IT NEWS

This blog post was authored by Jérôme Segura

Web skimming continues to be a real and impactful threat to online merchants and shoppers. The threat actors in this space greatly range in sophistication from amateurs all the way to nation state groups like Lazarus.

In terms of security, many e-commerce shops remain vulnerable because they have not upgraded their content management software (CMS) in years. The campaign we are looking at today is about a number of Magento 1 websites that have been compromised by a very active skimmer group.

We believe that Magecart Group 12, identified as being behind the Magento 1 hacking spree last fall, continues to distribute new malware that was observed by security researchers recently. These web shells known as Smilodon or Megalodon are used to dynamically load JavaScript skimming code via server-side requests into online stores. This technique is interesting as most client-side security tools will not be able to detect or block the skimmer.

Web shell hidden as favicon

While performing a crawl of Magento 1 websites, we detected a new piece of malware disguised as a favicon. The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper PNG format for a valid image file.

The way it is injected in compromised sites is by editing the shortcut icon tags with a path to the fake PNG file. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell.

Web shells are a very popular type of malware encountered on websites that allow an attacker to maintain remote access and administration. They are typically uploaded onto a web server after exploitation of a vulnerability (i.e. SQL injection).

To better understand what it does, we can decode the reverse Base64 encoded blurb. We see that it is meant to retrieve data from an external host at zolo[.]pw.

Further looking into the m1_2021_force directory reveals additional code very specific to credit card skimming.

The data exfiltration part matches what researcher Denis @unmaskparasites had found back in March on WordPress sites (Smilodon malware) which also steals user credentials:

A similar PHP file (Mage.php) was reported by SanSec as well:

That same path/filename was previously mentioned by SanSec during the Magento 1 EOL hacking spree:

This hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at the infrastructure being used.

Magecart Group 12 again

Because we found the favicon webshells on Magento 1.x websites we thought there might be a tie with the hacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found. RiskIQ documented these compromises and linked them with Magecart Group 12 at the time.

The newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.

There is a lot of publicly documented material on the activities of Group 1 also known for their ‘ant and cockroach‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.

Dynamically loaded skimmer

There are a number of ways to load skimming code but the most common one is by calling an external JavaScript ressource. When a customer visits an online store, their browser will make a request to a domain hosting the skimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these skimmers using a domain/IP database approach.

In comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request to the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation. A more effective, but also more complex and prone to false positives approach, is to inspect the DOM in real time and detect when malicious code has been loaded.

We continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure their stores are up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers place in them. If you are shopping online it’s always good to exercize some vigilance and equip yourself with security tools such as our Malwarebytes web protection and Browser Guard.

References

https://blog.group-ib.com/btc_changer

https://twitter.com/unmaskparasites/status/1370579966069383168?s=20

https://twitter.com/sansecio/status/1367404202461450244?s=20

https://twitter.com/unmaskparasites/status/1234917686242619393?s=20

https://community.riskiq.com/article/fda1f967

https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html

https://sansec.io/research/cardbleed

https://blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/

Indicators of Compromise

facedook[.]host
pathc[.]space
predator[.]host
google-statik[.]pw
recaptcha-in[.]pw
sexrura[.]pw
zolo[.]pw
kermo[.]pw
psas[.]pw
pathc[.]space
predator[.]host
gooogletagmanager[.]online
imags[.]pw
y5[.]ms
autocapital[.]pw
myicons[.]net
qr202754[.]pw
thesun[.]pw
redorn[.]space
zeborn[.]pw
googletagmanagr[.]com
autocapital[.]pw
http[.]ps
xxx-club[.]pw
y5[.]ms

195[.]123[.]217[.]18
217[.]12[.]204[.]185
83[.]166[.]241[.]205
83[.]166[.]242[.]105
83[.]166[.]244[.]113
83[.]166[.]244[.]152
83[.]166[.]244[.]189
83[.]166[.]244[.]76
83[.]166[.]245[.]131
83[.]166[.]246[.]34
83[.]166[.]246[.]81
83[.]166[.]248[.]67

jamal.budunoff@yandex[.]ru
muhtarpashatashanov@yandex[.]ru
nikola-az@rambler[.]ru

The post Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity appeared first on Malwarebytes Labs.

Cybersecurity experts strive to enhance the security and privacy of computer systems. Quietly observing threat actors in action can help them understand what they have to defend against. A honeypot is one such tool that enables security professionals to catch bad actors in the act and gather data on their techniques. Ultimately, this information allows them to learn and improve security measures against future attacks.

Definition of a honeypot

What does “honeypot” mean in cybersecurity? In layman’s terms, a honeypot is a computer system intended as bait for cyberattacks. The system’s defenses may be weakened to encourage intruders. While cybercriminals infiltrate the system or hungrily mine its data, behind the smokescreen, security professionals can study the intruder’s tools, tactics and procedures. You might think of it as laying a trap for someone you know is coming with bad intentions and then watching their behavior so you can better prepare for future attacks.

Types of honeypots

In the world of cybersecurity, a honeypot appears to be a legitimate computer system, while the data is usually fake. For example, a media distribution company may host a bogus version of a film on a computer with intentional security flaws to protect the legitimate version of the new release from online pirates.

There are several different types of honeypots. Each has its own set of strengths. The kind of security mechanism an organization uses will depend on their goals and the intensity of threats they face.

Low-interaction honeypots

A low-interaction honeypot offers hackers emulated services with a narrow level of functionality on a server. The objective of this trap is usually to learn an attacker’s location and nothing more. Low-interaction honeypots are low-risk, low-reward systems.

High-interaction honeypots

Unlike the low-interaction variety, a high-interaction honeypot offers a hacker plenty to do on a system with few restrictions. This high-interaction ploy aims to study a threat actor for as long as possible and gather actionable intelligence.

Email traps

Technology companies use email traps to compile extensive deny lists of notorious spam agents. An email trap is a fake email address that attracts mail from automated address harvesters. The mail is analyzed to gather data about spammers, block their IP addresses, redirect their emails, and help users avoid a spam trap.

Decoy database

A SQL injection is a code injection procedure used to attacks databases. Network security experts create decoy databases to study flaws and identify exploits in data-driven applications to fight against such malicious code.

Spider honeypot

A spider honeypot is a type of honeypot network that consists of links and web pages that only automated crawlers can access. IT security professionals use spider honeypots to trap and study web crawlers in order to learn how to neutralize malicious bots and ad-network crawlers.

Malware honeypot

A malware honeypot is a decoy that encourages malware attacks. Cybersecurity professionals can use the data from such honeypots to develop advanced antivirus software for Windows or robust antivirus for Mac technology. They also study the malware attack patterns to enhance malware detection technology and thwart malspam like GuLoader and the like.

Pros and cons of honeypot use

Although there are many benefits of honeypots, they can also backfire if they fail to cage their prey. For example, a skilled hacker can use a decoy computer to their advantage. Here are some pros and cons of honeypots:

Benefits of using honeypots

• They can be used to understand the tools, techniques and procedures of attackers.
• An organization can use honeypots to ascertain the skill levels of potential online attackers.
• Honeypotting can help determine the number and location of threat actors.
• It allows organizations to distract hackers from authentic targets.

Dangers and disadvantages of using honeypots

• A clever hacker may be able to use a decoy computer to attack other systems in a network.
• A cybercriminal may use a honeypot to supply bad intelligence.
• Its use can result in myopic vision if it’s the only source of intelligence.
• A spoofed honeypot can result in false positives, leading IT professionals on frustrating wild goose chases.

While there are pros and cons, careful and strategic use of a honeypot to gather intelligence can help a company enhance its security response measures and stop hackers from breaching its defenses, leaving it less vulnerable to cyberattacks and exploits.

The post What is a honeypot? How they are used in cybersecurity appeared first on Malwarebytes Labs.

WhatsApp told users last week that there was no need for alarm regarding an upcoming privacy policy deadline, as users who refuse to accept the privacy policy will not have their accounts deleted—they will just have their apps rendered useless, eventually incapable of receiving calls and messages.

The planned removal of core features represents a stunning reversal for a company that long ago prioritized data privacy, transforming WhatsApp’s offering into an unworkable contradiction: Private messaging only for those who surrender a separate piece of their privacy.

At issue is WhatsApp’s 2021 privacy policy, which users first learned about in January. According to notifications sent at that time, WhatsApp began asking users to agree to share some of their data with WhatsApp’s parent company—Facebook—by a February 8 deadline.

That data does not include the content of any WhatsApp user’s messages or calls, as the company’s end-to-end encryption remains intact, and WhatsApp has repeatedly promised that its message security will not be compromised. However, the data does include interactions that users have with certain businesses over WhatsApp. And, per the new privacy policy, the entities at Facebook that will have access to that data include Facebook itself, Facebook Payments, Facebook Technologies, Onavo, and CrowdTangle.

The January notifications released a user avalanche, with many people ditching the service to install a separate, private messaging app called Signal. According to a report from TechCrunch, in just five days in January, the rival private messenger was downloaded more than 7.5 million times—growing its overall userbase at the end of 2020 by more than one third. Similar, meteoric growth was enjoyed by another private messaging app, Telegram.

But to hear WhatsApp tell the story, users got the wrong impression about the 2021 privacy policy update. The company tried to explain to some news outlets that the changes were not as dramatic as many had interpreted because the changes were not even new.

They had been in place since 2016.

According to reporting from Wired, in August of 2016, WhatsApp quietly updated its data sharing practices with Facebook:

“Under the new user agreement, WhatsApp will share the phone numbers of people using the service with Facebook, along with analytics such as what devices and operating systems are being used,” Wired wrote at the time. “Previously, no information passed between the two, a stance more in line with WhatsApp’s original sales pitch as a privacy oasis.”

Those changes came with an opportunity for then-existing WhatsApp users to opt out of the impact of that data sharing, but every new WhatsApp user who installed the app after those 2016 changes received no such option. Some of their data, according to Wired, was automatically sent to Facebook per WhatsApp’s new rules.

Technically, then, WhatsApp was right: Users misunderstood the January 2021 privacy policy notifications. There were no dramatic shifts to how WhatsApp would share data with Facebook, just minor changes to how WhatsApp will handle and share businesses-related interactions.

But those explanations did not sit right with users, security researchers, or digital rights activists.

As Matthew Green, cryptographer and professor at Johns Hopkins University, told Wired:

“WhatsApp is great for protecting the privacy of your message content. But it feels like the privacy of everything else you do is up for grabs.”

Gennie Gebhart, the acting director of activism at Electronic Frontier Foundation, also criticized WhatsApp’s unclear messaging in January.

“WhatsApp’s obfuscation and misdirection around what its various policies allow has put its users in a losing battle to understand what, exactly, is happening to their data,” Gebhart wrote.

The public blowback caused WhatsApp to postpone its initial February 8 deadline to May 15, and in the weeks in between, many users feared that the company would simply delete their accounts if they refused to accept the updated privacy policy.

But last week, WhatsApp clarified that “no one will have their accounts deleted or lose functionality of WhatsApp” on May 15 because of their choices to refuse to accept the new privacy policy.

Unfortunately, the alternative is nearly as harsh.

For WhatsApp users who decline to have their data shared with Facebook, WhatsApp will steadily remove core features, beginning with the option to view chat lists, and ending with the inability to even receive calls or messages on WhatsApp.

WhatsApp said that it has warned users about its new data policy agreement for weeks now. For users who do not agree to the privacy policy changes by May 15, WhatsApp said that “after a period of several weeks” the notification they’ve received will become persistent. At that point, WhatsApp said it will dole out consequences.

The company said:

“At that time, you’ll encounter limited functionality on WhatsApp until you accept the updates. This will not happen to all users at the same time.

You won’t be able to access your chat list, but you can still answer incoming phone and video calls. If you have notifications enabled, you can tap on them to read or respond to a message or call back a missed phone or video call.

After a few weeks of limited functionality, you won’t be able to receive incoming calls or notifications and WhatsApp will stop sending messages and calls to your phone.”

What message are users supposed to take from these limitations other than the fact that WhatsApp simply does not want users who refuse to share their data with Facebook? A private messaging app that cannot receive messages is useless, and it is ludicrous that the reason it is useless is because the company has chosen to make it that way.

This is an anti-privacy choice. It is also an anti-user choice, as users are being punished for their refusal to share data. And, finally, it is a sad but expected turn for WhatsApp, a former privacy darling launched by two co-founders—Jan Koum and Brian Acton—who both seemingly regret selling their company to Facebook for billions of dollars.

That sale in 2014 startled many users, as the two companies—one, a steadily-growing advertising giant, the other led by a man whose motto was reportedly “no ads, no games, no gimmicks”—were diametrically opposed. At the time, Koum tried to calm those fears, saying that “if partnering with Facebook meant that we had to change our values, we wouldn’t have done it.”

Four years later, Koum left. His co-founder, Acton, had left the year prior.

In an exclusive interview with Forbes, Acton explained his departure. Much of it was due to conflicting ideas on privacy.

“At the end of the day, I sold my company. I sold my users’ privacy to a larger benefit. I made a choice and a compromise,” Acton said. “And I live with that every day.”

In 2018, Acton donated $50 million to a familiar cause with a different name: the development of Signal.

The post WhatsApp calls and messages will break unless you share data with Facebook appeared first on Malwarebytes Labs.

Late last week, the business network systems of Colonial Pipeline, the biggest supplier of fuels on the East Coast of the United States, were compromised due to a ransomware attack, forcing the company to temporarily shut down its operations while investigations are underway.

Monday morning, Pacific time, the FBI confirmed that the ransomware culprit is DarkSide, a fairly new strain that started making a name roughly in mid- to late-2020. In this post, we take a look at the malware and the criminal gang, who many believe are based in Eastern Europe, behind the Colonial Pipeline attack.

Threat profile: DarkSide ransomware

DarkSide was first observed in the wild in August 2020 and used by the APT group Carbon Spider, also known as Carbanak and FIN7 among others, for their Big Game Hunting (BGH) campaigns. According to Crowdstrike’s adversary profile on this group, it originated in the Russian Federation and/or Ukraine. Since being active in 2013, Carbon Spider has targeted institutions in the Middle East, Europe, and eventually, the United States.

DarkSide ransomware is sold to affiliates using the Ransomware-as-a-Service (RaaS) distribution model, so attacks are carried out by affiliates.

There are currently two known versions of DarkSide: DarkSide v1.0 and DarkSide v2.1. The latter is less weighty in terms of file size (53 KB versus 59.5 KB) and has a shorter decryption time.

v2.1 has a new “call on us” feature, which allows ransomware affiliates to conduct a Voice Over IP (VoIP) session with victim organizations, their partners, and even journalists. It is believed that they added this feature to exert extra pressure against their victims.

DarkSide also has a Linux version that is capable of targeting VMWare ESXi vulnerabilities, making virtual machines (VMs) susceptible to hijacking and encryption of virtual drives.

Like other Big Game Hunting ransomware families, DarkSide is human-operated. This means that the ransomware is executed by an actual person behind the screen after they have successfully infiltrated a target network. This makes it possible for threat actors to move laterally, scouring the entire network to persistently backdoor several systems until they gain administrative access. They use these administrator credentials to deploy the DarkSide.

They also use their time in the network to harvest data and upload to their servers, before they encrypt the victim’s copy.

Once deployed, DarkSide begins to:

• Encrypt all files using a combination of Salsa20 and RSA-1024
• Empty the Recycle Bins
• Uninstall services
• Delete shadow copies
• Terminate processes
• Encrypt local disks
• Encrypt network shares

After all the data have been exfiltrated, the threat actors post it on their leak site, DarkSide Leaks, along with other pertinent information about the attack, such as the name of the company, the date it was breached, how much data was stolen, sample screenshots of the stolen data, and the types of stolen data.

It is observed that DarkSide and REvil ransomware, also known as Sodinokibi, share some similarities:

• Their ransom notes seem to have come from the same template.
• Both ransomware families use Windows PowerShell to delete shadow volume copies on compromised systems,
• …and both families also use a particular string of PowerShell code to perform this action.

DarkSide ensures that victims feel their personalized touch by customizing the ransom note and file extension for their victims. For example, a checksum of the victim’s MAC address is used as the extension name of encrypted files when, normally, ransomware would just use their own pre-defined extension. (HelloKitty ransomware uses .kitty, for example.)

A portion of a DarkSide ransom note is reproduced below. Ransom notes include the type of files, a link to the victim organization’s personal leak page, and instructions on what victims can do.

----------- [ Welcome to DarkSide 2.0] ----------->

What happend?
---------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use Strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.

Data leak
---------------------------------------------
First of all we have uploaded more than full dump data.

These files include:
- finance
- private information
- partners documents

The DarkSide leaks website has a “Press Center” section where journalists can register. It has a section where “recovery companies”—victimized organizations that had no choice but to give in to DarkSide’s ransom demand—can register to receive decryptors, get additional “discounts”, and have a ready line to the threat actor’s support service. All of which demonstrates how organized DarkSide operators can be.

Malwarebytes’ signature-less protection detects all known variants of DarkSide.

Adversary profile: DarkSide operators

Leslie Carhart, DFIR at Dragos, has taken note that DarkSide operators have been increasing their double-extortion attacks yet somehow successfully getting little attention.

The threat actors behind DarkSide ransomware are doing all this to gain money. However, its original creators declared that criminal groups who want to partner with them via their RaaS scheme should avoid targeting companies in certain sectors. These are:

• Healthcare
• Education
• Nonprofit
• Government

DarkSide may seem like your common-or-garden ransomware gang who only cares about making money off of the backs of organizations, including hospitals, but they would like you to think otherwise. One of the things that separates the DarkSide gang from the other “heartless” gangs is their declared intent to “make the world a better place”.

In 2020, the gang did just that by donating a portion of the money they extorted from victims to charity—not realizing that charities, knowing that the money is fraudulent, would never accept it. Not only that, charities who do accept fraudulent money without them knowing can get into a lot of trouble from the law. They can be charged with crimes related to money laundering—something perhaps the DarkSide gang didn’t see coming when thinking about the children.

In common with many other ransomware gangs, it’s also their mandate not to target states under the Commonwealth of Independent States (CIS), including Georgia and Ukraine.

While they reach for this dubious moral high ground, let us not forget that DarkSide threat actors have not only threatened victim organizations to leak all their files but also weaponize them by sharing them to their competitors, the media, and government regulators.

After the Colonial Pipeline attack made headlines and got the attention of no less than the FBI and the US government, DarkSide released a statement about it:

We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our [sic] motives.

Our goal is to make money, and not creating problems for society.

From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.

Many suspect that DarkSide operators are already in a mad rush to patch things up, having bitten off more than they can chew.

The straw that broke the camel’s back?

The DarkSide attack on the Colonial Pipeline may turn out to be the straw that broke the camel’s back. Last week, the White House held emergency meetings to take a look at an already drafted Executive Order on cybersecurity—possibly to strengthen it following this latest attack—that is expected to be released soon. Prior to that, the US Justice Department has already announced a 120-day review of its approach to combating cyberthreats, and been urged by the Ransomware Task Force’s strategic plan for tackling ransomware to treat ransomware as a national security threat.

Yesterday, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory (CSA) against DarkSide ransomware. It contains detailed mitigation steps that business should follow to reduce the risk of successful ransomware attacks overall. These include simple steps, such as:

• Using multi-factor authentication (MFA) to access networks remotely
• Enabling stronger spam filters
• Updating software to their latest versions
• Regularly scanning systems using a good antivirus product, and
• Limiting access to resources over networks

Organizations of all sectors should take heed of these best practices. Because before the publication of this article, DarkSide appears to have netted another victim.

The post Threat spotlight: DarkSide, the ransomware used in the Colonial Pipeline attack appeared first on Malwarebytes Labs.

A new set of vulnerabilities with an aggressive name and their own website almost always bodes ill. The name FragAttack is a contraction of fragmentation and aggregation attacks, which immediately indicates the main area where the vulnerabilities were found.

The vulnerabilities are mostly in how Wi-Fi and connected devices handle data packets, and more particularly in how they handle fragments and frames of data packets. As far as the researcher is aware every Wi-Fi product is affected by at least one vulnerability.

The research

The researcher that uncovered the Wi-Fi vulnerabilities, some of which have existed since 1997, is Mathy Vanhoef. The vulnerabilities he discovered affect all modern Wi-Fi security protocols, including the latest WPA3 specification. You may remember Vanhoef as one of the researchers behind the KrackAttacks weaknesses in the WPA2 protocol. As Vanhoef puts it:

“it stays important to analyze even the most well-known security. Additionally, it shows that it’s essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them.”

Packet fragmentation

In each network, there is a maximum size to the chunks of data that can be transmitted on a network layer, called the MTU (Maximum Transmission Unit). Packets can often be larger than this maximum size, so to fit inside the MTU limit each packet can be divided into smaller pieces of data, called fragments. These fragments are later re-assembled to reconstruct the original message.

Wi-Fi networks can use this packet fragmentation to improve throughput. By fragmenting data packets and sending more, but shorter frames, each transmission will have a lower probability of collision with another packet. So, if the content of a message is too large to fit inside a single packet, the content is spread across several fragments, each with its own header.

Just like packets, frames are small parts of a message in the network. A frame helps to identify data and determine the way it should be decoded and interpreted. The main difference between a packet and a frame is the association with the OSI layers. While a packet is the unit of data used in the network layer, a frame is the unit of data used on the layer below it in the OSI model’s data link layer. A frame contains more information about the transmitted message than a packet.

The vulnerabilities

The researcher found several implementation flaws that can be abused to easily inject frames into a protected Wi-Fi network. These vulnerabilities can be grouped as follows:

Device-specific flaws

• Some Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network.
• Certain devices accept plaintext aggregated frames that look like handshake messages.
• Worse than those, some devices accept broadcast fragments even when sent unencrypted.

Design flaws in the Wi-Fi feature that handling frames

• The frame aggregation feature of Wi-Fi uses an “is aggregated” flag that is not authenticated and can be modified by an adversary.
• Another design flaw is in the frame fragmentation feature of Wi-Fi. Receivers are not required to check whether every fragment that belongs to the same frame is encrypted with the same key and will reassemble fragments that were decrypted using different keys.
• The third design flaw is also in Wi-Fi’s frame fragmentation feature. When a client disconnects from the network, the Wi-Fi device is not required to remove non-reassembled fragments from memory.

A few other implementation vulnerabilities that can be used to escalate the flaws mentioned above.

CVE’s

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Although each affected codebase normally receives a unique CVE, the agreement between affected vendors was that, in this specific case, using the same CVE across different codebases would make communication easier.

The design flaws were assigned the following CVEs:

• CVE-2020-24588: Aggregation attack (accepting non-SPP A-MSDU frames).
• CVE-2020-24587: Mixed key attack (reassembling fragments encrypted under different keys).
• CVE-2020-24586: Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

Implementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network were assigned these CVEs:

• CVE-2020-26145: Samsung Galaxy S3 accepting plaintext broadcast fragments as full frames (in an encrypted network).
• CVE-2020-26144: Samsung Galaxy S3 accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
• CVE-2020-26140: Alfa Windows 10 driver for AWUS036H accepting plaintext data frames in a protected network.
• CVE-2020-26143: Alfa Windows 10 driver 1030.36.604 for AWUS036ACH accepting fragmented plaintext data frames in a protected network.

Other implementation flaws are assigned the following CVEs:

• CVE-2020-26139: NetBSD forwarding EAPOL frames even though the sender is not yet authenticated.
• CVE-2020-26146: Samsung Galaxy S3 reassembling encrypted fragments with non-consecutive packet numbers.
• CVE-2020-26147: Linux kernel 5.8.9 reassembling mixed encrypted/plaintext fragments.
• CVE-2020-26142: OpenBSD 6.6 kernel processing fragmented frames as full frames.
• CVE-2020-26141: ALFA Windows 10 driver for AWUS036H not verifying the TKIP MIC of fragmented frames.

Vulnerable devices

On the dedicated site the researcher states that

“experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.”

The statement is based on testing more than 75 devices, which showed they were all vulnerable to one or more of the discovered attacks.

Mitigation

To mitigate attacks where your router’s NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices will need to be updated. Unfortunately, not all products get regular updates.

Using a VPN can prevent attacks where an adversary is trying to exfiltrate data. It will not prevent an adversary from bypassing your router’s NAT/firewall to directly attack devices.

The impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned.

Graveness of the vulnerabilities

We have been here before. When the KRACK vulnerabilities were revealed a few years ago some people treated it as if it was the end of Wi-Fi. You’ll have noticed it wasn’t. That doesn’t mean it was nothing, either, but a little perspective goes a long way.

The CVEs registered to the FragAttacks have been given a medium severity rating and have CVSS scores sitting between 4.8 to 6.5. Which indicates that the chances of anything resembling remote control is probably too difficult to achieve to make it attractive. The data stealing options however are more imminent and could well be used in specific attacks.

Proof is in the pudding

If you are interested, you can find a demo and a link to a testing tool on the dedicated website. You can also find some FAQs and a pre-recorded presentation made for USENIX Security about these vulnerabilities.

Stay safe, everyone!

The post FragAttack: New Wi-Fi vulnerabilities that affect… basically everything appeared first on Malwarebytes Labs.

It looks like patching a wormable Remote Code Execution (RCE) bug in the HTTP stack of Windows 10 and Windows Server is likely to be top of most sysadmins’ todo lists after reading May’s Patch Tuesday updates. The monthly bug bonanza also features three other critical items among its 55 patches.

Although the wormable RCE (CVE-2021-311660) is not known to have been exploited in the wild, Microsoft warns that the attack complexity is low, and that “An attacker can expect repeatable success against the vulnerable component” with no need for authentication or user interaction. It has given the vulnerability a CVSS score of 9.8 out of 10.

The attack on the vulnerable component could be triggered by no more than a specially crafted packet. Since that packet is processed by http.sys, which runs in the kernel, the malicious code runs with commensurate privileges.

Worms that turned

A wormable flaw is one that can be used to create a network worm, a bit of malware that replicates itself across a network. Network worms invade a vulnerable system and then use it to launch further attacks on other vulnerable systems. Because each infected computer can infect many others, network worms have the potential to replicate exponentially and spread with alarming speed. (In fact, even if a worm has no malicious payload, the volume of activity it generates can be enough to cause significant problems by itself.)

Where vulnerable systems are accessible from the Internet, network worms can spread around the world in a matter of minutes or hours. In 2003, the infamous SQL Slammer worm infected all 75,000 its global, Internet-accessible victims within ten minutes of the attack starting. More recently, the WannaCry ransomware worm spread around the globe (and into and through numerous computer networks along the way) and infected hundreds of thousands of targets in a single morning.

Although worm-ability poses a significant risk, it isn’t by itself a guarantee of criminal success. Sometimes turning a vulnerability into an exploit is simply too difficult, or the results too unreliable to create a viable attack. Readers may remember the furore that surround the May 2019 Patch Tuesday, which featured a fix for a wormable RDP vulnerability, know as CVE-2019-0708, later dubbed BlueKeep. The widely-expected, globe-trotting RDP worm never materialised. Despite the appearance of proof-of-concept code, no widespread attacks ever occurred. Perhaps criminals simply found no need for an RDP worm that was bound to attract a lot of unwanted attention while they were having sustained success simply milking so many weak RDP passwords.

Those responsible for Windows systems should assume that criminals have read the same information they have and are poring over the fixes in an attempt to reverse engineer them. Act accordingly: you are in a race, patch as soon as you can.

Critical issues

The other critical patches made available this May include CVE-2021-26419, a scripting engine flaw that can be triggered by having an Internet Explorer user (yes, somehow that dinosaur among Internet users is still not extinct) visit a malicious website. Or, perhaps more likely, the flaw can be triggered from Microsoft Office documents. According to Microsoft, an attacker “could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document”. Who could have guessed that in 2021 we’d still be finding ways to attack people with documents.

CVE-2021-28476 is an RCE vulnerability in the Hyper-V component of numerous Windows versions, with a CVSS score of 9.9. The flaw allows guest machines to meddle with their hosts, a strict security no-no. Microsoft reports that the most likely result of this meddling is denial of service but the flaw has the potential to trigger “device specific side effects that could compromise the Hyper-V host’s security.”

The last of the four critical vulnerabilities from this month’s lode is CVE-2021-31194, an OLE Automation RCE about which the company has little to say. Taciturn it may be, but it does tell us the bug has a CVSS of 8.8 and it’s rated critical, both signals you should patch it anyway.

Overall this month’s patch Tuesday is small compared to recent months, which we hope will be a relief to any sysadmins kept busy by recent Exchange vulnerabilities.

Take your rest while it’s (relatively) quiet. You know it won’t last.

The post Get patching! Wormable Windows flaw headlines Patch Tuesday appeared first on Malwarebytes Labs.

The ransomware attack on Colonial Pipeline last week caused the White House to hold emergency meetings to possibly strengthen a planned Executive Order on cybersecurity that could be released in the coming days or weeks, the New York Times reported.

The Executive Order—currently a draft—could place new restrictions on businesses that develop software and sell it to the federal government, such as the requirements to use multi-factor authentication and to access federal databases only when completely necessary. Such a strategy seemed like an appropriate response several months ago, when cybercriminals believed to be working with the Russian government infiltrated nine federal agencies by first hacking into the IT management company SolarWinds.

But the recent attack on Colonial Pipeline reveals that new rules meant only for federal contractors could still leave broad swaths of the American public at risk. Complicating the issue is that, while President Joe Biden has taken a harder stance against Russian cyberaggression than the past administration, the attack on Colonial Pipeline has no confirmed connection to the Russian government.

“I’m going to be meeting with President Putin, and so far there is no evidence based on, from our intelligence people, that Russia is involved, although there’s evidence that the actors’ ransomware is in Russia,” Biden said this week.

According to multiple reports of the planned Executive Order, companies that sell their products to the government could have to implement several new cybersecurity measures.

Such companies would have to use multi-factor authentication and they would have to encrypt data that belongs to federal government clients. The government would also begin using a “zero-trust” model with these contractors, meaning that such contractors would only gain access to federal systems on a “need-to-know” basis. Further, contractors would also have to notify government customers of any cyberbreach, bringing new transparency to the government about ongoing and increasingly frequent cybercrimes.

In speaking with Reuters, a spokeswoman for the National Security Council explained the importance of such a requirement, noting that the SolarWinds attack showed that “the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly.”

She continued: “Simply put, you can’t fix what you don’t know about.”

According to The New York Times, companies that violate these rules would have their products banned from being sold to the federal government. For many companies that count the federal government as their largest client, such a ban could serve as a revenue death knell.

Finally, the Executive Order could create a “cybersecurity incident review board” to investigate major cyberattacks in the US, and the Order could ask victims of cyberattacks to work with the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency when responding to attacks.

The post Colonial Pipeline attack expected to trigger imminent hardening of cybersecurity rules for federal agencies appeared first on Malwarebytes Labs.

Both the Australian Cyber Security Centre (ACSC) and the US Federal Bureau of Investigation (FBI) have issued warnings about an ongoing cybercrime campaign that is using Avaddon ransomware.

The FBI states that is has received notifications of unidentified cyber actors using Avaddon ransomware against US and foreign private sector companies, manufacturing organizations, and healthcare agencies.

In a separate advisory (pdf), the ACSC says it is also aware of an ongoing ransomware campaign using the Avaddon Ransomware malware. This campaign is actively targeting Australian organizations in a variety of sectors.

Avaddon ransomware

Ransom.Avaddon is sold to criminal affiliates as a Ransomware-as-a-Service (RaaS) strain. It has been around since 2019 and in June of 2020 it got some real traction due to a malspam campaign. Later it started promoting higher rates for its affiliates using adverts on networks and RDP. Avaddon ransomware performs an encryption in offline mode using AES-256 + RSA-2048 to encrypt files. When encrypted the files get the .avdn extension.

No current decryptor

In you’ve heard about an Avaddon decryptor, don’t get your hopes up. It’s true that in February 2021 a researcher found a flaw in the Avaddon encryption routine that allowed them to create a free decryptor. However, one day later the ransomware developer posted a message that the flaw was fixed. So, the decryptor only works for older infections. If you have been affected by Avaddon since then, it will not work.

FBI description of Avaddon

Avaddon is used in targeted, “big game” ransomware attacks using familiar tactics. According to the FBI, Avaddon ransomware actors have compromised victims through remote access login credentials—such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN). After Avaddon actors gain access to a victim’s network, they map the network and identify backups for deletion and/or encryption. The malware escalates privileges, contains anti-analysis protection code, enables persistence on a victim system, and verifies the victim is not located in the Commonwealth of Independent States (CIS). Finally, a copy of the victim’s data is exfiltrated before the victim’s systems are encrypted.

Not afraid of law enforcement

Like many other ransomware operators hailing from the CIS they act as if they have nothing to fear from law enforcement. And as long as they do not attack organizations in their home country that is unfortunately probably true. Some Russian gangs have even been getting aggressive against law enforcement in the US. Statistics of how many police departments have been hit by ransomware attacks are hard to come by, as is information on whether departments ever pay a ransom. Homeland Security Secretary Alejandro Mayorkas has called ransomware a threat to national security and said the issue is a top priority of the White House. That sentiment was echoed in a recent report by the Ransomware Task Force.

Ransomware as a Service (RaaS)

Avaddon is offered as a Ransomware-as-a-Service (RaaS), a system that sees affiliates do the dirty work and use the ransomware however they like, provided they return a percentage of their profits to the Avaddon developers. The ACSC notes that Avaddon also has an active presence on underground dark web cybercrime forums, where it advertises the malware to potential affiliates. Avaddon threat actors also use a data leak site to identify victims who fail or refuse to pay ransom demands.

Typically, with RaaS you will see affiliates run different distribution vectors and look over each other’s shoulder to see what is working best. Probably because of this model we have seen Ransom.Avaddon spread by a botnet, in malspam campaigns, by exploit kits (RIG-EK), and recently by brute forcing RDP and VPN credentials.

Additional threats

Like many other ransomware operators Avaddon has also increased pressure on its victims by threatening to publicize exfiltrated data on the dark web, and by performing DDoS attacks. The extortion/data leak process typically follows these steps:

• Leak warning: After initially gaining access to a victim network, Avaddon actors leave a ransom note on the victim’s network and post a “leak warning” to the Avaddon dark web leak website. The warning consists of screenshots from files and proof of access to the victim’s network.
• 5 percent leak: If the victim does not quickly pay the ransom within 3 to 5 days, Avaddon actors increase the pressure on victims by leaking a portion of the stolen files. The Avaddon actors leak this data by uploading a small .zip file to Avaddon’s dark web leak website.
• Full leak: If the ransom is not paid after the 5 percent leak, Avaddon actors post all their exfiltrated data in large .zip files in the “Full dumps” section of the Avaddon dark web leak website.

Detection and protection

Malwarebytes detects Ransom.Avaddon and protects user by means of real-time protection, both by using detection rules as well as patented anti-ransomware technology.

Stay safe, everyone!

The post Avaddon ransomware campaign prompts warnings from FBI, ACSC appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, we discussed how Spectre attacks have come back from the dead; why Facebook banned Instragram ads by Signal; we highlighted the differences between the most popular VPN protocols; pointed out that Google is about to start automatically enrolling users in two-step verification, and how millions are put at risk by old, out of date routers.

Other cybersecurity news:

• Cisco HyperFlex web interface has a critical flaw. (Source: The Register)
• NSA advised to strengthen the security of operational technology (OT). (Source: Tripwire)
• Tesla automobiles vulnerable to compromise over WiFi. (Source: Kunnamon)
• Fix for critical Qualcomm chip flaw is making its way to Android devices. (Source: ArsTechnica)
• Multiple critical vulnerabilities in Exim Mail Server dubbed 21Nails. (Source: Qualys)
• Domain hijacking via logic error; Gandi and Route 53 vulnerability. (Source: Cyberis)
• Tour de Peloton: Exposed user data. (Source: PenTestPartners)
• Apple fixes 2 iOS zero-day vulnerabilities actively used in the wild. (Source: BleepingComputer)
• Google and Mozilla will bake HTML sanitization into their browsers. (Source: The Daily Swig)
• tsuNAME, a vulnerability that can be used to DDoS DNS. (Source: tsuname.io)

Stay safe, everyone!

The post A week in security (May 3 – 9) appeared first on Malwarebytes Labs.

UPDATE 10:47 AM Pacific Time, May 10: At 8:55 AM Pacific Time, the FBI confirmed that Colonial Pipeline was attacked by Darkside. According to a statement posted on Twitter, the FBI said:

“The FBI confirms that the Darkside ransomware is responsible for the compromise of Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”

FBI Statement on Compromise of Colonial Pipeline Networks https://t.co/XxHgezpref pic.twitter.com/McrRFOil64

— FBI (@FBI) May 10, 2021

Original story below:

Ransomware caused major trouble last week, as the famous Colonial Pipeline fell victim to a devastating cyber-attack.

Presenting: the Colonial Pipeline

The pipeline exists to supply gasoline and other products across the southern and eastern United States. We’re talking from Texas all the way up to New Jersey. The pipeline is the largest of its kind in the US, reportedly transporting almost half of the fuel consumed by the east coast.

This is an incredible volume of supply and demand, and anything going wrong could be disastrous. There’s enough to worry about with more general accidents, without the threat of people maliciously breaking into systems.

That’s where we are now.

What happened?

Ransomware brought everything to a standstill on Friday. According to those performing analysis on the attack, the culprits are likely a group known as DarkSide. This is a group that rose to mainstream prominence in 2020, via dubious donations to charities. Going for that whole Robin Hood angle, they stole from corporations and handed the cash to causes they felt were deserving.

Well, they tried to.

When help turn out to be a hindrance

As it happens, charities don’t want a bunch of stolen money circulating in their bank accounts. Charity trustees can get into all kinds of trouble. Not just charities; any organisation could end up in a baffling sequence of money laundering shenanigans if not careful.

There were also suspicions that the “Good Samaritan” act was a way to cover for the fact that they’re still criminals, stealing money. The group behind these attacks seemed to have got the message. The Robin Hood charity drive went away, and we wondered what the criminal group’s follow up would be.

If the investigators are correct, this is several orders of magnitude more serious than anything people could have imagined.

 Lockdown and emergency powers

The US government declared an emergency and brought in emergency powers to ensure people are still supplied with fuel. Those emergency powers allow for more flexibility for drivers to transport petroleum products to various locations. From the text:

FMCSA is issuing a temporary hours of service exemption that applies to those transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.

The digital to physical impact of the Colonial Pipeline attack

The real-world consequences from this attack are clear, and spread in several directions. There’s the immediate risks of transporting fuel across 5,500 miles, and of people having no supplies. We also have potential danger on the roads, as road use increases and drivers have to cope with potentially longer driving hours. Fuel prices? Those appear to have risen, though it seems the supply would need to be down for a few days for it to cause significant impact. 

Finally, there’s the issue of the shutdown itself. How many systems are compromised? What’s the damage? Can they guarantee all traces of infection are gone?

If it does turn out to be DarkSide, then this surely destroys their whole Robin Hood angle. And, if a recent message via DarkTracer is to be believed (the message has not been verified by Malwarebytes) then the group is making no pretence this time: “Our goal is to make money.”

If this attacker is DarkSide, it clearly doesn’t help those in need to eliminate their fuel reserves.

They’re coming for your Crypto-coins…maybe

2021 is already shaping up to be a mast year for ransomware. Ransomware gangs now have years of experience and tool making to draw on, cash in the bank, and a cryptocurrency boom to profit from. It is hard to imagine the status quo holding and it seems inevitable governments will respond strongly.

Prior to the attack the US Justice Department has already announced a 120-day review of its approach to combating cyberthreats, that will include an analysis of how cryptocurrencies enable cybercrime. This echoes concerns raised in a recent strategic plan for tackling ransomware, conducted by the Ransomware Task Force. Among many recommendations, the task force called for ransomware to be treated as a national security threat, and for greater regulation of the cryptocurrency sector. A collision course seems inevitable at some point, and it’s already a significant talking point for experts in this field.

That’s for the future, though. For now, we’re left with supply lines left reeling. A few megabytes of code, perhaps a stray email with a dubious attachment, or maybe even just a server vulnerability that someone didn’t manage to patch in time.

Small issues, massive consequences.

The post Ransomware attack shuts down Colonial Pipeline fuel supply appeared first on Malwarebytes Labs.