IT NEWS

The PRODAFT Threat Intelligence Team has published a report (pdf) that gives an unusually clear look at the size and structure of organized cybercrime.

It uncovered a global cybercrime campaign that uses modern management methods, sophisticated tools—including its own malware testing sandbox—and has strong ties with the SolarWinds attack, the EvilCorp group, and some other well-known malware campaigns.

SilverFish uncovered

The research team managed to do a full investigation of one of the SilverFish group’s Command and Control (C2) servers, after detecting an online domain (databasegalore[.]com) from previously published Identifiers of Compromise (IOCs).

It was possible for researchers to create a unique fingerprint of one of the online servers by using multiple metrics, such as installed software. After 12 hours of global scans of the IP4 range, they identified more than 200 other hosts with a very similar setup.

According to the report this “enabled the PTI Team to access the management infrastructure” of the group and learn significant information about how the group worked, who it had attacked, and how.

Sophisticated organization

What the researchers found was a highly sophisticated group of cybercriminals targeting large corporations and public institutions worldwide, with a focus on the EU and the US. They named this organization the SilverFish group.

By linking together the C2 servers they found, and comparing them to known IOCs, the researchers were able to connect the SilverFish group to the infamous SolarWinds attacks.

A large subset of the servers the researchers identified were also used by the infamous EvilCorp group, which modified the TrickBot infrastructure for the purpose of a large-scale cyber espionage campaign.

Links to SolarWinds

The report describes a “significant overlap” between the 4,700 victims identified during the investigation and organizations affected by the SolarWinds attacks. A significant part of the large infrastructure was found to have strong connections with the SolarWinds IOCs shared by three different security companies. The conclusion being that these servers most likely took part in the SolarWinds campaign.

Links to Trickbot

By looking at the group’s tactics, techniques, and procedures (TTP), combined with the technical complexity of the SilverFish group’s attacks, PRODAFT was able to detect similar findings in the c2 server, command statistics, infection dates, targeted sectors and countries, tools used during the attacks, executed commands, and other information that was very similar to those used by TrickBot.

So, is this group related with TrickBot? Not likely, but the research shows that the SilverFish group is using a similar version of the TrickBot infrastructure and codebase. It also found evidence of WastedLocker malware and other TTPs that matched with both EvilCorp and SolarWinds.

Links to EvilCorp

EvilCorp is the name of a vast, international cybercrime network. The alleged leaders of this network are very high on the FBI’s wanted list. In 2019, US authorities filed charges against EvilCorp’s alleged leaders, Maksim Yakubets and Igor Turashev, accusing them of using malware to steal millions of dollars from groups, including schools and religious organizations, in over 40 countries. EvilCorp is held responsible for the development and distribution of the Dridex and WastedLocker malware.

Malwarebytes’ Threat Intel Team commented:

Prodaft also mentions ties with the WastedLocker ransomware thought to be operated by EvilCorp, likely from the Traffic Distribution System analysis. One of the hostnames in particular is related to the SocGholish social engineering toolkit and is used to fingerprint victims before distribution of the final payload.

Management

According to PRODAFT, the main dashboard of the SilverFish C2 control panel features a section named “Active Teams”. SilverFish uses a team-based workflow model and a triage system similar to modern project management applications. Each user can write comments about each victim. Based on these (mainly Russian) comments, the researchers gained a better understanding of the motivation of the group and the prioritization of the victims—operations were prioritized based on these comments.

A hierarchy was also found to be present in the comments on the C2 server, enabling management of different targets, assignment of these targets to different groups and triage of incoming victims.

Targets

The main areas of focus for the SilverFish group appear to be the US and Europe, with each region serviced by different teams. They also seem to primarily target critical infrastructure. Successfully compromised victims were found in nearly all critical infrastructures (as defined in the NIST Cyber Security Framework).

The SilverFish group predominantly targets critical entities like energy, defense, and government or Fortune 500 enterprises. Second, the researchers found comments in the C2 servers that indicate ignoring victims like universities, small companies, and other systems which they consider worthless.

Approximately half of the victims were found to be corporations which have a market value of more than $100 million USD, as per their public financial statements.

WordPress

In contrast to traditional attacks that use a domain name purchased via means of anonymous payments, SilverFish is using hacked domains for redirecting traffic to their C2 control panel.

To avoid disrupting the legitimate traffic of the hacked website, the SilverFish group creates new subdomains, which makes it almost impossible for a website owner to understand that their domain is being exploited in an attack. The frequency in which they change domains would imply that the SilverFish group has more than 1,000 already compromised websites, which are rotated almost every other day.

A significant number of these compromised websites were using WordPress. The report notes that while it is possible to buy login credentials from underground markets, “the amount of compromised websites with the same software shows us that the SilverFish group might also be leveraging 0-day or N-day exploits.” WordPress is, by far, the world’s most commonly used web Content Management System, and out-of-date installations and vulnerable plugins provide no shortage of targets.

Post-exploitation

Perhaps unsurprisingly, the SilverFish group was found to make extensive use of publicly available “red teaming” tools such as Empire, Cobalt Strike and Mimikatz, as well as Powershell, BAT, CSPROJ, JavaScript and HTA files used for enumeration and data exfiltration.

Executed Cobalt Strike beacons use domain fronting for communicating to the C2 server. Domain fronting obscures the eventual destination of HTTP traffic by relaying it from the server listed in the publicly-readable SNI portion of a request, to a different server listed in the private (encrypted) Host header.

The main goals of the SilverFish group are likely to be covert reconnaissance and data exfiltration. According to PRODAFT, the commands and scripts the SilverFish group use “strongly indicates sophistication and an advanced post-exploitation skillset”.

Remote sandboxing

The most astounding find the researchers uncovered was that the SilverFish group has designed an unprecedented malware detection sandbox, formed by actual enterprise victims, which enables the adversaries to test their malicious payloads on live systems with different enterprise AV and EDR solutions (enterprise systems can be hard for criminals to acquire).

Malwarebytes Threat Intel Team commented:

Machines are profiled and used as a testing ground, a sort of live antivirus testing platform featuring many different EDR products.

The SilverFish attackers were using this system to periodically test their malicious payloads on more than 6,000 victim devices, scripts, and implants. According to the report, the SilverFish group members appear to be tracking the detection rate of their payloads in real time.

Level of sophistication

PRODAFT says “we believe this case to be an important cornerstone in terms of understanding capabilities of organized threat actors”, and it is hard to disagree.

Although ransomware groups can be well organised, they are mostly engaged in noisy smash-and-grab raids. The SilverFish group is something different. According to PRODAFT it is an “organization that operates in an organized and disciplined manner in a hierarchical environment, one that is even highly compartmentalized,” that takes a “structured approach to covert cyber-espionage.”

Attribution

The Prodaft researchers refrain from attribution, but there are some strong pointers which can be found in their extensive report.

• Russian comments and use of Russian slang words on the C2 servers.
• Indications that the group is sparing countries that were part of the former USSR and still have strong ties with Russia.
• The group is active during European work hours, with most of its activity recorded between 08:00 and 20:00 (UTC).
• The attention to critical infrastructure, and major companies in the US and Europe.

Attribution is hard and sometimes the conclusion you come to is the one the threat-actors want you to reach. But if it walks like a duck and quacks like a duck….

The post Report goes “behind enemy lines” to reveal SilverFish cyber-espionage group appeared first on Malwarebytes Labs.

Since 2017 desktop users have had the opportunity to use physical security keys to log in to their Facebook accounts. Now iOS and Android users have the same option too. Physical security keys are a more secure option for two-factor authentication (2FA) than SMS (which is vulnerable to SIM swap attacks and phishing), and apps that generate codes or push notifications (which are also vulnerable to phishing).

Two-factor authentication (2FA)

2FA is the least complex version of multi-factor authorization (MFA) and was invented to add an extra layer of security to the—now considered old-fashioned and insecure—simple login procedure of using a username and password. By definition, 2FA depends on two different methods of identifying a user.

Authentication factors are commonly divided into three groups:

• Something you know, such as a password.
• Something you have, such as a code sent by SMS, or a hardware key.
• Something you are, such as your face or fingerprints.

Different 2FA schemes typically rely on users providing a password and one of the other factors. If you are an Android or iOS user, Facebook will now let you authenticate yourself with a password (something you know) and a hardware security key (something you have).

Hardware security keys

Hardware keys, also known as physical security keys, connect to your device via USB-A, USB-C, Lightning, NFC, or Bluetooth, and are portable enough to be carried on a keychain.

Most of them use an open authentication standard, called FIDO U2F. U2F enables internet users to securely access any number of online services with one single security key, with no drivers or client software needed. 

FIDO2 is the latest generation of the U2F protocol and it allows devices other than hardware keys, such as fingerprint sensors or laptops and phones with face recognition, to act as hardware keys.

How do security keys work?

You can use a hardware security key for as many accounts as you like. Once the key has been set up to work with a service, logging in is as simple as inserting the security key into your device (or wirelessly connecting it) and pressing a button on the key itself.

Behind the scenes, the security key is presented with a challenge by your web browser or app. It then cryptographically signs the challenge, verifying your identity.

Setting up Facebook for physical security keys

To add a physical security key as a 2FA factor for Facebook, open Facebook on your device and open the menu.

In the Menu click on Settings under Settings and Privacy.

You will see the Account Settings menu. Click on Security and Login under Security.

You will see the Security and Login menu. Click on Use two-factor authentication under Two-Factor Authentication.

In the Two-Factor Authentication menu select the Security Key option and click on Continue.

From there, follow the instructions that are device and key-specific to add your security key as an extra factor of authentication.

Privacy and security

Imagine all the information an attacker might find out about you if they should get hold of your Facebook credentials. It’s not just all your public, and private posts, but your Messenger conversations as well. The first thing a successful attacker will do is enable 2FA to lock you out. So get ahead in the game and enable it yourself. Any 2FA is better than none, but a security key is the most secure form of 2FA.

Stay safe, everyone!

The post How to enable Facebook’s hardware key authentication for iOS and Android appeared first on Malwarebytes Labs.

A bill introduced in the US Senate could help domestic abuse and sex trafficking survivors—including those tracked by stalkerware-type applications—regain digital independence through swift, shared phone plan termination and the extension of mobile phone plan subsidies.

Titled the Safe Connections Act, the bill targets the significant problem of shared mobile phone contracts between abuse survivors and their abusers. For survivors in these situations, a shared mobile phone plan could reveal who the survivor has called and when. Shared mobile phone plans also complicate matters for survivors who hope to physically escape their abusers, as abusers could report phones owned in their name as stolen, weaponizing law enforcement to locate a survivor.

Democratic US Senator Brian Schatz, who is one of the sponsors of the bill, said that he hopes the Safe Connections Act will give control back to survivors.

“Giving domestic violence abusers control over their victims’ cell phones is a terrifying reality for many survivors,” Schatz said in a press release. “Right now there is no easy way out for these victims – they’re trapped in by contracts and hefty fees. Our bill helps survivors get out of these shared plans and tries to find more ways to help victims stay connected with their families and support networks.”

Importantly, the bill would also extend easier access to government-subsidized mobile phone programs, which means that survivors being tracked through stalkerware-type applications could more easily toss their compromised device and start anew.

What does the Safe Connections Act do?

The Safe Connections Act—which you can read in full here—was introduced earlier this year by a bipartisan slate of US Senators, including Sens. Schatz of Hawaii, Deb Fischer of Nebraska, Richard Blumenthal of Connecticut, Rick Scott of Florida, and Jacky Rosen of Nevada.

The bill has three core components to aid “survivors,” which the bill defines as anyone over the age of 18 who has suffered from domestic violence, dating violence, sexual assault, stalking, or sex trafficking.

First, if passed, the bill would place new requirements on mobile service providers—such as Verizon, AT&T, T-Mobile, and Mint Mobile—to more rapidly help survivors who request to remove either themselves or an abuser from a shared phone plan, whether the survivor is the primary account holder or not. Wireless phone companies will have to honor those requests within 48 hours, and in doing so, they cannot charge a penalty fee, increase plan rates, require a new phone contract under a separate line, require approval from the primary account holder if that account holder is not the survivor, or prevent the portability of the survivor’s phone number so long as that portability is technically feasible.

Also, in severing a shared phone contract, companies must also sever a contract for any children who are in the care of a survivor.

The bill specifies, though, that survivors who make these requests will have to show proof of an abuser’s behavior by submitting one of two categories of information. Survivors can submit “a copy of a signed affidavit” from licensed social workers, victim service providers, and medical and mental health care providers—including those in the military—or a survivor can submit a copy of a police report, statements provided by police to magistrates or judges, charging documents, and protective or restraining orders.

The second core component of the bill would require phone providers to hide any records of phone calls or text messages made to domestic violence hotlines. As the bill states, those providers must “omit from consumer-facing logs of calls or text messages any records of calls or text messages to covered hotlines, while maintaining internal records of those calls and messages.”

This provision would not come into effect until 18 months after the bill passes, and it would require the US Federal Communications Commission to create a database of those hotlines, providing updates every quarter. This section would also apply to providers of both wireless and wired phone services.

A possible stalkerware intersection

The third component of the Safe Connections Act could help survivors who are also facing the threat of stalkerware. The bill would enroll survivors who have severed their contract under the new powers of the bill into the government’s Lifeline phone assistance program “as quickly as feasible,” with a period of coverage in the program for a maximum of six months.

The Lifeline program, run by the FCC, attempts to provide subsidized phones and phone services to low-income communities. Extending program eligibility to survivors could help them physically escape their situations while offering them a quick opportunity to regain digital independence.

In fact, in Malwarebytes’ continued work to protect users from the threat of stalkerware, it has learned that many of those who suffer from stalkerware tracking often have to leave their cell phones behind and start with entirely new devices.

As Chris Cox, founder of Operation Safe Escape, told Malwarebytes Labs last year when discussing how to help survivors of domestic abuse who have encountered stalkerware on their devices:

“What we always advise, consistently, if an abuser ever had access to the device, leave it behind. Never touch it. Get a burner,” Cox said, using the term “burner” to refer to a prepaid phone, purchased with cash. “You have to assume the device and the accounts are compromised.”

With access to the Lifeline program, that purchase of a new device could become more feasible.

Unfortunately, the benefits of the Lifeline program must be looked at comprehensively. Last year, Malwarebytes Labs discovered that two Android devices offered through the Lifeline program actually came with pre-installed malware. The devices are no longer available through Assurance Wireless, which was the supplier contracted with the Lifeline program, but the broader point remains: No one should have to suffer lowered cybersecurity because of their income. With the Safe Connections Act, we hope that the Lifeline program’s unfortunate mishap does not repeat, harming even more communities.

The post Safe Connections Act could help domestic abuse survivors take control of their digital lives appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, our podcast featured Adam Kujawa, who talked us through our 2021 State of Malware report.

We cover our own research on:

• Royal mail parcel scam
• How your iPhone can tell you if you’re being stalked
• Careers in cybersecurity
• ProxyLogon PoC whack-a-mole
• Teen behind 2020 Twitter hack pleads guilty
• FBI warns of increase in PYSA ransomware attacks targeting education
• Apple shines and buffs Mac security
• Mother charged with using deepfakes to shame daughter’s cheerleading rivals
• HelloKitty: When Cyberpunk met cy-purr-crime
• NFTs explained: daylight robbery on the blockchain
• Report reveals scale of Business Email Compromise losses
• Resident Evil 8 the latest game plagued by fake demos and scams

Other Cybersecurity news

• College experiences sharp end of ransomware: 8 campuses close with teaching moved online, after ransomware attack takes over key systems (Source: SCCB)
• Smart targets: Research suggests smart doorbells make your home a more attractive proposition for criminals (Source: The Register)
• CopperStealer running riot: malware racks up big infection numbers at the start of 2021 (Source: SCMagazine)
• Trouble in the club house: Fake Android app pretends to be social media app ClubHouse (Source: Infosecurity Magazine)
• FBI alert: Phishing mails spreading “sophisticated” malware (Source: ZDNet)
• Young adults under fire: It’s not just older generations threatened by scams and fakery (Source: GoErie)
• Bogus giveaway scams on the prowl: Edmonton businesses warn of social media impersonations (Source: Global News CA)
• Taxing times: Fake tax mails come bearing Remote Access Trojans (Source: Bank Info Security)
• Twitter compromise leads to gaming scam: NHS Boss suffers Twitter account takeover, which is used to push Playstation 5 sales (Source: BBC)
• Banking on security: reports suggest bank industry hardware may provide inroads for wily attackers (Source: Forbes)

Stay safe, everyone!

The post A week in security (March 15 – 21) appeared first on Malwarebytes Labs.

There’s been a number of scams targeting fans of major upcoming video game releases over the last week or two. Why is this happening, and what can you do to ensure both you and your children avoid such fakeouts?

Preview power: the 80s and 90s

Back in the 80s, games reviews were only really found in dedicated gaming magazines like ZZap!64 or Amstrad Action. A couple of magazine publishers had the idea to distribute full games and demos on cassette tapes mounted to the cover. This led to some spectacular covertape related magazine warfare, distribution of games without permission, and copyright breach extravaganzas.

Downloadable demos: 2000s and beyond

When net-connected consoles blasted their way into homes from around the time of the original Xbox onward, this granted a second life to the old cover tapes and discs. Consoles came with demos pre-loaded, you could download demos or full games, and update purchased titles on the fly.

Consoles going digital slowly came with its own problems. Even so, the digital download revolution encouraged new funding models and ways to play games. Early access, where players are granted first look at a title by paying or for free, is where our latest scam lies.

What are the scammers doing?

Scammers are using demos and early access promises as bait for phishing and other forms of attack. The upcoming Resident Evil title, Village, currently has a spin-off demo version called “Maiden” on the Playstation 5 with other versions to follow. Enterprising phishers are distributing fake mails offering “Early access invitations” to play Village itself, which is the full game, set after the events of Maiden.

In this way, they’re trying to ride the wave of popularity for Maiden by encouraging people to get their hands on the rest of the content. The game developers, Capcom, also mention avoiding any files offered up by the phish. This sounds very much like the phishers were also dabbling in malware distribution.

We bring tidings. Bad tidings.

The full Capcom message sent to press reads as follows:

We’re sending this message as we’ve been made aware that there are currently emails circulating that pretend to contain “Early Access invitations” to Resident Evil Village. The sender address is being displayed as “no-reply(at)capcom(dot)com”.

We want to inform you that these messages are NOT from Capcom and appear to be phishing attempts by an unauthorized third party. If you have received such a message, please DO NOT download any files or reply, and delete the message immediately.

If you are unsure of the authenticity of correspondence from Capcom, please contact us directly to verify.

This is perfect bait for younger gamers who may not be aware of this type of scam attempt. No doubt it’ll have caught out many an adult gamer, too. That’s the most recent attempt at tricking people with fake early access. Shall we take a look at a slightly earlier effort?

Fake Beta build scammers come for Far Cry

Far Cry 6 is the soon to be released entry into Ubisoft’s unstoppable game series. Last month, a supposed “beta” build of the game was mentioned in emails to various influencers / content creators in the gaming space. The mail, flagged as being under embargo, comes complete with an access password. When the password is entered, and we’re not sure if they mean to open a zip or on a fake website, an infection is downloaded to the PC. According to potential victims, it “watches your screen and records everything you do”.

That’s bad enough. This is by no means the end of the wave of fake beta/early access/demo invites though.

Gaming a wide audience

In January, THQ Nordic warned of scam mails related to their game Biomutant. As with the other missives, it seems to focus on content creators / developers. Seeing developers state that no early builds of games are being mailed to people is bad news. Could one group specifically be trying this early access build gimmick? Or is everyone at it? Quite often, a new way to go on the offensive is posted to underground forums and then people go off and try it. That could be what is happening with these attacks, or it could just be coincidence.

As far as fake betas go, those have been around for a long time. A good example of this is Cyberpunk 2077, back in July of last year. How about a Fortnite Android beta scam from 2018? We can certainly round things out with a Valorant themed, malware laden closed beta key generator from last April.

Some tips to avoid fake beta/access scams

1. At least some of these attacks are targeted towards gaming influencers or people with big platforms. As a result, this means you may not encounter a few of them. If you do fall into this category, basic security hygiene applies. Check the security of all your accounts and enable two-factor authentication if it’s available. Run up to date security software, and ensure all your devices are patched and up to date.
2. Begin locking down your gaming accounts if you haven’t already. It might not just be your PC at risk from attacks. They could be after your console logins / details too. All major gaming consoles have plenty of security features. It’s well worth digging out their security documentation and shoring up any gaps in your defence.
3. If a games developer emails you out of the blue, it’s fairly easy to figure out what’s real and what isn’t. Major titles announce betas, and early access programs clearly on websites, social media, and gaming portals. It isn’t left to random mail shots and mysterious attachments. If there’s no evidence of whatever you’ve been sent in some sort of official capacity, steer clear. Worst case scenario, you can always contact most developers on social media. They will likely be happy to help if what you’re showing them is a scam.

Press X to continue?

We recommend telling younger gamers in your household about these scams, and also the security solutions used to address them. The “exclusive preview build” technique aimed at influencers probably won’t remain aimed at them exclusively for very long, so watch out for that. You may as well get ahead of the game now before the inevitable next wave of beta invite scams land in mailboxes near you. There’s always something to think about in video game land.

The post Resident Evil 8 just the latest game plagued by fake demos and early access scams appeared first on Malwarebytes Labs.

Internet crime is ever present, and with the ongoing pandemic, levels of scams and fraud were exceptionally high in 2020. Opportunistic fraudsters didn’t give a second thought to riding the COVID-19 wave and preying upon those who are truly in need of help, or those who truly want to help.

The Internet Crime Complaint Center (IC3), an arm of the FBI where internet users can report online fraud crimes, recently released the 2020 Internet Crime Report, an annual report that contains high-level information on suspected fraud cases reported to them and their losses. A state-by-state statistical breakdown of these cases were included in an accompanying report, 2020 State Reports, that you can browse through here.

The IC3 has found that the three biggest complaints they received in 2020 are phishing scams, which garnered the highest number of complaints (241,342), ransomware (2,474), and, perhaps the most striking of these, Business Email Compromise (BEC) (19,369). It’s striking, not because of the number of complaints but because BEC scams recorded the highest total losses by victims, at roughly $1.8 billion USD. Although phishing led to the highest number of complaints, victims “only” lost $54 million USD, a fraction of the money lost to BEC scams.

According to IC3, BEC can also be called Email Account Compromise (EAC). It may or may not involve a layered attack, depending on how a threat actor can better mimic the person they’re spoofing, and how much their target employee would be able to buy into the overall deception.

It starts off with an email, either from a compromised account or spoofed address, to make it look like it originated from a particular sender. The threat actor, usually posing as a higher-up within a company, contacts a more junior employee in the company who is cleared to perform funds transfers. The attacker gives the junior employee a plausible but urgent instruction to make a large, confidential transfer of money to a fake supplier.

“In 2020, the IC3 observed an increase in the number of BEC/EAC complaints related to the use of identity theft and funds being converted to cryptocurrency,” according to the report. “In these variations, we saw an initial victim being scammed in non-BEC/EAC situations to include Extortion, Tech Support, Romance scams, etc., that involved a victim providing a form of ID to a bad actor. That identifying information was then used to establish a bank account to receive stolen BEC/EAC funds and then transferred to a cryptocurrency account.”

We remind businesses, regardless of sector, to be aware of BEC attack trends and be very vigilant in combatting it. BEC scams rely, in part, on the pressure that junior employees feel when asked to comply with demands from senior employees, and told not to alert anyone else. Employees should be empowered to seek advice and take the time they need.

Also, if your company doesn’t have an extra layer or two of authentication before the request to transfer money is green-lit, put one in place now. A phone or video call is ideal.

True, these steps introduce a bit of friction into your company processes, but a little inconvenience and delay could your company millions of dollars.

Good luck!

Other post(s) on the subject of business email compromise:

• Business email compromise: gunning for goal

The post Report reveals the staggering scale of Business Email Compromise losses appeared first on Malwarebytes Labs.

On February 9, after discovering a compromise, CD Projekt Red (CDPR) announced to its 1+ million followers on Twitter that it was the victim of a ransomware attack against its systems (and made it clear they would not yield to the demands of the threat actors, nor negotiate).

Cyberpunk 2077, the latest game released by CD Projekt Red and once hailed as the “most anticipated game of the decade”, was released in December 2020 with many calling it an “unplayable mess”.

No surprise then that some people suspected that enraged gamers were hitting back at the company for releasing the game in that state. But infamous ransomware hunter Fabian Wosar (@fwosar), of Emsisoft begged to differ.

Although what he said was an informed claim, we cannot say for sure what hit CDPR until a ransomware sample is retrieved and analyzed. Nevertheless, the name-check was enough to put the HelloKitty ransomware family in the headlines.

HelloKitty ransomware

The HelloKitty ransomware, also known as Kitty ransomware, was first seen in November 2020, a few months after the first variants of Egregor were spotted in the wild.

CEMIG (Companhia Energética de Minas Gerais), a Brazilian electric power company, revealed on Facebook in late December 2020 that it was a victim of a cyberattack. Succeeding reports revealed that HelloKitty was the ransomware behind it, and that this ransomware strain was used to steal a large amount of data about the company. The attack didn’t cause any damage, however, but it caused the company to suspend its WhatsApp and SMS channels, and its online app service.

This ransomware family was named after a mutex it used called “HelloKittyMutex.”

Some researchers refer to HelloKitty as DeathRansom—a ransomware family that, based on its earlier variants, merely renames target files and doesn’t encrypt them. We speculate, however, that HelloKitty was built from DeathRansom. As such, Malwarebytes detects this ransomware as Ransom.DeathRansom.

The threat actors behind HelloKitty ransomware aren’t as active as some other threat groups, so there is little information about it. Below is what we know so far.

Infection vector

According to SentinelLabs, current intelligence suggests that HelloKitty arrives via phishing emails or via secondary infection from an initial malware attack.

Symptoms

Systems affected by HelloKitty ransomware display the following symptoms:

1. Terminated processes and Windows services. Once it reaches an affected system and executes, HelloKitty terminates processes and Windows services that may interfere with its operation. These processes are generally associated with security software, backup software, accounting software, email servers, and database servers (to name a few). Overall, it can target and terminate over 1,400 processes and services.

It performs the termination process using taskkill.exe and net.exe, two legitimate Microsoft Windows programs.

SentinelLabs also notes that if there are processes HelloKitty cannot terminate using these executables, it then taps into Windows’s Restart Manager to perform the termination.

2. Encrypted files with .KITTY or .CRYPTED file extensions. On Windows systems, HelloKitty ransomware uses a combination of AES-128 + NTRU encryption. On Linux systems, it uses the combination AES-256 + ECDH. These encryption recipes are not known to have any weaknesses, making decryption impossible without a key.

Encrypted files will have the .kitty or .crypted file extension appended to the file names. For example, an encrypted sample.mdb file will either have the sample.mdb.kitty or sample.mdb.crypted file names.

3. Targeted ransom note. The HelloKitty ransom note is usually a plain text file bearing either the name read_me_lkdtt.txt or read_me_unlock.txt that references its target and/or its environment. For a sample content of the note, below is a portion of the CEMIG ransom note as follows:

Hello CEMIG!

All your fileservers, HyperV infrastructure and backups have been encrypted!

Trying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss of data!

The only way to recover your files is by cooperating with us.

To prove our seriousness, we can decrypt 1 non-critical file for free as proof. We have over 10 TB data of your private files, databases, personal data… etc, you have 24 hours to contact us, another way we publish this information in public channels, and this site will be unavailable.

The ransom note also includes a .onion URL that victims can open using the Tor browser. URLs are different for each victim.

4. Deleted shadow copies. Similar to other well-known ransomware families like Phobos and Sodinokibi, HelloKitty deletes shadow copies of encrypted files on affected systems to prevent victims from restoring them.

Indicators of Compromise (IOCs)

Tor Onion URLs:

• 6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion
• x6gjpqs4jjvgpfvhghdz2dk7be34emyzluimticj5s5fexf4wa65ngad.onion

SHA256 hashes:

• 78afe88dbfa9f7794037432db3975fa057eae3e4dc0f39bf19f2f04fa6e5c07c
• fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb
• c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e
• 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
• 38d9a71dc7b3c257e4bd0a536067ff91a500a49ece7036f9594b042dd0409339

The post HelloKitty: When Cyberpunk met cy-purr-crime appeared first on Malwarebytes Labs.

Did you hear about the JPG file that sold for $69 million?

I’ll give you some more detail, the JPG file is a piece of digital art made by Mike Winkelmann, the artist known as Beeple. The file was sold on Thursday by Christie’s in an online auction for $69.3 million. This set a record for artwork that exists only digitally. Which for many people raised the question: what’s to stop me from copying it and becoming an owner as well? After all, digital files can be copied ad infinitum, with no loss of quality.

Which is where non-fungible tokens (NFTs or “nifities”) come in. NFTs are the latest, most eyebrow-raising use of blockchain technology.

Non-fungible means the token has unique properties so it cannot be interchanged with something else. Money, for example, is fungible. You can break down a dollar or a bitcoin into change and it will still have the same value. An artwork is more like a house, each one is unique and can’t be broken into useful fractions. (Although for houses sometimes it is only the location that makes it different from its neighbors.)

But I made the analogy because for houses we have a ledger to keep track of who owns the house. If you want to know who owns a house, you look it up in the ledger. You can think of an NFT as a certificate of ownership for a unique object, virtual or tangible.

Art and technology

While the combination of art and technology may have sounded strange a century ago, nowadays they are no longer a rare combination. The first use of the term digital art was in the early 1980s when computer engineers devised a paint program which was used by the pioneering digital artist Harold Cohen. This became known as AARON, a robotic machine designed to make large drawings on sheets of paper placed on the floor.

Andy Warhol or David Hockney may be more familiar names, even for those that are not that into art. Andy Warhol created digital art using a Commodore Amiga where the computer was publicly introduced at the Lincoln Center, New York in July 1985. Hockney is huge fan of the iPad.

Art and NFTs

The maintenance of the digital ledger to keep track of who owns a digital work of art is done using blockchain technology. Blockchains make it almost impossible to forge records.

Copies of the blockchain are kept on thousands of computers and each item in the blockchain is cryptographically linked to every item that comes after it. Forging a record in a blockchain ledger means re-doing the transaction you want to forge, and every subsequent transaction, on a majority of all the copies in existence, at the same time.

Unlike bitcoins, each NFT is unique and can contain details like the identity of its owner or other metadata. NFTs also include smart contracts. Smart contracts store code instead of data in a blockchain, and execute when particular conditions are met. An example of an NFT smart contract might give an artist a percentage of future sales of their work.

But to answer the original question, this doesn’t stop anyone from copying a digital masterpiece and enjoying it at home. The NFT ledger only shows who the owner of the original is.

Stolen NFTs

Even though the blockchain technology itself is secure, the applications that are built on or around it, such as websites or smart contracts, don’t inherit that security, and that can cause problems.

Users of the digital art marketplace Nifty Gateway reported hackers had taken over their accounts and stolen artwork worth thousands of dollars over the weekend.

Someone stole my NFTSs today on @niftygateway and purchased $10K++ worth of today’s drop without my knowledge. NFTs were then transferred to another account.

Some victims reported that the digital assets stolen from their accounts were then sold on the chat application Discord or on Twitter. The underlying problem, according to many claims, was that the thieves hacked the owner’s accounts. They then used the accounts to sell, buy, and re-sell NFTs.

This is possible because blockchain security is designed to prevent forgery, not theft. If somebody steals your NFT and sells it, the blockchain will faithfully record the sale, irreversibly.

Art turned into NFT without the artist’s knowledge

Some artists are reporting their work has been stolen and sold on NFT sites without their knowledge or permission. In some cases, the artist only learned about the theft weeks or even years later, having stumbled upon their work on an auction site. The people creating the NFT had no ownership and probably just copied the artwork from the artist’s website.

Identifying the original file

The way NFTs are set up now they depend too much on URLs that might end up broken at some point in time. Or get hijacked by some clever threat actor. Jonty Wareing did an analysis on how Nifty references the original and was not impressed. He expressed his concerns on Twitter. He found the fact that both the NFT token for the json metadata file as well as the IPFS gateway are defined by URLs set up by the seller. IPFS is a distributed system for storing and accessing files, websites, applications, and data.

The NFT token you bought either points to a URL on the internet, or an IPFS hash. In most circumstances it references an IPFS gateway on the internet run by the startup you bought the NFT from.

Which means when the startup who sold you the NFT goes bust, the files will probably vanish from IPFS too

Problems with art and NFTs

The reported crimes are made possible by two apparent flaws in the way the system was set up.

• It is possible to create more than one NFT for the same work of art. This creates separate chains of ownership for the same work of art.
• If no NFT exists for a certain work of art, creating one does not require you to be the owner. This creates false chains of ownership.
• The references defining the original depend too heavily on URLs that are vulnerable and could vanish at some point.

To circle back to our analogy with real estate, the only way a ledger can be expected to give an accurate account of ownership is by having one central ledger that checks whether the first owner did buy the object directly from the creator. The creation of such a new ledger should also include a check whether there is not an existing registration for the same object to avoid creating a duplicate. And for digital files we need a better way to define them. Storing URLs in the blockchain will protect the URL and not the underlying file.

The post NFTs explained: daylight robbery on the blockchain appeared first on Malwarebytes Labs.

A Pennsylvania woman reportedly sent doctored photos and videos of her daughter’s cheerleader rivals to their coaches, in an attempt to embarrass them and get them kicked off the team. She’s alleged to have used deepfake technology to create photo and video depictions of the girls naked, drinking, and vaping, law enforcement officials said.

The woman—50-year-old Raffaela Spone—was arrested in early March and charged with multiple misdemeanor counts of cyberbullying, after targeting three teen girls in Victory Vipers, her daughter’s cheerleading squad, and three counts of harassment. However, she was later released on the condition that she attends her preliminary hearing on March 30.

A deepfake, is a realistic fake image or video that uses machine learning to replace the original subject with somebody else’s likeness. The usual recipe needed to create one is a deepfake tool, which are becoming widely accessible online, the original image or video, and a photo or photos of the person being added to it.

According to reports, Spone likely used images from the girls’ social media accounts to create the fake media. She also anonymously sent harassing text messages from multiple fake phone numbers to the girls, their parents, and the owners of the gym where the cheerleading squad practiced. Some messages contained deepfakes, and some messages urged them to kill themselves, according to The Philadelphia Inquirer.

Police were able to identify that the fake numbers Spone used belonged to an app called Pinger. This allowed them to acquire the IP address messages were coming from, and then use the IP to acquire Spone’s home address and phone carrier. Further searches on Spone’s phone revealed evidence tying her to the deepfakes.

Per court records, there was no indication that her daughter knew what her mother was doing.

“Here are some of my concerns in this case,” said Bucks County District Attorney Matt Weintraub during a news conference Monday, “[deepfake] tech is now available to anyone with a smartphone. Your neighbor down the street, somebody who holds a grudge—you’ll just have no way of knowing. This is prevalent.”

He continued, “This is also another way for an adult to now prey on children, as is the case of the allegations in this instance.”

Crimes committed by Spone was something Henry Ajder, a deepfake researcher, saw coming. Speaking to The New York Times, Ajder, who anticipates that deepfake depictions will become more realistic in the next five years, is concerned they could be used to “attack individuals, create political disinformation … conduct fraud and manipulate stock markets”.

Robert Birch, Spone’s attorney, revealed to WPVI-TV, a local network, that his client has received death threats after reports about the deepfakes appeared in the press.

Victory Vipers apologized to all individuals involved in this case. “Victory Vipers has always promoted a family environment and we are sorry for all individuals involved. We have very well-established policies, and a very strict anti-bullying policy in our program.” said Mark McTague and Kelly Cramer in a statement.

“When this incident came to our attention last year we immediately initiated our own internal investigation and took the appropriate action at the time. This incident happened outside of our gym. When the criminal investigation ensued, we fully cooperated with law enforcement. All athletes involved, are no longer a part of our program.”

Other posts on the subject of deepfake:

• Deepfakes laws and proposals flood US
• Deepfakes or not: new GAN image stirs up questions about digital fakery
• The face of tomorrow’s cybercrime: Deepfake ransomware explained

The post Mother charged with using deepfakes to shame daughter’s cheerleading rivals appeared first on Malwarebytes Labs.

The so-called “mastermind” behind the 2020 Twitter hack that compromised the accounts of several celebrities and public figures—including President Barack Obama, Bill Gates, and Elon Musk—pleaded guilty to several charges on Tuesday in a Florida court.

As part of an agreed-upon plea deal with prosecutors, Graham Clark will serve three years in juvenile prison, with an additional three years spent under probation.

First reported by 10 Tampa Bay WTSP-TV, Clark’s plea deal will include restrictions to “electronic devices,” with access only permitted by the Florida Department of Law Enforcement and by those supervising Clark during his eventual probation. According to 10 Tampa Bay, at 18 years old, Clark will also be sentenced as a “youthful offender,” which could allow him to serve some of his prison time in a “boot camp.” He will also earn credit for the 229 days that he has already spent in jail.

Clark’s plea deal represents a reversal of his earlier position on August 4, 2020, when he pleaded not guilty to 30 charges of fraud brought against him by state prosecutors in Florida for allegedly stealing Bitcoin payments from countless victims. According to Hillsborough State Attorney Andrew Warren at the time, the charges filed against Clark were for “scamming people across America.”

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.” 

Last year, Clark allegedly worked with two other individuals to compromise the accounts of about 130 Twitter users in a broader scheme to steal Bitcoin payments from unsuspecting victims. On July 15, the Twitter accounts of several celebrities and industry leaders began tweeting nearly the exact same message: Sparked by sudden gratitude, anyone who donated payments to a specific Bitcoin address would receive double those payments in return.

According to the public bitcoin ledger, at the time, the hackers conned people out of more than $100,000.

Nearly two weeks later, Clark was arrested at his apartment in Tampa. Two other men—Mason Shepperd from the UK and Nima Fazeli of Orlando—were also charged in connection with the hack. Shepperd was charged with wire fraud and money laundering, while Fazeli was charged with aiding and abetting.

At the time of the attack, many asked how such a small operation—led by a teenager—could have successfully breached the security of a major technology company. According to an investigation by The New York Times, Clark’s Twitter hack was not the work of an experienced hacker, but of a tried-and-true fraudster. Having bilked victims out of small sums of about $50 for years, Clark is alleged to have eventually worked his way into a scam that involved the theft of $856,000 worth of Bitcoin, at the age of 16.

After the theft, Clark posted photos of himself on Instagram wearing a Rolex watch.

To compromise Twitter, Clark used his practiced social engineering skills to gain access to an employee control panel. From there he was able to change users’ email addresses, and to use those new email addresses to reset passwords and disable two-factor authentication, giving him access to numerous user accounts, and their millions of followers.

The post Teen behind 2020 Twitter hack pleads guilty appeared first on Malwarebytes Labs.