you they have a new phone number and then they ask you to transfer some money on their behalf.

The scam is more likely to succeed if the threat-actor has some private information that can convince you they are who they claim to be. And with the correlation between your Facebook profile and your telephone number, depending on your settings they can look up:

• Who your family and friends are
• How you phrase your responses to each other
• Some events from your life to talk about

Together with your phone number, that gives them an excellent attack vector for this type of scam.

Another devilish scheme can unfold if they have enough information about you to convince your telephone company that they are the cell phone owner. This can usually be done by providing the carrier with a phone number, a home address and the last four digits of a Social Security number.

Or you could become a victim of a text variant of a Business Email Compromise (BEC). One of the most profitable phishing scams, which is easier to pull off if the threat actor has more information available.

Limiting what you share

First off, cybercriminals don’t care where or how they get your information, so take care to hide your personal information on Facebook from profile visitors that are not friends. Facebook has a help page for this called Control Who Can See What You Share.

Go through that list and ask yourself if everyone needs to see all of that, and what you would rather hide from prying eyes.

Also, now that you know the information is out there, be vigilant, especially about unsolicited texts and phone calls. If any new tactics evolve from this you can always read about it right here.

How to check if your phone number is involved

There are a few sites that offer you the chance to look up your phone number and see if it’s been leaked. One that we trust, and that allows visitors to look for phone numbers from every country is the well-known have i been pwned?

Troy Hunt, the security guru that runs HaveIBeenPwned, explains in detail why he decided to include this dataset as a searchable entity on his blog. If you are too curious and want to dive right in, please note that you need to enter your phone number in the E.164 international standard format. Which is not as hard as it sounds. Replace the trailing 0 with your country code, only use numbers, and you should be good to go.

Stay safe, everyone!

The post Has Facebook leaked your phone number? appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, our podcast featured Malwarebytes senior security researcher JP Taggart, who talked to us about why you need to trust your VPN.

You’ve likely heard the benefits of using a VPN: You can watch TV shows restricted to certain countries, you can encrypt your web traffic on public WiFi networks, and, importantly, you can obscure your Internet activity from your Internet Service Provider, which may use that activity for advertising.

But obscuring your Internet activity—including the websites you visit, the searches you make, the files you download—doesn’t mean that a VPN magically disappears those things. It just means that the VPN itself gets to see that information instead.

On Malwarebytes Labs, we also wrote about six social media safety sins to say goodbye to, and we advised Steam users not to fall for the “I accidentally reported” scam that is making rounds right now. We also covered how a 5G slicing vulnerability could be used in DoS attacks, the one reason your iPhone needs a VPN, what you need to know about malicious commits found in PHP code repository, the latest ransomware attacking schools, called PYSA, and we tried to report on the npm netmask vulnerability in a way that anyone can actually understand it.

Finally, we looked at the latest Android “System Update” malware that steals photos, videos, GPS location, and we thought it was time to cool down some fervor and say that, you know what, Internet password books are OK.

Other Cybersecurity news:

• Fraud team response: More organizations look to grow their fraud teams (Source: Help Net Security)
• A fine old time: Dutch watchdog fines Booking.com after customer data theft fallout (Source: The Register)
• Gaming the system: Game cheat mod malware demonstrates risk of unlicensed software (Source: SC Mag)
• 365 ways to phish town: Credential attacks on the rise with Office 365 as top target (Source: Bdaily)
• Bad ads on the prowl: Bogus investment ads cause misery (Source: This is Money)
• Old data dump comes around again: Half a billion Facebook users’ information posted to hacking website (Source: CBS58)
• Older Americans under fire: Top scams targeting older Americans in 2021 (Source: AARP)
• Heartbreak: Tech makes romance scams easier than ever (Source: Dispatch)
• Tracing your steps: A long way to go where tracking protection is concerned (Source: Spread Privacy / DuckDuckGo)
• A digital throw-down: How Russian hackers targeted US cyber first responders in SolarWinds breach (Source: CNN)

Stay safe!

The post A week in security (March 29 – April 4) appeared first on Malwarebytes Labs.

A newly discovered piece of Android malware shares the same capabilities found within many modern stalkerware-type apps—it can swipe images and video, rifle through online searches, record phone calls and video, and peer into GPS location data—but the infrastructure behind the malware obscures its developer’s primary motivations.

First spotted by the research team at Zimperium zLabs, the newly found malware is already detected by Malwarebytes for Android. It does not have a catchy name, but because of its capabilities and its method for going unnoticed, we are calling it Android/Trojan.Spy.FakeSysUpdate, or in this blog, “FakeSysUpdate” for short.

FakeSysUpdate is not available on the Google Play store, and it is currently unclear how it is being delivered to Android devices. Even more obscured is the visibility of the app to victims.

Once FakeSysUpdate is implanted on a device, it disguises itself to its victims by masquerading as a generic “System Update” application. In fact, when a threat actor uses FakeSysUpdate to steal targeted information from an infected, asleep device, FakeSysUpdate will also send a fraudulent notification posing as a “System Update” that is “Searching for update.”

Beneath the surface, FakeSysUpdate can let a malicious actor steal highly sensitive information while also granting them dangerous control of a victim’s device.

According to Zimperium zLabs, the malware can allow a threat actor to monitor GPS locations, record phone calls, record ambient audio, take photos from the front-facing and rear-facing cameras on a device, observe the device’s installed applications, inspect bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser, and steal SMS messages, phone contacts, and call logs.

If you’ve read our coverage on these types of capabilities in the past, you might think that FakeSysUpdate is just the latest stalkerware-type app on the market. After all, the threats of stalkerware are near identical—pinpointed GPS locations that can reveal a domestic abuse survivor’s location after escape, stolen text messages that can uncover a survivor’s safety planning, and broad, non-consensual invasions of privacy that can harm anyone.

But the inner workings of FakeSysUpdate potentially betray the common uses of stalkerware.

First, according to the researchers at Zimperium zLabs, once the malware is installed on a device, the device is registered with the Firebase Command and Control (C2), upon which a threat actor can send commands through the Firebase messaging service to, for instance, steal a device’s contacts list, record microphone audio, or take a picture using the device’s cameras.

At issue here is who can send the C2 commands. If the commands can be sent by the apps users’, so they can spy on their victims, then it looks like a stalkerware-type app. If the commands can only be issued by the app’s creators, then there’s a good chance that FakeSysUpdate is not stalkerware, but information-gathering spyware. Unlike stalkerware, most (but not all) spyware doesn’t care who its victims are—it is simply looking for information that can be used for extortion or to facilitate further attacks with malware.

That’s contrary to many of the stalkerware-type apps that we see, which are, for lack of a better word, “user-friendly.” They do not require a high-tech proficiency to use or understand. They do not have illegible interfaces. Instead, these apps have familiar layouts, intuitive designs, and easy-to-use commands. For many apps, it’s as simple as logging into a web platform, clicking a menu item, and browsing through private photos without any consent.

Which brings us to the second point: If this piece of malware isn’t being advertised—or if it isn’t really known—as a stalkerware-type app, then it’s less likely that it’s been built as one.

Stalkerware-type apps do not hide in the shadows. They flood Google results for anyone searching how to spy on their romantic partners. They place sponsored articles in major city newspapers (yes, really). The more egregious ones even advertise themselves specifically on their so-called abilities to “catch” cheating partners.

Without knowing how FakeSysUpdate is being advertised—which relates to our lacking information on how it is primarily being delivered to devices—we cannot definitively ascertain its purpose.

Despite the uncertainty, though, one thing is clear: This piece of malware could be devastating. Whether for malicious information gathering or for non-consensual surveillance of a romantic partner, these invasions of privacy are flat-out wrong.

We thank Zimperium zLabs for discovering this malware and for bringing it to the public’s attention.

The post Android “System Update” malware steals photos, videos, GPS location appeared first on Malwarebytes Labs.

Passwords are a hot topic on social media at the moment, due to the re-emergence of a discussion about good password management practices.

There’s a wealth of password management options available, some more desirable than others. The primary recommendation online is usually a software-based management tool. Some include online syncing alongside web browser extensions. Others involve syncing passwords with services such as Dropbox.

That’s before we get to the notepad on desktop aficionados, or the time-honoured tradition of the Post-It note on the office monitor. Today, we’re here to talk about perhaps the most controversial method of password storage though.

The big book of passwords

There’s one password management tool which experiences more than its fair share of derision—the oft-maligned Internet password book. These are, as you may expect, physical books which are little more than empty notepads with “Internet password book” written on the front. Some allow owners to group logins by category, or add additional notes as they see fit.

For various reasons, you’ll usually see them being rubbished on social media as the worst thing around for password management. It’s a passionate debate, and one which comes back to life every 6 months or so. The most recent bi-annual flurry of excitement was kicked off by BBC technology reporter Zoe Kleinman:

One important aspect of whether these books should be used at all is something called a threat model. If you’re hoping for a brief run down of what a threat model is, then great news…that’s exactly what we’re going to do.

Threat models

The best description I’ve seen of what threat modelling consists of, is in an article by Katie Nickels who says it’s “the process of figuring out what you have that adversaries care about”.

We don’t all face the same risks, and we don’t all need to take the same precautions as a result. When you see the latest sophisticated nation state attack in the news, it’s bad. But, like most people, you can probably go on as if nothing has happened. That clever spearphishing attack targeting a dozen or so individuals worldwide?

It’s targeting a dozen or so individuals worldwide.

You’ll never see it, and you almost certainly won’t receive messages from Google about it. It’s not in your threat model.

My personal security concerns are based around what’s important to me, what I want to secure, which bits I’m not bothered about, and what is absolutely mission critical at all costs. That’s my threat model.

Sizing up your adversary

You may not need to worry about nation state attacks, but you’ll almost certainly have something in place for the 600^th fake tax return invoice landing in your mailbox. That’s an aspect of your threat model you know your business is up against, you know what they’re after, and you’ve put solutions in place to ward it off. It may or may not be the single most important threat your organisation faces…or it might be mid-tier. It will differ from place to place, and that’s fine.

What tends to happen when we see the infamous password book on display, is we apply a one-size-fits-all approach and dismiss it as silly or bad practice.

Well, it could definitely be sub-optimal for someone working with sensitive data. There’s far better ways for those individuals to secure their digital demands, in ways that scale up to the likely threats they face. On the other hand, there’s many people out there who the books will be a perfect fit for:

• People who are simply unfamiliar or uncomfortable with computers. This isn’t uncommon.
• Those with accessibility or cognitive issues.
• Folks who feel a lack of control at placing all their password eggs in one (digital) basket.

Password managers

The two pillars of bad password practices are reuse, and poor password selection. Software-based password managers are excellent tools for dealing with both problems, which is why they are so widely recommended. They are great for creating increasingly complex passwords all gated behind a variety of secure login methods. Everything from 2FA, to regional login lockouts are yours for the taking. That’s great! The more choice, the better.

Even so, many people won’t ever bother with password managers.

Maybe they’re overwhelmed for choice, or the tools they know of don’t meet specific operational requirements. Perhaps the tool they really want to use has no browser extension, or it’s offline only instead of syncing online. It’s also possible they may just find the whole thing too fiddly or complicated, or simply not know they exist.

Depending on OS, type of device, and feature set, something that should be easy can very easily become a chore. From there, bad habits can start to set in, including the eventual removal of the password manager. It’s then a short hop back to Password123.

Password management books: what works and what doesn’t

Some common objections to password books are as follows:

• If you lose the book while out and about, you’ve lost access to everything.
• Having to type in your passwords while reading them from a book, instead of having a password manager do it for you, could encourage people to use simple passwords instead of complex ones.
• Books become a form of abandonware over time, with missing entries, torn pages, logins which have been changed online and not updated, and other logins which never end up in the book at all.

The counters to these points are lengthy, so they get their own sections:

Loss or theft of a password book

Losing the book while outside the home isn’t that different from losing access to a password vault because of technical problems, forgotten master passwords, or other unforeseen happenings. In both cases, something has gone wrong. At least in the case of the book, it’s likely to be kept at home and is reliant on multiple real-world layers of physical security.

That’s much more reliable than “password management tool has their database broken into by anonymous criminals, and there’s nothing you can do about it”. If your home is burgled, you have bigger fish to fry than worrying about your logins. Also, realistically, burglars are looking for expensive items they can take and then sell on. They do not care about the password book in your clothes draw.

Password books: encouraging simple passwords?

Could books encourage simple passwords? It’s quite possible. Some may find it rather aggravating to hammer out dozens of complicated passwords from page to screen whenever they log in. In my experience, people writing passwords down tend to take more of an interest in making everything unique. After all, nobody is filling 30 pages of a password book with “password123”. What’s the point? Sure, we could end up with a variety of password1234/5/6 instead, but it’s still a bit more varied than the alternative.

I’ve also seen people write passwords only – not usernames or service / website on the pages. What they do instead, is associate certain pages with certain services. This is a great defence against theft or loss, but I’d be worried about forgetting the order. This is also a major negative if the book owner dies and family members need to attempt some form of data recovery. Where would you even begin?

Abandonware in paper format?

Abandonware books, what a concept. I think there’s some merit to this one, but I also think it offers a glimmer of hope. I know someone who did this, and what was happening was a slow transition to software password managers. If filling in some passwords in a book is the stepping-stone someone needs to feel more confident about moving logins to the PC, more power to them. It’s also possible some folks have typed out passwords from books so many times that they can remember the important ones anyway.

This concludes my lengthy counterpoint section.

Maybe they’re not the worst idea after all

The takeaway here is we’re dealing with an imperfect, messy solution for a messy, imperfect requirement to use our accounts. In situations where friends or relatives simply won’t entertain a password manager, it could be a decent (if not the only!) alternative. It really depends on the individual, and how safe it’ll be to drag their logins from screen to page. The password book won’t work for everybody, but it will definitely work for somebody and I think that’s perfectly fine.

The post Relax. Internet password books are OK appeared first on Malwarebytes Labs.